Windows Analysis Report 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Overview

General Information

Sample Name: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
Analysis ID: 539503
MD5: 1547238c5f89a46f4f3d448138478e05
SHA1: b83e59cffe50f76e819731d506efd045c55aaabc
SHA256: 3e6418ff545a4ca402fd68da393fd9db7ed7e798ffed1de2fbcdbb31fa08817f
Tags: exe

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Sample file name differs from the original file name in its version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Abnormally high CPU usage

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.814005809.0000000004E10000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1sW9p"}
Multi AV Scanner detection for submitted file
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Virustotal: Detection: 33%

Compliance:

Uses 32bit PE files
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1sW9p
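
The extracted configuration points at a Google Drive direct-download link (/uc?export=download) from which the loader retrieves its next stage. Because drive.google.com is legitimate traffic almost everywhere, blocking the host is rarely an option; a more useful detection keys on which process issues the request. The Python below is an added example, not part of the sandbox report: it applies that logic to constructed proxy-log lines. The key="value" log format, the field names and the browser allowlist are assumptions, and only the first URL is taken from the report's configuration.

```python
"""Flag non-browser processes fetching Google Drive direct-download links.

Added example, not part of the sandbox report. The key="value" log format,
the field names and the browser allowlist are assumptions; adapt the parser
to your proxy or EDR export.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample events. Only the first URL (the report's extracted
# payload URL) is taken from the page; the other lines are made up for contrast.
SAMPLE_LOG = r'''
ts=2021-06-29T10:12:03Z host=WS01 proc="C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe" url="https://drive.google.com/uc?export=download&id=1sW9p"
ts=2021-06-29T10:12:05Z host=WS01 proc="C:\Program Files\Mozilla Firefox\firefox.exe" url="https://drive.google.com/uc?export=download&id=abc123"
ts=2021-06-29T10:12:09Z host=WS02 proc="C:\Windows\System32\svchost.exe" url="https://www.microsoft.com/"
ts=2021-06-29T10:13:44Z host=WS03 proc="C:\Users\user\AppData\Local\Temp\inv.exe" url="https://docs.google.com/uc?export=download&id=zzz9"
'''

# Image names expected to open Drive links interactively (tune per environment).
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> dict:
    """Split one key=value line into a dict; quoted values keep their spaces."""
    event = {}
    for m in _KV.finditer(line):
        event[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return event


def drive_file_id(url: str):
    """Return the Drive file id if url is a /uc?export=download link, else None."""
    u = urlparse(url)
    if u.hostname not in DRIVE_HOSTS or u.path != "/uc":
        return None
    q = parse_qs(u.query)
    if q.get("export") != ["download"]:
        return None
    return q.get("id", [None])[0]


def suspicious_drive_fetches(log_text: str) -> list:
    """Events where a non-browser process pulls a Drive direct download."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        file_id = drive_file_id(ev.get("url", ""))
        if file_id is None:
            continue
        image = ev.get("proc", "").rsplit("\\", 1)[-1].lower()
        if image in BROWSER_IMAGES:
            continue
        hits.append({"host": ev.get("host"), "proc": ev.get("proc"), "file_id": file_id})
    return hits


if __name__ == "__main__":
    for hit in suspicious_drive_fetches(SAMPLE_LOG):
        print(hit)
```

The allowlist is deliberately narrow: a download started by an executable sitting on the Desktop or in Temp is the signal here, so the rule stays silent for the Firefox line and fires for the lure and for the second Temp-resident binary. Extend DRIVE_HOSTS if your environment also sees googleusercontent.com redirects.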

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
Executable has a suspicious name (potential lure to open the executable)
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Static file information: Suspicious name
Uses 32bit PE files
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file name differs from the original file name in its version info
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000000.284825706.000000000042B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLydbl.exe vs 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.813092668.0000000002A50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLydbl.exeFE2X vs 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Binary or memory string: OriginalFilenameLydbl.exe vs 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
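The mismatch above is between the OriginalFilename field of the binary's VS_VERSIONINFO resource (Lydbl.exe) and the purchase-order lure name on disk. The Python below is an added example, not code from the report or the sandbox: it locates that field the same way a memory-string scan does, by searching for the UTF-16LE key, then compares it with the on-disk name. The sample version-info blob is constructed and the function names are mine. Treat a mismatch as a triage signal only; renamed copies of legitimate installers produce the same result.

```python
"""Compare a PE's on-disk name with the OriginalFilename in its version info.

Added example, not code from the report or the sandbox. It locates the
VS_VERSIONINFO "OriginalFilename" String entry by scanning for its UTF-16LE
key (the same thing a memory-string scan sees), so it works on a PE file or
a raw memory dump without walking the resource directory.
"""
import struct
import sys


def extract_original_filename(data: bytes):
    """Return the OriginalFilename value from a VS_VERSIONINFO blob, or None."""
    key = "OriginalFilename".encode("utf-16le") + b"\x00\x00"
    pos = data.find(key)
    if pos < 0:
        return None
    pos += len(key)
    # The Value field is DWORD-aligned, so skip the 0 or 2 padding bytes.
    while pos < len(data) and data[pos] == 0:
        pos += 1
    units = []
    while pos + 1 < len(data):           # read UTF-16LE code units up to NUL
        unit = data[pos:pos + 2]
        if unit == b"\x00\x00":
            break
        units.append(unit)
        pos += 2
    return b"".join(units).decode("utf-16le", errors="replace")


def check_name(disk_name: str, data: bytes) -> dict:
    """Report whether the on-disk name disagrees with the embedded one."""
    original = extract_original_filename(data)
    return {
        "disk_name": disk_name,
        "original_filename": original,
        "mismatch": original is not None and original.lower() != disk_name.lower(),
    }


def build_string_entry(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO String struct (wLength, wValueLength, wType,
    szKey, DWORD padding, Value). Used only to construct the sample below."""
    k = key.encode("utf-16le") + b"\x00\x00"
    v = value.encode("utf-16le") + b"\x00\x00"
    body = k + (b"\x00\x00" if (6 + len(k)) % 4 else b"") + v
    return struct.pack("<HHH", 6 + len(body), len(v) // 2, 1) + body


# Constructed stand-in for the sample's version resource; only the
# OriginalFilename value (Lydbl.exe) is taken from the report.
SAMPLE_VERSION_INFO = (
    build_string_entry("CompanyName", "")
    + build_string_entry("OriginalFilename", "Lydbl.exe")
    + build_string_entry("ProductName", "Lydbl")
)
LURE_NAME = "210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(check_name(sys.argv[1].rsplit("\\", 1)[-1], f.read()))
    else:
        print(check_name(LURE_NAME, SAMPLE_VERSION_INFO))
```

Run it against a file path to check a real binary, or with no arguments to see the constructed case. Scanning for the key rather than parsing the resource tree is what lets the same function run over a process dump such as the .sdmp regions cited above.
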
PE file contains strange resources
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1D19E 1_2_04E1D19E
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1831F 1_2_04E1831F
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E168F3 1_2_04E168F3
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E188F7 1_2_04E188F7
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E16CCF 1_2_04E16CCF
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E160B3 1_2_04E160B3
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E16496 1_2_04E16496
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E18899 1_2_04E18899
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E16872 1_2_04E16872
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E18032 1_2_04E18032
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E15836 1_2_04E15836
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1803A 1_2_04E1803A
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E165C3 1_2_04E165C3
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1BDD7 1_2_04E1BDD7
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E15DDB 1_2_04E15DDB
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E159DE 1_2_04E159DE
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E159A1 1_2_04E159A1
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E169A5 1_2_04E169A5
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E15D90 1_2_04E15D90
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E18996 1_2_04E18996
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E18940 1_2_04E18940
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1692C 1_2_04E1692C
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1652F 1_2_04E1652F
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E16D33 1_2_04E16D33
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E166E6 1_2_04E166E6
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E18AA5 1_2_04E18AA5
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E16AB7 1_2_04E16AB7
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E15A99 1_2_04E15A99
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E15E72 1_2_04E15E72
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1625B 1_2_04E1625B
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1665F 1_2_04E1665F
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E18A27 1_2_04E18A27
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E16A3E 1_2_04E16A3E
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1BA0E 1_2_04E1BA0E
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E157E4 1_2_04E157E4
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E163F1 1_2_04E163F1
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E16BF6 1_2_04E16BF6
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E17BCA 1_2_04E17BCA
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1AFDE 1_2_04E1AFDE
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E18FA7 1_2_04E18FA7
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E16781 1_2_04E16781
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E17B8A 1_2_04E17B8A
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1636B 1_2_04E1636B
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E15F6A 1_2_04E15F6A
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1BF7C 1_2_04E1BF7C
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E16B53 1_2_04E16B53
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E17B57 1_2_04E17B57
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E17B5B 1_2_04E17B5B
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E15F25 1_2_04E15F25
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E18B26 1_2_04E18B26
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1632E 1_2_04E1632E
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1833B 1_2_04E1833B
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1B306 1_2_04E1B306
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E18318 1_2_04E18318
Contains functionality to call native functions
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1831F NtAllocateVirtualMemory, 1_2_04E1831F
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E184CD NtAllocateVirtualMemory, 1_2_04E184CD
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1833B NtAllocateVirtualMemory, 1_2_04E1833B
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E18318 NtAllocateVirtualMemory, 1_2_04E18318
Abnormally high CPU usage
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Process Stats: CPU usage > 98%
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Virustotal: Detection: 33%
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe File created: C:\Users\user\AppData\Local\Temp\~DF66A3895C75D2E9C9.TMP
Source: classification engine Classification label: mal76.troj.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.814005809.0000000004E10000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_00408C44 push ebp; ret 1_2_00408C45
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_0040686F pushad ; ret 1_2_004068B0
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_004078FD push ebx; ret 1_2_0040790B
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_004055C1 push ds; ret 1_2_004055DB
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_00409198 push edx; retf 1_2_0040919E
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_0040970C push ebp; iretd 1_2_0040970F
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_0040733E pushfd ; ret 1_2_00407359
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1831F pushfd ; retf 1_2_04E1865B
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E12DCC push ecx; retf 1_2_04E12DD8
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E13AC0 push esi; ret 1_2_04E13B2A
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E147E9 push esp; iretd 1_2_04E14832
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E13B20 push esi; ret 1_2_04E13B2A
Source: initial sample Static PE information: section name: .text entropy: 7.13735500913
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E17E74 rdtsc 1_2_04E17E74

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E178C2 mov eax, dword ptr fs:[00000030h] 1_2_04E178C2
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1B0BA mov eax, dword ptr fs:[00000030h] 1_2_04E1B0BA
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E152F6 mov eax, dword ptr fs:[00000030h] 1_2_04E152F6
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1528E mov eax, dword ptr fs:[00000030h] 1_2_04E1528E
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1525A mov eax, dword ptr fs:[00000030h] 1_2_04E1525A
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1BF7C mov eax, dword ptr fs:[00000030h] 1_2_04E1BF7C
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E17E74 rdtsc 1_2_04E17E74
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe Code function: 1_2_04E1D19E RtlAddVectoredExceptionHandler, 1_2_04E1D19E
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.812875992.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.812875992.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.812875992.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.812875992.0000000000DA0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
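
The Data Obfuscation and Anti Debugging findings above all reduce to byte patterns in the unpacked region at 0x04E10000: a high-entropy .text section, push-register/ret, pushfd/ret and pushad/ret gadgets, the rdtsc timing check and the fs:[30h] PEB read. The Python below is an added example, not code from the report or the sandbox: it computes Shannon entropy and scans a buffer for those encodings. The sample buffers, the pattern names and the 7.0 threshold are constructed assumptions, and the matching is alignment-agnostic byte search rather than disassembly, so confirm hits in a disassembler before treating them as code; rdtsc in particular also appears in ordinary runtime code.

```python
"""Static triage for the traits flagged above: section entropy, PEB reads
(mov eax, fs:[30h]), rdtsc timing checks and push-register/ret gadgets.

Added example, not code from the report or the sandbox. The byte buffers are
constructed to exercise the scanner; offsets are not those of the sample.
"""
import math
import random
import sys
from collections import Counter

# 32-bit encodings of the instructions the report lists. Assumption: only
# these exact forms are matched (a PEB read through a register other than
# eax is not), and matching ignores instruction alignment.
ANTI_DEBUG = {
    "peb_read": [b"\x64\xa1\x30\x00\x00\x00"],   # mov eax, dword ptr fs:[30h]
    "rdtsc":    [b"\x0f\x31"],                    # rdtsc
}
GADGETS = {
    # push r32 (0x50+reg) followed by ret (C3), retf (CB) or iretd (CF)
    "push_reg_ret": [bytes([0x50 + r, tail]) for r in range(8) for tail in (0xC3, 0xCB, 0xCF)],
    "pushfd_ret":   [b"\x9c\xc3", b"\x9c\xcb"],   # pushfd ; ret / retf
    "pushad_ret":   [b"\x60\xc3"],                # pushad ; ret
    "push_ds_ret":  [b"\x1e\xc3"],                # push ds ; ret
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, up to 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_patterns(data: bytes) -> dict:
    """Map each pattern name to the sorted offsets where its bytes occur."""
    hits = {}
    for name, seqs in {**ANTI_DEBUG, **GADGETS}.items():
        offsets = []
        for seq in seqs:
            i = data.find(seq)
            while i != -1:
                offsets.append(i)
                i = data.find(seq, i + 1)
        hits[name] = sorted(offsets)
    return hits


def triage(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Summarise a section or dumped region along the report's signature lines."""
    hits = scan_patterns(data)
    ent = shannon_entropy(data)
    return {
        "entropy": round(ent, 3),
        "packed_or_encrypted": ent >= entropy_threshold,   # report: .text at 7.137
        "anti_debug": bool(hits["peb_read"] or hits["rdtsc"]),
        "gadget_count": sum(len(hits[k]) for k in GADGETS),
        "hits": hits,
    }


# Constructed 36-byte buffer: an ordinary prologue, then the flagged patterns.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                 # push ebp ; mov ebp, esp
    + b"\x64\xa1\x30\x00\x00\x00"   # mov eax, fs:[30h]      (offset 3)
    + b"\x8b\x40\x02"               # mov eax, [eax+2]
    + b"\x0f\x31"                   # rdtsc                  (offset 12)
    + b"\x90" * 16                  # nop sled
    + b"\x9c\xc3"                   # pushfd ; ret           (offset 30)
    + b"\x52\xcb"                   # push edx ; retf        (offset 32)
    + b"\x55\xcf"                   # push ebp ; iretd       (offset 34)
)
# Constructed stand-in for an encrypted section (fixed seed, reproducible).
_rng = random.Random(1)
HIGH_ENTROPY = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CODE
    print(triage(data))
```

Point it at a carved .text section or a dumped region to reproduce the report's three observations in one pass: entropy above the threshold, at least one PEB read or rdtsc, and a non-zero gadget count. A single push/ret pair is a weak signal on its own; the sandbox flags the trait because a dozen of them occur inside one small region.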