Analysis Report udmugning.exe

Overview

General Information

Sample Name:udmugning.exe
Analysis ID:395203
MD5:3d04ed12388c92e15361681ef1921d7f
SHA1:8820ff07e1f60121a057b0303dc7746ea4960617
SHA256:99227f9bb099737a3f356f266c5b8d5e1f4313715f37a4b7b0b6c1ae65c00925

Detection

GuLoader
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • udmugning.exe (PID: 3440 cmdline: 'C:\Users\user\Desktop\udmugning.exe' MD5: 3D04ED12388C92E15361681EF1921D7F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
udmugning.exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security | -

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security | -
00000001.00000000.206225191.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security | -

Unpacked PEs

Source | Rule | Description | Author | Strings
1.0.udmugning.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security | -
1.2.udmugning.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security | -

            Sigma Overview

            No Sigma rule has matched

            Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: udmugning.exe | Metadefender: Detection: 35%
Source: udmugning.exe | ReversingLabs: Detection: 79%
Machine Learning detection for sample
Source: udmugning.exe | Joe Sandbox ML: detected
Source: udmugning.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_0040994D
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_004011CA
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_004099E1
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_00409A6E
Source: udmugning.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: udmugning.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: udmugning.exe, 00000001.00000002.474813749.0000000002300000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs udmugning.exe
Source: udmugning.exe, 00000001.00000002.485300567.0000000005090000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs udmugning.exe
Source: udmugning.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal72.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\udmugning.exe | File created: C:\Users\user\AppData\Local\Temp\~DF5440564B0D50F574.TMP
Source: udmugning.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\udmugning.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\udmugning.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: udmugning.exe | Metadefender: Detection: 35%
Source: udmugning.exe | ReversingLabs: Detection: 79%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: udmugning.exe, type: SAMPLE
Source: Yara match | File source: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.206225191.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 1.0.udmugning.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.udmugning.exe.400000.0.unpack, type: UNPACKEDPE
Source: udmugning.exe | Static PE information: real checksum: 0x1fc2a should be: 0x22a75
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_0040414F push ebp; iretd
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_0040C126 push 7600FFCEh; iretd
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_00409138 push eax; iretd
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_004011CA push 02A3CF73h; iretd
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_004039D5 push esp; iretd
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_0040877A push ebx; ret
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_0040C7DE pushad ; ret
Source: C:\Users\user\Desktop\udmugning.exe | Code function: 1_2_004067F8 push es; iretd

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (71).png
Source: C:\Users\user\Desktop\udmugning.exe | Process information set: NOOPENFILEERRORBOX (22 identical entries)
Source: C:\Users\user\Desktop\udmugning.exe | Window / User API: threadDelayed 4610
Source: C:\Users\user\Desktop\udmugning.exe | Window / User API: threadDelayed 5389
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\udmugning.exe | Last function: Thread delayed

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\udmugning.exe | Process Stats: CPU usage > 90% for more than 60s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: udmugning.exe, 00000001.00000002.474603838.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: udmugning.exe, 00000001.00000002.474603838.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: udmugning.exe, 00000001.00000002.474603838.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: udmugning.exe, 00000001.00000002.474603838.0000000000DA0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

The matrix is listed per tactic column; superscript digits are the report's per-technique signature counts as rendered on the page.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Process Injection¹, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Masquerading¹, Virtualization/Sandbox Evasion¹¹, Process Injection¹, Obfuscated Files or Information¹, Software Packing
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery¹, Virtualization/Sandbox Evasion¹¹, Process Discovery¹, Application Window Discovery¹, System Information Discovery¹
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Archive Collected Data¹, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Encrypted Channel¹, Junk Data, Steganography, Protocol Impersonation, Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings

Behavior Graph

[Behavior graph image not captured in this extraction]

Screenshots

[Screenshot thumbnails not captured in this extraction]

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
udmugning.exe | 35% | Metadefender |
udmugning.exe | 79% | ReversingLabs | Win32.Trojan.VBObfuse
udmugning.exe | 100% | Joe Sandbox ML |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox Version:31.0.0 Emerald
            Analysis ID:395203
            Start date:22.04.2021
            Start time:09:55:58
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 5m 11s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:udmugning.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:23
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal72.troj.evad.winEXE@1/0@0/0
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:
            • Successful, ratio: 97.7% (good quality ratio 48.7%)
            • Quality average: 27%
            • Quality standard deviation: 30.5%
            HCA Information:Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/395203/sample/udmugning.exe

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            No created / dropped files found

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):5.747482043975765
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.15%
            • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:udmugning.exe
            File size:118784
            MD5:3d04ed12388c92e15361681ef1921d7f
            SHA1:8820ff07e1f60121a057b0303dc7746ea4960617
            SHA256:99227f9bb099737a3f356f266c5b8d5e1f4313715f37a4b7b0b6c1ae65c00925
            SHA512:39d85417c5667971a8b84eb358656672a2291c8e52143633591c6c5afd7d1a45d6cdd837002797f509e071aa508cee300097c65642cf5ba7d5fc3c6874f08c9f
            SSDEEP:1536:o96yzDtLzOdb4E4Ql9p9LUaYu/+QR15nZ5ioT1VnrveqOrNThdFfwuqltL:oHDtLzOdDLhemaFf
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......O.................p...`......h.............@................

            File Icon

            Icon Hash:c0c6f2e0e4fefe3f

            Static PE Info

            General

            Entrypoint:0x401968
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            DLL Characteristics:
            Time Stamp:0x4FE4DC12 [Fri Jun 22 20:56:50 2012 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:7677b40f5f8927412a58af017314f1ed

            Entrypoint Preview

            Instruction
            push 0040F3B0h
            call 00007F70D0F0A383h
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            xor byte ptr [eax], al
            add byte ptr [eax], al
            cmp byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            cmp al, 47h
            add eax, 838AF2EAh
            dec esp
            xchg dword ptr [edx-41h], esp
            popfd
            sub eax, 0066210Bh
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [ecx], al
            add byte ptr [eax], al
            add byte ptr [ecx+00h], al
            push es
            push eax
            xchg eax, ebx
            add dl, byte ptr [esi+65h]
            jnc 00007F70D0F0A406h
            jnc 00007F70D0F0A392h
            and al, 02h
            add byte ptr [eax], al
            add byte ptr [eax], al
            dec esp
            xor dword ptr [eax], eax
            or al, 79h
            push ebx
            mov esi, 80015E4Dh
            dec edx
            lodsd
            stc
            xchg eax, ebx
            or al, bl
            mov ch, 73h
            sub ebp, ebx
            xor dword ptr [edx+5CEADEADh], edi
            dec edi
            mov dword ptr [AAF3C737h], eax
            xchg eax, esi
            movsd
            add byte ptr [edx], bh
            dec edi
            lodsd
            xor ebx, dword ptr [ecx-48EE309Ah]
            or al, 00h
            stosb
            add byte ptr [eax-2Dh], ah
            xchg eax, ebx
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            aaa
            fld dword ptr [eax]
            add byte ptr [ecx], bh
            xlatb
            add byte ptr [eax], al
            add byte ptr [ebx], cl
            add byte ptr [esi+61h], al
            insb
            imul esp, dword ptr [edi+68h], 72656465h
            add byte ptr [55000601h], cl
            outsb
            outsd
            jc 00007F70D0F0A3F3h
            insb
            add byte ptr [ecx], bl
            add dword ptr [eax], eax
            inc edx

            Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17624 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x382a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1a8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x16c08 | 0x17000 | False | 0.446204144022 | data | 6.13431444514 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x18000 | 0x1260 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x1a000 | 0x382a | 0x4000 | False | 0.461853027344 | data | 5.140747892 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x1cf82 | 0x8a8 | data | |
RT_ICON | 0x1c8ba | 0x6c8 | data | |
RT_ICON | 0x1c352 | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x1b2aa | 0x10a8 | data | |
RT_ICON | 0x1a922 | 0x988 | data | |
RT_ICON | 0x1a4ba | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x1a460 | 0x5a | data | |
RT_VERSION | 0x1a1e0 | 0x280 | data | English | United States

            Imports

DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, __vbaFPInt, _CIexp, __vbaFreeStr, __vbaFreeObj

            Version Infos

Description | Data
Translation | 0x0409 0x04b0
InternalName | udmugning
FileVersion | 1.00
CompanyName | Cluster-C
Comments | Cluster-C
ProductName | Cluster-C
ProductVersion | 1.00
FileDescription | Cluster-C
OriginalFilename | udmugning.exe

            Possible Origin

Language of compilation system | Country where language is spoken
English | United States

            Network Behavior

            No network behavior found

            Code Manipulations

            Statistics

            System Behavior

            General

            Start time:09:56:48
            Start date:22/04/2021
            Path:C:\Users\user\Desktop\udmugning.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\udmugning.exe'
            Imagebase:0x400000
            File size:118784 bytes
            MD5 hash:3D04ED12388C92E15361681EF1921D7F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:Visual Basic
            Yara matches:
            • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000001.00000000.206225191.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:low

            Disassembly

            Code Analysis
