File name: | guloader.exe |
Full analysis: | https://app.any.run/tasks/a00f3df1-5bed-404e-b90c-b4eb1e68f14f |
Verdict: | Malicious activity |
Threats: | GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities. |
Analysis date: | December 06, 2022, 06:05:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 2B40B86C870AB6B0E9B08F26BD231E1A |
SHA1: | 78A6FC51761C25FE571FEC37CA4BEAA13D7B5D48 |
SHA256: | 6C9C9BD77D704CA8C48A0125289E0E15E75F62F09D40FFAD58A24BD96C3A57C0 |
SSDEEP: | 3072:UwdK6g8IT9xE5GWp1icKAArDZz4N9GhbkrNEk1ACBynjTy9d41bd0XF:VK6g8ITep0yN90QE44joX |
.exe | | | Win32 MS Cabinet Self-Extractor (WExtract stub) (80.4) |
---|---|---|
.exe | | | Win32 Executable MS Visual C++ (generic) (8.2) |
.exe | | | Win64 Executable (generic) (7.3) |
.dll | | | Win32 Dynamic Link Library (generic) (1.7) |
.exe | | | Win32 Executable (generic) (1.1) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2014-Oct-31 03:28:47 |
Detected languages: |
|
Debug artifacts: |
|
CompanyName: | Microsoft Corporation |
FileDescription: | Win32 Cabinet Self-Extractor |
FileVersion: | 11.00.9600.16384 (winblue_rtm.130821-1623) |
InternalName: | Wextract |
LegalCopyright: | © Microsoft Corporation. All rights reserved. |
OriginalFilename: | WEXTRACT.EXE .MUI |
ProductName: | Internet Explorer |
ProductVersion: | 11.00.9600.16384 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 240 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 5 |
TimeDateStamp: | 2014-Oct-31 03:28:47 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 26980 | 27136 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.35038 |
.data | 32768 | 6796 | 1024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.17593 |
.idata | 40960 | 4220 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.04714 |
.rsrc | 49152 | 180224 | 178176 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.46725 |
.reloc | 229376 | 2240 | 2560 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.37329 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.0699 | 1640 | Latin 1 / Western European | English - United States | RT_ICON |
2 | 3.15864 | 744 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 3.07737 | 488 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 3.50949 | 296 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 5.56662 | 3752 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 5.94251 | 2216 | Latin 1 / Western European | English - United States | RT_ICON |
7 | 5.99361 | 1736 | Latin 1 / Western European | English - United States | RT_ICON |
8 | 3.37828 | 1384 | Latin 1 / Western European | English - United States | RT_ICON |
9 | 7.98515 | 55762 | Latin 1 / Western European | English - United States | RT_ICON |
10 | 5.33023 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
ADVAPI32.dll |
COMCTL32.dll |
Cabinet.dll |
GDI32.dll |
KERNEL32.dll |
USER32.dll |
VERSION.dll |
msvcrt.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2956 | "C:\Users\admin\AppData\Local\Temp\guloader.exe" | C:\Users\admin\AppData\Local\Temp\guloader.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Win32 Cabinet Self-Extractor Version: 11.00.9600.16384 (winblue_rtm.130821-1623) Modules
| |||||||||||||||
3256 | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Semiha.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Semiha.exe | guloader.exe | ||||||||||||
User: admin Company: Mapbox Integrity Level: MEDIUM Description: Mapbox Version: 1.00 Modules
guloader(PID) Process(3256) Semiha.exe C2 (1)https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl Strings (18)C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files\qga\qga.exe Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko wininet.dll Msi.dll kernel32 advapi32 user32 ntdll windir= TEMP= msvbvm60.dll \system32\ \syswow64\ Set W = CreateObject("WScript.Shell")Set C = W.Exec (" Startup key Software\Microsoft\Windows\CurrentVersion\RunOnce shell32 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2956 | guloader.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Semiha.exe | executable | |
MD5:AE871D1957030344D4CEFC7295A1E964 | SHA256:6F8A836D10EADA55BB1D3901CEB5B97711AFC9F7018E3BD0F0A8E77521F18E5B |