Analysis Report DOCUMENTOS CORREOS.exe

Overview

General Information

Sample Name: DOCUMENTOS CORREOS.exe
Analysis ID: 430596
MD5: c73ab52ccb3b77ffda43ab3764fff1ab
SHA1: 99e3f024e741388c0a788df19fb87bf105ab84f4
SHA256: 8fe1d7d807635615314910e8145e2e050afd648a5eb7be85908563b30290e2fd

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: DOCUMENTOS CORREOS.exe Avira: detected
Found malware configuration
Source: 00000000.00000002.293287609.00000000022A0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39A0.bin/file\u0000\u0000", "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"}
Multi AV Scanner detection for submitted file
Source: DOCUMENTOS CORREOS.exe Virustotal: Detection: 75%
Source: DOCUMENTOS CORREOS.exe ReversingLabs: Detection: 86%
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.DOCUMENTOS CORREOS.exe.400000.0.unpack Avira: Label: TR/AD.VBCryptor.vjznr
Source: 8.0.DOCUMENTOS CORREOS.exe.400000.0.unpack Avira: Label: TR/AD.VBCryptor.vjznr

Compliance:

Uses 32bit PE files
Source: DOCUMENTOS CORREOS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 104.16.202.237:443 -> 192.168.2.7:49723 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39A0.bin/file
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.202.237 104.16.202.237
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 8_2_0056A75D InternetReadFile, 8_2_0056A75D
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.496447052.0000000002390000.00000004.00000001.sdmp String found in binary or memory: <!DOCTYPE html> <html lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> equals www.facebook.com (Facebook)
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.496447052.0000000002390000.00000004.00000001.sdmp String found in binary or memory: </script> <noscript><img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=542578585845936&ev=PageView&noscript=1" alt="Facebook"/></noscript> equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: www.mediafire.com
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.496447052.0000000002390000.00000004.00000001.sdmp String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.496447052.0000000002390000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.496447052.0000000002390000.00000004.00000001.sdmp String found in binary or memory: https://static.cloudflareinsights.com/beacon.min.js
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.496447052.0000000002390000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/recaptcha/api.js
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.496447052.0000000002390000.00000004.00000001.sdmp String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.496447052.0000000002390000.00000004.00000001.sdmp String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.496447052.0000000002390000.00000004.00000001.sdmp String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-53LP4T
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.496447052.0000000002390000.00000004.00000001.sdmp String found in binary or memory: https://www.mediafire.com
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.494835317.000000000019A000.00000004.00000001.sdmp String found in binary or memory: https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39
Source: DOCUMENTOS CORREOS.exe String found in binary or memory: https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39A0.bin/file
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.496447052.0000000002390000.00000004.00000001.sdmp String found in binary or memory: https://www.mediafire.com/images/logos/mf_logo250x250.png
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 104.16.202.237:443 -> 192.168.2.7:49723 version: TLS 1.2

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Executable has a suspicious name (potential lure to open the executable)
Source: DOCUMENTOS CORREOS.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: DOCUMENTOS CORREOS.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_022AA2A9 NtProtectVirtualMemory, 0_2_022AA2A9
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_022A351A NtWriteVirtualMemory, 0_2_022A351A
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_022AA75D NtResumeThread, 0_2_022AA75D
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_022A0636 NtSetInformationThread,TerminateProcess, 0_2_022A0636
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_022A0526 NtSetInformationThread,TerminateProcess, 0_2_022A0526
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 8_2_0056A2A9 NtProtectVirtualMemory, 8_2_0056A2A9
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 8_2_00560636 NtSetInformationThread, 8_2_00560636
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 8_2_00560526 NtSetInformationThread, 8_2_00560526
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: String function: 00401450 appears 32 times
PE file contains strange resources
Source: DOCUMENTOS CORREOS.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: DOCUMENTOS CORREOS.exe, 00000000.00000002.293255006.00000000021E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs DOCUMENTOS CORREOS.exe
Source: DOCUMENTOS CORREOS.exe, 00000000.00000000.227986099.000000000041D000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLepidop6.exe vs DOCUMENTOS CORREOS.exe
Source: DOCUMENTOS CORREOS.exe, 00000000.00000002.294134113.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLepidop6.exeFE2X vs DOCUMENTOS CORREOS.exe
Source: DOCUMENTOS CORREOS.exe, 00000008.00000000.291846040.000000000041D000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLepidop6.exe vs DOCUMENTOS CORREOS.exe
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.503475023.000000001ED20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs DOCUMENTOS CORREOS.exe
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.503529531.000000001EE70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs DOCUMENTOS CORREOS.exe
Source: DOCUMENTOS CORREOS.exe Binary or memory string: OriginalFilenameLepidop6.exe vs DOCUMENTOS CORREOS.exe
Uses 32bit PE files
Source: DOCUMENTOS CORREOS.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@3/0@1/1
Source: DOCUMENTOS CORREOS.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: DOCUMENTOS CORREOS.exe Virustotal: Detection: 75%
Source: DOCUMENTOS CORREOS.exe ReversingLabs: Detection: 86%
Source: unknown Process created: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe 'C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe'
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Process created: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe 'C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe'

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.293287609.00000000022A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.495047042.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.292666583.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DOCUMENTOS CORREOS.exe PID: 5560, type: MEMORY
Source: Yara match File source: Process Memory Space: DOCUMENTOS CORREOS.exe PID: 2672, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: DOCUMENTOS CORREOS.exe PID: 5560, type: MEMORY
Source: Yara match File source: Process Memory Space: DOCUMENTOS CORREOS.exe PID: 2672, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_004114EA push dword ptr [edi+3ABAD03Ah]; iretd 0_2_004114F8
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_00408972 push cs; iretd 0_2_00408973
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_004055E0 push esi; retf 0_2_004055E1
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_00409A4B pushfd ; retf 0_2_00409A4C
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_00409E31 push 2955CA9Fh; ret 0_2_00409E37
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_0040573B push cs; iretd 0_2_0040573C
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_00406F87 push D0AFF143h; ret 0_2_00406F96
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe TID: 1416 Thread sleep count: 99 > 30
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe TID: 1416 Thread sleep time: -990000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Last function: Thread delayed

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_022A0636 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000 0_2_022A0636
Hides threads from debuggers
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Thread information set: HideFromDebugger
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_022A4403 mov eax, dword ptr fs:[00000030h] 0_2_022A4403
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_022A9886 mov eax, dword ptr fs:[00000030h] 0_2_022A9886
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_022A8B2A mov eax, dword ptr fs:[00000030h] 0_2_022A8B2A
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_022A1D70 mov eax, dword ptr fs:[00000030h] 0_2_022A1D70
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_022A8190 mov eax, dword ptr fs:[00000030h] 0_2_022A8190
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 0_2_022A2BF7 mov eax, dword ptr fs:[00000030h] 0_2_022A2BF7
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 8_2_00561D70 mov eax, dword ptr fs:[00000030h] 8_2_00561D70
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 8_2_00564403 mov eax, dword ptr fs:[00000030h] 8_2_00564403
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 8_2_00568B2A mov eax, dword ptr fs:[00000030h] 8_2_00568B2A
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 8_2_00562BF7 mov eax, dword ptr fs:[00000030h] 8_2_00562BF7
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 8_2_00568190 mov eax, dword ptr fs:[00000030h] 8_2_00568190
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Code function: 8_2_00569886 mov eax, dword ptr fs:[00000030h] 8_2_00569886

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe Process created: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe 'C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe'
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.496191401.0000000000EC0000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.496191401.0000000000EC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.496191401.0000000000EC0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: DOCUMENTOS CORREOS.exe, 00000008.00000002.496191401.0000000000EC0000.00000002.00000001.sdmp Binary or memory string: Progmanlock