Loading ...

Play interactive tourEdit tour

Windows Analysis Report FACTURAS.exe

Overview

General Information

Sample Name:FACTURAS.exe
Analysis ID:539419
MD5:2332fdde9344114749db5496eef5f5f9
SHA1:303c40dd112294dc012836be48eb38e8af056432
SHA256:0e693b9dcb4ccb3e64cb61396447dd4e3871234b4af80c2d57e4fbc9b6268a61
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

Process Tree

  • System is w10x64
  • FACTURAS.exe (PID: 6492 cmdline: "C:\Users\user\Desktop\FACTURAS.exe" MD5: 2332FDDE9344114749DB5496EEF5F5F9)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downlD'"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlD'"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: FACTURAS.exeVirustotal: Detection: 40%Perma Link
    Source: FACTURAS.exeMetadefender: Detection: 38%Perma Link
    Source: FACTURAS.exeReversingLabs: Detection: 57%
    Source: FACTURAS.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=downlD'
    Source: FACTURAS.exe, 00000000.00000002.860970740.00000000005CA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: FACTURAS.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306D940 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306DB0E NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306DB52 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306DE06 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306DC8C NtAllocateVirtualMemory,
    Source: FACTURAS.exe, 00000000.00000002.860928984.0000000000424000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSERVICEKONTRAKTS.exe vs FACTURAS.exe
    Source: FACTURAS.exe, 00000000.00000002.861579074.0000000002A60000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSERVICEKONTRAKTS.exeFE2XMURALL vs FACTURAS.exe
    Source: FACTURAS.exeBinary or memory string: OriginalFilenameSERVICEKONTRAKTS.exe vs FACTURAS.exe
    Source: C:\Users\user\Desktop\FACTURAS.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03076B17
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306D940
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306E3A7
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306A3A0
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306E3C2
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306A28E
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_030692AF
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_030692DA
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306A122
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306B1FE
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306B034
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306A0B4
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306A0D5
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306A730
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306E75A
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306C76B
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_030697F8
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306E65C
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306A6C9
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306D566
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306957A
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03074430
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03069444
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306A4C0
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306E4F6
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306DB0E
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03074BBF
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03073BCC
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03069A80
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03073ABC
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306AAFA
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03069932
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306993C
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03073994
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306A9DE
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0307382F
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03073860
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306E8B4
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306EF04
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03074F2E
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03069FA8
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03069E60
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306AE9A
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306EEB4
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03073D0C
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306CD2E
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306AD74
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03069DDE
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306AC38
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03069CDB
    Source: FACTURAS.exeVirustotal: Detection: 40%
    Source: FACTURAS.exeMetadefender: Detection: 38%
    Source: FACTURAS.exeReversingLabs: Detection: 57%
    Source: C:\Users\user\Desktop\FACTURAS.exeFile created: C:\Users\user\AppData\Local\Temp\~DF6CBEB2FF77188695.TMPJump to behavior
    Source: FACTURAS.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\FACTURAS.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\FACTURAS.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: classification engineClassification label: mal68.troj.winEXE@1/2@0/0
    Source: C:\Users\user\Desktop\FACTURAS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32
    Source: C:\Users\user\Desktop\FACTURAS.exeFile created: C:\Users\user\AppData\Roaming\Bh2BSU9xxO49MYboEPptixGKslvKjoQApxmsXHE151Jump to behavior

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_004098C0 push 2DBAC715h; retf
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_004098CB push ss; retf
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0040508B pushad ; ret
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0040755C push cs; retf
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_00407179 push esp; iretd
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_00407584 push cs; retf
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_004085B8 push edx; retf
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_00406245 push ecx; retf
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_004072E6 push ebp; iretd
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_004042FC push edx; retf
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0040972A push eax; iretd
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_004083D6 pushfd ; iretd
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03066512 push ecx; retf
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03064E82 push esi; iretd
    Source: C:\Users\user\Desktop\FACTURAS.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\FACTURAS.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\FACTURAS.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\FACTURAS.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\FACTURAS.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306D11F rdtsc
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0307339D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306C76B mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03072A70 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03074F2E mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_0306D11F rdtsc
    Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 0_2_03076B17 RtlAddVectoredExceptionHandler,
    Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmpBinary or memory string: Program Manager
    Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: FACTURAS.exe, 00000000.00000002.861049488.0000000000D90000.00000002.00020000.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Masquerading1Input Capture1Security Software Discovery1Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryProcess Discovery1Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerSystem Information Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    FACTURAS.exe41%VirustotalBrowse
    FACTURAS.exe38%MetadefenderBrowse
    FACTURAS.exe58%ReversingLabsWin32.Trojan.GuLoader

