File name: fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2

Full analysis: https://app.any.run/tasks/0373d325-246e-43bb-87f9-60bdeb8d3efe
Verdict: Malicious activity
Threats:

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Analysis date: January 10, 2025, 20:17:28
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: guloader, loader, reflection
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: F2827F013A265DE94993C62BF9756B00
SHA1: 9CC4CC403434E08C9C2E2AB312980CAD6B2470CA
SHA256: FE05B02FDA8DC707CEB4143B4A2E4D6553D5410F226907CF0AE318B54EDF28B2
SSDEEP: 49152:LqC3bp6TtRykHanwanXEYJ3UbFYOzsgPAEqG3yfaPJ87bMsoX+OLNtGQEtBwG+lI:LqXtVqwanzOjsgjsCJYMs5OPtGG7roT/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GULOADER has been detected

      • fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2.exe (PID: 2632)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for command execution

      • fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2.exe (PID: 2632)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 5836)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 5836)
  • INFO

    • Creates files or folders in the user directory

      • fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2.exe (PID: 2632)
    • Reads the computer name

      • fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2.exe (PID: 2632)
    • Checks supported languages

      • fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2.exe (PID: 2632)
    • The sample was compiled with English language support

      • fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2.exe (PID: 2632)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 5836)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5836)
    • The process uses the downloaded file

      • powershell.exe (PID: 5836)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 5836)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 5836)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 5836)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

OriginalFileName: hampert.exe
InternalName: hampert.exe
FileDescription: distruster fejlreaktion
Comments: nonrustic
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 2.5.0.0
FileVersionNumber: 2.5.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x31dd
UninitializedDataSize: 2048
InitializedDataSize: 186368
CodeSize: 25088
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2013:05:19 23:53:05+00:00
MachineType: Intel 386 or later, and compatibles
All screenshots are available in the full report
Total processes: 1 308
Monitored processes: 1 179
Malicious processes: 1
Suspicious processes: 1

Behavior graph (process list, rendered as a graph in the full report)

start → fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2.exe (#GULOADER) → powershell.exe, conhost.exe, followed by a long run of repeated msiexec.exe and dxdiag.exe instances (all marked "no specs")