Windows Analysis Report
oAuym78xev.exe

Overview

General Information

Sample name: oAuym78xev.exe (renamed because original name is a hash value)
Original sample name: 78ec0aabbdf53c96bdbf83c3cd42e0eb9c6dfc098977048133b5429c0551438e.exe
Analysis ID: 1631846
MD5: 6333f016a1eb2ef1cca4ec9cce3736ee
SHA1: 9da82c51e330af2ff761a5a05d183fbfcf814d33
SHA256: 78ec0aabbdf53c96bdbf83c3cd42e0eb9c6dfc098977048133b5429c0551438e
Tags: exe, signed, user-adrian__luca

Detection

GuLoader
Score: 80
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious PE digital signature
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • oAuym78xev.exe (PID: 7124 cmdline: "C:\Users\user\Desktop\oAuym78xev.exe" MD5: 6333F016A1EB2EF1CCA4EC9CCE3736EE)
    • oAuym78xev.exe (PID: 2776 cmdline: "C:\Users\user\Desktop\oAuym78xev.exe" MD5: 6333F016A1EB2EF1CCA4EC9CCE3736EE)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000000.00000002.3119456623.00000000070CA000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security | Strings: (none listed)
No Sigma rule has matched

Suricata IDS alert: Timestamp: 2025-03-07T16:37:27.488371+0100 | SID: 2803270 | Severity: 2 | Classtype: Potentially Bad Traffic | Source IP: 192.168.2.9 | Source Port: 49691 | Destination IP: 142.250.184.206 | Destination Port: 443 | Protocol: TCP

AV Detection

Source: oAuym78xev.exe | Avira: detected
Source: oAuym78xev.exe | Virustotal: Detection: 71%
Source: oAuym78xev.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: oAuym78xev.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 142.250.184.206:443 -> 192.168.2.9:49691 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.225:443 -> 192.168.2.9:49692 version: TLS 1.2
Source: oAuym78xev.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\oAuym78xev.exe | Code function: 0_2_00406404 FindFirstFileW,FindClose,0_2_00406404
Source: C:\Users\user\Desktop\oAuym78xev.exe | Code function: 0_2_004058B2 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004058B2
Source: C:\Users\user\Desktop\oAuym78xev.exe | Code function: 0_2_0040287E FindFirstFileW,0_2_0040287E
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49691 -> 142.250.184.206:443
Source: global traffic | HTTP traffic detected:
    GET /uc?export=download&id=1-ToAtaHbRKlgQ3IAfMQsFD67yEamsGyO HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
    Host: drive.google.com
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /download?id=1-ToAtaHbRKlgQ3IAfMQsFD67yEamsGyO&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: oAuym78xev.exe, 00000000.00000000.875776178.000000000040A000.00000008.00000001.01000000.00000003.sdmp, oAuym78xev.exe, 00000000.00000002.3118132739.000000000040A000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: oAuym78xev.exe, 0000000B.00000003.3252009975.0000000007321000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: oAuym78xev.exe, 0000000B.00000002.3349816236.0000000007278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: oAuym78xev.exe, 0000000B.00000002.3349816236.0000000007278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1-ToAtaHbRKlgQ3IAfMQsFD67yEamsGyO
Source: oAuym78xev.exe, 0000000B.00000002.3349816236.0000000007278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1-ToAtaHbRKlgQ3IAfMQsFD67yEamsGyOK
Source: oAuym78xev.exe, 0000000B.00000002.3349816236.0000000007278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1-ToAtaHbRKlgQ3IAfMQsFD67yEamsGyOS
Source: oAuym78xev.exe, 0000000B.00000003.3319331401.00000000072E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/2
Source: oAuym78xev.exe, 0000000B.00000003.3319331401.00000000072E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/P
Source: oAuym78xev.exe, 0000000B.00000003.3252009975.0000000007321000.00000004.00000020.00020000.00000000.sdmp, oAuym78xev.exe, 0000000B.00000003.3319331401.00000000072E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1-ToAtaHbRKlgQ3IAfMQsFD67yEamsGyO&export=download
Source: oAuym78xev.exe, 0000000B.00000002.3349816236.0000000007278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1-ToAtaHbRKlgQ3IAfMQsFD67yEamsGyO&export=downloadi
Source: oAuym78xev.exe, 0000000B.00000003.3319331401.00000000072E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1-ToAtaHbRKlgQ3IAfMQsFD67yEamsGyO&export=downloadr
Source: oAuym78xev.exe, 0000000B.00000003.3252009975.0000000007321000.00000004.00000020.00020000.00000000.sdmp, oAuym78xev.exe, 0000000B.00000002.3349816236.00000000072CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: oAuym78xev.exe, 0000000B.00000003.3252009975.0000000007321000.00000004.00000020.00020000.00000000.sdmp, oAuym78xev.exe, 0000000B.00000002.3349816236.00000000072CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: oAuym78xev.exe, 0000000B.00000003.3252009975.0000000007321000.00000004.00000020.00020000.00000000.sdmp, oAuym78xev.exe, 0000000B.00000002.3349816236.00000000072CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: oAuym78xev.exe, 0000000B.00000003.3252009975.0000000007321000.00000004.00000020.00020000.00000000.sdmp, oAuym78xev.exe, 0000000B.00000002.3349816236.00000000072CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: oAuym78xev.exe, 0000000B.00000003.3252009975.0000000007321000.00000004.00000020.00020000.00000000.sdmp, oAuym78xev.exe, 0000000B.00000002.3349816236.00000000072CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 443
Source: C:\Users\user\Desktop\oAuym78xev.exe | Code function: 0_2_0040535F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040535F
Source: C:\Users\user\Desktop\oAuym78xev.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\oAuym78xev.exe | Code function: 0_2_00403311 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403311
Source: C:\Users\user\Desktop\oAuym78xev.exe | File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\oAuym78xev.exe | Code function: 0_2_00404B9C 0_2_00404B9C
Source: oAuym78xev.exe | Static PE information: invalid certificate
Source: classification engine | Classification label: mal80.troj.evad.winEXE@3/17@2/2
Source: C:\Users\user\Desktop\oAuym78xev.exe | Code function: 0_2_0040474E CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_0040474E
Source: C:\Users\user\Desktop\oAuym78xev.exe | Code function: 0_2_0040216A LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,0_2_0040216A
Source: C:\Users\user\Desktop\oAuym78xev.exe | File created: C:\Users\user\Pictures\stenografere.ini
Source: C:\Users\user\Desktop\oAuym78xev.exe | File created: C:\Users\user\AppData\Local\Temp\nszD81.tmp
Source: oAuym78xev.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\oAuym78xev.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\oAuym78xev.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\oAuym78xev.exe | File read: C:\Users\user\Desktop\oAuym78xev.exe
Source: unknown | Process created: C:\Users\user\Desktop\oAuym78xev.exe "C:\Users\user\Desktop\oAuym78xev.exe"
Source: C:\Users\user\Desktop\oAuym78xev.exe | Process created: C:\Users\user\Desktop\oAuym78xev.exe "C:\Users\user\Desktop\oAuym78xev.exe"
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\oAuym78xev.exe | File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Krigsretters95\ekspeditionssedlernes\Granat.ini

Data Obfuscation

Source: Yara match | File source: 00000000.00000002.3119456623.00000000070CA000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\oAuym78xev.exe | Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
Source: C:\Users\user\Desktop\oAuym78xev.exe | Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E

Persistence and Installation Behavior

Source: Initial sample | Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators:
    1) Self-signed certificate (issuer same as subject) which is not trusted by system.
    2) Suspicious email domain 'Perigenital.Ung' appears non-corporate and potentially generated.
    3) Organization 'Gearwheels' is not a known legitimate company.
    4) Large time gap between compilation date (2016) and certificate dates (2024-2025) suggests certificate was likely created long after the binary.
    5) The OU field contains strange concatenated words 'Lancashire Richter Tachygrapher' that appear randomly generated.
    6) While the country (FR) is not inherently suspicious, the combination with other factors suggests this is likely a fake French entity.
    The overall pattern strongly indicates a malicious attempt to appear legitimate while using generated/fake certificate details.
Source: C:\Users\user\Desktop\oAuym78xev.exe | File created: C:\Users\user\AppData\Local\Temp\nsb1264.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | File created: C:\Users\user\AppData\Local\Temp\nsb1264.tmp\System.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\oAuym78xev.exe | API/Special instruction interceptor: Address: 73A89BD
Source: C:\Users\user\Desktop\oAuym78xev.exe | API/Special instruction interceptor: Address: 42389BD
Source: C:\Users\user\Desktop\oAuym78xev.exe | RDTSC instruction interceptor: First address: 7367C61 second address: 7367C61 instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, ecx
    0x00000004 jc 00007FDAE8722C08h
    0x00000006 cmp ebx, ecx
    0x00000008 inc ebp
    0x00000009 inc ebx
    0x0000000a rdtsc
Source: C:\Users\user\Desktop\oAuym78xev.exe | RDTSC instruction interceptor: First address: 41F7C61 second address: 41F7C61 instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, ecx
    0x00000004 jc 00007FDAE8D50978h
    0x00000006 cmp ebx, ecx
    0x00000008 inc ebp
    0x00000009 inc ebx
    0x0000000a rdtsc
Source: C:\Users\user\Desktop\oAuym78xev.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb1264.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsb1264.tmp\System.dll
Source: C:\Users\user\Desktop\oAuym78xev.exe | Code function: 0_2_00406404 FindFirstFileW,FindClose,0_2_00406404
Source: C:\Users\user\Desktop\oAuym78xev.exe | Code function: 0_2_004058B2 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004058B2
Source: C:\Users\user\Desktop\oAuym78xev.exe | Code function: 0_2_0040287E FindFirstFileW,0_2_0040287E
Source: oAuym78xev.exe, 0000000B.00000002.3349816236.00000000072CD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW9m
Source: oAuym78xev.exe, 0000000B.00000002.3349816236.0000000007278000.00000004.00000020.00020000.00000000.sdmp, oAuym78xev.exe, 0000000B.00000002.3349816236.00000000072CD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\oAuym78xev.exe | API call chain: ExitProcess graph end node graph_0-4370
Source: C:\Users\user\Desktop\oAuym78xev.exe | API call chain: ExitProcess graph end node graph_0-4379
Source: C:\Users\user\Desktop\oAuym78xev.exe | Code function: 0_2_00401E43 LdrInitializeThunk,ShowWindow,EnableWindow,0_2_00401E43
Source: C:\Users\user\Desktop\oAuym78xev.exe | Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
Source: C:\Users\user\Desktop\oAuym78xev.exe | Process created: C:\Users\user\Desktop\oAuym78xev.exe "C:\Users\user\Desktop\oAuym78xev.exe"
Source: C:\Users\user\Desktop\oAuym78xev.exe | Code function: 0_2_00403311 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403311
ATT&CK matrix, listed per tactic. Numbers in parentheses are the signature counts shown in the report; cells without a count are the matrix's unmatched template entries.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Access Token Manipulation (1); Process Injection (11); DLL Side-Loading (1); Login Hook; Network Logon Script
Defense Evasion: Masquerading (11); Access Token Manipulation (1); Process Injection (11); Obfuscated Files or Information (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (21); File and Directory Discovery (3); System Information Discovery (23); System Network Configuration Discovery; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact