Windows Analysis Report
Swift Mesaj#U0131#09971.exe

Overview

General Information

Sample Name: Swift Mesaj#U0131#09971.exe
Analysis ID: 755179
MD5: 310df09294b852bab67e158d95788150
SHA1: 9b69175fcbcc718212d21a77d39969309e9787f8
SHA256: d27bf1156e1a463ebada17bac3b3a314835cead7e75c4770c95ff21f06e00310
Tags: exe

Detection

GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Stores files to the Windows start menu directory
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: Swift Mesaj#U0131#09971.exe Virustotal: Detection: 10%
Source: Swift Mesaj#U0131#09971.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fivefoldness\Endosseringerne\Fouragen
Source: Swift Mesaj#U0131#09971.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_004065C5 FindFirstFileW,FindClose, 0_2_004065C5
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405990
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: Swift Mesaj#U0131#09971.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_00405425 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405425
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403373
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_00404C62 0_2_00404C62
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_00406ADD 0_2_00406ADD
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_004072B4 0_2_004072B4
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File read: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe
Source: Swift Mesaj#U0131#09971.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File created: C:\Users\user\AppData\Local\Temp\nsf4335.tmp
Source: classification engine Classification label: mal60.troj.evad.winEXE@1/6@0/0
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_004020FE CoCreateInstance, 0_2_004020FE
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004046E6

Data Obfuscation

Source: Yara match File source: 00000000.00000002.779301986.0000000002AA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File created: C:\Users\user\AppData\Local\Temp\nsy4C6D.tmp\System.dll
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Bikes
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Bikes\Bombekrater210
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Bikes\Bombekrater210\Cykelhandlerne.Sme
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\libxml2-2.0.typelib
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Coasting102.For
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Castrate
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Castrate\memstat.c
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Novelizes
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Ydervgg\Superassume\dodecaheddra\Novelizes\selection-end-symbolic.symbolic.png
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe RDTSC instruction interceptor: First address: 0000000002AA206E second address: 0000000002AA206E instructions:
    0x00000000 rdtsc
    0x00000002 jmp 00007F3DB4EDD2D4h
    0x00000004 cmp ebx, ecx
    0x00000006 jc 00007F3DB4EDD262h
    0x00000008 cmp ch, dh
    0x0000000a cmp al, bl
    0x0000000c inc ebp
    0x0000000d inc ebx
    0x0000000e rdtsc
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_004065C5 FindFirstFileW,FindClose, 0_2_004065C5
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405990
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\Swift Mesaj#U0131#09971.exe Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403373
No contacted IP infos