Loading ...

Play interactive tourEdit tour

Analysis Report SecuriteInfo.com.Variant.Jaik.46242.3594.22390

Overview

General Information

Sample Name:SecuriteInfo.com.Variant.Jaik.46242.3594.22390 (renamed file extension from 22390 to exe)
Analysis ID:431830
MD5:99bbf83abe9d6e4ecc91493e32230833
SHA1:b0bd6ba2dc10eb5552edc7a3460c80ee0eb1b11e
SHA256:2b2a00650dc91d1a7ccfa4a62e3462762c62d8a092bddb75943f87074f1d56a5
Tags:exeGuLoader
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-co"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
SecuriteInfo.com.Variant.Jaik.46242.3594.exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
      00000000.00000000.197018556.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
        00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.SecuriteInfo.com.Variant.Jaik.46242.3594.exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
            0.0.SecuriteInfo.com.Variant.Jaik.46242.3594.exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

              Sigma Overview

              No Sigma rule has matched

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Found malware configurationShow sources
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exeMalware Configuration Extractor: GuLoader {"Payload URL": "https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-co"}
              Multi AV Scanner detection for submitted fileShow sources
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exeVirustotal: Detection: 26%Perma Link
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

              Networking:

              barindex
              C2 URLs / IPs found in malware configurationShow sources
              Source: Malware configuration extractorURLs: https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-co

              System Summary:

              barindex
              Potential malicious icon foundShow sources
              Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeProcess Stats: CPU usage > 98%
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286A2E NtAllocateVirtualMemory,
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286C20 NtAllocateVirtualMemory,
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286A78 NtAllocateVirtualMemory,
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286AF8 NtAllocateVirtualMemory,
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286B94 NtAllocateVirtualMemory,
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00401C10
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_004055F3
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286A2E
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286629
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02283238
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02283A30
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02283834
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228B409
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228341C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228666C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286A78
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02284440
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228185A
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022832A0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02283AA0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022866B8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02284490
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286AF8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022834C0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022836DE
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02283925
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228173C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02283B30
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228350C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228450C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228331C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02283714
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022833A4
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022817B8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02283788
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02284993
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022847ED
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022843FB
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022831D8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022839DC
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721975031.00000000020B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Variant.Jaik.46242.3594.exe
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000000.197037296.0000000000424000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTWINEMAKER.exe vs SecuriteInfo.com.Variant.Jaik.46242.3594.exe
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exeBinary or memory string: OriginalFilenameTWINEMAKER.exe vs SecuriteInfo.com.Variant.Jaik.46242.3594.exe
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              Source: classification engineClassification label: mal96.rans.troj.evad.winEXE@1/0@0/0
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exeVirustotal: Detection: 26%

              Data Obfuscation:

              barindex
              Yara detected GuLoaderShow sources
              Source: Yara matchFile source: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, type: MEMORY
              Yara detected GuLoaderShow sources
              Source: Yara matchFile source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, type: SAMPLE
              Source: Yara matchFile source: 00000000.00000000.197018556.0000000000401000.00000020.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Jaik.46242.3594.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.SecuriteInfo.com.Variant.Jaik.46242.3594.exe.400000.0.unpack, type: UNPACKEDPE
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00409C54 push es; iretd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0040605F push 00000059h; retf
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00406E64 push eax; retf
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0040A065 pushad ; retf
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00409E0D push edx; iretd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00409EF8 push ss; iretd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00406AFE push es; iretd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_004079CA push cs; iretd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00409387 push ss; iretd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00408D90 push cs; iretd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00403191 push dword ptr [ebp-44h]; ret
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02285356 push edi; iretd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              barindex
              Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeRDTSC instruction interceptor: First address: 0000000002289F94 second address: 000000000228A040 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub esp, 00000100h 0x00000010 mov edi, esp 0x00000012 test cx, dx 0x00000015 add esp, 00000100h 0x0000001b test eax, eax 0x0000001d mov dword ptr [edi+28h], eax 0x00000020 test bx, dx 0x00000023 mov esi, BEC25DA1h 0x00000028 add esi, 4F1D403Dh 0x0000002e xor esi, E8F819C0h 0x00000034 add esi, 1AD96BE2h 0x0000003a jmp 00007F7DFCC1F3BEh 0x0000003c pushad 0x0000003d mov eax, 0000003Fh 0x00000042 cpuid 0x00000044 popad 0x00000045 add esi, 00001000h 0x0000004b cmp esi, 0000F000h 0x00000051 je 00007F7DFCC1F8D0h 0x00000057 cmp esi, 7FFFF000h 0x0000005d je 00007F7DFCC1F8C4h 0x00000063 push 0AF1A7F6h 0x00000068 xor dword ptr [esp], 7FA34B79h 0x0000006f pushad 0x00000070 rdtsc
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeRDTSC instruction interceptor: First address: 000000000228A040 second address: 000000000228A040 instructions:
              Tries to detect virtualization through RDTSC time measurementsShow sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeRDTSC instruction interceptor: First address: 0000000002289F94 second address: 000000000228A040 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub esp, 00000100h 0x00000010 mov edi, esp 0x00000012 test cx, dx 0x00000015 add esp, 00000100h 0x0000001b test eax, eax 0x0000001d mov dword ptr [edi+28h], eax 0x00000020 test bx, dx 0x00000023 mov esi, BEC25DA1h 0x00000028 add esi, 4F1D403Dh 0x0000002e xor esi, E8F819C0h 0x00000034 add esi, 1AD96BE2h 0x0000003a jmp 00007F7DFCC1F3BEh 0x0000003c pushad 0x0000003d mov eax, 0000003Fh 0x00000042 cpuid 0x00000044 popad 0x00000045 add esi, 00001000h 0x0000004b cmp esi, 0000F000h 0x00000051 je 00007F7DFCC1F8D0h 0x00000057 cmp esi, 7FFFF000h 0x0000005d je 00007F7DFCC1F8C4h 0x00000063 push 0AF1A7F6h 0x00000068 xor dword ptr [esp], 7FA34B79h 0x0000006f pushad 0x00000070 rdtsc
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeRDTSC instruction interceptor: First address: 000000000228A040 second address: 000000000228A040 instructions:
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02284E28 rdtsc
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

              Anti Debugging:

              barindex
              Found potential dummy code loops (likely to delay analysis)Show sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeProcess Stats: CPU usage > 90% for more than 60s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02284E28 rdtsc
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02284440 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022864F9 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022890F5 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022836DE mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228993D mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022843FB mov eax, dword ptr fs:[00000030h]
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721862094.0000000000C30000.00000002.00000001.sdmpBinary or memory string: Program Manager
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721862094.0000000000C30000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721862094.0000000000C30000.00000002.00000001.sdmpBinary or memory string: Progman
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721862094.0000000000C30000.00000002.00000001.sdmpBinary or memory string: Progmanlock

              Mitre Att&ck Matrix

              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery31Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery21Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.

              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              SecuriteInfo.com.Variant.Jaik.46242.3594.exe26%VirustotalBrowse

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-co0%Avira URL Cloudsafe

              Domains and IPs

              Contacted Domains

              No contacted domains info

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-cotrue
              • Avira URL Cloud: safe
              unknown

              Contacted IPs

              No contacted IP infos

              General Information

              Joe Sandbox Version:32.0.0 Black Diamond
              Analysis ID:431830
              Start date:09.06.2021
              Start time:11:46:16
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 6m 57s
              Hypervisor based Inspection enabled:false
              Report type:light
              Sample file name:SecuriteInfo.com.Variant.Jaik.46242.3594.22390 (renamed file extension from 22390 to exe)
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:28
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal96.rans.troj.evad.winEXE@1/0@0/0
              EGA Information:Failed
              HDC Information:Failed
              HCA Information:Failed
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Override analysis time to 240s for sample files taking high CPU consumption
              Warnings:
              Show All
              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
              • Not all processes where analyzed, report is missing behavior information

              Simulations

              Behavior and APIs

              No simulations

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              No created / dropped files found

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):5.607689655560483
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.15%
              • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:SecuriteInfo.com.Variant.Jaik.46242.3594.exe
              File size:147456
              MD5:99bbf83abe9d6e4ecc91493e32230833
              SHA1:b0bd6ba2dc10eb5552edc7a3460c80ee0eb1b11e
              SHA256:2b2a00650dc91d1a7ccfa4a62e3462762c62d8a092bddb75943f87074f1d56a5
              SHA512:0f6b9f9a843f491b925aab0af5d4f08024a2d430c41022c23afb46ce3abdf7881e8d87ac6d93f5adfc2f11aee0f0bb0ac28fa2500ec118bc1ed496281d3afec6
              SSDEEP:1536:Fttu3FssKUmvr9DJ1FJS1bQNZ6bp/+Dtr5m3XSt4lYS0eXJWUTFboob:ztu3alxx3fSQmbs55r4l6eXJWUB0ob
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......G.....................0............... ....@................

              File Icon

              Icon Hash:20047c7c70f0e004

              Static PE Info

              General

              Entrypoint:0x401c10
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:
              Time Stamp:0x47BBB203 [Wed Feb 20 04:52:19 2008 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:9b8686288ab82fdbf8ede30bc55c83b7

              Entrypoint Preview

              Instruction
              push 0040205Ch
              call 00007F7DFCCE22D5h
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              xor byte ptr [eax], al
              add byte ptr [eax], al
              dec eax
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [ecx-0Dh], bh
              out dx, al
              mov byte ptr [44508D06h], al
              xchg eax, edx
              popad
              sbb al, C1h
              int1
              or eax, 0000BF8Ah
              add byte ptr [eax], al
              add byte ptr [eax], al
              add dword ptr [eax], eax
              add byte ptr [eax], al
              add byte ptr [eax], al
              push 4203026Dh
              jc 00007F7DFCCE2351h
              outsb
              imul ebp, dword ptr [edi+73h], 6Bh
              outsd
              jo 00007F7DFCCE2347h
              jc 00007F7DFCCE234Bh
              outsb
              jc 00007F7DFCCE2352h
              jnc 00007F7DFCCE22E3h
              insd
              add al, byte ptr [ebx]
              add byte ptr [eax], al
              add byte ptr [eax], al
              dec esp
              xor dword ptr [eax], eax
              cmovnle edi, dword ptr [ecx]
              outsd
              mov ecx, esp
              call 00007F7DC353660Bh
              pop edx
              test byte ptr [edi+10h], bl

              Data Directories

              NameVirtual AddressVirtual Size Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_IMPORT0x20f240x28.text
              IMAGE_DIRECTORY_ENTRY_RESOURCE0x240000x950.rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
              IMAGE_DIRECTORY_ENTRY_IAT0x10000x1c4.text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

              Sections

              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
              .text0x10000x205e80x21000False0.356082800663data5.85827510304IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .data0x220000x12500x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .rsrc0x240000x9500x1000False0.171875data2.03163651737IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

              NameRVASizeTypeLanguageCountry
              RT_ICON0x248200x130data
              RT_ICON0x245380x2e8data
              RT_ICON0x244100x128GLS_BINARY_LSB_FIRST
              RT_GROUP_ICON0x243e00x30data
              RT_VERSION0x241500x290MS Windows COFF PA-RISC object fileEnglishUnited States

              Imports

              DLLImport
              MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaRecDestruct, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, __vbaLateMemCallLd, __vbaRecDestructAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

              Version Infos

              DescriptionData
              Translation0x0409 0x04b0
              InternalNameTWINEMAKER
              FileVersion1.00
              CompanyNameMortagage
              CommentsMortagage
              ProductNameMortagage
              ProductVersion1.00
              FileDescriptionMortagage
              OriginalFilenameTWINEMAKER.exe

              Possible Origin

              Language of compilation systemCountry where language is spokenMap
              EnglishUnited States

              Network Behavior

              No network behavior found

              Code Manipulations

              Statistics

              System Behavior

              General

              Start time:11:47:01
              Start date:09/06/2021
              Path:C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exe'
              Imagebase:0x400000
              File size:147456 bytes
              MD5 hash:99BBF83ABE9D6E4ECC91493E32230833
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Visual Basic
              Yara matches:
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000000.197018556.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:low

              Disassembly

              Code Analysis

              Reset < >