Loading ...

Play interactive tourEdit tour

Analysis Report PC21-270421.exe

Overview

General Information

Sample Name:PC21-270421.exe
Analysis ID:430961
MD5:140733109e3a3b3de2ae1aaf164178da
SHA1:5f8685572c91386045a5f458b298ee8c6934277c
SHA256:4bb04df120eb27c3f5b3a46a54891b927fe4232fdaf75b9ecaddc2f24d61533c
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:57
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains capabilities to detect virtual machines
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • PC21-270421.exe (PID: 6376 cmdline: 'C:\Users\user\Desktop\PC21-270421.exe' MD5: 140733109E3A3B3DE2AE1AAF164178DA)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1IyeIvFG2j6rM8MkH-OGyKJbMY3m1XbJ6"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
PC21-270421.exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: PC21-270421.exeMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1IyeIvFG2j6rM8MkH-OGyKJbMY3m1XbJ6"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: PC21-270421.exeVirustotal: Detection: 33%Perma Link
    Source: PC21-270421.exeReversingLabs: Detection: 17%
    Source: PC21-270421.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1IyeIvFG2j6rM8MkH-OGyKJbMY3m1XbJ6

    System Summary:

    barindex
    Potential malicious icon foundShow sources
    Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_004014B80_2_004014B8
    Source: PC21-270421.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: PC21-270421.exe, 00000000.00000000.658336766.0000000000424000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameINDFRELSENS.exe vs PC21-270421.exe
    Source: PC21-270421.exe, 00000000.00000002.685380233.00000000021E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs PC21-270421.exe
    Source: PC21-270421.exeBinary or memory string: OriginalFilenameINDFRELSENS.exe vs PC21-270421.exe
    Source: PC21-270421.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal57.rans.troj.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\PC21-270421.exeFile created: C:\Users\user\Desktop\BortdsledesJump to behavior
    Source: PC21-270421.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\PC21-270421.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\PC21-270421.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Users\user\Desktop\PC21-270421.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: PC21-270421.exeVirustotal: Detection: 33%
    Source: PC21-270421.exeReversingLabs: Detection: 17%
    Source: C:\Users\user\Desktop\PC21-270421.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
    Source: C:\Users\user\Desktop\PC21-270421.exeAutomated click: OK
    Source: C:\Users\user\Desktop\PC21-270421.exeAutomated click: OK
    Source: C:\Users\user\Desktop\PC21-270421.exeAutomated click: OK
    Source: Window RecorderWindow detected: More than 3 window changes detected

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: PC21-270421.exe, type: SAMPLE
    Source: Yara matchFile source: 0.0.PC21-270421.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PC21-270421.exe.400000.0.unpack, type: UNPACKEDPE
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_00410040 push edx; iretd 0_2_0041004B
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040D844 push edx; iretd 0_2_0040D84F
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040F844 push edx; iretd 0_2_0040F84F
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040B04B push ebx; iretd 0_2_0040B00F
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0041004C push ebx; iretd 0_2_004100BF
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040E050 push edx; iretd 0_2_0040E0EB
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_00415051 push edx; iretd 0_2_0041506B
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0041105B push edx; iretd 0_2_0041106B
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040785C push edx; iretd 0_2_00407863
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_00410861 push edx; iretd 0_2_004108D7
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040F862 push edx; iretd 0_2_0040F86F
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040C066 push ebx; iretd 0_2_0040C073
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040D870 push edx; iretd 0_2_0040D887
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040B874 push ebx; iretd 0_2_0040B87F
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_00408078 push ebx; iretd 0_2_00408093
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040A008 push edx; iretd 0_2_00409FFF
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040B809 push ebx; iretd 0_2_0040B873
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040900F push edx; iretd 0_2_00409027
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0041601A push edx; iretd 0_2_0041603B
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_00406021 push edx; iretd 0_2_00406023
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0040F025 push edx; iretd 0_2_0040F027
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_00414028 push edi; iretd 0_2_00414029
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_0041402A push edx; iretd 0_2_0041402B
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_00407034 push edx; iretd 0_2_0040703F
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_00410038 push ebx; iretd 0_2_004100BF
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_004078D4 push edx; iretd 0_2_004078DB
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_004068D4 push edx; iretd 0_2_0040692B
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_004090DC push edx; iretd 0_2_004090E3
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_004090E4 push ebx; iretd 0_2_00409147
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_004080E9 push edx; iretd 0_2_004080F7
    Source: C:\Users\user\Desktop\PC21-270421.exeCode function: 0_2_004108ED push edx; iretd 0_2_004108D7
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PC21-270421.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PC21-270421.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
    Source: C:\Users\user\Desktop\PC21-270421.exeAPI coverage: 0.6 %
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\PC21-270421.exeQueries volume information: unknown VolumeInformationJump to behavior

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionMasquerading1OS Credential DumpingSecurity Software Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion1LSASS MemoryVirtualization/Sandbox Evasion1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerFile and Directory Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery11Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.