Windows Analysis Report
documentos DHL.exe

Overview

General Information

Sample Name: documentos DHL.exe
Analysis ID: 755464
MD5: ca1cd0656568af4f58aa28e61a3e3edb
SHA1: 1fde05eb6e587047d8a47950bcb2efdb53409b42
SHA256: 6931d5a8ac6e00c855139d9da394b7895d83a9a18a8974c0b2381c5a28e68678
Tags: DHLexe

Detection

GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Executable has a suspicious name (potential lure to open the executable)
Uses 32bit PE files
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
PE file contains more sections than normal
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Abnormally high CPU usage
Contains functionality to read data from the clipboard

Classification

Source: documentos DHL.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\documentos DHL.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Legendarian
Source: documentos DHL.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_004066F3 FindFirstFileW,FindClose, 0_2_004066F3
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405ABE
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: documentos DHL.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_00405553 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405553

System Summary

Source: initial sample Static PE information: Filename: documentos DHL.exe
Source: documentos DHL.exe Static file information: Suspicious name
Source: documentos DHL.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403489
Source: C:\Users\user\Desktop\documentos DHL.exe File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_00404D90 0_2_00404D90
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_00406ABA 0_2_00406ABA
Source: libpixbufloader-icns.dll.0.dr Static PE information: Number of sections : 11 > 10
Source: C:\Users\user\Desktop\documentos DHL.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\documentos DHL.exe File read: C:\Users\user\Desktop\documentos DHL.exe
Source: documentos DHL.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\documentos DHL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\documentos DHL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403489
Source: C:\Users\user\Desktop\documentos DHL.exe File created: C:\Users\user\Zorillinae
Source: C:\Users\user\Desktop\documentos DHL.exe File created: C:\Users\user\AppData\Local\Temp\nsb9999.tmp
Source: C:\Users\user\Desktop\documentos DHL.exe File written: C:\Windows\Resources\0409\Transcriptive.ini
Source: classification engine Classification label: mal60.troj.evad.winEXE@1/5@0/0
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_004020FE CoCreateInstance, 0_2_004020FE
Source: C:\Users\user\Desktop\documentos DHL.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_00404814 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404814
Source: C:\Users\user\Desktop\documentos DHL.exe Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Legendarian
Source: documentos DHL.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 00000000.00000002.772378244.0000000003110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
Source: libpixbufloader-icns.dll.0.dr Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\documentos DHL.exe File created: C:\Users\user\AppData\Local\Temp\nsrCE63.tmp\System.dll
Source: C:\Users\user\Desktop\documentos DHL.exe File created: C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\libpixbufloader-icns.dll
Source: C:\Users\user\Desktop\documentos DHL.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\documentos DHL.exe RDTSC instruction interceptor: First address: 00000000031136FD second address: 00000000031136FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBAD0C3B4E6h 0x00000004 test dl, dl 0x00000006 cmp ebx, ecx 0x00000008 jc 00007FBAD0C3B412h 0x0000000a inc ebp 0x0000000b inc ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\documentos DHL.exe Dropped PE file which has not been started: C:\Users\user\Zorillinae\Skaalpundet\Inkbslistes\Tset\Demodulationen\Iagttagerposition\libpixbufloader-icns.dll
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_004066F3 FindFirstFileW,FindClose, 0_2_004066F3
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405ABE
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: C:\Users\user\Desktop\documentos DHL.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\documentos DHL.exe Code function: 0_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403489
No contacted IP infos