Windows Analysis Report
flupdate.exe

Overview

General Information

Sample name: flupdate.exe
Analysis ID: 1562193
MD5: 728d903e430115d74f5adbd2f725f2eb
SHA1: 7786bd4ce8f25bc023722b4cb6fc17860a5e29bd
SHA256: c1d322835ee594b660a39b105516d944a92bba93af7c8b3f5e7bd0828aa6afe1

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Found evasive API chain (may stop execution after checking mutex)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evaded block containing many API calls
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 80.4% probability
Source: flupdate.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_00402870 _sprintf,FindFirstFileA,FindFirstFileA,_sprintf,FindFirstFileA,FindClose, 0_2_00402870
Source: flupdate.exe String found in binary or memory: http://crl.g
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_00401834 NtdllDefWindowProc_A,BeginPaint,GetClientRect,_strlen,DrawTextA,EndPaint,PostQuitMessage, 0_2_00401834
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_00412CCC 0_2_00412CCC
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_004078EF 0_2_004078EF
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_00412090 0_2_00412090
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_00413CB1 0_2_00413CB1
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_00403D70 0_2_00403D70
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_004125D4 0_2_004125D4
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_00411B4C 0_2_00411B4C
Source: C:\Users\user\Desktop\flupdate.exe Code function: String function: 00407EB8 appears 38 times
Source: flupdate.exe Binary string: \Device\KeyboardClass0@p
Source: classification engine Classification label: mal48.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_004026F0 GetDiskFreeSpaceExA, 0_2_004026F0
Source: C:\Users\user\Desktop\flupdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\FUMutexName
Source: C:\Users\user\Desktop\flupdate.exe Command line argument: -coh 0_2_00401E45
Source: C:\Users\user\Desktop\flupdate.exe Command line argument: -cmsg 0_2_00401E45
Source: C:\Users\user\Desktop\flupdate.exe Command line argument: FLU 0_2_00401E45
Source: C:\Users\user\Desktop\flupdate.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\flupdate.exe File read: C:\Users\user\Desktop\flupdate.exe
Source: C:\Users\user\Desktop\flupdate.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\flupdate.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\flupdate.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\flupdate.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\flupdate.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\flupdate.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\flupdate.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\flupdate.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\flupdate.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\flupdate.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_004376D0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_004376D0
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_004050C8 push dword ptr [ecx-75h]; iretd 0_2_004050D0
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_00420989 push eax; ret 0_2_004209B9
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_00420A08 push eax; ret 0_2_004209B9
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_00407EFD push ecx; ret 0_2_00407F10
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\flupdate.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\flupdate.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\flupdate.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\flupdate.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_004086F0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004086F0
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_004116D9 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_004116D9
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_00410421 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00410421
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_0040D02A SetUnhandledExceptionFilter, 0_2_0040D02A
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_00404FC8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00404FC8
Source: C:\Users\user\Desktop\flupdate.exe Code function: GetLocaleInfoA, 0_2_00413A30
Source: C:\Users\user\Desktop\flupdate.exe Code function: 0_2_0040D755 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0040D755
No contacted IP infos