File name: | fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2 |
Full analysis: | https://app.any.run/tasks/0373d325-246e-43bb-87f9-60bdeb8d3efe |
Verdict: | Malicious activity |
Threats: | GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities. |
Analysis date: | January 10, 2025, 20:17:28 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
MD5: | F2827F013A265DE94993C62BF9756B00 |
SHA1: | 9CC4CC403434E08C9C2E2AB312980CAD6B2470CA |
SHA256: | FE05B02FDA8DC707CEB4143B4A2E4D6553D5410F226907CF0AE318B54EDF28B2 |
SSDEEP: | 49152:LqC3bp6TtRykHanwanXEYJ3UbFYOzsgPAEqG3yfaPJ87bMsoX+OLNtGQEtBwG+lI:LqXtVqwanzOjsgjsCJYMs5OPtGG7roT/ |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2013:05:19 23:53:05+00:00 |
ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
PEType: | PE32 |
LinkerVersion: | 6 |
CodeSize: | 25088 |
InitializedDataSize: | 186368 |
UninitializedDataSize: | 2048 |
EntryPoint: | 0x31dd |
OSVersion: | 4 |
ImageVersion: | 6 |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
FileVersionNumber: | 2.5.0.0 |
ProductVersionNumber: | 2.5.0.0 |
FileFlagsMask: | 0x0000 |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Windows, Latin1 |
Comments: | nonrustic |
FileDescription: | distruster fejlreaktion |
InternalName: | hampert.exe |
OriginalFileName: | hampert.exe |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2632 | "C:\Users\admin\AppData\Local\Temp\fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2.exe" | C:\Users\admin\AppData\Local\Temp\fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: distruster fejlreaktion Exit code: 0 Modules
| |||||||||||||||
5836 | "powershell.exe" -windowstyle minimized "$Yderpunktets=Get-Content -Raw 'C:\Users\admin\AppData\Roaming\Polysulfonate\sangersken\Circulation\Jul.Emb';$Disna=$Yderpunktets.SubString(22405,3);.$Disna($Yderpunktets)" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
132 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
4932 | "C:\WINDOWS\SysWOW64\msiexec.exe" | C:\Windows\SysWOW64\msiexec.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
6092 | "C:\WINDOWS\SysWOW64\msiexec.exe" | C:\Windows\SysWOW64\msiexec.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
4528 | "C:\WINDOWS\SysWOW64\msiexec.exe" | C:\Windows\SysWOW64\msiexec.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
2412 | "C:\WINDOWS\SysWOW64\msiexec.exe" | C:\Windows\SysWOW64\msiexec.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
3876 | "C:\WINDOWS\SysWOW64\msiexec.exe" | C:\Windows\SysWOW64\msiexec.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
6012 | "C:\WINDOWS\SysWOW64\msiexec.exe" | C:\Windows\SysWOW64\msiexec.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
4512 | "C:\WINDOWS\SysWOW64\msiexec.exe" | C:\Windows\SysWOW64\msiexec.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
5836 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wktmmyzg.uwr.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
5836 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_04ngrydo.hqu.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
2632 | fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2.exe | C:\Users\admin\AppData\Roaming\Polysulfonate\sangersken\Circulation\Jul.Emb | text | |
MD5:48C389453F2D33288CC98CEBDF2CB813 | SHA256:9FF2EF5992F74954230F92775E391F7FB06989860E4573D609015A4B4D219CA0 | |||
2632 | fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2.exe | C:\Users\admin\AppData\Roaming\Polysulfonate\sangersken\Circulation\Hendecasyllabic\solvejg.non | binary | |
MD5:0EC84A842970A2C0B04893F66217F733 | SHA256:6B3552FC5295BE3AE9FADD8AFA8A06103BD60DDB6E0BE924C61B346895505A7A | |||
2632 | fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2.exe | C:\Users\admin\AppData\Roaming\Polysulfonate\sangersken\Circulation\Hendecasyllabic\hogni.opd | abr | |
MD5:7586252625434A405256063977B84D0D | SHA256:5AFA5BC29281632F196999E16D8F4B26F2C14EC6A8A5F589DC5932B6DE78A2A7 | |||
2632 | fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2.exe | C:\Users\admin\AppData\Roaming\Polysulfonate\sangersken\Circulation\brugerinstallation.cry | abr | |
MD5:77218C2134D28A666F2FDEAA5E452489 | SHA256:A901A3525DC18A4A9E6EF655931252D8258D954D419FCE81668F251C8EF54EE5 | |||
5836 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_q24ownwo.i5c.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
2632 | fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2.exe | C:\Users\admin\AppData\Roaming\Polysulfonate\sangersken\Circulation\Detergenternes.bre | abr | |
MD5:858C7D246EC84B37359FDE23A9F8898A | SHA256:100C199A129F94FB16BDD51943FB691AB055CEA690088691C0F989D4C1C75884 | |||
5836 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jbm1s2y2.p2p.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
2632 | fe05b02fda8dc707ceb4143b4a2e4d6553d5410f226907cf0ae318b54edf28b2.exe | C:\Users\admin\AppData\Roaming\Polysulfonate\sangersken\Circulation\cloner.hol | binary | |
MD5:E4AC954ED484155B2A165BF00B1E8A4F | SHA256:3078C30C80C29C473A796C4E1FE5F89A175D9B23FC88DBCD0262D93B0C67BEED |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
6584 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
6584 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
6204 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5064 | SearchApp.exe | 2.23.227.215:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted |
1076 | svchost.exe | 2.23.242.9:443 | go.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
1176 | svchost.exe | 20.190.159.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |