popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Request for Quote 30-08-2021·pdf.exe

GuLoader UPX PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 6, 2021, 1:34 p.m. Sept. 6, 2021, 1:36 p.m.
Size 112.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 612bb2a0321b426e684e268ed72e9776
SHA256 3c5274e97f7c385ed2cebb06a3b0ec49159027b9de3668206044ec4ed52709e5
CRC32 E60F9A96
ssdeep 1536:PWxwIvagrZAyQY754JiXst92OvAdBtG/sPY/A6rE0FXEoekX:P0laGAyQYt4Ji8vhAA/G09EoRX
Yara
  • PE_Header_Zero - PE File Signature
  • GuLoader_IN - GuLoader
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
drive.google.com
A 142.250.196.110
172.217.175.14
IP Address Status Action
142.250.196.110 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49201 -> 142.250.196.110:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49201
142.250.196.110:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=*.google.com 8f:b6:6e:35:48:00:39:39:d4:59:1a:58:7b:b6:38:5a:92:b0:b6:9f

resource name CUSTOM
request GET https://drive.google.com/uc?export=download&id=1gBqvywOWfsStLEvq5ZjLlqCoaQdniUCl
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d72000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2972
region_size: 90112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 876544
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773b0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 876544
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773b0000
process_handle: 0xffffffff
1 0 0
domain drive.google.com
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x003e0000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

EnumServicesStatusA

 service_handle: 0x00520868
service_type: 48
service_status: 3
0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob
Bkav W32.AIDetect.malware1
Lionic Worm.Win32.WBVB.o!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.46896494
FireEye Generic.mg.612bb2a0321b426e
ALYac Trojan.Agent.GuLoader
Cylance Unsafe
Alibaba Trojan:Win32/GenKryptik.2e2ce285
Cybereason malicious.ebd721
Cyren W32/VBKrypt.AZM.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/GenKryptik.FJSR
APEX Malicious
Paloalto generic.ml
Kaspersky Backdoor.Win32.Androm.utki
BitDefender Trojan.GenericKD.46896494
Avast Win32:Trojan-gen
Ad-Aware Trojan.GenericKD.46896494
Sophos Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win32.Trojan.cm
Emsisoft Trojan.GenericKD.46896650 (B)
SentinelOne Static AI - Malicious PE
Microsoft Trojan:Win32/VBObfuse.BBC!MTB
GData Trojan.GenericKD.46896494
McAfee GuLoader-FDCG!612BB2A0321B
MAX malware (ai score=88)
Malwarebytes Trojan.GuLoader
Rising Downloader.Guloader!1.D907 (CLASSIC)
Yandex Trojan.AvsArher.bTx33N
Ikarus Trojan.VB.Crypt
Fortinet Malicious_Behavior.SB
BitDefenderTheta Gen:NN.ZevbaF.34110.hm0@a4TW33ji
AVG Win32:Trojan-gen