Windows Analysis Report PREVENTIVO RICHIESTO (2).exe

Overview

General Information

Sample Name:PREVENTIVO RICHIESTO (2).exe
Analysis ID:450786
MD5:72d9c62e4483519df1303fe0c46d16aa
SHA1:12093edc01bcf89eb7a9758d1392592fb273de35
SHA256:42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895
Tags:exe

Detection

GuLoader
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • PREVENTIVO RICHIESTO (2).exe (PID: 2920 cmdline: 'C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe' MD5: 72D9C62E4483519DF1303FE0C46D16AA)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin"}

Yara Overview

Initial Sample

Source | Rule | Description | Author
PREVENTIVO RICHIESTO (2).exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.766210847.0000000002B30000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000001.00000002.760416679.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security
00000001.00000000.234229828.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security

Unpacked PEs

Source | Rule | Description | Author
1.0.PREVENTIVO RICHIESTO (2).exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security
1.2.PREVENTIVO RICHIESTO (2).exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security

              Sigma Overview

              No Sigma rule has matched

              Jbx Signature Overview

              AV Detection:

Found malware configuration
Source: PREVENTIVO RICHIESTO (2).exe | Malware Configuration Extractor: GuLoader {"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin"}
Multi AV Scanner detection for submitted file
Source: PREVENTIVO RICHIESTO (2).exe | Virustotal: Detection: 30%
Source: PREVENTIVO RICHIESTO (2).exe | ReversingLabs: Detection: 13%
Source: PREVENTIVO RICHIESTO (2).exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

              Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin
Source: PREVENTIVO RICHIESTO (2).exe, 00000001.00000002.761454521.000000000066A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Code function: 1_2_02B3845C NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Code function: 1_2_02B3845C NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Code functions:
    1_2_02B3845C, 1_2_02B30AA1, 1_2_02B31AF5, 1_2_02B372F9, 1_2_02B30A2D, 1_2_02B3B213, 1_2_02B30A75, 1_2_02B36A69,
    1_2_02B3125D, 1_2_02B37249, 1_2_02B33BA4, 1_2_02B31BF5, 1_2_02B363DD, 1_2_02B36BC1, 1_2_02B3E3CA, 1_2_02B35338,
    1_2_02B31325, 1_2_02B3DB08, 1_2_02B33BA4, 1_2_02B32B51, 1_2_02B36B4B, 1_2_02B36891, 1_2_02B31895, 1_2_02B308E3,
    1_2_02B310C9, 1_2_02B38023, 1_2_02B32079, 1_2_02B3706D, 1_2_02B33056, 1_2_02B319B9, 1_2_02B311F5, 1_2_02B369E6,
    1_2_02B321D5, 1_2_02B359DF, 1_2_02B39139, 1_2_02B3693D, 1_2_02B31929, 1_2_02B32119, 1_2_02B37105, 1_2_02B31159,
    1_2_02B3769D, 1_2_02B366F5, 1_2_02B3A6F9, 1_2_02B35EE0, 1_2_02B36EE9, 1_2_02B31ECD, 1_2_02B37E3B, 1_2_02B31E2A,
    1_2_02B36E05, 1_2_02B31675, 1_2_02B31E7B, 1_2_02B36E55, 1_2_02B33E5D, 1_2_02B36641, 1_2_02B3B645, 1_2_02B32645,
    1_2_02B31FA1, 1_2_02B30FAD, 1_2_02B367AD, 1_2_02B33F9D, 1_2_02B3579C, 1_2_02B30F89, 1_2_02B30FEA, 1_2_02B3845C,
    1_2_02B33F15, 1_2_02B31715, 1_2_02B3C71B, 1_2_02B3E4B5, 1_2_02B36CBD, 1_2_02B3BCA9, 1_2_02B32496, 1_2_02B36489,
    1_2_02B35CD5, 1_2_02B304CF, 1_2_02B354CD, 1_2_02B35437, 1_2_02B3042B
Source: PREVENTIVO RICHIESTO (2).exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PREVENTIVO RICHIESTO (2).exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PREVENTIVO RICHIESTO (2).exe, 00000001.00000002.760734160.0000000000435000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSome4.exe vs PREVENTIVO RICHIESTO (2).exe
Source: PREVENTIVO RICHIESTO (2).exe | Binary or memory string: OriginalFilenameSome4.exe vs PREVENTIVO RICHIESTO (2).exe
Source: PREVENTIVO RICHIESTO (2).exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal92.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | File created: C:\Users\user\AppData\Local\Temp\~DF54E67088F923551D.TMP
Source: PREVENTIVO RICHIESTO (2).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PREVENTIVO RICHIESTO (2).exe | Virustotal: Detection: 30%
Source: PREVENTIVO RICHIESTO (2).exe | ReversingLabs: Detection: 13%

              Data Obfuscation:

Yara detected GuLoader (rule JoeSecurity_GuLoader_2)
Source: Yara match | File source: 00000001.00000002.766210847.0000000002B30000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader (rule JoeSecurity_GuLoader_1)
Source: Yara match | File source: PREVENTIVO RICHIESTO (2).exe, type: SAMPLE
Source: Yara match | File source: 1.0.PREVENTIVO RICHIESTO (2).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PREVENTIVO RICHIESTO (2).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.760416679.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.234229828.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Code function: 1_2_00406632 push ebp; iretd
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Code function: 1_2_02B352D0 pushfd ; iretd
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Code functions:
    1_2_02B31AF5, 1_2_02B372F9, 1_2_02B36A69, 1_2_02B3125D, 1_2_02B37249, 1_2_02B33BA4, 1_2_02B363DD, 1_2_02B36BC1,
    1_2_02B3E3CA, 1_2_02B35338, 1_2_02B31325, 1_2_02B33BA4, 1_2_02B32B51, 1_2_02B36B4B, 1_2_02B36891, 1_2_02B31895,
    1_2_02B310C9, 1_2_02B3706D, 1_2_02B319B9, 1_2_02B311F5, 1_2_02B369E6, 1_2_02B359DF, 1_2_02B39139, 1_2_02B3693D,
    1_2_02B31929, 1_2_02B37105, 1_2_02B31159, 1_2_02B366F5, 1_2_02B3A6F9, 1_2_02B36EE9, 1_2_02B37E3B, 1_2_02B36E05,
    1_2_02B31675, 1_2_02B30651, 1_2_02B36E55, 1_2_02B36641, 1_2_02B3B645, 1_2_02B30FAD, 1_2_02B367AD, 1_2_02B30F89,
    1_2_02B30FEA, 1_2_02B31715, 1_2_02B3C71B, 1_2_02B36CBD, 1_2_02B36489, 1_2_02B334C5, 1_2_02B304CF, 1_2_02B3042B
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | RDTSC instruction interceptor: First address: 0000000002B3BF06, second address: 0000000002B3BF06, instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | RDTSC instruction interceptor: First address: 0000000002B3B34C, second address: 0000000002B3B3B1, instructions:
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 cmp esi, A3B0EE80h
    0x00000009 mov edx, dword ptr [esp+04h]
    0x0000000d test ch, ch
    0x0000000f mov ecx, dword ptr [esp+08h]
    0x00000013 jmp 00007F0274A679B2h
    0x00000015 test ax, bx
    0x00000018 add edx, ecx
    0x0000001a neg ecx
    0x0000001c test dx, cx
    0x0000001f mov ebx, dword ptr [esp+0Ch]
    0x00000023 mov eax, dword ptr [esp+10h]
    0x00000027 cmp ecx, eax
    0x00000029 add eax, ebx
    0x0000002b mov esi, eax
    0x0000002d neg ebx
    0x0000002f pushad
    0x00000030 mov esi, 0000000Eh
    0x00000035 rdtsc
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | RDTSC instruction interceptor: First address: 0000000002B3BF06, second address: 0000000002B3BF06, instructions:
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Code function: 1_2_02B30AA1 rdtsc
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Code function: 1_2_02B30AA1 rdtsc
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Code function: 1_2_02B35338 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Code function: 1_2_02B3AB78 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Code function: 1_2_02B37E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Code function: 1_2_02B3C71B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Code function: 1_2_02B3B43A mov eax, dword ptr fs:[00000030h]
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: PREVENTIVO RICHIESTO (2).exe, 00000001.00000002.762145071.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: PREVENTIVO RICHIESTO (2).exe, 00000001.00000002.762145071.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: PREVENTIVO RICHIESTO (2).exe, 00000001.00000002.762145071.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: PREVENTIVO RICHIESTO (2).exe, 00000001.00000002.762145071.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: PREVENTIVO RICHIESTO (2).exe, 00000001.00000002.762145071.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe | Code function: 1_2_02B31AF5 cpuid
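
The evasion and anti-debugging signatures above rest on a handful of instruction patterns: rdtsc pairs bracketing junk code (timing how long the sandbox takes to execute or emulate the block), cpuid (a forced VM exit, so timing it with rdtsc exposes a hypervisor), mov eax, fs:[30h] (reading the PEB, where BeingDebugged and NtGlobalFlag live) and push imm32; ret (a jump whose target never appears in a call or jmp operand). The Python below is an added example, not part of the Joe Sandbox report, of a minimal static scanner for those byte patterns. The code it scans is constructed here by hand-assembling the first and last instructions of the rdtsc window listed above plus one instance of each other pattern; it is not bytes taken from the sample, and the 64-byte pairing window is an assumption. Joe Sandbox derives these signatures from an execution trace; a raw byte scan like this also fires on data bytes that happen to look like opcodes, which is why it should be read as a triage aid rather than a verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Opcode patterns behind the report's evasion / anti-debugging signatures.
PATTERNS = {
    "rdtsc":    rb"\x0f\x31",                  # rdtsc: read time-stamp counter
    "cpuid":    rb"\x0f\xa2",                  # cpuid: VM exit, timed against rdtsc
    "peb_read": rb"\x64\xa1\x30\x00\x00\x00",  # mov eax, fs:[30h]: PEB (BeingDebugged, NtGlobalFlag)
    "push_ret": rb"\x68.{4}\xc3",              # push imm32; ret: jump that hides its target
}

# Two rdtsc this close together bracket a timed block (assumed threshold).
RDTSC_WINDOW = 64


@dataclass(frozen=True)
class Hit:
    name: str
    offset: int


def scan(code: bytes) -> list[Hit]:
    """Return every pattern hit in `code`, ordered by offset."""
    hits = [
        Hit(name, m.start())
        for name, pat in PATTERNS.items()
        for m in re.finditer(pat, code, re.DOTALL)
    ]
    return sorted(hits, key=lambda h: h.offset)


def rdtsc_pairs(hits: list[Hit], window: int = RDTSC_WINDOW) -> list[tuple[int, int]]:
    """Consecutive rdtsc offsets no more than `window` bytes apart: a timing check."""
    offs = [h.offset for h in hits if h.name == "rdtsc"]
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= window]


def summarize(code: bytes) -> dict:
    hits = scan(code)
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.name] = counts.get(h.name, 0) + 1
    return {"counts": counts, "timing_checks": rdtsc_pairs(hits)}


# Constructed input: hand-assembled head and tail of the rdtsc window from the
# report (rdtsc / popad / cmp esi, A3B0EE80h / ... / pushad / mov esi, 0Eh / rdtsc)
# followed by one PEB read, one cpuid and one push/ret. Not bytes from the sample.
SAMPLE_CODE = bytes.fromhex(
    "0F31"          # rdtsc
    "61"            # popad
    "81FE80EEB0A3"  # cmp esi, 0A3B0EE80h
    "8B542404"      # mov edx, dword ptr [esp+04h]
    "84ED"          # test ch, ch
    "8B4C2408"      # mov ecx, dword ptr [esp+08h]
    "60"            # pushad
    "BE0E000000"    # mov esi, 0000000Eh
    "0F31"          # rdtsc
    "64A130000000"  # mov eax, dword ptr fs:[00000030h]
    "0FA2"          # cpuid
    "6800104000"    # push 00401000h
    "C3"            # ret
)

if __name__ == "__main__":
    for h in scan(SAMPLE_CODE):
        print(f"{h.offset:#06x} {h.name}")
    print(summarize(SAMPLE_CODE))
```

Run against a dumped region (for example the 0x02B30000 allocation the Yara rule matched), feed the bytes to summarize; a region with several rdtsc pairs, PEB reads and push/ret jumps is the shape GuLoader's shellcode stage takes, and the pair list gives the offsets to set breakpoints on when confirming it in a debugger.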

              Mitre Att&ck Matrix

Numbers in parentheses are the report's superscript signature counters, reproduced as extracted; entries without a number are unmatched template cells of the matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Virtualization/Sandbox Evasion (11); Process Injection (1); Obfuscated Files or Information (1); Binary Padding
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (41); Virtualization/Sandbox Evasion (11); Process Discovery (1); System Information Discovery (311)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel (1); Application Layer Protocol (1); Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

              Behavior Graph


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner
PREVENTIVO RICHIESTO (2).exe | 30% | Virustotal
PREVENTIVO RICHIESTO (2).exe | 13% | ReversingLabs

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

              No contacted domains info

              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin | true | Avira URL Cloud: safe | unknown

              Contacted IPs

              No contacted IP infos

              General Information

              Joe Sandbox Version:33.0.0 White Diamond
              Analysis ID:450786
              Start date:19.07.2021
              Start time:18:02:44
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 8m 26s
              Hypervisor based Inspection enabled:false
              Report type:light
              Sample file name:PREVENTIVO RICHIESTO (2).exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:30
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal92.troj.evad.winEXE@1/0@0/0
              EGA Information:Failed
              HDC Information:
              • Successful, ratio: 24.4% (good quality ratio 10.6%)
              • Quality average: 23.7%
              • Quality standard deviation: 31.8%
              HCA Information:Failed
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              • Override analysis time to 240s for sample files taking high CPU consumption
              Warnings:
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Not all processes were analyzed; the report is missing behavior information

              Simulations

              Behavior and APIs

              No simulations

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              No created / dropped files found

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):6.24355762284074
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.15%
              • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:PREVENTIVO RICHIESTO (2).exe
              File size:241664
              MD5:72d9c62e4483519df1303fe0c46d16aa
              SHA1:12093edc01bcf89eb7a9758d1392592fb273de35
              SHA256:42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895
              SHA512:cf6d6c1a6072c022ab4d19f098715cba02f8dcc74f01ce7ad735d5cdb5c7505aeb9c98fb9ff3faac7932ffbdb7cdf581c583fa846cc76b71dee3f2a71b7b30a0
              SSDEEP:3072:c3BepJlZa/E5cv3MRwqmVqY+9uiwBDa1Gh7HJlZapGBR:eiUEUMyqmVrTjDc4HP
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......W................. ...................0....@................

              File Icon

              Icon Hash:f8fcd4ccf4e4e8d0

              Static PE Info

              General

              Entrypoint:0x4019b0
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:
              Time Stamp:0x5783B9FD [Mon Jul 11 15:23:41 2016 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:e9f7dd0da1a2a1266893e1ae4ef42b67
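
The header fields above can be read with nothing but struct, and three of them decide how the image is mapped: with RELOCS_STRIPPED set and DYNAMIC_BASE absent from DLL Characteristics the image always loads at 0x400000 (no ASLR), and without NX_COMPAT it does not opt in to DEP. The parser below is an added example, not the report's code: it decodes IMAGE_FILE_HEADER.Characteristics, TimeDateStamp and the PE32 optional header's DllCharacteristics and derives those findings. It runs over a minimal PE32 header constructed inline from the values listed in this section (timestamp 0x5783B9FD, the five characteristic flags ORed to 0x010F, entry point RVA 0x19B0, image base 0x400000, GUI subsystem, empty DllCharacteristics) rather than over the sample itself; to use it on the sample, pass the file's bytes to parse_pe_header.

```python
from __future__ import annotations

import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits that control exploit mitigations
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",   # ASLR opt-in
    0x0100: "NX_COMPAT",      # DEP opt-in
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}


def flag_names(value: int, table: dict[int, str]) -> list[str]:
    return [name for bit, name in table.items() if value & bit]


def parse_pe_header(data: bytes) -> dict:
    """Decode the COFF header and the PE32 optional-header fields used in triage."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, nsections, ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                        # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, oh)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) handled here")
    entry_rva = struct.unpack_from("<I", data, oh + 16)[0]
    image_base = struct.unpack_from("<I", data, oh + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": ts,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "image_base": image_base,
        "entrypoint": image_base + entry_rva,
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
    }


def triage(info: dict) -> list[str]:
    """Mitigation findings a reviewer draws from the header alone."""
    findings = []
    if "DYNAMIC_BASE" not in info["dll_characteristics"]:
        findings.append(f"no DYNAMIC_BASE: image always maps at {info['image_base']:#x} (no ASLR)")
    if "RELOCS_STRIPPED" in info["characteristics"]:
        findings.append("RELOCS_STRIPPED: no .reloc data, so the loader could not rebase it anyway")
    if "NX_COMPAT" not in info["dll_characteristics"]:
        findings.append("no NX_COMPAT: does not opt in to DEP")
    return findings


def build_sample_header() -> bytes:
    """Constructed minimal PE32 header carrying the values listed under Static PE Info."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 3, 0x5783B9FD, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x19B0)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)              # OS version 4.0
    struct.pack_into("<HH", opt, 48, 4, 0)              # Subsystem version 4.0
    struct.pack_into("<HH", opt, 68, 2, 0x0000)         # Subsystem GUI, DllCharacteristics empty
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    info = parse_pe_header(build_sample_header())
    for k, v in info.items():
        print(f"{k}: {v}")
    for f in triage(info):
        print("finding:", f)
```

The timestamp decodes to 2016-07-11 15:23:41 UTC, five years before the analysis date, which fits a stock VB6 stub whose link time has nothing to do with when the GuLoader stage was built; compare the timestamp against the first-seen date before treating it as a build date.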

              Entrypoint Preview

              Instruction
              push 00408ABCh
              call 00007F0274C94525h
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              xor byte ptr [eax], al
              add byte ptr [eax], al
              inc eax
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [12DC752Eh], ch
              or ch, byte ptr [eax]
              inc ebx
              movsd
              salc
              sbb ebp, dword ptr [ebp-24h]
              pop ds
              rcl dh, 00000000h
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [ecx], al
              add byte ptr [eax], al
              add byte ptr [edx+00h], al
              push es
              push eax
              add dword ptr [edx], 4Eh
              bound esi, dword ptr fs:[edx+79h]
              jnc 00007F0274C9456Ah
              add byte ptr [eax], al
              movsb
              sub edi, ebp
              add al, byte ptr [eax]
              add byte ptr [eax], al
              add bh, bh
              int3
              xor dword ptr [eax], eax
              xor dword ptr [ebp-4Fh], edx
              loop 00007F0274C9459Dh
              dec edi
              rcl dword ptr [esi], 46h
              sahf
              pop ss
              xor al, C8h
              sub cl, 00000053h
              loope 00007F0274C944FEh
              pop edi
              mov eax, dword ptr [09AE2179h]
              dec ebp
              xchg eax, edx
              in al, dx
              inc ebx
              cmp dh, byte ptr [ebp-52h]
              add edx, edx
              cmp cl, byte ptr [edi-53h]
              xor ebx, dword ptr [ecx-48EE309Ah]
              or al, 00h
              stosb
              add byte ptr [eax-2Dh], ah
              xchg eax, ebx
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              stc
              outsd
              add byte ptr [eax], al
              xchg eax, edi
              push 04000000h
              add byte ptr [edx+65h], dh
              jc 00004533h
              or eax, 55000901h
              push 6C726564h
              imul esp, dword ptr [edi+37h], 00001900h

              Data Directories

               Name                                  Virtual Address  Virtual Size  Is in Section
               IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
               IMAGE_DIRECTORY_ENTRY_IMPORT          0x326d4          0x28          .text
               IMAGE_DIRECTORY_ENTRY_RESOURCE        0x35000          0x6d0e        .rsrc
               IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
               IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
               IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
               IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
               IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
               IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
               IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x228            0x20
               IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x1a4         .text
               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
               IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

              Sections

               Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
               .text  0x1000           0x31d44       0x32000   False     0.390419921875   data       6.39904472476  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
               .data  0x33000          0x1290        0x1000    False     0.00634765625    data       0.0            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
               .rsrc  0x35000          0x6d0e        0x7000    False     0.48193359375    data       5.46083184817  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

               Name           RVA      Size    Type                                                       Language  Country
               RT_ICON        0x3ae66  0xea8   data
               RT_ICON        0x3a5be  0x8a8   data
               RT_ICON        0x39ef6  0x6c8   data
               RT_ICON        0x3998e  0x568   GLS_BINARY_LSB_FIRST
               RT_ICON        0x373e6  0x25a8  dBase III DBT, version number 0, next free block index 40
               RT_ICON        0x3633e  0x10a8  data
               RT_ICON        0x359b6  0x988   data
               RT_ICON        0x3554e  0x468   GLS_BINARY_LSB_FIRST
               RT_GROUP_ICON  0x354d8  0x76    data
               RT_VERSION     0x35240  0x298   data                                                       English   United States

              Imports

               DLL           Import
               MSVBVM60.DLL  _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaDateVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

              Version Infos

               Description       Data
               Translation       0x0409 0x04b0
               LegalCopyright    Socialbakers
               InternalName      Some4
               FileVersion       1.00
               CompanyName       Socialbakers
               LegalTrademarks   Socialbakers
               ProductName       Nedbrydes6
               ProductVersion    1.00
               OriginalFilename  Some4.exe

              Possible Origin

               Language of compilation system  Country where language is spoken  Map
               English                         United States

              Network Behavior

              No network behavior found

              Code Manipulations

              Statistics

              System Behavior

              General

              Start time:18:03:38
              Start date:19/07/2021
              Path:C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe'
              Imagebase:0x400000
              File size:241664 bytes
              MD5 hash:72D9C62E4483519DF1303FE0C46D16AA
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Visual Basic
              Yara matches:
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.766210847.0000000002B30000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000001.00000002.760416679.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000001.00000000.234229828.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
              Reputation:low

              Disassembly

              Code Analysis
