Report - Request for Quote 30-08-2021·pdf.exe

GuLoader UPX PE File PE32
ScreenShot
Created 2021.09.06 13:39 Machine s1_win7_x6401
Filename Request for Quote 30-08-2021·pdf.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
6
Behavior Score
4.0
ZERO API file : clean
VT API (file) 33 detected (AIDetect, malware1, WBVB, malicious, high confidence, GenericKD, GuLoader, Unsafe, GenKryptik, VBKrypt, Eldorado, Attribute, HighConfidence, FJSR, Androm, utki, Static AI, Malicious PE, VBObfuse, FDCG, ai score=88, CLASSIC, AvsArher, bTx33N, Behavior, ZevbaF, hm0@a4TW33ji)
md5 612bb2a0321b426e684e268ed72e9776
sha256 3c5274e97f7c385ed2cebb06a3b0ec49159027b9de3668206044ec4ed52709e5
ssdeep 1536:PWxwIvagrZAyQY754JiXst92OvAdBtG/sPY/A6rE0FXEoekX:P0laGAyQYt4Ji8vhAA/G09EoRX
imphash c42d5cd53ab0f6ec2316f135b7a5f0ad
impfuzzy 6:HHTNczvDnORq5BBMNeSq8rT/VC1nq4Hn1rnOZTCR6lJU1UUbUtpUWByrLo:nTOfEqKNevoTY1n9H1TEhlaeNt6WBio
  Network IP location

Signature (8cnts)

Level Description
danger File has been identified by 33 AntiVirus engines on VirusTotal as malicious
watch Attempts to create or modify system certificates
watch Enumerates services
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Downloads a file or document from Google Drive
notice Performs some HTTP requests
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (4cnts)

Level Name Description Collection
danger GuLoader_IN GuLoader binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://drive.google.com/uc?export=download&id=1gBqvywOWfsStLEvq5ZjLlqCoaQdniUCl US GOOGLE 142.250.196.110 mailcious
drive.google.com US GOOGLE 172.217.175.14 mailcious
142.250.196.110 US GOOGLE 142.250.196.110 suspicious

Suricata ids

PE API

IAT(Import Address Table) Library

MSVBVM60.DLL
 0x401000 None
 0x401004 MethCallEngine
 0x401008 None
 0x40100c None
 0x401010 None
 0x401014 None
 0x401018 EVENT_SINK_AddRef
 0x40101c None
 0x401020 DllFunctionCall
 0x401024 EVENT_SINK_Release
 0x401028 EVENT_SINK_QueryInterface
 0x40102c __vbaExceptHandler
 0x401030 None
 0x401034 None
 0x401038 None
 0x40103c None
 0x401040 None
 0x401044 None
 0x401048 None
 0x40104c None
 0x401050 None
 0x401054 None
 0x401058 None
 0x40105c None

EAT(Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure