Loading ...

Play interactive tourEdit tour

Windows Analysis Report mU9H96igb3

Overview

General Information

Sample Name:mU9H96igb3 (renamed file extension from none to exe)
Analysis ID:502656
MD5:8777020a37b6797241a489a707b9784b
SHA1:a1ed1029b967295f9ce5e9d219f41dc6c7fc4d1a
SHA256:8a45d901cab57a1b65c32aea2452f56436dcf01c37bdf7875838e6054f395d90
Tags:32exetrojan
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • mU9H96igb3.exe (PID: 5184 cmdline: 'C:\Users\user\Desktop\mU9H96igb3.exe' MD5: 8777020A37B6797241A489A707B9784B)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://implantecapilarpereira.com/NetGen"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1193811530.0000000004BF0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.1193811530.0000000004BF0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "http://implantecapilarpereira.com/NetGen"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: mU9H96igb3.exeVirustotal: Detection: 32%Perma Link
    Source: mU9H96igb3.exeMetadefender: Detection: 25%Perma Link
    Source: mU9H96igb3.exeReversingLabs: Detection: 24%
    Machine Learning detection for sampleShow sources
    Source: mU9H96igb3.exeJoe Sandbox ML: detected
    Source: mU9H96igb3.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: http://implantecapilarpereira.com/NetGen

    System Summary:

    barindex
    Potential malicious icon foundShow sources
    Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: mU9H96igb3.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: mU9H96igb3.exe, 00000000.00000000.665404546.0000000000431000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePattes5.exe vs mU9H96igb3.exe
    Source: mU9H96igb3.exeBinary or memory string: OriginalFilenamePattes5.exe vs mU9H96igb3.exe
    Source: mU9H96igb3.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C0557A
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C1474A
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C000C6
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C0ECDD
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C100B4
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C0087E
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C0E400
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C07574
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04BF4AA2
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C11BCE
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C06BF6
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C04B8B
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C1130A
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C0557A NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\mU9H96igb3.exeProcess Stats: CPU usage > 98%
    Source: mU9H96igb3.exeVirustotal: Detection: 32%
    Source: mU9H96igb3.exeMetadefender: Detection: 25%
    Source: mU9H96igb3.exeReversingLabs: Detection: 24%
    Source: mU9H96igb3.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\mU9H96igb3.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\mU9H96igb3.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: classification engineClassification label: mal88.rans.troj.evad.winEXE@1/0@0/0

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.1193811530.0000000004BF0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_0041A474 push ebp; ret
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_0040E9CB push ecx; retf
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_004191F0 push ecx; ret
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_004131A3 push ecx; ret
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_004086CE push eax; retf
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_00411ACE push ecx; ret
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_004132DE push ecx; ret
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_0041729D push edx; retf
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_0040DAAA push ecx; ret
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_0040E6B3 push ecx; ret
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_00417AB9 push eax; ret
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_0040A750 push ss; retf
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_00411B06 push ecx; ret
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_00407B81 push esi; retf
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C14084 push FFFFFF94h; retf
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04BF1611 push esi; iretd
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04BF2A10 push FFFFFF94h; retf
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04BF465A push ebx; retf
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04BF67BC push es; ret
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C06BF6 push FFFFFF94h; retf
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04BF1327 push esi; iretd
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04BF1366 push esi; iretd
    Source: C:\Users\user\Desktop\mU9H96igb3.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    barindex
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\mU9H96igb3.exeRDTSC instruction interceptor: First address: 0000000004C0F8E2 second address: 0000000004C0F8E2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 3AB33088h 0x00000007 sub eax, 03336DF3h 0x0000000c xor eax, 78D04D3Fh 0x00000011 xor eax, 4FAF8FABh 0x00000016 cpuid 0x00000018 popad 0x00000019 jmp 00007FC97CF5E8D9h 0x0000001e cmp eax, edx 0x00000020 call 00007FC97CF5E7AAh 0x00000025 lfence 0x00000028 mov edx, 337D36F1h 0x0000002d xor edx, 66E5A0A3h 0x00000033 xor edx, 9D6B538Dh 0x00000039 xor edx, B70DC5CBh 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 jmp 00007FC97CF5E8DDh 0x00000049 test cl, bl 0x0000004b ret 0x0000004c sub edx, esi 0x0000004e ret 0x0000004f add edi, edx 0x00000051 dec dword ptr [ebp+000000F8h] 0x00000057 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000005e jne 00007FC97CF5E78Ch 0x00000060 call 00007FC97CF5E91Fh 0x00000065 call 00007FC97CF5E906h 0x0000006a lfence 0x0000006d mov edx, 337D36F1h 0x00000072 xor edx, 66E5A0A3h 0x00000078 xor edx, 9D6B538Dh 0x0000007e xor edx, B70DC5CBh 0x00000084 mov edx, dword ptr [edx] 0x00000086 lfence 0x00000089 jmp 00007FC97CF5E8DDh 0x0000008e test cl, bl 0x00000090 ret 0x00000091 mov esi, edx 0x00000093 pushad 0x00000094 rdtsc
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C0F8DA rdtsc

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\mU9H96igb3.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C0C054 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C0E990 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C046A0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C11BCE mov eax, dword ptr fs:[00000030h]
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C0F8DA rdtsc
    Source: C:\Users\user\Desktop\mU9H96igb3.exeCode function: 0_2_04C1474A RtlAddVectoredExceptionHandler,
    Source: mU9H96igb3.exe, 00000000.00000002.1192442091.0000000000DC0000.00000002.00020000.sdmpBinary or memory string: Program Manager
    Source: mU9H96igb3.exe, 00000000.00000002.1192442091.0000000000DC0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: mU9H96igb3.exe, 00000000.00000002.1192442091.0000000000DC0000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: mU9H96igb3.exe, 00000000.00000002.1192442091.0000000000DC0000.00000002.00020000.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery21Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery11Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    mU9H96igb3.exe33%VirustotalBrowse
    mU9H96igb3.exe26%MetadefenderBrowse
    mU9H96igb3.exe24%ReversingLabsWin32.Trojan.Mucc
    mU9H96igb3.exe100%Joe Sandbox ML

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    http://implantecapilarpereira.com/NetGen0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    http://implantecapilarpereira.com/NetGentrue
    • Avira URL Cloud: safe
    unknown

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:33.0.0 White Diamond
    Analysis ID:502656
    Start date:14.10.2021
    Start time:08:27:11
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 50s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:mU9H96igb3 (renamed file extension from none to exe)
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:1
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal88.rans.troj.evad.winEXE@1/0@0/0
    EGA Information:Failed
    HDC Information:
    • Successful, ratio: 24.7% (good quality ratio 7.7%)
    • Quality average: 19.5%
    • Quality standard deviation: 31.3%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    Show All
    • Excluded IPs from analysis (whitelisted): 13.107.4.50
    • Excluded domains from analysis (whitelisted): wu-shim.trafficmanager.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, b1ns.c-0001.c-msedge.net, b1ns.au-msedge.net

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):4.14906794472717
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:mU9H96igb3.exe
    File size:208896
    MD5:8777020a37b6797241a489a707b9784b
    SHA1:a1ed1029b967295f9ce5e9d219f41dc6c7fc4d1a
    SHA256:8a45d901cab57a1b65c32aea2452f56436dcf01c37bdf7875838e6054f395d90
    SHA512:0a9d13ca582dd72b4cdce8c91a5226aeb8c70ac7a73fa5f9775c6d03753bf7ec856371f55bf5f5e38f0a1d84e375c80916e5508f89d91e7100a82c4e544174d8
    SSDEEP:1536:tTEDegofhrRAnvzYFBWigYcgkOwijQkwY+EhBKDID:tQeZpR47YeigqVX+SK8
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L......R.....................P......|.............@........

    File Icon

    Icon Hash:20047c7c70f0e004

    Static PE Info

    General

    Entrypoint:0x40137c
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x52EAF782 [Fri Jan 31 01:08:18 2014 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:5daabd92eded5d2026efd3adb9b442c0

    Entrypoint Preview

    Instruction
    push 0040171Ch
    call 00007FC97CC9FA15h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    dec eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ebx+79h], cl
    adc eax, EE6C2F36h
    inc ecx
    mov bh, byte ptr [ecx-19h]
    and al, 3Dh
    pop eax
    xchg eax, edi
    push 00000000h
    add byte ptr [eax], al
    add dword ptr [eax], eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    nop
    stosb
    xlatb
    add cl, byte ptr [eax+69h]
    insb
    bound esi, dword ptr fs:[edx+61h]
    outsb
    jnc 00007FC97CC9FA8Fh
    imul esp, dword ptr [ebp+64h], 41070036h
    add ah, al
    stosb
    xlatb
    add al, byte ptr [eax]
    add byte ptr [eax], al
    add bh, bh
    int3
    xor dword ptr [eax], eax
    add al, 2Ch
    xor dword ptr [esi+20h], ebp
    fcom st(0), st(0)
    movsd
    inc esi
    mov byte ptr [esi-18h], dh
    dec ebp
    adc dword ptr [edx+esi*2], 3433C456h
    cmc
    mov esi, DC9142B1h
    inc esp
    mov edx, 960E1019h
    cmp cl, byte ptr [edi-53h]
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    test dword ptr [eax], 00510000h
    add byte ptr [eax], al
    add byte ptr [edi], al
    add byte ptr [edi+ecx*2+57h], dl
    dec ebp
    dec edi
    dec esi
    push esp
    add byte ptr [00000F01h], cl

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x2e0240x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x310000x2526.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2300x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000x10c.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x2d4840x2e000False0.23853069803data4.22024266439IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data0x2f0000x13ec0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x310000x25260x3000False0.168375651042data2.83539382363IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    CUSTOM0x32c680x8beMS Windows icon resource - 1 icon, 32x32EnglishUnited States
    CUSTOM0x323aa0x8beMS Windows icon resource - 1 icon, 32x32EnglishUnited States
    CUSTOM0x320ac0x2feMS Windows icon resource - 1 icon, 32x32, 4 colorsEnglishUnited States
    CUSTOM0x31dae0x2feMS Windows icon resource - 1 icon, 32x32, 4 colorsEnglishUnited States
    CUSTOM0x31ab00x2feMS Windows icon resource - 1 icon, 32x32, 4 colorsEnglishUnited States
    RT_ICON0x319800x130data
    RT_ICON0x316980x2e8data
    RT_ICON0x315700x128GLS_BINARY_LSB_FIRST
    RT_GROUP_ICON0x315400x30data
    RT_VERSION0x312600x2e0dataEnglishUnited States

    Imports

    DLLImport
    MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaVarIdiv, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaBoolStr, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

    Version Infos

    DescriptionData
    Translation0x0409 0x04b0
    LegalCopyrightSoftware Inc.
    InternalNamePattes5
    FileVersion1.00
    CompanyNameUnions Inc.
    LegalTrademarksUnions Software
    ProductNameUnions Inc.
    ProductVersion1.00
    FileDescriptionUnions Inc.
    OriginalFilenamePattes5.exe

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    System Behavior

    General

    Start time:08:28:08
    Start date:14/10/2021
    Path:C:\Users\user\Desktop\mU9H96igb3.exe
    Wow64 process (32bit):true
    Commandline:'C:\Users\user\Desktop\mU9H96igb3.exe'
    Imagebase:0x400000
    File size:208896 bytes
    MD5 hash:8777020A37B6797241A489A707B9784B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1193811530.0000000004BF0000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis

    Reset < >