Play interactive tour

Edit tour

Analysis Report DOCUMENTOS CORREOS.exe

Overview

General Information

Sample Name:	DOCUMENTOS CORREOS.exe
Analysis ID:	430603
MD5:	c73ab52ccb3b77ffda43ab3764fff1ab
SHA1:	99e3f024e741388c0a788df19fb87bf105ab84f4
SHA256:	8fe1d7d807635615314910e8145e2e050afd648a5eb7be85908563b30290e2fd
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to hide a thread from the debugger

Executable has a suspicious name (potential lure to open the executable)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

DOCUMENTOS CORREOS.exe (PID: 5320 cmdline: 'C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe' MD5: C73AB52CCB3B77FFDA43AB3764FFF1AB)

DOCUMENTOS CORREOS.exe (PID: 5392 cmdline: 'C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe' MD5: C73AB52CCB3B77FFDA43AB3764FFF1AB)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39A0.bin/file\u0000\u0000", "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.279722809.0000000000620000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
00000004.00000000.278693331.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
00000004.00000002.486013693.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: DOCUMENTOS CORREOS.exe PID: 5392	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: DOCUMENTOS CORREOS.exe PID: 5392	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: DOCUMENTOS CORREOS.exe

Avira: detected

Found malware configuration

Show sources

Source: 00000000.00000002.279722809.0000000000620000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39A0.bin/file\u0000\u0000", "User Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"}

Multi AV Scanner detection for submitted file

Show sources

Source: DOCUMENTOS CORREOS.exe	Virustotal: Detection: 75%			Perma Link
Source: DOCUMENTOS CORREOS.exe	ReversingLabs: Detection: 86%

Source: 0.0.DOCUMENTOS CORREOS.exe.400000.0.unpack	Avira: Label: TR/AD.VBCryptor.vjznr
Source: 4.0.DOCUMENTOS CORREOS.exe.400000.0.unpack	Avira: Label: TR/AD.VBCryptor.vjznr

Source: DOCUMENTOS CORREOS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 104.16.203.237:443 -> 192.168.2.3:49723 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39A0.bin/file

Source: Joe Sandbox View	IP Address: 104.16.203.237 104.16.203.237
Source: Joe Sandbox View	IP Address: 104.16.203.237 104.16.203.237

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe

Code function: 4_2_0056A75D InternetReadFile,

Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp	String found in binary or memory: <!DOCTYPE html> <html lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> equals www.facebook.com (Facebook)
Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp	String found in binary or memory: </script> <noscript><img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=542578585845936&ev=PageView&noscript=1" alt="Facebook"/></noscript> equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: www.mediafire.com

Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js
Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp	String found in binary or memory: https://static.cloudflareinsights.com/beacon.min.js
Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/recaptcha/api.js
Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1
Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-53LP4T
Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp	String found in binary or memory: https://www.mediafire.com
Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.485885466.000000000019A000.00000004.00000001.sdmp	String found in binary or memory: https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39
Source: DOCUMENTOS CORREOS.exe	String found in binary or memory: https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39A0.bin/file
Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp	String found in binary or memory: https://www.mediafire.com/images/logos/mf_logo250x250.png

Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown

HTTPS traffic detected: 104.16.203.237:443 -> 192.168.2.3:49723 version: TLS 1.2

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: DOCUMENTOS CORREOS.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: DOCUMENTOS CORREOS.exe

Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Code function: 4_2_0056A2A9 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Code function: 4_2_00560636 NtSetInformationThread,
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Code function: 4_2_00560526 NtSetInformationThread,

Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe

Code function: String function: 00401450 appears 32 times

Source: DOCUMENTOS CORREOS.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: DOCUMENTOS CORREOS.exe, 00000000.00000002.279069921.000000000041D000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLepidop6.exe vs DOCUMENTOS CORREOS.exe
Source: DOCUMENTOS CORREOS.exe, 00000000.00000002.280743215.00000000021E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLepidop6.exeFE2X vs DOCUMENTOS CORREOS.exe
Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.493784317.000000001EFB0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs DOCUMENTOS CORREOS.exe
Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.493701104.000000001EE60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs DOCUMENTOS CORREOS.exe
Source: DOCUMENTOS CORREOS.exe, 00000004.00000000.277944455.000000000041D000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLepidop6.exe vs DOCUMENTOS CORREOS.exe
Source: DOCUMENTOS CORREOS.exe	Binary or memory string: OriginalFilenameLepidop6.exe vs DOCUMENTOS CORREOS.exe

Source: DOCUMENTOS CORREOS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@3/0@1/2

Source: DOCUMENTOS CORREOS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: DOCUMENTOS CORREOS.exe	Virustotal: Detection: 75%
Source: DOCUMENTOS CORREOS.exe	ReversingLabs: Detection: 86%

Source: unknown	Process created: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe 'C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe'
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Process created: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe 'C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe'
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Process created: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe 'C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe'

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000000.00000002.279722809.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.278693331.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.486013693.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DOCUMENTOS CORREOS.exe PID: 5392, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: DOCUMENTOS CORREOS.exe PID: 5392, type: MEMORY

Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Code function: 0_2_004114EA push dword ptr [edi+3ABAD03Ah]; iretd
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Code function: 0_2_00408972 push cs; iretd
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Code function: 0_2_004055E0 push esi; retf
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Code function: 0_2_00409A4B pushfd ; retf
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Code function: 0_2_00409E31 push 2955CA9Fh; ret
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Code function: 0_2_0040573B push cs; iretd
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Code function: 0_2_00406F87 push D0AFF143h; ret

Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe TID: 4724	Thread sleep count: 107 > 30
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe TID: 4724	Thread sleep time: -1070000s >= -30000s

Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Last function: Thread delayed

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe

Code function: 4_2_00560636 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Code function: 4_2_00561D70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Code function: 4_2_00564403 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Code function: 4_2_00568B2A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Code function: 4_2_00562BF7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Code function: 4_2_00568190 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe	Code function: 4_2_00569886 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe

Process created: C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe 'C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe'

Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.487569983.0000000000FB0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.487569983.0000000000FB0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.487569983.0000000000FB0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: DOCUMENTOS CORREOS.exe, 00000004.00000002.487569983.0000000000FB0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery2	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	System Information Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DOCUMENTOS CORREOS.exe	75%	Virustotal		Browse
DOCUMENTOS CORREOS.exe	86%	ReversingLabs	Win32.Trojan.Guloader
DOCUMENTOS CORREOS.exe	100%	Avira	TR/AD.VBCryptor.vjznr

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.DOCUMENTOS CORREOS.exe.400000.0.unpack	100%	Avira	TR/AD.VBCryptor.vjznr	Download File
4.0.DOCUMENTOS CORREOS.exe.400000.0.unpack	100%	Avira	TR/AD.VBCryptor.vjznr	Download File
0.2.DOCUMENTOS CORREOS.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1134906	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://static.cloudflareinsights.com/beacon.min.js	0%	URL Reputation	safe
https://static.cloudflareinsights.com/beacon.min.js	0%	URL Reputation	safe
https://static.cloudflareinsights.com/beacon.min.js	0%	URL Reputation	safe
https://static.cloudflareinsights.com/beacon.min.js	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.mediafire.com	104.16.203.237	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39A0.bin/file	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.mediafire.com	DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp	false		high
https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39A0.bin/file	DOCUMENTOS CORREOS.exe	false		high
https://static.cloudflareinsights.com/beacon.min.js	DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.mediafire.com/file/md0mc3zocq6uh6b/gbam_encrypted_65A39	DOCUMENTOS CORREOS.exe, 00000004.00000002.485885466.000000000019A000.00000004.00000001.sdmp	false		high
https://www.mediafire.com/images/logos/mf_logo250x250.png	DOCUMENTOS CORREOS.exe, 00000004.00000002.488373545.0000000002580000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.16.203.237	www.mediafire.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	430603
Start date:	07.06.2021
Start time:	17:26:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 15s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	DOCUMENTOS CORREOS.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@3/0@1/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 13.7% (good quality ratio 10.9%) Quality average: 43.3% Quality standard deviation: 26.4%
HCA Information:	Successful, ratio: 55% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 93.184.220.29, 40.88.32.150, 104.43.193.48, 92.122.145.220, 13.64.90.137, 104.43.139.144, 104.42.151.234, 23.57.80.111, 20.82.210.154, 2.20.142.210, 2.20.142.209, 92.122.213.194, 92.122.213.247, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing network information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:28:09	API Interceptor	107x Sleep call for process: DOCUMENTOS CORREOS.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.16.203.237	http://download2224.mediafire.com/5rqvtr7atabg/4ufxk777x7qfcdd/FastStoneCapturePortableTW_9.0_azo.exe	Get hash	malicious	Browse	www.mediafire.com/images/icons/myfiles/default.png
	http://download2134.mediafire.com/6d7pu7669u7g/5vpr2kr4s29utk7/PAG004.tgz	Get hash	malicious	Browse	www.mediafire.com/download_repair.php?flag=3&dkey=6d7pu7669u7&qkey=5vpr2kr4s29utk7&ip=84.17.52.40&ref=3
	http://www.mediafire.com/file/cnwik2kgdebsisy/PAG0002.tgz/file	Get hash	malicious	Browse	www.mediafire.com/images/icons/myfiles/default.png
	http://www.mediafire.com/file/4xm9i7c25z2wtqj/Parsel+Detaylar%C4%B1.7z/file	Get hash	malicious	Browse	www.mediafire.com/file/4xm9i7c25z2wtqj/Parsel+Detaylar%C4%B1.7z/file
	https://download1580.mediafire.com/4xprc4caulsg/qpuaxqx0pdqcik8/Solicitud+de+presupuesto.7z	Get hash	malicious	Browse	www.mediafire.com/upgrade
	http://www.mediafire.com/file/f28ppsxzjuy1xsb/UPSRO+2809203321.7z/file	Get hash	malicious	Browse	www.mediafire.com/file/f28ppsxzjuy1xsb/UPSRO+2809203321.7z/file
	http://www.mediafire.com/file/xn60pc8souxfqax/fac_01200.7z/file	Get hash	malicious	Browse	www.mediafire.com/file/xn60pc8souxfqax/fac_01200.7z/file
	http://www.mediafire.com/file/cmzz439j3nr3cp9/TNT1.7z/file	Get hash	malicious	Browse	www.mediafire.com/file/cmzz439j3nr3cp9/TNT1.7z/file
	http://www.mediafire.com/file/59pevvifny3y35x/Comanda+de+achizitie.7z/file	Get hash	malicious	Browse	www.mediafire.com/file/59pevvifny3y35x/Comanda+de+achizitie.7z/file
	https://download2272.mediafire.com/dee0x8gd9lhg/kfsfaocy6dzql61/Cheque+Copy.7z	Get hash	malicious	Browse	www.mediafire.com/about/
	http://www.mediafire.com/file/449cj5l0pxynnlh/Endesa-Facturacion20201806.zip	Get hash	malicious	Browse	www.mediafire.com/file/449cj5l0pxynnlh/Endesa-Facturacion20201806.zip
	http://cartadelcobro.com/pdf_carta_cobro-23-04-2020/	Get hash	malicious	Browse	www.mediafire.com/file/ss26bj0bvghigyj/Cobro.zip/file

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.mediafire.com	DOCUMENTOS CORREOS.exe	Get hash	malicious	Browse	104.16.202.237
	BRnRfGXrIP.exe	Get hash	malicious	Browse	104.16.202.237
	http://download2224.mediafire.com/5rqvtr7atabg/4ufxk777x7qfcdd/FastStoneCapturePortableTW_9.0_azo.exe	Get hash	malicious	Browse	104.16.202.237
	Autuacao-2305148784007A.exe	Get hash	malicious	Browse	104.16.202.237
	http://download2134.mediafire.com/6d7pu7669u7g/5vpr2kr4s29utk7/PAG004.tgz	Get hash	malicious	Browse	104.16.203.237
	http://www.mediafire.com/file/cnwik2kgdebsisy/PAG0002.tgz/file	Get hash	malicious	Browse	104.16.203.237
	http://download1716.mediafire.com/4ovq1dagh3qg/llznllwcu118fj5/New+Order.tgz	Get hash	malicious	Browse	104.16.202.237
	http://www.mediafire.com/file/4xm9i7c25z2wtqj/Parsel+Detaylar%C4%B1.7z/file	Get hash	malicious	Browse	104.16.203.237
	http://www.mediafire.com/file/4xm9i7c25z2wtqj/Parsel+Detaylar%C4%B1.7z/file	Get hash	malicious	Browse	104.16.202.237
	https://download1580.mediafire.com/4xprc4caulsg/qpuaxqx0pdqcik8/Solicitud+de+presupuesto.7z	Get hash	malicious	Browse	104.16.203.237
	https://download1582.mediafire.com/ntorjrq3jvwg/xpqdxdvhyo668qg/Android+WhatsApp+to+iPhone+Transfer+-+DU+x32.zip	Get hash	malicious	Browse	104.16.202.237
	http://www.mediafire.com/file/f28ppsxzjuy1xsb/UPSRO+2809203321.7z/file	Get hash	malicious	Browse	104.16.203.237
	https://www.mediafire.com/file/que9zdctac0t9w8/Cerere_de_achizitie.7z/file	Get hash	malicious	Browse	104.16.203.237
	http://www.mediafire.com/file/69twv65ip7pnmit/Pago+de+septiembre.7z/file	Get hash	malicious	Browse	104.16.202.237
	http://www.mediafire.com/file/xn60pc8souxfqax/fac_01200.7z/file	Get hash	malicious	Browse	104.16.203.237
	http://www.mediafire.com/file/cmzz439j3nr3cp9/TNT1.7z/file	Get hash	malicious	Browse	104.16.203.237
	http://download1525.mediafire.com/a2niozn5iheg/ayhephnsi8hnlgv/test.exe	Get hash	malicious	Browse	104.16.202.237
	https://www.mediafire.com/file/q4ic4hzhjjsvrdr/Posta+Romana+12082033201829.7z/file	Get hash	malicious	Browse	104.16.202.237
	https://www.mediafire.com/file/q4ic4hzhjjsvrdr/Posta+Romana+12082033201829.7z/file	Get hash	malicious	Browse	104.16.203.237

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	DOCUMENTOS CORREOS.exe	Get hash	malicious	Browse	104.16.202.237
	DOCUMENTOS CORREOS.exe	Get hash	malicious	Browse	104.16.202.237
	BBS FX.xlsx	Get hash	malicious	Browse	104.26.0.222
	PAYMENT RECEIPT #FO1420111.exe	Get hash	malicious	Browse	104.21.19.200
	StubV4.exe	Get hash	malicious	Browse	172.67.188.154
	Order No. BCM #03122020.exe	Get hash	malicious	Browse	104.21.93.53
	Confirmation Transfer Note MT103 Ref#8892626882.exe	Get hash	malicious	Browse	172.67.188.154
	Shipping documents & Proforma invoice.exe	Get hash	malicious	Browse	172.67.188.154
	TT500202106029589435472.exe	Get hash	malicious	Browse	104.21.19.200
	Payment Swift copy MT103.exe	Get hash	malicious	Browse	104.21.19.200
	plagin.exe	Get hash	malicious	Browse	104.25.233.53
	New Order.exe	Get hash	malicious	Browse	172.67.155.26
	rtgs_2021-06-07_02-01.exe	Get hash	malicious	Browse	104.21.93.70
	FORM C1.xlsx	Get hash	malicious	Browse	104.21.61.102
	rtgs_pdf.exe	Get hash	malicious	Browse	104.21.93.70
	triage_dropped_file.exe	Get hash	malicious	Browse	23.227.38.74
	sample.EXE	Get hash	malicious	Browse	172.67.206.104
	CSTB FR ORDER 789.exe	Get hash	malicious	Browse	172.67.193.3
	SC-BANK TRANSFER TT-COPY-FRIDAY0621_pdf.exe	Get hash	malicious	Browse	172.67.188.154
	PAYMENT MT103 REMITTANCE SWIFT.exe	Get hash	malicious	Browse	104.21.19.200

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	OewA04QDBh.exe	Get hash	malicious	Browse	104.16.203.237
	plagin.exe	Get hash	malicious	Browse	104.16.203.237
	statistic-608048546.xls	Get hash	malicious	Browse	104.16.203.237
	Zd1j3hnY8u.exe	Get hash	malicious	Browse	104.16.203.237
	HNUQajtypz.exe	Get hash	malicious	Browse	104.16.203.237
	SOA_Outstanding_Balance.exe	Get hash	malicious	Browse	104.16.203.237
	85OpNw6eXm.exe	Get hash	malicious	Browse	104.16.203.237
	QUMuMnixcc.exe	Get hash	malicious	Browse	104.16.203.237
	riy66qgtIR.exe	Get hash	malicious	Browse	104.16.203.237
	R43YJpd6nj.exe	Get hash	malicious	Browse	104.16.203.237
	RFQ.exe	Get hash	malicious	Browse	104.16.203.237
	#Ud83d#Udcde_#U25b6#Ufe0fPlay_to_Listen.htm	Get hash	malicious	Browse	104.16.203.237
	SecuriteInfo.com.Trojan.DownLoader39.38629.28832.exe	Get hash	malicious	Browse	104.16.203.237
	3vuLRePalU.exe	Get hash	malicious	Browse	104.16.203.237
	sZBBKNIKMX.exe	Get hash	malicious	Browse	104.16.203.237
	lnD4uofi2O.exe	Get hash	malicious	Browse	104.16.203.237
	KWLMpN39y2.exe	Get hash	malicious	Browse	104.16.203.237
	JJ1PbTh0SP.dll	Get hash	malicious	Browse	104.16.203.237
	Secured-Message_7634-7.html	Get hash	malicious	Browse	104.16.203.237
	treetop-payroll-075491-pdf.HtmL	Get hash	malicious	Browse	104.16.203.237

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.338112761945723
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DOCUMENTOS CORREOS.exe
File size:	122880
MD5:	c73ab52ccb3b77ffda43ab3764fff1ab
SHA1:	99e3f024e741388c0a788df19fb87bf105ab84f4
SHA256:	8fe1d7d807635615314910e8145e2e050afd648a5eb7be85908563b30290e2fd
SHA512:	80a6e6794465186450b8e8776de0b0598459319b42494a4937da373caa2dae63f12e197130c76edb76d3f5cba86c611f5eaa221eb62152089a682d0ff33decfe
SSDEEP:	1536:Qth8H3nVcq+YnRThE1K/ZZusX0b/g8uz:QU3n6pYFRu+08p
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................................Rich............PE..L....e`K..................... ......$.............@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401524
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4B6065C8 [Wed Jan 27 16:11:52 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f40fcd81751084aec6b61b1899b8625f

Entrypoint Preview

Instruction
push 004130C0h
call 00007F8C10E238E3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sbb byte ptr [ecx-415C509Ch], bl
nop
inc edx
cdq
mov dword ptr [E9366C07h], eax
jmp 00007F8C10E238EFh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [edi+ecx+02h], ch
inc ebx
inc ecx
push ebx
dec ecx
push esp
add byte ptr [ebx], ch
add al, byte ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
inc esp
das
mov ch, 2Eh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1b404	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d000	0x934	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x170	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1a978	0x1b000	False	0.30138708044	data	4.55242334496	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1c000	0xb4c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1d000	0x934	0x1000	False	0.173828125	data	1.99326688739	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1d804	0x130	data
RT_ICON	0x1d51c	0x2e8	data
RT_ICON	0x1d3f4	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1d3c4	0x30	data
RT_VERSION	0x1d150	0x274	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaLateMemSt, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaCyStr, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarDup, __vbaLateMemCallLd, _CIatan, __vbaAryCopy, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Lepidop6
FileVersion	1.00
CompanyName	NERBing
Comments	NERBing
ProductName	tragtede
ProductVersion	1.00
FileDescription	Overdre
OriginalFilename	Lepidop6.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 7, 2021 17:28:09.059087992 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.102716923 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.102834940 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.131134987 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.173614025 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.182578087 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.182632923 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.182650089 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.182667017 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.182724953 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.182764053 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.315078020 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.357559919 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.362318993 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.364324093 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.387787104 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.430459023 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.679585934 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.679807901 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.702694893 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.745126009 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.965553045 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.965604067 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.965642929 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.965668917 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.965677023 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.965734005 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.965874910 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.965917110 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.965986967 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.966964006 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.967015028 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.967042923 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.967077971 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.967994928 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.968036890 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.968117952 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.969140053 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.969178915 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.969201088 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.969218016 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.970068932 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.970112085 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.970177889 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.971131086 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.971183062 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.971194983 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.971226931 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.972162962 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.972206116 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.972230911 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.972260952 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.973283052 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.973325968 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.973422050 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.974281073 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.974328041 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.974371910 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.974395990 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.975326061 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.975369930 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.975450039 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.976336002 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.976386070 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.976404905 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.976437092 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.977365017 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.977408886 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.977474928 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.978415966 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.978456974 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.978487968 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.978513956 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.979454994 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.979500055 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.979619980 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.980499983 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.980576038 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.980587959 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.980639935 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:09.981585979 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.981667042 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:09.981760025 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:10.008208036 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:10.008323908 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:10.008446932 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:10.008625984 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:10.008697033 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:10.008699894 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:10.008759975 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:10.009695053 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:10.009763002 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:10.009862900 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:10.010677099 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:10.010768890 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:10.010775089 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:10.010824919 CEST	49723	443	192.168.2.3	104.16.203.237
Jun 7, 2021 17:28:10.011812925 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:10.011867046 CEST	443	49723	104.16.203.237	192.168.2.3
Jun 7, 2021 17:28:10.011893034 CEST	49723	443	192.168.2.3	104.16.203.237

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 7, 2021 17:28:08.968982935 CEST	192.168.2.3	8.8.8.8	0x39a7	Standard query (0)	www.mediafire.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 7, 2021 17:28:09.019900084 CEST	8.8.8.8	192.168.2.3	0x39a7	No error (0)	www.mediafire.com		104.16.203.237	A (IP address)	IN (0x0001)
Jun 7, 2021 17:28:09.019900084 CEST	8.8.8.8	192.168.2.3	0x39a7	No error (0)	www.mediafire.com		104.16.202.237	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: DOCUMENTOS CORREOS.exe PID: 5320 Parent PID: 5508

General

Start time:	17:27:29
Start date:	07/06/2021
Path:	C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe'
Imagebase:	0x400000
File size:	122880 bytes
MD5 hash:	C73AB52CCB3B77FFDA43AB3764FFF1AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000000.00000002.279722809.0000000000620000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: DOCUMENTOS CORREOS.exe PID: 5392 Parent PID: 5320

General

Start time:	17:27:56
Start date:	07/06/2021
Path:	C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\DOCUMENTOS CORREOS.exe'
Imagebase:	0x400000
File size:	122880 bytes
MD5 hash:	C73AB52CCB3B77FFDA43AB3764FFF1AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000004.00000000.278693331.0000000000560000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000004.00000002.486013693.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report DOCUMENTOS CORREOS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: DOCUMENTOS CORREOS.exe PID: 5320 Parent PID: 5508

General

Analysis Process: DOCUMENTOS CORREOS.exe PID: 5392 Parent PID: 5320