Loading ...

Play interactive tourEdit tour

Windows Analysis Report RICHIESTA DI OFFERTA.exe

Overview

General Information

Sample Name:RICHIESTA DI OFFERTA.exe
Analysis ID:450724
MD5:73bb5c4b690b8d6df88d6bc18fb3a553
SHA1:60adddd91b6038fc9d819cf6d647ce3be0b11d38
SHA256:a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w7x64
  • RICHIESTA DI OFFERTA.exe (PID: 2452 cmdline: 'C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe' MD5: 73BB5C4B690B8D6DF88D6BC18FB3A553)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.2609057616.0000000000460000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.2609057616.0000000000460000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}"}
    Source: RICHIESTA DI OFFERTA.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeMemory allocated: 76E20000 page execute and read and write
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeMemory allocated: 76D20000 page execute and read and write
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004092BC
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046684F
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046A455
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046681F
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00467025
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00467022
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004618FB
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466C93
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046709F
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00467CAB
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466554
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466955
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046156F
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046A969
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00461175
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00463971
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046AFD7
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466D2C
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046692D
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466138
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004661DC
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004669D8
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046C5D9
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004655A6
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00461A43
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00461664
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00461276
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466E00
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046662B
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004666C7
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466EC7
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004616E3
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004612E8
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004636FA
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046E280
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466692
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004662A3
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466AAB
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046634E
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046DB55
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466B6B
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466778
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046C329
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046AFD7
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466BEB
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004663F7
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00465FF1
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00461783
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466F9B
    Source: RICHIESTA DI OFFERTA.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: RICHIESTA DI OFFERTA.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.2609026459.0000000000435000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIndtr8.exe vs RICHIESTA DI OFFERTA.exe
    Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.2608868723.00000000003E0000.00000008.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs RICHIESTA DI OFFERTA.exe
    Source: RICHIESTA DI OFFERTA.exeBinary or memory string: OriginalFilenameIndtr8.exe vs RICHIESTA DI OFFERTA.exe
    Source: RICHIESTA DI OFFERTA.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal76.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeFile created: C:\Users\user\AppData\Local\Temp\~DF94EEF8D419BE56F0.TMPJump to behavior
    Source: RICHIESTA DI OFFERTA.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.2609057616.0000000000460000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0040C06E push 00000000h; retf
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00406625 push ebp; iretd
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00463429 push 84000002h; retf
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00460095 pushad ; retf
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046010B pushad ; retf
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    barindex
    Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046684F
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046A455
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046681F
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004618FB
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466554
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466955
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046156F
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046A969
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00461175
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00463971
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046692D
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466138
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004661DC
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004669D8
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046C5D9
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00461664
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00461276
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046662B
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004666C7
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004616E3
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004612E8
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004636FA
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046E280
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466692
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004662A3
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466AAB
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046634E
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00466778
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004663F7
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00465FF1
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00461783
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeRDTSC instruction interceptor: First address: 000000000046E352 second address: 000000000046E352 instructions:
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeRDTSC instruction interceptor: First address: 000000000046E352 second address: 000000000046E352 instructions:
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046684F rdtsc
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046684F rdtsc
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046A900 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046C5D9 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_0046B1FE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_00467AB1 mov eax, dword ptr fs:[00000030h]
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.2609521250.0000000000A00000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.2609521250.0000000000A00000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: RICHIESTA DI OFFERTA.exe, 00000000.00000002.2609521250.0000000000A00000.00000002.00000001.sdmpBinary or memory string: !Progman
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeCode function: 0_2_004608C5 cpuid
    Source: C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery41Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery312Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    RICHIESTA DI OFFERTA.exe9%ReversingLabsWin32.Backdoor.Remcos

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bi}true
    • Avira URL Cloud: safe
    unknown

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:33.0.0 White Diamond
    Analysis ID:450724
    Start date:19.07.2021
    Start time:16:25:18
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 8m 15s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:RICHIESTA DI OFFERTA.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes analysed:2
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal76.troj.evad.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 25.5% (good quality ratio 7.7%)
    • Quality average: 18.2%
    • Quality standard deviation: 29.9%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): dllhost.exe
    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/450724/sample/RICHIESTA DI OFFERTA.exe

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.2221702126738
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:RICHIESTA DI OFFERTA.exe
    File size:241664
    MD5:73bb5c4b690b8d6df88d6bc18fb3a553
    SHA1:60adddd91b6038fc9d819cf6d647ce3be0b11d38
    SHA256:a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66
    SHA512:9c023dc66d9bcfb2f5bc0274001d92948ac058fc8765d2178907dfd8fb9885ede57acc3836d583ad97516dce1a97c50f081800b41a1f42ea938efb8b23e87567
    SSDEEP:3072:+3BepJlZa/xao5JKwI7V4R4iUW/qcijw2HJlZapGBR:EiUIo5JKPgU99vHP
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...WS.N................. ...................0....@................

    File Icon

    Icon Hash:f8fcd4ccf4e4e8d0

    Static PE Info

    General

    Entrypoint:0x4019b0
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x4EA15357 [Fri Oct 21 11:11:19 2011 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:e9f7dd0da1a2a1266893e1ae4ef42b67

    Entrypoint Preview

    Instruction
    push 00408AA0h
    call 00007FC0210E5A65h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    cmp byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    outsd
    mul byte ptr [ebx+3Fh]
    dec esi
    outsb
    and al, 41h
    mov bl, 08h
    popad
    pop ds
    test al, CEh
    xchg eax, esi
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add dword ptr [eax], eax
    add byte ptr [eax], al
    inc edx
    add byte ptr [esi], al
    push eax
    add dword ptr [ecx], 56h
    jne 00007FC0210E5AE4h
    cmp dword ptr fs:[eax], eax
    add al, byte ptr [eax]
    add byte ptr [eax], al
    add bh, bh
    int3
    xor dword ptr [eax], eax
    xor esp, esp
    push cs
    xchg eax, edx
    test eax, 48C3D75Ah
    mov gs, bx
    test al, CAh
    xor esp, esp
    xor al, 88h
    jecxz 00007FC0210E5A9Ah
    scasb
    and dword ptr [edi-40B94528h], 28h
    cmp dword ptr [edx-38D0AA14h], edi
    cmp cl, byte ptr [edi-53h]
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    out 6Fh, eax
    add byte ptr [eax], al
    lea ebp, dword ptr [eax+00h]
    add byte ptr [eax], al
    add al, 00h
    jnc 00007FC0210E5ADAh
    add byte ptr [41000401h], cl
    jc 00007FC0210E5AD9h
    jne 00007FC0210E5A72h
    sbb dword ptr [ecx], eax
    add byte ptr [edx+00h], al
    and al, byte ptr [ecx]
    and ecx, dword ptr [esi+68h]
    add byte ptr [eax], al
    insb

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x322340x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x350000x6d0a.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000x1a4.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x318a40x32000False0.39177734375data6.3764832494IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data0x330000x12900x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x350000x6d0a0x7000False0.481689453125data5.46300019784IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    RT_ICON0x3ae620xea8data
    RT_ICON0x3a5ba0x8a8data
    RT_ICON0x39ef20x6c8data
    RT_ICON0x3998a0x568GLS_BINARY_LSB_FIRST
    RT_ICON0x373e20x25a8dBase III DBT, version number 0, next free block index 40
    RT_ICON0x3633a0x10a8data
    RT_ICON0x359b20x988data
    RT_ICON0x3554a0x468GLS_BINARY_LSB_FIRST
    RT_GROUP_ICON0x354d40x76data
    RT_VERSION0x352400x294dataEnglishUnited States

    Imports

    DLLImport
    MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaDateVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    DescriptionData
    Translation0x0409 0x04b0
    LegalCopyrightSocialbakers
    InternalNameIndtr8
    FileVersion1.00
    CompanyNameSocialbakers
    LegalTrademarksSocialbakers
    ProductNameVurd9
    ProductVersion1.00
    OriginalFilenameIndtr8.exe

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    System Behavior

    General

    Start time:16:25:37
    Start date:19/07/2021
    Path:C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe
    Wow64 process (32bit):true
    Commandline:'C:\Users\user\Desktop\RICHIESTA DI OFFERTA.exe'
    Imagebase:0x400000
    File size:241664 bytes
    MD5 hash:73BB5C4B690B8D6DF88D6BC18FB3A553
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2609057616.0000000000460000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis

    Reset < >