
Windows Analysis Report
CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Overview

General Information

Sample Name: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Analysis ID: 736949
MD5: 045f22ce9be3d33b07a00780ee66fcfd
SHA1: 91b74e75d55c33d8d82b10bed51ca7d3ad80147c
SHA256: e05ec32c2edc10b6917a3cbcac9d823cb37db908cc51f3ec459800992e2b8b37

Detection

GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Executable has a suspicious name (potential lure to open the executable)
Uses 32bit PE files
Drops PE files
Contains functionality to shutdown / reboot the system
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Contains functionality to read data from the clipboard

Classification

  • System is w10x64
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.835753026.0000000002A70000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
    No Sigma rule has matched
    No Snort rule has matched

    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bestyrelsesformanden
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_0040676F FindFirstFileW,FindClose,
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_00402902 FindFirstFileW,
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File opened: C:\Users\user\AppData\Roaming
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File opened: C:\Users\user
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File opened: C:\Users\user\AppData
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | String found in binary or memory: https://www.globalsign.com/repository/0
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_004055B8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

    System Summary

    Source: initial sample | Static PE information: Filename: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Static file information: Suspicious name
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_00407458
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_00406C81
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_739A1B5F
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Static PE information: invalid certificate
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Process Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File read: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File created: C:\Users\user\AppData\Roaming\Shoved
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File created: C:\Users\user\AppData\Local\Temp\nsc73B.tmp
    Source: classification engine | Classification label: mal60.troj.evad.winEXE@1/3@0/0
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_004021A2 CoCreateInstance,
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_00404858 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bestyrelsesformanden
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Data Obfuscation

    Source: Yara match | File source: 00000000.00000002.835753026.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_739A1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File created: C:\Users\user\AppData\Local\Temp\nso5721.tmp\System.dll
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | RDTSC instruction interceptor: First address: 0000000002A702EA, second address: 0000000002A702EA, instructions:
        0x00000000 rdtsc
        0x00000002 test cx, ax
        0x00000005 test cx, cx
        0x00000008 cmp ebx, ecx
        0x0000000a jc 00007F4CDCB7714Fh
        0x0000000c test al, bl
        0x0000000e inc ebp
        0x0000000f test ah, ah
        0x00000011 inc ebx
        0x00000012 clc
        0x00000013 rdtsc
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_0040676F FindFirstFileW,FindClose,
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_00402902 FindFirstFileW,
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | API call chain: ExitProcess graph end node
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | API call chain: ExitProcess graph end node
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File opened: C:\Users\user\AppData\Roaming
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File opened: C:\Users\user
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File opened: C:\Users\user\AppData
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_739A1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | Code function: 0_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    MITRE ATT&CK matrix (one line per tactic; a number in parentheses is the count of matching signatures, techniques without a number are the unmatched matrix template):
    Initial Access: Valid Accounts | Default Accounts | Domain Accounts
    Execution: Native API (1) | Scheduled Task/Job | At (Linux)
    Persistence: Windows Service (1) | Boot or Logon Initialization Scripts | Logon Script (Windows)
    Privilege Escalation: Access Token Manipulation (1) | Windows Service (1) | Logon Script (Windows)
    Defense Evasion: Masquerading (1) | Access Token Manipulation (1) | Obfuscated Files or Information
    Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager
    Discovery: Security Software Discovery (1) | File and Directory Discovery (3) | System Information Discovery (13)
    Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
    Collection: Archive Collected Data (1) | Clipboard Data (1) | Data from Network Shared Drive
    Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
    Command and Control: Encrypted Channel (1) | Junk Data | Steganography
    Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location
    Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
    Impact: System Shutdown/Reboot (1) | Device Lockout | Delete Device Data
    Source | Detection | Scanner | Label
    CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | 10% | ReversingLabs | Win32.Downloader.Minix
    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Local\Temp\nso5721.tmp\System.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Temp\nso5721.tmp\System.dll | 1% | Virustotal |
    C:\Users\user\AppData\Local\Temp\nso5721.tmp\System.dll | 4% | Metadefender |
    No Antivirus matches
    No contacted domains info
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nsis.sf.net/NSIS_ErrorError | CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | false | | high
    No contacted IP infos
      Joe Sandbox Version: 36.0.0 Rainbow Opal
      Analysis ID: 736949
      Start date and time: 2022-11-03 12:21:13 +01:00
      Joe Sandbox Product: CloudBasic
      Overall analysis duration: 0h 7m 38s
      Hypervisor based Inspection enabled: false
      Report type: light
      Sample file name: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of new started processes analysed: 6
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Detection: MAL
      Classification: mal60.troj.evad.winEXE@1/3@0/0
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 85.3% (good quality ratio 83.8%)
      • Quality average: 86.9%
      • Quality standard deviation: 21.2%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Override analysis time to 240s for sample files taking high CPU consumption
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
      • Not all processes were analyzed; the report is missing behavior information
      Time | Type | Description
      12:22:10 | API Interceptor | 1x Sleep call for process: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe modified
      No context
      Process: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
      File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category: dropped
      Size (bytes): 12288
      Entropy (8bit): 5.737556724687435
      Encrypted: false
      SSDEEP: 192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL
      MD5: 6E55A6E7C3FDBD244042EB15CB1EC739
      SHA1: 070EA80E2192ABC42F358D47B276990B5FA285A9
      SHA-256: ACF90AB6F4EDC687E94AAF604D05E16E6CFB5E35873783B50C66F307A35C6506
      SHA-512: 2D504B74DA38EDC967E3859733A2A9CACD885DB82F0CA69BFB66872E882707314C54238344D45945DC98BAE85772ACEEF71A741787922D640627D3C8AE8F1C35
      Malicious: false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      • Antivirus: Virustotal, Detection: 1%
      • Antivirus: Metadefender, Detection: 4%
      Reputation: moderate, very likely benign file
      Process: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
      File Type: PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
      Category: dropped
      Size (bytes): 286
      Entropy (8bit): 6.880810677512409
      Encrypted: false
      SSDEEP: 6:6v/lhPysDQqinrW8/97kGwr/F+Elz3hsKrnLIuYK/SwtNVp:6v/7ZiK817kG3Mz3ZIiSoN7
      MD5: 03DEC13C99CA8B2766C9B4468E0E781B
      SHA1: DA2202AF040D5494D7281FAB003C748457255CEE
      SHA-256: DEBC1949821086D01AE4A60BFFF1A73CFF47E7AB100E9028556496C254C05655
      SHA-512: 566533ABC453A817570660154026D2206866073AB28CA6243C15AFF6A57C4A8B686EB7F23B4161EF4AE2A2C5C71F3DD6FD7271F4667A8C2E606D7CA19CC71FE7
      Malicious: false
      Reputation: low
      Process: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
      File Type: data
      Category: dropped
      Size (bytes): 106887
      Entropy (8bit): 7.75553468119485
      Encrypted: false
      SSDEEP: 1536:bYpDSzihO1IsnBzEfH5ZR0fha22stcSuYZtL+8VdfWuZTJrBWmlRsMM:mDcgO1IeQfH5ZRXstcgKodfhrBBDM
      MD5: 73A6739AA8670352F00CA22E28B2E5E3
      SHA1: 14B5E6BB7FA6A534D9CCB20C19F57D82C8C8D634
      SHA-256: 1E182B58911811ED9709B682EFE83DD96093AC013DA58698D2687E526E4D3B96
      SHA-512: 46D0E7F0B7EC4042B66B0CF98076D9E59157B3A011A9EB2E1238D4B5B579B9B9194F257F3B6DB9191F66F135232B0D9DA85360CBC8F87B612847FAE471083971
      Malicious: false
      Reputation: low
      File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
      Entropy (8bit): 7.688048037898308
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
      File size: 236896
      MD5: 045f22ce9be3d33b07a00780ee66fcfd
      SHA1: 91b74e75d55c33d8d82b10bed51ca7d3ad80147c
      SHA256: e05ec32c2edc10b6917a3cbcac9d823cb37db908cc51f3ec459800992e2b8b37
      SHA512: c363c64fe3b52d615601810b577168be5b3339ba6bde011ae0c76bbee76718782f8b737b0c9f6d82d34197045ce1c35389cba26622349bb2c0c77f62ed29d063
      SSDEEP: 6144:vT4DtMeWIPR0PVPCespE0s67yIMYxrzWJougaEzEk:vTpeZ00SI18ogC
      TLSH: 2134014177B5C463ED564A30C813A7F2A9B97C11D9E89F4707423E8EBC76382DA1A32D
      Icon Hash: 879b931b3bb3b393
      Entrypoint: 0x4034c5
      Entrypoint Section: .text
      Digitally signed: true
      Imagebase: 0x400000
      Subsystem: windows gui
      Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Time Stamp: 0x60FC9250 [Sat Jul 24 22:21:04 2021 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major: 4
      OS Version Minor: 0
      File Version Major: 4
      File Version Minor: 0
      Subsystem Version Major: 4
      Subsystem Version Minor: 0
      Import Hash: 6e7f9a29f2c85394521a08b9f31f6275
      Signature Valid: false
      Signature Issuer: OU="Squatterism Autodialing ", E=Wirestitched@Longobardian.No, O=driftier, L=West Tarbert, S=Scotland, C=GB
      Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
      Error Number: -2146762487
      Not Before / Not After:
      • 7/17/2022 6:44:12 PM / 7/16/2025 6:44:12 PM
      Subject Chain:
      • OU="Squatterism Autodialing ", E=Wirestitched@Longobardian.No, O=driftier, L=West Tarbert, S=Scotland, C=GB
      Version: 3
      Thumbprint MD5: CE0B0A248006454637FB21369D393B35
      Thumbprint SHA-1: FDB8159D5CAE5E96B90D0300979493249FE76435
      Thumbprint SHA-256: 67AA1334C6C443A496FCD527B5F1A30A2CA661AC20D33E7BCCADEF6982D2575C
      Serial: 33616A6CE5467077
      Instruction
      sub esp, 000002D4h
      push ebx
      push esi
      push edi
      push 00000020h
      pop edi
      xor ebx, ebx
      push 00008001h
      mov dword ptr [esp+14h], ebx
      mov dword ptr [esp+10h], 0040A2E0h
      mov dword ptr [esp+1Ch], ebx
      call dword ptr [004080CCh]
      call dword ptr [004080D0h]
      and eax, BFFFFFFFh
      cmp ax, 00000006h
      mov dword ptr [00434F0Ch], eax
      je 00007F4CDCBD8053h
      push ebx
      call 00007F4CDCBDB341h
      cmp eax, ebx
      je 00007F4CDCBD8049h
      push 00000C00h
      call eax
      mov esi, 004082B0h
      push esi
      call 00007F4CDCBDB2BBh
      push esi
      call dword ptr [00408154h]
      lea esi, dword ptr [esi+eax+01h]
      cmp byte ptr [esi], 00000000h
      jne 00007F4CDCBD802Ch
      push 0000000Bh
      call 00007F4CDCBDB314h
      push 00000009h
      call 00007F4CDCBDB30Dh
      push 00000007h
      mov dword ptr [00434F04h], eax
      call 00007F4CDCBDB301h
      cmp eax, ebx
      je 00007F4CDCBD8051h
      push 0000001Eh
      call eax
      test eax, eax
      je 00007F4CDCBD8049h
      or byte ptr [00434F0Fh], 00000040h
      push ebp
      call dword ptr [00408038h]
      push ebx
      call dword ptr [00408298h]
      mov dword ptr [00434FD8h], eax
      push ebx
      lea eax, dword ptr [esp+34h]
      push 000002B4h
      push eax
      push ebx
      push 0042B228h
      call dword ptr [0040818Ch]
      push 0040A2C8h
      Programming Language:
      • [EXP] VC++ 6.0 SP5 build 8804
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7e000 | 0x147e8 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x37ca8 | 0x20b8 | .ndata
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x6793 | 0x6800 | False | 0.6720628004807693 | data | 6.495258513279076 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rdata | 0x8000 | 0x14a4 | 0x1600 | False | 0.4385653409090909 | data | 5.01371465125838 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0xa000 | 0x2b018 | 0x600 | False | 0.5240885416666666 | data | 4.155579717739458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .ndata | 0x36000 | 0x48000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .rsrc | 0x7e000 | 0x147e8 | 0x14800 | False | 0.8290658346036586 | data | 7.314494987254223 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      Name | RVA | Size | Type | Language | Country
      RT_BITMAP | 0x7e4f0 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States
      RT_ICON | 0x7e858 | 0x820b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
      RT_ICON | 0x86a68 | 0x39ac | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | English | United States
      RT_ICON | 0x8a418 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
      RT_ICON | 0x8c9c0 | 0x14fa | PNG image data, 256 x 256, 4-bit colormap, non-interlaced | English | United States
      RT_ICON | 0x8dec0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
      RT_ICON | 0x8ef68 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304 | English | United States
      RT_ICON | 0x8fe10 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | English | United States
      RT_ICON | 0x906b8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States
      RT_ICON | 0x90d20 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | English | United States
      RT_ICON | 0x91288 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
      RT_ICON | 0x916f0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States
      RT_ICON | 0x919d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States
      RT_DIALOG | 0x91b00 | 0x144 | data | English | United States
      RT_DIALOG | 0x91c48 | 0x13c | data | English | United States
      RT_DIALOG | 0x91d88 | 0x100 | data | English | United States
      RT_DIALOG | 0x91e88 | 0x11c | data | English | United States
      RT_DIALOG | 0x91fa8 | 0xc4 | data | English | United States
      RT_DIALOG | 0x92070 | 0xb6 | data | English | United States
      RT_DIALOG | 0x92128 | 0x60 | data | English | United States
      RT_GROUP_ICON | 0x92188 | 0xae | data | English | United States
      RT_VERSION | 0x92238 | 0x270 | data | English | United States
      RT_MANIFEST | 0x924a8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States
      DLL | Import
      ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
      SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
      ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
      COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
      USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
      GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
      KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
      Language of compilation system | Country where language is spoken
      English | United States
      No network behavior found
      No statistics
      Target ID: 0
      Start time: 12:22:10
      Start date: 03/11/2022
      Path: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
      Wow64 process (32bit): true
      Commandline: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
      Imagebase: 0x400000
      File size: 236896 bytes
      MD5 hash: 045F22CE9BE3D33B07A00780EE66FCFD
      Has elevated privileges: true
      Has administrator privileges: true
      Programmed in: C, C++ or other language
      Yara matches:
      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.835753026.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
      Reputation: low

      No disassembly