Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 623387
MD5: 2beb53482de8f6a713deb6fa9f9e7267
SHA1: 0959ea9b1697d980da699f8375f91ca1df8e0f56
SHA256: 7ac7845621113c87e927eb2b582af6f1809e4866e4ee0f089dd1c6ab0042dd27
Tags: exe
Infos:

Detection

GuLoader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Found malware configuration
Source: 00000000.00000002.784726043.00000000030B0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://msdvc.com/oluwa_RcQBQnZSyJ230.bin"}
Multi AV Scanner detection for submitted file
Source: file.exe Virustotal: Detection: 26% Perma Link
Source: file.exe ReversingLabs: Detection: 21%
Antivirus detection for URL or domain
Source: https://msdvc.com/oluwa_RcQBQnZSyJ230.bin Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: https://msdvc.com/oluwa_RcQBQnZSyJ230.bin Virustotal: Detection: 5% Perma Link
Uses 32bit PE files
Source: file.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: file.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\Config_Editor\obj\Release\ConfigXML_ScenarioProfile.pdb, source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\Config_Editor\obj\Release\ConfigXML_ScenarioProfile.pdb source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr
Source: Binary string: MsMpCom.pdb source: file.exe, 00000000.00000002.783091463.000000000040A000.00000004.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.261521429.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, MsMpCom.dll.0.dr
Source: Binary string: MsMpCom.pdbGCTL source: file.exe, 00000000.00000002.783091463.000000000040A000.00000004.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.261521429.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, MsMpCom.dll.0.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://msdvc.com/oluwa_RcQBQnZSyJ230.bin
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: file.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056A8
Uses 32bit PE files
Source: file.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameConfigXML_ScenarioProfile.dllT vs file.exe
Source: file.exe, 00000000.00000003.261521429.00000000027ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpCom.dllj% vs file.exe
PE file contains strange resources
Source: file.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406BFE 0_2_00406BFE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_72E61BFF 0_2_72E61BFF
PE / OLE file has an invalid certificate
Source: file.exe Static PE information: invalid certificate
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 98%
Source: file.exe Virustotal: Detection: 26%
Source: file.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\nssEAB6.tmp Jump to behavior
Source: classification engine Classification label: mal88.troj.evad.winEXE@1/6@0/0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404954
Source: file.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\Config_Editor\obj\Release\ConfigXML_ScenarioProfile.pdb, source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\Config_Editor\obj\Release\ConfigXML_ScenarioProfile.pdb source: file.exe, 00000000.00000003.260908380.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.0.dr
Source: Binary string: MsMpCom.pdb source: file.exe, 00000000.00000002.783091463.000000000040A000.00000004.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.261521429.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, MsMpCom.dll.0.dr
Source: Binary string: MsMpCom.pdbGCTL source: file.exe, 00000000.00000002.783091463.000000000040A000.00000004.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.261521429.00000000027ED000.00000004.00000800.00020000.00000000.sdmp, MsMpCom.dll.0.dr

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.784726043.00000000030B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_72E630C0 push eax; ret 0_2_72E630EE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_72E61BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_72E61BFF
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\MsMpCom.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\ConfigXML_ScenarioProfile.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\nsaF229.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 00000000030BD9E3 second address: 00000000030BD9E3 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FD358363427h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 cmp ax, dx 0x0000000b rdtsc
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MsMpCom.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ConfigXML_ScenarioProfile.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_72E61BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_72E61BFF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 623387 Sample: file.exe Startdate: 10/05/2022 Architecture: WINDOWS Score: 88 15 Multi AV Scanner detection for domain / URL 2->15 17 Found malware configuration 2->17 19 Antivirus detection for URL or domain 2->19 21 3 other signatures 2->21 5 file.exe 22 2->5         started        process3 file4 9 C:\Users\user\AppData\Local\...\System.dll, PE32 5->9 dropped 11 C:\Users\user\AppData\Local\...\MsMpCom.dll, PE32+ 5->11 dropped 13 C:\Users\...\ConfigXML_ScenarioProfile.dll, PE32 5->13 dropped 23 Tries to detect virtualization through RDTSC time measurements 5->23 signatures5
No contacted IP infos

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://msdvc.com/oluwa_RcQBQnZSyJ230.bin true
  • 5%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown