Windows Analysis Report
xcVh7ZmH4Y

Overview

General Information

Sample Name: xcVh7ZmH4Y (renamed file extension from none to exe)
Analysis ID: 623886
MD5: d17d180329065df1bf54501a2c8e138b
SHA1: 255c70621a90d6070d2585ef47eaff05c143c54a
SHA256: 6a3b4d2025462d750011db9881bd74700cf7e2e7708398a18dfec422555ba438
Tags: exe
Infos:

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: xcVh7ZmH4Y.exe Avira: detected
Found malware configuration
Source: 00000000.00000002.896769853.0000000002D00000.00000040.00000001.00040000.00000007.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1VssbX_L5DESUoNwRHcbF42fii8wzHqEA"}
Multi AV Scanner detection for submitted file
Source: xcVh7ZmH4Y.exe Metadefender: Detection: 22% Perma Link
Source: xcVh7ZmH4Y.exe ReversingLabs: Detection: 39%
Uses 32bit PE files
Source: xcVh7ZmH4Y.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: xcVh7ZmH4Y.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp, AsOpenFile.exe.0.dr
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb,,)GCTL source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp, AsOpenFile.exe.0.dr
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1VssbX_L5DESUoNwRHcbF42fii8wzHqEA
Source: AsOpenFile.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AsOpenFile.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://crl.F
Source: AsOpenFile.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: AsOpenFile.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: AsOpenFile.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AsOpenFile.exe.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AsOpenFile.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AsOpenFile.exe.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: xcVh7ZmH4Y.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: AsOpenFile.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: AsOpenFile.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: AsOpenFile.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: AsOpenFile.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: AsOpenFile.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: AsOpenFile.exe.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp, AsOpenFile.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056DE
Uses 32bit PE files
Source: xcVh7ZmH4Y.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAsOpenFile.exeL vs xcVh7ZmH4Y.exe
PE file contains strange resources
Source: xcVh7ZmH4Y.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AsOpenFile.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Detected potential crypto function
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_0040755C 0_2_0040755C
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_00406D85 0_2_00406D85
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_73541BFF 0_2_73541BFF
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Process Stats: CPU usage > 98%
Source: xcVh7ZmH4Y.exe Metadefender: Detection: 22%
Source: xcVh7ZmH4Y.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe File read: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Jump to behavior
Source: xcVh7ZmH4Y.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe File created: C:\Users\user\AppData\Local\Temp\nsg70C8.tmp Jump to behavior
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe File written: C:\Users\user\AppData\Local\Temp\duperinger.ini Jump to behavior
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/7@0/0
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_0040498A
Source: xcVh7ZmH4Y.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp, AsOpenFile.exe.0.dr
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb,,)GCTL source: xcVh7ZmH4Y.exe, 00000000.00000002.895018034.000000000040D000.00000004.00000001.01000000.00000003.sdmp, AsOpenFile.exe.0.dr

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.896769853.0000000002D00000.00000040.00000001.00040000.00000007.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_735430C0 push eax; ret 0_2_735430EE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_73541BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_73541BFF
Drops PE files
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe File created: C:\Users\user\AppData\Local\Temp\AsOpenFile.exe Jump to dropped file
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe File created: C:\Users\user\AppData\Local\Temp\nss732B.tmp\System.dll Jump to dropped file
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe RDTSC instruction interceptor: First address: 0000000002D05B85 second address: 0000000002D05B85 instructions: 0x00000000 rdtsc 0x00000002 cmp bx, dx 0x00000005 test ch, bh 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F51ECBB244Dh 0x0000000b inc ebp 0x0000000c test edi, 09E7C1CFh 0x00000012 inc ebx 0x00000013 cmp ah, dh 0x00000015 rdtsc
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AsOpenFile.exe Jump to dropped file
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe API call chain: ExitProcess graph end node
Source: xcVh7ZmH4Y.exe, 00000000.00000002.895956305.0000000000731000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_73541BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_73541BFF
Source: C:\Users\user\Desktop\xcVh7ZmH4Y.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 623886 Sample: xcVh7ZmH4Y Startdate: 10/05/2022 Architecture: WINDOWS Score: 80 13 Found malware configuration 2->13 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 2 other signatures 2->19 5 xcVh7ZmH4Y.exe 2 24 2->5         started        process3 file4 9 C:\Users\user\AppData\Local\...\System.dll, PE32 5->9 dropped 11 C:\Users\user\AppData\...\AsOpenFile.exe, PE32+ 5->11 dropped 21 Tries to detect virtualization through RDTSC time measurements 5->21 signatures5
No contacted IP infos