Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Transferencia.exe

Overview

General Information

Sample Name:Transferencia.exe
Analysis ID:624276
MD5:fb1d131568bdd2fa951608534f83a75c
SHA1:ff02df2cb07c221b8ed3583c6dafb8c0e35684f8
SHA256:42625067621ac2dba6b95e565a48454637f46185356034da214a00a3d453c971
Tags:exe
Infos:

Detection

GuLoader
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
PE file contains strange resources
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • Transferencia.exe (PID: 4736 cmdline: "C:\Users\user\Desktop\Transferencia.exe" MD5: FB1D131568BDD2FA951608534F83A75C)
  • cleanup
{"Payload URL": "https://drive.google.com/uc?export=download&id=1hB?$1A"}
SourceRuleDescriptionAuthorStrings
00000000.00000002.756250628.0000000002D50000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    No Sigma rule has matched
    No Snort rule has matched

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: 00000000.00000002.756250628.0000000002D50000.00000040.00001000.00020000.00000000.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1hB?$1A"}
    Source: Transferencia.exeReversingLabs: Detection: 26%
    Source: Transferencia.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Transferencia.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: C:\Users\user\Desktop\Transferencia.exeCode function: 0_2_00406850 FindFirstFileW,FindClose,
    Source: C:\Users\user\Desktop\Transferencia.exeCode function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\Desktop\Transferencia.exeCode function: 0_2_0040290B FindFirstFileW,

    Networking

    barindex
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download&id=1hB?$1A
    Source: Transferencia.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: C:\Users\user\Desktop\Transferencia.exeCode function: 0_2_004056BB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
    Source: Transferencia.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Transferencia.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\Transferencia.exeCode function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Users\user\Desktop\Transferencia.exeCode function: 0_2_732A1BFF
    Source: Transferencia.exeStatic PE information: invalid certificate
    Source: C:\Users\user\Desktop\Transferencia.exeProcess Stats: CPU usage > 98%
    Source: Transferencia.exeReversingLabs: Detection: 26%
    Source: C:\Users\user\Desktop\Transferencia.exeFile read: C:\Users\user\Desktop\Transferencia.exeJump to behavior
    Source: Transferencia.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Transferencia.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\Transferencia.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\Transferencia.exeCode function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Users\user\Desktop\Transferencia.exeFile created: C:\Users\user\AppData\Local\Temp\nsnC5D7.tmpJump to behavior
    Source: C:\Users\user\Desktop\Transferencia.exeFile written: C:\Users\user\AppData\Local\Temp\FJERKRFARMENES.iniJump to behavior
    Source: classification engineClassification label: mal72.troj.evad.winEXE@1/3@0/0
    Source: C:\Users\user\Desktop\Transferencia.exeCode function: 0_2_004021AA CoCreateInstance,
    Source: C:\Users\user\Desktop\Transferencia.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Users\user\Desktop\Transferencia.exeCode function: 0_2_00404967 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
    Source: Transferencia.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

    Data Obfuscation

    barindex
    Source: Yara matchFile source: 00000000.00000002.756250628.0000000002D50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\Transferencia.exeCode function: 0_2_732A30C0 push eax; ret
    Source: C:\Users\user\Desktop\Transferencia.exeCode function: 0_2_732A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
    Source: C:\Users\user\Desktop\Transferencia.exeFile created: C:\Users\user\AppData\Local\Temp\nstC730.tmp\System.dllJump to dropped file
    Source: C:\Users\user\Desktop\Transferencia.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    barindex
    Source: C:\Users\user\Desktop\Transferencia.exeRDTSC instruction interceptor: First address: 0000000002D6467E second address: 0000000002D6467E instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F04749FF19Ah 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\Transferencia.exeCode function: 0_2_00406850 FindFirstFileW,FindClose,
    Source: C:\Users\user\Desktop\Transferencia.exeCode function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\Desktop\Transferencia.exeCode function: 0_2_0040290B FindFirstFileW,
    Source: C:\Users\user\Desktop\Transferencia.exeAPI call chain: ExitProcess graph end node
    Source: C:\Users\user\Desktop\Transferencia.exeAPI call chain: ExitProcess graph end node
    Source: C:\Users\user\Desktop\Transferencia.exeCode function: 0_2_732A1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
    Source: C:\Users\user\Desktop\Transferencia.exeCode function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid Accounts1
    Native API
    Path Interception1
    Access Token Manipulation
    1
    Access Token Manipulation
    OS Credential Dumping1
    Security Software Discovery
    Remote Services1
    Archive Collected Data
    Exfiltration Over Other Network Medium1
    Encrypted Channel
    Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
    System Shutdown/Reboot
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
    Obfuscated Files or Information
    LSASS Memory3
    File and Directory Discovery
    Remote Desktop Protocol1
    Clipboard Data
    Exfiltration Over Bluetooth1
    Application Layer Protocol
    Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account Manager13
    System Information Discovery
    SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand
    SourceDetectionScannerLabelLink
    Transferencia.exe27%ReversingLabsWin32.Trojan.Generic
    SourceDetectionScannerLabelLink
    C:\Users\user\AppData\Local\Temp\nstC730.tmp\System.dll0%VirustotalBrowse
    C:\Users\user\AppData\Local\Temp\nstC730.tmp\System.dll0%MetadefenderBrowse
    C:\Users\user\AppData\Local\Temp\nstC730.tmp\System.dll0%ReversingLabs
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No contacted domains info
    NameSourceMaliciousAntivirus DetectionReputation
    http://nsis.sf.net/NSIS_ErrorErrorTransferencia.exefalse
      high
      No contacted IP infos
      Joe Sandbox Version:34.0.0 Boulder Opal
      Analysis ID:624276
      Start date and time: 11/05/202213:17:052022-05-11 13:17:05 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 7m 14s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:Transferencia.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:29
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal72.troj.evad.winEXE@1/3@0/0
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 63.2% (good quality ratio 62%)
      • Quality average: 88.3%
      • Quality standard deviation: 21.7%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Adjust boot time
      • Enable AMSI
      • Override analysis time to 240s for sample files taking high CPU consumption
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, time.windows.com, arc.msn.com
      • Not all processes where analyzed, report is missing behavior information
      No simulations
      No context
      No context
      No context
      No context
      No context
      Process:C:\Users\user\Desktop\Transferencia.exe
      File Type:data
      Category:dropped
      Size (bytes):163440
      Entropy (8bit):7.327257313432124
      Encrypted:false
      SSDEEP:3072:TAJ8oRPFQ7IfdpA9PCAHmkvLl75I504TTRajaO7HlnKEmou:Mmcd2nGkvLI504TTIb7Fbmou
      MD5:12189C0F205D353F5492E0231A237B97
      SHA1:0ADAC1C37C0B1D812B77FA9466E501B068802061
      SHA-256:4C5C37CDD6B432A2E245CB3E4D5E31919BBA8A9A7246769A40E781EA4A407D71
      SHA-512:B67C7470BB1D1898A6233DF1D61034A76BC9A862A97C885CE9312A1FF318D0D1C7BBF228FB8E0846D3BAA5AC14751F562943356305569C9DF88F8449B70D7DC8
      Malicious:false
      Reputation:low
      Preview:.E.S..$.......B...^... ..u.H...&..t.....14.x].....}N..+.G.....Tp.$..{S...`).....b..Av.......X..n....^.IO`lw.(..........G..).=.<.B...8.t.&.iy.../R8...W..Ji........cF...(.E..{c......B*>y..6.......1f.r../.....\.@..2J...w.....0.8..D.;.<de..p.G.i....'...*.&.B..W<..I2.......!..w&.=I.P..x..e.kH......K.......[*..9..3....(...,..T.i.JP.W.%w.w=..r.w7X... 6.....Z...Q..bN..H..<..d..Q7...w..?.. Q......Y[g._....e...%m+6k.h.oT.\..aF.(..%....k..*L.....O..........B........ .....B..9."....w. ..s..a....U@....N..(}.}D....8 ..k..Rp..\.1..).4.]{..9..&.X._...t}...v.1...p%Ts.B-'...`_>......0.<1..Cqd....l'.....c.}8XB..8..,.m6Zm.v..X+..wG.pq...MY`.g....hX..........2..%.G.O....h....I...G....c......J_.pF|;f.v.....X.i......b....7d.%...24..s..h......v`...M7....o.`....&..,.E.0:.u...F....q.;..n..,..s.-.r*..........S.m...5.+.U.....~.h7.Z..sX..>"...zU.g1<.hA...../%......N.G.n?..FJ.v.....k...$.X.LCN..T.^O..)..=.l..e,.P.*+xuF...Q.D..qC6...jr..I..7...Et...VV ..d1...2_W..Y&.;.
      Process:C:\Users\user\Desktop\Transferencia.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):35
      Entropy (8bit):4.193429088311724
      Encrypted:false
      SSDEEP:3:Nn4y2XEIIz4Acv:t12ez4Acv
      MD5:459F02DD36C8D63BCDF3A4078AEBD592
      SHA1:C61BA4265FB1C24ED73775149BB1F9A62B688CC9
      SHA-256:428CF1D18B7B06811B313C57DF8D240EB44350F63336BD2822B3477525C8BC1A
      SHA-512:A90C2BF7B01C34C5E6E16BA0391258942EDE941424BEF83398F5FE6F8936D75AD68148787F51AE80E03F565D6533811726D8C958888DE02738F514383AA7F7F6
      Malicious:false
      Reputation:low
      Preview:[surucucu]..Lockram2=strandlberen..
      Process:C:\Users\user\Desktop\Transferencia.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):12288
      Entropy (8bit):5.814115788739565
      Encrypted:false
      SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
      MD5:CFF85C549D536F651D4FB8387F1976F2
      SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
      SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
      SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
      Malicious:false
      Antivirus:
      • Antivirus: Virustotal, Detection: 0%, Browse
      • Antivirus: Metadefender, Detection: 0%, Browse
      • Antivirus: ReversingLabs, Detection: 0%
      Reputation:moderate, very likely benign file
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
      Entropy (8bit):7.5547497516761295
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:Transferencia.exe
      File size:254208
      MD5:fb1d131568bdd2fa951608534f83a75c
      SHA1:ff02df2cb07c221b8ed3583c6dafb8c0e35684f8
      SHA256:42625067621ac2dba6b95e565a48454637f46185356034da214a00a3d453c971
      SHA512:ef46d1fc90b046234a2939d1cbbadeb99cca056bfba74b3b1480af1a1171698a436cc23a809c8f0ec9f2ce5ca45d91db31151311415ed38a137070924476dc10
      SSDEEP:6144:s3yztNlmkDzzo+3sYIEJwqq1XPo6BktVrQGs20z:s3+FvzxsPXj1/o6Aiz
      TLSH:2344D01E3225C4E6F88883765F3A9B0B198FAC03219105177772BBB99B39383C95F5D5
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L...h.Oa.................h....:....
      Icon Hash:8803969c49c2c3c0
      Entrypoint:0x40350a
      Entrypoint Section:.text
      Digitally signed:true
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Time Stamp:0x614F9A68 [Sat Sep 25 21:53:44 2021 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:56a78d55f3f7af51443e58e0ce2fb5f6
      Signature Valid:false
      Signature Issuer:CN=&#34;Talonen Pral NONPERFECTIBILITY Unmigrant6 &#34;, O=ORDLYDEN, L=Bourg-Saint-Maurice, S=Auvergne-Rh&#195;&#180;ne-Alpes, C=FR
      Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
      Error Number:-2146762487
      Not Before, Not After
      • 5/10/2022 12:58:17 PM 5/10/2023 12:58:17 PM
      Subject Chain
      • CN=&#34;Talonen Pral NONPERFECTIBILITY Unmigrant6 &#34;, O=ORDLYDEN, L=Bourg-Saint-Maurice, S=Auvergne-Rh&#195;&#180;ne-Alpes, C=FR
      Version:3
      Thumbprint MD5:C01462F3E1A1421FC7156C98C104EC74
      Thumbprint SHA-1:92A7393883A3AF47A744D137119C6E6BAEA9BC27
      Thumbprint SHA-256:41ACF6A35BC3571C0748976A332965863E86A47C8FBBED9FE240EE0D66E8DEA9
      Serial:F7E6FA3055C43850
      Instruction
      push ebp
      mov ebp, esp
      sub esp, 000003F4h
      push ebx
      push esi
      push edi
      push 00000020h
      pop edi
      xor ebx, ebx
      push 00008001h
      mov dword ptr [ebp-14h], ebx
      mov dword ptr [ebp-04h], 0040A2E0h
      mov dword ptr [ebp-10h], ebx
      call dword ptr [004080CCh]
      mov esi, dword ptr [004080D0h]
      lea eax, dword ptr [ebp-00000140h]
      push eax
      mov dword ptr [ebp-0000012Ch], ebx
      mov dword ptr [ebp-2Ch], ebx
      mov dword ptr [ebp-28h], ebx
      mov dword ptr [ebp-00000140h], 0000011Ch
      call esi
      test eax, eax
      jne 00007F0474C9CC0Ah
      lea eax, dword ptr [ebp-00000140h]
      mov dword ptr [ebp-00000140h], 00000114h
      push eax
      call esi
      mov ax, word ptr [ebp-0000012Ch]
      mov ecx, dword ptr [ebp-00000112h]
      sub ax, 00000053h
      add ecx, FFFFFFD0h
      neg ax
      sbb eax, eax
      mov byte ptr [ebp-26h], 00000004h
      not eax
      and eax, ecx
      mov word ptr [ebp-2Ch], ax
      cmp dword ptr [ebp-0000013Ch], 0Ah
      jnc 00007F0474C9CBDAh
      and word ptr [ebp-00000132h], 0000h
      mov eax, dword ptr [ebp-00000134h]
      movzx ecx, byte ptr [ebp-00000138h]
      mov dword ptr [007A8B18h], eax
      xor eax, eax
      mov ah, byte ptr [ebp-0000013Ch]
      movzx eax, ax
      or eax, ecx
      xor ecx, ecx
      mov ch, byte ptr [ebp-2Ch]
      movzx ecx, cx
      shl eax, 10h
      or eax, ecx
      Programming Language:
      • [EXP] VC++ 6.0 SP5 build 8804
      NameVirtual AddressVirtual Size Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_IMPORT0x85040xa0.rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE0x3da0000x139f0.rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
      IMAGE_DIRECTORY_ENTRY_SECURITY0x3da380x6c8.data
      IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_IAT0x80000x2b0.rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
      .text0x10000x66700x6800False0.667931189904data6.43600264122IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .rdata0x80000x139a0x1400False0.45data5.14577456407IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data0xa0000x39eb780x600unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
      .ndata0x3a90000x310000x0False0empty0.0IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .rsrc0x3da0000x139f00x13a00False0.570872312898data6.54983643379IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      NameRVASizeTypeLanguageCountry
      RT_ICON0x3da3580x8592PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
      RT_ICON0x3e28f00x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 1056964863EnglishUnited States
      RT_ICON0x3e6b180x25a8dataEnglishUnited States
      RT_ICON0x3e90c00x1a68dataEnglishUnited States
      RT_ICON0x3eab280x10a8dataEnglishUnited States
      RT_ICON0x3ebbd00x988dataEnglishUnited States
      RT_ICON0x3ec5580x6b8dataEnglishUnited States
      RT_ICON0x3ecc100x468GLS_BINARY_LSB_FIRSTEnglishUnited States
      RT_DIALOG0x3ed0780x100dataEnglishUnited States
      RT_DIALOG0x3ed1780x11cdataEnglishUnited States
      RT_DIALOG0x3ed2980xc4dataEnglishUnited States
      RT_DIALOG0x3ed3600x60dataEnglishUnited States
      RT_GROUP_ICON0x3ed3c00x76dataEnglishUnited States
      RT_VERSION0x3ed4380x274dataEnglishUnited States
      RT_MANIFEST0x3ed6b00x33eXML 1.0 document, ASCII text, with very long lines, with no line terminatorsEnglishUnited States
      DLLImport
      ADVAPI32.dllRegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
      SHELL32.dllSHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
      ole32.dllOleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
      COMCTL32.dllImageList_Create, ImageList_Destroy, ImageList_AddMasked
      USER32.dllGetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
      GDI32.dllSetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
      KERNEL32.dllGetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
      DescriptionData
      LegalCopyrightMarkedsana
      FileVersion24.8.29
      CompanyNamevugvalidatin
      LegalTrademarksMETACINNAB
      CommentsSpiroloculin113
      ProductNameLeuk
      FileDescriptionJanfridelefrek82
      Translation0x0409 0x04b0
      Language of compilation systemCountry where language is spokenMap
      EnglishUnited States
      No network behavior found
      No statistics
      Target ID:0
      Start time:13:18:06
      Start date:11/05/2022
      Path:C:\Users\user\Desktop\Transferencia.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\Transferencia.exe"
      Imagebase:0x400000
      File size:254208 bytes
      MD5 hash:FB1D131568BDD2FA951608534F83A75C
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.756250628.0000000002D50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
      Reputation:low

      No disassembly