Loading ...

Play interactive tourEdit tour

Analysis Report ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe

Overview

General Information

Sample Name:ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe
Analysis ID:403997
MD5:5777362ea00ed2dd6c40121450291e7d
SHA1:4cbdfa68ef829f9709ee74bb883985d8a18c4048
SHA256:f6f23db6c1ecdf6b5766a22434e7a9c24585ecf94cf8a784f1a15640d0f0ba45
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

DLL reload attack detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1hJRfPD7mATt1zd_Z0FIM8Q9qnryDNQsL"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1290771999.0000000002B50000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    00000000.00000000.204937287.000000000040C000.00000020.00020000.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
    • 0x110c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
    00000000.00000002.1285251776.000000000040C000.00000020.00020000.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
    • 0x110c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.1290771999.0000000002B50000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1hJRfPD7mATt1zd_Z0FIM8Q9qnryDNQsL"}
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1hJRfPD7mATt1zd_Z0FIM8Q9qnryDNQsL

    System Summary:

    barindex
    Malicious sample detected (through community Yara rule)Show sources
    Source: 00000000.00000000.204937287.000000000040C000.00000020.00020000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000000.00000002.1285251776.000000000040C000.00000020.00020000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeCode function: 0_2_02B54FB9 NtProtectVirtualMemory,
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeCode function: 0_2_02B525DA NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeCode function: 0_2_02B52786 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeCode function: 0_2_02B52781 NtAllocateVirtualMemory,
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeBinary or memory string: OriginalFilenamePHILAD.exe vs ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: 00000000.00000000.204937287.000000000040C000.00000020.00020000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000000.00000002.1285251776.000000000040C000.00000020.00020000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: classification engineClassification label: mal80.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeFile created: C:\Users\user\AppData\Local\Temp\~DF6274FC7E47975599.TMPJump to behavior
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.1290771999.0000000002B50000.00000040.00000001.sdmp, type: MEMORY

    Hooking and other Techniques for Hiding and Protection:

    barindex
    DLL reload attack detectedShow sources
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeModule Loaded: Original DLL: "C:\USERS\user\DESKTOP\ACS ROUTE reload: AIRCRAFT COND. REQ INFORMATION & DOC00710020210501154406 PDF.EXE"
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    barindex
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeRDTSC instruction interceptor: First address: 0000000002B54D0E second address: 0000000002B54D0E instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b inc ecx 0x0000000c inc ebx 0x0000000d cmp bh, bh 0x0000000f cmp dword ptr [ebx], 9090C350h 0x00000015 jne 00007F0481024659h 0x00000017 cmp edx, dword ptr [ebx] 0x00000019 jne 00007F048102464Bh 0x0000001b cmp byte ptr [ebx], FFFFFFE8h 0x0000001e jne 00007F04810246B3h 0x00000020 fnop 0x00000022 cmp byte ptr [ebx], FFFFFFB8h 0x00000025 jne 00007F0481024664h 0x00000027 cmp ecx, 00002000h 0x0000002d jne 00007F048102455Ch 0x00000033 pushad 0x00000034 lfence 0x00000037 rdtsc
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeRDTSC instruction interceptor: First address: 0000000002B5243D second address: 0000000002B5243D instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F04803CB82Ah 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ax, cx 0x00000024 cmp ecx, 00000000h 0x00000027 jne 00007F04803CB80Bh 0x00000029 push ecx 0x0000002a test ebx, edx 0x0000002c cmp dx, cx 0x0000002f call 00007F04803CB84Bh 0x00000034 call 00007F04803CB83Ah 0x00000039 lfence 0x0000003c mov edx, dword ptr [7FFE0014h] 0x00000042 lfence 0x00000045 ret 0x00000046 mov esi, edx 0x00000048 pushad 0x00000049 rdtsc
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeCode function: 0_2_02B514AA rdtsc
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeCode function: 0_2_02B514AA rdtsc
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeCode function: 0_2_02B51240 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeCode function: 0_2_02B5424A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeCode function: 0_2_02B523A3 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeCode function: 0_2_02B545A8 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeCode function: 0_2_02B54B81 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeCode function: 0_2_02B5171E mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeCode function: 0_2_02B51718 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeCode function: 0_2_02B54B5D mov eax, dword ptr fs:[00000030h]
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe, 00000000.00000002.1286359625.0000000000D70000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe, 00000000.00000002.1286359625.0000000000D70000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe, 00000000.00000002.1286359625.0000000000D70000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe, 00000000.00000002.1286359625.0000000000D70000.00000002.00000001.sdmpBinary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exeQueries volume information: C:\ VolumeInformation

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationDLL Side-Loading1Process Injection1Process Injection1OS Credential DumpingSecurity Software Discovery11Remote ServicesData from Local SystemExfiltration Over Other Network MediumApplication Layer Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1DLL Side-Loading1LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerSystem Information Discovery111SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:32.0.0 Black Diamond
    Analysis ID:403997
    Start date:04.05.2021
    Start time:16:05:50
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 10m 43s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:22
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal80.troj.evad.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    Warnings:
    Show All
    • Report size getting too big, too many NtAllocateVirtualMemory calls found.

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):4.777529017205276
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe
    File size:98304
    MD5:5777362ea00ed2dd6c40121450291e7d
    SHA1:4cbdfa68ef829f9709ee74bb883985d8a18c4048
    SHA256:f6f23db6c1ecdf6b5766a22434e7a9c24585ecf94cf8a784f1a15640d0f0ba45
    SHA512:b040be11572cb05338212e73492d475211f24c79be94486ada0a5d4438d436bd24e92479d001531dcb6f56045a6901ab5526c72b9dee968e24f8e4a0380d4014
    SSDEEP:1536:OR02SmQFaUvIZddDGaz24YxUzAoma3vx:OnrsaXdZG1409ovJ
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L......W.................P... ......|........`....@................

    File Icon

    Icon Hash:b074cecec891b2e4

    Static PE Info

    General

    Entrypoint:0x40157c
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x5711B91D [Sat Apr 16 04:01:33 2016 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:631ffe9ad0b821781f48149fabda62f6

    Entrypoint Preview

    Instruction
    push 0040CA8Ch
    call 00007F0480BA7975h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    cmp byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    mov dh, 80h
    leave
    leave
    retf
    salc
    clc
    dec edi
    call far 49E6h : 708BCD81h
    fild word ptr [eax]
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx], al
    add byte ptr [eax], al
    add byte ptr [eax+edx*2+72h], bl
    outsd
    push 00000065h
    outsb
    popad
    outsb
    jnc 00007F0480BA7983h
    add byte ptr [eax], al
    add byte ptr [eax], al
    dec esp
    xor dword ptr [eax], eax
    sub byte ptr [esi+0B9DFADDh], ah
    sal edx, 1
    dec ecx
    stosb
    sub eax, 8D5E5938h
    jnle 00007F0480BA79F7h
    aad 85h
    and cl, ch
    mov ecx, AA4E556Bh
    test eax, 87B2E630h
    or dword ptr [edx], esp
    cmp cl, byte ptr [edi-53h]
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    mov dh, B3h
    add byte ptr [eax], al
    push esp
    add al, byte ptr [eax]
    add byte ptr [eax], al
    or dword ptr [eax], eax
    jbe 00007F0480BA79EBh
    outsb
    imul esp, dword ptr [ebp+74h], 73h
    jc 00007F0480BA79E3h
    add byte ptr [6B000901h], cl
    outsd
    push 0000006Fh
    insd
    jc 00007983h
    sbb dword ptr [ecx], eax
    add byte ptr [edx+00h], al

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x14ed40x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x170000x5a4.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000x10c.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x143500x15000False0.341331845238data5.21336422112IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data0x160000xad40x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x170000x5a40x1000False0.182861328125data1.71064501623IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    RT_ICON0x173bc0x1e8data
    RT_GROUP_ICON0x173a80x14data
    RT_VERSION0x170f00x2b8COM executable for DOSEnglishUnited States

    Imports

    DLLImport
    MSVBVM60.DLL_CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

    Version Infos

    DescriptionData
    Translation0x0409 0x04b0
    InternalNamePHILAD
    FileVersion1.00
    CompanyNameMummys Technology
    CommentsMummys Technology
    ProductNameMummys Technology
    ProductVersion1.00
    FileDescriptionMummys Technology
    OriginalFilenamePHILAD.exe

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    System Behavior

    General

    Start time:16:06:39
    Start date:04/05/2021
    Path:C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe
    Wow64 process (32bit):true
    Commandline:'C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe'
    Imagebase:0x400000
    File size:98304 bytes
    MD5 hash:5777362EA00ED2DD6C40121450291E7D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1290771999.0000000002B50000.00000040.00000001.sdmp, Author: Joe Security
    • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000000.204937287.000000000040C000.00000020.00020000.sdmp, Author: Florian Roth
    • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.1285251776.000000000040C000.00000020.00020000.sdmp, Author: Florian Roth
    Reputation:low

    Disassembly

    Code Analysis

    Reset < >