
Windows Analysis Report 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Overview

General Information

Sample Name:210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
Analysis ID:539503
MD5:1547238c5f89a46f4f3d448138478e05
SHA1:b83e59cffe50f76e819731d506efd045c55aaabc
SHA256:3e6418ff545a4ca402fd68da393fd9db7ed7e798ffed1de2fbcdbb31fa08817f
Tags:exe

Detection

GuLoader
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1sW9p"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.814005809.0000000004E10000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview


    AV Detection:

    Found malware configuration
    Source: 00000001.00000002.814005809.0000000004E10000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1sW9p"}
    Multi AV Scanner detection for submitted file
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Virustotal: Detection: 33%
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1sW9p

    System Summary:

    Initial sample is a PE file and has a suspicious name
    Source: initial sample | Static PE information: Filename: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
    Executable has a suspicious name (potential lure to open the executable)
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Static file information: Suspicious name
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000000.284825706.000000000042B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLydbl.exe vs 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.813092668.0000000002A50000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLydbl.exeFE2X vs 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Binary or memory string: OriginalFilenameLydbl.exe vs 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1D19E
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1831F
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E168F3
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E188F7
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E16CCF
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E160B3
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E16496
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E18899
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E16872
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E18032
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E15836
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1803A
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E165C3
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1BDD7
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E15DDB
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E159DE
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E159A1
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E169A5
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E15D90
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E18996
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E18940
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1692C
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1652F
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E16D33
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E166E6
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E18AA5
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E16AB7
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E15A99
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E15E72
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1625B
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1665F
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E18A27
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E16A3E
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1BA0E
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E157E4
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E163F1
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E16BF6
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E17BCA
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1AFDE
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E18FA7
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E16781
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E17B8A
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1636B
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E15F6A
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1BF7C
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E16B53
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E17B57
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E17B5B
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E15F25
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E18B26
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1632E
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1833B
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1B306
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E18318
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1831F NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E184CD NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1833B NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E18318 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Process Stats: CPU usage > 98%
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Virustotal: Detection: 33%
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | File created: C:\Users\user\AppData\Local\Temp\~DF66A3895C75D2E9C9.TMP
    Source: classification engine | Classification label: mal76.troj.winEXE@1/1@0/0

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match | File source: 00000001.00000002.814005809.0000000004E10000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_00408C44 push ebp; ret
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_0040686F pushad ; ret
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_004078FD push ebx; ret
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_004055C1 push ds; ret
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_00409198 push edx; retf
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_0040970C push ebp; iretd
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_0040733E pushfd ; ret
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1831F pushfd ; retf
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E12DCC push ecx; retf
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E13AC0 push esi; ret
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E147E9 push esp; iretd
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E13B20 push esi; ret
    Source: initial sample | Static PE information: section name: .text entropy: 7.13735500913
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E17E74 rdtsc
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E178C2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1B0BA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E152F6 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1528E mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1525A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1BF7C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E17E74 rdtsc
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | Code function: 1_2_04E1D19E RtlAddVectoredExceptionHandler,
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.812875992.0000000000DA0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.812875992.0000000000DA0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.812875992.0000000000DA0000.00000002.00020000.sdmp | Binary or memory string: Progman
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.812875992.0000000000DA0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Techniques listed per tactic; a number in parentheses is the count of matched signatures mapped to that technique.

    Initial Access: Valid Accounts, Default Accounts, Domain Accounts
    Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux)
    Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows)
    Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows)
    Defense Evasion: Software Packing (1), Process Injection (1), Obfuscated Files or Information (2)
    Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
    Discovery: Security Software Discovery (1), Process Discovery (1), System Information Discovery (1)
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
    Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
    Command and Control: Encrypted Channel (1), Application Layer Protocol (1), Steganography
    Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location
    Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
    Impact: Modify System Partition, Device Lockout, Delete Device Data

    Behavior Graph



    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe | 34% | Virustotal |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:539503
    Start date:14.12.2021
    Start time:12:42:11
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 14s
    Hypervisor based Inspection enabled:false
    Report type:light
    Sample file name:210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of new started processes analysed:20
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal76.troj.winEXE@1/1@0/0
    EGA Information:Failed
    HDC Information:
    • Successful, ratio: 29% (good quality ratio 19.6%)
    • Quality average: 38%
    • Quality standard deviation: 32.3%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
    • Not all processes were analyzed; the report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\~DF66A3895C75D2E9C9.TMP
    Process:C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):16384
    Entropy (8bit):0.9704190403390272
    Encrypted:false
    SSDEEP:24:rohnKifA3iuOH/AcaVRIJ0lBefVYwqDnKolnBX26:rUKifAyxAPM03wewqDKolnB
    MD5:F8A7BA0B6BDD9C33070359F2E417C6B3
    SHA1:264F7F9354D53EF8198E0EF71962290E469BEAAF
    SHA-256:8ED5A6E47FACFC9FA4FE11F98B198F7F75A3A3F8B0A3A4C56A949E6D3D3EF13A
    SHA-512:B2A39C9F4B1E6A66A95BA8BF8E899BC9D851133E083C45203EAF1DFA1DDB83437E9A79C535B33746C358C8C100EE456A8DA227CEE9BAC360896E27D6F2D8BC4A
    Malicious:false
    Reputation:low

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.885277653187616
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
    File size:167936
    MD5:1547238c5f89a46f4f3d448138478e05
    SHA1:b83e59cffe50f76e819731d506efd045c55aaabc
    SHA256:3e6418ff545a4ca402fd68da393fd9db7ed7e798ffed1de2fbcdbb31fa08817f
    SHA512:81b287cac12ef493bc3d8d45fefcab4e268833e8365d59c2c8c9aacd849c43f3296fbcd93ac4feff779f9380d0f8ddc1f73a0248ed5ff96309ff7736188a1fb2
    SSDEEP:1536:ggh9P8HOja+Zg/EsPdCfWGUbu8yIjJNa+I37KTqXpzV5pkNXuUAnX:gG9P8u7ZQmeGUbUIjJNS7hXvUAnX
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.x.....................\.......%.......Rich............................PE..L...+..J.................`...P......\........p....@

    File Icon

    Icon Hash:93f1e0c8d2e4f9fb

    Static PE Info

    General

    Entrypoint:0x40195c
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x4AAB2E2B [Sat Sep 12 05:14:19 2009 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:e7597de960f525af7c9e8aa5873fcec3

    Entrypoint Preview

    Instruction
    push 00402000h
    call 00007F3B14B2FDA5h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    cmp byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    stosb
    adc eax, 226C9C5Ch
    test dword ptr [esi-59h], eax
    jmp edx
    ret
    jl 00007F3B14B2FE0Bh
    mov byte ptr [000000A5h], al
    add byte ptr [eax], al
    add byte ptr [ecx], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [edi+41h], dl
    push esi
    inc ebp
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    dec esp
    xor dword ptr [eax], eax
    or al, bh
    mov dword ptr [ebp+esi*4-58h], eax
    int DFh
    dec edx
    add dword ptr [esi+1Eh], FFFFFFA6h
    call far 03C9h : 4BBA39D8h
    pop ebx
    or eax, dword ptr [ebp+70A34C87h]
    push cs
    and ecx, esi
    mov dl, 96h
    imul edi, dword ptr [edx], 9933AD4Fh
    iretw
    adc dword ptr [edi+00AA000Ch], esi
    pushad
    rcl dword ptr [ebx+00000000h], cl
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    cli
    add eax, 04C70000h
    add byte ptr [eax], al
    add byte ptr [eax+eax], al
    dec ebp
    inc ebp
    push esp
    inc ecx
    add byte ptr [41000601h], cl
    jc 00007F3B14B2FE15h
    push 19006964h
    add dword ptr [eax], eax
    inc edx
    add byte ptr [ebx], ah
    xchg byte ptr [eax+eax], al
    add byte ptr [esp+esi*2+00h], ch

    Data Directories

    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26414 | 0x28 | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2b000 | 0x850 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x238 | 0x20 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x24c | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

    Sections

    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x25ba0 | 0x26000 | False | 0.558214689556 | data | 7.13735500913 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data | 0x27000 | 0x36e4 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc | 0x2b000 | 0x850 | 0x1000 | False | 0.322021484375 | data | 3.0856399087 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    Name | RVA | Size | Type | Language | Country
    RT_ICON | 0x2b3e8 | 0x468 | GLS_BINARY_LSB_FIRST | |
    RT_GROUP_ICON | 0x2b3d4 | 0x14 | data | |
    RT_VERSION | 0x2b0f0 | 0x2e4 | data | English | United States

    Imports

    DLL | Import
    MSVBVM60.DLL | __vbaVarSub, __vbaR8FixI4, _CIcos, _adj_fptan, __vbaStrI4, __vbaVarMove, __vbaHresultCheck, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, __vbaLenBstrB, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaFpR8, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaGet3, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaI2I4, __vbaObjVar, __vbaStrR4, _adj_fpatan, __vbaRedim, __vbaStrR8, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaUbound, __vbaVarCat, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaInStr, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaFpI4, __vbaVarTstGe, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaR8IntI4, _allmul, _CItan, __vbaFPInt, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    Description | Data
    Translation | 0x0409 0x04b0
    LegalCopyright | Templafy
    InternalName | Lydbl
    FileVersion | 2.00
    CompanyName | Templafy
    LegalTrademarks | Templafy
    Comments | Templafy
    ProductName | Templafy
    ProductVersion | 2.00
    FileDescription | Templafy
    OriginalFilename | Lydbl.exe

    Possible Origin

    Language of compilation system | Country where language is spoken
    English | United States

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    System Behavior

    General

    Start time:12:43:04
    Start date:14/12/2021
    Path:C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe"
    Imagebase:0x400000
    File size:167936 bytes
    MD5 hash:1547238C5F89A46F4F3D448138478E05
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.814005809.0000000004E10000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis
