Windows
Analysis Report
SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe
Overview
General Information
Detection: GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect Any.run
Uses 32bit PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for reading data from the clipboard
Classification
- System is w10x64native
- SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe (PID: 6064, cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe, MD5: 7081C4822CF1C7572DD82822B8F27C49)
- SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe (PID: 6832, cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe, MD5: 7081C4822CF1C7572DD82822B8F27C49)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
No Sigma rule has matched
No Snort rule has matched
AV Detection
- Source: Virustotal (Perma Link)
- Source: ReversingLabs
- Source: Static PE information
- Source: Static PE information
- Source: Binary string
- Source: Binary string
- Source: Binary string
- Source: Binary string
- Source: Code function: 1_2_00406555
- Source: Code function