| File name: | f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin |
| Full analysis: | https://app.any.run/tasks/5466360c-b8d5-4695-8c12-88a65fb9a78c |
| Verdict: | Malicious activity |
| Threats: | GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities. |
| Analysis date: | May 15, 2025, 14:17:22 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
| MD5: | 5F0D70CE83681545008CE05B22081A61 |
| SHA1: | 06BDAD72FB94EEDD20FA745550D356FEE150222F |
| SHA256: | F8A6C58D226E584AAD84D5EDE794437D88F9A8B82CD1C899417C2572D5E4CBA4 |
| SSDEEP: | 24576:CCuANp9mIVvCiWCvXr8TnT+D8dCTjBrzzhoC2/oT4OS:VuANpoIVvCiWCvXr8TnT+D8dCTjBrzzq |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 7288)
GULOADER has been detected
- f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe (PID: 7592)
Changes the autorun value in the registry
- reg.exe (PID: 7052)
SUSPICIOUS
Starts CMD.EXE for commands execution
- powershell.exe (PID: 7288)
- wab.exe (PID: 1184)
Starts POWERSHELL.EXE for commands execution
- f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe (PID: 7592)
Evaluates numerical expressions in cmd (potential data obfuscation)
- powershell.exe (PID: 7288)
Converts a specified value to a byte (POWERSHELL)
- powershell.exe (PID: 7288)
Gets information about processes (POWERSHELL)
- powershell.exe (PID: 7288)
Executable content was dropped or overwritten
- powershell.exe (PID: 7288)
Converts a string into array of characters (POWERSHELL)
- powershell.exe (PID: 7288)
Reads security settings of Internet Explorer
- wab.exe (PID: 1184)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 516)
INFO
Checks supported languages
- f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe (PID: 7592)
- wab.exe (PID: 1184)
Reads the computer name
- f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe (PID: 7592)
- wab.exe (PID: 1184)
Creates files or folders in the user directory
- f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe (PID: 7592)
Checks whether the specified file exists (POWERSHELL)
- powershell.exe (PID: 7288)
Gets data length (POWERSHELL)
- powershell.exe (PID: 7288)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 7288)
Uses string split method (POWERSHELL)
- powershell.exe (PID: 7288)
The sample compiled with english language support
- powershell.exe (PID: 7288)
Converts byte array into ASCII string (POWERSHELL)
- powershell.exe (PID: 7288)
Checks proxy server information
- wab.exe (PID: 1184)
- slui.exe (PID: 7584)
Process checks computer location settings
- wab.exe (PID: 1184)
Reads the software policy settings
- slui.exe (PID: 7584)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:07:02 02:09:39+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 26112 |
| InitializedDataSize: | 139776 |
| UninitializedDataSize: | 2048 |
| EntryPoint: | 0x34fc |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.0.0.0 |
| ProductVersionNumber: | 2.0.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| Comments: | genudvinde aneroidbarometer |
| FileDescription: | srgemarch pendecagon |
| LegalCopyright: | svejsebrnderne bihule precoagulation |
| ProductVersion: | 2.0.0.0 |
Total processes
137
Monitored processes
10
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 516 | "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Provianteredes% -windowstyle minimized $Pedalets=(Get-ItemProperty -Path 'HKCU:\Bovbladenes\').Preflagellated;%Provianteredes% ($Pedalets)" | C:\Windows\SysWOW64\cmd.exe | — | wab.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1184 | "C:\Program Files (x86)\windows mail\wab.exe" | C:\Program Files (x86)\Windows Mail\wab.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Contacts Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5304 | "C:\WINDOWS\system32\cmd.exe" "/c set /A 1^^0" | C:\Windows\SysWOW64\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6564 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6620 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7052 | REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Provianteredes% -windowstyle minimized $Pedalets=(Get-ItemProperty -Path 'HKCU:\Bovbladenes\').Preflagellated;%Provianteredes% ($Pedalets)" | C:\Windows\SysWOW64\reg.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7288 | "powershell.exe" -windowstyle hidden "$Combretaceous=Get-Content 'C:\Users\admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Forjtter\Wakened.Syn';$Trylleslaget32=$Combretaceous.SubString(54382,3);.$Trylleslaget32($Combretaceous)" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7584 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7592 | "C:\Users\admin\Desktop\f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe" | C:\Users\admin\Desktop\f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: srgemarch pendecagon Exit code: 4294967295 Modules
| |||||||||||||||
Total events
6 304
Read events
6 301
Write events
3
Delete events
0
Modification events
| (PID) Process: | (1184) wab.exe | Key: | HKEY_CURRENT_USER\Bovbladenes |
| Operation: | write | Name: | Preflagellated |
Value: $Combretaceous=Get-Content 'C:\Users\admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Forjtter\Wakened.Syn';$Trylleslaget32=$Combretaceous.SubString(54382,3);.$Trylleslaget32($Combretaceous) | |||
| (PID) Process: | (1184) wab.exe | Key: | HKEY_CURRENT_USER\Environment |
| Operation: | write | Name: | Provianteredes |
Value: c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | |||
| (PID) Process: | (7052) reg.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Startup key |
Value: %Provianteredes% -windowstyle minimized $Pedalets=(Get-ItemProperty -Path 'HKCU:\Bovbladenes\').Preflagellated;%Provianteredes% ($Pedalets) | |||
Executable files
1
Suspicious files
18
Text files
4
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7592 | f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe | C:\Users\admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Forjtter\Wakened.Syn | text | |
MD5:BE3296CAA4CCC763A4B336752879D1C2 | SHA256:E35F07932BC31FA58C8CA4C514B2C9FF6AE189166EA156A455AA0DA3B6C3DCA8 | |||
| 7592 | f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe | C:\Users\admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Forjtter\Dekupr.hex | binary | |
MD5:FC888F25454E2ED8EA81227E37935AB5 | SHA256:848DEAE68D86059401775AFB1E5C0848F29C4156A6B2DD8AA66CF9B2C9B22E9E | |||
| 7592 | f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe | C:\Users\admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Forjtter\Balke.bis | binary | |
MD5:932078E3A21A48F2415A0F34590B00A0 | SHA256:14436F981840E171A1FAB86117B177303A9229DB182FE3E45F47F97530DB1362 | |||
| 7592 | f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe | C:\Users\admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Forjtter\clinquant.aut | binary | |
MD5:FD3720DB76DE05E391F91B656CB5EE24 | SHA256:4FE45ED05B9AA92AFCA10C11C66404D64365F4514EF9F397F0256204970FFB2F | |||
| 7592 | f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe | C:\Users\admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Plausibleness.Byu | binary | |
MD5:95EA45D3D48A2AD9E40405BCC7522578 | SHA256:200BB9B08E65F7959B7B25B1C2239094C491E99E073DCE40ED6C2C7F679F741D | |||
| 7592 | f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe | C:\Users\admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Forjtter\illusionisterne.sho | binary | |
MD5:1804F6B249C3BAAF77ECDA5BD1597794 | SHA256:FA05D19535F8AF21B80D1B833E047AD3F57525AB56F5ECBF86FC73B68068735D | |||
| 7592 | f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe | C:\Users\admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Forjtter\Spagettier80.nul | binary | |
MD5:FEB6DEF24E5A52076019CF89F6077B2B | SHA256:F754F20BF00D72572AD544E507FB1DEED90514ED34EDD7DD93AD0CA10A1E9BE9 | |||
| 7592 | f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe | C:\Users\admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Forjtter\basaltes.tel | binary | |
MD5:015F562D4E2B1C01869E5756446A24C6 | SHA256:DAF07084E072298B4FAF1A961B8561BB73566B9F8540CAE74E5DD8D9ECD1861F | |||
| 7592 | f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe | C:\Users\admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Forjtter\indstillingsskala.txt | text | |
MD5:1ADE934FF0660D19609EE9534A117F9A | SHA256:83ECC6BDA62E6EB18130408FEFA8D5FAF07E578B29B65AFF9BA3EB3031DF73E6 | |||
| 7592 | f8a6c58d226e584aad84d5ede794437d88f9a8b82cd1c899417c2572d5e4cba4.bin.exe | C:\Users\admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Forjtter\Lungehindebetndelse.for | binary | |
MD5:55FDFA034A1D0DCFA8BE68417B45A91D | SHA256:D3189B893E6577DF9217C6E90252DAC1C012C8592A2E71768E402E7FCCA93882 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
17
DNS requests
30
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
5344 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
5344 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2432 | RUXIMICS.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
5344 | SIHClient.exe | 172.202.163.200:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted |
5344 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5344 | SIHClient.exe | 52.165.164.15:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
7492 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
vauxhall.top |
| unknown |
activation-v2.sls.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |