
Analysis Report DOCUMENTOS CORREOS.exe

Overview

General Information

Sample Name: DOCUMENTOS CORREOS.exe
Analysis ID: 430603
MD5: c73ab52ccb3b77ffda43ab3764fff1ab
SHA1: 99e3f024e741388c0a788df19fb87bf105ab84f4
SHA256: 8fe1d7d807635615314910e8145e2e050afd648a5eb7be85908563b30290e2fd

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • DOCUMENTOS CORREOS.exe (PID: 5320 cmdline: 'C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe' MD5: C73AB52CCB3B77FFDA43AB3764FFF1AB)
    • DOCUMENTOS CORREOS.exe (PID: 5392 cmdline: 'C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe' MD5: C73AB52CCB3B77FFDA43AB3764FFF1AB)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39A0.bin/file\u0000\u0000", "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"}
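Added example, not part of the Joe Sandbox report: normalising the extracted configuration above and turning it into indicators that can be run against proxy logs. The extractor output carries two trailing NUL bytes on the URL (the \u0000\u0000 in the JSON), which must be stripped before the URL goes into a blocklist or a search. Two caveats worth keeping in mind: the User Agent is a hard-coded IE11 / Windows 7 string while the analysis host is Windows 10, so a User Agent that disagrees with the endpoint inventory is a hunt pivot in its own right; and the memory strings listed under Networking (the DOCTYPE, mf_logo250x250.png, recaptcha) show the process received the mediafire landing page HTML, so the config URL is a landing page and not a direct download. The proxy records in the block are constructed for the demonstration.

```python
import json
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed input: the extractor output quoted above, reproduced verbatim.
# The "\u0000\u0000" tail is NUL padding carved out of memory with the URL.
RAW_CONFIG = (
    '{"Payload URL": "https://www.mediafire.com/file/md0mc3zocq6uh6b/'
    'gbam_encrypted_65A39A0.bin/file\\u0000\\u0000", '
    '"User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"}'
)

# Constructed proxy records (JSON lines) for the demonstration; not from the report.
SAMPLE_PROXY_LOG = [
    '{"src": "10.0.0.15", "host": "www.mediafire.com", "path": "/file/md0mc3zocq6uh6b/gbam_encrypted_65A39A0.bin/file", "ua": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"}',
    '{"src": "10.0.0.15", "host": "fonts.googleapis.com", "path": "/css", "ua": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"}',
    '{"src": "10.0.0.22", "host": "www.mediafire.com", "path": "/", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"}',
    '{"src": "10.0.0.31", "host": "example.org", "path": "/", "ua": "curl/7.68.0"}',
]


def normalize_config(raw: str) -> dict:
    """Parse the extractor JSON and strip NUL padding and whitespace from string values."""
    cfg = json.loads(raw)
    return {k: (v.rstrip("\x00").strip() if isinstance(v, str) else v)
            for k, v in cfg.items()}


def iocs_from_config(cfg: dict) -> dict:
    """Derive searchable network indicators from a normalised GuLoader config."""
    url = cfg["Payload URL"]
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    # Take the last path segment that carries an extension: for this sample
    # that is the .bin, not the trailing "file" segment of the mediafire URL.
    payload_name = next((s for s in reversed(segments) if "." in s), None)
    return {
        "url": url,
        "host": parts.hostname,
        "path": parts.path,
        "payload_name": payload_name,
        "user_agent": cfg["User Agent"],
    }


def classify_proxy_record(rec: dict, iocs: dict) -> Optional[str]:
    """Rank one proxy record against the IOCs; strongest evidence first."""
    host_hit = rec.get("host", "").lower() == iocs["host"]
    path_hit = rec.get("path") == iocs["path"]
    ua_hit = rec.get("ua") == iocs["user_agent"]
    if host_hit and path_hit:
        return "payload_url"   # exact landing URL from the config: confirmed contact
    if host_hit and ua_hit:
        return "host_and_ua"   # config host fetched with the loader's hard-coded UA
    if ua_hit:
        return "ua_only"       # weak alone: stock IE11/Win7 UA, but odd coming from a Win10 fleet
    if host_hit:
        return "host_only"     # mediafire is a legitimate service; expect noise
    return None


def scan_proxy_log(lines: List[str], iocs: dict) -> List[Tuple[str, str]]:
    """Return (source_ip, match_tier) for every record that matched an indicator."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        tier = classify_proxy_record(rec, iocs)
        if tier:
            hits.append((rec["src"], tier))
    return hits


if __name__ == "__main__":
    ioc = iocs_from_config(normalize_config(RAW_CONFIG))
    print(json.dumps(ioc, indent=2))
    for src, tier in scan_proxy_log(SAMPLE_PROXY_LOG, ioc):
        print(f"{src}: {tier}")
```

The tiers are deliberately ordered: a hit on the exact landing URL is worth acting on, a hit on the host alone is not, and the User Agent only becomes useful when joined with the host or with an inventory that says the source machine is not Windows 7.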

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.279722809.0000000000620000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
00000004.00000000.278693331.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
00000004.00000002.486013693.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
Process Memory Space: DOCUMENTOS CORREOS.exe PID: 5392 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security
Process Memory Space: DOCUMENTOS CORREOS.exe PID: 5392 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
  Source: DOCUMENTOS CORREOS.exe | Avira: detected
Found malware configuration
  Source: 00000000.00000002.279722809.0000000000620000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39A0.bin/file\u0000\u0000", "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"}
Multi AV Scanner detection for submitted file
  Source: DOCUMENTOS CORREOS.exe | Virustotal: Detection: 75%
  Source: DOCUMENTOS CORREOS.exe | ReversingLabs: Detection: 86%
  Source: 0.0.DOCUMENTOS CORREOS.exe.400000.0.unpack | Avira: Label: TR/AD.VBCryptor.vjznr
  Source: 4.0.DOCUMENTOS CORREOS.exe.400000.0.unpack | Avira: Label: TR/AD.VBCryptor.vjznr
  Source: DOCUMENTOS CORREOS.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
  Source: unknown | HTTPS traffic detected: 104.16.203.237:443 -> 192.168.2.3:49723 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration
  Source: Malware configuration extractor | URLs: https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39A0.bin/file
  Source: Joe Sandbox View | IP Address: 104.16.203.237
  Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 4_2_0056A75D InternetReadFile
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp | String found in binary or memory: <!DOCTYPE html> <html lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> equals www.facebook.com (Facebook)
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp | String found in binary or memory: </script> <noscript><img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=542578585845936&ev=PageView&noscript=1" alt="Facebook"/></noscript> equals www.facebook.com (Facebook)
  Source: unknown | DNS traffic detected: queries for: www.mediafire.com
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp | String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp | String found in binary or memory: https://static.cloudflareinsights.com/beacon.min.js
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/recaptcha/api.js
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp | String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-53LP4T
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp | String found in binary or memory: https://www.mediafire.com
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.485885466.000000000019A000.00000004.00000001.sdmp | String found in binary or memory: https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39
  Source: DOCUMENTOS CORREOS.exe | String found in binary or memory: https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39A0.bin/file
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp | String found in binary or memory: https://www.mediafire.com/images/logos/mf_logo250x250.png
  Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
  Source: unknown | HTTPS traffic detected: 104.16.203.237:443 -> 192.168.2.3:49723 version: TLS 1.2
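Added example, not from the report: how a JA3 fingerprint such as the one on the "Joe Sandbox View" line above is computed, so the value can be reproduced from a packet capture rather than trusted as a label. JA3 is the MD5 of the string "version,ciphers,extensions,supported_groups,ec_point_formats" taken from the ClientHello, with GREASE values removed. The caveat that matters for this sample: the code reads its download through InternetReadFile (WinINet), whose TLS comes from the Windows Schannel stack, so the fingerprint belongs to the OS, not to GuLoader, and will match every WinINet client on the same Windows build. The report's "seen in connection with other malware" note means exactly that and no more; join the JA3 with the host and User Agent rather than blocking on it. The ClientHello bytes below are constructed and do not reproduce the report's hash.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3 so that randomised extensions
# do not change the fingerprint between connections.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def sni(host: str) -> bytes:
    """server_name extension body: list length, name type 0 (host_name), name length, name."""
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return struct.pack("!H", len(entry)) + entry


def build_client_hello(ciphers, extensions, version=0x0303) -> bytes:
    """Assemble a TLS record carrying a ClientHello (constructed test input)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", version) + b"\x11" * 32            # client_version, random
            + b"\x00"                                            # session_id length 0
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                        # one compression method: null
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(body).to_bytes(3, "big")           # type client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake) + len(body)) + handshake + body


def ja3_from_client_hello(record: bytes) -> str:
    """Return the JA3 string: version,ciphers,extensions,groups,point_formats (GREASE removed)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9                                            # record header (5) + handshake header (4)
    version = struct.unpack_from("!H", record, p)[0]; p += 2
    p += 32                                          # random
    p += 1 + record[p]                               # session id
    n = struct.unpack_from("!H", record, p)[0]; p += 2
    ciphers = [c for c in struct.unpack_from("!%dH" % (n // 2), record, p) if c not in GREASE]
    p += n
    p += 1 + record[p]                               # compression methods
    ext_len = struct.unpack_from("!H", record, p)[0]; p += 2
    end = p + ext_len
    ext_types, groups, formats = [], [], []
    while p < end:
        etype, elen = struct.unpack_from("!HH", record, p); p += 4
        data = record[p:p + elen]; p += elen
        if etype in GREASE:
            continue
        ext_types.append(etype)
        if etype == 10:                              # supported_groups: 2-byte list length, 2-byte ids
            cnt = struct.unpack_from("!H", data)[0] // 2
            groups = [g for g in struct.unpack_from("!%dH" % cnt, data, 2) if g not in GREASE]
        elif etype == 11:                            # ec_point_formats: 1-byte list length, 1-byte ids
            formats = list(data[1:1 + data[0]])

    def dash(values):
        return "-".join(str(v) for v in values)

    return ",".join([str(version), dash(ciphers), dash(ext_types), dash(groups), dash(formats)])


def ja3_hash(ja3_string: str) -> str:
    return hashlib.md5(ja3_string.encode()).hexdigest()


# Constructed ClientHello: four cipher suites, one GREASE extension that must be
# ignored, SNI for the host in the report, three groups, one point format.
SAMPLE_HELLO = build_client_hello(
    ciphers=[0xc02b, 0xc02f, 0x009c, 0x002f],
    extensions=[
        (0x0a0a, b""),
        (0, sni("www.mediafire.com")),
        (10, struct.pack("!H", 6) + struct.pack("!HHH", 0x001d, 0x0017, 0x0018)),
        (11, b"\x01\x00"),
        (13, struct.pack("!H", 4) + struct.pack("!HH", 0x0403, 0x0804)),
    ],
)

if __name__ == "__main__":
    s = ja3_from_client_hello(SAMPLE_HELLO)
    print(s, ja3_hash(s))
```

Anything that changes the cipher list, the extension order or the supported groups produces a different hash, which is why the same malware family yields different JA3 values across Windows builds and why a stock-Schannel fingerprint is a poor sole indicator.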

System Summary:

Potential malicious icon found
  Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Executable has a suspicious name (potential lure to open the executable)
  Source: DOCUMENTOS CORREOS.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
  Source: initial sample | Static PE information: Filename: DOCUMENTOS CORREOS.exe
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Process Stats: CPU usage > 98%
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 4_2_0056A2A9 NtProtectVirtualMemory
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 4_2_00560636 NtSetInformationThread
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 4_2_00560526 NtSetInformationThread
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: String function: 00401450 appears 32 times
  Source: DOCUMENTOS CORREOS.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
  Source: DOCUMENTOS CORREOS.exe, 00000000.00000002.279069921.000000000041D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename: Lepidop6.exe vs DOCUMENTOS CORREOS.exe
  Source: DOCUMENTOS CORREOS.exe, 00000000.00000002.280743215.00000000021E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename: Lepidop6.exeFE2X vs DOCUMENTOS CORREOS.exe
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.493784317.000000001EFB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename: CRYPT32.DLL.MUIj% vs DOCUMENTOS CORREOS.exe
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.493701104.000000001EE60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename: mswsock.dll.muij% vs DOCUMENTOS CORREOS.exe
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000000.277944455.000000000041D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename: Lepidop6.exe vs DOCUMENTOS CORREOS.exe
  Source: DOCUMENTOS CORREOS.exe | Binary or memory string: OriginalFilename: Lepidop6.exe vs DOCUMENTOS CORREOS.exe
  Source: DOCUMENTOS CORREOS.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
  Source: classification engine | Classification label: mal100.rans.troj.evad.winEXE@3/0@1/2
  Source: DOCUMENTOS CORREOS.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported twice)
  Source: DOCUMENTOS CORREOS.exe | Virustotal: Detection: 75%
  Source: DOCUMENTOS CORREOS.exe | ReversingLabs: Detection: 86%
  Source: unknown | Process created: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe 'C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe'
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Process created: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe 'C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe'
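Added example, not from the report: the two System Summary observations that translate into a host-based detection are the self-spawn (PID 5320 launching a second copy of the same image as PID 5392, the step a loader takes before injecting into the suspended child) and the version-info OriginalFilename (Lepidop6.exe) disagreeing with the on-disk name. Sysmon Event ID 1 records Image, ParentImage and OriginalFileName, so both can be scored from one event. The records below are constructed to mirror the process tree above; the explorer.exe parent and the Chrome events are invented, the Chrome pair to show why a self-spawn on its own is too noisy to alert on.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Constructed Sysmon Event ID 1 records mirroring the process tree in the report:
# PID 5320 (given a constructed explorer.exe parent) starts a second copy of
# itself as PID 5392. The chrome.exe events are constructed as a benign self-spawn.
SAMPLE_EVENTS = [
    {"ProcessId": 5320, "ParentProcessId": 4412,
     "Image": r"C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "Lepidop6.exe"},
    {"ProcessId": 5392, "ParentProcessId": 5320,
     "Image": r"C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe",
     "ParentImage": r"C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe",
     "OriginalFileName": "Lepidop6.exe"},
    {"ProcessId": 6100, "ParentProcessId": 4412,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "chrome.exe"},
    {"ProcessId": 6124, "ParentProcessId": 6100,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "OriginalFileName": "chrome.exe"},
]

# Heuristic: anything launched from a user profile (Desktop, Downloads, AppData).
USER_PATH = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)


def is_self_spawn(ev: dict) -> bool:
    """Parent and child run the same image path (case-insensitive, as NTFS is)."""
    return ev["Image"].lower() == ev["ParentImage"].lower()


def has_name_mismatch(ev: dict) -> bool:
    """On-disk name differs from the PE version-info OriginalFileName."""
    original = ev.get("OriginalFileName", "")
    if not original or original in ("?", "-"):
        return False   # treat Sysmon's placeholders for a missing version resource as absent
    return ntpath.basename(ev["Image"]).lower() != original.lower()


def in_user_writable_path(ev: dict) -> bool:
    return bool(USER_PATH.match(ev["Image"]))


def evaluate(ev: dict) -> Tuple[Optional[str], List[str]]:
    """Score one process-creation event; returns (severity, reasons)."""
    reasons = []
    if is_self_spawn(ev):
        reasons.append("self_spawn")
    if has_name_mismatch(ev):
        reasons.append("original_filename_mismatch")
    if in_user_writable_path(ev):
        reasons.append("user_writable_path")
    if "self_spawn" in reasons and "original_filename_mismatch" in reasons:
        severity = "high"        # renamed binary re-launching itself: the loader pattern above
    elif "original_filename_mismatch" in reasons or (
            "self_spawn" in reasons and "user_writable_path" in reasons):
        severity = "medium"
    elif reasons:
        severity = "info"        # e.g. a browser spawning its own renderer: expected
    else:
        severity = None
    return severity, reasons


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ProcessId"], evaluate(ev))
```

The name-mismatch test is only as good as the version resource: a sample with no VS_VERSION_INFO gives Sysmon nothing to compare, which is why it is combined with the self-spawn and the launch path instead of standing alone.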

Data Obfuscation:

Yara detected GuLoader
  Source: Yara match | File source: 00000000.00000002.279722809.0000000000620000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000004.00000000.278693331.0000000000560000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000004.00000002.486013693.0000000000560000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: Process Memory Space: DOCUMENTOS CORREOS.exe PID: 5392, type: MEMORY
Yara detected VB6 Downloader Generic
  Source: Yara match | File source: Process Memory Space: DOCUMENTOS CORREOS.exe PID: 5392, type: MEMORY
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 0_2_004114EA push dword ptr [edi+3ABAD03Ah]; iretd (0_2_004114F8)
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 0_2_00408972 push cs; iretd (0_2_00408973)
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 0_2_004055E0 push esi; retf (0_2_004055E1)
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 0_2_00409A4B pushfd; retf (0_2_00409A4C)
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 0_2_00409E31 push 2955CA9Fh; ret (0_2_00409E37)
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 0_2_0040573B push cs; iretd (0_2_0040573C)
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 0_2_00406F87 push D0AFF143h; ret (0_2_00406F96)
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Process information set: NOOPENFILEERRORBOX (reported 9 times)
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe TID: 4724 | Thread sleep count: 107 > 30
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe TID: 4724 | Thread sleep time: -1070000s >= -30000s
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Last function: Thread delayed (reported twice)

Anti Debugging:

Contains functionality to hide a thread from the debugger
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 4_2_00560636 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000
Hides threads from debuggers
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Thread information set: HideFromDebugger (reported twice)
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 4_2_00561D70 mov eax, dword ptr fs:[00000030h]
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 4_2_00564403 mov eax, dword ptr fs:[00000030h]
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 4_2_00568B2A mov eax, dword ptr fs:[00000030h]
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 4_2_00562BF7 mov eax, dword ptr fs:[00000030h]
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 4_2_00568190 mov eax, dword ptr fs:[00000030h]
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Code function: 4_2_00569886 mov eax, dword ptr fs:[00000030h]
  Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe | Process created: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe 'C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe'
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.487569983.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.487569983.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.487569983.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: Progman
  Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.487569983.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
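Added example, not from the report: a scanner over code-function lines of the kind shown under Data Obfuscation and Anti Debugging, so the three techniques can be counted from a trace rather than read off by eye. The second argument 0x11 passed to NtSetInformationThread is THREADINFOCLASS ThreadHideFromDebugger: once it is set the thread stops delivering debug events, and the flag cannot be cleared, so a debugger attached afterwards sees no exceptions or breakpoints from that thread (NtQueryInformationThread with the same class reports whether it is set). fs:[30h] on 32-bit Windows is the PEB, whose BeingDebugged byte is at offset 2 and NtGlobalFlag at 0x68, which is what the six mov instructions above are reading. push imm32; ret (and the push cs; iretd and pushfd; retf variants) transfers control without a call or jmp, which is the "call, push, ret" obfuscation the signature list refers to. The lines in the block reuse the report's addresses; the argument lists for the 00560526 call and for NtProtectVirtualMemory are constructed, as is the final benign line.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

THREAD_HIDE_FROM_DEBUGGER = 0x11   # THREADINFOCLASS, 2nd argument of NtSetInformationThread

# Constructed input in the "Code function" line format used by the report. The
# addresses come from the report; the argument lists for the 00560526 call and
# for NtProtectVirtualMemory, and the last line, are invented for the demonstration.
SAMPLE_LINES = [
    "4_2_00560636 NtSetInformationThread 000000FE,00000011,00000000,00000000",
    "4_2_00560526 NtSetInformationThread 000000FE,00000011,00000000,00000000",
    "4_2_0056A2A9 NtProtectVirtualMemory 000000FF,0012FF44,0012FF40,00000040",
    "4_2_00561D70 mov eax, dword ptr fs:[00000030h]",
    "4_2_00564403 mov eax, dword ptr fs:[00000030h]",
    "0_2_00409E31 push 2955CA9Fh; ret",
    "0_2_00406F87 push D0AFF143h; ret",
    "0_2_004055E0 push esi; retf",
    "0_2_00408972 push cs; iretd",
    "0_2_00401450 mov ecx, dword ptr [ebp+08h]",
]

# <proc>_<run>_<addr> <ApiName> <hex args separated by commas>
API_RE = re.compile(
    r"^(?P<loc>\d+_\d+_[0-9A-Fa-f]{8})\s+(?P<fn>[A-Za-z_]\w*)\s+"
    r"(?P<args>[0-9A-Fa-f]{8}(?:,[0-9A-Fa-f]{8})*)$")
PEB_RE = re.compile(r"\bfs:\[0*30h\]", re.IGNORECASE)
PUSH_RET_RE = re.compile(r"\bpush\w*\b[^;]*;\s*(?:iretd|retf|retn|ret)\b", re.IGNORECASE)


def parse_api_call(line: str) -> Optional[Tuple[str, str, List[int]]]:
    """Split an API-call line into (location, function, [int args]); None if not one."""
    m = API_RE.match(line.strip())
    if not m:
        return None
    return m["loc"], m["fn"], [int(a, 16) for a in m["args"].split(",")]


def classify(line: str) -> Optional[str]:
    """Label one line, or None if it shows nothing of interest."""
    call = parse_api_call(line)
    if call:
        _, fn, args = call
        if fn == "NtSetInformationThread" and len(args) > 1 and args[1] == THREAD_HIDE_FROM_DEBUGGER:
            return "hide_thread_from_debugger"
        return None
    if PEB_RE.search(line):
        return "peb_read"                # PEB base; BeingDebugged at +2, NtGlobalFlag at +0x68 (x86)
    if PUSH_RET_RE.search(line):
        return "push_ret_control_flow"   # ret-based transfer hides the real target from static tools
    return None


def triage(lines: List[str]) -> Dict[str, int]:
    """Count findings per label across a trace."""
    return dict(Counter(label for label in map(classify, lines) if label))


if __name__ == "__main__":
    for label, count in sorted(triage(SAMPLE_LINES).items()):
        print(f"{label}: {count}")
```

A PEB read on its own is not evidence of anti-debugging (runtime code reads the PEB for ordinary reasons, such as walking the loader list), which is why the count is reported separately rather than folded into the hide-from-debugger finding.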

MITRE ATT&CK Matrix

Techniques matched by this report, by tactic (the digits after a technique are the report's per-technique signature-count badges):

Privilege Escalation: Process Injection 12
Defense Evasion: Process Injection 12; Virtualization/Sandbox Evasion 11; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Software Packing 1
Discovery: Security Software Discovery 2; Virtualization/Sandbox Evasion 11; Process Discovery 1; Remote System Discovery 1; System Information Discovery 1
Command and Control: Encrypted Channel 2; Ingress Tool Transfer 1; Non-Application Layer Protocol 1; Application Layer Protocol 12

No techniques matched under Initial Access, Execution, Persistence, Credential Access, Lateral Movement, Collection, Exfiltration, Network Effects, Remote Service Effects or Impact.
