Analysis Report Shipping Document INVPLBL_pdf.exe

Overview

General Information

Sample Name: Shipping Document INVPLBL_pdf.exe
Analysis ID: 323820
MD5: 40e23535eaeb38100848d2544f29425d
SHA1: 115391590b015b30e742095c3355b63f4ae29335
SHA256: f76e242ad82adab98e38fbdcc1469a7066031c5345d4904035d545713355629d
Tags: exe, GuLoader

Detection

GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Shipping Document INVPLBL_pdf.exe Virustotal: Detection: 31%
Source: Shipping Document INVPLBL_pdf.exe ReversingLabs: Detection: 18%
Source: unknown DNS traffic detected: queries for: g.msn.com
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp String found in binary or memory: https://gorkaloyola.com/cashout/Kalied_zgFWOmD234.bin

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: Shipping Document INVPLBL_pdf.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Shipping Document INVPLBL_pdf.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02324046 NtSetInformationThread,NtWriteVirtualMemory,CreateFileA, 0_2_02324046
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02328117 NtProtectVirtualMemory, 0_2_02328117
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0232062E EnumWindows,NtSetInformationThread, 0_2_0232062E
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0232861B NtSetInformationThread,NtResumeThread, 0_2_0232861B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02326558 NtSetInformationThread, 0_2_02326558
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02320A6B NtSetInformationThread,TerminateProcess, 0_2_02320A6B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02324887 NtSetInformationThread,NtWriteVirtualMemory, 0_2_02324887
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02323228 NtWriteVirtualMemory, 0_2_02323228
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_023232DC NtWriteVirtualMemory, 0_2_023232DC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0232339C NtWriteVirtualMemory, 0_2_0232339C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02324018 NtSetInformationThread, 0_2_02324018
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0232361C NtWriteVirtualMemory, 0_2_0232361C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02328664 NtResumeThread, 0_2_02328664
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02320709 NtSetInformationThread, 0_2_02320709
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02323764 NtWriteVirtualMemory, 0_2_02323764
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02320758 NtSetInformationThread, 0_2_02320758
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_023207AC NtSetInformationThread, 0_2_023207AC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_023287AC NtResumeThread, 0_2_023287AC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_023287F8 NtResumeThread, 0_2_023287F8
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_023244F9 NtSetInformationThread, 0_2_023244F9
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_023234CC NtWriteVirtualMemory, 0_2_023234CC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02323578 NtWriteVirtualMemory, 0_2_02323578
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02323A1C NtWriteVirtualMemory, 0_2_02323A1C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02328A00 NtResumeThread, 0_2_02328A00
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02323A80 NtSetInformationThread, 0_2_02323A80
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02322B0C NtSetInformationThread, 0_2_02322B0C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02328B78 NtResumeThread, 0_2_02328B78
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02328BA6 NtResumeThread, 0_2_02328BA6
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02326B82 NtWriteVirtualMemory, 0_2_02326B82
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02320830 NtSetInformationThread, 0_2_02320830
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02323818 NtWriteVirtualMemory, 0_2_02323818
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02320863 NtSetInformationThread, 0_2_02320863
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0232886F NtResumeThread, 0_2_0232886F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02328840 NtResumeThread, 0_2_02328840
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_023208D3 NtSetInformationThread, 0_2_023208D3
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_023288C8 NtResumeThread, 0_2_023288C8
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02328910 NtResumeThread, 0_2_02328910
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_023289B0 NtResumeThread, 0_2_023289B0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02322F3D NtSetInformationThread, 0_2_02322F3D
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02326FDD NtWriteVirtualMemory, 0_2_02326FDD
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02328C48 NtResumeThread, 0_2_02328C48
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02322CC0 NtSetInformationThread, 0_2_02322CC0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02322D64 NtSetInformationThread, 0_2_02322D64
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00564046 NtSetInformationThread,CreateFileA, 10_2_00564046
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00568117 NtProtectVirtualMemory, 10_2_00568117
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_005644F9 NtSetInformationThread,InternetOpenA,InternetOpenUrlA, 10_2_005644F9
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00566558 NtSetInformationThread, 10_2_00566558
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_0056861B NtSetInformationThread,EnumServicesStatusA, 10_2_0056861B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_0056062E EnumWindows,NtSetInformationThread, 10_2_0056062E
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00560A6B NtSetInformationThread,NtProtectVirtualMemory, 10_2_00560A6B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00564018 NtSetInformationThread, 10_2_00564018
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00561343 NtProtectVirtualMemory, 10_2_00561343
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00561380 NtProtectVirtualMemory, 10_2_00561380
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00560758 NtSetInformationThread, 10_2_00560758
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00560709 NtSetInformationThread, 10_2_00560709
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_005607AC NtSetInformationThread, 10_2_005607AC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00560863 NtSetInformationThread, 10_2_00560863
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00560830 NtSetInformationThread, 10_2_00560830
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_005608D3 NtSetInformationThread, 10_2_005608D3
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00564887 NtSetInformationThread, 10_2_00564887
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00563A80 NtSetInformationThread, 10_2_00563A80
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00562B0C NtSetInformationThread, 10_2_00562B0C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00562CC0 NtSetInformationThread, 10_2_00562CC0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00562D64 NtSetInformationThread, 10_2_00562D64
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00562F3D NtSetInformationThread, 10_2_00562F3D
Detected potential crypto function
PE file contains strange resources
Source: Shipping Document INVPLBL_pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Shipping Document INVPLBL_pdf.exe, 00000000.00000002.450736065.00000000022F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Shipping Document INVPLBL_pdf.exe
Source: Shipping Document INVPLBL_pdf.exe, 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSkaget.exe vs Shipping Document INVPLBL_pdf.exe
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596524457.0000000002480000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Shipping Document INVPLBL_pdf.exe
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000000.448665148.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSkaget.exe vs Shipping Document INVPLBL_pdf.exe
Source: Shipping Document INVPLBL_pdf.exe Binary or memory string: OriginalFilenameSkaget.exe vs Shipping Document INVPLBL_pdf.exe
Source: classification engine Classification label: mal96.troj.evad.winEXE@3/0@2/0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe File created: C:\Users\user\AppData\Local\Temp\~DF5734C66BAC6D41BF.TMP
Source: Shipping Document INVPLBL_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Shipping Document INVPLBL_pdf.exe Virustotal: Detection: 31%
Source: Shipping Document INVPLBL_pdf.exe ReversingLabs: Detection: 18%
Source: unknown Process created: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe 'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe'
Source: unknown Process created: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe 'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe'
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Process created: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe 'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe'

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 6704, type: MEMORY
Source: Yara match File source: Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 7072, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 6704, type: MEMORY
Source: Yara match File source: Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 7072, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0040B456 push A9E19630h; iretd 0_2_0040B45B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_00408400 push cs; ret 0_2_0040840A
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0040EC06 push es; iretw 0_2_0040EBDC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0040C40C push ebp; iretd 0_2_0040C42F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0040DC34 push eax; iretd 0_2_0040DC8B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0040A43A push ecx; iretd 0_2_0040A43B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0040B8C5 push ebx; iretd 0_2_0040B8D3
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_004084A5 push 51D0883Bh; iretd 0_2_004084D3
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0040996C push dword ptr [5D03CCEEh]; ret 0_2_0040994A
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_00409D77 push eax; retf 0_2_00409D78
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_00409927 push dword ptr [5D03CCEEh]; ret 0_2_0040994A
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_004089C6 push ecx; iretd 0_2_004089C7
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0040F9CE push eax; iretd 0_2_0040FA3F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0040B1E8 push ecx; iretd 0_2_0040B1EB
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0040F9F3 push eax; iretd 0_2_0040FA3F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0040A9B0 push esp; iretd 0_2_0040A9B3
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_00402647 push es; retf 0_2_00402648
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_00408E7E push esi; iretd 0_2_00408E97
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_00408A1C push 6787C079h; iretd 0_2_00408AB6
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_00408A1F push 6787C079h; iretd 0_2_00408AB6
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0040E224 push ecx; iretd 0_2_0040E227
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_00409E2F push es; iretd 0_2_00409E32
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_00408E9A push eax; iretd 0_2_00408E9B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_00409F44 push esi; iretd 0_2_00409F4F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0040B344 push ds; retf 0_2_0040B3AF
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_00409F52 push eax; iretd 0_2_00409F53
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_00407B00 push ds; retf 0_2_00407B01
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_00409FD6 push ds; ret 0_2_00409FF7
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0040AFEB push ecx; iretd 0_2_0040AFF7
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0040EB89 push es; iretw 0_2_0040EBDC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0040E38E push A95D7E27h; iretd 0_2_0040E393
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02320A6B NtSetInformationThread,TerminateProcess, 0_2_02320A6B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00560A6B NtSetInformationThread,NtProtectVirtualMemory, 10_2_00560A6B
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe RDTSC instruction interceptor: First address: 0000000002327105 second address: 0000000002327105 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F0EA0C74CD8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx 0x00000021 dec dword ptr [ebp+000000F8h] 0x00000027 jmp 00007F0EA0C74D16h 0x00000029 test ah, ah 0x0000002b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000032 jne 00007F0EA0C74C74h 0x00000034 call 00007F0EA0C74D41h 0x00000039 call 00007F0EA0C74CEAh 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Tries to detect Any.run
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Shipping Document INVPLBL_pdf.exe, 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe RDTSC instruction interceptor: First address: 0000000002327105 second address: 0000000002327105 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F0EA0C74CD8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx 0x00000021 dec dword ptr [ebp+000000F8h] 0x00000027 jmp 00007F0EA0C74D16h 0x00000029 test ah, ah 0x0000002b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000032 jne 00007F0EA0C74C74h 0x00000034 call 00007F0EA0C74D41h 0x00000039 call 00007F0EA0C74CEAh 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe RDTSC instruction interceptor: First address: 0000000002327127 second address: 0000000002327127 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F0EA083855Eh 0x0000001f popad 0x00000020 call 00007F0EA0837FE4h 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe RDTSC instruction interceptor: First address: 0000000000567127 second address: 0000000000567127 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F0EA0C7539Eh 0x0000001f popad 0x00000020 call 00007F0EA0C74E24h 0x00000025 lfence 0x00000028 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02320A6B rdtsc 0_2_02320A6B
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: NtSetInformationThread,EnumServicesStatusA, 10_2_0056861B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: EnumServicesStatusA, 10_2_00568664
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: EnumServicesStatusA, 10_2_005687F8
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: EnumServicesStatusA, 10_2_005687AC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: EnumServicesStatusA, 10_2_00568840
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: EnumServicesStatusA, 10_2_0056886F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: EnumServicesStatusA, 10_2_005688C8
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: EnumServicesStatusA, 10_2_00568910
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: EnumServicesStatusA, 10_2_005689B0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: EnumServicesStatusA, 10_2_00568A00
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: EnumServicesStatusA, 10_2_00568B78
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: EnumServicesStatusA, 10_2_00568BA6
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: EnumServicesStatusA, 10_2_00568C48
Source: Shipping Document INVPLBL_pdf.exe, 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

