Windows Analysis Report Arrival Notice, CIA Awb Inv Form.pdf.exe

Overview

General Information

Sample Name: Arrival Notice, CIA Awb Inv Form.pdf.exe
Analysis ID: 527894
MD5: ff71941571d8930c1125b3931d400d86
SHA1: 0a417bf568a5978777021e433bf4693893facd3e
SHA256: bf952f1cd44de7bf63c63e502670d3a6a97eca1b5f7fd9981ed0d235351e975f
Tags: exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses an obfuscated file name to hide its real file extension (double extension)
Machine Learning detection for sample
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Program does not show much activity (idle)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000001.00000002.589123852.0000000004BB0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=16igyruBe"}
Multi AV Scanner detection for submitted file
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Virustotal: Detection: 37% Perma Link
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe ReversingLabs: Detection: 31%
Machine Learning detection for sample
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=16igyruBe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe String found in binary or memory: http://s.symcd.com06
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe String found in binary or memory: https://d.symcb.com/rpa0.

System Summary:

barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: initial sample Static PE information: Filename: Arrival Notice, CIA Awb Inv Form.pdf.exe
Executable has a suspicious name (potential lure to open the executable)
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Static file information: Suspicious name
Uses 32bit PE files
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Sample file is different than original file name gathered from version info
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000000.250570072.000000000042C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBEGRLIGHED.exe vs Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Binary or memory string: OriginalFilenameBEGRLIGHED.exe vs Arrival Notice, CIA Awb Inv Form.pdf.exe
PE file contains strange resources
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_0040430D 1_2_0040430D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_04BC15AA 1_2_04BC15AA
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_04BBFFF2 1_2_04BBFFF2
PE / OLE file has an invalid certificate
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Static PE information: invalid certificate
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Virustotal: Detection: 37%
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe ReversingLabs: Detection: 31%
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe File created: C:\Users\user~1\AppData\Local\Temp\~DF09CCCFC54315C8A8.TMP Jump to behavior
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.589123852.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_00403EA8 push es; ret 1_2_00403EB7
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_00406105 pushfd ; ret 1_2_00406106
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_004057C0 push esp; ret 1_2_004057C1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_04BB3C50 pushad ; retf 1_2_04BB3C51
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_04BB593E push di; ret 1_2_04BB5969
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_04BB590E push di; ret 1_2_04BB5969
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_04BB5372 pushfd ; ret 1_2_04BB5379
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_04BB255E push edx; retf 1_2_04BB255F

Hooking and other Techniques for Hiding and Protection:

barindex
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

barindex
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_04BBF8FD mov eax, dword ptr fs:[00000030h] 1_2_04BBF8FD
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_04BC0232 mov eax, dword ptr fs:[00000030h] 1_2_04BC0232
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Code function: 1_2_04BBC602 mov eax, dword ptr fs:[00000030h] 1_2_04BBC602
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.523260487.0000000000C90000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.523260487.0000000000C90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.523260487.0000000000C90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.523260487.0000000000C90000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe Queries volume information: C:\ VolumeInformation Jump to behavior
No contacted IP infos