File name: | UzAuto - Order Invoices 221205_pdf.exe |
Full analysis: | https://app.any.run/tasks/311b2fac-784d-44dc-bda2-670b2a212121 |
Verdict: | Malicious activity |
Threats: | GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities. |
Analysis date: | December 06, 2022, 01:30:33 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | 09CD3F1C1529F7F4FBB7C7FF7BB31855 |
SHA1: | 3BD396B3F5C2AB6330B7A82AE8A2CC3078D67331 |
SHA256: | FEAD9F557555F4031A6CFDFACAC0DE185BA5941896766920F6421FDAE0BD9ACF |
SSDEEP: | 6144:zspNjlsMVuz6q7JLWDKoAX1GbfL4iCWyxU+iSwhvuXzQvva83Ai:zczVQ6q+cGM93ZiSwvcqC8D |
Extension | Description | Match (%)
---|---|---
.exe | Win32 Executable MS Visual C++ (generic) | 42.2
.exe | Win64 Executable (generic) | 37.3
.dll | Win32 Dynamic Link Library (generic) | 8.8
.exe | Win32 Executable (generic) | 6
.exe | Generic Win/DOS Executable | 2.7
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2016-Dec-11 21:50:55 |
Detected languages: | |
CompanyName: | Udsathedens kolonnetypen Teknikerne |
LegalTrademarks: | Benchmen Spunsjernets |
e_magic: | MZ |
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 200 |
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 5 |
TimeDateStamp: | 2016-Dec-11 21:50:55 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
---|---|---|---|---|---
.text | 4096 | 25615 | 26112 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.43907
.rdata | 32768 | 5296 | 5632 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.03367
.data | 40960 | 176088 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.03309
.ndata | 217088 | 270336 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | — (no raw data)
.rsrc | 487424 | 175672 | 176128 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.67775
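The section table is enough for a first static triage before the sample is ever run: `.data` declares a VirtualSize of 176088 bytes but carries only 1536 raw bytes, `.ndata` carries no raw bytes at all (it is the Nullsoft installer's data section, consistent with the "Nullsoft Installer self-extracting archive" file type above), and the extension guesses above list "Win64 Executable (generic)" at 37.3% even though Machine is IMAGE_FILE_MACHINE_I386 and the file is PE32, so the header, not the heuristic, is what to trust. The Python below is an added example and not part of the ANY.RUN report: it builds a constructed header blob that carries the report's e_lfanew, section count, optional-header size, timestamp and section values (the real file is not embedded), parses it along the same MZ -> e_lfanew -> PE -> section-table chain the loader follows, and flags those traits. The flag constants are the PE/COFF specification values; the 8x VirtualSize-to-raw-size threshold is an assumption.

```python
import struct
from datetime import datetime, timezone

# IMAGE_SECTION_HEADER Characteristics bits (PE/COFF specification values).
SCN_CNT_CODE = 0x00000020
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_CNT_UNINITIALIZED_DATA = 0x00000080
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000

# Values transcribed from the report: (Name, VirtualAddress, VirtualSize,
# SizeOfRawData, Characteristics) per section, plus the link timestamp.
REPORTED_SECTIONS = [
    (b".text", 4096, 25615, 26112, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
    (b".rdata", 32768, 5296, 5632, SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ),
    (b".data", 40960, 176088, 1536, SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE),
    (b".ndata", 217088, 270336, 0, SCN_CNT_UNINITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE),
    (b".rsrc", 487424, 175672, 176128, SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ),
]
REPORTED_STAMP = int(datetime(2016, 12, 11, 21, 50, 55, tzinfo=timezone.utc).timestamp())

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
FILE_HEADER = "<HHIIIHH"
# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
# Characteristics.
SECTION_HEADER = "<8sIIIIIIHHI"


def build_headers(sections, stamp=REPORTED_STAMP, e_lfanew=200, opt_size=224, machine=0x14C):
    """Constructed stand-in for the sample's headers (assumption: not the real file).
    DOS header with e_lfanew, zero stub, PE signature, file header, a PE32 optional
    header of the reported size, then the section table. Section bodies are omitted."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew lives at offset 0x3C
    file_hdr = struct.pack(FILE_HEADER, machine, len(sections), stamp, 0, 0, opt_size, 0x0102)
    opt_hdr = bytearray(opt_size)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)            # IMAGE_NT_OPTIONAL_HDR32_MAGIC
    table = b"".join(struct.pack(SECTION_HEADER, name, vsize, va, raw, 0, 0, 0, 0, 0, flags)
                     for name, va, vsize, raw, flags in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_hdr) + table


def parse_pe(data):
    """Follow MZ -> e_lfanew -> PE signature -> file header -> section table, the
    chain the Windows loader follows, and return the fields the report lists."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER, data, e_lfanew + 4)
    table_off = e_lfanew + 4 + struct.calcsize(FILE_HEADER) + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, raw, *_, flags = struct.unpack_from(
            SECTION_HEADER, data, table_off + struct.calcsize(SECTION_HEADER) * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": raw, "flags": flags})
    return {"machine": machine, "timestamp": datetime.fromtimestamp(stamp, timezone.utc),
            "sections": sections}


def triage(sections, ratio=8):
    """Flag section-table traits worth a second look. The ratio threshold is an
    assumption; returns {section name: [reasons]} and is empty for a plain layout."""
    findings = {}
    for s in sections:
        reasons = []
        if s["raw"] == 0 and s["vsize"] > 0:
            reasons.append("no file-backed bytes; %d bytes are zero-filled at load" % s["vsize"])
        elif s["vsize"] > ratio * s["raw"]:
            reasons.append("VirtualSize is %dx SizeOfRawData; the surplus is zero-filled at "
                           "load and available to the code at run time" % (s["vsize"] // s["raw"]))
        if s["flags"] & SCN_MEM_WRITE and s["flags"] & SCN_MEM_EXECUTE:
            reasons.append("section is both writable and executable")
        if s["name"] == ".ndata":
            reasons.append("NSIS (Nullsoft) installer data section")
        if reasons:
            findings[s["name"]] = reasons
    return findings


if __name__ == "__main__":
    pe = parse_pe(build_headers(REPORTED_SECTIONS))
    print("Machine 0x%X, %d sections, linked %s" % (
        pe["machine"], len(pe["sections"]), pe["timestamp"].strftime("%Y-%b-%d %H:%M:%S")))
    for name, reasons in triage(pe["sections"]).items():
        print("%-7s %s" % (name, "; ".join(reasons)))
```

On the real file, `parse_pe(open(path, "rb").read())` gives the same dictionary; the parser reads only the headers, so it never maps or executes anything. The `.data` finding alone is not proof of malice (NSIS stubs are built this way), which is why the verdict here rests on the behaviour tables below, not on the section layout.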
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.25375 | 67624 | UNKNOWN | English - United States | RT_ICON |
2 | 4.66005 | 38056 | UNKNOWN | English - United States | RT_ICON |
3 | 4.82009 | 21640 | UNKNOWN | English - United States | RT_ICON |
4 | 4.58191 | 16936 | UNKNOWN | English - United States | RT_ICON |
5 | 4.9037 | 9640 | UNKNOWN | English - United States | RT_ICON |
6 | 4.9961 | 4264 | UNKNOWN | English - United States | RT_ICON |
7 | 5.26323 | 3752 | UNKNOWN | English - United States | RT_ICON |
8 | 5.17093 | 2440 | UNKNOWN | English - United States | RT_ICON |
9 | 5.61393 | 2216 | UNKNOWN | English - United States | RT_ICON |
10 | 5.79207 | 1736 | UNKNOWN | English - United States | RT_ICON |
Imports: | ADVAPI32.dll, COMCTL32.dll, GDI32.dll, KERNEL32.dll, SHELL32.dll, USER32.dll, ole32.dll |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level
---|---|---|---|---|---|---|---
1752 | "C:\Users\admin\Desktop\UzAuto - Order Invoices 221205_pdf.exe" | C:\Users\admin\Desktop\UzAuto - Order Invoices 221205_pdf.exe | — | Explorer.EXE | admin | Udsathedens kolonnetypen Teknikerne | MEDIUM
576 | "C:\Users\admin\Desktop\UzAuto - Order Invoices 221205_pdf.exe" | C:\Users\admin\Desktop\UzAuto - Order Invoices 221205_pdf.exe | — | Explorer.EXE | admin | Udsathedens kolonnetypen Teknikerne | MEDIUM
2592 | "C:\Users\admin\Desktop\UzAuto - Order Invoices 221205_pdf.exe" | C:\Users\admin\Desktop\UzAuto - Order Invoices 221205_pdf.exe | — | Explorer.EXE | admin | Udsathedens kolonnetypen Teknikerne | HIGH
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
1752 | UzAuto - Order Invoices 221205_pdf.exe | HKEY_CURRENT_USER\Software\Inadhesive\Pip\Regelmssigere | write | Activises | %Sporochnus%\Circuminsession\quantal\Borh.Dem
576 | UzAuto - Order Invoices 221205_pdf.exe | HKEY_CURRENT_USER\Software\Inadhesive\Pip\Regelmssigere | write | Activises | %Sporochnus%\Circuminsession\quantal\Borh.Dem
2592 | UzAuto - Order Invoices 221205_pdf.exe | HKEY_CURRENT_USER\Software\Inadhesive\Pip\Regelmssigere | write | Activises | %Sporochnus%\Circuminsession\quantal\Borh.Dem
2592 | UzAuto - Order Invoices 221205_pdf.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Bordvines\forsommerens\Maintaining | write | Sydevropiske | %Forskrkkes%\Estoil\Blseinstrumenter\Infraglenoid.Umi
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1752 | UzAuto - Order Invoices 221205_pdf.exe | C:\Users\admin\contobelb\Unwithholden\Angelkrog\Skaermfelter\Mirkas\Pigsticked.Isl | binary | 129B7639680A1CC6E241E3233E1F45E8 | D6DACE4EEEC76A3F95AF9308D6DD3C2C0B66548E2B2F1F11B017E3106DC59783
1752 | UzAuto - Order Invoices 221205_pdf.exe | C:\Users\admin\contobelb\Unwithholden\Angelkrog\Skaermfelter\Mirkas\Fere.Skk | binary | 8A501C12CF426E290474421260A2EB5C | 3EBBEC31703AAD54E8C35DB9C6B97581E83A8EE4AE5BA89B8495F9E07206DCE1
1752 | UzAuto - Order Invoices 221205_pdf.exe | C:\Users\admin\AppData\Local\Temp\nsdF7CC.tmp\System.dll | executable | 17ED1C86BD67E78ADE4712BE48A7D2BD | BD046E6497B304E4EA4AB102CAB2B1F94CE09BDE0EEBBA4C59942A732679E4EB
1752 | UzAuto - Order Invoices 221205_pdf.exe | C:\Users\admin\contobelb\Unwithholden\Angelkrog\Skaermfelter\Mirkas\network-vpn-acquiring-symbolic.svg | image | 70D0AD0BEE8F414E0B1134BD5D6C9FBF | D8A7BDF3F06ED9D1446AF5CF47741DBA94CFAF9C333147B598B8E56186843715
1752 | UzAuto - Order Invoices 221205_pdf.exe | C:\Users\admin\contobelb\Unwithholden\Angelkrog\Misilkrydseren\Undeviousness\semi-starred-symbolic-rtl.svg | image | 13C934BEF141C2DF3E61B9F0D543F0D6 | 70DA430EFFD2BFF6822B5000B6488D4F7B5470BF02B14480982C66137752AC3A
1752 | UzAuto - Order Invoices 221205_pdf.exe | C:\Users\admin\contobelb\Unwithholden\Angelkrog\Unregally\Irlnderens162\selection-end-symbolic.svg | image | F5BFE249EF4C8E3E07CFF67D67475FB1 | 888E8B29EF0ADF74E8FD49E5AFEFA74C3A06B02343C2D8EEBB62A3B3E92BC472
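Read together, the process, registry and file tables describe the behaviour a detection engineer would alert on: Explorer.EXE starts the `_pdf.exe` lure three times, the third instance (PID 2592) runs at HIGH integrity and is the only one writing under HKEY_LOCAL_MACHINE, all three write the same HKCU value, and PID 1752 drops `System.dll` into an `ns????.tmp` directory under %TEMP% together with files of unusual extension in a directory created directly under the user profile. The Python below is an added example and not part of the report: the events are transcribed from the tables above into constructed dicts, and the rules are hypothetical heuristics. The document-extension list, the NSIS temp-directory pattern and the set of standard profile folders are assumptions generalised from the single lure name and the single `nsdF7CC.tmp` path the report shows.

```python
import re
from collections import defaultdict

# Events transcribed from the report's three behaviour tables into constructed
# dicts (assumption: not the sandbox's own export format).
IMAGE = r"C:\Users\admin\Desktop\UzAuto - Order Invoices 221205_pdf.exe"
PROCESSES = [
    {"pid": 1752, "parent": "Explorer.EXE", "image": IMAGE, "integrity": "MEDIUM"},
    {"pid": 576, "parent": "Explorer.EXE", "image": IMAGE, "integrity": "MEDIUM"},
    {"pid": 2592, "parent": "Explorer.EXE", "image": IMAGE, "integrity": "HIGH"},
]
HKCU_KEY = r"HKEY_CURRENT_USER\Software\Inadhesive\Pip\Regelmssigere"
REGISTRY = [
    {"pid": 1752, "op": "write", "key": HKCU_KEY, "name": "Activises"},
    {"pid": 576, "op": "write", "key": HKCU_KEY, "name": "Activises"},
    {"pid": 2592, "op": "write", "key": HKCU_KEY, "name": "Activises"},
    {"pid": 2592, "op": "write", "name": "Sydevropiske",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Bordvines\forsommerens\Maintaining"},
]
DROP_DIR = r"C:\Users\admin\contobelb\Unwithholden\Angelkrog\Skaermfelter\Mirkas"
FILES = [
    {"pid": 1752, "path": DROP_DIR + r"\Pigsticked.Isl"},
    {"pid": 1752, "path": DROP_DIR + r"\Fere.Skk"},
    {"pid": 1752, "path": r"C:\Users\admin\AppData\Local\Temp\nsdF7CC.tmp\System.dll"},
    {"pid": 1752, "path": DROP_DIR + r"\network-vpn-acquiring-symbolic.svg"},
]

# Heuristics (assumptions generalised from the single lure name and the single
# ns????.tmp path in the report; tune the lists for your own environment).
DOUBLE_EXT = re.compile(r"[._ -](pdf|docx?|xlsx?|pptx?|jpe?g|png)\.exe$", re.I)
NSIS_PLUGIN_DIR = re.compile(r"\\Temp\\ns[a-z]?[0-9a-f]{1,4}\.tmp\\", re.I)
PROFILE_SUBDIR = re.compile(r"^[a-z]:\\Users\\[^\\]+\\([^\\]+)\\", re.I)
STANDARD_PROFILE_DIRS = {"AppData", "Desktop", "Documents", "Downloads", "Pictures",
                         "Music", "Videos", "Favorites", "Links", "Contacts", "Searches"}


def detect(processes, registry, files):
    """Return (rule, pid or pids) tuples. Each rule keys on a trait visible in
    the report's tables rather than on this sample's random-looking names."""
    findings = []

    # 1. Double-extension lure: a document-looking file name that is really a .exe.
    for p in processes:
        if DOUBLE_EXT.search(p["image"]):
            findings.append(("double_extension_lure", p["pid"]))

    # 2. Same image started more than once by the same parent, with one instance
    #    at HIGH integrity while its siblings stay at a lower level.
    siblings = defaultdict(list)
    for p in processes:
        siblings[(p["parent"].lower(), p["image"].lower())].append(p)
    for procs in siblings.values():
        levels = {p["integrity"] for p in procs}
        if len(procs) > 1 and "HIGH" in levels and len(levels) > 1:
            findings.append(("mixed_integrity_siblings", tuple(p["pid"] for p in procs)))

    # 3. Machine-wide registry write (HKLM); in the report only the HIGH-integrity
    #    instance does this.
    for r in registry:
        if r["op"] == "write" and r["key"].upper().startswith("HKEY_LOCAL_MACHINE\\"):
            findings.append(("hklm_write", r["pid"]))

    # 4. Dropped files: an NSIS plugin directory under %TEMP%, and files written
    #    into a directory created directly under the user profile.
    for f in files:
        if NSIS_PLUGIN_DIR.search(f["path"]):
            findings.append(("nsis_plugin_dir", f["pid"]))
        m = PROFILE_SUBDIR.match(f["path"])
        if m and m.group(1) not in STANDARD_PROFILE_DIRS:
            findings.append(("nonstandard_profile_dir", f["pid"]))
    return findings


if __name__ == "__main__":
    for rule, who in detect(PROCESSES, REGISTRY, FILES):
        print("%-26s %s" % (rule, who))
```

Against a live EDR or sandbox export you replace the constructed lists with the parsed events and keep the rules; they are written against the naming pattern, the integrity split and the drop locations rather than the sample-specific key names and directory names, which is what makes them reusable beyond this one hash.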