Loading ...

Play interactive tourEdit tour

Windows Analysis Report PKO_TRANS_DETAILS_20211216_0809521.exe

Overview

General Information

Sample Name:PKO_TRANS_DETAILS_20211216_0809521.exe
Analysis ID:540990
MD5:1823b507e96d8138bada7c65d424abcc
SHA1:e5d7884da7d17ba0ae592ff787e84ae665e21c3a
SHA256:99b81b452d173986229ed512383e05214f35c819aa9da4c2a972bb05c880d536
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1byST7nT"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.805543754.0000000004C80000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.805543754.0000000004C80000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1byST7nT"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: PKO_TRANS_DETAILS_20211216_0809521.exeVirustotal: Detection: 20%Perma Link
    Source: PKO_TRANS_DETAILS_20211216_0809521.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1byST7nT
    Source: PKO_TRANS_DETAILS_20211216_0809521.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: PKO_TRANS_DETAILS_20211216_0809521.exe, 00000000.00000002.803502480.0000000000425000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDagins.exe vs PKO_TRANS_DETAILS_20211216_0809521.exe
    Source: PKO_TRANS_DETAILS_20211216_0809521.exeBinary or memory string: OriginalFilenameDagins.exe vs PKO_TRANS_DETAILS_20211216_0809521.exe
    Source: PKO_TRANS_DETAILS_20211216_0809521.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_00401E86
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C884B3
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C8D3CE
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C880CC
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C88CCE
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C860C1
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C804D3
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C868E8
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86CE3
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C804E6
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C890E6
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C884F4
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C894A0
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C884B6
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86C56
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86069
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86878
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C8587D
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C8647E
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C88C06
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86014
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C865D8
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C805DA
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C865DE
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C869D6
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C865E9
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86580
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C80584
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86985
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86D95
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C869A0
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C861BE
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C89154
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86501
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C8051E
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C88D15
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86928
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C8613F
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C862E2
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C866F5
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C88AF5
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C88A8F
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C8C285
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C88297
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C85EB9
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86249
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C85A55
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86661
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86A65
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86E28
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C85E2C
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C85A31
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C863F6
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86B84
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C85FA4
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C88BBA
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86BB1
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C8674D
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C85F46
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C8637E
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C86B09
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C884B3 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C880CC NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C884F4 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C884B6 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C885B2 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C8855C NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C886AA NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C88631 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeProcess Stats: CPU usage > 98%
    Source: PKO_TRANS_DETAILS_20211216_0809521.exeVirustotal: Detection: 20%
    Source: PKO_TRANS_DETAILS_20211216_0809521.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeFile created: C:\Users\user\AppData\Local\Temp\~DF4AE55F204BB0FB8A.TMPJump to behavior
    Source: classification engineClassification label: mal72.troj.evad.winEXE@1/1@0/0

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.805543754.0000000004C80000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_00406A78 push ebp; ret
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_004081F5 push eax; ret
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C89595 push es; ret
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C8B11A push FFFFFFB9h; retf
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C8293C push ebp; iretd
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C83EA4 push ebx; ret
    Source: initial sampleStatic PE information: section name: .text entropy: 6.98717798783
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeProcess information set: NOOPENFILEERRORBOX
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C87CFD rdtsc

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C8A906 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C87AD4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C8C285 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C8B397 mov eax, dword ptr fs:[00000030h]
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C87CFD rdtsc
    Source: C:\Users\user\Desktop\PKO_TRANS_DETAILS_20211216_0809521.exeCode function: 0_2_04C8D3CE RtlAddVectoredExceptionHandler,
    Source: PKO_TRANS_DETAILS_20211216_0809521.exe, 00000000.00000002.803824263.0000000000C50000.00000002.00020000.sdmpBinary or memory string: Program Manager
    Source: PKO_TRANS_DETAILS_20211216_0809521.exe, 00000000.00000002.803824263.0000000000C50000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: PKO_TRANS_DETAILS_20211216_0809521.exe, 00000000.00000002.803824263.0000000000C50000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: PKO_TRANS_DETAILS_20211216_0809521.exe, 00000000.00000002.803824263.0000000000C50000.00000002.00020000.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery11Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsSoftware Packing1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSSystem Information Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.