Loading ...

Play interactive tourEdit tour

Windows Analysis Report G47wmLn8uy

Overview

General Information

Sample Name:G47wmLn8uy (renamed file extension from none to exe)
Analysis ID:539603
MD5:9a1518ed709f916360e56b5ac7d76995
SHA1:7c85312d66edf5b02ebd6c25cfe9c036a3471263
SHA256:2a0878c196278384aab473c92977d236680c788b4e5ae0cc1f415a075a6fa9e2
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • G47wmLn8uy.exe (PID: 6320 cmdline: "C:\Users\user\Desktop\G47wmLn8uy.exe" MD5: 9A1518ED709F916360E56B5AC7D76995)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1rvzmbX5uh5o/"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1rvzmbX5uh5o/"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: G47wmLn8uy.exeVirustotal: Detection: 26%Perma Link
    Source: G47wmLn8uy.exeReversingLabs: Detection: 15%
    Machine Learning detection for sampleShow sources
    Source: G47wmLn8uy.exeJoe Sandbox ML: detected
    Source: G47wmLn8uy.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1rvzmbX5uh5o/
    Source: G47wmLn8uy.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: G47wmLn8uy.exe, 00000000.00000000.667550110.000000000042B000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameFort.exe vs G47wmLn8uy.exe
    Source: G47wmLn8uy.exe, 00000000.00000002.1190054948.00000000020C0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFort.exeFE2X vs G47wmLn8uy.exe
    Source: G47wmLn8uy.exeBinary or memory string: OriginalFilenameFort.exe vs G47wmLn8uy.exe
    Source: G47wmLn8uy.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1841D0_2_04D1841D
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1D38F0_2_04D1D38F
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D104CA0_2_04D104CA
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D184980_2_04D18498
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1749D0_2_04D1749D
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1C4BD0_2_04D1C4BD
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1C45D0_2_04D1C45D
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D184410_2_04D18441
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D105C30_2_04D105C3
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D165C90_2_04D165C9
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D165890_2_04D16589
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D105490_2_04D10549
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1057D0_2_04D1057D
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D105170_2_04D10517
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1C5090_2_04D1C509
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D136F80_2_04D136F8
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1C66C0_2_04D1C66C
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1663D0_2_04D1663D
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D167590_2_04D16759
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1C70E0_2_04D1C70E
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D160CA0_2_04D160CA
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D160F60_2_04D160F6
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D190850_2_04D19085
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1C0520_2_04D1C052
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1706B0_2_04D1706B
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D160050_2_04D16005
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D181800_2_04D18180
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1C2E90_2_04D1C2E9
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D182550_2_04D18255
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1C2590_2_04D1C259
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D162140_2_04D16214
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1C2260_2_04D1C226
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1C3D10_2_04D1C3D1
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D163ED0_2_04D163ED
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1838C0_2_04D1838C
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1C37D0_2_04D1C37D
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1632E0_2_04D1632E
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D16C930_2_04D16C93
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D17C390_2_04D17C39
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D16DC90_2_04D16DC9
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D16EE90_2_04D16EE9
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D15F920_2_04D15F92
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D16F8D0_2_04D16F8D
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D168D10_2_04D168D1
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D169B10_2_04D169B1
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D159A70_2_04D159A7
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D189A80_2_04D189A8
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D169510_2_04D16951
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1595B0_2_04D1595B
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D18A900_2_04D18A90
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D16A750_2_04D16A75
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D18A150_2_04D18A15
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D18BD10_2_04D18BD1
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D15BF00_2_04D15BF0
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D15BB10_2_04D15BB1
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D18B590_2_04D18B59
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D16B4E0_2_04D16B4E
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1841D NtAllocateVirtualMemory,0_2_04D1841D
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D184D9 NtAllocateVirtualMemory,0_2_04D184D9
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D18498 NtAllocateVirtualMemory,0_2_04D18498
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D18441 NtAllocateVirtualMemory,0_2_04D18441
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D18551 NtAllocateVirtualMemory,0_2_04D18551
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D18663 NtAllocateVirtualMemory,0_2_04D18663
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D18621 NtAllocateVirtualMemory,0_2_04D18621
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D18255 NtAllocateVirtualMemory,0_2_04D18255
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1838C NtAllocateVirtualMemory,0_2_04D1838C
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeProcess Stats: CPU usage > 98%
    Source: G47wmLn8uy.exeVirustotal: Detection: 26%
    Source: G47wmLn8uy.exeReversingLabs: Detection: 15%
    Source: G47wmLn8uy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32Jump to behavior
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeFile created: C:\Users\user\AppData\Local\Temp\~DFAFA5F207726209AF.TMPJump to behavior
    Source: classification engineClassification label: mal76.troj.evad.winEXE@1/1@0/0

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_00406471 push edi; iretd 0_2_00406472
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_00409011 push esp; retf 0_2_00409013
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_0040682F push esi; retf 0_2_00406830
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_0040A490 push ds; iretd 0_2_0040A491
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_004079F6 push eax; retf 0_2_00407A10
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_004055BF push ds; ret 0_2_004055D9
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_00405ECC push ebp; ret 0_2_00405ED8
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_00407F27 push edi; ret 0_2_00407F28
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_00407FBA push eax; iretd 0_2_00407FBB
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1747D pushfd ; iretd 0_2_04D19C58
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D17404 pushfd ; iretd 0_2_04D19C58
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D100CA push 5D54C3DCh; ret 0_2_04D10116
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D19157 push E8BBB633h; retf 001Bh0_2_04D1915F
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D14344 push 8122E3ECh; ret 0_2_04D14349
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D17371 pushfd ; iretd 0_2_04D19C58
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D17368 pushfd ; iretd 0_2_04D19C58
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D11F01 push esi; ret 0_2_04D11F02
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D19B93 pushfd ; iretd 0_2_04D19C58
    Source: initial sampleStatic PE information: section name: .text entropy: 7.15645216813
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeRDTSC instruction interceptor: First address: 0000000004D17C16 second address: 0000000004D17C16 instructions: 0x00000000 rdtsc 0x00000002 mov eax, B4901491h 0x00000007 sub eax, 05E3F0C7h 0x0000000c xor eax, 8F9A272Fh 0x00000011 sub eax, 213604E4h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F65F4CB431Dh 0x0000001e lfence 0x00000021 mov edx, 238EE826h 0x00000026 sub edx, 0388C43Eh 0x0000002c xor edx, E448541Bh 0x00000032 xor edx, BBB077E7h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+00000229h], AD8B339Ah 0x0000004f xor dword ptr [ebp+00000229h], 22419229h 0x00000059 xor dword ptr [ebp+00000229h], 3996C157h 0x00000063 sub dword ptr [ebp+00000229h], B65C60E4h 0x0000006d cmp ecx, dword ptr [ebp+00000229h] 0x00000073 jne 00007F65F4CB4237h 0x00000075 cmp cx, ax 0x00000078 mov dword ptr [ebp+0000020Bh], ebx 0x0000007e mov ebx, ecx 0x00000080 push ebx 0x00000081 mov ebx, dword ptr [ebp+0000020Bh] 0x00000087 jmp 00007F65F4CB42DEh 0x00000089 cmp dl, bl 0x0000008b call 00007F65F4CB4321h 0x00000090 call 00007F65F4CB433Eh 0x00000095 lfence 0x00000098 mov edx, 238EE826h 0x0000009d sub edx, 0388C43Eh 0x000000a3 xor edx, E448541Bh 0x000000a9 xor edx, BBB077E7h 0x000000af mov edx, dword ptr [edx] 0x000000b1 lfence 0x000000b4 ret 0x000000b5 mov esi, edx 0x000000b7 pushad 0x000000b8 rdtsc
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D17C0E rdtsc 0_2_04D17C0E
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1B2F5 mov eax, dword ptr fs:[00000030h]0_2_04D1B2F5
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1C259 mov eax, dword ptr fs:[00000030h]0_2_04D1C259
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1C226 mov eax, dword ptr fs:[00000030h]0_2_04D1C226
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1ACF0 mov eax, dword ptr fs:[00000030h]0_2_04D1ACF0
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D17A41 mov eax, dword ptr fs:[00000030h]0_2_04D17A41
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D17C0E rdtsc 0_2_04D17C0E
    Source: C:\Users\user\Desktop\G47wmLn8uy.exeCode function: 0_2_04D1D38F RtlAddVectoredExceptionHandler,0_2_04D1D38F
    Source: G47wmLn8uy.exe, 00000000.00000002.1189999307.0000000000C40000.00000002.00020000.sdmpBinary or memory string: Program Manager
    Source: G47wmLn8uy.exe, 00000000.00000002.1189999307.0000000000C40000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: G47wmLn8uy.exe, 00000000.00000002.1189999307.0000000000C40000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: G47wmLn8uy.exe, 00000000.00000002.1189999307.0000000000C40000.00000002.00020000.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Software Packing1OS Credential DumpingSecurity Software Discovery11Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information2Security Account ManagerSystem Information Discovery11SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.