File name: facturasolicitada..exe (Spanish "factura solicitada", "requested invoice", an invoice lure; the double dot before .exe is part of the name as submitted)

Full analysis: https://app.any.run/tasks/92b94d01-69bf-4636-b6cc-2e78ac337641
Verdict: Malicious activity
Threats:

GuLoader is a downloader whose core is position-independent shellcode, here carried inside an NSIS installer (see the file info below). Criminals use it to distribute other malware, notably trojans, on a large scale, and it is infamous for its anti-detection and anti-analysis tricks.

Analysis date: February 17, 2025, 12:07:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
guloader
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 6124034FE55707E3EC7A9940B36A2640
SHA1: FA817C784D46FDCFC065A264713C82F5F53B7288
SHA256: AA928F80E184381E6CB9E2A8E159334E3494999165CF97BCD71BDFBB61DCE2BF
SSDEEP: 24576:RAaIWsvu8AND85grwTiRnPvXpV6dNe6K3d:CaIWsvu8AND85grwTiRnPvXpV6dNe6KN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1488)
    • GULOADER has been detected

      • facturasolicitada..exe (PID: 3436)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • facturasolicitada..exe (PID: 3436)
    • Starts POWERSHELL.EXE for commands execution

      • facturasolicitada..exe (PID: 3436)
  • INFO

    • Checks supported languages

      • facturasolicitada..exe (PID: 3436)
    • The sample compiled with english language support

      • facturasolicitada..exe (PID: 3436)
    • Creates files or folders in the user directory

      • facturasolicitada..exe (PID: 3436)
    • Reads the computer name

      • facturasolicitada..exe (PID: 3436)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:12:11 21:50:38+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24064
InitializedDataSize: 118272
UninitializedDataSize: 1024
EntryPoint: 0x316d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.5.0.0
ProductVersionNumber: 1.5.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: bishoprics stalagmitterne
FileDescription: embryologi opbryde
InternalName: mellemteksten.exe
LegalCopyright: lasernes
OriginalFileName: mellemteksten.exe
ProductName: entitle vrdifuldes anale
ProductVersion: 1.5.0.0
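The EXIF values above are read straight out of the PE headers, and two of them matter for triage: the 2016 link timestamp on a sample analysed in 2025 is typically the build time of the prebuilt NSIS installer stub, not of the campaign, and the "Nullsoft Installer self-extracting archive" verdict comes from the NSIS firstheader magic in the file's overlay. The Python below is an added example, not part of the ANY.RUN report or of any tool it used: it builds a constructed, header-only PE32 carrying the report's values (fields the page does not list are arbitrary filler, and the overlay placement is an assumption), parses it back the way ExifTool derives these fields, and checks for the NSIS marker.

```python
"""Parse the PE header fields that the report's EXIF block lists (added example).

The byte layout built here is a constructed, header-only stand-in carrying the
report's values. It is not the sample: sections and the NSIS payload are absent,
and every value the page does not list is arbitrary filler.
"""
import calendar
import struct
from datetime import datetime, timezone

# COFF Characteristics bits, in the words ExifTool uses for ImageFileCharacteristics.
CHARACTERISTICS = (
    (0x0001, "No relocs"),
    (0x0002, "Executable"),
    (0x0004, "No line numbers"),
    (0x0008, "No symbols"),
    (0x0100, "32-bit"),
    (0x2000, "DLL"),
)
MACHINES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows command line"}
# NSIS firstheader magic: 0xDEADBEEF little-endian followed by the vendor string.
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"


def build_constructed_pe(with_nsis_overlay=True):
    """Constructed MZ + PE32 header holding the values from the EXIF section."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,                                       # Machine: i386
        5,                                            # NumberOfSections ("5 sections")
        calendar.timegm((2016, 12, 11, 21, 50, 38)),  # TimeDateStamp, UTC
        0, 0,                                         # symbol table pointer / count
        0xE0,                                         # SizeOfOptionalHeader for PE32
        0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100,   # relocs/line numbers/symbols stripped, 32-bit
    )
    opt = struct.pack(
        "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH",
        0x010B, 6, 0,                 # Magic PE32, linker 6.0
        24064, 118272, 1024,          # code / initialized / uninitialized sizes
        0x316D, 0x1000, 0x7000,       # entry point; BaseOfCode, BaseOfData (filler)
        0x400000, 0x1000, 0x200,      # ImageBase, section and file alignment (filler)
        4, 0, 6, 0, 4, 0,             # OS 4.0, image 6.0, subsystem 4.0
        0, 0x26000, 0x400, 0,         # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum (filler)
        2, 0,                         # Subsystem: Windows GUI; DllCharacteristics
    ).ljust(0xE0, b"\x00")
    image = dos + b"PE\0\0" + coff + opt
    if with_nsis_overlay:
        # Real NSIS installers keep the firstheader in the overlay after the last section;
        # the 0x200 bytes of padding stand in for the sections that are not built here.
        image += b"\x00" * 0x200 + struct.pack("<I", 0) + NSIS_MAGIC  # flags, siginfo, magic
    return image


def parse_pe_header(data):
    """Return the EXE fields the way ExifTool derives them from the DOS, COFF and optional headers."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lmaj, lmin, code, idata, udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    osmaj, osmin, imaj, imin, ssmaj, ssmin = struct.unpack_from("<6H", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "MachineType": MACHINES.get(machine, hex(machine)),
        "Sections": nsect,
        "TimeStamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S") + "+00:00",
        "ImageFileCharacteristics": ", ".join(name for bit, name in CHARACTERISTICS if chars & bit),
        "PEType": {0x010B: "PE32", 0x020B: "PE32+"}.get(magic, hex(magic)),
        "LinkerVersion": f"{lmaj}.{lmin}",   # the report prints the major number only
        "CodeSize": code,
        "InitializedDataSize": idata,
        "UninitializedDataSize": udata,
        "EntryPoint": f"0x{entry:x}",
        "OSVersion": f"{osmaj}.{osmin}",
        "ImageVersion": f"{imaj}.{imin}",
        "SubsystemVersion": f"{ssmaj}.{ssmin}",
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def has_nsis_marker(data):
    """True when the NSIS firstheader magic is present; NSIS stores it in the overlay."""
    return NSIS_MAGIC in data


if __name__ == "__main__":
    sample = build_constructed_pe()
    for key, value in parse_pe_header(sample).items():
        print(f"{key}: {value}")
    print("NSIS marker:", has_nsis_marker(sample))
```

Run against a real file, `parse_pe_header(open(path, "rb").read())` gives the same dictionary, and `has_nsis_marker` is a cheap first check that the PE is an NSIS wrapper before reaching for 7-Zip or an NSIS decompiler to pull out the dropped files.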
All screenshots are available in the full report
Total processes: 121
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process chain)

explorer.exe -> facturasolicitada..exe (PID 3436, #GULOADER) -> powershell.exe (PID 1488) -> conhost.exe (PID 732)

Process information (listed in launch order; the report's Indicators column was empty and is omitted)

PID 3436
CMD: "C:\Users\admin\Desktop\facturasolicitada..exe"
Path: C:\Users\admin\Desktop\facturasolicitada..exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: embryologi opbryde
Modules (images):
c:\users\admin\desktop\facturasolicitada..exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID 1488
CMD: powershell.exe -windowstyle hidden "$Trafikerer=Get-Content -Raw 'C:\Users\admin\AppData\Local\unproselyte\besparelses\Concludence.Cha';$Superego=$Trafikerer.SubString(52777,3);.$Superego($Trafikerer) "
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: facturasolicitada..exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID 732
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Two things to read off this chain. First, the sample is a 32-bit PE, so on this 64-bit guest it runs under WOW64 (wow64.dll, wow64win.dll, wow64cpu.dll and the syswow64 copies of ntdll and kernel32 in its module list) and it starts the 32-bit PowerShell from C:\Windows\SysWOW64, not System32; a detection keyed only on the System32\WindowsPowerShell\v1.0 path misses this launch. Second, the PID 1488 command line is the entire stager: Get-Content -Raw loads the dropped Concludence.Cha (one of the files the installer wrote under unproselyte\besparelses) as a single string, .SubString(52777,3) slices a three-character token out of it, and .$Superego($Trafikerer) invokes that token as a command with the whole file as its argument, so both the script body and the name of the cmdlet that runs it live in the dropped file and nothing in the command line itself names a suspicious cmdlet. conhost.exe with 0xffffffff -ForceV1 is the ordinary console host that any console process receives on Windows 10 and is not an indicator on its own.
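The following Python is an added example, not code from the ANY.RUN report: it pulls the file path, offset and length out of the PID 1488 command line, reproduces the SubString call against a constructed stand-in for Concludence.Cha (the real dropped file is not on the page, and that its three characters at offset 52777 spell IEX is an assumption about this stager family), and flags a constructed process-creation event with the same shape. Only the command line string is taken from the report; the event field names Image, ParentImage and CommandLine follow Sysmon naming and are likewise assumed.

```python
"""Pull apart the GuLoader NSIS stager one-liner from PID 1488 (added example).

Only REPORT_CMDLINE is taken from the report. The dropped file's contents, the
'IEX' token and the process-creation events are constructed for this demo.
"""
import re

# Command line recorded for PID 1488 (copied from the report).
REPORT_CMDLINE = (
    'powershell.exe -windowstyle hidden "$Trafikerer=Get-Content -Raw '
    "'C:\\Users\\admin\\AppData\\Local\\unproselyte\\besparelses\\Concludence.Cha';"
    '$Superego=$Trafikerer.SubString(52777,3);.$Superego($Trafikerer) "'
)

# Shape of the stager: load a file whole (-Raw), slice a short token out of it at a
# fixed offset, then call that token as a command with the whole file as its argument.
STAGER_RE = re.compile(
    r"Get-Content\s+-Raw\s+'(?P<path>[^']+)'.*?"
    r"\.SubString\((?P<offset>\d+)\s*,\s*(?P<length>\d+)\).*?"
    r"\.\$\w+\(\$\w+\)",
    re.IGNORECASE | re.DOTALL,
)
# PowerShell accepts any unambiguous prefix of -WindowStyle (-w, -win, ...), so match loosely.
HIDDEN_RE = re.compile(r"-w\w*\s+hidden", re.IGNORECASE)


def parse_stager(cmdline):
    """Return {path, offset, length, hidden} when cmdline has the stager shape, else None."""
    m = STAGER_RE.search(cmdline)
    if m is None:
        return None
    return {
        "path": m.group("path"),
        "offset": int(m.group("offset")),
        "length": int(m.group("length")),
        "hidden": HIDDEN_RE.search(cmdline) is not None,
    }


def resolve_token(blob, offset, length):
    """Reproduce .SubString(offset, length) on the string PowerShell would have built.

    Get-Content -Raw yields one string, so the offset counts characters. A latin-1
    decode keeps byte and character offsets equal for single-byte text; a stage in a
    multibyte encoding would have to be decoded the way PowerShell decoded it.
    """
    text = blob.decode("latin-1")
    if offset + length > len(text):
        raise ValueError("offset past end of file: wrong file or truncated drop")
    return text[offset:offset + length]


def resolve_from_cmdline(cmdline, read_file):
    """Parse cmdline and resolve its token; read_file(path) -> bytes supplies the stage."""
    info = parse_stager(cmdline)
    if info is None:
        return None
    return resolve_token(read_file(info["path"]), info["offset"], info["length"])


def build_constructed_stage(offset, token="IEX"):
    """Constructed stand-in for Concludence.Cha: filler up to `offset`, then the token.

    The real file is not on the page; that its three characters at 52777 spell IEX
    is an assumption about this stager, not a fact from the report.
    """
    filler = (b"Tautochronism " * (offset // 14 + 1))[:offset]
    return filler + token.encode("ascii") + b"\r\n# constructed script body\r\n"


def stager_indicators(event):
    """List the indicators a process-creation event matches; empty list means no match.

    Keys (Image, ParentImage, CommandLine) follow Sysmon event ID 1 naming: an assumption.
    """
    if not event["Image"].lower().endswith("\\powershell.exe"):
        return []
    info = parse_stager(event["CommandLine"])
    if info is None:
        return []
    hits = ["Get-Content -Raw of a dropped file, SubString token invoked as a command"]
    if info["hidden"]:
        hits.append("window style hidden")
    if "\\appdata\\local\\" in info["path"].lower():
        hits.append("stage file under %LOCALAPPDATA%")
    if not event["ParentImage"].lower().startswith("c:\\windows\\"):
        hits.append("parent outside C:\\Windows: " + event["ParentImage"])
    return hits


# Constructed events: the report's chain, and a benign PowerShell launch for contrast.
CONSTRUCTED_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\admin\Desktop\facturasolicitada..exe",
     "CommandLine": REPORT_CMDLINE},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile Get-ChildItem C:\Temp"},
]

if __name__ == "__main__":
    print(parse_stager(REPORT_CMDLINE))
    print("token:", resolve_from_cmdline(REPORT_CMDLINE, lambda path: build_constructed_stage(52777)))
    for event in CONSTRUCTED_EVENTS:
        print(event["ParentImage"], "->", stager_indicators(event))
```

On a real host, pass `lambda p: open(p, "rb").read()` as `read_file` to resolve the token from the actual Concludence.Cha pulled off the machine; the match on the command-line shape (a whole-file read, a fixed-offset SubString, and a variable invoked with `.$name(...)`) is what to key a detection on, since the file and variable names change per build while that shape does not.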
Events: 7,560 total (7,560 read, 0 write, 0 delete)

Modification events: no data

Dropped files by type: 0 executable, 5 suspicious, 8 text, 0 unknown

Dropped files (the report runs the Type column onto the end of each filename; they are separated here)

PID 3436, facturasolicitada..exe
  C:\Users\admin\AppData\Local\unproselyte\besparelses\Concludence.Cha (text)
    MD5: 1678EAEBCC616FDD486B73C0D0F9A765
    SHA256: EE054A99730186790F4A20ABE48B59B4254B5BB5888B4CF685F7A74092A9A6E6
  C:\Users\admin\AppData\Local\unproselyte\besparelses\baisse.Nen (binary)
    MD5: 6BBDEC47B65750CD9266F720D99E76F3
    SHA256: A08FDA28BC74D30F706F36A65975FB4EA8CF0EFBAB4DFC74AF016E5B3B6CEE3D
  C:\Users\admin\AppData\Local\unproselyte\besparelses\Chemiotaxic\Tautochronism.txt (text)
    MD5: C036A95DC18FF025D50162C2F98A2BB6
    SHA256: E6CE84A048A9DF2891B22750D506341AAF6088D1CC3028F951D380A6C023704B
  C:\Users\admin\AppData\Local\unproselyte\besparelses\Detentionens.txt (text)
    MD5: 1B3C81323896BC6C8EAE3D515B30B374
    SHA256: 828C5D969BEC4F80DD439CDAF0D7263A5C9D3B9032511C61B07BC74AB0D5058E
  C:\Users\admin\AppData\Local\unproselyte\besparelses\Ovolytic\undertavlers.txt (text)
    MD5: 8C3120C247F1EAD031171917C083CB45
    SHA256: EB9A4876E963719EC3E100DADAABD0303D3506A233E1FE02C76B63676FE9D81D
  C:\Users\admin\AppData\Local\unproselyte\besparelses\Chemiotaxic\Ulykkesbilernes214.ove (binary)
    MD5: 7AEB58D533D979653278E3957F5D10C6
    SHA256: 8F50404FC1EB9B40FB941182A9CA5196834D2084E8E4B8CD08322817A934167B
  C:\Users\admin\AppData\Local\unproselyte\besparelses\Chemiotaxic\emissionsspektrummerne.tra (binary)
    MD5: 2CCB0A124328C367EC033641F3E23D07
    SHA256: 8B25390E85DCD74028C2CB0D5CAA301424E9DC25C37811A493F46C5CF1D387BB
  C:\Users\admin\AppData\Local\unproselyte\besparelses\Ovolytic\systemisable.bla (binary)
    MD5: 40F062040AFB2447BB045CD7DA4BD507
    SHA256: 1E256AB480595E2188CC5B695AA94C7CDAD924DA82821A3B67888B4471BBCE6D

PID 1488, powershell.exe
  C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1ee1tuwy.qqg.ps1 (text)
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
  C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache (binary)
    MD5: 5F62DFB53E47D6CD6715ABE772A855F8
    SHA256: C327736DF96A1BC7AC8A64CFC9935A7665EE601ACCC469BAB24E3822FA7AEFC0

The eight files under unproselyte\besparelses are what the NSIS installer extracted; of these, the recorded command line consumes only Concludence.Cha, and what the other seven are for is not established by this run because the decoded stage raised an exception before it got further. The two files written by powershell.exe are ordinary PowerShell start-up artifacts (the __PSScriptPolicyTest_*.ps1 file is PowerShell probing whether an AppLocker or WDAC policy constrains scripts, and ModuleAnalysisCache is its module cache); they are not attacker content and their hashes are not indicators.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 23
DNS requests: 6
Threats (IDS alerts): 0

Every request and connection listed below belongs to Windows components (RUXIMICS.exe, MoUsoCoreWorker.exe, svchost.exe, System): CRL fetches from crl.microsoft.com and www.microsoft.com, Microsoft telemetry and update endpoints, Bing and google.com lookups, and NetBIOS broadcasts on the local subnet. Neither facturasolicitada..exe (PID 3436) nor its PowerShell child (PID 1488) appears in the network tables, so no payload URL or C2 was observed in this run. That is consistent with the PowerShell script raising an exception before the next stage ran, and it means none of the addresses or domains here are indicators for this sample.

HTTP requests (PID, process, method, HTTP code, IP, URL, CN, type, size, reputation)

236   RUXIMICS.exe         GET  200  23.48.23.145:80   http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  DE  binary  1.01 Kb  whitelisted
2356  svchost.exe          GET  200  23.48.23.145:80   http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  DE  binary  1.01 Kb  whitelisted
236   RUXIMICS.exe         GET  200  23.35.229.160:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl        DE  binary  973 b    whitelisted
4712  MoUsoCoreWorker.exe  GET  200  23.48.23.145:80   http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  DE  binary  1.01 Kb  whitelisted
2356  svchost.exe          GET  200  23.35.229.160:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl        DE  binary  973 b    whitelisted
4712  MoUsoCoreWorker.exe  GET  200  23.35.229.160:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl        DE  binary  973 b    whitelisted

Connections (grouped by process: IP:port, domain, ASN, CN, reputation; a dash marks a field the report leaves empty)

PID 4, System
  192.168.100.255:137  -                  -                           -   whitelisted
  192.168.100.255:138  -                  -                           -   whitelisted

PID 4712, MoUsoCoreWorker.exe
  20.73.194.208:443    -                  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
  92.123.104.10:443    www.bing.com       Akamai International B.V.    DE  whitelisted
  23.48.23.145:80      crl.microsoft.com  Akamai International B.V.    DE  whitelisted

PID 2356, svchost.exe
  20.73.194.208:443    -                  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
  23.48.23.145:80      crl.microsoft.com  Akamai International B.V.    DE  whitelisted
  23.35.229.160:80     www.microsoft.com  AKAMAI-AS                    DE  whitelisted

PID 236, RUXIMICS.exe
  20.73.194.208:443    -                  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
  23.48.23.145:80      crl.microsoft.com  Akamai International B.V.    DE  whitelisted

DNS requests (domain: resolved addresses; all whitelisted)

www.bing.com: 92.123.104.10, 92.123.104.65, 92.123.104.67, 92.123.104.63, 92.123.104.66, 92.123.104.6, 92.123.104.9, 92.123.104.5, 92.123.104.12
google.com: 142.250.185.78
crl.microsoft.com: 23.48.23.145, 23.48.23.147, 23.48.23.194, 23.48.23.180, 23.48.23.156, 23.48.23.164, 23.48.23.173, 23.48.23.177
www.microsoft.com: 23.35.229.160
settings-win.data.microsoft.com: 51.124.78.146
self.events.data.microsoft.com: 20.189.173.8

Threats

No threats detected