Windows Analysis Report GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe

Overview

General Information

Sample Name: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe
Analysis ID: 491606
MD5: 917a78f3605abfda3674fe5264a721e9
SHA1: c753e171b3ef5b974d70de7247734e3008841fd2
SHA256: 03e08e44d9df2a0ecc7824cc1b8f41e200cee531be111ee21d56ae1a5e05821a
Tags: exeguloader

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Detected potential crypto function

Classification

AV Detection:

Found malware configuration
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1qlA"}
Multi AV Scanner detection for submitted file
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Virustotal: Detection: 25%
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe ReversingLabs: Detection: 13%

Compliance:

Uses 32bit PE files
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1qlA

System Summary:

Sample file is different than original file name gathered from version info
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe, 00000000.00000000.242791228.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameelect.exe vs GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Binary or memory string: OriginalFilenameelect.exe vs GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe
PE file contains strange resources
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Code function: 0_2_021F76A5 0_2_021F76A5
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Virustotal: Detection: 25%
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe File created: C:\Users\user\AppData\Local\Temp\~DF7517115C2FEB583B.TMP
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal68.troj.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.514140065.00000000021F0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Code function: 0_2_00403752 push eax; ret 0_2_004037A5
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Code function: 0_2_00406552 push es; ret 0_2_00406561
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Code function: 0_2_00403558 pushfd ; ret 0_2_00403561
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Code function: 0_2_00404FF6 push ecx; ret 0_2_00404FFC
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Code function: 0_2_021F2625 push esi; iretd 0_2_021F2631
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Code function: 0_2_021F0ADE push 00000016h; ret 0_2_021F0AE0
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Code function: 0_2_021F12F3 push ebx; ret 0_2_021F1310
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Code function: 0_2_021F0F95 push edx; retf 0_2_021F0FEA
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Code function: 0_2_021F3184 push ds; retf 0_2_021F3189
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Code function: 0_2_021F9CAA rdtsc 0_2_021F9CAA

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Code function: 0_2_021F965B mov eax, dword ptr fs:[00000030h] 0_2_021F965B
Source: C:\Users\user\Desktop\GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe Code function: 0_2_021FCBD3 mov eax, dword ptr fs:[00000030h] 0_2_021FCBD3
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe, 00000000.00000002.512820853.0000000000C90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe, 00000000.00000002.512820853.0000000000C90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe, 00000000.00000002.512820853.0000000000C90000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe, 00000000.00000002.512820853.0000000000C90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: GRUPO MARI#U00d1O OBRAS Y SERVICIOS, SL Oferta 2709212890.exe, 00000000.00000002.512820853.0000000000C90000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos