Loading ...

Play interactive tourEdit tour

Windows Analysis Report Arrival Notice, CIA Awb Inv Form.pdf.exe

Overview

General Information

Sample Name:Arrival Notice, CIA Awb Inv Form.pdf.exe
Analysis ID:527894
MD5:ff71941571d8930c1125b3931d400d86
SHA1:0a417bf568a5978777021e433bf4693893facd3e
SHA256:bf952f1cd44de7bf63c63e502670d3a6a97eca1b5f7fd9981ed0d235351e975f
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses an obfuscated file name to hide its real file extension (double extension)
Machine Learning detection for sample
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Program does not show much activity (idle)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=16igyruBe"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.589123852.0000000004BB0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000001.00000002.589123852.0000000004BB0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=16igyruBe"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeVirustotal: Detection: 37%Perma Link
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeReversingLabs: Detection: 31%
    Machine Learning detection for sampleShow sources
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeJoe Sandbox ML: detected
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=16igyruBe
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeString found in binary or memory: http://s.symcb.com/universal-root.crl0
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeString found in binary or memory: http://s.symcd.com06
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeString found in binary or memory: https://d.symcb.com/cps0%
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeString found in binary or memory: https://d.symcb.com/rpa0
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeString found in binary or memory: https://d.symcb.com/rpa0.

    System Summary:

    barindex
    Initial sample is a PE file and has a suspicious nameShow sources
    Source: initial sampleStatic PE information: Filename: Arrival Notice, CIA Awb Inv Form.pdf.exe
    Source: initial sampleStatic PE information: Filename: Arrival Notice, CIA Awb Inv Form.pdf.exe
    Executable has a suspicious name (potential lure to open the executable)Show sources
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeStatic file information: Suspicious name
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000000.250570072.000000000042C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameBEGRLIGHED.exe vs Arrival Notice, CIA Awb Inv Form.pdf.exe
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeBinary or memory string: OriginalFilenameBEGRLIGHED.exe vs Arrival Notice, CIA Awb Inv Form.pdf.exe
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeCode function: 1_2_0040430D1_2_0040430D
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeCode function: 1_2_04BC15AA1_2_04BC15AA
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeCode function: 1_2_04BBFFF21_2_04BBFFF2
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeStatic PE information: invalid certificate
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeVirustotal: Detection: 37%
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeReversingLabs: Detection: 31%
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeFile created: C:\Users\user~1\AppData\Local\Temp\~DF09CCCFC54315C8A8.TMPJump to behavior
    Source: classification engineClassification label: mal84.troj.evad.winEXE@1/1@0/0

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000001.00000002.589123852.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeCode function: 1_2_00403EA8 push es; ret 1_2_00403EB7
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeCode function: 1_2_00406105 pushfd ; ret 1_2_00406106
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeCode function: 1_2_004057C0 push esp; ret 1_2_004057C1
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeCode function: 1_2_04BB3C50 pushad ; retf 1_2_04BB3C51
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeCode function: 1_2_04BB593E push di; ret 1_2_04BB5969
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeCode function: 1_2_04BB590E push di; ret 1_2_04BB5969
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeCode function: 1_2_04BB5372 pushfd ; ret 1_2_04BB5379
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeCode function: 1_2_04BB255E push edx; retf 1_2_04BB255F

    Hooking and other Techniques for Hiding and Protection:

    barindex
    Uses an obfuscated file name to hide its real file extension (double extension)Show sources
    Source: Possible double extension: pdf.exeStatic PE information: Arrival Notice, CIA Awb Inv Form.pdf.exe
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeCode function: 1_2_04BBF8FD mov eax, dword ptr fs:[00000030h]1_2_04BBF8FD
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeCode function: 1_2_04BC0232 mov eax, dword ptr fs:[00000030h]1_2_04BC0232
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeCode function: 1_2_04BBC602 mov eax, dword ptr fs:[00000030h]1_2_04BBC602
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.523260487.0000000000C90000.00000002.00020000.sdmpBinary or memory string: uProgram Manager
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.523260487.0000000000C90000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.523260487.0000000000C90000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.523260487.0000000000C90000.00000002.00020000.sdmpBinary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exeQueries volume information: C:\ VolumeInformationJump to behavior

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Masquerading1OS Credential DumpingProcess Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemorySystem Information Discovery11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information11Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.