Loading ...

Play interactive tourEdit tour

Windows Analysis Report n#U00ba410000512664.exe

Overview

General Information

Sample Name:n#U00ba410000512664.exe
Analysis ID:526313
MD5:7c91db57c98a1f0e38ba65ed651b4779
SHA1:28cb0d40a73c1a421a9720808d49da010f9ff4ef
SHA256:12992fe3f998693d92625c53bf5aa6723e87c8c3fb7057dbba4b334742cab376
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

Process Tree

  • System is w10x64
  • n#U00ba410000512664.exe (PID: 3232 cmdline: "C:\Users\user\Desktop\n#U00ba410000512664.exe" MD5: 7C91DB57C98A1F0E38BA65ED651B4779)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downlo_"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlo_"}
    Machine Learning detection for sampleShow sources
    Source: n#U00ba410000512664.exeJoe Sandbox ML: detected
    Source: n#U00ba410000512664.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=downlo_
    Source: n#U00ba410000512664.exeString found in binary or memory: http://topqualityfreeware.com
    Source: n#U00ba410000512664.exeString found in binary or memory: http://www.topqualityfreeware.com/
    Source: n#U00ba410000512664.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: n#U00ba410000512664.exe, 00000000.00000000.252485383.0000000000426000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameObumbration1.exe vs n#U00ba410000512664.exe
    Source: n#U00ba410000512664.exeBinary or memory string: OriginalFilenameObumbration1.exe vs n#U00ba410000512664.exe
    Source: n#U00ba410000512664.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: n#U00ba410000512664.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_004090A60_2_004090A6
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_02206B590_2_02206B59
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FE22D0_2_021FE22D
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F9E780_2_021F9E78
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F9AAB0_2_021F9AAB
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F92A80_2_021F92A8
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FAADB0_2_021FAADB
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FAED80_2_021FAED8
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_02204AF50_2_02204AF5
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F93140_2_021F9314
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F0B330_2_021F0B33
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FA3200_2_021FA320
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FA75D0_2_021FA75D
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FA3640_2_021FA364
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F9FAC0_2_021F9FAC
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F9BD30_2_021F9BD3
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F98360_2_021F9836
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FAC2E0_2_021FAC2E
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F98580_2_021F9858
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FB0440_2_021FB044
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FA8780_2_021FA878
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FD4B30_2_021FD4B3
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FA4CC0_2_021FA4CC
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FA0EF0_2_021FA0EF
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_02202D070_2_02202D07
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F99500_2_021F9950
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F9D500_2_021F9D50
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FAD6F0_2_021FAD6F
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FB1860_2_021FB186
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FA9B70_2_021FA9B7
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeFile created: C:\Users\user\AppData\Local\Temp\~DFE27628A3FBE5D858.TMPJump to behavior
    Source: n#U00ba410000512664.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: classification engineClassification label: mal68.troj.evad.winEXE@1/1@0/0

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_00404401 pushfd ; retf 0_2_0040441E
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_00403826 push es; ret 0_2_00403828
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_004044E5 pushfd ; retf 0_2_004044E6
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_00404584 pushfd ; retf 0_2_00404596
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_00404599 pushfd ; retf 0_2_004045AA
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_004051BE push dword ptr [esi]; iretd 0_2_004051C5
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_0040665D pushfd ; retf 0_2_0040665E
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_00404279 pushfd ; retf 0_2_0040427A
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_004062C1 pushfd ; retf 0_2_004062C2
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_004072E1 pushfd ; retf 0_2_0040730E
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_004096FC push eax; iretd 0_2_004096FF
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_00404349 pushfd ; retf 0_2_0040434A
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_00404335 pushfd ; retf 0_2_00404346
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_0040633D pushfd ; retf 0_2_0040634A
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_004067DE pushfd ; retf 0_2_004067E6
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_0040A784 push 18165C0Eh; iretd 0_2_0040A789
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F423B push 81528D88h; ret 0_2_021F4240
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F2644 push ss; retf 0_2_021F2645
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F6E73 push E8000002h; retf 0_2_021F6E78
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F5ECB push edi; ret 0_2_021F5EC2
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F0EF4 push eax; retf 0_2_021F0F07
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F5C22 push edi; ret 0_2_021F5EC2
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F1447 push ds; ret 0_2_021F1449
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F48A7 pushfd ; ret 0_2_021F4A0D
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F491D pushfd ; ret 0_2_021F4A0D
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F191A push ebx; retf 0_2_021F1920
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F4924 pushfd ; ret 0_2_021F4A0D
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F5DDC push edi; ret 0_2_021F5EC2
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F5DC1 push edi; ret 0_2_021F5EC2
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FCAA8 rdtsc 0_2_021FCAA8

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FC664 mov eax, dword ptr fs:[00000030h]0_2_021FC664
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_022032C9 mov eax, dword ptr fs:[00000030h]0_2_022032C9
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021F8730 mov eax, dword ptr fs:[00000030h]0_2_021F8730
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_0220286B mov eax, dword ptr fs:[00000030h]0_2_0220286B
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_021FCAA8 rdtsc 0_2_021FCAA8
    Source: C:\Users\user\Desktop\n#U00ba410000512664.exeCode function: 0_2_02206B59 RtlAddVectoredExceptionHandler,0_2_02206B59
    Source: n#U00ba410000512664.exe, 00000000.00000002.781493325.0000000000C70000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: n#U00ba410000512664.exe, 00000000.00000002.781493325.0000000000C70000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: n#U00ba410000512664.exe, 00000000.00000002.781493325.0000000000C70000.00000002.00020000.sdmpBinary or memory string: SProgram Managerl
    Source: n#U00ba410000512664.exe, 00000000.00000002.781493325.0000000000C70000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd,
    Source: n#U00ba410000512664.exe, 00000000.00000002.781493325.0000000000C70000.00000002.00020000.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery11Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.