
3GJ6S3Kwnb.exe

Status: finished
Submission Time: 2022-05-10 20:51:12 +02:00
Classification: Malicious (Trojan, Evader, GuLoader)

Tags

  • exe
  • GuLoader

Details

  • Analysis ID:
    623825
  • API (Web) ID:
    991323
  • Analysis Started:
    2022-05-10 21:02:38 +02:00
  • Analysis Finished:
    2022-05-10 21:25:44 +02:00
  • MD5:
    6c6a52c18f0ca26d357f2b4430f31568
  • SHA1:
    9b32a592e54100a67d907e2ad039b164961dc042
  • SHA256:
    cbd91a64900eacff9502b5509769b33adb8472efadd2861d99fd95a06c5630be

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Verdict: malicious, score 72/100

System: Windows 10 64 bit 20H2 native physical machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run Condition: Suspected Instruction Hammering (the sandbox repeats the analysis on bare metal when it suspects the sample is hammering CPU instructions, a timing-based technique used to evade virtualised or instrumented execution; the higher score on this run shows more behaviour surfaced outside the VM)
Verdict: malicious, score 80/100

Verdict: malicious, 29/69

Verdict: malicious, 10/41

IPs

IP            Country   Detection
46.30.213.33  Denmark   (none listed)

Domains

Name                 IP            Detection
bprbeulentechnik.ch  46.30.213.33  (none listed)

URLs

Name (no detection listed for any entry)

The first entry is the payload URL that the NSIS stage fetches. The following entries that repeat it with trailing characters (.bink, .bin-, .bin-3778222414-1001/, .binmswsock.dll.mui and so on) are memory-string carving artifacts: the same URL string with whatever bytes happened to follow it in memory. Only the bare .bin URL should be treated as an indicator; the w3c.org, ibm.com, nsis.sf.net and live.com/live.net entries are strings from the NSIS installer runtime and Windows components, not attacker infrastructure.

http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bink
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin-
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binl
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin3
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin2
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin-3778222414-1001/
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bink.ch/loader/amagidom
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bintemRx9
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binom_VRCLkUVry246.bin
http://nsis.sf.net/NSIS_ErrorError
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
http://www.gopher.ftp://ftp.
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binmswsock.dll.muin
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binvarnish
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binwshqos.dll.mui
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binH
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binM
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binS
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin8
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin=
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binC
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binW9x
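The URL table above is raw string-carving output, so it cannot be pasted into a blocklist as-is. The script below is an added example (not part of the report and not the sandbox vendor's tooling) that turns this report's IOC section into clean indicators: it collapses every URL that merely extends a shorter URL into that shorter form, defangs the survivors, checks the file hashes for length and hex validity, and keeps only routable IPs. The URL strings, hashes and IP are copied from the report; the function names and the "drop any entry that extends a shorter entry" rule are this example's own assumptions.

```python
"""Normalize a sandbox report's IOC section into clean, defanged indicators.

Added example; not code from the report or the sandbox vendor. The input
lists are copied from the report, the filter rule is an assumption.
"""
import ipaddress
import re

# Constructed input: the 27 URL strings exactly as the report lists them.
REPORT_URLS = [
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bink",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin-",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binl",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin3",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin2",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin-3778222414-1001/",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bink.ch/loader/amagidom",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bintemRx9",
    "http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binom_VRCLkUVry246.bin",
    "http://nsis.sf.net/NSIS_ErrorError",
    "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD",
    "http://www.gopher.ftp://ftp.",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binmswsock.dll.muin",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binvarnish",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binwshqos.dll.mui",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binH",
    "http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binM",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binS",
    "https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214",
    "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin8",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin=",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binC",
    "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.binW9x",
]
# Sample hashes and the contacted IP, as printed in the report.
REPORT_HASHES = {
    "md5": "6c6a52c18f0ca26d357f2b4430f31568",
    "sha1": "9b32a592e54100a67d907e2ad039b164961dc042",
    "sha256": "cbd91a64900eacff9502b5509769b33adb8472efadd2861d99fd95a06c5630be",
}
REPORT_IPS = ["46.30.213.33"]

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def canonical_urls(urls):
    """Drop carving artifacts: any entry that only extends a shorter entry
    (the URL plus bytes that followed it in memory) is discarded, and the
    shortest form is kept as the indicator. Rule is an assumption of this example."""
    keep = []
    for url in sorted(set(urls), key=len):  # shortest first, so prefixes are seen early
        if not any(url.startswith(c) for c in keep):
            keep.append(url)
    return keep


def defang(url):
    """Render a URL as hxxp://host[.]tld/... so it cannot be clicked by accident."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{sep}{path}"


def valid_hashes(hashes):
    """Map each digest name to True if it is lowercase hex of the expected length."""
    return {name: len(val) == HASH_LEN.get(name, -1) and bool(HEX_RE.match(val))
            for name, val in hashes.items()}


def routable_ips(ips):
    """Keep only syntactically valid, globally routable addresses."""
    out = []
    for ip in ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # junk strings carved alongside real addresses
        if addr.is_global:
            out.append(str(addr))
    return out


def ioc_bundle(urls=REPORT_URLS, hashes=REPORT_HASHES, ips=REPORT_IPS):
    """Assemble the cleaned indicators for a blocklist or a ticket."""
    ok = valid_hashes(hashes)
    return {
        "urls": [defang(u) for u in canonical_urls(urls)],
        "hashes": {k: v for k, v in hashes.items() if ok[k]},
        "ips": routable_ips(ips),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(ioc_bundle(), indent=2))
```

Run on the report's 27 URL strings, the prefix rule collapses the 20 bprbeulentechnik.ch variants to the single .bin URL and leaves the seven unrelated runtime strings untouched; those still need a human to discard them, because the script only removes carving noise, it does not judge relevance.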

Dropped files

Name and file type (the report lists no hashes or detections for these files)

  • C:\Users\user\AppData\Local\Temp\Airplane_6.bmp
    JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3 (.bmp extension, JPEG content)
  • C:\Users\user\AppData\Local\Temp\Bluetooth Suite help_SL.chm
    MS Windows HtmlHelp Data
  • C:\Users\user\AppData\Local\Temp\DiFxAPI.dll
    PE32+ executable (DLL) (GUI) x86-64, for MS Windows
  • C:\Users\user\AppData\Local\Temp\HPPrintScanDoctorDeploymentMgr.exe
    PE32+ executable (GUI) x86-64, for MS Windows
  • C:\Users\user\AppData\Local\Temp\NativeAdapter.dll
    PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\REINSPECTED.lnk
    MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
  • C:\Users\user\AppData\Local\Temp\Tilplant\stygial.exe
    data (no recognisable file format despite the .exe name)
  • C:\Users\user\AppData\Local\Temp\Velsespladser5.tmp
    data
  • C:\Users\user\AppData\Local\Temp\igoAudSessionMonitor.dll
    PE32+ executable (DLL) (console) x86-64, for MS Windows
  • C:\Users\user\AppData\Local\Temp\nszC32E.tmp\System.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows