
Analysis Report cotizacion.exe

Overview

General Information

Sample Name: cotizacion.exe
Analysis ID: 395265
MD5: 35f5d83dbc44b907d379c5ab35f725f8
SHA1: 745ba0ab77e726e01d3f2fca4506383948906e24
SHA256: daf8d6de50e27c49b372d6cb0a7c6b7cd7a0946f959d13d3d3eb8d5d892c9eb7

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Machine Learning detection for sample
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cotizacion.exe (PID: 1976 cmdline: 'C:\Users\user\Desktop\cotizacion.exe' MD5: 35F5D83DBC44B907D379C5AB35F725F8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
cotizacion.exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |
00000000.00000000.229099820.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.cotizacion.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |
0.2.cotizacion.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: cotizacion.exe | Virustotal: Detection: 62%
Source: cotizacion.exe | Metadefender: Detection: 32%
Source: cotizacion.exe | ReversingLabs: Detection: 70%
Machine Learning detection for sample
Source: cotizacion.exe | Joe Sandbox ML: detected
Source: cotizacion.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: cotizacion.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cotizacion.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cotizacion.exe, 00000000.00000002.493866250.00000000020A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs cotizacion.exe
Source: cotizacion.exe, 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameForkvakledes.exe vs cotizacion.exe
Source: cotizacion.exe, 00000000.00000002.502916759.0000000004FA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs cotizacion.exe
Source: cotizacion.exe, 00000000.00000002.494036894.0000000002200000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameForkvakledes.exeFE2XCluster-CCluster-C vs cotizacion.exe
Source: cotizacion.exe | Binary or memory string: OriginalFilenameForkvakledes.exe vs cotizacion.exe
Source: classification engine | Classification label: mal68.troj.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\cotizacion.exe | File created: C:\Users\user~1\AppData\Local\Temp\~DF8BE9C0E48D19B38F.TMP
Source: cotizacion.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cotizacion.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\cotizacion.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: cotizacion.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.229099820.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.0.cotizacion.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.cotizacion.exe.400000.0.unpack, type: UNPACKEDPE
Source: cotizacion.exe | Static PE information: real checksum: 0x279ca should be: 0x1d63d
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_00407C52 push es; ret 0_2_00407CB9
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_00401275 push 02A3CF73h; iretd 0_2_0040141C
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_00406E16 pushad ; ret 0_2_00406E19
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_0040261A push es; retf 0_2_0040265D
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_004078E3 pushad ; ret 0_2_004078E5
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_004092E9 push es; ret 0_2_004092F1
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_00409C8F push esi; iretd 0_2_00409C93
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_00406C97 push cs; ret 0_2_00406CD9
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_00405140 push ss; retf 0_2_00405141
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_00407D73 pushad ; retf 0_2_00407D75
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_00404D04 push es; ret 0_2_00404D05
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_00405310 push ecx; ret 0_2_00405311
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_00403D1F push eax; ret 0_2_00403D21
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_00404BD3 push es; retf 0_2_00404BD5
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_0040298C push ecx; retf 0_2_0040298D
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_00403792 push eax; ret 0_2_00403795
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_004037AE push eax; ret 0_2_004037B1
Source: C:\Users\user\Desktop\cotizacion.exe | Code function: 0_2_004029B7 push es; retf 0_2_004029B9

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (71).png
Source: C:\Users\user\Desktop\cotizacion.exe | Process information set: NOOPENFILEERRORBOX (22 identical entries in the original listing)
Source: C:\Users\user\Desktop\cotizacion.exe | Window / User API: threadDelayed 8041
Source: C:\Users\user\Desktop\cotizacion.exe | Window / User API: threadDelayed 1959
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\cotizacion.exe | Last function: Thread delayed
Source: cotizacion.exe, 00000000.00000002.493462189.0000000000C20000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
Source: cotizacion.exe, 00000000.00000002.493462189.0000000000C20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: cotizacion.exe, 00000000.00000002.493462189.0000000000C20000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: cotizacion.exe, 00000000.00000002.493462189.0000000000C20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

MITRE ATT&CK Matrix

Each column is one tactic; a trailing number after a technique is the count of this sample's signatures mapped to it.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 | Masquerading 1 | OS Credential Dumping | Process Discovery 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 | LSASS Memory | Application Window Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | System Information Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.