Windows Analysis Report
xKBLVUHoY6

Overview

General Information

Sample Name: xKBLVUHoY6 (renamed file extension from none to exe)
Analysis ID: 679245
MD5: 6e0bf5d5220fbe4f7245653a259c7dad
SHA1: f077644ac1eb17aa811f4805e1f5f546b4f6166f
SHA256: 2914eb3edbf9dadb98429173fb1c1b5954742b10e49b1f804024e6448028f73e
Tags: exe

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
PE file contains strange resources
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: xKBLVUHoY6.exe Virustotal: Detection: 36%
Source: http://212.193.0.40/redi_oXifXcNSpB69.bin Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.bin Virustotal: Detection: 15%
Source: 00000000.00000002.753579119.00000000031B0000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://212.193.0.40/redi_oXifXcNSpB69.bin"}
Source: xKBLVUHoY6.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: xKBLVUHoY6.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D

Networking

Source: Malware configuration extractor URLs: http://212.193.0.40/redi_oXifXcNSpB69.bin
Source: xKBLVUHoY6.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: xKBLVUHoY6.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: xKBLVUHoY6.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: xKBLVUHoY6.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: xKBLVUHoY6.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: xKBLVUHoY6.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: xKBLVUHoY6.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: xKBLVUHoY6.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: xKBLVUHoY6.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: xKBLVUHoY6.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056A8
Source: xKBLVUHoY6.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_00406BFE 0_2_00406BFE
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_6EB81BFF 0_2_6EB81BFF
Source: xKBLVUHoY6.exe Static PE information: invalid certificate
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe File read: C:\Users\user\Desktop\xKBLVUHoY6.exe
Source: xKBLVUHoY6.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Lansat
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe File created: C:\Users\user\AppData\Local\Temp\nswD9D0.tmp
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/4@0/0
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404954

Data Obfuscation

Source: Yara match File source: 00000000.00000002.753579119.00000000031B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_6EB830C0 push eax; ret 0_2_6EB830EE
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Code function: 0_2_6EB81BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_6EB81BFF
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe File created: C:\Users\user\AppData\Local\Temp\nskE115.tmp\System.dll
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe RDTSC instruction interceptor: First address: 00000000031B2C46 second address: 00000000031B2C46 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FE5D8B46E4Ah 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe API call chain: ExitProcess graph end node
No contacted IP infos