
Windows Analysis Report
3GJ6S3Kwnb.exe

Overview

General Information

Sample Name: 3GJ6S3Kwnb.exe
Analysis ID: 623825
MD5: 6c6a52c18f0ca26d357f2b4430f31568
SHA1: 9b32a592e54100a67d907e2ad039b164961dc042
SHA256: cbd91a64900eacff9502b5509769b33adb8472efadd2861d99fd95a06c5630be

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file name differs from the original file name recorded in the version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to enumerate device drivers
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
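As an added example that is not part of the Joe Sandbox report, the script below reproduces, stand-alone, two of the static signatures listed above ("Uses 32bit PE files" and "PE file contains sections with non-standard names") and adds a writable-and-executable section check that a triage analyst would normally pair with them. It parses the MZ/PE headers directly with struct instead of depending on pefile, and runs against a constructed header-only PE image built inside the script; the section name "xyzabc", the section flags and the set of "standard" section names are illustrative assumptions and are not taken from the 3GJ6S3Kwnb.exe sample.

```python
import struct
import sys

# Section names commonly emitted by mainstream linkers (MSVC, GCC/MinGW, Delphi).
# Assumption for illustration: a real triage rule would tune this list per toolchain.
STANDARD_SECTION_NAMES = {
    ".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".pdata",
    ".rsrc", ".reloc", ".tls", ".debug", ".CRT", "CODE", "DATA", "BSS",
    ".itext", ".didata",
}

IMAGE_FILE_MACHINE_I386 = 0x14C      # COFF header Machine value for x86
PE32_MAGIC = 0x10B                   # Optional header Magic for 32-bit images
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header, COFF header, optional header magic and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        (raw_name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, sec_chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": raw_name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_pointer": rawptr,
            "characteristics": sec_chars,
        })
    return {"machine": machine, "magic": magic, "characteristics": chars, "sections": sections}


def triage(data: bytes) -> dict:
    """Static checks mirroring the sandbox signatures: 32-bit PE, odd section names, RWX sections."""
    pe = parse_pe(data)
    is_32bit = pe["machine"] == IMAGE_FILE_MACHINE_I386 and pe["magic"] == PE32_MAGIC
    nonstandard = [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTION_NAMES]
    rwx = [s["name"] for s in pe["sections"]
           if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE]
    return {
        "is_32bit": is_32bit,
        "sections": [s["name"] for s in pe["sections"]],
        "nonstandard_sections": nonstandard,
        "writable_executable_sections": rwx,
    }


def build_sample() -> bytes:
    """Constructed header-only PE32 image (not a runnable binary, not the analysed sample)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 3, 0, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", PE32_MAGIC) + b"\0" * 222         # 224-byte PE32 optional header

    def section(name: bytes, size: int, chars: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, 0x400, 0, 0, 0, 0, chars)

    sections = (section(b".text", 0x1000, 0x60000020)              # code, read+execute
                + section(b".rsrc", 0x800, 0x40000040)             # resources, read-only
                + section(b"xyzabc", 0x2000, 0xE0000020))          # assumed odd name, read+write+execute
    return dos + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    # Pass a PE path to triage a real file; without arguments the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

The parser stops at the section table on purpose: the version-info comparison behind "Sample file name differs from the original file name" needs a resource-directory walk, which is better left to pefile than re-implemented in a triage one-off.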

Classification