File name:

f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.zip

Full analysis: https://app.any.run/tasks/6e81fe96-d520-483e-86fe-499d3a127e13
Verdict: Malicious activity
Threats:
GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Analysis date: May 30, 2020, 13:49:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, guloader, loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 723C28A1BD28B7FF9D624084A8D6BB9B
SHA1: 66FB5AA6DA297D9A87F22D9182770233ED333DC2
SHA256: FB69EBBB65C1426AE5126A06467C3681BD1F756FA94FBBC5719AEF0DA2FDB12B
SSDEEP: 768:ESdUfOmv9Cshhed+4CEEAX4hUGvNPwSOE:XA2d+jESakP1OE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe (PID: 4064)
      • f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe (PID: 2332)
    • Changes the autorun value in the registry
      • f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe (PID: 2332)
    • GULOADER was detected
      • f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe (PID: 4064)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2120)
    • Reads Internet Cache Settings
      • f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe (PID: 4064)
    • Application launched itself
      • f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe (PID: 2332)
  • INFO
    No info indicators.
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF (ZIP)
ZipRequiredVersion: 20
ZipBitFlag: 0x0003
ZipCompression: Unknown (99)
ZipModifyDate: 2020:05:30 13:39:27
ZipCRC: 0x0911a108
ZipCompressedSize: 28299
ZipUncompressedSize: 65536
ZipFileName: f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe
No data.
Total processes: 38
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 1

Behavior graph (interactive in the full report): winrar.exe -> drop and start -> f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe -> start -> f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe (#GULOADER)

Process information

PID: 2120
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2332
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb2120.44703\f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb2120.44703\f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe
Parent process: WinRAR.exe
User: admin
Company: VideoLAN
Integrity Level: MEDIUM
Description: VLC media player
Exit code: 0
Version: 3.00.0008

PID: 4064
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb2120.44703\f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb2120.44703\f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe
Parent process: f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe
User: admin
Company: VideoLAN
Integrity Level: MEDIUM
Description: VLC media player
Version: 3.00.0008
Total events: 464
Read events: 440
Write events: 0
Delete events: 0

Modification events
No data

Executable files: 1
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID: 2332
Process: f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF99A69F71116366F8.TMP
Type: binary
MD5: 4E6C1559A7A347A529D7767E3C473011
SHA256: 102339844EC6EB2D1AFF3D1A81996DA8637C14A1860C7539AC243A7660ECF3AA

PID: 2120
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb2120.44703\f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe
Type: executable
MD5: 4C4F3C4C8145B2BB3F79DC1A79F013A9
SHA256: F9F9B4E7ABF29743486AEB210D474FEE24B38A0E2F97D082AB0FE3DABC14B47B
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID: 4064
Process: f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe
Method: GET
IP: 162.144.97.35:80
URL: http://pashupatiexports.com/bin_hzgJnJgi173.bin
CN: US
Reputation: malicious

Connections

PID: 4064
Process: f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe
IP: 162.144.97.35:80
Domain: pashupatiexports.com
ASN: Unified Layer
CN: US
Reputation: malicious

DNS requests

Domain: pashupatiexports.com
IP: 162.144.97.35
Reputation: unknown

Threats

PID: 4064
Process: f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] EJNT_Loader
1 ETPRO signature available in the full report
No debug info