Windows Analysis Report payment confirmation.exe

Overview

General Information

Sample Name: payment confirmation.exe
Analysis ID: 491535
MD5: 930debccdeecb4fc138b0319bef33720
SHA1: b56f93dc8316eb35a3b311ce1c412e5d617bcfeb
SHA256: 03082b2f67073c9017a28fe1ef9166d38edd339ef72da583653f083ec2b9fac4
Tags: exe

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.873217700.00000000021F0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=dow"}
Multi AV Scanner detection for submitted file
Source: payment confirmation.exe Virustotal: Detection: 30%
Source: payment confirmation.exe ReversingLabs: Detection: 15%

Compliance:

Uses 32bit PE files
Source: payment confirmation.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=dow

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: payment confirmation.exe
Executable has a suspicious name (potential lure to open the executable)
Source: payment confirmation.exe Static file information: Suspicious name
Uses 32bit PE files
Source: payment confirmation.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: payment confirmation.exe, 00000001.00000002.872716225.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamedamrred.exe vs payment confirmation.exe
Source: payment confirmation.exe Binary or memory string: OriginalFilenamedamrred.exe vs payment confirmation.exe
PE file contains strange resources
Source: payment confirmation.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Contains functionality to call native functions
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F72A4 NtAllocateVirtualMemory, 1_2_021F72A4
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F787E NtAllocateVirtualMemory, 1_2_021F787E
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F7872 NtAllocateVirtualMemory, 1_2_021F7872
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F7866 NtAllocateVirtualMemory, 1_2_021F7866
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F7896 NtAllocateVirtualMemory, 1_2_021F7896
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F788A NtAllocateVirtualMemory, 1_2_021F788A
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F78BA NtAllocateVirtualMemory, 1_2_021F78BA
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F76AB NtAllocateVirtualMemory, 1_2_021F76AB
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F774E NtAllocateVirtualMemory, 1_2_021F774E
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F777E NtAllocateVirtualMemory, 1_2_021F777E
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F7772 NtAllocateVirtualMemory, 1_2_021F7772
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F7766 NtAllocateVirtualMemory, 1_2_021F7766
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\payment confirmation.exe Process Stats: CPU usage > 98%
Source: payment confirmation.exe Virustotal: Detection: 30%
Source: payment confirmation.exe ReversingLabs: Detection: 15%
Source: payment confirmation.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\payment confirmation.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\payment confirmation.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\payment confirmation.exe File created: C:\Users\user\AppData\Local\Temp\~DF6135C90C205E10D1.TMP
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.873217700.00000000021F0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_00406252 push ebx; retf 1_2_00406257
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_0040645E push edi; retf 1_2_0040645F
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_00404A04 push 0000003Ah; iretd 1_2_00404A10
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_0040523B push edi; ret 1_2_0040523C
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_004080D3 push cs; ret 1_2_004080E9
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_004060E8 push dword ptr [edi-36h]; iretd 1_2_004060F4
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_00408098 push cs; ret 1_2_004080E9
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_004047D9 push cs; retf 1_2_0040483F
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_00404795 push cs; retf 1_2_004047B7
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F8A25 pushad ; retf 1_2_021F8A26
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F8A44 push eax; ret 1_2_021F8A45
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F2AFA push eax; ret 1_2_021F2B01
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F8336 push 5FF5B4E2h; ret 1_2_021F833D
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F236E push ecx; retf 1_2_021F2370
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F83AF push 84000016h; ret 1_2_021F83B4
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F8890 push esi; iretd 1_2_021F8896
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F1883 pushad ; ret 1_2_021F1889
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F3882 push eax; ret 1_2_021F3885
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F49C7 push esp; iretd 1_2_021F49CF
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F1698 pushad ; ret 1_2_021F16FD
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F16FE pushad ; ret 1_2_021F16FD
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F1716 pushad ; ret 1_2_021F16FD
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F170A pushad ; ret 1_2_021F16FD
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F1722 pushad ; ret 1_2_021F16FD
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F1568 push eax; ret 1_2_021F156C
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F45D4 pusha ; iretd 1_2_021F45E2
Source: C:\Users\user\Desktop\payment confirmation.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\payment confirmation.exe RDTSC instruction interceptor: First address: 000000000040EC4B second address: 000000000040EC4B instructions: 0x00000000 rdtsc 0x00000002 cmp ecx, 50h 0x00000005 cmp eax, 00000089h 0x0000000a popad 0x0000000b cmp eax, 4Fh 0x0000000e wait 0x0000000f dec edi 0x00000010 lfence 0x00000013 wait 0x00000014 cmp edi, 00000000h 0x00000017 jne 00007F6508BEA90Fh 0x00000019 pushfd 0x0000001a popfd 0x0000001b mfence 0x0000001e pushad 0x0000001f mfence 0x00000022 wait 0x00000023 rdtsc
Source: C:\Users\user\Desktop\payment confirmation.exe RDTSC instruction interceptor: First address: 00000000021F6F29 second address: 00000000021F6F29 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 6D2A1F19h 0x00000007 xor eax, 45945F07h 0x0000000c add eax, C726675Ch 0x00000011 add eax, 101B5887h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F650838F078h 0x0000001e lfence 0x00000021 mov edx, CC755165h 0x00000026 xor edx, BA4B37F6h 0x0000002c xor edx, 2C31E30Ah 0x00000032 xor edx, 25F1858Dh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+000001B3h], ecx 0x0000004b mov ecx, A73C3F3Ch 0x00000050 add ecx, 692C6FF6h 0x00000056 sub ecx, 1AB1EA29h 0x0000005c add ecx, 0A493AF7h 0x00000062 cmp dword ptr [ebp+000001B3h], ecx 0x00000068 mov ecx, dword ptr [ebp+000001B3h] 0x0000006e jne 00007F650838F02Dh 0x00000070 test al, al 0x00000072 mov dword ptr [ebp+0000025Bh], edi 0x00000078 mov edi, ecx 0x0000007a push edi 0x0000007b mov edi, dword ptr [ebp+0000025Bh] 0x00000081 call 00007F650838F148h 0x00000086 call 00007F650838F099h 0x0000008b lfence 0x0000008e mov edx, CC755165h 0x00000093 xor edx, BA4B37F6h 0x00000099 xor edx, 2C31E30Ah 0x0000009f xor edx, 25F1858Dh 0x000000a5 mov edx, dword ptr [edx] 0x000000a7 lfence 0x000000aa ret 0x000000ab mov esi, edx 0x000000ad pushad 0x000000ae rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F7235 rdtsc 1_2_021F7235

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\payment confirmation.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021FABBD mov eax, dword ptr fs:[00000030h] 1_2_021FABBD
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F99FC mov eax, dword ptr fs:[00000030h] 1_2_021F99FC
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F9F4F mov eax, dword ptr fs:[00000030h] 1_2_021F9F4F
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F6D48 mov eax, dword ptr fs:[00000030h] 1_2_021F6D48
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021F7235 rdtsc 1_2_021F7235
Source: C:\Users\user\Desktop\payment confirmation.exe Code function: 1_2_021FBC77 RtlAddVectoredExceptionHandler, 1_2_021FBC77
Source: payment confirmation.exe, 00000001.00000002.872876297.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: payment confirmation.exe, 00000001.00000002.872876297.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Progman
Source: payment confirmation.exe, 00000001.00000002.872876297.0000000000D80000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: payment confirmation.exe, 00000001.00000002.872876297.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos