Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report ZAM#U00d3WIENIE.exe

Overview

General Information

Sample Name:ZAM#U00d3WIENIE.exe
Analysis ID:502209
MD5:4805bfc9145d8aa3ac43d1cc29c451ed
SHA1:7787fa250b35d1a67142d230cbedbc357eb8cb9c
SHA256:bac5da263610272c5c5be4ecb5a16626c653a757abaffc8402d210227ec04bb8
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

Process Tree

  • System is w10x64
  • ZAM#U00d3WIENIE.exe (PID: 6008 cmdline: 'C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe' MD5: 4805BFC9145D8AA3AC43D1CC29C451ED)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downloa"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.772210295.00000000021D0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.772210295.00000000021D0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloa"}
    Source: ZAM#U00d3WIENIE.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=downloa
    Source: ZAM#U00d3WIENIE.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D7A18 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D7AB7 NtAllocateVirtualMemory,
    Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.771912024.0000000000416000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamefamiliegruppers.exe vs ZAM#U00d3WIENIE.exe
    Source: ZAM#U00d3WIENIE.exeBinary or memory string: OriginalFilenamefamiliegruppers.exe vs ZAM#U00d3WIENIE.exe
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_0040167A
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_0040162D
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_0040143E
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D7A18
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021DBDB9
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D5A37
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D6233
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D7E75
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D5E6E
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D7EA0
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D66F2
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D9F0C
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021DAB24
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D5B5F
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D7F4C
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D634E
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D5FB1
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D042E
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D8022
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D5C6B
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D609E
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D588B
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D64A0
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D64E5
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D8113
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D5909
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D5505
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D6104
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D5D65
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D659E
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D5597
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeFile created: C:\Users\user\AppData\Local\Temp\~DF737D484AB8F1AB01.TMPJump to behavior
    Source: ZAM#U00d3WIENIE.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: classification engineClassification label: mal68.troj.evad.winEXE@1/0@0/0

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.772210295.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_00402E52 push esi; ret
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_00405E3D pushfd ; retf
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_00402ECA push esi; ret
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_00402EFC push ss; ret
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_00402E84 push ss; ret
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_00403CBF push ebp; retf
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D6A51 push ecx; iretd
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D6A9A push ecx; iretd
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D6AC0 push ecx; iretd
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D2EE5 push edx; iretd
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D0B53 push FFFFFF98h; iretd
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021DA371 push ecx; ret
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021DA383 push ecx; ret
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D902A push ecx; iretd
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D9047 push 3966FF69h; retf
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D38C2 push ebx; ret
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D7DAF push 38E68469h; ret
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    barindex
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeRDTSC instruction interceptor: First address: 000000000040F508 second address: 000000000040F508 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 popfd 0x00000004 cmp ecx, 000000F6h 0x0000000a popad 0x0000000b wait 0x0000000c cmp eax, 5Bh 0x0000000f dec edi 0x00000010 mfence 0x00000013 nop 0x00000014 cmp edi, 00000000h 0x00000017 jne 00007F931C9628C0h 0x00000019 mfence 0x0000001c pushfd 0x0000001d popfd 0x0000001e pushad 0x0000001f pushfd 0x00000020 popfd 0x00000021 nop 0x00000022 rdtsc
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D7293 rdtsc

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D9AF1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021DA05D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D70B2 mov eax, dword ptr fs:[00000030h]
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021D7293 rdtsc
    Source: C:\Users\user\Desktop\ZAM#U00d3WIENIE.exeCode function: 0_2_021DBDB9 RtlAddVectoredExceptionHandler,
    Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.772116138.0000000000CC0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.772116138.0000000000CC0000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.772116138.0000000000CC0000.00000002.00020000.sdmpBinary or memory string: SProgram Managerl
    Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.772116138.0000000000CC0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd,
    Source: ZAM#U00d3WIENIE.exe, 00000000.00000002.772116138.0000000000CC0000.00000002.00020000.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery21Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery11Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:33.0.0 White Diamond
    Analysis ID:502209
    Start date:13.10.2021
    Start time:17:55:39
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 14s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:ZAM#U00d3WIENIE.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:28
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal68.troj.evad.winEXE@1/0@0/0
    EGA Information:Failed
    HDC Information:
    • Successful, ratio: 25.6% (good quality ratio 17.1%)
    • Quality average: 41.1%
    • Quality standard deviation: 36.1%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Excluded IPs from analysis (whitelisted): 95.100.218.79, 95.100.216.89, 20.82.210.154, 40.112.88.60, 2.20.178.33, 2.20.178.24, 52.251.79.25, 20.54.110.249
    • Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
    • Not all processes where analyzed, report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):5.844997038967016
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:ZAM#U00d3WIENIE.exe
    File size:98304
    MD5:4805bfc9145d8aa3ac43d1cc29c451ed
    SHA1:7787fa250b35d1a67142d230cbedbc357eb8cb9c
    SHA256:bac5da263610272c5c5be4ecb5a16626c653a757abaffc8402d210227ec04bb8
    SHA512:493487b0fc72108bc8669cd981f8b226956c63e5098addb36b88a2a78f6f120d785dd35c1e44f37c1ad7a1656ac7769fb7ebf4ce4c5864b6789496326d684792
    SSDEEP:1536:tlDO6+ecV15gr1zsaZMkKfsw1yNbmPsQTz5It5W3gVARkD:tlRwVLgr1zsa4qSkAI/WwVARk
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L.....7W.................@...0...............P....@........

    File Icon

    Icon Hash:69e1c892f664c884

    Static PE Info

    General

    Entrypoint:0x4012b4
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x5737ACED [Sat May 14 22:55:41 2016 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:3d3cd1bd8dcc611a5734bf41f4e1a6a6

    Entrypoint Preview

    Instruction
    push 00410938h
    call 00007F931CAADF43h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    inc eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add bh, ah
    iretd
    push esi
    scasb
    scasd
    out 05h, eax
    inc ebp
    mov bh, 98h
    out 42h, eax
    daa
    in al, dx
    fld qword ptr [eax]
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx+6Dh], cl
    insd
    popad
    outsb
    imul esp, dword ptr [esi+65h], 656E7473h
    jnc 00007F931CAADFC5h
    cmp dword ptr [eax], eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    dec esp
    xor dword ptr [eax], eax
    cmp byte ptr [ebp+137AFA88h], bl
    out E1h, eax
    inc edi
    lodsb

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x145340x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x160000x1c3a.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2300x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000xf0.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x139280x14000False0.517761230469data6.30128676097IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data0x150000xcc40x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x160000x1c3a0x2000False0.346923828125data3.69728781195IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    CUSTOM0x1793c0x2feMS Windows icon resource - 1 icon, 32x32, 16 colorsEnglishUnited States
    CUSTOM0x1707e0x8beMS Windows icon resource - 1 icon, 32x32, 8 bits/pixelEnglishUnited States
    CUSTOM0x16d800x2feMS Windows icon resource - 1 icon, 32x32, 16 colors, 4 bits/pixelEnglishUnited States
    RT_ICON0x164d80x8a8data
    RT_GROUP_ICON0x164c40x14data
    RT_VERSION0x161a00x324dataEnglishUnited States

    Imports

    DLLImport
    MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

    Version Infos

    DescriptionData
    Translation0x0409 0x04b0
    LegalCopyrightExpressVPN
    InternalNamefamiliegruppers
    FileVersion4.00
    CompanyNameExpressVPN
    LegalTrademarksExpressVPN
    CommentsExpressVPN
    ProductNameExpressVPN
    ProductVersion4.00
    FileDescriptionExpressVPN
    OriginalFilenamefamiliegruppers.exe

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    System Behavior

    Analysis Process: ZAM#U00d3WIENIE.exe PID: 6008 Parent PID: 5184

    General

    Start time:17:56:39
    Start date:13/10/2021
    Path:C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe
    Wow64 process (32bit):true
    Commandline:'C:\Users\user\Desktop\ZAM#U00d3WIENIE.exe'
    Imagebase:0x400000
    File size:98304 bytes
    MD5 hash:4805BFC9145D8AA3AC43D1CC29C451ED
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.772210295.00000000021D0000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis

    Reset < >