Windows Analysis Report GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe

Overview

General Information

Sample Name: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe
Analysis ID: 491600
MD5: 991bee5a9edd18a183c900b7edeccefe
SHA1: 18189c5a9d3ab005df5426494e2016a5d64b8c72
SHA256: e3c94531505c4a4d5bb35bb62e773676f7e9ab522111d930f02c3144c971414d
Tags: exe, guloader

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Detected potential crypto function

AV Detection:

Found malware configuration
Source: 00000001.00000002.505045374.0000000002A30000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1ycJKs"}
Multi AV Scanner detection for submitted file
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Virustotal: Detection: 27%
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe ReversingLabs: Detection: 11%

Compliance:

Uses 32bit PE files
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
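
The flags above come straight from IMAGE_FILE_HEADER.Characteristics. The Python below is an added example (not part of the Joe Sandbox report and not the sample's own code) that walks MZ -> e_lfanew -> PE signature, decodes the Characteristics bitmask with the same names the report uses, and derives the two facts a reverser cares about before loading the file: the image is 32-bit x86, and with RELOCS_STRIPPED it has no base relocations and so cannot be rebased. The header it parses is constructed in `build_sample()` with the reported flags set; it is not bytes from the real file.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h), named as the report names them.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
IMAGE_FILE_MACHINE_I386 = 0x014C


def file_header(data: bytes) -> dict:
    """Locate IMAGE_FILE_HEADER via the DOS header and decode its fields."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _ts, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    flags = [name for bit, name in sorted(CHARACTERISTICS.items()) if chars & bit]
    return {"machine": machine, "sections": nsections,
            "characteristics": chars, "flags": flags}


def triage(data: bytes) -> list:
    """Observations derived from the header before the file is ever executed."""
    hdr = file_header(data)
    notes = []
    if hdr["machine"] == IMAGE_FILE_MACHINE_I386 and "32BIT_MACHINE" in hdr["flags"]:
        notes.append("32-bit x86 image (loads under WOW64 on 64-bit Windows)")
    if "RELOCS_STRIPPED" in hdr["flags"]:
        notes.append("no base relocations: image cannot be rebased, loads at its preferred ImageBase")
    if "EXECUTABLE_IMAGE" in hdr["flags"] and "DLL" not in hdr["flags"]:
        notes.append("standalone executable, not a DLL")
    return notes


def build_sample() -> bytes:
    """Constructed minimal MZ/PE header (NOT the real sample) carrying the reported flags."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after DOS header
    chars = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100
    fh = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 3, 0, 0, 0, 0xE0, chars)
    return bytes(dos) + b"PE\x00\x00" + fh


if __name__ == "__main__":
    sample = build_sample()
    print(file_header(sample))
    for note in triage(sample):
        print("-", note)
```

Run it against a real file by replacing `build_sample()` with `open(path, "rb").read()`; the header walk is the same. A real parser would additionally validate that e_lfanew lies inside the file before indexing, which the constructed input makes unnecessary here.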

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1ycJKs

System Summary:

Sample file is different than original file name gathered from version info
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe, 00000001.00000000.237743772.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilename: Kios2.exe vs GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Binary or memory string: OriginalFilename: Kios2.exe vs GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe
PE file contains strange resources
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A37233 1_2_02A37233
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A37403 1_2_02A37403
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe File created: C:\Users\user\AppData\Local\Temp\~DF2528AA0FB36E21C6.TMP
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal68.troj.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.505045374.0000000002A30000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_004055C5 push eax; retf 1_2_004055C6
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_00402ACE push ecx; ret 1_2_00402AD4
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_004066FC push ebx; ret 1_2_00406705
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A320A4 push esp; iretd 1_2_02A320A8
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A36288 push cs; iretd 1_2_02A36311
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A350E2 push ebp; retf 1_2_02A350E3
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A33EF3 push ss; ret 1_2_02A33F02
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A344FF push cs; retf 1_2_02A345D8
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A36215 push 89000002h; iretd 1_2_02A3621A
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A32219 push ss; iretd 1_2_02A3225B
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A3626F push cs; iretd 1_2_02A36311
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A3225C push ss; iretd 1_2_02A3225B
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A321A7 push ss; iretd 1_2_02A3225B
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A363BB push ss; ret 1_2_02A3640F
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A363E9 push ss; ret 1_2_02A3640F
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A36312 push cs; iretd 1_2_02A36311
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A32565 push ds; ret 1_2_02A32566
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A34576 push cs; retf 1_2_02A345D8
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A39850 rdtsc 1_2_02A39850

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A3CC88 mov eax, dword ptr fs:[00000030h] 1_2_02A3CC88
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A395F7 mov eax, dword ptr fs:[00000030h] 1_2_02A395F7
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe Code function: 1_2_02A3D33B mov eax, dword ptr fs:[00000030h] 1_2_02A3D33B
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe, 00000001.00000002.504865617.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe, 00000001.00000002.504865617.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe, 00000001.00000002.504865617.0000000000C60000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe, 00000001.00000002.504865617.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709213390.exe, 00000001.00000002.504865617.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Progmanlock
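
The three code-level signatures in the Data Obfuscation and Anti Debugging sections (push/ret control-flow tricks, the `rdtsc` timing check, and `mov eax, fs:[30h]` reads of the PEB, where `BeingDebugged` lives) are all short, fixed opcode sequences, which is why a sandbox can flag them in a memory dump. The Python below is an added example, not code from the Joe Sandbox report or from the sample, that scans a raw 32-bit code region for those encodings and maps the hits back to the report's signature names. The buffer `SAMPLE` is constructed for the example and is not bytes from the real sample; the base address 0x02A30000 is reused from the dump region in which the report's Yara match and configuration extraction occurred. It is a byte scan, not a disassembly, so a hit on `push reg; ret` inside data or across instruction boundaries is possible and must be confirmed in a disassembler.

```python
from __future__ import annotations

import re
from typing import NamedTuple


class Hit(NamedTuple):
    offset: int   # virtual address (base + position in buffer)
    kind: str     # peb_read | rdtsc | push_ret
    disasm: str   # human-readable form, in the report's notation


# x86 (32-bit) encodings of the primitives the report flags.
PEB_READ = b"\x64\xA1\x30\x00\x00\x00"   # mov eax, dword ptr fs:[00000030h]  (TEB -> PEB)
RDTSC = b"\x0F\x31"                      # rdtsc
PUSH_REG = {0x50 + i: r for i, r in enumerate(
    ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"))}
PUSH_SEG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
PUSH_IMM32 = 0x68
RET_OPS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}

SIGNATURE_FOR = {
    "peb_read": "Contains functionality to read the PEB",
    "rdtsc": "Contains functionality for execution timing, often used to detect debuggers",
    "push_ret": "Uses code obfuscation techniques (call, push, ret)",
}


def scan(buf: bytes, base: int = 0) -> list[Hit]:
    """Return every hit in buf, sorted by address. base is the VA of buf[0]."""
    hits: list[Hit] = []
    for m in re.finditer(re.escape(PEB_READ), buf):
        hits.append(Hit(base + m.start(), "peb_read", "mov eax, dword ptr fs:[00000030h]"))
    for m in re.finditer(re.escape(RDTSC), buf):
        hits.append(Hit(base + m.start(), "rdtsc", "rdtsc"))
    # push <reg | segment | imm32> immediately followed by ret / retf / iretd.
    i, n = 0, len(buf)
    while i < n:
        op = buf[i]
        if op in PUSH_REG or op in PUSH_SEG:
            operand, nxt = PUSH_REG.get(op) or PUSH_SEG[op], i + 1
        elif op == PUSH_IMM32 and i + 5 <= n:
            imm = int.from_bytes(buf[i + 1:i + 5], "little")
            operand, nxt = f"{imm:08X}h", i + 5
        else:
            i += 1
            continue
        if nxt < n and buf[nxt] in RET_OPS:
            hits.append(Hit(base + i, "push_ret", f"push {operand}; {RET_OPS[buf[nxt]]}"))
        i += 1  # advance one byte: the scan is not instruction-aligned
    return sorted(hits)


def signatures(hits: list[Hit]) -> list[str]:
    """Report-style signature names triggered by the hits."""
    return sorted({SIGNATURE_FOR[h.kind] for h in hits})


# Constructed code region (not bytes from the sample): an ordinary prologue,
# a PEB.BeingDebugged read, a timing check, and three push/return pairs of
# the kinds listed in the report.
SAMPLE = (
    b"\x55\x8B\xEC"                  # push ebp; mov ebp, esp  (benign, no hit)
    + b"\x64\xA1\x30\x00\x00\x00"    # mov eax, dword ptr fs:[30h]
    + b"\x0F\xB6\x40\x02"            # movzx eax, byte ptr [eax+2]  (PEB.BeingDebugged)
    + b"\x0F\x31"                    # rdtsc
    + b"\x50\xC3"                    # push eax; ret
    + b"\x0E\xCF"                    # push cs; iretd
    + b"\x68\x02\x00\x00\x89\xCF"    # push 89000002h; iretd
    + b"\x90\x90"
)

if __name__ == "__main__":
    found = scan(SAMPLE, base=0x02A30000)
    for h in found:
        print(f"{h.offset:08X}  {h.kind:9}  {h.disasm}")
    for name in signatures(found):
        print("signature:", name)
```

To run it over a real dump, read the region with `open(path, "rb").read()` and pass the region's load address as `base`; the offsets then line up with the `1_2_02A3xxxx` identifiers the report prints.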
No contacted IP infos