Play interactive tour

Edit tour

Analysis Report shipping Document and Bill Of Landing.exe

Overview

General Information

Sample Name:	shipping Document and Bill Of Landing.exe
Analysis ID:	411858
MD5:	7196e6e67a39225a9b73af0c6f6b5b0e
SHA1:	c0da8d54393e9365d1fa0f0a88cf4b52496992b1
SHA256:	4d5e7bff4f749a4f1a357c61098c19c345246b142308f4048aebc6dfdaf4fc73
Tags:	GuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Executable has a suspicious name (potential lure to open the executable)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

PE file contains an invalid checksum

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

shipping Document and Bill Of Landing.exe (PID: 672 cmdline: 'C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe' MD5: 7196E6E67A39225A9B73AF0C6F6B5B0E)

shipping Document and Bill Of Landing.exe (PID: 204 cmdline: 'C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe' MD5: 7196E6E67A39225A9B73AF0C6F6B5B0E)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://reachglobal-in.com/fdeb/bin_dXfiGRj156.bin"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.469283991.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000001.00000002.296439672.0000000002290000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000D.00000002.469283991.0000000000560000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://reachglobal-in.com/fdeb/bin_dXfiGRj156.bin"}

Multi AV Scanner detection for submitted file

Show sources

Source: shipping Document and Bill Of Landing.exe	Virustotal: Detection: 52%			Perma Link
Source: shipping Document and Bill Of Landing.exe	ReversingLabs: Detection: 29%

Machine Learning detection for sample

Show sources

Source: shipping Document and Bill Of Landing.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe

Code function: 1_2_00413514 CryptDestroyHash,

Source: shipping Document and Bill Of Landing.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://reachglobal-in.com/fdeb/bin_dXfiGRj156.bin

Source: unknown

DNS traffic detected: query: reachglobal-in.com replaycode: Server failure (2)

Source: unknown

DNS traffic detected: queries for: reachglobal-in.com

Source: shipping Document and Bill Of Landing.exe, 0000000D.00000002.469283991.0000000000560000.00000040.00000001.sdmp

String found in binary or memory: https://reachglobal-in.com/fdeb/bin_dXfiGRj156.bin

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: shipping Document and Bill Of Landing.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: shipping Document and Bill Of Landing.exe
Source: initial sample	Static PE information: Filename: shipping Document and Bill Of Landing.exe

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02296EB1 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02290715 EnumWindows,NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_0229292A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_0229350C NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02296962 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02293636 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_0229720A NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02292A0C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02297277 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02292A5C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02297257 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02296EBE NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02292A8B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_022972E0 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02292AD8 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02296F38 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02292B32 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02292B6F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02296F48 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02296FEA NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02292BD4 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02293C23 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02292C0F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_0229700E NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02292C56 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02292CAE NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_022970B6 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02297087 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_022970FB NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02297130 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_0229290F NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02292D04 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_0229351C NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_0229194A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_0229714E NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02292943 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02292D5C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02293554 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02292DA7 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_022935A6 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_022971BE NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_0229299B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_022935E0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_022935D1 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_022929D0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00566962 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_0056350C NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_005609FB NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00566EB1 NtSetInformationThread,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_0056700E NtSetInformationThread,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_005670FB NtSetInformationThread,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00567087 NtSetInformationThread,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_005670B6 NtSetInformationThread,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00563554 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_0056714E NtSetInformationThread,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_0056351C NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00567130 NtSetInformationThread,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_005635D1 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_005635E0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_005671BE NtSetInformationThread,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_005635A6 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00567257 NtSetInformationThread,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00567277 NtSetInformationThread,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_0056720A NtSetInformationThread,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00563636 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_005672E0 NtSetInformationThread,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00566EBE NtSetInformationThread,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00566F48 NtSetInformationThread,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00566F38 NtSetInformationThread,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00560FFA NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00566FEA NtSetInformationThread,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00560FAC NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00560FA8 NtProtectVirtualMemory,

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02295460
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00565460

Source: shipping Document and Bill Of Landing.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: shipping Document and Bill Of Landing.exe, 00000001.00000002.297195400.0000000002A10000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameThe.exeFE2X< vs shipping Document and Bill Of Landing.exe
Source: shipping Document and Bill Of Landing.exe, 00000001.00000002.296409915.0000000002210000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs shipping Document and Bill Of Landing.exe
Source: shipping Document and Bill Of Landing.exe, 00000001.00000002.296018416.000000000042F000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameThe.exe vs shipping Document and Bill Of Landing.exe
Source: shipping Document and Bill Of Landing.exe, 0000000D.00000000.294760484.000000000042F000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameThe.exe vs shipping Document and Bill Of Landing.exe
Source: shipping Document and Bill Of Landing.exe	Binary or memory string: OriginalFilenameThe.exe vs shipping Document and Bill Of Landing.exe

Source: shipping Document and Bill Of Landing.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@3/0@43/0

Source: shipping Document and Bill Of Landing.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: shipping Document and Bill Of Landing.exe	Virustotal: Detection: 52%
Source: shipping Document and Bill Of Landing.exe	ReversingLabs: Detection: 29%

Source: unknown	Process created: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe 'C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe'
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Process created: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe 'C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe'
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Process created: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe 'C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe'

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 0000000D.00000002.469283991.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.296439672.0000000002290000.00000040.00000001.sdmp, type: MEMORY

Source: shipping Document and Bill Of Landing.exe

Static PE information: real checksum: 0x3be80 should be: 0x37542

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_00401CCC push edx; retf 2E00h
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_0040424D push ss; iretd
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_00404334 push ss; iretd
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02296628 push eax; ret
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00566628 push eax; ret

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	File created: \shipping document and bill of landing.exe
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	File created: \shipping document and bill of landing.exe

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02297644
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_0229765E
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_0056765E
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00567644

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	RDTSC instruction interceptor: First address: 0000000002295F8A second address: 0000000002295F8A instructions:
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	RDTSC instruction interceptor: First address: 0000000002296025 second address: 0000000002296025 instructions:
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	RDTSC instruction interceptor: First address: 0000000002295F27 second address: 0000000002295F27 instructions:
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	RDTSC instruction interceptor: First address: 0000000002295D71 second address: 0000000002295D71 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FDABC9E8338h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test cx, cx 0x00000020 test bh, dh 0x00000022 add edi, edx 0x00000024 cmp ah, dh 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dx, bx 0x0000002f cmp dword ptr [ebp+000000F8h], 00000000h 0x00000036 jne 00007FDABC9E830Fh 0x00000038 cmp ax, bx 0x0000003b call 00007FDABC9E837Eh 0x00000040 call 00007FDABC9E8348h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	RDTSC instruction interceptor: First address: 0000000002293DBD second address: 0000000002293DBD instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: shipping Document and Bill Of Landing.exe, 00000001.00000002.296445757.00000000022A0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: shipping Document and Bill Of Landing.exe, 00000001.00000002.296445757.00000000022A0000.00000004.00000001.sdmp, shipping Document and Bill Of Landing.exe, 0000000D.00000002.469952233.0000000000740000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: shipping Document and Bill Of Landing.exe, 0000000D.00000002.469952233.0000000000740000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	RDTSC instruction interceptor: First address: 0000000002295F8A second address: 0000000002295F8A instructions:
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	RDTSC instruction interceptor: First address: 0000000002296025 second address: 0000000002296025 instructions:
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	RDTSC instruction interceptor: First address: 0000000002295F27 second address: 0000000002295F27 instructions:
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	RDTSC instruction interceptor: First address: 0000000002295D71 second address: 0000000002295D71 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FDABC9E8338h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test cx, cx 0x00000020 test bh, dh 0x00000022 add edi, edx 0x00000024 cmp ah, dh 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dx, bx 0x0000002f cmp dword ptr [ebp+000000F8h], 00000000h 0x00000036 jne 00007FDABC9E830Fh 0x00000038 cmp ax, bx 0x0000003b call 00007FDABC9E837Eh 0x00000040 call 00007FDABC9E8348h 0x00000045 lfence 0x00000048 mov edx, dword ptr [7FFE0014h] 0x0000004e lfence 0x00000051 ret 0x00000052 mov esi, edx 0x00000054 pushad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	RDTSC instruction interceptor: First address: 0000000002295DB1 second address: 0000000002295DB1 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FDABC9BB85Eh 0x0000001d popad 0x0000001e call 00007FDABC9BB41Bh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	RDTSC instruction interceptor: First address: 0000000002293DBD second address: 0000000002293DBD instructions:
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	RDTSC instruction interceptor: First address: 0000000000565DB1 second address: 0000000000565DB1 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FDABC9BB85Eh 0x0000001d popad 0x0000001e call 00007FDABC9BB41Bh 0x00000023 lfence 0x00000026 rdtsc

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe

Code function: 1_2_0229350C rdtsc

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe

Last function: Thread delayed

Source: shipping Document and Bill Of Landing.exe, 0000000D.00000002.469952233.0000000000740000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=wininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: shipping Document and Bill Of Landing.exe, 00000001.00000002.296445757.00000000022A0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: shipping Document and Bill Of Landing.exe, 00000001.00000002.296445757.00000000022A0000.00000004.00000001.sdmp, shipping Document and Bill Of Landing.exe, 0000000D.00000002.469952233.0000000000740000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe

Code function: 1_2_0229350C rdtsc

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe

Code function: 1_2_02294174 LdrInitializeThunk,

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02295A88 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_022952C8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_022952DA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_022923FC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_022963F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_022963F4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02291BC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02292415 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02296416 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_0229644C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_02292440 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 1_2_022930E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00562440 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_0056644C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00566416 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00562415 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_005630E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_005652DA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_005652C8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00565A88 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_00561BC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_005663F4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_005663F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe	Code function: 13_2_005623FC mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe

Process created: C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe 'C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe'

Source: shipping Document and Bill Of Landing.exe, 0000000D.00000002.470425237.0000000000EF0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: shipping Document and Bill Of Landing.exe, 0000000D.00000002.470425237.0000000000EF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: shipping Document and Bill Of Landing.exe, 0000000D.00000002.470425237.0000000000EF0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: shipping Document and Bill Of Landing.exe, 0000000D.00000002.470425237.0000000000EF0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion21	OS Credential Dumping	Security Software Discovery621	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion21	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol11	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
shipping Document and Bill Of Landing.exe	52%	Virustotal		Browse
shipping Document and Bill Of Landing.exe	30%	ReversingLabs	Win32.Trojan.Vebzenpak
shipping Document and Bill Of Landing.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://reachglobal-in.com/fdeb/bin_dXfiGRj156.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reachglobal-in.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reachglobal-in.com/fdeb/bin_dXfiGRj156.bin	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	411858
Start date:	12.05.2021
Start time:	08:00:38
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 44s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	shipping Document and Bill Of Landing.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@3/0@43/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 7% (good quality ratio 3.2%) Quality average: 26.4% Quality standard deviation: 33.2%
HCA Information:	Successful, ratio: 73% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Excluded IPs from analysis (whitelisted): 40.88.32.150, 92.122.145.220, 104.43.193.48, 168.61.161.212, 13.64.90.137, 23.218.208.56, 20.82.209.183, 92.122.213.194, 92.122.213.247, 20.54.26.129 Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.954249338916242
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	shipping Document and Bill Of Landing.exe
File size:	192512
MD5:	7196e6e67a39225a9b73af0c6f6b5b0e
SHA1:	c0da8d54393e9365d1fa0f0a88cf4b52496992b1
SHA256:	4d5e7bff4f749a4f1a357c61098c19c345246b142308f4048aebc6dfdaf4fc73
SHA512:	d977f3ef74715984e3d1f536975a8ab0a361724f2303305abcf6e14895461ef2288096c0f05be69c84656c9cb8eebc51b586e5f38119bae0507102fc1c7209f7
SSDEEP:	3072:OTqw9SpYIjV4Swtm3hdcIYZKZEXaXk/L:OTqw9PSukCKZKaU/
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......M.....................0....................@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401ccc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4DE4F581 [Tue May 31 14:04:49 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3af66fbc6abd133270fa3848991f9c33

Entrypoint Preview

Instruction
push 0041222Ch
call 00007FDABCAC72C3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], al
pushad
in eax, dx
fcom dword ptr [ecx-64B32A36h]
test dword ptr [edi+3Ah], eax
mov edx, esi
and eax, 0000000Fh
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx+00h], al
push es
push eax
add dword ptr [ecx], 41h
insd
je 00007FDABCAC734Ch
jnc 00007FDABCAC7346h
jc 00007FDABCAC7307h
add byte ptr [eax], al
mov ah, 28h
or eax, 00000003h
add bh, bh
int3
xor dword ptr [eax], eax
or al, FDh
salc
cmp eax, ebx
call 00007FDA3DEF2BDDh
sbb dh, ch
jmp far 1A55h : 7BB8AF0Bh
cld
mov edx, 44E62D63h
mov ebp, BC1E9B46h
dec ebp
and byte ptr [edx], al
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop esp
add al, 01h
add byte ptr [edx+02h], ch
add dword ptr [eax], eax
add byte ptr [ecx], cl
add byte ptr [edi+68h], dh
insb
jc 00007FDABCAC7346h
add byte ptr [43000501h], cl
outsd
outsd
jo 00007FDABCAC7307h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2bc74	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2f000	0x900	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x140	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2b200	0x2c000	False	0.31094082919	data	6.14682442454	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x2d000	0x11f4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2f000	0x900	0x1000	False	0.16650390625	data	1.96156765674	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2f7d0	0x130	data
RT_ICON	0x2f4e8	0x2e8	data
RT_ICON	0x2f3c0	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x2f390	0x30	data
RT_VERSION	0x2f150	0x240	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaRecDestruct, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaStrToAnsi, __vbaFpI4, __vbaRecDestructAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	The
FileVersion	1.00
CompanyName	Origin! CAD
ProductName	Origin! CAD
ProductVersion	1.00
FileDescription	Origin!
OriginalFilename	The.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
05/12/21-08:02:35.204329	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:02:36.222464	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:02:37.240826	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:02:40.491414	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:02:41.527466	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:02:46.372764	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:02:50.638500	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:02:51.639741	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:02:55.687460	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:02:56.734923	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:03:00.783150	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:03:02.811944	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:03:05.906613	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:03:06.938617	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:03:11.031996	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:03:12.079577	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:03:16.126441	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:03:17.141343	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:03:19.140188	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:03:22.289451	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:03:23.327932	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:03:25.321499	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:03:27.403886	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:03:28.393190	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:03:33.424666	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8
05/12/21-08:03:34.472475	ICMP	402	ICMP Destination Unreachable Port Unreachable	192.168.2.3	8.8.8.8

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 08:01:19.031388044 CEST	64938	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:19.080117941 CEST	53	64938	8.8.8.8	192.168.2.3
May 12, 2021 08:01:20.157840967 CEST	60152	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:20.225888968 CEST	53	60152	8.8.8.8	192.168.2.3
May 12, 2021 08:01:22.002157927 CEST	57544	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:22.053714037 CEST	53	57544	8.8.8.8	192.168.2.3
May 12, 2021 08:01:22.813426971 CEST	55984	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:22.865047932 CEST	53	55984	8.8.8.8	192.168.2.3
May 12, 2021 08:01:24.007102966 CEST	64185	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:24.055876970 CEST	53	64185	8.8.8.8	192.168.2.3
May 12, 2021 08:01:25.481729031 CEST	65110	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:25.539752007 CEST	53	65110	8.8.8.8	192.168.2.3
May 12, 2021 08:01:26.385723114 CEST	58361	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:26.437232018 CEST	53	58361	8.8.8.8	192.168.2.3
May 12, 2021 08:01:27.526230097 CEST	63492	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:27.575057030 CEST	53	63492	8.8.8.8	192.168.2.3
May 12, 2021 08:01:28.726255894 CEST	60831	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:28.778234005 CEST	53	60831	8.8.8.8	192.168.2.3
May 12, 2021 08:01:30.069235086 CEST	60100	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:30.118036032 CEST	53	60100	8.8.8.8	192.168.2.3
May 12, 2021 08:01:31.603904009 CEST	53195	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:31.655699968 CEST	53	53195	8.8.8.8	192.168.2.3
May 12, 2021 08:01:34.786555052 CEST	50141	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:34.841972113 CEST	53	50141	8.8.8.8	192.168.2.3
May 12, 2021 08:01:35.618351936 CEST	53023	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:35.667068005 CEST	53	53023	8.8.8.8	192.168.2.3
May 12, 2021 08:01:36.700438976 CEST	49563	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:36.749245882 CEST	53	49563	8.8.8.8	192.168.2.3
May 12, 2021 08:01:37.594563961 CEST	51352	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:37.643485069 CEST	53	51352	8.8.8.8	192.168.2.3
May 12, 2021 08:01:38.529011011 CEST	59349	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:38.577831984 CEST	53	59349	8.8.8.8	192.168.2.3
May 12, 2021 08:01:39.541491032 CEST	57084	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:39.590857983 CEST	53	57084	8.8.8.8	192.168.2.3
May 12, 2021 08:01:44.314141989 CEST	58823	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:44.365715981 CEST	53	58823	8.8.8.8	192.168.2.3
May 12, 2021 08:01:45.483055115 CEST	57568	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:45.531965971 CEST	53	57568	8.8.8.8	192.168.2.3
May 12, 2021 08:01:55.487745047 CEST	50540	53	192.168.2.3	8.8.8.8
May 12, 2021 08:01:55.559851885 CEST	53	50540	8.8.8.8	192.168.2.3
May 12, 2021 08:02:29.154186964 CEST	54366	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:30.151031017 CEST	54366	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:31.166793108 CEST	54366	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:32.352262974 CEST	53034	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:32.424287081 CEST	53	53034	8.8.8.8	192.168.2.3
May 12, 2021 08:02:33.167016029 CEST	54366	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:34.206736088 CEST	53	54366	8.8.8.8	192.168.2.3
May 12, 2021 08:02:35.203108072 CEST	53	54366	8.8.8.8	192.168.2.3
May 12, 2021 08:02:35.250248909 CEST	57762	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:36.219311953 CEST	53	54366	8.8.8.8	192.168.2.3
May 12, 2021 08:02:36.419112921 CEST	57762	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:37.240662098 CEST	53	54366	8.8.8.8	192.168.2.3
May 12, 2021 08:02:37.461003065 CEST	57762	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:39.314114094 CEST	53	57762	8.8.8.8	192.168.2.3
May 12, 2021 08:02:40.333544970 CEST	55435	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:40.487884045 CEST	53	57762	8.8.8.8	192.168.2.3
May 12, 2021 08:02:41.323945045 CEST	55435	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:41.524218082 CEST	53	57762	8.8.8.8	192.168.2.3
May 12, 2021 08:02:42.370624065 CEST	55435	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:44.397491932 CEST	53	55435	8.8.8.8	192.168.2.3
May 12, 2021 08:02:45.529561043 CEST	50713	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:46.372621059 CEST	53	55435	8.8.8.8	192.168.2.3
May 12, 2021 08:02:46.434206009 CEST	53	55435	8.8.8.8	192.168.2.3
May 12, 2021 08:02:46.574399948 CEST	50713	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:47.574556112 CEST	50713	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:49.593126059 CEST	53	50713	8.8.8.8	192.168.2.3
May 12, 2021 08:02:49.597605944 CEST	56132	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:49.658670902 CEST	53	56132	8.8.8.8	192.168.2.3
May 12, 2021 08:02:50.613149881 CEST	58987	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:50.638376951 CEST	53	50713	8.8.8.8	192.168.2.3
May 12, 2021 08:02:51.621308088 CEST	58987	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:51.639637947 CEST	53	50713	8.8.8.8	192.168.2.3
May 12, 2021 08:02:52.668411970 CEST	58987	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:54.678493023 CEST	53	58987	8.8.8.8	192.168.2.3
May 12, 2021 08:02:55.687346935 CEST	53	58987	8.8.8.8	192.168.2.3
May 12, 2021 08:02:55.696567059 CEST	56579	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:56.718844891 CEST	56579	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:56.734673023 CEST	53	58987	8.8.8.8	192.168.2.3
May 12, 2021 08:02:57.762463093 CEST	56579	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:58.541511059 CEST	60633	53	192.168.2.3	8.8.8.8
May 12, 2021 08:02:58.606501102 CEST	53	60633	8.8.8.8	192.168.2.3
May 12, 2021 08:02:59.762057066 CEST	53	56579	8.8.8.8	192.168.2.3
May 12, 2021 08:03:00.782874107 CEST	53	56579	8.8.8.8	192.168.2.3
May 12, 2021 08:03:00.853844881 CEST	61292	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:01.841365099 CEST	61292	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:02.811834097 CEST	53	56579	8.8.8.8	192.168.2.3
May 12, 2021 08:03:02.872667074 CEST	61292	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:04.917594910 CEST	53	61292	8.8.8.8	192.168.2.3
May 12, 2021 08:03:05.906464100 CEST	53	61292	8.8.8.8	192.168.2.3
May 12, 2021 08:03:05.970653057 CEST	63619	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:06.937756062 CEST	53	61292	8.8.8.8	192.168.2.3
May 12, 2021 08:03:06.966382980 CEST	63619	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:08.013849020 CEST	63619	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:10.035644054 CEST	53	63619	8.8.8.8	192.168.2.3
May 12, 2021 08:03:11.031840086 CEST	53	63619	8.8.8.8	192.168.2.3
May 12, 2021 08:03:11.059521914 CEST	64938	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:12.060440063 CEST	64938	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:12.079459906 CEST	53	63619	8.8.8.8	192.168.2.3
May 12, 2021 08:03:13.076947927 CEST	64938	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:13.364254951 CEST	61946	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:13.421365976 CEST	53	61946	8.8.8.8	192.168.2.3
May 12, 2021 08:03:15.076543093 CEST	64938	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:16.107876062 CEST	53	64938	8.8.8.8	192.168.2.3
May 12, 2021 08:03:16.125893116 CEST	53	64938	8.8.8.8	192.168.2.3
May 12, 2021 08:03:17.141036034 CEST	53	64938	8.8.8.8	192.168.2.3
May 12, 2021 08:03:17.201738119 CEST	64910	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:17.604834080 CEST	52123	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:17.666291952 CEST	53	52123	8.8.8.8	192.168.2.3
May 12, 2021 08:03:18.217997074 CEST	64910	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:19.140124083 CEST	53	64938	8.8.8.8	192.168.2.3
May 12, 2021 08:03:19.264046907 CEST	64910	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:21.264622927 CEST	64910	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:21.267046928 CEST	53	64910	8.8.8.8	192.168.2.3
May 12, 2021 08:03:22.285006046 CEST	53	64910	8.8.8.8	192.168.2.3
May 12, 2021 08:03:22.291197062 CEST	56130	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:23.327791929 CEST	53	64910	8.8.8.8	192.168.2.3
May 12, 2021 08:03:23.341129065 CEST	56130	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:24.327455997 CEST	56130	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:25.321345091 CEST	53	64910	8.8.8.8	192.168.2.3
May 12, 2021 08:03:26.345091105 CEST	53	56130	8.8.8.8	192.168.2.3
May 12, 2021 08:03:27.366398096 CEST	56338	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:27.403759003 CEST	53	56130	8.8.8.8	192.168.2.3
May 12, 2021 08:03:28.375382900 CEST	56338	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:28.393043995 CEST	53	56130	8.8.8.8	192.168.2.3
May 12, 2021 08:03:29.421453953 CEST	56338	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:31.420943975 CEST	53	56338	8.8.8.8	192.168.2.3
May 12, 2021 08:03:32.444873095 CEST	59420	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:33.424427986 CEST	53	56338	8.8.8.8	192.168.2.3
May 12, 2021 08:03:33.437156916 CEST	59420	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:34.437467098 CEST	59420	53	192.168.2.3	8.8.8.8
May 12, 2021 08:03:34.472316980 CEST	53	56338	8.8.8.8	192.168.2.3
May 12, 2021 08:03:36.453270912 CEST	59420	53	192.168.2.3	8.8.8.8

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 12, 2021 08:02:35.204329014 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:02:36.222464085 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:02:37.240825891 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:02:40.491414070 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:02:41.527466059 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:02:46.372764111 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:02:50.638499975 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:02:51.639740944 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:02:55.687459946 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:02:56.734922886 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:03:00.783149958 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:03:02.811944008 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:03:05.906613111 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:03:06.938616991 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:03:11.031996012 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:03:12.079576969 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:03:16.126441002 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:03:17.141343117 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:03:19.140187979 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:03:22.289450884 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:03:23.327931881 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:03:25.321499109 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:03:27.403886080 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:03:28.393189907 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:03:33.424665928 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable
May 12, 2021 08:03:34.472475052 CEST	192.168.2.3	8.8.8.8	cff5	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 08:02:29.154186964 CEST	192.168.2.3	8.8.8.8	0x5a7c	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:30.151031017 CEST	192.168.2.3	8.8.8.8	0x5a7c	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:31.166793108 CEST	192.168.2.3	8.8.8.8	0x5a7c	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:33.167016029 CEST	192.168.2.3	8.8.8.8	0x5a7c	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:35.250248909 CEST	192.168.2.3	8.8.8.8	0x681c	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:36.419112921 CEST	192.168.2.3	8.8.8.8	0x681c	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:37.461003065 CEST	192.168.2.3	8.8.8.8	0x681c	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:40.333544970 CEST	192.168.2.3	8.8.8.8	0x9ec5	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:41.323945045 CEST	192.168.2.3	8.8.8.8	0x9ec5	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:42.370624065 CEST	192.168.2.3	8.8.8.8	0x9ec5	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:45.529561043 CEST	192.168.2.3	8.8.8.8	0x6936	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:46.574399948 CEST	192.168.2.3	8.8.8.8	0x6936	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:47.574556112 CEST	192.168.2.3	8.8.8.8	0x6936	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:50.613149881 CEST	192.168.2.3	8.8.8.8	0x214c	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:51.621308088 CEST	192.168.2.3	8.8.8.8	0x214c	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:52.668411970 CEST	192.168.2.3	8.8.8.8	0x214c	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:55.696567059 CEST	192.168.2.3	8.8.8.8	0x72d7	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:56.718844891 CEST	192.168.2.3	8.8.8.8	0x72d7	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:02:57.762463093 CEST	192.168.2.3	8.8.8.8	0x72d7	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:00.853844881 CEST	192.168.2.3	8.8.8.8	0xf2a4	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:01.841365099 CEST	192.168.2.3	8.8.8.8	0xf2a4	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:02.872667074 CEST	192.168.2.3	8.8.8.8	0xf2a4	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:05.970653057 CEST	192.168.2.3	8.8.8.8	0xf19	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:06.966382980 CEST	192.168.2.3	8.8.8.8	0xf19	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:08.013849020 CEST	192.168.2.3	8.8.8.8	0xf19	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:11.059521914 CEST	192.168.2.3	8.8.8.8	0xa27b	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:12.060440063 CEST	192.168.2.3	8.8.8.8	0xa27b	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:13.076947927 CEST	192.168.2.3	8.8.8.8	0xa27b	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:15.076543093 CEST	192.168.2.3	8.8.8.8	0xa27b	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:17.201738119 CEST	192.168.2.3	8.8.8.8	0x2838	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:18.217997074 CEST	192.168.2.3	8.8.8.8	0x2838	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:19.264046907 CEST	192.168.2.3	8.8.8.8	0x2838	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:21.264622927 CEST	192.168.2.3	8.8.8.8	0x2838	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:22.291197062 CEST	192.168.2.3	8.8.8.8	0x48c9	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:23.341129065 CEST	192.168.2.3	8.8.8.8	0x48c9	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:24.327455997 CEST	192.168.2.3	8.8.8.8	0x48c9	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:27.366398096 CEST	192.168.2.3	8.8.8.8	0x9d40	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:28.375382900 CEST	192.168.2.3	8.8.8.8	0x9d40	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:29.421453953 CEST	192.168.2.3	8.8.8.8	0x9d40	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:32.444873095 CEST	192.168.2.3	8.8.8.8	0x89c0	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:33.437156916 CEST	192.168.2.3	8.8.8.8	0x89c0	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:34.437467098 CEST	192.168.2.3	8.8.8.8	0x89c0	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)
May 12, 2021 08:03:36.453270912 CEST	192.168.2.3	8.8.8.8	0x89c0	Standard query (0)	reachglobal-in.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 12, 2021 08:02:34.206736088 CEST	8.8.8.8	192.168.2.3	0x5a7c	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:02:35.203108072 CEST	8.8.8.8	192.168.2.3	0x5a7c	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:02:36.219311953 CEST	8.8.8.8	192.168.2.3	0x5a7c	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:02:37.240662098 CEST	8.8.8.8	192.168.2.3	0x5a7c	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:02:39.314114094 CEST	8.8.8.8	192.168.2.3	0x681c	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:02:40.487884045 CEST	8.8.8.8	192.168.2.3	0x681c	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:02:41.524218082 CEST	8.8.8.8	192.168.2.3	0x681c	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:02:44.397491932 CEST	8.8.8.8	192.168.2.3	0x9ec5	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:02:46.372621059 CEST	8.8.8.8	192.168.2.3	0x9ec5	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:02:46.434206009 CEST	8.8.8.8	192.168.2.3	0x9ec5	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:02:49.593126059 CEST	8.8.8.8	192.168.2.3	0x6936	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:02:50.638376951 CEST	8.8.8.8	192.168.2.3	0x6936	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:02:51.639637947 CEST	8.8.8.8	192.168.2.3	0x6936	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:02:54.678493023 CEST	8.8.8.8	192.168.2.3	0x214c	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:02:55.687346935 CEST	8.8.8.8	192.168.2.3	0x214c	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:02:56.734673023 CEST	8.8.8.8	192.168.2.3	0x214c	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:02:59.762057066 CEST	8.8.8.8	192.168.2.3	0x72d7	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:00.782874107 CEST	8.8.8.8	192.168.2.3	0x72d7	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:02.811834097 CEST	8.8.8.8	192.168.2.3	0x72d7	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:04.917594910 CEST	8.8.8.8	192.168.2.3	0xf2a4	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:05.906464100 CEST	8.8.8.8	192.168.2.3	0xf2a4	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:06.937756062 CEST	8.8.8.8	192.168.2.3	0xf2a4	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:10.035644054 CEST	8.8.8.8	192.168.2.3	0xf19	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:11.031840086 CEST	8.8.8.8	192.168.2.3	0xf19	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:12.079459906 CEST	8.8.8.8	192.168.2.3	0xf19	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:16.107876062 CEST	8.8.8.8	192.168.2.3	0xa27b	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:16.125893116 CEST	8.8.8.8	192.168.2.3	0xa27b	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:17.141036034 CEST	8.8.8.8	192.168.2.3	0xa27b	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:19.140124083 CEST	8.8.8.8	192.168.2.3	0xa27b	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:21.267046928 CEST	8.8.8.8	192.168.2.3	0x2838	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:22.285006046 CEST	8.8.8.8	192.168.2.3	0x2838	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:23.327791929 CEST	8.8.8.8	192.168.2.3	0x2838	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:25.321345091 CEST	8.8.8.8	192.168.2.3	0x2838	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:26.345091105 CEST	8.8.8.8	192.168.2.3	0x48c9	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:27.403759003 CEST	8.8.8.8	192.168.2.3	0x48c9	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:28.393043995 CEST	8.8.8.8	192.168.2.3	0x48c9	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:31.420943975 CEST	8.8.8.8	192.168.2.3	0x9d40	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:33.424427986 CEST	8.8.8.8	192.168.2.3	0x9d40	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)
May 12, 2021 08:03:34.472316980 CEST	8.8.8.8	192.168.2.3	0x9d40	Server failure (2)	reachglobal-in.com	none	none	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: shipping Document and Bill Of Landing.exe PID: 672 Parent PID: 5588

General

Start time:	08:01:26
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe'
Imagebase:	0x400000
File size:	192512 bytes
MD5 hash:	7196E6E67A39225A9B73AF0C6F6B5B0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.296439672.0000000002290000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: shipping Document and Bill Of Landing.exe PID: 204 Parent PID: 672

General

Start time:	08:02:09
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\shipping Document and Bill Of Landing.exe'
Imagebase:	0x400000
File size:	192512 bytes
MD5 hash:	7196E6E67A39225A9B73AF0C6F6B5B0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000D.00000002.469283991.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report shipping Document and Bill Of Landing.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: shipping Document and Bill Of Landing.exe PID: 672 Parent PID: 5588

General