
Windows Analysis Report 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe

Overview

General Information

Sample Name: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
Analysis ID: 539503
MD5: 1547238c5f89a46f4f3d448138478e05
SHA1: b83e59cffe50f76e819731d506efd045c55aaabc
SHA256: 3e6418ff545a4ca402fd68da393fd9db7ed7e798ffed1de2fbcdbb31fa08817f
Tags: exe

Detection

Name: GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1sW9p"}

Yara Overview

Memory Dumps

Source: 00000001.00000002.814005809.0000000004E10000.00000040.00000001.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
Strings: (none listed)

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview


    AV Detection:

    Found malware configuration
    Source: 00000001.00000002.814005809.0000000004E10000.00000040.00000001.sdmp; Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1sW9p"}
    Multi AV Scanner detection for submitted file
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; VirusTotal: Detection: 33%
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor; URLs: https://drive.google.com/uc?export=download&id=1sW9p

    System Summary:

    Initial sample is a PE file and has a suspicious name
    Source: initial sample; Static PE information: Filename: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
    Executable has a suspicious name (potential lure to open the executable)
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Static file information: Suspicious name
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Sample file is different than original file name gathered from version info
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000000.284825706.000000000042B000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename: Lydbl.exe vs 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.813092668.0000000002A50000.00000004.00000001.sdmp; Binary or memory string: OriginalFilename: Lydbl.exeFE2X vs 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Binary or memory string: OriginalFilename: Lydbl.exe vs 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe
    PE file contains strange resources
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Code functions (54, all in the 0x04E10000 region):
    1_2_04E1D19E, 1_2_04E1831F, 1_2_04E168F3, 1_2_04E188F7, 1_2_04E16CCF, 1_2_04E160B3,
    1_2_04E16496, 1_2_04E18899, 1_2_04E16872, 1_2_04E18032, 1_2_04E15836, 1_2_04E1803A,
    1_2_04E165C3, 1_2_04E1BDD7, 1_2_04E15DDB, 1_2_04E159DE, 1_2_04E159A1, 1_2_04E169A5,
    1_2_04E15D90, 1_2_04E18996, 1_2_04E18940, 1_2_04E1692C, 1_2_04E1652F, 1_2_04E16D33,
    1_2_04E166E6, 1_2_04E18AA5, 1_2_04E16AB7, 1_2_04E15A99, 1_2_04E15E72, 1_2_04E1625B,
    1_2_04E1665F, 1_2_04E18A27, 1_2_04E16A3E, 1_2_04E1BA0E, 1_2_04E157E4, 1_2_04E163F1,
    1_2_04E16BF6, 1_2_04E17BCA, 1_2_04E1AFDE, 1_2_04E18FA7, 1_2_04E16781, 1_2_04E17B8A,
    1_2_04E1636B, 1_2_04E15F6A, 1_2_04E1BF7C, 1_2_04E16B53, 1_2_04E17B57, 1_2_04E17B5B,
    1_2_04E15F25, 1_2_04E18B26, 1_2_04E1632E, 1_2_04E1833B, 1_2_04E1B306, 1_2_04E18318
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Code functions calling NtAllocateVirtualMemory: 1_2_04E1831F, 1_2_04E184CD, 1_2_04E1833B, 1_2_04E18318
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Process Stats: CPU usage > 98%
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; VirusTotal: Detection: 33%
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; File created: C:\Users\user\AppData\Local\Temp\~DF66A3895C75D2E9C9.TMP
    Source: classification engine; Classification label: mal76.troj.winEXE@1/1@0/0
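    The System Summary findings above (a document-style lure name ending in "_PDF.exe", an OriginalFilename of Lydbl.exe in the version resource that does not match the submitted name, and a Payload URL in the extracted configuration) are checks that can be automated at triage. The following is an added example, not code from this report or from Joe Sandbox: the lure regular expression, the raw scan of the version resource and the sample bytes are constructed for illustration and assume only the file name, the OriginalFilename and the configuration JSON shown in the report.

```python
import json
import re
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Lure naming heuristic (constructed for this example): a document-type token
# directly in front of an executable extension, as in "..._PDF.exe" or "invoice.pdf.exe".
LURE_RE = re.compile(
    r"(?:^|[._\- ])(pdf|docx?|xlsx?|invoice|order|purchase)[._\- ]*\.(exe|scr|com|pif)$",
    re.IGNORECASE,
)


def is_lure_name(filename: str) -> bool:
    """True when the name imitates a document but carries an executable extension."""
    return LURE_RE.search(filename) is not None


def original_filename(pe_bytes: bytes) -> Optional[str]:
    """Pull the OriginalFilename value out of a VS_VERSIONINFO StringFileInfo block.

    The version resource stores the UTF-16LE key "OriginalFilename", a NUL,
    optional DWORD alignment padding and then the UTF-16LE value. A raw scan of
    the file is enough for triage and avoids walking the resource directory.
    """
    key = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
    idx = pe_bytes.find(key)
    if idx < 0:
        return None
    pos = idx + len(key)
    while pe_bytes[pos:pos + 2] == b"\x00\x00":     # skip alignment padding
        pos += 2
    end = pos
    while end + 1 < len(pe_bytes) and pe_bytes[end:end + 2] != b"\x00\x00":
        end += 2                                    # UTF-16 units until the terminator
    value = pe_bytes[pos:end].decode("utf-16-le", errors="replace")
    return value or None


def payload_fields(config_json: str) -> Dict[str, str]:
    """Split the extracted config's Payload URL into the parts an analyst blocks or hunts on."""
    cfg = json.loads(config_json)
    parts = urlsplit(cfg["Payload URL"])
    qs = parse_qs(parts.query)
    return {"host": parts.netloc, "path": parts.path, "drive_id": qs.get("id", [""])[0]}


def triage(sample_name: str, pe_bytes: bytes, config_json: str) -> Dict[str, object]:
    """Combine the three static checks into one verdict dictionary."""
    orig = original_filename(pe_bytes)
    return {
        "lure_name": is_lure_name(sample_name),
        "original_filename": orig,
        "name_mismatch": orig is not None and orig.lower() != sample_name.lower(),
        "payload": payload_fields(config_json),
    }


# Constructed stand-in for the sample: a DOS stub followed by a version-info
# fragment carrying the OriginalFilename the report recovered (Lydbl.exe).
SAMPLE_NAME = "210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe"
SAMPLE_BYTES = (
    b"MZ" + b"\x90" * 62
    + "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
    + b"\x00\x00"                                   # DWORD alignment padding
    + "Lydbl.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 16
)
CONFIG = '{"Payload URL": "https://drive.google.com/uc?export=download&id=1sW9p"}'

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_NAME, SAMPLE_BYTES, CONFIG), indent=2))
```

    The raw scan for the version key is a triage shortcut; a production tool would walk the resource directory so that a matching string elsewhere in the file cannot be mistaken for the version block. The Drive id "1sW9p" is the value the extractor reported and is used as given.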

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match; File source: 00000001.00000002.814005809.0000000004E10000.00000040.00000001.sdmp, type: MEMORY
    Uses code obfuscation techniques (call, push, ret)
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Code functions:
    1_2_00408C44 push ebp; ret
    1_2_0040686F pushad ; ret
    1_2_004078FD push ebx; ret
    1_2_004055C1 push ds; ret
    1_2_00409198 push edx; retf
    1_2_0040970C push ebp; iretd
    1_2_0040733E pushfd ; ret
    1_2_04E1831F pushfd ; retf
    1_2_04E12DCC push ecx; retf
    1_2_04E13AC0 push esi; ret
    1_2_04E147E9 push esp; iretd
    1_2_04E13B20 push esi; ret
    Source: initial sample; Static PE information: section name: .text entropy: 7.13735500913
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Process information set: NOOPENFILEERRORBOX (3 times)
    Contains functionality for execution timing, often used to detect debuggers
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Code function: 1_2_04E17E74 rdtsc
    Contains functionality to read the PEB
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Code functions with mov eax, dword ptr fs:[00000030h]: 1_2_04E178C2, 1_2_04E1B0BA, 1_2_04E152F6, 1_2_04E1528E, 1_2_04E1525A, 1_2_04E1BF7C
    Source: C:\Users\user\Desktop\210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe; Code function: 1_2_04E1D19E RtlAddVectoredExceptionHandler,
    Source: 210629 Purchase Order 449 BURGHAUSEN (uZ 20-270)_PDF.exe, 00000001.00000002.812875992.0000000000DA0000.00000002.00020000.sdmp; Binary or memory strings: Program Manager, Shell_TrayWnd, Progman, Progmanlock
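    The Data Obfuscation section lists the same few idioms over and over: push/ret and pushfd/retf pairs used as disguised jumps, rdtsc for timing checks, and mov eax, fs:[30h] to reach the PEB (BeingDebugged, the loaded-module list). Below is an added example of a byte-pattern scanner over a dumped region that reports hits the way the "Code function" lines above do. It is not code from the report or from Joe Sandbox: the opcode encodings are standard x86, the region bytes are constructed for the demo, and the base address 0x04E10000 is taken from the dump name in the Yara section.

```python
import re
from typing import Dict, List, Tuple

# x86 encodings of the idioms the sandbox flagged (standard Intel opcode map).
PATTERNS = {
    "peb_read (mov eax, fs:[30h])": re.compile(rb"\x64(?:\xa1|\x8b\x05)\x30\x00\x00\x00"),
    "rdtsc": re.compile(rb"\x0f\x31"),
    "push reg; ret": re.compile(rb"[\x50-\x57]\xc3"),      # push eax..edi followed by ret
    "push reg; iretd": re.compile(rb"[\x50-\x57]\xcf"),
    "pushad; ret": re.compile(rb"\x60\xc3"),
    "pushfd; ret/retf": re.compile(rb"\x9c[\xc3\xcb]"),
}


def find_idioms(region: bytes, base: int) -> List[Tuple[int, str]]:
    """Return (virtual address, idiom) for every hit in the region, sorted by address."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(region):
            hits.append((base + m.start(), name))
    return sorted(hits)


def count_idioms(region: bytes) -> Dict[str, int]:
    """Hit count per idiom."""
    return {name: len(pat.findall(region)) for name, pat in PATTERNS.items()}


def looks_anti_analysis(region: bytes, min_kinds: int = 3) -> bool:
    """Crude triage verdict: several distinct idioms in one region, as the report
    shows for the 0x04E10000 dump, is far more telling than one push;ret in isolation."""
    counts = count_idioms(region)
    return sum(1 for c in counts.values() if c) >= min_kinds


# Constructed region (not bytes from the sample) that strings the flagged idioms
# together the way a GuLoader-style shellcode stub would.
REGION_BASE = 0x04E10000                 # base of the dumped region named in the report
REGION = (
    b"\x55\x8b\xec"                      # push ebp; mov ebp, esp   (ordinary prologue, no hit)
    b"\x64\xa1\x30\x00\x00\x00"          # mov eax, fs:[30h]        (PEB pointer)
    b"\x8a\x40\x02"                      # mov al, [eax+2]          (PEB.BeingDebugged)
    b"\x0f\x31"                          # rdtsc
    b"\x8b\xd8"                          # mov ebx, eax
    b"\x0f\x31"                          # rdtsc                    (second read for the delta)
    b"\x2b\xc3"                          # sub eax, ebx
    b"\x55\xc3"                          # push ebp; ret            (disguised jump)
    b"\x9c\xcb"                          # pushfd; retf
    b"\x60\xc3"                          # pushad; ret
)

if __name__ == "__main__":
    for addr, name in find_idioms(REGION, REGION_BASE):
        print(f"1_2_{addr:08X} {name}")
    print("anti-analysis:", looks_anti_analysis(REGION))
```

    Raw opcode matching will also fire on data bytes and on legitimate code (rdtsc in benchmarking loops, push/ret in some compiler thunks), so treat the output as a triage over an unpacked region such as the one the sandbox dumped, not as a verdict on its own.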

    Mitre Att&ck Matrix

    Techniques with a match count in the report (the remaining matrix cells carry no count and were not observed for this sample):

    Privilege Escalation: Process Injection (1)
    Defense Evasion: Process Injection (1), Software Packing (1), Obfuscated Files or Information (2)
    Discovery: Security Software Discovery (1), Process Discovery (1), System Information Discovery (1)
    Collection: Archive Collected Data (1)
    Command and Control: Encrypted Channel (1), Application Layer Protocol (1)
