Windows Analysis Report http___2.56.59.76_alig.jpg

Overview

General Information

Sample Name: http___2.56.59.76_alig.jpg (renamed file extension from jpg to exe)
Analysis ID: 457978
MD5: 4cb9e2f765041f74d74e4635144ce621
SHA1: 472ee254ad0196a8a80517d19d2d2f3f0df1fdd7
SHA256: bd068442713d668c544ed7c9b439e27121b33ac1573b12c95c7ff7ca8003d283
Tags: exejpg

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.1158179562.0000000003CB0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download"}
Machine Learning detection for sample
Source: http___2.56.59.76_alig.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: http___2.56.59.76_alig.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://onedrive.live.com/download

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_0040289C GetAsyncKeyState, 1_2_0040289C
Creates a DirectInput object (often for capturing keystrokes)
Source: http___2.56.59.76_alig.exe, 00000001.00000002.1157181207.000000000076A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB667C NtAllocateVirtualMemory, 1_2_03CB667C
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB67D4 NtAllocateVirtualMemory, 1_2_03CB67D4
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB66A4 NtAllocateVirtualMemory, 1_2_03CB66A4
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB661D NtAllocateVirtualMemory, 1_2_03CB661D
Detected potential crypto function
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB667C 1_2_03CB667C
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB97C8 1_2_03CB97C8
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB03CC 1_2_03CB03CC
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB11D3 1_2_03CB11D3
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB41D3 1_2_03CB41D3
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB4FD3 1_2_03CB4FD3
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CBA3EE 1_2_03CBA3EE
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CBA3EC 1_2_03CBA3EC
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB53FB 1_2_03CB53FB
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB13F6 1_2_03CB13F6
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB6380 1_2_03CB6380
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9580 1_2_03CB9580
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CBAD9D 1_2_03CBAD9D
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB499D 1_2_03CB499D
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB2FAB 1_2_03CB2FAB
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9FAB 1_2_03CB9FAB
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CBADAB 1_2_03CBADAB
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CBA1A8 1_2_03CBA1A8
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB2DA1 1_2_03CB2DA1
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB23A7 1_2_03CB23A7
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9DBA 1_2_03CB9DBA
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB49B7 1_2_03CB49B7
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB0FB6 1_2_03CB0FB6
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9D4D 1_2_03CB9D4D
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB0B47 1_2_03CB0B47
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB596E 1_2_03CB596E
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB4D6C 1_2_03CB4D6C
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB0B63 1_2_03CB0B63
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB3163 1_2_03CB3163
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB2379 1_2_03CB2379
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB0376 1_2_03CB0376
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB1508 1_2_03CB1508
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB1102 1_2_03CB1102
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9D4D 1_2_03CB9D4D
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB5718 1_2_03CB5718
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB2B1F 1_2_03CB2B1F
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB511C 1_2_03CB511C
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB0F17 1_2_03CB0F17
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9D29 1_2_03CB9D29
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB4128 1_2_03CB4128
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CBAF28 1_2_03CBAF28
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB0930 1_2_03CB0930
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB5534 1_2_03CB5534
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB08D9 1_2_03CB08D9
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9AD4 1_2_03CB9AD4
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB06EB 1_2_03CB06EB
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB12F4 1_2_03CB12F4
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB2285 1_2_03CB2285
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CBA09F 1_2_03CBA09F
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB5290 1_2_03CB5290
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9690 1_2_03CB9690
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB5AAE 1_2_03CB5AAE
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB4EA2 1_2_03CB4EA2
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB8CA1 1_2_03CB8CA1
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB66A4 1_2_03CB66A4
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9EB8 1_2_03CB9EB8
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB8ABF 1_2_03CB8ABF
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9ABD 1_2_03CB9ABD
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB40B1 1_2_03CB40B1
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB584C 1_2_03CB584C
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB5446 1_2_03CB5446
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB1667 1_2_03CB1667
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB947B 1_2_03CB947B
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9478 1_2_03CB9478
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CBAE7E 1_2_03CBAE7E
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CBAE1E 1_2_03CBAE1E
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB661D 1_2_03CB661D
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB4627 1_2_03CB4627
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB1E39 1_2_03CB1E39
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB043C 1_2_03CB043C
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB3032 1_2_03CB3032
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB4831 1_2_03CB4831
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB0836 1_2_03CB0836
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB5636 1_2_03CB5636
Sample file is different than original file name gathered from version info
Source: http___2.56.59.76_alig.exe, 00000001.00000002.1157310262.0000000002280000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs http___2.56.59.76_alig.exe
Source: http___2.56.59.76_alig.exe, 00000001.00000000.634073264.0000000000423000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamealig.exe vs http___2.56.59.76_alig.exe
Source: http___2.56.59.76_alig.exe Binary or memory string: OriginalFilenamealig.exe vs http___2.56.59.76_alig.exe
Uses 32bit PE files
Source: http___2.56.59.76_alig.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe File created: C:\Users\user\AppData\Local\Temp\~DFCEE7CBDD8D96BF04.TMP
Source: http___2.56.59.76_alig.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.1158179562.0000000003CB0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_00407B80 push eax; ret 1_2_00407B86
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB711C push esi; ret 1_2_03CB711E
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CBB869 pushad ; ret 1_2_03CBB86A
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB4FD3 1_2_03CB4FD3
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB53FB 1_2_03CB53FB
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB499D 1_2_03CB499D
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB2FAB 1_2_03CB2FAB
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9D4D 1_2_03CB9D4D
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB4D6C 1_2_03CB4D6C
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB3163 1_2_03CB3163
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9D4D 1_2_03CB9D4D
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB511C 1_2_03CB511C
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB0F17 1_2_03CB0F17
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB4128 1_2_03CB4128
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB2285 1_2_03CB2285
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB5290 1_2_03CB5290
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB4EA2 1_2_03CB4EA2
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB40B1 1_2_03CB40B1
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9478 1_2_03CB9478
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB3032 1_2_03CB3032
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe RDTSC instruction interceptor: First address: 0000000003CB92C9 second address: 0000000003CB92C9 instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 7305038Fh
  0x00000007 sub eax, 428F9BE4h
  0x0000000c xor eax, A94964F8h
  0x00000011 add eax, 66C3FCAEh
  0x00000016 cpuid
  0x00000018 cmp bh, bh
  0x0000001a popad
  0x0000001b call 00007F7518B710E5h
  0x00000020 lfence
  0x00000023 mov edx, 89618492h
  0x00000028 xor edx, A0F4BA61h
  0x0000002e add edx, F6C4231Dh
  0x00000034 xor edx, 5FA76204h
  0x0000003a mov edx, dword ptr [edx]
  0x0000003c lfence
  0x0000003f cmp cl, bl
  0x00000041 jmp 00007F7518B71104h
  0x00000043 cmp edx, ecx
  0x00000045 ret
  0x00000046 sub edx, esi
  0x00000048 ret
  0x00000049 add edi, edx
  0x0000004b nop
  0x0000004c dec dword ptr [ebp+000000F8h]
  0x00000052 cmp dword ptr [ebp+000000F8h], 00000000h
  0x00000059 jne 00007F7518B710BBh
  0x0000005b call 00007F7518B71184h
  0x00000060 call 00007F7518B71108h
  0x00000065 lfence
  0x00000068 mov edx, 89618492h
  0x0000006d xor edx, A0F4BA61h
  0x00000073 add edx, F6C4231Dh
  0x00000079 xor edx, 5FA76204h
  0x0000007f mov edx, dword ptr [edx]
  0x00000081 lfence
  0x00000084 cmp cl, bl
  0x00000086 jmp 00007F7518B71104h
  0x00000088 cmp edx, ecx
  0x0000008a ret
  0x0000008b mov esi, edx
  0x0000008d pushad
  0x0000008e rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB03CC rdtsc 1_2_03CB03CC
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB03CC rdtsc 1_2_03CB03CC
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB8DE9 mov eax, dword ptr fs:[00000030h] 1_2_03CB8DE9
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB61AD mov eax, dword ptr fs:[00000030h] 1_2_03CB61AD
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB87BC mov eax, dword ptr fs:[00000030h] 1_2_03CB87BC
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9D4D mov eax, dword ptr fs:[00000030h] 1_2_03CB9D4D
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9D4D mov eax, dword ptr fs:[00000030h] 1_2_03CB9D4D
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9D29 mov eax, dword ptr fs:[00000030h] 1_2_03CB9D29
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB4128 mov eax, dword ptr fs:[00000030h] 1_2_03CB4128
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB40B1 mov eax, dword ptr fs:[00000030h] 1_2_03CB40B1
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: http___2.56.59.76_alig.exe, 00000001.00000002.1157257404.0000000000DF0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: http___2.56.59.76_alig.exe, 00000001.00000002.1157257404.0000000000DF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: http___2.56.59.76_alig.exe, 00000001.00000002.1157257404.0000000000DF0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: http___2.56.59.76_alig.exe, 00000001.00000002.1157257404.0000000000DF0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\http___2.56.59.76_alig.exe Code function: 1_2_03CB9ABD cpuid 1_2_03CB9ABD