Play interactive tour

Edit tour

Windows Analysis Report ogvcqbOEQs.exe

Overview

General Information

Sample Name:	ogvcqbOEQs.exe
Analysis ID:	456986
MD5:	f00e0bf11a316d65ab59574825f125bf
SHA1:	a25674d3d8285ad9216e61cfe923bc4b4a0c833a
SHA256:	06b51823317ace5ebfb38121fce872db43c72042d7ef657e3830d46c5572f0c3
Tags:	32exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

GuLoader behavior detected

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

PE file contains an invalid checksum

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ogvcqbOEQs.exe (PID: 7100 cmdline: 'C:\Users\user\Desktop\ogvcqbOEQs.exe' MD5: F00E0BF11A316D65AB59574825F125BF)

ieinstal.exe (PID: 6160 cmdline: 'C:\Users\user\Desktop\ogvcqbOEQs.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://d-bin.duckdns.org/remcos_dyno_xLTzJv"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.1721956987.0000000000C10000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000000.00000002.1311529373.00000000021F0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: ogvcqbOEQs.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "http://d-bin.duckdns.org/remcos_dyno_xLTzJv"}

Multi AV Scanner detection for submitted file

Show sources

Source: ogvcqbOEQs.exe	Virustotal: Detection: 18%			Perma Link
Source: ogvcqbOEQs.exe	ReversingLabs: Detection: 10%

Source: ogvcqbOEQs.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://d-bin.duckdns.org/remcos_dyno_xLTzJv

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Process Stats: CPU usage > 98%
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021FA50C NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F0F30 NtWriteVirtualMemory,TerminateProcess,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F8D7C NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4B8B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F543B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4E5E NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F507A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F8E64 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F5696 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F8EFA NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F591C NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F8D0C NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F530A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4D08 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F3331 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4F53 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F557A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021FA566 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F5193 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4FAF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F8DA0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F57DA NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4BD2 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F51C6 NtWriteVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C18D0C NtAllocateVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C18EFA NtAllocateVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C18E64 NtAllocateVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C18D81 NtAllocateVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C18DA0 NtAllocateVirtualMemory,

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F06B3
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F0F30
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F8D7C
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4B8B
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021FA9B4
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F7DC5
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F401A
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4810
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F1610
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F1402
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F543B
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F3432
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F6631
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021FAA30
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F302C
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021FB026
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4E5E
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F2E5C
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F0E54
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F6C42
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F507A
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F1E71
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F9A67
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021FAA98
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F5696
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F0EBC
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F44C7
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F90F6
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F40EF
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F08E6
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F10E4
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F12E2
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F9D1E
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F591C
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F2914
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F910C
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F8D0C
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F530A
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4D08
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021FAB06
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F2104
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F9735
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F3331
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F8927
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F1F22
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021FAB58
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F2956
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4F53
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F5D4B
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F1546
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F557A
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F9163
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F2F9A
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F5193
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F9984
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4FAF
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F33A5
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F8DA0
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F7DDE
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F0FDC
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F57DA
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F07D6
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4BD2
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F3FCE
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021FA9CB
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F11CA
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F51C6
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021FABFC
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F91FA
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F07E8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C18D0C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C144C7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C10AD8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C140EF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C190F6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C12E5C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C19A67
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C11E71
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C14810
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C1401A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C14C22
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C1082A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C1302C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C13432
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C17DC5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C107D7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C191FA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C18D81
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C19984
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C14B8B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C15193
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C12F9A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C18DA0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C133A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C14FAF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C1A9B4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C12956
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C19163
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C12104
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C1910C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C12914
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C19D1E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C11F22
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C13331
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C19735

Source: ogvcqbOEQs.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: ogvcqbOEQs.exe, 00000000.00000002.1311297640.0000000000413000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMSTEAMS vs ogvcqbOEQs.exe
Source: ogvcqbOEQs.exe, 00000000.00000002.1311521878.00000000021E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs ogvcqbOEQs.exe
Source: ogvcqbOEQs.exe	Binary or memory string: OriginalFilenameMSTEAMS vs ogvcqbOEQs.exe

Source: ogvcqbOEQs.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@0/0

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

File created: C:\Users\user\AppData\Local\Temp\~DF02B58E180701E70C.TMP

Jump to behavior

Source: ogvcqbOEQs.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: ogvcqbOEQs.exe	Virustotal: Detection: 18%
Source: ogvcqbOEQs.exe	ReversingLabs: Detection: 10%

Source: unknown	Process created: C:\Users\user\Desktop\ogvcqbOEQs.exe 'C:\Users\user\Desktop\ogvcqbOEQs.exe'
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\ogvcqbOEQs.exe'
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\ogvcqbOEQs.exe'

Source: ogvcqbOEQs.exe

Static file information: File size 10571776 > 1048576

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 0000000D.00000002.1721956987.0000000000C10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1311529373.00000000021F0000.00000040.00000001.sdmp, type: MEMORY

Source: ogvcqbOEQs.exe

Static PE information: real checksum: 0xa24e1f should be:

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_00402A6D push edx; ret
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_00405E39 push es; iretd
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_0040483D push edx; ret
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_00405D05 push cs; ret
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_00404725 push esp; retf

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F0F30 NtWriteVirtualMemory,TerminateProcess,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4B8B NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F3432
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4E5E NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F507A NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4D08 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F3331 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4F53 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F2B62 LoadLibraryA,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4FAF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F33A5
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F4BD2 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F69E7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C14C22
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C13432
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C169E7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C14B8B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C133A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C14FAF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C12B62
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C13331

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 00000000021F9289 second address: 00000000021F9289 instructions:
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 00000000021F95D8 second address: 00000000021F95D8 instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: ogvcqbOEQs.exe, 00000000.00000002.1311539557.0000000002200000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: ogvcqbOEQs.exe, 00000000.00000002.1311539557.0000000002200000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 000000000040D2BF second address: 000000000040D2BF instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 cmp ecx, 00000092h 0x00000009 popad 0x0000000a pushfd 0x0000000b popfd 0x0000000c nop 0x0000000d dec edi 0x0000000e lfence 0x00000011 cmp eax, 34h 0x00000014 cmp edi, 00000000h 0x00000017 jne 00007F13808AFE30h 0x00000019 nop 0x0000001a lfence 0x0000001d pushad 0x0000001e cmp eax, 7Ch 0x00000021 nop 0x00000022 rdtsc
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 00000000021F032C second address: 00000000021F84FD instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dword ptr [ebp+0000022Ch], edx 0x00000011 mov edx, 79A9B8F5h 0x00000016 xor edx, A14CDEE8h 0x0000001c xor edx, B4BF7B12h 0x00000022 add edx, 93A5E2F1h 0x00000028 push edx 0x00000029 mov edx, dword ptr [ebp+0000022Ch] 0x0000002f cmp ax, bx 0x00000032 push B6F4F8D9h 0x00000037 cmp ax, cx 0x0000003a push E49F8B3Ch 0x0000003f nop 0x00000040 push 16E1361Ah 0x00000045 push 1E79F54Fh 0x0000004a push 66B6A393h 0x0000004f test dl, al 0x00000051 push 54CCBF9Ah 0x00000056 call 00007F13808B939Ah 0x0000005b jmp 00007F13808B066Ah 0x0000005d cmp ah, dh 0x0000005f test ax, dx 0x00000062 cmp ch, FFFFFFDDh 0x00000065 mov ecx, dword ptr [ebp+1Ch] 0x00000068 mov edx, 129FECA4h 0x0000006d call 00007F13808AF965h 0x00000072 mov dword ptr [ebp+000001A2h], ecx 0x00000078 mov ecx, esi 0x0000007a cmp edx, 5B13C306h 0x00000080 push ecx 0x00000081 mov ecx, dword ptr [ebp+000001A2h] 0x00000087 mov dword ptr [ebp+0000022Eh], eax 0x0000008d mov eax, edx 0x0000008f push eax 0x00000090 cld 0x00000091 mov eax, dword ptr [ebp+0000022Eh] 0x00000097 mov dword ptr [ebp+0000017Fh], ebx 0x0000009d mov ebx, ecx 0x0000009f push ebx 0x000000a0 pushad 0x000000a1 lfence 0x000000a4 rdtsc
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 00000000021F9289 second address: 00000000021F9289 instructions:
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 00000000021F95D8 second address: 00000000021F95D8 instructions:
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 00000000021F9C7B second address: 00000000021F9C7B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp byte ptr [ebx], al 0x0000000d mov eax, dword ptr [ebp+000001D3h] 0x00000013 jne 00007F1380E4CFEEh 0x00000015 push esi 0x00000016 mov esi, 2E377BD6h 0x0000001b cmp esi, 2E377BD6h 0x00000021 jne 00007F1380E43BC7h 0x00000027 pop esi 0x00000028 inc ebx 0x00000029 mov dword ptr [ebp+00000180h], eax 0x0000002f test ebx, ebx 0x00000031 cmp ebx, dword ptr [ebp+00000180h] 0x00000037 je 00007F1380E4D4D5h 0x0000003d mov dword ptr [ebp+000001D3h], eax 0x00000043 test ecx, eax 0x00000045 mov eax, BE50D788h 0x0000004a fnop 0x0000004c xor eax, BF222699h 0x00000051 test bh, dh 0x00000053 test ax, bx 0x00000056 xor eax, 9AD4409Eh 0x0000005b xor eax, 9BA6B137h 0x00000060 pushad 0x00000061 lfence 0x00000064 rdtsc
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 00000000021F6A80 second address: 00000000021F84FD instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov ecx, dword ptr [ebp+1Ch] 0x00000006 mov edx, 12634CFEh 0x0000000b cmp eax, ecx 0x0000000d call 00007F13808B204Eh 0x00000012 mov dword ptr [ebp+000001A2h], ecx 0x00000018 mov ecx, esi 0x0000001a cmp edx, 5B13C306h 0x00000020 push ecx 0x00000021 mov ecx, dword ptr [ebp+000001A2h] 0x00000027 mov dword ptr [ebp+0000022Eh], eax 0x0000002d mov eax, edx 0x0000002f push eax 0x00000030 cld 0x00000031 mov eax, dword ptr [ebp+0000022Eh] 0x00000037 mov dword ptr [ebp+0000017Fh], ebx 0x0000003d mov ebx, ecx 0x0000003f push ebx 0x00000040 pushad 0x00000041 lfence 0x00000044 rdtsc
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 00000000021F6BBE second address: 00000000021F84FD instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F1380E4E952h 0x00000010 mov dword ptr [ebp+000001A2h], ecx 0x00000016 mov ecx, esi 0x00000018 cmp edx, 5B13C306h 0x0000001e push ecx 0x0000001f mov ecx, dword ptr [ebp+000001A2h] 0x00000025 mov dword ptr [ebp+0000022Eh], eax 0x0000002b mov eax, edx 0x0000002d push eax 0x0000002e cld 0x0000002f mov eax, dword ptr [ebp+0000022Eh] 0x00000035 mov dword ptr [ebp+0000017Fh], ebx 0x0000003b mov ebx, ecx 0x0000003d push ebx 0x0000003e pushad 0x0000003f lfence 0x00000042 rdtsc
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 00000000021F4C3F second address: 00000000021F4CA3 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor dword ptr [esp], 85D5A0CAh 0x0000000a cmp ebx, edx 0x0000000c xor dword ptr [esp], 4638D96Dh 0x00000013 add dword ptr [esp], D41A2919h 0x0000001a cmp al, dl 0x0000001c mov dword ptr [ebp+000001DEh], ecx 0x00000022 mov ecx, D6837C84h 0x00000027 xor ecx, CC419165h 0x0000002d xor ecx, 2B0470FEh 0x00000033 xor ecx, 31C69D1Fh 0x00000039 push ecx 0x0000003a cmp ax, 0000B3B4h 0x0000003e mov ecx, dword ptr [ebp+000001DEh] 0x00000044 test ah, bh 0x00000046 push E0FD18E3h 0x0000004b add dword ptr [esp], 0DF85EB0h 0x00000052 xor dword ptr [esp], 3AC71945h 0x00000059 xor dword ptr [esp], D4326ED6h 0x00000060 pushad 0x00000061 lfence 0x00000064 rdtsc
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	RDTSC instruction interceptor: First address: 00000000021F4CA3 second address: 00000000021F84FD instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push 1030ACD3h 0x00000010 cmp cx, 41CEh 0x00000015 xor dword ptr [esp], B540BC3Ah 0x0000001c cmp cl, al 0x0000001e xor dword ptr [esp], 660B06BBh 0x00000025 xor dword ptr [esp], C37B1652h 0x0000002c call 00007F1380E51D05h 0x00000031 test dh, ah 0x00000033 mov ecx, dword ptr [ebp+1Ch] 0x00000036 cmp dx, dx 0x00000039 mov edx, AC70FD1Ah 0x0000003e call 00007F1380E4BB8Ah 0x00000043 mov dword ptr [ebp+000001A2h], ecx 0x00000049 mov ecx, esi 0x0000004b cmp edx, 5B13C306h 0x00000051 push ecx 0x00000052 mov ecx, dword ptr [ebp+000001A2h] 0x00000058 mov dword ptr [ebp+0000022Eh], eax 0x0000005e mov eax, edx 0x00000060 push eax 0x00000061 cld 0x00000062 mov eax, dword ptr [ebp+0000022Eh] 0x00000068 mov dword ptr [ebp+0000017Fh], ebx 0x0000006e mov ebx, ecx 0x00000070 push ebx 0x00000071 pushad 0x00000072 lfence 0x00000075 rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 0000000000C1032C second address: 0000000000C184FD instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dword ptr [ebp+0000022Ch], edx 0x00000011 mov edx, 79A9B8F5h 0x00000016 xor edx, A14CDEE8h 0x0000001c xor edx, B4BF7B12h 0x00000022 add edx, 93A5E2F1h 0x00000028 push edx 0x00000029 mov edx, dword ptr [ebp+0000022Ch] 0x0000002f cmp ax, bx 0x00000032 push B6F4F8D9h 0x00000037 cmp ax, cx 0x0000003a push E49F8B3Ch 0x0000003f nop 0x00000040 push 16E1361Ah 0x00000045 push 1E79F54Fh 0x0000004a push 66B6A393h 0x0000004f test dl, al 0x00000051 push 54CCBF9Ah 0x00000056 call 00007F13808B939Ah 0x0000005b jmp 00007F13808B066Ah 0x0000005d cmp ah, dh 0x0000005f test ax, dx 0x00000062 cmp ch, FFFFFFDDh 0x00000065 mov ecx, dword ptr [ebp+1Ch] 0x00000068 mov edx, 129FECA4h 0x0000006d call 00007F13808AF965h 0x00000072 mov dword ptr [ebp+000001A2h], ecx 0x00000078 mov ecx, esi 0x0000007a cmp edx, 5B13C306h 0x00000080 push ecx 0x00000081 mov ecx, dword ptr [ebp+000001A2h] 0x00000087 mov dword ptr [ebp+0000022Eh], eax 0x0000008d mov eax, edx 0x0000008f push eax 0x00000090 cld 0x00000091 mov eax, dword ptr [ebp+0000022Eh] 0x00000097 mov dword ptr [ebp+0000017Fh], ebx 0x0000009d mov ebx, ecx 0x0000009f push ebx 0x000000a0 pushad 0x000000a1 lfence 0x000000a4 rdtsc

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Code function: 0_2_021F84CB rdtsc

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: ogvcqbOEQs.exe, 00000000.00000002.1311539557.0000000002200000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublishershell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: ogvcqbOEQs.exe, 00000000.00000002.1311539557.0000000002200000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

System information queried: ModuleInformation

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Process Stats: CPU usage > 90% for more than 60s

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Process queried: DebugPort

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Code function: 0_2_021F84CB rdtsc

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Code function: 0_2_021F7144 LdrInitializeThunk,

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F401A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F8A7E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F3C84 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F84B2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F62A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F3331 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F9984 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ogvcqbOEQs.exe	Code function: 0_2_021F3FCE mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C13C84 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C162A9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C184B2 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C18A7E mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C1401A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C19984 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00C13331 mov eax, dword ptr fs:[00000030h]

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: C10000

Source: C:\Users\user\Desktop\ogvcqbOEQs.exe

Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\ogvcqbOEQs.exe'

Source: ieinstal.exe, 0000000D.00000002.1723109058.0000000003630000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: ieinstal.exe, 0000000D.00000002.1723109058.0000000003630000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 0000000D.00000002.1723109058.0000000003630000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: ieinstal.exe, 0000000D.00000002.1723109058.0000000003630000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection112	Virtualization/Sandbox Evasion311	OS Credential Dumping	Security Software Discovery721	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection112	LSASS Memory	Virtualization/Sandbox Evasion311	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery32	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ogvcqbOEQs.exe	19%	Virustotal		Browse
ogvcqbOEQs.exe	11%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://d-bin.duckdns.org/remcos_dyno_xLTzJv	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://d-bin.duckdns.org/remcos_dyno_xLTzJv	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	456986
Start date:	30.07.2021
Start time:	18:03:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 19m 7s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	ogvcqbOEQs.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 26% (good quality ratio 14%) Quality average: 31.6% Quality standard deviation: 35.4%
HCA Information:	Successful, ratio: 69% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.998638224332722
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ogvcqbOEQs.exe
File size:	10571776
MD5:	f00e0bf11a316d65ab59574825f125bf
SHA1:	a25674d3d8285ad9216e61cfe923bc4b4a0c833a
SHA256:	06b51823317ace5ebfb38121fce872db43c72042d7ef657e3830d46c5572f0c3
SHA512:	3330bdeb213a3e8f2ec104a7018bf4accdd715b4eb7891f2cf29e8a2a3b5109ef143beba0ba51c5e13d92d5992dc9d809c52b1aa181c265d950e181a6a8c14fd
SSDEEP:	24576:tkELLVtinQL/2HkZQwTLniGZQwCwTrVtLTrzVQe2wCwX:SnGOHHQiGuHHHwCQ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L....JQW.....................0......d........ ....@........

File Icon


Icon Hash:	e2b0d8d8d2d8c400

Static PE Info

General
Entrypoint:	0x401364
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x57514AAD [Fri Jun 3 09:15:25 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9c8c8bb37b14de578924ac09be0d5cc5

Entrypoint Preview

Instruction
push 0040E6DCh
call 00007F13807E9803h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bl, ah
nop
mov cl, byte ptr [ecx-57h]
mov ebp, D38EA846h
fdivr st(0), st(1)
xor al, BBh
pop esi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi+76018350h], al
bound esi, dword ptr [eax+esi*2]
jc 00007F13807E9881h
push 00000065h
arpl word ptr [esi+edx*2+62h], si
add byte ptr [ebx], ch
adc al, byte ptr [ebx]
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or eax, dword ptr [ebx+edx-66h]
dec ecx
pop eax
in eax, dx
cmp byte ptr [edi-75h], cl
call 00007F13B4F28A92h
xor dword ptr [ebp+15h], edx
mov esi, dword ptr [ebp-546DF334h]
inc edx
test byte ptr [edx], ch
inc ecx
out dx, eax
outsb
enter 8F4Dh, 3Ah
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov ebp, 960000D0h
add dword ptr [eax], eax
add byte ptr [eax], al
or eax, dword ptr [eax]
push ebx
arpl word ptr [ecx+6Eh], sp
popad
insb
insb
imul ebp, dword ptr [esi+67h], 09010D00h
add byte ptr [ecx+eax*2+52h], dl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11124	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0x12a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x110	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x105dc	0x11000	False	0.509966681985	data	6.08573946634	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x12000	0xd24	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x13000	0x12a4	0x2000	False	0.166381835938	data	2.77658216516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x13118	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 14540253, next used block 12303291
RT_ICON	0x139c0	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x13f28	0x22	data
RT_VERSION	0x13f4c	0x358	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaOnError, __vbaObjSet, __vbaCyAdd, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaInStrB, __vbaVarDup, __vbaStrToAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Microsoft Corporation
InternalName	MSTEAMS
FileVersion	1.11.0056
CompanyName	Microsoft Corporation
LegalTrademarks	MTEAMS
Comments	Microsoft Teams
ProductName	Microsoft Teams
ProductVersion	1.11.0056
FileDescription	Microsoft Teams
OriginalFilename	MSTEAMS

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: ogvcqbOEQs.exe PID: 7100 Parent PID: 6112

General

Start time:	18:04:07
Start date:	30/07/2021
Path:	C:\Users\user\Desktop\ogvcqbOEQs.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ogvcqbOEQs.exe'
Imagebase:	0x400000
File size:	10571776 bytes
MD5 hash:	F00E0BF11A316D65AB59574825F125BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1311529373.00000000021F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: ieinstal.exe PID: 6160 Parent PID: 7100

General

Start time:	18:08:15
Start date:	30/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ogvcqbOEQs.exe'
Imagebase:	0xf40000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000D.00000002.1721956987.0000000000C10000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ogvcqbOEQs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: ogvcqbOEQs.exe PID: 7100 Parent PID: 6112

General

Analysis Process: ieinstal.exe PID: 6160 Parent PID: 7100

General

Disassembly

Code Analysis