barindex
Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02324046 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000 0_2_02324046
Hides threads from debuggers
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02320A6B rdtsc 0_2_02320A6B
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02324E5C LdrInitializeThunk, 0_2_02324E5C
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0232217F mov eax, dword ptr fs:[00000030h] 0_2_0232217F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02326722 mov eax, dword ptr fs:[00000030h] 0_2_02326722
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02327A40 mov eax, dword ptr fs:[00000030h] 0_2_02327A40
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02322B0C mov eax, dword ptr fs:[00000030h] 0_2_02322B0C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02322B58 mov eax, dword ptr fs:[00000030h] 0_2_02322B58
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02323BA8 mov eax, dword ptr fs:[00000030h] 0_2_02323BA8
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_0232289C mov eax, dword ptr fs:[00000030h] 0_2_0232289C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_023279F9 mov eax, dword ptr fs:[00000030h] 0_2_023279F9
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02326D75 mov eax, dword ptr fs:[00000030h] 0_2_02326D75
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_0056217F mov eax, dword ptr fs:[00000030h] 10_2_0056217F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00566722 mov eax, dword ptr fs:[00000030h] 10_2_00566722
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_0056289C mov eax, dword ptr fs:[00000030h] 10_2_0056289C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_005679F9 mov eax, dword ptr fs:[00000030h] 10_2_005679F9
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00567A40 mov eax, dword ptr fs:[00000030h] 10_2_00567A40
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00562B58 mov eax, dword ptr fs:[00000030h] 10_2_00562B58
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00562B0C mov eax, dword ptr fs:[00000030h] 10_2_00562B0C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00563BA8 mov eax, dword ptr fs:[00000030h] 10_2_00563BA8
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 10_2_00566D75 mov eax, dword ptr fs:[00000030h] 10_2_00566D75

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Process created: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe 'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe'
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596423600.0000000000F20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596423600.0000000000F20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596423600.0000000000F20000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596423600.0000000000F20000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe Code function: 0_2_02326A99 cpuid 0_2_02326A99
Behavior Graph

Behavior Graph ID: 323820
Sample: Shipping Document INVPLBL_pdf.exe
Startdate: 27/11/2020
Architecture: WINDOWS
Score: 96

Sample node: contacts g.msn.com; signatures: Multi AV Scanner detection for submitted file, Yara detected GuLoader, Executable has a suspicious name (potential lure to open the executable), 7 other signatures
    Process: Shipping Document INVPLBL_pdf.exe (started); signatures: Tries to detect Any.run, Hides threads from debuggers
        Child process: Shipping Document INVPLBL_pdf.exe (started); contacts gorkaloyola.com; signatures: Tries to detect Any.run, Hides threads from debuggers
No contacted IP info

Contacted Domains

Name             IP               Active
gorkaloyola.com  192.185.170.106  true
g.msn.com        unknown          unknown