Windows Analysis Report
cP5nXH8fQI

Overview

General Information

Sample Name: cP5nXH8fQI (renamed file extension from none to exe)
Analysis ID: 559052
MD5: 37fc2aa213d1607545a9b876f4aa543e
SHA1: 7da3e745ac618d2aee602d1de1957aa4442c98ed
SHA256: 4486318d812a32852db5a4b8bd19dc456890b6c9a1bd03ffe94e2ef189394d90
Tags: 32, exe, trojan

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Drops PE files
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 00000000.00000002.767624973.0000000002940000.00000040.00000800.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://bangladeshshoecity.com/im"}
Source: cP5nXH8fQI.exe Virustotal: Detection: 10%
Source: cP5nXH8fQI.exe ReversingLabs: Detection: 18%

Compliance

Source: cP5nXH8fQI.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: cP5nXH8fQI.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B

Networking

Source: Malware configuration extractor URLs: https://bangladeshshoecity.com/im
Source: cP5nXH8fQI.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: cP5nXH8fQI.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: cP5nXH8fQI.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: cP5nXH8fQI.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: cP5nXH8fQI.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: cP5nXH8fQI.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: cP5nXH8fQI.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: cP5nXH8fQI.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: cP5nXH8fQI.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: cP5nXH8fQI.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: cP5nXH8fQI.exe String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056DE

System Summary

Source: cP5nXH8fQI.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_0040755C 0_2_0040755C
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_00406D85 0_2_00406D85
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_70581BFF 0_2_70581BFF
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_0294559A 0_2_0294559A
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_02943A95 0_2_02943A95
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_02945881 0_2_02945881
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_029452F8 0_2_029452F8
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_02940217 0_2_02940217
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_02945435 0_2_02945435
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_0294744F 0_2_0294744F
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_0294767A 0_2_0294767A
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_0294719A 0_2_0294719A
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_029441F1 0_2_029441F1
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_029439FE 0_2_029439FE
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_029415FB 0_2_029415FB
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_02946D17 0_2_02946D17
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_02943B22 0_2_02943B22
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_02943D5A 0_2_02943D5A
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_0294734F 0_2_0294734F
Source: cP5nXH8fQI.exe Static PE information: invalid certificate
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_0294559A NtAllocateVirtualMemory, 0_2_0294559A
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_029452F8 NtAllocateVirtualMemory, 0_2_029452F8
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Process Stats: CPU usage > 98%
Source: cP5nXH8fQI.exe Virustotal: Detection: 10%
Source: cP5nXH8fQI.exe ReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe File read: C:\Users\user\Desktop\cP5nXH8fQI.exe
Source: cP5nXH8fQI.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe File created: C:\Users\user\AppData\Local\Temp\nsr50D.tmp
Source: classification engine Classification label: mal68.troj.winEXE@1/3@0/0
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_0040498A
Source: cP5nXH8fQI.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Source: Yara match File source: 00000000.00000002.767624973.0000000002940000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_705830C0 push eax; ret 0_2_705830EE
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_02942EF0 push es; iretd 0_2_02942EF3
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_70581BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_70581BFF

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\cP5nXH8fQI.exe File created: C:\Users\user\AppData\Local\Temp\nss731.tmp\System.dll
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_029450C4 rdtsc 0_2_029450C4
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_0294689E mov eax, dword ptr fs:[00000030h] 0_2_0294689E
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_0294744F mov eax, dword ptr fs:[00000030h] 0_2_0294744F
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_02944F83 mov eax, dword ptr fs:[00000030h] 0_2_02944F83
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_02946BA0 mov eax, dword ptr fs:[00000030h] 0_2_02946BA0
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_70581BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_70581BFF
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_029450C4 rdtsc 0_2_029450C4
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_0294809F RtlAddVectoredExceptionHandler, 0_2_0294809F
Source: C:\Users\user\Desktop\cP5nXH8fQI.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
No contacted IP infos