Windows Analysis Report Justificante de Pago 25112021.pdf _.exe

Overview

General Information

Sample Name:	Justificante de Pago 25112021.pdf _.exe
Analysis ID:	528616
MD5:	494cd8be1913f9def79b10031587aa8a
SHA1:	ff74b67fa7c03d4fb388f49289ff14639656b3d3
SHA256:	75934da02313e0d772b4703bfaa3331311fc5a2b981f8ff0e455795bc3448ddb
Tags:	exeguloader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Potential malicious icon found

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Initial sample is a PE file and has a suspicious name

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

PE / OLE file has an invalid certificate

Contains functionality to call native functions

Program does not show much activity (idle)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?c"}

Multi AV Scanner detection for submitted file

Source: Justificante de Pago 25112021.pdf _.exe

ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files

Source: Justificante de Pago 25112021.pdf _.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\SKIBSBES.pdb source: Justificante de Pago 25112021.pdf _.exe

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://onedrive.live.com/download?c

Source: Justificante de Pago 25112021.pdf _.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Justificante de Pago 25112021.pdf _.exe	String found in binary or memory: http://s.symcd.com06
Source: Justificante de Pago 25112021.pdf _.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Justificante de Pago 25112021.pdf _.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Justificante de Pago 25112021.pdf _.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Justificante de Pago 25112021.pdf _.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: Justificante de Pago 25112021.pdf _.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: Justificante de Pago 25112021.pdf _.exe	String found in binary or memory: https://d.symcb.com/rpa0.

System Summary:

Potential malicious icon found

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Justificante de Pago 25112021.pdf _.exe

Uses 32bit PE files

Source: Justificante de Pago 25112021.pdf _.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Sample file is different than original file name gathered from version info

Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000000.655922327.0000000000421000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSKIBSBES.exe vs Justificante de Pago 25112021.pdf _.exe
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1185543904.0000000002A60000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSKIBSBES.exeFE2X vs Justificante de Pago 25112021.pdf _.exe
Source: Justificante de Pago 25112021.pdf _.exe	Binary or memory string: OriginalFilenameSKIBSBES.exe vs Justificante de Pago 25112021.pdf _.exe

PE file contains strange resources

Source: Justificante de Pago 25112021.pdf _.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Detected potential crypto function

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_00401578	0_2_00401578
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298C889	0_2_0298C889
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02993C74	0_2_02993C74
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02992493	0_2_02992493
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02988C96	0_2_02988C96
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298C486	0_2_0298C486
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_029892AF	0_2_029892AF
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_029828D2	0_2_029828D2
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_029824EB	0_2_029824EB
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298061C	0_2_0298061C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298D010	0_2_0298D010
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02984608	0_2_02984608
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0299120B	0_2_0299120B
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02986E3F	0_2_02986E3F
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298B45C	0_2_0298B45C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0299367B	0_2_0299367B
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298258D	0_2_0298258D
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02980386	0_2_02980386
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_029801EC	0_2_029801EC
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298BD14	0_2_0298BD14
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02990937	0_2_02990937
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02987555	0_2_02987555
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02986557	0_2_02986557
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298AF4E	0_2_0298AF4E
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298DF79	0_2_0298DF79
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298657D	0_2_0298657D

PE / OLE file has an invalid certificate

Source: Justificante de Pago 25112021.pdf _.exe

Static PE information: invalid certificate

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe

Code function: 0_2_0298C889 NtAllocateVirtualMemory,

0_2_0298C889

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe

Process Stats: CPU usage > 98%

Source: Justificante de Pago 25112021.pdf _.exe

ReversingLabs: Detection: 17%

Source: Justificante de Pago 25112021.pdf _.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: classification engine

Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0

Source: Justificante de Pago 25112021.pdf _.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\SKIBSBES.pdb source: Justificante de Pago 25112021.pdf _.exe

Data Obfuscation:

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_00405661 push ebp; ret	0_2_00405664
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_004066B9 push ds; ret	0_2_004066D6
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_00403193 push ds; retf	0_2_0040324B
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298548B push ebx; ret	0_2_0298556C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_029854B2 push ebx; ret	0_2_0298556C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02987ECB pushfd ; ret	0_2_02987F37
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02985AFC push ds; ret	0_2_02985B23
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_029824E3 push E2DBE6FFh; retf	0_2_029824E9
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298422C push cs; retf	0_2_0298429C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02984267 push cs; retf	0_2_0298429C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02985FC4 pushad ; iretd	0_2_02985FC5
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_029841E0 push cs; retf	0_2_0298429C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02985502 push ebx; ret	0_2_0298556C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02982B39 push ds; retf	0_2_02982B50
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02980F43 push ebp; retf	0_2_02980F44

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe

Code function: 0_2_0298BBE8 rdtsc

0_2_0298BBE8

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe

Process Stats: CPU usage > 90% for more than 60s

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02990098 mov eax, dword ptr fs:[00000030h]	0_2_02990098
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02992493 mov eax, dword ptr fs:[00000030h]	0_2_02992493
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02990EBD mov eax, dword ptr fs:[00000030h]	0_2_02990EBD
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298B8DD mov eax, dword ptr fs:[00000030h]	0_2_0298B8DD

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe

Code function: 0_2_0298BBE8 rdtsc

0_2_0298BBE8

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe

Code function: 0_2_02993C74 RtlAddVectoredExceptionHandler,

0_2_02993C74

Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1184735200.0000000000C60000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1184735200.0000000000C60000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1184735200.0000000000C60000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1184735200.0000000000C60000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?c	false		high

ID:	528616
Product:	CloudBasic
Start time:	15:07:14
Start date:	25.11.2021
Sample:	Justificante de Pago 25112021.pdf _.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	494cd8be1913f9def79b10031587aa8a
SHA1:	ff74b67fa7c03d4fb388f49289ff14639656b3d3
SHA256:	75934da02313e0d772b4703bfaa3331311fc5a2b981f8ff0e455795bc3448ddb
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Windows Analysis Report Justificante de Pago 25112021.pdf _.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map

Contacted URLs