Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
9u4xTDR5bG.exe

Overview

General Information

Sample Name:9u4xTDR5bG.exe
Analysis ID:561346
MD5:82c5cdde9df0a76e2933c1cd8bfc7887
SHA1:7b391b4429dfbf19030fb49ce750aa3c8b844a6b
SHA256:243ae30d42e90000b882779fae40e0056eab332b95e2c938446138a80868909e
Infos:

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64native
  • 9u4xTDR5bG.exe (PID: 5288 cmdline: "C:\Users\user\Desktop\9u4xTDR5bG.exe" MD5: 82C5CDDE9DF0A76E2933C1CD8BFC7887)
    • CasPol.exe (PID: 7664 cmdline: "C:\Users\user\Desktop\9u4xTDR5bG.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • CasPol.exe (PID: 5480 cmdline: "C:\Users\user\Desktop\9u4xTDR5bG.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • CasPol.exe (PID: 372 cmdline: "C:\Users\user\Desktop\9u4xTDR5bG.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • CasPol.exe (PID: 376 cmdline: "C:\Users\user\Desktop\9u4xTDR5bG.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
      • conhost.exe (PID: 4980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://bangladeshshoecity.com/images/2w"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000C.00000000.119054079039.00000000013A0000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Found malware configuration
    Source: 0000000C.00000000.119054079039.00000000013A0000.00000040.00000400.00020000.00000000.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://bangladeshshoecity.com/images/2w"}
    Multi AV Scanner detection for submitted file
    Source: 9u4xTDR5bG.exeVirustotal: Detection: 31%Perma Link
    Source: 9u4xTDR5bG.exeReversingLabs: Detection: 44%
    Source: 9u4xTDR5bG.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: unknownHTTPS traffic detected: 64.188.2.199:443 -> 192.168.11.20:49799 version: TLS 1.2
    Source: 9u4xTDR5bG.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT