Windows Analysis Report
SCOE-SP-21-091-003TKT KOREA.com.exe

Overview

General Information

Sample name: SCOE-SP-21-091-003TKT KOREA.com.exe
Analysis ID: 1445945
MD5: c4976d8e37740fb3b7c1443f52b7c8dd
SHA1: 0ab9131546ab7d2f2ed47928c0c6068c5de2841c
SHA256: e145e51d2851637cdfd9bd4f96fec35a785f91b15a0b42fef07f476205db4530
Tags: comexe

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Opens the same file many times (likely Sandbox evasion)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SCOE-SP-21-091-003TKT KOREA.com.exe Avira: detected
Source: SCOE-SP-21-091-003TKT KOREA.com.exe ReversingLabs: Detection: 50%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 65.8% probability
Source: SCOE-SP-21-091-003TKT KOREA.com.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SCOE-SP-21-091-003TKT KOREA.com.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_0040646B FindFirstFileA,FindClose, 0_2_0040646B
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004058BF
Source: SCOE-SP-21-091-003TKT KOREA.com.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SCOE-SP-21-091-003TKT KOREA.com.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040535C
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403348
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe File created: C:\Windows\stepsire Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe File created: C:\Windows\stepsire\Diamondbacks22 Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe File created: C:\Windows\resources\0809 Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_00406945 0_2_00406945
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_0040711C 0_2_0040711C
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_6CEA1A98 0_2_6CEA1A98
Source: SCOE-SP-21-091-003TKT KOREA.com.exe, 00000000.00000000.2008880634.0000000000455000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesolaarene frankeniaceae.exe4 vs SCOE-SP-21-091-003TKT KOREA.com.exe
Source: SCOE-SP-21-091-003TKT KOREA.com.exe Binary or memory string: OriginalFilenamesolaarene frankeniaceae.exe4 vs SCOE-SP-21-091-003TKT KOREA.com.exe
Source: SCOE-SP-21-091-003TKT KOREA.com.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/20@0/0
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403348
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_0040460D
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar, 0_2_0040216B
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe File created: C:\Users\user\AppData\Local\skolebetjents Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe File created: C:\Users\user\AppData\Local\Temp\nsyD0EA.tmp Jump to behavior
Source: SCOE-SP-21-091-003TKT KOREA.com.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SCOE-SP-21-091-003TKT KOREA.com.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe File read: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: polres.lnk.0.dr LNK file: ..\..\user\AppData\Local\Temp\nsdD1A6.tmp\Revitalizers\Forsoldet.Cho46
Source: SCOE-SP-21-091-003TKT KOREA.com.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 00000000.00000002.4530936971.00000000086F6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_6CEA1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_6CEA1A98
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_6CEA2F60 push eax; ret 0_2_6CEA2F8E
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe File created: C:\Users\user\AppData\Local\Temp\nsdD1A6.tmp\nsDialogs.dll Jump to dropped file
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe File created: C:\Users\user\AppData\Local\Temp\nsdD1A6.tmp\UserInfo.dll Jump to dropped file
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe File created: C:\Users\user\AppData\Local\Temp\nsdD1A6.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\redargue\demonising.ini count: 411190 Jump to behavior
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe RDTSC instruction interceptor: First address: 8BCC21D second address: 8BCC21D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 mov ecx, 53EB2BCDh 0x00000008 cmp ecx, 0000009Dh 0x0000000e je 00007FE5D4F64B87h 0x00000014 pop ecx 0x00000015 cmp ebx, ecx 0x00000017 jc 00007FE5D4F422E7h 0x00000019 inc ebp 0x0000001a inc ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdD1A6.tmp\nsDialogs.dll Jump to dropped file
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdD1A6.tmp\UserInfo.dll Jump to dropped file
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdD1A6.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_0040646B FindFirstFileA,FindClose, 0_2_0040646B
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004058BF
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_6CEA1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_6CEA1A98
Source: C:\Users\user\Desktop\SCOE-SP-21-091-003TKT KOREA.com.exe Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403348
No contacted IP infos