Windows Analysis Report
9u4xTDR5bG

Overview

General Information

Sample Name: 9u4xTDR5bG (renamed file extension from none to exe)
Analysis ID: 561346
MD5: 82c5cdde9df0a76e2933c1cd8bfc7887
SHA1: 7b391b4429dfbf19030fb49ce750aa3c8b844a6b
SHA256: 243ae30d42e90000b882779fae40e0056eab332b95e2c938446138a80868909e
Tags: 32, exe, signed, trojan

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Drops PE files
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 00000000.00000002.764364094.0000000002A50000.00000040.00000800.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://bangladeshshoecity.com/images/2w"}
Source: 9u4xTDR5bG.exe Virustotal: Detection: 31%
Source: 9u4xTDR5bG.exe ReversingLabs: Detection: 44%

Compliance

Source: 9u4xTDR5bG.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 9u4xTDR5bG.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B

Networking

Source: Malware configuration extractor URLs: https://bangladeshshoecity.com/images/2w
Source: 9u4xTDR5bG.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 9u4xTDR5bG.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 9u4xTDR5bG.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 9u4xTDR5bG.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 9u4xTDR5bG.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 9u4xTDR5bG.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 9u4xTDR5bG.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 9u4xTDR5bG.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: 9u4xTDR5bG.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: 9u4xTDR5bG.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: 9u4xTDR5bG.exe String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056DE

System Summary

Source: 9u4xTDR5bG.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_0040755C 0_2_0040755C
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_00406D85 0_2_00406D85
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_73201BFF 0_2_73201BFF
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A55694 0_2_02A55694
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A53CAF 0_2_02A53CAF
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A54EDA 0_2_02A54EDA
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A57839 0_2_02A57839
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A5521F 0_2_02A5521F
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A57658 0_2_02A57658
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A55982 0_2_02A55982
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A53B8F 0_2_02A53B8F
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A5279C 0_2_02A5279C
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A53FE2 0_2_02A53FE2
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A57564 0_2_02A57564
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A52749 0_2_02A52749
Source: 9u4xTDR5bG.exe Static PE information: invalid certificate
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A55694 NtAllocateVirtualMemory, 0_2_02A55694
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Process Stats: CPU usage > 98%
Source: 9u4xTDR5bG.exe Virustotal: Detection: 31%
Source: 9u4xTDR5bG.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe File read: C:\Users\user\Desktop\9u4xTDR5bG.exe
Source: 9u4xTDR5bG.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe File created: C:\Users\user\AppData\Local\Temp\nsl4A9B.tmp
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/3@0/0
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_0040498A
Source: 9u4xTDR5bG.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Source: Yara match File source: 00000000.00000002.764364094.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_732030C0 push eax; ret 0_2_732030EE
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_73201BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_73201BFF

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\9u4xTDR5bG.exe File created: C:\Users\user\AppData\Local\Temp\nsm4CBF.tmp\System.dll
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\9u4xTDR5bG.exe RDTSC instruction interceptor: First address: 0000000002A551C3 second address: 0000000002A551C3 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 42A4596Fh
    0x00000007 sub eax, FBADDA8Dh
    0x0000000c xor eax, 87ED79C8h
    0x00000011 xor eax, C11B072Bh
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 call 00007F151CAE4FDEh
    0x0000001e lfence
    0x00000021 mov edx, B78E5550h
    0x00000026 xor edx, 614933DAh
    0x0000002c add edx, 0CEF4ABFh
    0x00000032 xor edx, 9C48B15Dh
    0x00000038 mov edx, dword ptr [edx]
    0x0000003a lfence
    0x0000003d ret
    0x0000003e test dx, bx
    0x00000041 sub edx, esi
    0x00000043 ret
    0x00000044 pop ecx
    0x00000045 cmp ch, 0000007Eh
    0x00000048 add edi, edx
    0x0000004a dec ecx
    0x0000004b mov dword ptr [ebp+00000227h], 169B01A4h
    0x00000055 xor dword ptr [ebp+00000227h], BF933C27h
    0x0000005f fnop
    0x00000061 sub dword ptr [ebp+00000227h], B3AFC749h
    0x0000006b xor dword ptr [ebp+00000227h], F558763Ah
    0x00000075 cmp ecx, dword ptr [ebp+00000227h]
    0x0000007b jne 00007F151CAE4F85h
    0x0000007d mov dword ptr [ebp+0000024Ch], esi
    0x00000083 mov esi, ecx
    0x00000085 push esi
    0x00000086 mov esi, dword ptr [ebp+0000024Ch]
    0x0000008c call 00007F151CAE503Fh
    0x00000091 call 00007F151CAE4FFFh
    0x00000096 lfence
    0x00000099 mov edx, B78E5550h
    0x0000009e xor edx, 614933DAh
    0x000000a4 add edx, 0CEF4ABFh
    0x000000aa xor edx, 9C48B15Dh
    0x000000b0 mov edx, dword ptr [edx]
    0x000000b2 lfence
    0x000000b5 ret
    0x000000b6 mov esi, edx
    0x000000b8 pushad
    0x000000b9 rdtsc
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A5542A rdtsc 0_2_02A5542A
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A550A9 mov eax, dword ptr fs:[00000030h] 0_2_02A550A9
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A56CD9 mov eax, dword ptr fs:[00000030h] 0_2_02A56CD9
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A56A06 mov eax, dword ptr fs:[00000030h] 0_2_02A56A06
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A537EC mov eax, dword ptr fs:[00000030h] 0_2_02A537EC
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A57564 mov eax, dword ptr fs:[00000030h] 0_2_02A57564
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_73201BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_73201BFF
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A5542A rdtsc 0_2_02A5542A
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_02A58130 RtlAddVectoredExceptionHandler, 0_2_02A58130
Source: C:\Users\user\Desktop\9u4xTDR5bG.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
No contacted IP infos