Windows Analysis Report
98765434567890.exe

Overview

General Information

Sample Name:98765434567890.exe
Analysis ID:755084
MD5:1c4e3e615e3596572062bca5ec498d41
SHA1:40365b3026ba2fca699462877fc106d58d2406c2
SHA256:622163e09e5ad5324887c02d7834628d7213015fc48d286d69b4a90fa17a772d
Tags:exesigned

Detection

GuLoader
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Stores files to the Windows start menu directory
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • 98765434567890.exe (PID: 5852 cmdline: C:\Users\user\Desktop\98765434567890.exe MD5: 1C4E3E615E3596572062BCA5EC498D41)
  • cleanup
No configs have been found
Yara matches (source, rule, description, author):
  00000000.00000002.765192426.0000000003410000.00000040.00001000.00020000.00000000.sdmp (memory dump, base 0x03410000): JoeSecurity_GuLoader_2, Yara detected GuLoader, Joe Security
  00000000.00000002.764218177.0000000000840000.00000004.00000020.00020000.00000000.sdmp (memory dump, base 0x00840000): JoeSecurity_GuLoader_3, Yara detected GuLoader, Joe Security
  Process Memory Space: 98765434567890.exe PID: 5852: JoeSecurity_GuLoader_3, Yara detected GuLoader, Joe Security
No Sigma rule has matched
No Snort rule has matched

Source: 98765434567890.exe, static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 98765434567890.exe, static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\98765434567890.exe, code function 0_2_00406555: FindFirstFileW, FindClose
Source: C:\Users\user\Desktop\98765434567890.exe, code function 0_2_00405A03: CloseHandle, GetTempPathW, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\98765434567890.exe, code function 0_2_0040287E: FindFirstFileW
Source: 98765434567890.exe, string found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 98765434567890.exe, string found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: 98765434567890.exe, string found in binary or memory: http://s.symcd.com06
Source: 98765434567890.exe, string found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: 98765434567890.exe, string found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: 98765434567890.exe, string found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: 98765434567890.exe, string found in binary or memory: https://d.symcb.com/cps0%
Source: 98765434567890.exe, string found in binary or memory: https://d.symcb.com/rpa0
Source: 98765434567890.exe, string found in binary or memory: https://d.symcb.com/rpa0.
The nsis.sf.net string identifies the outer layer as an NSIS installer stub. The symcb.com, symcd.com and ws.symantec.com URLs are CRL, OCSP, CPS and timestamp-CA links carried inside the embedded Authenticode signature (the one the report flags as invalid); they are certificate metadata, not addresses the sample contacts, which is consistent with the zero DNS and IP counts in the classification label.
Source: C:\Users\user\Desktop\98765434567890.exe, code function 0_2_004054B0: GetDlgItem, GetDlgItem, GetDlgItem, GetDlgItem, GetClientRect, GetSystemMetrics, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, ShowWindow, ShowWindow, GetDlgItem, SendMessageW, SendMessageW, SendMessageW, GetDlgItem, CreateThread, CloseHandle, ShowWindow, ShowWindow, ShowWindow, ShowWindow, SendMessageW, CreatePopupMenu, AppendMenuW, GetWindowRect, TrackPopupMenu, SendMessageW, OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, SendMessageW, GlobalUnlock, SetClipboardData, CloseClipboard
Source: C:\Users\user\Desktop\98765434567890.exe, code function 0_2_0040344A (EntryPoint): SetErrorMode, GetVersion, lstrlenA, #17, OleInitialize, SHGetFileInfoW, GetCommandLineW, GetModuleHandleW, CharNextW, GetTempPathW, GetTempPathW, GetWindowsDirectoryW, lstrcatW, GetTempPathW, lstrcatW, SetEnvironmentVariableW, SetEnvironmentVariableW, SetEnvironmentVariableW, DeleteFileW, OleUninitialize, ExitProcess, lstrcatW, lstrcatW, lstrcatW, lstrcmpiW, SetCurrentDirectoryW, DeleteFileW, CopyFileW, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess
The OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx sequence (enable a privilege on the process token, then ask Windows to log off, shut down or reboot) is what produces the "shutdown / reboot" signature. In an NSIS stub this sequence is consistent with the installer's own reboot-on-completion path, so on its own it is not evidence of sample-specific behaviour.
Source: C:\Users\user\Desktop\98765434567890.exe, code function 0_2_00404CED (no API calls listed)
Source: C:\Users\user\Desktop\98765434567890.exe, code function 0_2_004068DA (no API calls listed)
Source: 98765434567890.exe, static PE information: invalid certificate
Source: libgiognutls.dll.0.dr, static PE information: number of sections: 11 > 10
Source: C:\Users\user\Desktop\98765434567890.exe, process stats: CPU usage > 98%
Source: C:\Users\user\Desktop\98765434567890.exe, file read: C:\Users\user\Desktop\98765434567890.exe
Source: 98765434567890.exe, static PE information: section .text: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\98765434567890.exe, key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\98765434567890.exe, key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\98765434567890.exe, file created: C:\Users\user~1\AppData\Local\Temp\nsf214F.tmp
Source: classification engine, classification label: mal60.troj.evad.winEXE@1/4@0/0 (reads as: malicious, score 60, trojan, evasive, Windows EXE; 1 process, 4 dropped files; 0 DNS queries, 0 IP contacts)
Source: C:\Users\user\Desktop\98765434567890.exe, code function 0_2_00402104: CoCreateInstance
Source: C:\Users\user\Desktop\98765434567890.exe, file read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\98765434567890.exe, code function 0_2_00404771: GetDlgItem, SetWindowTextW, SHBrowseForFolderW, CoTaskMemFree, lstrcmpiW, lstrcatW, SetDlgItemTextW, GetDiskFreeSpaceW, MulDiv, SetDlgItemTextW

        Data Obfuscation

Source: Yara match, file source: 00000000.00000002.764218177.0000000000840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: 98765434567890.exe PID: 5852, type: MEMORYSTR
Source: Yara match, file source: 00000000.00000002.765192426.0000000003410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\98765434567890.exe, code function 0_2_10002DE0: push eax; ret (function end 0_2_10002E0E)
Source: libgiognutls.dll.0.dr, static PE information: section name: .xdata
Source: C:\Users\user\Desktop\98765434567890.exe, code function 0_2_10001B18: GlobalAlloc, lstrcpyW, lstrcpyW, GlobalFree, GlobalFree, GlobalFree, GlobalFree, GlobalFree, GlobalFree, lstrcpyW, GetModuleHandleW, LoadLibraryW, GetProcAddress, lstrlenW
The two functions at 0x1000xxxx lie far outside the main executable's code (its functions are at 0x0040xxxx), so they belong to a separately loaded module rather than to the stub's own .text. 0x10001B18 is a GetModuleHandleW / LoadLibraryW / GetProcAddress resolver, the pattern behind the "dynamically determine API calls" signature; push eax; ret at 0x10002DE0 is a return-based jump to a computed address, the pattern behind the "call, push, ret" obfuscation signature.
Source: C:\Users\user\Desktop\98765434567890.exe, file created (dropped file): C:\Users\user\AppData\Local\Temp\nsa22B8.tmp\System.dll
Source: C:\Users\user\Desktop\98765434567890.exe, file created (dropped file): C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\X\Unsalty\libgiognutls.dll
Source: C:\Users\user\Desktop\98765434567890.exe, file created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93
Source: C:\Users\user\Desktop\98765434567890.exe, file created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\antagonizing
Source: C:\Users\user\Desktop\98765434567890.exe, file created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\antagonizing\Trespassage
Source: C:\Users\user\Desktop\98765434567890.exe, file created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\antagonizing\Trespassage\Importprisernes.Qui
Source: C:\Users\user\Desktop\98765434567890.exe, file created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\X
Source: C:\Users\user\Desktop\98765434567890.exe, file created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\X\Unsalty
Source: C:\Users\user\Desktop\98765434567890.exe, file created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\X\Unsalty\Epithem.Dre
Everything under Start Menu\Stempelpligtig93 is written by the installer: a tree of random dictionary-word directory names holding two non-PE payload files (Importprisernes.Qui, Epithem.Dre) and one PE, libgiognutls.dll, which was never loaded during the run. System.dll under Temp\nsa22B8.tmp matches the name and location of the NSIS System plugin, which is what gives the stub the LoadLibraryW / GetProcAddress capability seen above.
Source: C:\Users\user\Desktop\98765434567890.exe, process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

Source: C:\Users\user\Desktop\98765434567890.exe, RDTSC instruction interceptor: first address 0000000003415088, second address 0000000003415088, instructions:
    0x00000000  rdtsc
    0x00000002  cmp ebx, ecx
    0x00000004  jc 00007FB4785ACE05h
    0x00000006  cmp dh, ah
    0x00000008  inc ebp
    0x00000009  cmp ax, cx
    0x0000000c  inc ebx
    0x0000000d  rdtsc
The block is bracketed by two rdtsc reads with only filler compares and increments between them, the standard way of measuring how many cycles a short stretch of code takes: a hypervisor that traps RDTSC, or a sandbox that single-steps or intercepts it, makes that delta far larger than on bare metal. The address 0x03415088 is 0x5088 bytes above the base of the 0x03410000 memory dump that carries the JoeSecurity_GuLoader_2 Yara hit, and it lies outside both the main image (0x0040xxxx) and the 0x1000xxxx module, so the timing loop executes from memory written at run time, where the unpacked GuLoader stage is expected. A tight loop of this kind also explains the > 98% CPU usage recorded above.
Source: C:\Users\user\Desktop\98765434567890.exe, dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\X\Unsalty\libgiognutls.dll
Source: C:\Users\user\Desktop\98765434567890.exe, API call chain: ExitProcess graph end node (graph_0-4480)
Source: C:\Users\user\Desktop\98765434567890.exe, API call chain: ExitProcess graph end node (graph_0-4322)
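The rdtsc ... rdtsc block logged by the interceptor is the raw form of a timing check. The program below is an added example, not code from the Joe Sandbox report or from the sample: it implements that check the way a loader would, with repeated samples, a median to suppress interrupt noise, and a decision threshold. The threshold, the filler instructions between the two reads, the sample count and the non-x86 clock_gettime fallback are all assumptions chosen for illustration, not values recovered from the sample.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example; not the sample's code. Thresholds and filler are assumptions. */

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
/* Read the time-stamp counter, the same instruction the sample executes twice. */
static uint64_t read_counter(void) { return __rdtsc(); }
#else
#include <time.h>
/* Fallback for non-x86 hosts (assumption): nanoseconds of CLOCK_MONOTONIC
 * instead of cycles, so the program still builds and runs. */
static uint64_t read_counter(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* One measurement: two back-to-back reads with a few cheap instructions
 * between them, mirroring the rdtsc / cmp / inc / rdtsc block in the report.
 * rdtsc is not serialising, so real loaders often fence it with cpuid;
 * that is omitted here to keep the measured stretch minimal. */
uint64_t sample_delta(void) {
    volatile uint32_t filler = 0;
    uint64_t t0 = read_counter();
    filler += 1;            /* stands in for the cmp/inc filler */
    filler += 2;
    uint64_t t1 = read_counter();
    return t1 - t0;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples. A single sample is useless: an interrupt or a
 * frequency change between the two reads inflates it on bare metal too,
 * which is why loaders sample repeatedly rather than trusting one delta. */
uint64_t median_delta(unsigned n) {
    if (n == 0 || n > 4096) n = 64;
    uint64_t buf[4096];
    for (unsigned i = 0; i < n; i++) buf[i] = sample_delta();
    qsort(buf, n, sizeof buf[0], cmp_u64);
    return buf[n / 2];
}

/* Decision. On bare metal the delta is a few tens of cycles. Under a
 * hypervisor that exits on RDTSC, or a sandbox that intercepts it, the
 * delta is orders of magnitude larger. THRESHOLD_CYCLES is an assumption. */
#define THRESHOLD_CYCLES 1000ull
int looks_instrumented(uint64_t delta, uint64_t threshold) {
    return delta > threshold;
}

int main(void) {
    uint64_t d = median_delta(64);
    printf("median rdtsc delta: %llu -> %s\n", (unsigned long long)d,
           looks_instrumented(d, THRESHOLD_CYCLES) ? "instrumented" : "native");
    return 0;
}
```

Build with `cc -O1 rdtsc_check.c` and run it on a physical host, then inside a VM. Two practical points follow from this. First, modern hypervisors do not trap RDTSC by default (the counter is offset in hardware), so a fixed threshold like the one above misfires in both directions; loaders compensate by repeating the measurement many times and by combining it with other checks, which is part of why the report records the loop rather than a single read. Second, the sandbox's "RDTSC instruction interceptor" is exactly the kind of instrumentation this check targets: the analyst-side countermeasure is to return counter values that advance by a small, plausible amount between the two reads instead of exposing the real cost of the interception.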
MITRE ATT&CK matrix (matched techniques per tactic; the number in parentheses is how many signatures mapped to that technique)

Execution: Native API (1)
Persistence: Registry Run Keys / Startup Folder (1)
Privilege Escalation: Registry Run Keys / Startup Folder (1), Access Token Manipulation (1)
Defense Evasion: Access Token Manipulation (1), Obfuscated Files or Information (1)
Discovery: Security Software Discovery (1), File and Directory Discovery (2), System Information Discovery (13)
Collection: Archive Collected Data (1), Clipboard Data (1)
Command and Control: Encrypted Channel (1)
Impact: System Shutdown/Reboot (1)

No techniques matched under Initial Access, Credential Access, Lateral Movement, Exfiltration, Network Effects or Remote Service Effects.