Windows Analysis Report Justificante de Pago 25112021.pdf _.exe

Overview

General Information

Sample Name: Justificante de Pago 25112021.pdf _.exe
Analysis ID: 528616
MD5: 494cd8be1913f9def79b10031587aa8a
SHA1: ff74b67fa7c03d4fb388f49289ff14639656b3d3
SHA256: 75934da02313e0d772b4703bfaa3331311fc5a2b981f8ff0e455795bc3448ddb
Tags: exeguloader

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

AV Detection:

Found malware configuration
Source: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?c"}
Multi AV Scanner detection for submitted file
Source: Justificante de Pago 25112021.pdf _.exe ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: Justificante de Pago 25112021.pdf _.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\SKIBSBES.pdb source: Justificante de Pago 25112021.pdf _.exe

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?c
Source: Justificante de Pago 25112021.pdf _.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Justificante de Pago 25112021.pdf _.exe String found in binary or memory: http://s.symcd.com06
Source: Justificante de Pago 25112021.pdf _.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Justificante de Pago 25112021.pdf _.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Justificante de Pago 25112021.pdf _.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Justificante de Pago 25112021.pdf _.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: Justificante de Pago 25112021.pdf _.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: Justificante de Pago 25112021.pdf _.exe String found in binary or memory: https://d.symcb.com/rpa0.

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Justificante de Pago 25112021.pdf _.exe
Sample file is different than original file name gathered from version info
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000000.655922327.0000000000421000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSKIBSBES.exe vs Justificante de Pago 25112021.pdf _.exe
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1185543904.0000000002A60000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSKIBSBES.exeFE2X vs Justificante de Pago 25112021.pdf _.exe
Source: Justificante de Pago 25112021.pdf _.exe Binary or memory string: OriginalFilenameSKIBSBES.exe vs Justificante de Pago 25112021.pdf _.exe
PE file contains strange resources
Source: Justificante de Pago 25112021.pdf _.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
PE / OLE file has an invalid certificate
Source: Justificante de Pago 25112021.pdf _.exe Static PE information: invalid certificate
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_0298C889 NtAllocateVirtualMemory, 0_2_0298C889
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Process Stats: CPU usage > 98%
Source: Justificante de Pago 25112021.pdf _.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0
Source: Justificante de Pago 25112021.pdf _.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_00405661 push ebp; ret 0_2_00405664
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_004066B9 push ds; ret 0_2_004066D6
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_00403193 push ds; retf 0_2_0040324B
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_0298548B push ebx; ret 0_2_0298556C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_029854B2 push ebx; ret 0_2_0298556C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_02987ECB pushfd ; ret 0_2_02987F37
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_02985AFC push ds; ret 0_2_02985B23
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_029824E3 push E2DBE6FFh; retf 0_2_029824E9
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_0298422C push cs; retf 0_2_0298429C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_02984267 push cs; retf 0_2_0298429C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_02985FC4 pushad ; iretd 0_2_02985FC5
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_029841E0 push cs; retf 0_2_0298429C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_02985502 push ebx; ret 0_2_0298556C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_02982B39 push ds; retf 0_2_02982B50
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_02980F43 push ebp; retf 0_2_02980F44
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_0298BBE8 rdtsc 0_2_0298BBE8

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_02990098 mov eax, dword ptr fs:[00000030h] 0_2_02990098
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_02992493 mov eax, dword ptr fs:[00000030h] 0_2_02992493
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_02990EBD mov eax, dword ptr fs:[00000030h] 0_2_02990EBD
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_0298B8DD mov eax, dword ptr fs:[00000030h] 0_2_0298B8DD
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 0_2_02993C74 RtlAddVectoredExceptionHandler, 0_2_02993C74
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1184735200.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1184735200.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1184735200.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1184735200.0000000000C60000.00000002.00020000.sdmp Binary or memory string: Progmanlock