Play interactive tourEdit tour
Windows Analysis Report REQUIREMENT.exe
Overview
General Information
Detection
GuLoader FormBook
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
GuLoader behavior detected
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Connects to many different domains
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: GuLoader |
---|
{"Payload URL": "https://drive.google.com/uc?export=downloa"}
Threatname: FormBook |
---|
{"C2 list": ["www.tpmionline.com/cogu/"], "decoy": ["bornhub.xyz", "hancofe.store", "bestofnapa.guide", "innerhell.space", "ryker.ink", "leschoixusa.com", "bqgfk.com", "yakyu-eiga.com", "martialkitchen.com", "thousandoaks-buickgmc.com", "researchlearningspirit.xyz", "byobuzz.com", "taichan.xyz", "ballznutcracker.com", "soymilk-design.com", "chalengestodo.com", "nu12.online", "hkautobox.com", "uprisehealthmonitoring.com", "027jia.net", "cacaolixir.com", "werasdfdfsadf.info", "sanchalanprokashon.com", "donlead.com", "dsnfryfufi.com", "laythproduction.com", "narcozland.com", "jachaljuega.com", "centralcontable.net", "agamottocoin.com", "congtyvhomes.com", "i8news-de.website", "estudio-me.com", "high-clicks.com", "boliden-ab.com", "nazfoodstuff.com", "sozialwirtschaft.team", "xn--4pvw92bcry.com", "6ohmf.info", "fishermandm.com", "marvellouslles.com", "suprabranding.net", "jkwhitleyphotography.com", "qylaser.net", "034455.com", "farbeo.com", "boggbeg.com", "domainair.biz", "gulfweeks.com", "alexanderorlandis.com", "earning-beauty.xyz", "shopsharpgraphics.com", "fdndigtavrcb.net", "ceruleden.com", "originial-motors.com", "ebbtidefloodtide.com", "ctlcloudfr.com", "bywl.top", "alo360.net", "cinargeridonusum.com", "xn--ahindelivery-3mc.com", "cryptoidolz.pro", "snowmanvila.com", "mobileiranian2.com"]}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | ||
JoeSecurity_FormBook | Yara detected FormBook | Joe Security | ||
Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
| |
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| |
LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth |
| |
Click to see the 33 entries |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | ReversingLabs: |
Yara detected FormBook | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Multi AV Scanner detection for dropped file | Show sources |
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Networking: |
---|
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Show sources |
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: |
System process connects to network (likely due to code injection or exploit) | Show sources |
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: | ||
Source: | Network Connect: |
Performs DNS queries to domains with low reputation | Show sources |
Source: | DNS query: | ||
Source: | DNS query: |
C2 URLs / IPs found in malware configuration | Show sources |
Source: | URLs: | ||
Source: | URLs: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | Network traffic detected: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTP traffic detected: |