
Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe
Analysis ID: 755965
MD5: 7081c4822cf1c7572dd82822b8f27c49
SHA1: 4ee3b6c423b1c9ebf5befbc73d1eef0c576cf026
SHA256: b5330f82f3c5c3f223ae9decd3ebdcd74d1a13d95b1c42bd7b2de4e6c6cb0083

Detection

GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect Any.run
Uses 32bit PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000001.00000002.39673477269.0000000003320000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000005.00000000.39479578905.0000000001660000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

No Sigma rule has matched
No Snort rule has matched


      AV Detection

Source: SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe; Virustotal: Detection: 29%
Source: SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe; ReversingLabs: Detection: 19%
Source: SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb; source: SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe, 00000005.00000001.39482313722.0000000000649000.00000008.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP; source: SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe, 00000005.00000003.39652897969.000000001D5B7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe, 00000005.00000002.44194181907.000000001D88D000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe, 00000005.00000002.44191646427.000000001D760000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe, 00000005.00000003.39647697379.000000001D40D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe, SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe, 00000005.00000003.39652897969.000000001D5B7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe, 00000005.00000002.44194181907.000000001D88D000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe, 00000005.00000002.44191646427.000000001D760000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe, 00000005.00000003.39647697379.000000001D40D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP; source: SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe, 00000005.00000001.39482313722.0000000000649000.00000008.00000001.01000000.00000005.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe; Code function: 1_2_00406555 FindFirstFileW,FindClose; 1_2_00406555
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe; Code function: 1_2_00405A03 CloseHandle,GetT
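The two "Static PE information" lines above are the COFF Characteristics and the optional-header DllCharacteristics flags of the submitted file, and the signature list separately flags non-standard section names and an unusual section count. The script below is an added example, not Joe Sandbox code and not taken from the report: it decodes both flag words from a raw PE header, lists section names that are not toolchain defaults, and checks one combination that matters when reading this report, DYNAMIC_BASE together with RELOCS_STRIPPED. The Windows loader cannot rebase an image whose relocations were stripped, so ASLR does nothing for such a file regardless of DYNAMIC_BASE. The PE bytes it analyses are constructed in build_sample() (a header-only image carrying the same two flag sets the report lists; the section names are made up), and parse_pe, build_sample and report_sample are this example's own names.

```python
"""Static PE triage for the flag sets a sandbox report lists.

Example code added to this page; not Joe Sandbox code.  The sample PE
is constructed in build_sample() below (a bare header, no code), so the
script runs offline.  Function names are the example's own.
"""
import struct

# IMAGE_FILE_* Characteristics bits (COFF file header, offset 18)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}

# IMAGE_DLLCHARACTERISTICS_* bits (optional header, offset 70 in PE32 and PE32+)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Section names commonly emitted by Microsoft and GNU toolchains; anything
# else deserves a look (packers and installers tend to use their own).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".xdata"}


def _names(value, table):
    """Return the flag names set in `value`, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Parse DOS, COFF and optional headers plus the section table from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, _ts, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                    # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sec_table = opt + opt_size
    sections = []
    for i in range(nsections):                         # 40-byte section headers, name first
        raw = data[sec_table + i * 40: sec_table + i * 40 + 8]
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    file_flags = _names(characteristics, FILE_CHARACTERISTICS)
    dll_flags = _names(dll_chars, DLL_CHARACTERISTICS)
    return {
        "machine": machine,
        "magic": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "file_characteristics": file_flags,
        "dll_characteristics": dll_flags,
        "sections": sections,
        "nonstandard_sections": [s for s in sections if s not in STANDARD_SECTIONS],
        # The loader cannot rebase an image without relocations, so ASLR is
        # only effective when DYNAMIC_BASE is set AND relocations are present.
        "aslr_effective": "DYNAMIC_BASE" in dll_flags
                          and "RELOCS_STRIPPED" not in file_flags,
    }


def build_sample(characteristics, dll_characteristics, section_names):
    """Construct a minimal PE32 header-only image carrying the given flags.
    Test input built here for the example, not a real sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))           # e_lfanew: PE header follows DOS header
    opt = bytearray(224)                                   # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic = PE32
    struct.pack_into("<H", opt, 70, dll_characteristics)   # DllCharacteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       len(opt), characteristics)          # Machine = IMAGE_FILE_MACHINE_I386
    secs = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32)
                    for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


def report_sample():
    """Build a PE with the same flag sets the report lists and triage it."""
    sample = build_sample(
        characteristics=0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100,
        dll_characteristics=0x0040 | 0x0100 | 0x0400 | 0x8000,
        section_names=[".text", ".rdata", ".data", ".ndata", ".rsrc"],  # constructed names
    )
    return parse_pe(sample)


if __name__ == "__main__":
    for key, val in report_sample().items():
        print(f"{key}: {val}")
```

Run it on a real file by replacing the constructed bytes with `open(path, "rb").read()`; for anything beyond header flags (imports, certificate validity, overlay size) use pefile, but the offsets above are enough to confirm the two flag lines and to see that DYNAMIC_BASE is moot for this file because its relocations are stripped.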