Windows Analysis Report
INVOICE.exe

Overview

General Information

Sample Name: INVOICE.exe
Analysis ID: 634111
MD5: a10619d494661c1f8ca180e53c5a11fd
SHA1: 1273e17b50d8d33078df02447fa9adaab255b459
SHA256: e126c11aec2897bd7959747e70bc85d4153abdadbe45344bb41771ced23f3228
Tags: exeInvoicesigned
Infos:

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
PE file does not import any functions
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Binary contains a suspicious time stamp
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Found malware configuration
Source: 00000000.00000002.899311337.00000000029F0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/963535165500588126/978282265127825408/NANOBIN_HBsjI150.bin"}
Multi AV Scanner detection for submitted file
Source: INVOICE.exe ReversingLabs: Detection: 42%
Uses 32bit PE files
Source: INVOICE.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\INVOICE.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\heliolitidae Jump to behavior
Source: INVOICE.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\net6.0-Release\System.Threading.pdb source: System.Threading.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Handles\net6.0-Release\System.Runtime.Handles.pdb source: System.Runtime.Handles.dll.0.dr
Source: Binary string: System.Threading.ni.pdb source: System.Threading.dll.0.dr
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData\Local\Temp\Arteriagra2.Syr Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData\Local\Temp\alnicoes.til Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://cdn.discordapp.com/attachments/963535165500588126/978282265127825408/NANOBIN_HBsjI150.bin
Source: INVOICE.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: INVOICE.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: INVOICE.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: INVOICE.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: updater.ini.0.dr String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: INVOICE.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: INVOICE.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: INVOICE.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: System.Threading.dll.0.dr, System.Runtime.Handles.dll.0.dr String found in binary or memory: https://github.com/dotnet/runtime
Source: System.Threading.dll.0.dr String found in binary or memory: https://github.com/dotnet/runtimeBSJB
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056DE

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: INVOICE.exe
Executable has a suspicious name (potential lure to open the executable)
Source: INVOICE.exe Static file information: Suspicious name
Uses 32bit PE files
Source: INVOICE.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
PE file does not import any functions
Source: System.Threading.dll.0.dr Static PE information: No import functions for PE file found
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Detected potential crypto function
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_0040755C 0_2_0040755C
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_00406D85 0_2_00406D85
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_73541BFF 0_2_73541BFF
PE / OLE file has an invalid certificate
Source: INVOICE.exe Static PE information: invalid certificate
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\INVOICE.exe Process Stats: CPU usage > 98%
Source: INVOICE.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\INVOICE.exe File read: C:\Users\user\Desktop\INVOICE.exe Jump to behavior
Source: INVOICE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INVOICE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Source: C:\Users\user\Desktop\INVOICE.exe File created: C:\Users\user\AppData\Local\Temp\nse446C.tmp Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe File written: C:\Users\user\AppData\Local\Temp\updater.ini Jump to behavior
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/10@0/0
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\INVOICE.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_0040498A
Source: C:\Users\user\Desktop\INVOICE.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\heliolitidae Jump to behavior
Source: INVOICE.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\net6.0-Release\System.Threading.pdb source: System.Threading.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Handles\net6.0-Release\System.Runtime.Handles.pdb source: System.Runtime.Handles.dll.0.dr
Source: Binary string: System.Threading.ni.pdb source: System.Threading.dll.0.dr

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.899311337.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_735430C0 push eax; ret 0_2_735430EE
Binary contains a suspicious time stamp
Source: System.Runtime.Handles.dll.0.dr Static PE information: 0xABF00243 [Sun May 29 22:59:15 2061 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_73541BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_73541BFF
Drops PE files
Source: C:\Users\user\Desktop\INVOICE.exe File created: C:\Users\user\AppData\Local\Temp\System.Threading.dll Jump to dropped file
Source: C:\Users\user\Desktop\INVOICE.exe File created: C:\Users\user\AppData\Local\Temp\nsg5565.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\INVOICE.exe File created: C:\Users\user\AppData\Local\Temp\System.Runtime.Handles.dll Jump to dropped file
Source: C:\Users\user\Desktop\INVOICE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\INVOICE.exe RDTSC instruction interceptor: First address: 00000000029F2B3A second address: 00000000029F2B3A instructions: 0x00000000 rdtsc 0x00000002 cmp ah, ch 0x00000004 test bl, bl 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F97D0B3BC0Ah 0x0000000a cmp dh, FFFFFFB8h 0x0000000d test bl, cl 0x0000000f inc ebp 0x00000010 cmp bx, EC37h 0x00000015 inc ebx 0x00000016 test ebx, edx 0x00000018 rdtsc
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\INVOICE.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Threading.dll Jump to dropped file
Source: C:\Users\user\Desktop\INVOICE.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Runtime.Handles.dll Jump to dropped file
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\INVOICE.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\INVOICE.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData\Local\Temp\Arteriagra2.Syr Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData\Local\Temp\alnicoes.til Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_73541BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_73541BFF
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 634111 Sample: INVOICE.exe Startdate: 25/05/2022 Architecture: WINDOWS Score: 80 15 Found malware configuration 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected GuLoader 2->19 21 3 other signatures 2->21 5 INVOICE.exe 3 27 2->5         started        process3 file4 9 C:\Users\user\AppData\Local\...\System.dll, PE32 5->9 dropped 11 C:\Users\user\...\System.Threading.dll, PE32+ 5->11 dropped 13 C:\Users\user\...\System.Runtime.Handles.dll, PE32 5->13 dropped 23 Tries to detect virtualization through RDTSC time measurements 5->23 signatures5
No contacted IP infos

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://cdn.discordapp.com/attachments/963535165500588126/978282265127825408/NANOBIN_HBsjI150.bin false
    		high