Windows Analysis Report PKO_TRANS_DETAILS_20211216_0809521.exe

Overview

General Information

Sample Name: PKO_TRANS_DETAILS_20211216_0809521.exe
Analysis ID: 540990
MD5: 1823b507e96d8138bada7c65d424abcc
SHA1: e5d7884da7d17ba0ae592ff787e84ae665e21c3a
SHA256: 99b81b452d173986229ed512383e05214f35c819aa9da4c2a972bb05c880d536
Tags: exe

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.805543754.0000000004C80000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1byST7nT"}
Multi AV Scanner detection for submitted file
Source: PKO_TRANS_DETAILS_20211216_0809521.exe Virustotal: Detection: 20%

Compliance:

Uses 32bit PE files
Source: PKO_TRANS_DETAILS_20211216_0809521.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1byST7nT

System Summary:

Uses 32bit PE files
Source: PKO_TRANS_DETAILS_20211216_0809521.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: PKO_TRANS_DETAILS_20211216_0809521.exe, 00000000.00000002.803502480.0000000000425000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDagins.exe vs PKO_TRANS_DETAILS_20211216_0809521.exe
Source: PKO_TRANS_DETAILS_20211216_0809521.exe Binary or memory string: OriginalFilenameDagins.exe vs PKO_TRANS_DETAILS_20211216_0809521.exe
PE file contains strange resources
Source: PKO_TRANS_DETAILS_20211216_0809521.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_00401E86 0_2_00401E86
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C884B3 0_2_04C884B3
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C8D3CE 0_2_04C8D3CE
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C880CC 0_2_04C880CC
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C88CCE 0_2_04C88CCE
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C860C1 0_2_04C860C1
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C804D3 0_2_04C804D3
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C868E8 0_2_04C868E8
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86CE3 0_2_04C86CE3
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C804E6 0_2_04C804E6
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C890E6 0_2_04C890E6
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C884F4 0_2_04C884F4
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C894A0 0_2_04C894A0
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C884B6 0_2_04C884B6
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86C56 0_2_04C86C56
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86069 0_2_04C86069
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86878 0_2_04C86878
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C8587D 0_2_04C8587D
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C8647E 0_2_04C8647E
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C88C06 0_2_04C88C06
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86014 0_2_04C86014
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C865D8 0_2_04C865D8
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C805DA 0_2_04C805DA
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C865DE 0_2_04C865DE
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C869D6 0_2_04C869D6
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C865E9 0_2_04C865E9
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86580 0_2_04C86580
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C80584 0_2_04C80584
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86985 0_2_04C86985
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86D95 0_2_04C86D95
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C869A0 0_2_04C869A0
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C861BE 0_2_04C861BE
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C89154 0_2_04C89154
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86501 0_2_04C86501
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C8051E 0_2_04C8051E
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C88D15 0_2_04C88D15
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86928 0_2_04C86928
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C8613F 0_2_04C8613F
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C862E2 0_2_04C862E2
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C866F5 0_2_04C866F5
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C88AF5 0_2_04C88AF5
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C88A8F 0_2_04C88A8F
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C8C285 0_2_04C8C285
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C88297 0_2_04C88297
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C85EB9 0_2_04C85EB9
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86249 0_2_04C86249
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C85A55 0_2_04C85A55
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86661 0_2_04C86661
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86A65 0_2_04C86A65
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86E28 0_2_04C86E28
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C85E2C 0_2_04C85E2C
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C85A31 0_2_04C85A31
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C863F6 0_2_04C863F6
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86B84 0_2_04C86B84
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C85FA4 0_2_04C85FA4
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C88BBA 0_2_04C88BBA
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86BB1 0_2_04C86BB1
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C8674D 0_2_04C8674D
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C85F46 0_2_04C85F46
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C8637E 0_2_04C8637E
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C86B09 0_2_04C86B09
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C884B3 NtAllocateVirtualMemory, 0_2_04C884B3
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C880CC NtAllocateVirtualMemory, 0_2_04C880CC
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C884F4 NtAllocateVirtualMemory, 0_2_04C884F4
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C884B6 NtAllocateVirtualMemory, 0_2_04C884B6
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C885B2 NtAllocateVirtualMemory, 0_2_04C885B2
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C8855C NtAllocateVirtualMemory, 0_2_04C8855C
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C886AA NtAllocateVirtualMemory, 0_2_04C886AA
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C88631 NtAllocateVirtualMemory, 0_2_04C88631
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Process Stats: CPU usage > 98%
Source: PKO_TRANS_DETAILS_20211216_0809521.exe Virustotal: Detection: 20%
Source: PKO_TRANS_DETAILS_20211216_0809521.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe File created: C:\Users\user\AppData\Local\Temp\~DF4AE55F204BB0FB8A.TMP
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.805543754.0000000004C80000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_00406A78 push ebp; ret 0_2_00406A79
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_004081F5 push eax; ret 0_2_004081F6
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C89595 push es; ret 0_2_04C89597
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C8B11A push FFFFFFB9h; retf 0_2_04C8B126
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C8293C push ebp; iretd 0_2_04C8293D
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C83EA4 push ebx; ret 0_2_04C83EA7
Source: initial sample Static PE information: section name: .text entropy: 6.98717798783
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C87CFD rdtsc 0_2_04C87CFD

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C8A906 mov eax, dword ptr fs:[00000030h] 0_2_04C8A906
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C87AD4 mov eax, dword ptr fs:[00000030h] 0_2_04C87AD4
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C8C285 mov eax, dword ptr fs:[00000030h] 0_2_04C8C285
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C8B397 mov eax, dword ptr fs:[00000030h] 0_2_04C8B397
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C87CFD rdtsc 0_2_04C87CFD
Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exe Code function: 0_2_04C8D3CE RtlAddVectoredExceptionHandler, 0_2_04C8D3CE
Source: PKO_TRANS_DETAILS_20211216_0809521.exe, 00000000.00000002.803824263.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: PKO_TRANS_DETAILS_20211216_0809521.exe, 00000000.00000002.803824263.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: PKO_TRANS_DETAILS_20211216_0809521.exe, 00000000.00000002.803824263.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Progman
Source: PKO_TRANS_DETAILS_20211216_0809521.exe, 00000000.00000002.803824263.0000000000C50000.00000002.00020000.sdmp Binary or memory string: Progmanlock