
Windows Analysis Report FACTURAS.exe

Overview

General Information

Sample Name: FACTURAS.exe
Analysis ID: 539419
MD5: 2332fdde9344114749db5496eef5f5f9
SHA1: 303c40dd112294dc012836be48eb38e8af056432
SHA256: 0e693b9dcb4ccb3e64cb61396447dd4e3871234b4af80c2d57e4fbc9b6268a61

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Process Tree

  • System is w10x64
  • FACTURAS.exe (PID: 6492 cmdline: "C:\Users\user\Desktop\FACTURAS.exe" MD5: 2332FDDE9344114749DB5496EEF5F5F9)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downlD'"}

Yara Overview

Memory Dumps

Source: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview


    AV Detection:

    Found malware configuration
    Source: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlD'"}
    Multi AV Scanner detection for submitted file
    Source: FACTURAS.exe | Virustotal: Detection: 40%
    Source: FACTURAS.exe | Metadefender: Detection: 38%
    Source: FACTURAS.exe | ReversingLabs: Detection: 57%
    Uses 32bit PE files
    Source: FACTURAS.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=downlD'
    Source: FACTURAS.exe, 00000000.00000002.860970740.00000000005CA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: FACTURAS.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Contains functionality to call native functions
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0306D940 NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0306DB0E NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0306DB52 NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0306DE06 NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0306DC8C NtAllocateVirtualMemory
    Sample file is different than original file name gathered from version info
    Source: FACTURAS.exe, 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSERVICEKONTRAKTS.exe vs FACTURAS.exe
    Source: FACTURAS.exe, 00000000.00000002.861579074.0000000002A60000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSERVICEKONTRAKTS.exeFE2XMURALL vs FACTURAS.exe
    Source: FACTURAS.exe | Binary or memory string: OriginalFilenameSERVICEKONTRAKTS.exe vs FACTURAS.exe
    Abnormal high CPU Usage
    Source: C:\Users\user\Desktop\FACTURAS.exe | Process Stats: CPU usage > 98%
    Detected potential crypto function
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code functions: 0_2_03076B17, 0_2_0306D940, 0_2_0306E3A7, 0_2_0306A3A0, 0_2_0306E3C2, 0_2_0306A28E, 0_2_030692AF, 0_2_030692DA, 0_2_0306A122, 0_2_0306B1FE, 0_2_0306B034, 0_2_0306A0B4, 0_2_0306A0D5, 0_2_0306A730, 0_2_0306E75A, 0_2_0306C76B, 0_2_030697F8, 0_2_0306E65C, 0_2_0306A6C9, 0_2_0306D566, 0_2_0306957A, 0_2_03074430, 0_2_03069444, 0_2_0306A4C0, 0_2_0306E4F6, 0_2_0306DB0E, 0_2_03074BBF, 0_2_03073BCC, 0_2_03069A80, 0_2_03073ABC, 0_2_0306AAFA, 0_2_03069932, 0_2_0306993C, 0_2_03073994, 0_2_0306A9DE, 0_2_0307382F, 0_2_03073860, 0_2_0306E8B4, 0_2_0306EF04, 0_2_03074F2E, 0_2_03069FA8, 0_2_03069E60, 0_2_0306AE9A, 0_2_0306EEB4, 0_2_03073D0C, 0_2_0306CD2E, 0_2_0306AD74, 0_2_03069DDE, 0_2_0306AC38, 0_2_03069CDB
    Source: FACTURAS.exe | Virustotal: Detection: 40%
    Source: FACTURAS.exe | Metadefender: Detection: 38%
    Source: FACTURAS.exe | ReversingLabs: Detection: 57%
    Source: C:\Users\user\Desktop\FACTURAS.exe | File created: C:\Users\user\AppData\Local\Temp\~DF6CBEB2FF77188695.TMP
    Source: FACTURAS.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\FACTURAS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\FACTURAS.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: classification engine | Classification label: mal68.troj.winEXE@1/2@0/0
    Source: C:\Users\user\Desktop\FACTURAS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32
    Source: C:\Users\user\Desktop\FACTURAS.exe | File created: C:\Users\user\AppData\Roaming\Bh2BSU9xxO49MYboEPptixGKslvKjoQApxmsXHE151
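    The "OriginalFilenameSERVICEKONTRAKTS.exe vs FACTURAS.exe" findings above come from comparing the name the sample was submitted under with the OriginalFilename value stored in its version resource, a cheap masquerading check worth automating in triage. The Python below is an added example and is not part of the Joe Sandbox report or the sample: it scans a byte buffer for VS_VERSIONINFO String entries keyed OriginalFilename (key and value are NUL-terminated UTF-16LE strings, with the value padded to a 4-byte boundary) and returns the values that differ from the submitted name. The fixture bytes are constructed here to mimic that layout; on a real file you would pass the contents of the PE (or a memory dump) instead.

```python
import struct

# UTF-16LE key of the version-resource String entry we care about.
ORIGINAL_FILENAME_KEY = "OriginalFilename".encode("utf-16-le")


def _read_utf16z(data: bytes, pos: int) -> tuple[str, int]:
    """Read a NUL-terminated UTF-16LE string starting at pos.
    Returns (text, position just past the terminator)."""
    units = []
    while pos + 1 < len(data):
        unit = data[pos:pos + 2]
        pos += 2
        if unit == b"\x00\x00":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le", errors="replace"), pos


def extract_original_filenames(data: bytes) -> list[str]:
    """Return every OriginalFilename value found in VS_VERSIONINFO-style
    String entries: key, NUL terminator, 32-bit alignment padding, value.
    Works on a raw file or a memory dump; no PE parsing is required."""
    values = []
    pos = 0
    while True:
        idx = data.find(ORIGINAL_FILENAME_KEY, pos)
        if idx < 0:
            return values
        pos = idx + len(ORIGINAL_FILENAME_KEY)
        # Skip the key's terminator and any padding WCHARs (all zero).
        while pos + 1 < len(data) and data[pos:pos + 2] == b"\x00\x00":
            pos += 2
        value, pos = _read_utf16z(data, pos)
        if value:
            values.append(value)


def version_name_mismatches(sample_name: str, data: bytes) -> list[str]:
    """OriginalFilename values that do not match the submitted file name.
    The comparison is case-insensitive, as Windows file names are."""
    wanted = sample_name.lower()
    return [v for v in extract_original_filenames(data) if v.lower() != wanted]


def build_string_entry(key: str, value: str) -> bytes:
    """Constructed fixture: one VS_VERSIONINFO String entry
    (wLength, wValueLength in WCHARs incl. NUL, wType=1 for text,
    key, padding to a 4-byte boundary, value)."""
    key_b = key.encode("utf-16-le") + b"\x00\x00"
    value_b = value.encode("utf-16-le") + b"\x00\x00"
    pad = b"\x00" * (-(6 + len(key_b)) % 4)
    body = key_b + pad + value_b
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed sample: junk around an OriginalFilename entry carrying the
# name seen in this report, plus an unrelated key that must be ignored.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + build_string_entry("CompanyName", "Example")
    + build_string_entry("OriginalFilename", "SERVICEKONTRAKTS.exe")
    + b"\xff" * 8
)

if __name__ == "__main__":
    # A real run would read the submitted file: data = open(path, "rb").read()
    print("OriginalFilename values:", extract_original_filenames(SAMPLE_BLOB))
    print("mismatches vs FACTURAS.exe:", version_name_mismatches("FACTURAS.exe", SAMPLE_BLOB))
```

    A mismatch on its own is weak evidence (renamed legitimate binaries are common), which is why the report scores it alongside the other signatures rather than as a verdict.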

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match | File source: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, type: MEMORY
    Uses code obfuscation techniques (call, push, ret)
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_004098C0 push 2DBAC715h; retf 0_2_004098C5
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_004098CB push ss; retf 0_2_004098CD
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0040508B pushad; ret 0_2_0040509D
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0040755C push cs; retf 0_2_0040755D
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00407179 push esp; iretd 0_2_00407181
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00407584 push cs; retf 0_2_0040755D
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_004085B8 push edx; retf 0_2_004085B9
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_00406245 push ecx; retf 0_2_00406249
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_004072E6 push ebp; iretd 0_2_004072E9
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_004042FC push edx; retf 0_2_004042FD
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0040972A push eax; iretd 0_2_00409745
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_004083D6 pushfd; iretd 0_2_00408422
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_03066512 push ecx; retf 0_2_03066516
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_03064E82 push esi; iretd 0_2_03064E99
    Source: C:\Users\user\Desktop\FACTURAS.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)
    Contains functionality for execution timing, often used to detect debuggers
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0306D11F rdtsc
    Contains functionality to read the PEB
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0307339D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0306C76B mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_03072A70 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_03074F2E mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_0306D11F rdtsc
    Source: C:\Users\user\Desktop\FACTURAS.exe | Code function: 0_2_03076B17 RtlAddVectoredExceptionHandler
    Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmp | Binary or memory string: Program Manager
    Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
    Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmp | Binary or memory string: Progman
    Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
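    The push/retf, push/iretd, rdtsc and fs:[30h] findings in this section are all short, fixed byte sequences, so they can be located with a pattern scan over a dump before anything is opened in a disassembler. The Python below is an added example, not the sandbox's own detection logic: it scans a byte buffer for those opcode patterns and reports each hit with its offset (optionally rebased to a load address such as the 0x03060000 region the Yara rule fired on) and a disassembly-style label. The bytes it scans are constructed for the example; real input would be a memory dump or the .text section of the sample. Byte patterns also match inside data and immediates, so the hits are candidates to confirm in a disassembler, not a verdict.

```python
import re
import struct
from collections import Counter

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SEGREG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
RETURNS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def _peb_label(m: re.Match) -> str:
    """64 A1 disp32 is 'mov eax, fs:[disp32]'; 64 8B /r disp32 covers the
    other registers, with the register index in bits 3..5 of ModRM."""
    raw = m.group(0)
    reg = "eax" if raw[1] == 0xA1 else REG32[(raw[2] >> 3) & 7]
    return "mov %s, dword ptr fs:[00000030h]" % reg


# (kind, compiled regex over raw bytes, labeller for a match)
PATTERNS = [
    # push imm32 ; retf  (68 xx xx xx xx CB): control flow through a fake far return
    ("push-imm-retf",
     re.compile(rb"\x68(.{4})\xcb", re.DOTALL),
     lambda m: "push %08Xh; retf" % struct.unpack("<I", m.group(1))[0]),
    # push r32 ; ret/retf/iretd  (50+r, then C3/CB/CF)
    ("push-reg-ret",
     re.compile(rb"([\x50-\x57])([\xc3\xcb\xcf])", re.DOTALL),
     lambda m: "push %s; %s" % (REG32[m.group(1)[0] - 0x50], RETURNS[m.group(2)[0]])),
    # push sreg ; retf  (06/0E/16/1E, then CB)
    ("push-seg-retf",
     re.compile(rb"([\x06\x0e\x16\x1e])\xcb", re.DOTALL),
     lambda m: "push %s; retf" % SEGREG[m.group(1)[0]]),
    # rdtsc (0F 31): timing check used against debuggers and sandboxes
    ("rdtsc",
     re.compile(rb"\x0f\x31"),
     lambda m: "rdtsc"),
    # mov r32, fs:[30h]: TEB.ProcessEnvironmentBlock, the classic PEB read
    ("peb-read",
     re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00", re.DOTALL),
     _peb_label),
]


def scan_obfuscation(data: bytes, base: int = 0) -> list[tuple[int, str, str]]:
    """Return (address, kind, label) for every pattern hit, sorted by address.
    base rebases raw offsets to the region's load address (0 keeps offsets)."""
    hits = []
    for kind, regex, label in PATTERNS:
        for m in regex.finditer(data):
            hits.append((base + m.start(), kind, label(m)))
    hits.sort()
    return hits


def summarize(hits: list[tuple[int, str, str]]) -> dict[str, int]:
    """Count hits per pattern kind, the numbers a triage rule would threshold on."""
    return dict(Counter(kind for _, kind, _ in hits))


# Constructed sample (assumed bytes, not taken from the real file): a benign
# prologue followed by one instance of each trick listed in the report.
SAMPLE = (
    b"\x55\x8b\xec"                # push ebp; mov ebp, esp
    + b"\x68\x15\xc7\xba\x2d\xcb"  # push 2DBAC715h; retf
    + b"\x90\x90"                  # nop; nop
    + b"\x16\xcb"                  # push ss; retf
    + b"\x52\xcb"                  # push edx; retf
    + b"\x55\xcf"                  # push ebp; iretd
    + b"\x0f\x31"                  # rdtsc
    + b"\x64\xa1\x30\x00\x00\x00"  # mov eax, dword ptr fs:[30h]
    + b"\xc3"                      # ret
)

if __name__ == "__main__":
    # A real run would read a dump: data = open(path, "rb").read()
    for addr, kind, label in scan_obfuscation(SAMPLE, base=0x03060000):
        print("0_2_%08X  %-14s %s" % (addr, kind, label))
    print(summarize(scan_obfuscation(SAMPLE)))
```

    A single rdtsc or PEB read is ordinary in packed or runtime-library code; what makes this sample stand out in the report is the combination of a dozen push/retf and push/iretd sequences with the timing check and repeated PEB reads in the same region, which is what summarize() is meant to surface.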

    MITRE ATT&CK Matrix

    Techniques followed by a count in parentheses were matched by this analysis; the remaining entries are the unmatched matrix template.

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
    Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
    Defense Evasion: Masquerading (1); Process Injection (1); Obfuscated Files or Information (1)
    Credential Access: Input Capture (1); LSASS Memory; Security Account Manager
    Discovery: Security Software Discovery (1); Process Discovery (1); System Information Discovery (1)
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
    Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
    Command and Control: Encrypted Channel (1); Application Layer Protocol (1); Steganography
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data

    Behavior Graph

