File name: guloader.exe

Full analysis: https://app.any.run/tasks/a00f3df1-5bed-404e-b90c-b4eb1e68f14f
Verdict: Malicious activity
Threats:

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Analysis date: December 06, 2022, 06:05:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
guloader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2B40B86C870AB6B0E9B08F26BD231E1A
SHA1: 78A6FC51761C25FE571FEC37CA4BEAA13D7B5D48
SHA256: 6C9C9BD77D704CA8C48A0125289E0E15E75F62F09D40FFAD58A24BD96C3A57C0
SSDEEP: 3072:UwdK6g8IT9xE5GWp1icKAArDZz4N9GhbkrNEk1ACBynjTy9d41bd0XF:VK6g8ITep0yN90QE44joX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • GULOADER detected by memory dumps
      • Semiha.exe (PID: 3256)
    • Drops the executable file immediately after the start
      • guloader.exe (PID: 2956)
    • Application was dropped or rewritten from another process
      • Semiha.exe (PID: 3256)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • guloader.exe (PID: 2956)
  • INFO
    • Checks supported languages
      • Semiha.exe (PID: 3256)
      • guloader.exe (PID: 2956)
    • Reads the computer name
      • Semiha.exe (PID: 3256)
    • Creates a file in a temporary directory
      • guloader.exe (PID: 2956)

guloader

Process (PID 3256): Semiha.exe
Strings (18):
C:\Program Files\Qemu-ga\qemu-ga.exe
C:\Program Files\qga\qga.exe
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
wininet.dll
Msi.dll
kernel32
advapi32
user32
ntdll
windir=
TEMP=
msvbvm60.dll
\system32\
\syswow64\
Set W = CreateObject("WScript.Shell")Set C = W.Exec ("
Startup key
Software\Microsoft\Windows\CurrentVersion\RunOnce
shell32
C2 (1):
https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl
No Malware configuration.

TRiD

.exe | Win32 MS Cabinet Self-Extractor (WExtract stub) (80.4)
.exe | Win32 Executable MS Visual C++ (generic) (8.2)
.exe | Win64 Executable (generic) (7.3)
.dll | Win32 Dynamic Link Library (generic) (1.7)
.exe | Win32 Executable (generic) (1.1)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2014-Oct-31 03:28:47
Detected languages:
  • English - United States
Debug artifacts:
  • wextract.pdb
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.9600.16384 (winblue_rtm.130821-1623)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.9600.16384

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 240

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2014-Oct-31 03:28:47
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 4096 | 26980 | 27136 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.35038
.data | 32768 | 6796 | 1024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.17593
.idata | 40960 | 4220 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.04714
.rsrc | 49152 | 180224 | 178176 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.46725
.reloc | 229376 | 2240 | 2560 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.37329

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.0699 | 1640 | Latin 1 / Western European | English - United States | RT_ICON
2 | 3.15864 | 744 | Latin 1 / Western European | English - United States | RT_ICON
3 | 3.07737 | 488 | Latin 1 / Western European | English - United States | RT_ICON
4 | 3.50949 | 296 | Latin 1 / Western European | English - United States | RT_ICON
5 | 5.56662 | 3752 | Latin 1 / Western European | English - United States | RT_ICON
6 | 5.94251 | 2216 | Latin 1 / Western European | English - United States | RT_ICON
7 | 5.99361 | 1736 | Latin 1 / Western European | English - United States | RT_ICON
8 | 3.37828 | 1384 | Latin 1 / Western European | English - United States | RT_ICON
9 | 7.98515 | 55762 | Latin 1 / Western European | English - United States | RT_ICON
10 | 5.33023 | 9640 | Latin 1 / Western European | English - United States | RT_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
Cabinet.dll
GDI32.dll
KERNEL32.dll
USER32.dll
VERSION.dll
msvcrt.dll
No data.
Total processes: 34
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

guloader.exe (drop and start) -> Semiha.exe (#GULOADER)

Process information

PID: 2956
CMD: "C:\Users\admin\AppData\Local\Temp\guloader.exe"
Path: C:\Users\admin\AppData\Local\Temp\guloader.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Win32 Cabinet Self-Extractor
Version: 11.00.9600.16384 (winblue_rtm.130821-1623)
Modules (Images):
c:\users\admin\appdata\local\temp\guloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3256
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Semiha.exe
Parent process: guloader.exe
User: admin
Company: Mapbox
Integrity Level: MEDIUM
Description: Mapbox
Version: 1.00
Modules (Images):
c:\users\admin\appdata\local\temp\ixp000.tmp\semiha.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events: 371
Read events: 371
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2956 | guloader.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Semiha.exe | executable
MD5: AE871D1957030344D4CEFC7295A1E964
SHA256: 6F8A836D10EADA55BB1D3901CEB5B97711AFC9F7018E3BD0F0A8E77521F18E5B
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info