Windows
Analysis Report
rFACTURA_FAC_2023_1-1000733.PDF.exe
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- rFACTURA_FAC_2023_1-1000733.PDF.exe (PID: 5732 cmdline: C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe MD5: A6EF5ED777BA7369C2BB28E46B198BA6)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
(not shown) | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
(not shown) | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security | |
(not shown) | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
AV Detection
- Virustotal: 1 entry
- Static PE information: 1 entry
- Registry value created: 1 entry
- Static PE information: 1 entry
- Binary string: 4 entries
- Code function: 3 entries
- String found in binary or memory: 21 entries
- Code function: 1 entry
System Summary
- Static PE information: 1 entry
- Static PE information: 1 entry
- Static PE information: 1 entry
- Code function: 1 entry
- Code function: 1 entry
- Static PE information: 1 entry
- Process Stats: 1 entry
- Virustotal: 1 entry
- File read: 1 entry
- Static PE information: 1 entry
- Key opened: 1 entry
- Key value queried: 1 entry
- Code function: 1 entry
- File created: 1 entry
- Classification label: 1 entry
- Code function: 1 entry
- File read: 1 entry
- Code function: 1 entry
- Registry value created: 1 entry
- Static PE information: 1 entry
- Binary string: 4 entries
Data Obfuscation
- File source: 3 entries
- Code function: 1 entry
- Static PE information: 1 entry
- Code function: 1 entry
- File created (dropped file): 4 entries
Hooking and other Techniques for Hiding and Protection
- Static PE information: 1 entry
- Process information set: 1 entry
Malware Analysis System Evasion
- RDTSC instruction interceptor: 1 entry
- Dropped PE file which has not been started: 2 entries
- Code function: 3 entries
- API call chain: 2 entries
- Code function: 1 entry
- Code function: 1 entry
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Native API | 1 Windows Service | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Windows Service | 1 Access Token Manipulation | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 11 Obfuscated Files or Information | Security Account Manager | 13 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Timestomp | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
(not shown) | 20% | Virustotal | | Browse |
(not shown) | 5% | ReversingLabs | Win32.Trojan.Generic | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
(not shown) | 0% | ReversingLabs | | |
(not shown) | 0% | ReversingLabs | | |
(not shown) | 0% | ReversingLabs | | |
(not shown) | 0% | ReversingLabs | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
(not shown) | 0% | URL Reputation | safe | |
(not shown) | 0% | URL Reputation | safe | |
(not shown) | 0% | URL Reputation | safe | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(18 entries, names not shown) | | false | | high |
(3 entries, names not shown) | | false | | unknown |
Joe Sandbox Version: | 37.0.0 Beryl |
Analysis ID: | 830399 |
Start date and time: | 2023-03-20 10:47:06 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 9m 37s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 15 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | rFACTURA_FAC_2023_1-1000733.PDF.exe |
Detection: | MAL |
Classification: | mal76.troj.evad.winEXE@1/14@0/0 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtSetInformationFile calls found.
Dropped file (name not shown)
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 22842 |
Entropy (8bit): | 2.691165226704503 |
Encrypted: | false |
SSDEEP: | 384:WHfXmxNkvIy6aQ+y57fZOKip2EuiP7Ecw8b:WHfWxNkvIy6axy57fAK82EuiP7Ecw8b |
MD5: | 27DC252D9E7B26BA6BF2C6D437997658 |
SHA1: | F81398F1F6FC24692BA8DF740CA2BF2AB73B27D6 |
SHA-256: | 530F4F75B62CB7E1B585671E4F184AC9C667FC4335CDA4120D27136E6F4F0100 |
SHA-512: | 473F5FED1BA3F62088A6ABE0D383EE9220DAABCB8524EFE8AC502B7503F4ACBA3DDAC69BBF1E046B5235C51129F2BF55F54C1D75285D7C5EE824C6DCA88D323D |
Malicious: | false |
Reputation: | low |

C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\System.Reflection.TypeExtensions.dll
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 32368 |
Entropy (8bit): | 6.393948275188786 |
Encrypted: | false |
SSDEEP: | 384:yWweWqlXnYcLpSfX0lawccfNXLWrdzy+A2jc2EPLNtAf/uPHRN7AJ/AlGseC62c:EqlXYcgEAwcc17Wc+bj+PLHuMU/xjx2c |
MD5: | F2A123183E106BB1CF19376A8079D171 |
SHA1: | 2B96296BE92D5F2EF7C59A70858AF4CAABC99A9D |
SHA-256: | 896D4ED138C35ECF19AE432380096562872EAB103F7E352C15D214FD875B337A |
SHA-512: | FCA6A89EFB16780A06CD25A55638882970F03E1535180A0E463AF9794184B04EB345CF29B12D4F261094E04A584E9225A7AD36A62631227451059F64A77B3C67 |
Malicious: | false |
Antivirus: | |
Reputation: | moderate, very likely benign file |

C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\antiphthisical\Primar\Cunicular\Densimetric\System.Reflection.Primitives.dll
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 14952 |
Entropy (8bit): | 6.599053939997928 |
Encrypted: | false |
SSDEEP: | 192:mrlnC6xxk2R5Ws+Wql73WOL8/pCuPHnhWgN7aoWTF6lI+XqnajlkEv:6nbW2R5Ws+Wql7//uPHRN7SIImlqW |
MD5: | EDA04E04EBC0EBF7F8BBF30C4DAE6DE3 |
SHA1: | 7BC4D50E6EEC7F04A9272BFEE4E4DB6F278DBE63 |
SHA-256: | F3E55CB3ADFA93F563B09114D93062E680AB0864C220491458FBE151798B862F |
SHA-512: | 7027DA3404675596B71394B660E600DA12C0750895F624776362167869760555EE9990699FFC9E4407301FC9437B2F638E2734B8BDEF3C7054990FD5A9C86550 |
Malicious: | false |
Antivirus: | |
Reputation: | low |

C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\antiphthisical\Primar\Cunicular\Densimetric\Talestrmmene.Unr
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 224632 |
Entropy (8bit): | 7.3469254146259635 |
Encrypted: | false |
SSDEEP: | 3072:WQyWMNv4aM4IqtUHXAxcNxBrQeb8hlosuRUVGiyKrFyPlWUUVkUiXPQW/NhrsPPR:IWEbtUAixGhlo2I+hyEUJXVFm0XQ |
MD5: | D2BE5DE19D44424CCB3F89510938FB53 |
SHA1: | B98E5FD30E1DE7437187787AFE48AD516223E01F |
SHA-256: | 0796783FC019D2AD4F01FF7AF14C24A9D3CFBAAB2BB9B44945231A46B6774D2B |
SHA-512: | 6E54E8C97F5A10921DAD011AAD9FBBA1D4D622CF78F4C977A366EF6C7C49B35552A6100BFAFCC4464B34B351CC200AD9EE12406DDE37FC96C2614BD24A5D0553 |
Malicious: | true |
Yara Hits: | |

C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\battery-level-90-charging-symbolic.svg
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 6689 |
Entropy (8bit): | 5.135211840989561 |
Encrypted: | false |
SSDEEP: | 192:VkjcMIy2+X2I2F2C2G2fH7y8cQaVB2nnuy1FQOcQaVv2q22L2k2s:mjcM7u8xaV8nnL1FQOxaVu6 |
MD5: | C96D0DD361AFC6B812BDDD390B765A26 |
SHA1: | 71081F096719CAA70B9BAEF86FE642635D8E2765 |
SHA-256: | 6690799E5FA3FB0DD6CCE4BAC5AA1607C8A6BB16507854A87520C7DE53052E1B |
SHA-512: | 7C73BC880A9401C64AB0571957B414180C1B94137C7BC870BA602979E7A990640A37991CB87A40BC7E5942A37FDA25EFC58C759C00F4344BA3D88B9AA64182DA |
Malicious: | false |

