Loading ...

Play interactive tourEdit tour

Windows Analysis Report Zr26f1rL6r.danger

Overview

General Information

Sample Name:Zr26f1rL6r.danger (renamed file extension from danger to exe)
Analysis ID:528518
MD5:812181df251e06433bf2f4f6a0c0f0f4
SHA1:aa38a567ee48483d98966622fd320c791bc45871
SHA256:4d6c910a379d00f329e55ad98a7817de0370695566443a74a9a02c85d2463a9d
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • Zr26f1rL6r.exe (PID: 7096 cmdline: "C:\Users\user\Desktop\Zr26f1rL6r.exe" MD5: 812181DF251E06433BF2F4F6A0C0F0F4)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://atseasonals.com/GHrtt/bin_k"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.804770184.0000000002A60000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000001.00000002.804770184.0000000002A60000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://atseasonals.com/GHrtt/bin_k"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: Zr26f1rL6r.exeVirustotal: Detection: 40%Perma Link
    Source: Zr26f1rL6r.exeReversingLabs: Detection: 20%
    Source: Zr26f1rL6r.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://atseasonals.com/GHrtt/bin_k
    Source: Zr26f1rL6r.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: Zr26f1rL6r.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: Zr26f1rL6r.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: Zr26f1rL6r.exeString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: Zr26f1rL6r.exeString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: Zr26f1rL6r.exeString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: Zr26f1rL6r.exeString found in binary or memory: http://ocsp.digicert.com0C
    Source: Zr26f1rL6r.exeString found in binary or memory: http://ocsp.digicert.com0O
    Source: Zr26f1rL6r.exeString found in binary or memory: http://www.digicert.com/CPS0
    Source: Zr26f1rL6r.exeString found in binary or memory: https://www.digicert.com/CPS0
    Source: Zr26f1rL6r.exe, 00000001.00000002.804004031.000000000071A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: Zr26f1rL6r.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Zr26f1rL6r.exe, 00000001.00000000.279454201.0000000000422000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameUNDERWR.exe vs Zr26f1rL6r.exe
    Source: Zr26f1rL6r.exeBinary or memory string: OriginalFilenameUNDERWR.exe vs Zr26f1rL6r.exe
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_00401772
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_00401725
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_00401536
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A6523E
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A65814
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A6FFED
    Source: Zr26f1rL6r.exeStatic PE information: invalid certificate
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeProcess Stats: CPU usage > 98%
    Source: Zr26f1rL6r.exeVirustotal: Detection: 40%
    Source: Zr26f1rL6r.exeReversingLabs: Detection: 20%
    Source: Zr26f1rL6r.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeFile created: C:\Users\user\AppData\Local\Temp\~DFD789DA64D34966AA.TMPJump to behavior
    Source: classification engineClassification label: mal76.troj.evad.winEXE@1/1@0/0

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000001.00000002.804770184.0000000002A60000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_004093B3 push ebx; ret
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A62286 push esi; retf
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A638B3 push 4674B5B4h; retf
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A6388E push 4674B5B4h; retf
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A660C4 pushfd ; iretd
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A638CA push 4674B5B4h; retf
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A658DF pushfd ; retf
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A63800 push 4674B5B4h; retf
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A65814 pushfd ; retf
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A65814 push ebx; retf
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A60047 push ds; ret
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A60047 push ds; ret
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A63841 push 4674B5B4h; retf
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A659A2 push ebx; retf
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A659AE push ebx; retf
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A6598A push ebx; retf
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A65996 push ebx; retf
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A6590E pushfd ; retf
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A6010F push ds; ret
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A61918 push esi; ret
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A65919 push ebx; retf
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A6597F push ebx; retf
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A62954 pushad ; ret
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A64DAC push ecx; ret
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    barindex
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeRDTSC instruction interceptor: First address: 0000000002A70462 second address: 0000000002A70462 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 6DE2EF76h 0x00000007 xor eax, 3DB09C71h 0x0000000c sub eax, 5442A7C9h 0x00000011 xor eax, FC0FCB3Fh 0x00000016 cpuid 0x00000018 jmp 00007FA49CC56E26h 0x0000001a cmp cx, bx 0x0000001d popad 0x0000001e cmp esi, 4B3AFD05h 0x00000024 call 00007FA49CC56DECh 0x00000029 lfence 0x0000002c mov edx, 710EE3C3h 0x00000031 xor edx, C84DA636h 0x00000037 xor edx, 5FA736A0h 0x0000003d xor edx, 991A7341h 0x00000043 mov edx, dword ptr [edx] 0x00000045 lfence 0x00000048 jmp 00007FA49CC56E1Ah 0x0000004a cmp ecx, C21290E3h 0x00000050 cmp cx, B483h 0x00000055 ret 0x00000056 sub edx, esi 0x00000058 ret 0x00000059 cmp cl, dl 0x0000005b jmp 00007FA49CC56E26h 0x0000005d cmp cx, bx 0x00000060 cmp esi, 7ED3C2E3h 0x00000066 add edi, edx 0x00000068 dec dword ptr [ebp+000000F8h] 0x0000006e cmp dword ptr [ebp+000000F8h], 00000000h 0x00000075 jne 00007FA49CC56D73h 0x00000077 cmp edx, ecx 0x00000079 cmp ebx, 1CFC15CDh 0x0000007f call 00007FA49CC56E8Bh 0x00000084 call 00007FA49CC56E5Ch 0x00000089 lfence 0x0000008c mov edx, 710EE3C3h 0x00000091 xor edx, C84DA636h 0x00000097 xor edx, 5FA736A0h 0x0000009d xor edx, 991A7341h 0x000000a3 mov edx, dword ptr [edx] 0x000000a5 lfence 0x000000a8 jmp 00007FA49CC56E1Ah 0x000000aa cmp ecx, C21290E3h 0x000000b0 cmp cx, B483h 0x000000b5 ret 0x000000b6 mov esi, edx 0x000000b8 pushad 0x000000b9 rdtsc
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A7045A rdtsc

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A6F3CA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A6FCC1 mov eax, dword ptr fs:[00000030h]
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\Zr26f1rL6r.exeCode function: 1_2_02A7045A rdtsc
    Source: Zr26f1rL6r.exe, 00000001.00000002.804242856.0000000000CA0000.00000002.00020000.sdmpBinary or memory string: Program Manager
    Source: Zr26f1rL6r.exe, 00000001.00000002.804242856.0000000000CA0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: Zr26f1rL6r.exe, 00000001.00000002.804242856.0000000000CA0000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: Zr26f1rL6r.exe, 00000001.00000002.804242856.0000000000CA0000.00000002.00020000.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11Input Capture1Security Software Discovery21Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery11Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    Zr26f1rL6r.exe40%VirustotalBrowse
    Zr26f1rL6r.exe20%ReversingLabsWin32.Trojan.GuLoader

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://atseasonals.com/GHrtt/bin_k0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    https://atseasonals.com/GHrtt/bin_ktrue
    • Avira URL Cloud: safe
    unknown

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:528518
    Start date:25.11.2021
    Start time:12:43:41
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 13s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:Zr26f1rL6r.danger (renamed file extension from danger to exe)
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:26
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal76.troj.evad.winEXE@1/1@0/0
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 6.4% (good quality ratio 2.5%)
    • Quality average: 21%
    • Quality standard deviation: 29.7%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
    • Not all processes where analyzed, report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\~DFD789DA64D34966AA.TMP
    Process:C:\Users\user\Desktop\Zr26f1rL6r.exe
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):16384
    Entropy (8bit):1.021204976774085
    Encrypted:false
    SSDEEP:48:rJSq2Upu8metqPrIXHimU7zdvP1vnRecR:VSKUpACLF0
    MD5:E9F7C24086FE230572BB84C262385677
    SHA1:16B4D54B227860CD7942CB26F607C2464F69B416
    SHA-256:1F1B9BB21DBBE012A4824C25111BAB849BE0E7BCED9234527701823A68C65374
    SHA-512:4F82F38C3A3D93FED9E1D0A27D1993FAA723CD2C0AD08241F1FC8C93E1DFAF47E035A94A2075B828AD12D41C6860150C3B42EE79B060912EBC44D340C8CDA492
    Malicious:false
    Reputation:low
    Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.18115352999971
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:Zr26f1rL6r.exe
    File size:144472
    MD5:812181df251e06433bf2f4f6a0c0f0f4
    SHA1:aa38a567ee48483d98966622fd320c791bc45871
    SHA256:4d6c910a379d00f329e55ad98a7817de0370695566443a74a9a02c85d2463a9d
    SHA512:4d34981930ed3e40572cfc761dcb78e59494d8e33f2e6615ed3e53d3e17945718d7d627abca099167e188e2e76973a550c64c54a3f6700bb6bbb7b13bbd0cf47
    SSDEEP:3072:txD6tQfQC/nHcs0lZ8+g81AYe22uQCNIJXmeL5A2m:txDQgvHyY80oQCNQm
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...<!..v...E%..r...Richs...........................PE..L....H.X.....................0....................@

    File Icon

    Icon Hash:6ce8fac8c8e46868

    Static PE Info

    General

    Entrypoint:0x4013b4
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x58DD4808 [Thu Mar 30 18:01:44 2017 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:0db4e1fdede6848b7d67f260c767df5d

    Authenticode Signature

    Signature Valid:false
    Signature Issuer:E=Knyste6@Eximiousne3.BRY, CN=Siphonalet4, OU=Dehumanise5, O=octocorall, L=Myomatous7, S=FAHLORE, C=TD
    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
    Error Number:-2146762487
    Not Before, Not After
    • 11/24/2021 4:22:16 AM 11/24/2022 4:22:16 AM
    Subject Chain
    • E=Knyste6@Eximiousne3.BRY, CN=Siphonalet4, OU=Dehumanise5, O=octocorall, L=Myomatous7, S=FAHLORE, C=TD
    Version:3
    Thumbprint MD5:3EA4D95D319B3BCDDF3A916A0A7F25DF
    Thumbprint SHA-1:827D80430EC06C8058A205E7E710FFF3EB2A03DE
    Thumbprint SHA-256:7824D156B89CF1BF25F923BECB9DCE0EF3F49C821D270075A626DE65497E77AD
    Serial:00

    Entrypoint Preview

    Instruction
    push 00402510h
    call 00007FA49CC7D905h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    cmp byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xlatb
    lds ebx, edx
    mov bl, 87h
    fisttp dword ptr [edi-6Ch]
    push ebp
    inc ecx
    dec eax
    jmp far 0000h : 00DCC60Ah
    add byte ptr [eax], al
    add byte ptr [ecx], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax+45h], dl
    push edx
    dec ecx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    dec esp
    xor dword ptr [eax], eax
    sub eax, B60C4E3Eh
    test eax, B24EE131h
    cmp eax, 043AB174h
    imul ebp, dword ptr [edx], 2411205Eh
    push ss
    pushad
    bound eax, dword ptr [ebp-64h]
    mov byte ptr [esi], FFFFFF8Ah
    push ds

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x1f1440x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x220000xf77.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x220000x1458
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2380x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000x13c.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x1e6c00x1f000False0.523012222782data6.34448502446IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data0x200000x1a400x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x220000xf770x1000False0.367431640625data4.13632936066IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    CUSTOM0x22d3b0x23cASCII text, with CRLF line terminatorsEnglishUnited States
    CUSTOM0x22d180x23ASCII text, with CRLF line terminatorsEnglishUnited States
    RT_ICON0x224700x8a8data
    RT_GROUP_ICON0x2245c0x14data
    RT_VERSION0x221700x2ecdataEnglishUnited States

    Imports

    DLLImport
    MSVBVM60.DLL__vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaCyI2, __vbaStrCmp, DllFunctionCall, __vbaVarLateMemSt, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, __vbaVarCopy, _CIatan, __vbaStrMove, __vbaI4Cy, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

    Version Infos

    DescriptionData
    Translation0x0409 0x04b0
    LegalCopyrightMon Frak
    InternalNameUNDERWR
    FileVersion1.00
    CompanyNameMon Frak
    LegalTrademarksMon Frak
    CommentsMon Frak
    ProductNameMon Frak
    ProductVersion1.00
    FileDescriptionMon Frak
    OriginalFilenameUNDERWR.exe

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    System Behavior

    General

    Start time:12:44:33
    Start date:25/11/2021
    Path:C:\Users\user\Desktop\Zr26f1rL6r.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\Zr26f1rL6r.exe"
    Imagebase:0x400000
    File size:144472 bytes
    MD5 hash:812181DF251E06433BF2F4F6A0C0F0F4
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.804770184.0000000002A60000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis

    Reset < >