Loading ...

Play interactive tourEdit tour

Windows Analysis Report FACTURAS.exe

Overview

General Information

Sample Name:FACTURAS.exe
Analysis ID:527918
MD5:ab63f9ba38d9eb4f8bd57ae56a844a31
SHA1:bf1c2a15553f893ff180a307dcb5805c6e440158
SHA256:5d14499fc44a623454a0518972ba97be883b0394f16f08b4265e46ff12ebfeb3
Tags:exeguloader
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

Process Tree

  • System is w10x64
  • FACTURAS.exe (PID: 6568 cmdline: "C:\Users\user\Desktop\FACTURAS.exe" MD5: AB63F9BA38D9EB4F8BD57AE56A844A31)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id="}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id="}
    Multi AV Scanner detection for submitted fileShow sources
    Source: FACTURAS.exeReversingLabs: Detection: 15%
    Source: FACTURAS.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=
    Source: FACTURAS.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020DDD75 NtAllocateVirtualMemory,
    Source: FACTURAS.exe, 00000000.00000000.294184122.0000000000421000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameGILDER.exe vs FACTURAS.exe
    Source: FACTURAS.exeBinary or memory string: OriginalFilenameGILDER.exe vs FACTURAS.exe
    Source: C:\Users\user\Desktop\FACTURAS.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_004036BD
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_00401538
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_00401774
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_00401727
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020E6E65
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020DDD75
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020D924D
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020D924F
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020D9331
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020E5138
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020D9691
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020DD7F6
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020D94E5
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020D95CD
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020E45C5
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020E3A47
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020DCFA2
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020E4CA7
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020E4DD5
    Source: FACTURAS.exeReversingLabs: Detection: 15%
    Source: C:\Users\user\Desktop\FACTURAS.exeFile created: C:\Users\user\AppData\Local\Temp\~DF26AA5308F7227456.TMPJump to behavior
    Source: FACTURAS.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\FACTURAS.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\FACTURAS.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: classification engineClassification label: mal72.troj.evad.winEXE@1/1@0/0

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_004013B4 push FFFFFFCDh; iretd
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0040204F push FFFFFFCDh; iretd
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_004111C3 push ebp; ret
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_004051D5 push 0340104Fh; iretd
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_00403A4A push esi; retf
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_00402B0E push FFFFFFCDh; iretd
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_00404C1F push eax; ret
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0040BCD6 push 3CF881B8h; ret
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_00413574 push 00000039h; iretd
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0040A61E push D9EC50BBh; retf
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0040A739 push cs; iretd
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020DE3B0 pushad ; retf
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020D17FB push cs; ret
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020D4AE0 push ebp; retf
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020D5860 push esp; retn 0004h
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020D0E32 pushfd ; iretd
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020D5F76 push eax; iretd
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020D5FC1 push eax; iretd
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020D4C41 push ebp; ret
    Source: C:\Users\user\Desktop\FACTURAS.exeProcess information set: NOOPENFILEERRORBOX
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0041724F rdtsc

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\FACTURAS.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020E5138 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020E3589 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020D8A51 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020DC9F2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020E2C97 mov eax, dword ptr fs:[00000030h]
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0041724F rdtsc
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_020E6E65 RtlAddVectoredExceptionHandler,
    Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmpBinary or memory string: Program Manager
    Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery11Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    FACTURAS.exe16%ReversingLabsWin32.Downloader.GuLoader

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:527918
    Start date:24.11.2021
    Start time:15:29:30
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 41s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:FACTURAS.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:16
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal72.troj.evad.winEXE@1/1@0/0
    EGA Information:Failed
    HDC Information:
    • Successful, ratio: 2.3% (good quality ratio 1.4%)
    • Quality average: 30.1%
    • Quality standard deviation: 28.4%
    HCA Information:
    • Successful, ratio: 53%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
    • Not all processes where analyzed, report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\~DF26AA5308F7227456.TMP
    Process:C:\Users\user\Desktop\FACTURAS.exe
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):16384
    Entropy (8bit):0.9277305547216628
    Encrypted:false
    SSDEEP:48:rJSq2Upu8metqPrIXHimU7zdvP1vncU7pCr8P:VSKUpACLFcUVCrG
    MD5:19809EDD1FF00A1D7C105BC58A97CD02
    SHA1:26FB6D339CF2A7474DE6F785166163FA9B2ADBB1
    SHA-256:4745D04A4BB99D70866D722394D9E71F3FAE597AA84E229A1E3B40F31521594C
    SHA-512:434722936006B56B042FB5C72CAB98D8B7615A5A0E48EE6746DD6839BE029029E3BCECF7EFA49DDC8A9DB016FA472FB9EE1CE75126C13E06D66EAA12166A38F7
    Malicious:false
    Reputation:low
    Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):4.736694563648511
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:FACTURAS.exe
    File size:135168
    MD5:ab63f9ba38d9eb4f8bd57ae56a844a31
    SHA1:bf1c2a15553f893ff180a307dcb5805c6e440158
    SHA256:5d14499fc44a623454a0518972ba97be883b0394f16f08b4265e46ff12ebfeb3
    SHA512:a8a0d1040432cffc40aaaee619a28703c731b9f3c809db6d915521424a3b4394f3ed46c37c9d7cdd2903d2c8aa33cb9ce87b50acc79de30aa4fbc80b6b264f36
    SSDEEP:1536:t7Do180f9y+zVLdUAcAyB/BMsZWU1/7nYp4r1O/pejim0SD:t7gZz7RcAy/Vkm7nYCr1Omim0S
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L...#..K.....................0....................@........

    File Icon

    Icon Hash:981dca909cee36b0

    Static PE Info

    General

    Entrypoint:0x4013b4
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x4BCC8F23 [Mon Apr 19 17:13:07 2010 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:d77040f4614bccfda7b8aa2e04863738

    Entrypoint Preview

    Instruction
    push 00401FD0h
    call 00007F4684F9E265h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    cmp byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    push ecx
    sahf
    cmp ebx, esp
    sub dword ptr [ecx+69h], ecx
    inc esp
    sahf
    fild qword ptr [ebx-74h]
    jnp 00007F4684F9E2A9h
    in eax, 54h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add dword ptr [eax], eax
    add byte ptr [eax], al
    inc ecx
    add al, dh
    pop es
    inc ecx
    add byte ptr [ecx+ebp*2+6Ch], dl
    insb
    jns 00007F4684F9E2E5h
    xor dword ptr [eax], eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    dec esp
    xor dword ptr [eax], eax
    add eax, E27047BEh
    sbb eax, ebx
    push cs
    inc esp
    xchg eax, esp
    push FFFFFFCDh
    iretd
    dec ecx
    mov dl, FEh
    imul eax, dword ptr [esi-081F81EBh], 3Dh
    adc cl, byte ptr [esi-62h]
    ror byte ptr [ebx], 1
    xor eax, FD7A371Dh
    cmp cl, byte ptr [edi-53h]
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    clc
    or dword ptr [eax], eax
    add byte ptr [ebx], bl
    or dword ptr [eax], eax
    add byte ptr [eax], al
    or al, byte ptr [eax]
    push ebx
    popad
    insd
    popad
    jc 00007F4684F9E2DBh
    jne 00007F4684F9E2DFh
    jnc 00007F4684F9E2A5h
    add byte ptr [4F000D01h], cl
    jc 00007F4684F9E2D6h
    outsb
    jnc 00007F4684F9E2DDh
    popad
    jo 00007F4684F9E2DBh
    je 00007F4684F9E2D7h

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x1dc040x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x210000xf40.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2300x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000x11c.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x1d10c0x1e000False0.344938151042data4.91647345609IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data0x1f0000x141c0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x210000xf400x1000False0.337158203125data3.27489444604IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    CUSTOM0x21e020x13eMS Windows icon resource - 1 icon, 16x16, 16 colorsEnglishUnited States
    CUSTOM0x21cc40x13eMS Windows icon resource - 1 icon, 16x16, 16 colorsEnglishUnited States
    RT_ICON0x2141c0x8a8data
    RT_GROUP_ICON0x214080x14data
    RT_VERSION0x211700x298dataTurkmenTurkmenistan

    Imports

    DLLImport
    MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, __vbaVarIdiv, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaRecDestruct, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaInStr, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, __vbaRecDestructAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    DescriptionData
    Translation0x0442 0x04b0
    LegalCopyrightLips
    InternalNameGILDER
    FileVersion1.00
    CompanyNameLips
    LegalTrademarksLips
    ProductNameLips
    ProductVersion1.00
    FileDescriptionLips
    OriginalFilenameGILDER.exe

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States
    TurkmenTurkmenistan

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    System Behavior

    General

    Start time:15:30:30
    Start date:24/11/2021
    Path:C:\Users\user\Desktop\FACTURAS.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\FACTURAS.exe"
    Imagebase:0x400000
    File size:135168 bytes
    MD5 hash:AB63F9BA38D9EB4F8BD57AE56A844A31
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis

    Reset < >