Play interactive tour

Edit tour

Windows Analysis Report 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Overview

General Information

Sample Name:	210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
Analysis ID:	539503
MD5:	1547238c5f89a46f4f3d448138478e05
SHA1:	b83e59cffe50f76e819731d506efd045c55aaabc
SHA256:	3e6418ff545a4ca402fd68da393fd9db7ed7e798ffed1de2fbcdbb31fa08817f
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Initial sample is a PE file and has a suspicious name

Executable has a suspicious name (potential lure to open the executable)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe (PID: 5784 cmdline: "C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe" MD5: 1547238C5F89A46F4F3D448138478E05)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1sW9p"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.814005809.0000000004E10000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.814005809.0000000004E10000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1sW9p"}

Multi AV Scanner detection for submitted file

Show sources

Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Virustotal: Detection: 33%

Perma Link

Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1sW9p

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
Source: initial sample	Static PE information: Filename: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Static file information: Suspicious name

Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000000.284825706.000000000042B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLydbl.exe vs 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.813092668.0000000002A50000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLydbl.exeFE2X vs 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Binary or memory string: OriginalFilenameLydbl.exe vs 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1D19E	1_2_04E1D19E
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1831F	1_2_04E1831F
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E168F3	1_2_04E168F3
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E188F7	1_2_04E188F7
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E16CCF	1_2_04E16CCF
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E160B3	1_2_04E160B3
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E16496	1_2_04E16496
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E18899	1_2_04E18899
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E16872	1_2_04E16872
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E18032	1_2_04E18032
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E15836	1_2_04E15836
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1803A	1_2_04E1803A
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E165C3	1_2_04E165C3
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1BDD7	1_2_04E1BDD7
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E15DDB	1_2_04E15DDB
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E159DE	1_2_04E159DE
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E159A1	1_2_04E159A1
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E169A5	1_2_04E169A5
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E15D90	1_2_04E15D90
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E18996	1_2_04E18996
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E18940	1_2_04E18940
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1692C	1_2_04E1692C
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1652F	1_2_04E1652F
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E16D33	1_2_04E16D33
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E166E6	1_2_04E166E6
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E18AA5	1_2_04E18AA5
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E16AB7	1_2_04E16AB7
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E15A99	1_2_04E15A99
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E15E72	1_2_04E15E72
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1625B	1_2_04E1625B
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1665F	1_2_04E1665F
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E18A27	1_2_04E18A27
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E16A3E	1_2_04E16A3E
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1BA0E	1_2_04E1BA0E
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E157E4	1_2_04E157E4
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E163F1	1_2_04E163F1
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E16BF6	1_2_04E16BF6
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E17BCA	1_2_04E17BCA
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1AFDE	1_2_04E1AFDE
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E18FA7	1_2_04E18FA7
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E16781	1_2_04E16781
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E17B8A	1_2_04E17B8A
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1636B	1_2_04E1636B
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E15F6A	1_2_04E15F6A
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1BF7C	1_2_04E1BF7C
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E16B53	1_2_04E16B53
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E17B57	1_2_04E17B57
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E17B5B	1_2_04E17B5B
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E15F25	1_2_04E15F25
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E18B26	1_2_04E18B26
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1632E	1_2_04E1632E
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1833B	1_2_04E1833B
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1B306	1_2_04E1B306
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E18318	1_2_04E18318

Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1831F NtAllocateVirtualMemory,	1_2_04E1831F
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E184CD NtAllocateVirtualMemory,	1_2_04E184CD
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1833B NtAllocateVirtualMemory,	1_2_04E1833B
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E18318 NtAllocateVirtualMemory,	1_2_04E18318

Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Process Stats: CPU usage > 98%

Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Virustotal: Detection: 33%

Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

File created: C:\Users\user\AppData\Local\Temp\~DF66A3895C75D2E9C9.TMP

Jump to behavior

Source: classification engine

Classification label: mal76.troj.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.814005809.0000000004E10000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_00408C44 push ebp; ret	1_2_00408C45
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_0040686F pushad ; ret	1_2_004068B0
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_004078FD push ebx; ret	1_2_0040790B
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_004055C1 push ds; ret	1_2_004055DB
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_00409198 push edx; retf	1_2_0040919E
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_0040970C push ebp; iretd	1_2_0040970F
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_0040733E pushfd ; ret	1_2_00407359
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1831F pushfd ; retf	1_2_04E1865B
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E12DCC push ecx; retf	1_2_04E12DD8
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E13AC0 push esi; ret	1_2_04E13B2A
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E147E9 push esp; iretd	1_2_04E14832
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E13B20 push esi; ret	1_2_04E13B2A

Source: initial sample

Static PE information: section name: .text entropy: 7.13735500913

Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Code function: 1_2_04E17E74 rdtsc

1_2_04E17E74

Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E178C2 mov eax, dword ptr fs:[00000030h]	1_2_04E178C2
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1B0BA mov eax, dword ptr fs:[00000030h]	1_2_04E1B0BA
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E152F6 mov eax, dword ptr fs:[00000030h]	1_2_04E152F6
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1528E mov eax, dword ptr fs:[00000030h]	1_2_04E1528E
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1525A mov eax, dword ptr fs:[00000030h]	1_2_04E1525A
Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe	Code function: 1_2_04E1BF7C mov eax, dword ptr fs:[00000030h]	1_2_04E1BF7C

Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Code function: 1_2_04E17E74 rdtsc

1_2_04E17E74

Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Code function: 1_2_04E1D19E RtlAddVectoredExceptionHandler,

1_2_04E1D19E

Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.812875992.0000000000DA0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.812875992.0000000000DA0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.812875992.0000000000DA0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.812875992.0000000000DA0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Software Packing1	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails