Loading ...

Play interactive tourEdit tour

Windows Analysis Report Doc0011222003.exe

Overview

General Information

Sample Name:Doc0011222003.exe
Analysis ID:527215
MD5:e70022c5636db76b71c8b2c56552c60c
SHA1:4589b37f02bb95d26bb2ba369c46c99268ce2985
SHA256:0226b26f82ea7ab25ad85a4cfda530f7b28f91b1d57f8ca0361b7b03e8ce59bb
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • Doc0011222003.exe (PID: 5604 cmdline: "C:\Users\user\Desktop\Doc0011222003.exe" MD5: E70022C5636DB76B71C8B2C56552C60C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.826048690.00000000004F0000.00000040.00000010.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results
    Source: Doc0011222003.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Doc0011222003.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Doc0011222003.exe, 00000000.00000002.826786525.0000000002A70000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameChalybes.exeFE2X vs Doc0011222003.exe
    Source: Doc0011222003.exe, 00000000.00000002.826786525.0000000002A70000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameChalybes.exeFE2XZ vs Doc0011222003.exe
    Source: Doc0011222003.exe, 00000000.00000002.826786525.0000000002A70000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameChalybes.exeFE2X3 vs Doc0011222003.exe
    Source: Doc0011222003.exe, 00000000.00000002.826786525.0000000002A70000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameChalybes.exeFE2X_ vs Doc0011222003.exe
    Source: Doc0011222003.exe, 00000000.00000002.826786525.0000000002A70000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameChalybes.exeFE2X0 vs Doc0011222003.exe
    Source: Doc0011222003.exe, 00000000.00000002.826040028.0000000000414000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameChalybes.exe vs Doc0011222003.exe
    Source: Doc0011222003.exeBinary or memory string: OriginalFilenameChalybes.exe vs Doc0011222003.exe
    Source: Doc0011222003.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: Doc0011222003.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\Doc0011222003.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\Doc0011222003.exeFile created: C:\Users\user\AppData\Local\Temp\~DFC89CDF2998EDD482.TMPJump to behavior
    Source: Doc0011222003.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Doc0011222003.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\Doc0011222003.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: classification engineClassification label: mal56.troj.evad.winEXE@1/1@0/0

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.826048690.00000000004F0000.00000040.00000010.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\Doc0011222003.exeCode function: 0_2_00405840 push ds; ret
    Source: C:\Users\user\Desktop\Doc0011222003.exeCode function: 0_2_00409069 push edx; ret
    Source: C:\Users\user\Desktop\Doc0011222003.exeCode function: 0_2_0040415D push edx; retf
    Source: C:\Users\user\Desktop\Doc0011222003.exeCode function: 0_2_00405EB0 push cs; iretd
    Source: C:\Users\user\Desktop\Doc0011222003.exeCode function: 0_2_00403B17 push ebx; ret
    Source: initial sampleStatic PE information: section name: .text entropy: 7.08459440381
    Source: C:\Users\user\Desktop\Doc0011222003.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Doc0011222003.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Doc0011222003.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    barindex
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\Doc0011222003.exeRDTSC instruction interceptor: First address: 00000000004F58CE second address: 00000000004F58CE instructions: 0x00000000 rdtsc 0x00000002 mov eax, F54B2F39h 0x00000007 sub eax, C70568A7h 0x0000000c add eax, FDF4D585h 0x00000011 add eax, D3C563EAh 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FA278D8C42Ah 0x0000001e lfence 0x00000021 mov edx, 605E9392h 0x00000026 xor edx, 1C4651DFh 0x0000002c xor edx, 7D6CD128h 0x00000032 xor edx, 7E8A1371h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+00000247h], edi 0x0000004b mov edi, 063AD405h 0x00000050 add edi, 3BA48952h 0x00000056 xor edi, 5E34CBEDh 0x0000005c sub edi, 1FEB96BAh 0x00000062 test ah, dh 0x00000064 cmp ecx, edi 0x00000066 mov edi, dword ptr [ebp+00000247h] 0x0000006c jne 00007FA278D8C3E1h 0x0000006e mov dword ptr [ebp+000001EFh], ebx 0x00000074 mov ebx, ecx 0x00000076 push ebx 0x00000077 mov ebx, dword ptr [ebp+000001EFh] 0x0000007d call 00007FA278D8C4BCh 0x00000082 call 00007FA278D8C44Bh 0x00000087 lfence 0x0000008a mov edx, 605E9392h 0x0000008f xor edx, 1C4651DFh 0x00000095 xor edx, 7D6CD128h 0x0000009b xor edx, 7E8A1371h 0x000000a1 mov edx, dword ptr [edx] 0x000000a3 lfence 0x000000a6 ret 0x000000a7 mov esi, edx 0x000000a9 pushad 0x000000aa rdtsc
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\Doc0011222003.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: Doc0011222003.exe, 00000000.00000002.826410137.0000000000D90000.00000002.00020000.sdmpBinary or memory string: Program Manager
    Source: Doc0011222003.exe, 00000000.00000002.826410137.0000000000D90000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: Doc0011222003.exe, 00000000.00000002.826410137.0000000000D90000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: Doc0011222003.exe, 00000000.00000002.826410137.0000000000D90000.00000002.00020000.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery2Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsSoftware Packing1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSSystem Information Discovery11Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:527215
    Start date:23.11.2021
    Start time:14:27:15
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 49s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:Doc0011222003.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:17
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal56.troj.evad.winEXE@1/1@0/0
    EGA Information:Failed
    HDC Information:
    • Successful, ratio: 33.7% (good quality ratio 13%)
    • Quality average: 16.9%
    • Quality standard deviation: 24.4%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    Show All
    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
    • Not all processes where analyzed, report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\~DFC89CDF2998EDD482.TMP
    Process:C:\Users\user\Desktop\Doc0011222003.exe
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):16384
    Entropy (8bit):1.3424693381122756
    Encrypted:false
    SSDEEP:48:rMereSiNgxcqYmOCA3OgUTZzR+MYVAJf3L:onTFCSBUTZzgMYVA
    MD5:8BE47FF78C4F694E6577D8CB72B022C9
    SHA1:A32191D769A55B59B38A93EBEA848166EA27F0D6
    SHA-256:A1005C0FAF60AA8C70AD16C4369E6D3FA2357687BC10EE55656363B01DDD633E
    SHA-512:D19109A2AB8141E8A7AF066204652CEE0938A10B45E46B929C825B4844323FB6D184F1BA90D8007ADEAC0CE31F84F25B482153DEA1BEA881E7B5ABE43545A2A3
    Malicious:false
    Reputation:low
    Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.527320740089958
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:Doc0011222003.exe
    File size:81920
    MD5:e70022c5636db76b71c8b2c56552c60c
    SHA1:4589b37f02bb95d26bb2ba369c46c99268ce2985
    SHA256:0226b26f82ea7ab25ad85a4cfda530f7b28f91b1d57f8ca0361b7b03e8ce59bb
    SHA512:d9d16ded54f7424145aba6f423b82ab4c010cc1ee67acb152a1d79b61f23fedc9250dd482b78e3c84ac4b82cdc9283099a06ee5a2d5d14d34e78734f60dd7f61
    SSDEEP:1536:tGs2yzOSOXbgSXZXMyETdwDgL/UQdz+mehpITwHM/kho:tGOzvOXbgSXZXA2Dk/UQHehiTMM8o
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L....e.L.....................0............... ....@........

    File Icon

    Icon Hash:78ecccecccceec70

    Static PE Info

    General

    Entrypoint:0x4013cc
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x4CDA65A9 [Wed Nov 10 09:28:09 2010 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:37fe5edb896809a8dcea667d1a5d3341

    Entrypoint Preview

    Instruction
    push 004021D4h
    call 00007FA27857A0F3h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    dec eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add al, bl
    jc 00007FA27857A149h
    dec esp
    in eax, 35h
    inc edx
    inc edi
    cmpsd
    xchg byte ptr [ecx-66h], ch
    adc eax, 00D1123Eh
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx], al
    add byte ptr [eax], al
    add byte ptr [ebx+20h], dh
    dec ecx
    outsb
    je 00007FA27857A167h
    dec esi
    outsd
    outsb
    popad
    jne 00007FA27857A176h
    push 7469726Fh
    popad
    je 00007FA27857A16Bh
    jbe 00007FA27857A167h
    add byte ptr [eax], ah
    inc ecx
    jnc 00007FA27857A122h
    dec ecx
    outsb
    je 00007FA27857A102h
    add byte ptr [eax], al
    add bh, bh
    int3
    xor dword ptr [eax], eax
    or dword ptr [eax], esp
    arpl word ptr [ebp+43h], ax
    dec edi
    cmc
    cdq
    dec edi
    xchg eax, ecx
    jo 00007FA27857A16Eh
    add eax, BD8CFE91h
    out dx, al
    pop ecx
    dec ebp
    salc
    jmp 00007FA237355B46h
    cmc
    xchg eax, esp
    inc ebx
    movsd
    fstcw word ptr [edx]
    dec edi
    lodsd
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    int3
    or eax, dword ptr [eax]
    add byte ptr [esi+0Ah], cl
    add byte ptr [eax], al
    add byte ptr [ecx], cl
    add byte ptr [ecx+ebp*2+76h], al
    imul esp, dword ptr [ecx+62h], 0D00656Ch

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x116840x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x140000xe08.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2300x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000x140.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x10bb40x11000False0.628547219669data7.08459440381IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data0x120000x14280x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x140000xe080x1000False0.452880859375data4.20020036066IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    RT_ICON0x1483e0x568GLS_BINARY_LSB_FIRST
    RT_ICON0x143d60x468GLS_BINARY_LSB_FIRST
    RT_STRING0x14da60x62dataEnglishUnited States
    RT_GROUP_ICON0x143b40x22data
    RT_VERSION0x141600x254dataEnglishUnited States

    Imports

    DLLImport
    MSVBVM60.DLL__vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, __vbaVarLateMemSt, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarAdd, __vbaInStrB, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    DescriptionData
    Translation0x0409 0x04b0
    InternalNameChalybes
    FileVersion6.00
    CompanyNameSillyCame
    ProductNameSillyCame
    ProductVersion6.00
    FileDescriptionSillyCame
    OriginalFilenameChalybes.exe

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    System Behavior

    General

    Start time:14:29:09
    Start date:23/11/2021
    Path:C:\Users\user\Desktop\Doc0011222003.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\Doc0011222003.exe"
    Imagebase:0x400000
    File size:81920 bytes
    MD5 hash:E70022C5636DB76B71C8B2C56552C60C
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.826048690.00000000004F0000.00000040.00000010.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis

    Reset < >