Play interactive tourEdit tour
Windows Analysis Report ORDER.xlsx
Overview
General Information
Detection
GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected GuLoader
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: GuLoader |
---|
{"Payload URL": "http://37.0.11.217/WEALTHYREM_ecIAnTt143.bin"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Sigma Overview |
---|
Exploits: |
---|
Sigma detected: EQNEDT32.EXE connecting to internet | Show sources |
Source: | Author: Joe Security: |
Sigma detected: File Dropped By EQNEDT32EXE | Show sources |
Source: | Author: Joe Security: |
System Summary: |
---|
Sigma detected: Droppers Exploiting CVE-2017-11882 | Show sources |
Source: | Author: Florian Roth: |
Sigma detected: Execution from Suspicious Folder | Show sources |
Source: | Author: Florian Roth: |
Jbx Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Machine Learning detection for dropped file | Show sources |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Exploits: |
---|
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) | Show sources |
Source: | Process created: | ||
Source: | Process created: |
Source: | Process created: |
Source: | File opened: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | Memory has grown: |
Networking: |
---|
C2 URLs / IPs found in malware configuration | Show sources |
Source: | URLs: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |