Play interactive tour

Edit tour

Windows Analysis Report Hesap Hareketleri 28-09-2021.exe

Overview

General Information

Sample Name:	Hesap Hareketleri 28-09-2021.exe
Analysis ID:	491950
MD5:	2fca7a3e51417ee2e8aefafede0847d9
SHA1:	931518250bed6cd21b6cab529ed3ad9ead83cdcf
SHA256:	bffbffc2b1be154742fb81ecea14cb779b8fd81581ffce2855cf588f21a8020f
Tags:	exegeoTUR
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to call native functions

Program does not show much activity (idle)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

Hesap Hareketleri 28-09-2021.exe (PID: 6572 cmdline: 'C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe' MD5: 2FCA7A3E51417EE2E8AEFAFEDE0847D9)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id"}

Multi AV Scanner detection for submitted file

Show sources

Source: Hesap Hareketleri 28-09-2021.exe

ReversingLabs: Detection: 26%

Machine Learning detection for sample

Show sources

Source: Hesap Hareketleri 28-09-2021.exe

Joe Sandbox ML: detected

Source: Hesap Hareketleri 28-09-2021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id

Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867529345.000000000073A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: Hesap Hareketleri 28-09-2021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000000.344162020.0000000000415000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTOBENET.exe vs Hesap Hareketleri 28-09-2021.exe
Source: Hesap Hareketleri 28-09-2021.exe	Binary or memory string: OriginalFilenameTOBENET.exe vs Hesap Hareketleri 28-09-2021.exe

Source: Hesap Hareketleri 28-09-2021.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071727D
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071BB62
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715A60
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071C264
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071AA45
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00717447
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071584B
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071A64C
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071604F
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715630
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071743A
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715625
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071262A
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071522C
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071561F
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715E04
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00713AF5
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715CD4
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715ADA
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_007156DD
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_007162C4
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_007176B9
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_007150AA
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00710480
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715F75
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715561
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071595B
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071A727
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_007107F5
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_007163E5
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071ABDA
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00715BC0
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_007155B3
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071079A

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071727D NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_007176B9 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00717890 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00717719 NtAllocateVirtualMemory,

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe

Process Stats: CPU usage > 98%

Source: Hesap Hareketleri 28-09-2021.exe

ReversingLabs: Detection: 26%

Source: Hesap Hareketleri 28-09-2021.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe

File created: C:\Users\user\AppData\Local\Temp\~DF4ED96077179BC113.TMP

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, type: MEMORY

Source: Hesap Hareketleri 28-09-2021.exe

Static PE information: real checksum: 0x24c6f should be: 0x20bce

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00402AE8 push es; ret
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_004064F7 push 13C55635h; retf
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0040431A pushfd ; retf
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00711A34 push ebp; iretd
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00711EFD push esi; iretd
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00711544 push ecx; ret
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00711922 push esi; iretd
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00711927 push ebp; iretd
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071712B push ds; iretd
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00717112 push ds; iretw
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00711915 push ebp; iretd
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00711915 push esi; iretd
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00711993 push ebp; iretd

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	RDTSC instruction interceptor: First address: 000000000040EB3B second address: 000000000040EB3B instructions: 0x00000000 rdtsc 0x00000002 cmp ecx, 000000A1h 0x00000008 cmp eax, 000000C9h 0x0000000d popad 0x0000000e lfence 0x00000011 lfence 0x00000014 dec edi 0x00000015 lfence 0x00000018 pushfd 0x00000019 popfd 0x0000001a cmp edi, 00000000h 0x0000001d jne 00007F72DC9E1FC6h 0x0000001f lfence 0x00000022 cmp eax, 00000089h 0x00000027 pushad 0x00000028 mfence 0x0000002b wait 0x0000002c rdtsc
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	RDTSC instruction interceptor: First address: 0000000000716F2F second address: 0000000000716F2F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 8219BBE4h 0x00000007 xor eax, 75E10D96h 0x0000000c sub eax, 173DA739h 0x00000011 sub eax, E0BB0F38h 0x00000016 cpuid 0x00000018 popad 0x00000019 jmp 00007F72DCE2065Eh 0x0000001b test al, dl 0x0000001d call 00007F72DCE20618h 0x00000022 lfence 0x00000025 mov edx, C4E9AE68h 0x0000002a xor edx, 87763148h 0x00000030 xor edx, B74B9B40h 0x00000036 xor edx, 8B2A0474h 0x0000003c mov edx, dword ptr [edx] 0x0000003e lfence 0x00000041 ret 0x00000042 sub edx, esi 0x00000044 ret 0x00000045 pop ecx 0x00000046 jmp 00007F72DCE2065Ah 0x00000048 cmp dl, bl 0x0000004a add edi, edx 0x0000004c dec ecx 0x0000004d mov dword ptr [ebp+00000182h], ecx 0x00000053 mov ecx, 9B298471h 0x00000058 xor ecx, C9916611h 0x0000005e add ecx, 132F64BEh 0x00000064 add ecx, 9A17B8E2h 0x0000006a cmp dword ptr [ebp+00000182h], ecx 0x00000070 mov ecx, dword ptr [ebp+00000182h] 0x00000076 jne 00007F72DCE20583h 0x0000007c mov dword ptr [ebp+000001D9h], esi 0x00000082 mov esi, ecx 0x00000084 push esi 0x00000085 mov esi, dword ptr [ebp+000001D9h] 0x0000008b call 00007F72DCE206C4h 0x00000090 call 00007F72DCE20689h 0x00000095 lfence 0x00000098 mov edx, C4E9AE68h 0x0000009d xor edx, 87763148h 0x000000a3 xor edx, B74B9B40h 0x000000a9 xor edx, 8B2A0474h 0x000000af mov edx, dword ptr [edx] 0x000000b1 lfence 0x000000b4 ret 0x000000b5 mov esi, edx 0x000000b7 pushad 0x000000b8 rdtsc

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe

Code function: 1_2_0071726F rdtsc

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00719EDE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00716D70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_00719913 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe	Code function: 1_2_0071ABDA mov eax, dword ptr fs:[00000030h]

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe

Code function: 1_2_0071726F rdtsc

Source: C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe

Code function: 1_2_0071BB62 RtlAddVectoredExceptionHandler,

Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867638962.0000000000CC0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867638962.0000000000CC0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867638962.0000000000CC0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: Hesap Hareketleri 28-09-2021.exe, 00000001.00000002.867638962.0000000000CC0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	Input Capture1	Security Software Discovery21	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery11	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Hesap Hareketleri 28-09-2021.exe	27%	ReversingLabs	Win32.Trojan.Generic
Hesap Hareketleri 28-09-2021.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491950
Start date:	28.09.2021
Start time:	08:03:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 26s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Hesap Hareketleri 28-09-2021.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 23.4% (good quality ratio 7.5%) Quality average: 20.1% Quality standard deviation: 32.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.82.210.154, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 23.211.4.86 Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.7538699249737375
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Hesap Hareketleri 28-09-2021.exe
File size:	90112
MD5:	2fca7a3e51417ee2e8aefafede0847d9
SHA1:	931518250bed6cd21b6cab529ed3ad9ead83cdcf
SHA256:	bffbffc2b1be154742fb81ecea14cb779b8fd81581ffce2855cf588f21a8020f
SHA512:	4d56a20cc61aa096fbd1e181ce72a79d237d90b7e20078fed0e3c767dfead51a5b1d150307ca911fbaffac206ef3679c99e9dc93dd37b3f5f419a55bb683220a
SSDEEP:	1536:tM0wFjVxFXrMGm0tEM5eoz/s74HEgKhs:tM0wFjV7XrXltPXs7SJgs
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L...A6.L.................0... ...............@....@........

File Icon


Icon Hash:	821ca88c8e8c8c00

Static PE Info

General
Entrypoint:	0x4012c8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4C923641 [Thu Sep 16 15:22:41 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e73b8c032c82c64991ebe487a7ffcd43

Entrypoint Preview

Instruction
push 0040FF80h
call 00007F72DC9BEC83h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+edx*2], ch
and dword ptr [edx], esp
std
sbb eax, 52944436h
push esp
sbb byte ptr [esi], al
sar dword ptr [eax+00000000h], 1
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [ecx], 73h
popad
jc 00007F72DC9BECF5h
push 73676E69h
add byte ptr [eax], al
sbb al, 29h
sbb al, 03h
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
cmp byte ptr [edx+ecx*8-66h], ch
outsd
adc eax, A74A902Eh
mov bl, D9h
dec esi
pop ebp
push esi
dec esp
stosd
mov dword ptr [76B9991Fh], eax
xor eax, 74B8462Ah
add ch, ah
call 00007F7289EB2702h
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push cs
jmp far 0000h : 01A90000h
add byte ptr [eax+eax], cl
dec eax
jc 00007F72DC9BED06h
imul esp, dword ptr [ecx+62h], 65h
jc 00007F72DC9BED00h
xor dword ptr [eax], eax
or eax, 50001201h
outsd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13684	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x15000	0x540	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xe8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x12aec	0x13000	False	0.519377055921	data	6.24667059185	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x14000	0xcf4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x15000	0x540	0x1000	False	0.1298828125	data	1.4104134768	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x15418	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x15404	0x14	data
RT_VERSION	0x150f0	0x314	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaAryConstruct2, __vbaObjVar, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaStrToAnsi, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0404 0x04b0
LegalCopyright	ChatSwipe
InternalName	TOBENET
FileVersion	4.04.0001
CompanyName	ChatSwipe
LegalTrademarks	ChatSwipe
Comments	ChatSwipe
ProductName	ChatSwipe
ProductVersion	4.04.0001
FileDescription	ChatSwipe
OriginalFilename	TOBENET.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 08:04:43.679177046 CEST	54513	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:04:43.706648111 CEST	53	54513	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:11.663681984 CEST	62044	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:11.702028990 CEST	53	62044	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:12.749793053 CEST	63791	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:12.784634113 CEST	53	63791	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:13.378412008 CEST	64267	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:13.439718962 CEST	53	64267	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:13.796654940 CEST	49448	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:13.816284895 CEST	53	49448	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:14.339658976 CEST	60342	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:14.359230995 CEST	53	60342	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:15.067100048 CEST	61346	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:15.088597059 CEST	53	61346	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:15.551141024 CEST	51774	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:15.574536085 CEST	56023	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:15.585517883 CEST	53	51774	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:15.600014925 CEST	53	56023	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:16.310364008 CEST	58384	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:16.330646992 CEST	53	58384	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:17.862464905 CEST	60261	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:17.879365921 CEST	53	60261	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:18.499778986 CEST	56061	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:18.517704964 CEST	53	56061	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:34.030338049 CEST	58336	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:34.057075024 CEST	53	58336	8.8.8.8	192.168.2.6
Sep 28, 2021 08:05:38.985905886 CEST	53781	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:05:39.016797066 CEST	53	53781	8.8.8.8	192.168.2.6
Sep 28, 2021 08:06:02.887357950 CEST	54064	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:06:02.918589115 CEST	53	54064	8.8.8.8	192.168.2.6
Sep 28, 2021 08:06:07.316895008 CEST	52811	53	192.168.2.6	8.8.8.8
Sep 28, 2021 08:06:07.349633932 CEST	53	52811	8.8.8.8	192.168.2.6

Code Manipulations

Statistics

System Behavior

Analysis Process: Hesap Hareketleri 28-09-2021.exe PID: 6572 Parent PID: 3888

General

Start time:	08:04:14
Start date:	28/09/2021
Path:	C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Hesap Hareketleri 28-09-2021.exe'
Imagebase:	0x400000
File size:	90112 bytes
MD5 hash:	2FCA7A3E51417EE2E8AEFAFEDE0847D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.867469822.0000000000710000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Hesap Hareketleri 28-09-2021.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

System Behavior

Analysis Process: Hesap Hareketleri 28-09-2021.exe PID: 6572 Parent PID: 3888

General

Disassembly

Code Analysis