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:539419
    Start date:14.12.2021
    Start time:09:38:19
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 8m 14s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:FACTURAS.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:16
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal68.troj.winEXE@1/2@0/0
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 4.1% (good quality ratio 1.6%)
    • Quality average: 18.8%
    • Quality standard deviation: 26.4%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
    • Not all processes where analyzed, report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\M9XgMRXaN30mgEl56ja236
    Process:C:\Users\user\Desktop\FACTURAS.exe
    File Type:data
    Category:dropped
    Size (bytes):4
    Entropy (8bit):0.8112781244591328
    Encrypted:false
    SSDEEP:3:1ln:v
    MD5:34F45818F16D1BBB62BA5874B8814CC7
    SHA1:A454CA483B4A66B83826D061BE2859DD79FF0D6C
    SHA-256:DC765660B06EE03DD16FD7CA5B957E8C805161AC2C4AF28C5A100AB2AB432CA1
    SHA-512:65711C8D556639DDFC14CE292B2415F3A2824D003AF1A530093B8E0B70B695E6C639694B7B90C6750B1129566D9A3784ED274667988D4B227DB2AC9B6CF7548B
    Malicious:false
    Reputation:low
    Preview: ....
    C:\Users\user\AppData\Local\Temp\~DF6CBEB2FF77188695.TMP
    Process:C:\Users\user\Desktop\FACTURAS.exe
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):16384
    Entropy (8bit):1.365570111635911
    Encrypted:false
    SSDEEP:48:rCXH5P26XpZKfAujEnkmHE+dJ+//iaBnF6UmkM:EHrZedAnjHrMyaL61
    MD5:E5AAF1474D5E7489F86A267B928DE425
    SHA1:8DAC741F82956D6111A5B442442E095DC4FC3299
    SHA-256:DBBEF5EC504CF458770890AF07448ABF835345029D078D4BA36CBF431F86314E
    SHA-512:B9AE66432026ADF7FE691F6E95292C6299CFE37FDC27760AD8DB5464386663A0398E53A770B0C8CCFDD734A8162064FF2D01093197A3BEC7356E9933EC344961
    Malicious:false
    Reputation:low
    Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):5.04128986675064
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:FACTURAS.exe
    File size:147456
    MD5:2332fdde9344114749db5496eef5f5f9
    SHA1:303c40dd112294dc012836be48eb38e8af056432
    SHA256:0e693b9dcb4ccb3e64cb61396447dd4e3871234b4af80c2d57e4fbc9b6268a61
    SHA512:7b3d94fb5e12a09f1b417e8042cbb0abe394a1d577a466cd2394e9aa0068ab276d5da25edf742660edb8bd01611f4680c982d6f14373d80e2896d34a887379c1
    SSDEEP:1536:nVas/8YOk4FOHBbmpBpQr9nV43XExeM0Jw52P3u1D6CqljbW:Is/8YJ4kRmpBpqVC090JS63hN
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L....e`V.....................0............... ....@................

    File Icon

    Icon Hash:0cceececceece400

    Static PE Info

    General

    Entrypoint:0x401698
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x566065B6 [Thu Dec 3 15:54:30 2015 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:98b6dd560a57b8960045d82e7d77c431

    Entrypoint Preview

    Instruction
    push 004020ACh
    call 00007FDF60D3E2C3h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    cmp byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    js 00007FDF60D3E2C8h
    rcl byte ptr [ecx-65h], cl
    fsubr dword ptr [edx]
    dec eax
    cmpsd
    mov ebp, 0FAA5268h
    pop eax
    stc
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add dword ptr [eax], eax
    add byte ptr [eax], al
    inc edx
    popfd
    aam 00h
    das
    mov al, byte ptr [69676445h]
    jc 00007FDF60D3E304h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add bh, bh
    int3
    xor dword ptr [eax], eax
    add byte ptr [ebx], dl
    pop esi
    push es
    sal byte ptr [ebx-76h], cl
    inc ebp
    lodsb
    pop esp
    pop esi
    jmp 00007FDF60D3E2A4h
    pop ebp
    mov bh, 60h
    xor eax, 0FA504B7h
    mov ebp, eax
    inc ebx
    xchg eax, edi
    xor edi, dword ptr [DAF603FAh]
    outsd
    cmp cl, byte ptr [edi-53h]
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    adc cl, byte ptr [ecx]
    add byte ptr [eax], al
    or eax, 00000009h
    push es
    add byte ptr [ecx+65h], bl
    jc 00007FDF60D3E33Dh
    jnc 00007FDF60D3E303h
    add byte ptr [67000801h], cl
    jc 00007FDF60D3E333h
    insb
    imul ebp, dword ptr [esi+65h], 00011900h
    inc edx
    add byte ptr [ebx], ah

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x20fb40x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x240000xc6c.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000x208.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x206380x21000False0.363976680871data5.21775436592IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data0x220000x12380x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x240000xc6c0x1000False0.484130859375data4.2105621782IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    RT_ICON0x243c40x8a8data
    RT_GROUP_ICON0x243b00x14data
    RT_VERSION0x240f00x2c0dataEnglishUnited States

    Imports

    DLLImport
    MSVBVM60.DLL_CIcos, _adj_fptan, __vbaStrI4, __vbaVarMove, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, __vbaVarIdiv, __vbaPut3, _adj_fdiv_m64, __vbaFpCDblR8, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaFpR8, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaGet3, __vbaVarTstEq, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaStrR8, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaUI1I4, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaUbound, __vbaVarCat, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    DescriptionData
    Translation0x0409 0x04b0
    LegalCopyrightMURAL
    InternalNameSERVICEKONTRAKTS
    FileVersion1.00
    CompanyNameMURAL
    LegalTrademarksMURAL
    ProductNameMURAL
    ProductVersion1.00
    FileDescriptionMURAL
    OriginalFilenameSERVICEKONTRAKTS.exe

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    System Behavior

    General

    Start time:09:39:39
    Start date:14/12/2021
    Path:C:\Users\user\Desktop\FACTURAS.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\FACTURAS.exe"
    Imagebase:0x400000
    File size:147456 bytes
    MD5 hash:2332FDDE9344114749DB5496EEF5F5F9
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.862055491.0000000003060000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis

    Reset < >