C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\colorimeter-colorhug-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 227 |
Entropy (8bit): | 6.604776901672149 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPysE9Xj1F/bkqdXujFErL4MImATQZu22F+p:6v/7kR7/bjd8Kgm2Q/2y |
MD5: | 7843C38CC42C6786B3373F166AF10172 |
SHA1: | BA0163109D9B641B1312230B3F62E1E10A61AA5E |
SHA-256: | E3AF1293F8E8AB5C81300196AF55A7C15D5608291D46A2B86D4255910A7D0E59 |
SHA-512: | B1D3DF6A0A8CACD729CD9A2FD5AB0F74ED611270FA172CDBEB13D46FA71DD5CC5540A2FBFDB6C3004E652D317C8FAD4EC3AE437DF1C082B629870A33CC6BD34F |
Malicious: | false |

C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\media-playlist-consecutive-symbolic.svg
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 1329 |
Entropy (8bit): | 4.950241534342892 |
Encrypted: | false |
SSDEEP: | 24:t4Cp/YHyKbRAecFxVrGDT/Gfd8hTdyKbRAecFxVrGDT/bNxNxZrGQ:9YHNtAecFmDT/s8hdNtAecFmDT/j3YQ |
MD5: | 021A9F00A28C9D496E490AE951E8EF12 |
SHA1: | F8A6392065D07BAC72E138B0E47A24FFDCCEE74B |
SHA-256: | B420561770B77FCB47F69B6198B34B11155535F8A2E907BC4A0998CE74AFD340 |
SHA-512: | 7F4F2D904EA968BF68E35E0D7F1EAE9718234757D1989879996BFB49D9C447F67544CB0E1C441FD6539D58B5F2C6ACA7E9E0208738C235D9AF0C093511760212 |
Malicious: | false |

C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\network-offline-symbolic.svg
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 1155 |
Entropy (8bit): | 5.154592341044034 |
Encrypted: | false |
SSDEEP: | 24:t4CpQyhEXQDWu4AeWrGMyRQJaPahrGDfJcghSvOqlIQX6e4AeWrGMyp:vhjDWu4Ae3M5wSgDDontqe4Ae3MO |
MD5: | EFB3C780BC44B346B50B1F0DC6CF6D0F |
SHA1: | 472B0EDD1C4C3092BC7C4DF934ABE126885B1780 |
SHA-256: | 990859D3B2C830E23EC276BF1D38A38EE1BA3D89BF04CB138107E4CDE31167B5 |
SHA-512: | 5B9C96F146C6A065C89172D02BDE8020876DC9C78859AD2B8B9529C615215F88BA85C2789544F5C5A247C148BB52FE4B5FCA325E7EAC4826D31A0365A0B8BCBE |
Malicious: | false |

Dropped file (name not shown)
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 891 |
Entropy (8bit): | 7.745720384539504 |
Encrypted: | false |
SSDEEP: | 24:d4qWCHdkXfUZEcO5MkIi416cOQSkye9V+:d4qnHd8MkIi4Dpb6 |
MD5: | 5AF147D26AD399F83825377F04FD56A1 |
SHA1: | B378A498B0DB8114C794E21D533E80CEBE5DDE04 |
SHA-256: | 6147A091847FCC9D9EDB22E655C4FC9DE6632C76D4252350400FA286F9791109 |
SHA-512: | EEC16DE49A4698FE4F03F841FBCF045FBBDC9D634EB73ED35DB544B6DB4BC0135CD8E1DF102FD1E8BDE9FC75380948B4C0459685EE2C21858D645B7973759EA6 |
Malicious: | false |

C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\preferences-desktop-font-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 225 |
Entropy (8bit): | 6.596645802250635 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPysi5NuhsPwRngRfPq/3+phjSfVsup:6v/7thstJACSNsc |
MD5: | F894266AB6A933B2FDA751E6490C319A |
SHA1: | 2D2D3635198FEEFCB64D1D6B3CDCCDC4EA3DF4B0 |
SHA-256: | 95F533585B4C61936C369557B3B7E397E56545A4C9DB9A5BDDD0E9ABB7A7F7E7 |
SHA-512: | 977ED04753C3CB2B883D03A2A55001F6FCC8617DC3060B6C25AB7E5C691C3F76049E7DEADC7F6567AB7E8DC8492DE2874E8E632CF3EAD7B39ABC8CC98D331442 |
Malicious: | false |

C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\task-due-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 263 |
Entropy (8bit): | 6.731374842054556 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPysw9TXm0RZC/8xhbPgfdSwj4vw29OjuAO4+ZvYNVp:6v/7QVXm0a/8xhbPgfdSBvNYn2ZvYd |
MD5: | 003B524806C1CA654CAC6ED2EB883E1B |
SHA1: | F6F6ACA125DC4DB3B33378404017B5EE7D21D334 |
SHA-256: | 2899E53769FA741E2C0675A2C69D2C246A8F34601BEE58DD66B16261005962A9 |
SHA-512: | AA905997F9CE39F039E33C4CCA167C0137775D91B4929D918528BA00B92737C448EC46D91A4221644CCC00D1FCAA403AFF83F07276BAB6FD80D4B9E88E652F87 |
Malicious: | false |

Dropped file (name not shown)
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 337 |
Entropy (8bit): | 7.143668471552015 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPWFmX9Ckymx8BZhCjO5QO6MsHqd+K/eBDQeU2oG9xqgjp:6v/7K0omx8yOqVtHH1U2oGR |
MD5: | 7FBFE5B0A7AD2A67AACFD8481F8DCA01 |
SHA1: | 21BABB6B7EC4746835DB43DC6A69A4AF0EFECA2D |
SHA-256: | 0B4CD789E087F712F131FACCD754DC461774498DF3CA19B346D461D18A0AE622 |
SHA-512: | 3A8F0D9653301F789A0588E848C40FFC92394461BF70A3421ABC85647F2C115948134FE9E161D055A11D200536356A15677D9C0E645346D27E122001F67FE22B |
Malicious: | false |

Dropped file (name not shown)
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 6144 |
Entropy (8bit): | 4.496995234059773 |
Encrypted: | false |
SSDEEP: | 96:1IUNaXnnXyEIPtXvZhr5RwiULuxDtJ1+wolpE:1Ix3XyEwXvZh1RwnLUDtf+I |
MD5: | E8B67A37FB41D54A7EDA453309D45D97 |
SHA1: | 96BE9BF7A988D9CEA06150D57CD1DE19F1FEC19E |
SHA-256: | 2AD232BCCF4CA06CF13475AF87B510C5788AA790785FD50509BE483AFC0E0BCF |
SHA-512: | 20EFFAE18EEBB2DF90D3186A281FA9233A97998F226F7ADEAD0784FBC787FEEE419973962F8369D8822C1BBCDFB6E7948D9CA6086C9CF90190C8AB3EC97F4C38 |
Malicious: | false |
Antivirus: | |

Dropped file (name not shown)
Process: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 5.659384359264642 |
Encrypted: | false |
SSDEEP: | 192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz |
MD5: | 8B3830B9DBF87F84DDD3B26645FED3A0 |
SHA1: | 223BEF1F19E644A610A0877D01EADC9E28299509 |
SHA-256: | F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37 |
SHA-512: | D13CFD98DB5CA8DC9C15723EEE0E7454975078A776BCE26247228BE4603A0217E166058EBADC68090AFE988862B7514CB8CB84DE13B3DE35737412A6F0A8AC03 |
Malicious: | false |
Antivirus: | |
File type: | |
Entropy (8bit): | 7.02530526585537 |
TrID: | |
File name: | rFACTURA_FAC_2023_1-1000733.PDF.exe |
File size: | 431872 |
MD5: | a6ef5ed777ba7369c2bb28e46b198ba6 |
SHA1: | f707bc0343f41d95f57e776a9f85f6a2c5791aa7 |
SHA256: | 878d710875b07ec61bef0b198ba67bf81ad0730a3a483d5762cd18e13fb4b525 |
SHA512: | 3b0bbbf4199dfc669a75a8fb62cfa55423e2331358f43057219ee2a4099cc9c2b007d85b2cb1b6cd9c64d8d8421575690bed95556ca788cf13d6a53c96b3a2eb |
SSDEEP: | 6144:B6bAcJvkzKmPPzS58G93IuZCBabjYBNwmlJ8kUEe/oqBaH0NxsvLg/nkrIak7r8m:a7ubCHICiwkBySs/vBGwxs0vh7rXN |
TLSH: | B194F161BFDBE857D02278B4A09ADE1E5E74EF14A249E307F3B139ACE5752513C1B202 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....uY.................d....:.... |
Icon Hash: | 20c4f8f8e8f0f24c |
Entrypoint: | 0x403350 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x59759518 [Mon Jul 24 06:35:04 2017 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | b34f154ec913d2d2c435cbd644e91687 |
Signature Valid: | false |
Signature Issuer: | E=Giordano@Agencies.ano, OU="Desidiose Haarvkstens ", O=Percussion, L=Mccomb, S=Mississippi, C=US |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | B7600E9E947B9005922C17012BBF815F |
Thumbprint SHA-1: | F61732487D62043541218B18386BFA3513D9C7CF |
Thumbprint SHA-256: | C6510EBAF8763805CB5E0AAB32A94AEEFD9E39180B9A6D5F85E0272807031574 |
Serial: | 1B9B07C3A599FD0DBF3CF80F5B8149857D2F3BA7 |
Instruction |
---|
sub esp, 000002D4h |
push ebx |
push esi |
push edi |
push 00000020h |
pop edi |
xor ebx, ebx |
push 00008001h |
mov dword ptr [esp+14h], ebx |
mov dword ptr [esp+10h], 0040A2E0h |
mov dword ptr [esp+1Ch], ebx |
call dword ptr [004080A8h] |
call dword ptr [004080A4h] |
and eax, BFFFFFFFh |
cmp ax, 00000006h |
mov dword ptr [007A8A2Ch], eax |
je 00007F0591104523h |
push ebx |
call 00007F05911077B9h |
cmp eax, ebx |
je 00007F0591104519h |
push 00000C00h |
call eax |
mov esi, 004082B0h |
push esi |
call 00007F0591107733h |
push esi |
call dword ptr [00408150h] |
lea esi, dword ptr [esi+eax+01h] |
cmp byte ptr [esi], 00000000h |
jne 00007F05911044FCh |
push 0000000Ah |
call 00007F059110778Ch |
push 00000008h |
call 00007F0591107785h |
push 00000006h |
mov dword ptr [007A8A24h], eax |
call 00007F0591107779h |
cmp eax, ebx |
je 00007F0591104521h |
push 0000001Eh |
call eax |
test eax, eax |
je 00007F0591104519h |
or byte ptr [007A8A2Fh], 00000040h |
push ebp |
call dword ptr [00408044h] |
push ebx |
call dword ptr [004082A0h] |
mov dword ptr [007A8AF8h], eax |
push ebx |
lea eax, dword ptr [esp+34h] |
push 000002B4h |
push eax |
push ebx |
push 0079FEE0h |
call dword ptr [00408188h] |
push 0040A2C8h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3d0000 | 0x28268 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x67500 | 0x2200 | .data |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x63c8 | 0x6400 | False | 0.6766015625 | data | 6.504099201068482 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x138e | 0x1400 | False | 0.4509765625 | data | 5.146454805063938 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x39eb38 | 0x600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x3a9000 | 0x27000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x3d0000 | 0x28268 | 0x28400 | False | 0.3355129076086957 | data | 4.767250735975199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x3d0310 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States |
RT_ICON | 0x3e0b38 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | English | United States |
RT_ICON | 0x3e9fe0 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736 | English | United States |
RT_ICON | 0x3ef468 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States |
RT_ICON | 0x3f3690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States |
RT_ICON | 0x3f5c38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States |
RT_ICON | 0x3f6ce0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States |
RT_ICON | 0x3f7668 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States |
RT_DIALOG | 0x3f7ad0 | 0x100 | data | English | United States |
RT_DIALOG | 0x3f7bd0 | 0xf8 | data | English | United States |
RT_DIALOG | 0x3f7cc8 | 0xa0 | data | English | United States |
RT_DIALOG | 0x3f7d68 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0x3f7dc8 | 0x76 | data | English | United States |
RT_MANIFEST | 0x3f7e40 | 0x423 | XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW |
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage |
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor |
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW |
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW |
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy |
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 10:48:04 |
Start date: | 20/03/2023 |
Path: | C:\Users\user\Desktop\rFACTURA_FAC_2023_1-1000733.PDF.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 431872 bytes |
MD5 hash: | A6EF5ED777BA7369C2BB28E46B198BA6 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |