Windows Analysis Report justificante de la transfer.exe

Overview

General Information

Sample Name: justificante de la transfer.exe
Analysis ID: 526293
MD5: e565201ac69a8a2fa7ee22e0809f7b3c
SHA1: fed196aeff9aca57c198b0b99a9c9bc6e01d31b9
SHA256: b6fad861abae70b69d7f0ef4e51756b181149e165ada09aee47e3d2bd5f9a0c6
Tags: exe

Detection

GuLoader
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?exporto"}

Yara Overview

Memory Dumps

Source: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
Strings: (none listed)

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview


    AV Detection:

    Found malware configuration
    Source: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?exporto"}
    Source: justificante de la transfer.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor | URLs: https://drive.google.com/uc?exporto
    Source: justificante de la transfer.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: justificante de la transfer.exe, 00000000.00000000.345440290.0000000000445000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCappuccino.exe vs justificante de la transfer.exe
    Source: justificante de la transfer.exe | Binary or memory string: OriginalFilenameCappuccino.exe vs justificante de la transfer.exe
    Source: justificante de la transfer.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_0228BB0F
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_0228776F
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02285A00
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02287814
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02280463
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02285E50
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02286051
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02285854
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_0228628D
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02285CEC
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_022870C5
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_022870C7
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02285AD9
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_022856D3
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02285F26
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_0228AB72
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02286149
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_022863AA
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02285989
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_0228059C
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_0228579C
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_0228779F
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02285BE5
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_0228A9F1
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02289BC7
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_0228776F NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02287814 NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_022878F8 NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_0228779F NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Process Stats: CPU usage > 98%
    Source: justificante de la transfer.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | File created: C:\Users\user\AppData\Local\Temp\~DFEB935E0BE46A145A.TMP
    Source: classification engine | Classification label: mal64.troj.evad.winEXE@1/1@0/0

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match | File source: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_00406467 push esi; iretd 0_2_00406468
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_00404E11 push eax; ret 0_2_00404E19
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_00403CFC push cs; retf 0_2_00403D26
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_004045D2 push cs; iretd 0_2_004045ED
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_00404B97 push eax; retf 0_2_00404B99
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_00404DB7 push cs; retf 0_2_00404DBB
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02287E7E push esi; retf 0_2_02287E86
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_022806B9 push eax; iretd 0_2_022806D8
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02282CEB push es; ret 0_2_02282CF0
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_022820E0 push edi; ret 0_2_02282106
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02280FDB push 83025563h; ret 0_2_02280FF1
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_022835DB push eax; ret 0_2_022835DC
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Window / User API: threadDelayed 6236
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Window / User API: threadDelayed 3764
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_0228707C rdtsc

    Anti Debugging:

    Found potential dummy code loops (likely to delay analysis)
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Process Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02286EA3 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_02289E9A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_0228AB72 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_0228994C mov eax, dword ptr fs:[00000030h]
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_0228707C rdtsc
    Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_0228BB0F RtlAddVectoredExceptionHandler
    Source: justificante de la transfer.exe, 00000000.00000002.870177230.0000000000C50000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
    Source: justificante de la transfer.exe, 00000000.00000002.870177230.0000000000C50000.00000002.00020000.sdmp | Binary or memory string: Progman
    Source: justificante de la transfer.exe, 00000000.00000002.870177230.0000000000C50000.00000002.00020000.sdmp | Binary or memory string: &Program Manager
    Source: justificante de la transfer.exe, 00000000.00000002.870177230.0000000000C50000.00000002.00020000.sdmp | Binary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Techniques listed per tactic column; a number in parentheses is the matched-signature count shown in the matrix for that technique.

    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
    Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows), Cron
    Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
    Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
    Defense Evasion: Virtualization/Sandbox Evasion (11), Process Injection (1), Obfuscated Files or Information (1), Binary Padding, Software Packing
    Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
    Discovery: Security Software Discovery (11), Virtualization/Sandbox Evasion (11), Process Discovery (1), Application Window Discovery (1), System Information Discovery (1)
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
    Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
    Command and Control: Encrypted Channel (1), Application Layer Protocol (1), Steganography, Protocol Impersonation, Fallback Channels
    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings
    Impact: Modify System Partition, Device Lockout, Delete Device Data

    Behavior Graph


    Screenshots
