
Analysis Report sample.exe

Overview

General Information

Sample Name: sample.exe
MD5: 5284f2578d687d4d88531880acf873c6
SHA1: 75e7e3886aa34c8ab2897292e52496f1562c88a9
SHA256: 07d07bdc1fb28af5b2e774a65bf6848d545c440f9b2caacc5105f4afc091e924


Detection

GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Found large amount of non-executed APIs
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)


Startup

  • System is w10x64
  • sample.exe (PID: 5444 cmdline: 'C:\Users\user\Desktop\sample.exe' MD5: 5284F2578D687D4D88531880ACF873C6)
    • sample.exe (PID: 5508 cmdline: 'C:\Users\user\Desktop\sample.exe' MD5: 5284F2578D687D4D88531880ACF873C6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.1180509560.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
00000000.00000002.800510601.00000000022E0000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: sample.exe PID: 5508 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: sample.exe PID: 5444 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: https://long.af/tozawx/d | Avira URL Cloud: Label: malware
Source: https://vinival.me/origbindedwithbtcvfour.exe | Avira URL Cloud: Label: malware
Source: https://long.af/tozawx | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: https://vinival.me/origbindedwithbtcvfour.exe | Virustotal: Detection: 15%
Source: https://vinival.me/ | Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: sample.exe | Virustotal: Detection: 70%
Source: sample.exe | ReversingLabs: Detection: 77%

Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: long.af
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443

Source: sample.exe, 00000000.00000002.799973505.0000000000730000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: sample.exe | Static PE information: invalid certificate
Source: sample.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sample.exe, 00000000.00000002.799096997.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUdmugn.exe vs sample.exe
Source: sample.exe, 00000000.00000002.799929109.0000000000700000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs sample.exe
Source: sample.exe, 00000002.00000002.1181514628.0000000002380000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs sample.exe
Source: sample.exe, 00000002.00000000.798651498.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUdmugn.exe vs sample.exe
Source: sample.exe, 00000002.00000002.1181538513.0000000002390000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs sample.exe
Source: sample.exe | Binary or memory string: OriginalFilenameUdmugn.exe vs sample.exe
Source: classification engine | Classification label: mal96.rans.troj.evad.winEXE@3/0@94/1
Source: C:\Users\user\Desktop\sample.exe | File created: C:\Users\user\AppData\Local\Temp\IODO
Source: sample.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sample.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\sample.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\sample.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: sample.exe | Virustotal: Detection: 70%
Source: sample.exe | ReversingLabs: Detection: 77%
Source: unknown | Process created: C:\Users\user\Desktop\sample.exe 'C:\Users\user\Desktop\sample.exe'
Source: C:\Users\user\Desktop\sample.exe | Process created: C:\Users\user\Desktop\sample.exe 'C:\Users\user\Desktop\sample.exe'
Source: C:\Users\user\Desktop\sample.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000002.00000002.1180509560.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.800510601.00000000022E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sample.exe PID: 5508, type: MEMORY
Source: Yara match | File source: Process Memory Space: sample.exe PID: 5444, type: MEMORY
Source: sample.exe | Static PE information: real checksum: 0x559de should be: 0x2910a

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\sample.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mangelvar C:\Users\user\AppData\Local\Temp\IODO\deckelsr.vbs
Source: C:\Users\user\Desktop\sample.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mangelvar

Source: C:\Users\user\Desktop\sample.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\sample.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep (graph_2-4525)
Source: C:\Users\user\Desktop\sample.exe | API coverage: 9.3 %
Source: C:\Users\user\Desktop\sample.exe TID: 5512 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\sample.exe | Last function: Thread delayed
Source: sample.exe, 00000002.00000003.928245912.00000000008D0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: sample.exe, 00000002.00000003.928245912.00000000008D0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWen-USn

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_022E04CB NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000 (0_2_022E04CB)
Hides threads from debuggers
Source: C:\Users\user\Desktop\sample.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_022E5BCD LdrInitializeThunk (0_2_022E5BCD)

Source: C:\Users\user\Desktop\sample.exe | Process created: C:\Users\user\Desktop\sample.exe 'C:\Users\user\Desktop\sample.exe'
Source: sample.exe, 00000002.00000002.1181318242.0000000000F10000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: sample.exe, 00000002.00000002.1181318242.0000000000F10000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: sample.exe, 00000002.00000002.1181318242.0000000000F10000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: sample.exe, 00000002.00000002.1181318242.0000000000F10000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Execution through API1 | Registry Run Keys / Startup Folder11 | Process Injection12 | Virtualization/Sandbox Evasion11 | Input Capture1 | Virtualization/Sandbox Evasion11 | Application Deployment Software | Input Capture1 | Data Compressed | Standard Cryptographic Protocol2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Process Injection12 | Network Sniffing | Process Discovery1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Obfuscated Files or Information1 | Input Capture | Security Software Discovery21 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information | Credentials in Files | Remote System Discovery1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading | Account Manipulation | System Information Discovery1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

          Behavior Graph

