Loading ...

Play interactive tourEdit tour

Windows Analysis Report PREVENTIVO RICHIESTO (2).exe

Overview

General Information

Sample Name:PREVENTIVO RICHIESTO (2).exe
Analysis ID:450786
MD5:72d9c62e4483519df1303fe0c46d16aa
SHA1:12093edc01bcf89eb7a9758d1392592fb273de35
SHA256:42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • PREVENTIVO RICHIESTO (2).exe (PID: 5716 cmdline: 'C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe' MD5: 72D9C62E4483519DF1303FE0C46D16AA)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
PREVENTIVO RICHIESTO (2).exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.1236460953.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
      00000000.00000000.208215258.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        0.0.PREVENTIVO RICHIESTO (2).exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
          0.2.PREVENTIVO RICHIESTO (2).exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: PREVENTIVO RICHIESTO (2).exeMalware Configuration Extractor: GuLoader {"Payload URL": "https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin"}
            Multi AV Scanner detection for submitted fileShow sources
            Source: PREVENTIVO RICHIESTO (2).exeVirustotal: Detection: 30%Perma Link
            Source: PREVENTIVO RICHIESTO (2).exeReversingLabs: Detection: 13%
            Source: PREVENTIVO RICHIESTO (2).exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

            Networking:

            barindex
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeProcess Stats: CPU usage > 98%
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDE51
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDF39
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDB35
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDB08
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CCF4D
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDBE9
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDC19
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDC59
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDD55
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDDB7
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CDDD5
            Source: PREVENTIVO RICHIESTO (2).exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: PREVENTIVO RICHIESTO (2).exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: PREVENTIVO RICHIESTO (2).exe, 00000000.00000000.208248451.0000000000435000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSome4.exe vs PREVENTIVO RICHIESTO (2).exe
            Source: PREVENTIVO RICHIESTO (2).exeBinary or memory string: OriginalFilenameSome4.exe vs PREVENTIVO RICHIESTO (2).exe
            Source: PREVENTIVO RICHIESTO (2).exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: classification engineClassification label: mal80.troj.evad.winEXE@1/0@0/0
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeFile created: C:\Users\user\AppData\Local\Temp\~DF7595A64BA3F3C87B.TMPJump to behavior
            Source: PREVENTIVO RICHIESTO (2).exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: PREVENTIVO RICHIESTO (2).exeVirustotal: Detection: 30%
            Source: PREVENTIVO RICHIESTO (2).exeReversingLabs: Detection: 13%

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: PREVENTIVO RICHIESTO (2).exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.PREVENTIVO RICHIESTO (2).exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.PREVENTIVO RICHIESTO (2).exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.1236460953.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000000.208215258.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_00406632 push ebp; iretd
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            barindex
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeRDTSC instruction interceptor: First address: 00000000022CBF06 second address: 00000000022CBF06 instructions:
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeRDTSC instruction interceptor: First address: 00000000022CB646 second address: 00000000022CBA31 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test ebx, eax 0x0000000c call 00007F394C8F551Dh 0x00000011 test ax, ax 0x00000014 test dh, 00000034h 0x00000017 xor edi, edi 0x00000019 pushad 0x0000001a mov bx, 94B2h 0x0000001e cmp bx, 94B2h 0x00000023 jne 00007F394C8F4448h 0x00000029 popad 0x0000002a test ch, ch 0x0000002c mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000036 test ch, FFFFFFCAh 0x00000039 call 00007F394C8F5292h 0x0000003e call 00007F394C8F5265h 0x00000043 lfence 0x00000046 mov edx, C4D7E93Dh 0x0000004b xor edx, F24722A8h 0x00000051 xor edx, 65E80731h 0x00000057 xor edx, 2C86CCB0h 0x0000005d mov edx, dword ptr [edx] 0x0000005f lfence 0x00000062 jmp 00007F394C8F522Eh 0x00000064 cmp eax, BD9A57B8h 0x00000069 cmp cl, cl 0x0000006b cmp ch, ah 0x0000006d cmp ebx, ebx 0x0000006f test al, 1Ah 0x00000071 ret 0x00000072 mov esi, edx 0x00000074 pushad 0x00000075 rdtsc
            Tries to detect virtualization through RDTSC time measurementsShow sources
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeRDTSC instruction interceptor: First address: 00000000022CB34C second address: 00000000022CB3B1 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp esi, A3B0EE80h 0x00000009 mov edx, dword ptr [esp+04h] 0x0000000d test ch, ch 0x0000000f mov ecx, dword ptr [esp+08h] 0x00000013 jmp 00007F394C398152h 0x00000015 test ax, bx 0x00000018 add edx, ecx 0x0000001a neg ecx 0x0000001c test dx, cx 0x0000001f mov ebx, dword ptr [esp+0Ch] 0x00000023 mov eax, dword ptr [esp+10h] 0x00000027 cmp ecx, eax 0x00000029 add eax, ebx 0x0000002b mov esi, eax 0x0000002d neg ebx 0x0000002f pushad 0x00000030 mov esi, 0000000Eh 0x00000035 rdtsc
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeRDTSC instruction interceptor: First address: 00000000022CBF06 second address: 00000000022CBF06 instructions:
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeRDTSC instruction interceptor: First address: 00000000022CB646 second address: 00000000022CBA31 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test ebx, eax 0x0000000c call 00007F394C8F551Dh 0x00000011 test ax, ax 0x00000014 test dh, 00000034h 0x00000017 xor edi, edi 0x00000019 pushad 0x0000001a mov bx, 94B2h 0x0000001e cmp bx, 94B2h 0x00000023 jne 00007F394C8F4448h 0x00000029 popad 0x0000002a test ch, ch 0x0000002c mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000036 test ch, FFFFFFCAh 0x00000039 call 00007F394C8F5292h 0x0000003e call 00007F394C8F5265h 0x00000043 lfence 0x00000046 mov edx, C4D7E93Dh 0x0000004b xor edx, F24722A8h 0x00000051 xor edx, 65E80731h 0x00000057 xor edx, 2C86CCB0h 0x0000005d mov edx, dword ptr [edx] 0x0000005f lfence 0x00000062 jmp 00007F394C8F522Eh 0x00000064 cmp eax, BD9A57B8h 0x00000069 cmp cl, cl 0x0000006b cmp ch, ah 0x0000006d cmp ebx, ebx 0x0000006f test al, 1Ah 0x00000071 ret 0x00000072 mov esi, edx 0x00000074 pushad 0x00000075 rdtsc
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeRDTSC instruction interceptor: First address: 00000000022CBB41 second address: 00000000022CB487 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 6D96B120h 0x00000013 add eax, 9E133F54h 0x00000018 xor eax, F9EAE90Fh 0x0000001d xor eax, F243197Ah 0x00000022 cpuid 0x00000024 test al, D2h 0x00000026 bt ecx, 1Fh 0x0000002a cmp ch, dh 0x0000002c jc 00007F394CDEDCA8h 0x00000032 cmp edx, eax 0x00000034 cmp al, cl 0x00000036 push D375BB0Ch 0x0000003b pushad 0x0000003c mov di, 6000h 0x00000040 cmp di, 6000h 0x00000045 jne 00007F394CDE1A53h 0x0000004b popad 0x0000004c call 00007F394CDEC40Ch 0x00000051 mov eax, dword ptr fs:[00000030h] 0x00000057 mov eax, dword ptr [eax+0Ch] 0x0000005a cmp bh, ah 0x0000005c mov eax, dword ptr [eax+14h] 0x0000005f test cx, dx 0x00000062 mov ecx, dword ptr [eax] 0x00000064 mov eax, ecx 0x00000066 jmp 00007F394CDED2DBh 0x00000068 mov ebx, dword ptr [eax+28h] 0x0000006b mov dword ptr [ebp+000001F5h], edi 0x00000071 mov edi, E1E7AEC2h 0x00000076 cmp dl, 0000004Dh 0x00000079 xor edi, 75204E2Fh 0x0000007f pushad 0x00000080 mov edx, 0000008Ch 0x00000085 rdtsc
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CE707 rdtsc
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

            Anti Debugging:

            barindex
            Found potential dummy code loops (likely to delay analysis)Show sources
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeProcess Stats: CPU usage > 90% for more than 60s
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CE707 rdtsc
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exeCode function: 0_2_022CCF4D cpuid

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionVirtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery31Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsObfuscated Files or Information1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerSystem Information Discovery211SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.

            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            PREVENTIVO RICHIESTO (2).exe30%VirustotalBrowse
            PREVENTIVO RICHIESTO (2).exe13%ReversingLabs

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bin0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            https://bamontarquitectura.com.mx/IRANSAT_kowbB4.bintrue
            • Avira URL Cloud: safe
            unknown

            Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox Version:33.0.0 White Diamond
            Analysis ID:450786
            Start date:19.07.2021
            Start time:18:12:29
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 11m 54s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:PREVENTIVO RICHIESTO (2).exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Run name:Suspected Instruction Hammering Hide Perf
            Number of analysed new started processes analysed:41
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal80.troj.evad.winEXE@1/0@0/0
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 51.6% (good quality ratio 23%)
            • Quality average: 24.6%
            • Quality standard deviation: 33.1%
            HCA Information:Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            Show All
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
            • Not all processes where analyzed, report is missing behavior information

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            No created / dropped files found

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):6.24355762284074
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.15%
            • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:PREVENTIVO RICHIESTO (2).exe
            File size:241664
            MD5:72d9c62e4483519df1303fe0c46d16aa
            SHA1:12093edc01bcf89eb7a9758d1392592fb273de35
            SHA256:42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895
            SHA512:cf6d6c1a6072c022ab4d19f098715cba02f8dcc74f01ce7ad735d5cdb5c7505aeb9c98fb9ff3faac7932ffbdb7cdf581c583fa846cc76b71dee3f2a71b7b30a0
            SSDEEP:3072:c3BepJlZa/E5cv3MRwqmVqY+9uiwBDa1Gh7HJlZapGBR:eiUEUMyqmVrTjDc4HP
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......W................. ...................0....@................

            File Icon

            Icon Hash:f8fcd4ccf4e4e8d0

            Static PE Info

            General

            Entrypoint:0x4019b0
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            DLL Characteristics:
            Time Stamp:0x5783B9FD [Mon Jul 11 15:23:41 2016 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:e9f7dd0da1a2a1266893e1ae4ef42b67

            Entrypoint Preview

            Instruction
            push 00408ABCh
            call 00007F394C975B45h
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            xor byte ptr [eax], al
            add byte ptr [eax], al
            inc eax
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [12DC752Eh], ch
            or ch, byte ptr [eax]
            inc ebx
            movsd
            salc
            sbb ebp, dword ptr [ebp-24h]
            pop ds
            rcl dh, 00000000h
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [ecx], al
            add byte ptr [eax], al
            add byte ptr [edx+00h], al
            push es
            push eax
            add dword ptr [edx], 4Eh
            bound esi, dword ptr fs:[edx+79h]
            jnc 00007F394C975B8Ah
            add byte ptr [eax], al
            movsb
            sub edi, ebp
            add al, byte ptr [eax]
            add byte ptr [eax], al
            add bh, bh
            int3
            xor dword ptr [eax], eax
            xor dword ptr [ebp-4Fh], edx
            loop 00007F394C975BBDh
            dec edi
            rcl dword ptr [esi], 46h
            sahf
            pop ss
            xor al, C8h
            sub cl, 00000053h
            loope 00007F394C975B1Eh
            pop edi
            mov eax, dword ptr [09AE2179h]
            dec ebp
            xchg eax, edx
            in al, dx
            inc ebx
            cmp dh, byte ptr [ebp-52h]
            add edx, edx
            cmp cl, byte ptr [edi-53h]
            xor ebx, dword ptr [ecx-48EE309Ah]
            or al, 00h
            stosb
            add byte ptr [eax-2Dh], ah
            xchg eax, ebx
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            stc
            outsd
            add byte ptr [eax], al
            xchg eax, edi
            push 04000000h
            add byte ptr [edx+65h], dh
            jc 00005B53h
            or eax, 55000901h
            push 6C726564h
            imul esp, dword ptr [edi+37h], 00001900h

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0x326d40x28.text
            IMAGE_DIRECTORY_ENTRY_RESOURCE0x350000x6d0e.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
            IMAGE_DIRECTORY_ENTRY_IAT0x10000x1a4.text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x10000x31d440x32000False0.390419921875data6.39904472476IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .data0x330000x12900x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .rsrc0x350000x6d0e0x7000False0.48193359375data5.46083184817IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountry
            RT_ICON0x3ae660xea8data
            RT_ICON0x3a5be0x8a8data
            RT_ICON0x39ef60x6c8data
            RT_ICON0x3998e0x568GLS_BINARY_LSB_FIRST
            RT_ICON0x373e60x25a8dBase III DBT, version number 0, next free block index 40
            RT_ICON0x3633e0x10a8data
            RT_ICON0x359b60x988data
            RT_ICON0x3554e0x468GLS_BINARY_LSB_FIRST
            RT_GROUP_ICON0x354d80x76data
            RT_VERSION0x352400x298dataEnglishUnited States

            Imports

            DLLImport
            MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaDateVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

            Version Infos

            DescriptionData
            Translation0x0409 0x04b0
            LegalCopyrightSocialbakers
            InternalNameSome4
            FileVersion1.00
            CompanyNameSocialbakers
            LegalTrademarksSocialbakers
            ProductNameNedbrydes6
            ProductVersion1.00
            OriginalFilenameSome4.exe

            Possible Origin

            Language of compilation systemCountry where language is spokenMap
            EnglishUnited States

            Network Behavior

            No network behavior found

            Code Manipulations

            Statistics

            System Behavior

            General

            Start time:18:13:20
            Start date:19/07/2021
            Path:C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\PREVENTIVO RICHIESTO (2).exe'
            Imagebase:0x400000
            File size:241664 bytes
            MD5 hash:72D9C62E4483519DF1303FE0C46D16AA
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:Visual Basic
            Yara matches:
            • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000002.1236460953.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000000.208215258.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:low

            Disassembly

            Code Analysis

            Reset < >