Windows Analysis Report
Transferencia.exe

Overview

General Information

Sample Name: Transferencia.exe
Analysis ID: 624276
MD5: fb1d131568bdd2fa951608534f83a75c
SHA1: ff02df2cb07c221b8ed3583c6dafb8c0e35684f8
SHA256: 42625067621ac2dba6b95e565a48454637f46185356034da214a00a3d453c971
Tags: exe
Infos:

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
PE file contains strange resources
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Found malware configuration
Source: 00000000.00000002.756250628.0000000002D50000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1hB?$1A"}
Multi AV Scanner detection for submitted file
Source: Transferencia.exe ReversingLabs: Detection: 26%
Uses 32bit PE files
Source: Transferencia.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Transferencia.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Transferencia.exe Code function: 0_2_00406850 FindFirstFileW,FindClose, 0_2_00406850
Source: C:\Users\user\Desktop\Transferencia.exe Code function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C26
Source: C:\Users\user\Desktop\Transferencia.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1hB?$1A
Source: Transferencia.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Transferencia.exe Code function: 0_2_004056BB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056BB
Uses 32bit PE files
Source: Transferencia.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
PE file contains strange resources
Source: Transferencia.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Transferencia.exe Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040350A
Detected potential crypto function
Source: C:\Users\user\Desktop\Transferencia.exe Code function: 0_2_732A1BFF 0_2_732A1BFF
PE / OLE file has an invalid certificate
Source: Transferencia.exe Static PE information: invalid certificate
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Transferencia.exe Process Stats: CPU usage > 98%
Source: Transferencia.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\Transferencia.exe File read: C:\Users\user\Desktop\Transferencia.exe Jump to behavior
Source: Transferencia.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Transferencia.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040350A
Source: C:\Users\user\Desktop\Transferencia.exe File created: C:\Users\user\AppData\Local\Temp\nsnC5D7.tmp Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe File written: C:\Users\user\AppData\Local\Temp\FJERKRFARMENES.ini Jump to behavior
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/3@0/0
Source: C:\Users\user\Desktop\Transferencia.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\Transferencia.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe Code function: 0_2_00404967 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404967
Source: Transferencia.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.756250628.0000000002D50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Transferencia.exe Code function: 0_2_732A30C0 push eax; ret 0_2_732A30EE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Transferencia.exe Code function: 0_2_732A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_732A1BFF
Drops PE files
Source: C:\Users\user\Desktop\Transferencia.exe File created: C:\Users\user\AppData\Local\Temp\nstC730.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\Transferencia.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Transferencia.exe RDTSC instruction interceptor: First address: 0000000002D6467E second address: 0000000002D6467E instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F04749FF19Ah 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe Code function: 0_2_00406850 FindFirstFileW,FindClose, 0_2_00406850
Source: C:\Users\user\Desktop\Transferencia.exe Code function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C26
Source: C:\Users\user\Desktop\Transferencia.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\Transferencia.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Transferencia.exe API call chain: ExitProcess graph end node
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Transferencia.exe Code function: 0_2_732A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_732A1BFF
Source: C:\Users\user\Desktop\Transferencia.exe Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040350A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 624276 Sample: Transferencia.exe Startdate: 11/05/2022 Architecture: WINDOWS Score: 72 11 Found malware configuration 2->11 13 Multi AV Scanner detection for submitted file 2->13 15 Yara detected GuLoader 2->15 17 C2 URLs / IPs found in malware configuration 2->17 5 Transferencia.exe 20 2->5         started        process3 file4 9 C:\Users\user\AppData\Local\...\System.dll, PE32 5->9 dropped 19 Tries to detect virtualization through RDTSC time measurements 5->19 signatures5
No contacted IP infos