Windows Analysis Report
-pdf.bat.exe

Overview

General Information

Sample name: -pdf.bat.exe
renamed because original name is a hash value
Original sample name: SZLEME ARTLARI (YEN SPAR SZLEMES)-pdf.bat.exe
Analysis ID: 1525544
MD5: c8c2fa1b682b0bca8ed9de83455e8977
SHA1: ff96ea1f052d0e7745a4fe30bacb8362ea57ba2c
SHA256: 4af23250a740fc8e855879c8f0492b8be3613ef015db4347d14885f57e25ee93
Tags: bat, exe, geo, GuLoader, TUR, user-abuse_ch
Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: -pdf.bat.exe ReversingLabs: Detection: 36%
Source: -pdf.bat.exe Virustotal: Detection: 57%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.9% probability
Source: -pdf.bat.exe Joe Sandbox ML: detected
Source: -pdf.bat.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: -pdf.bat.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\-pdf.bat.exe Code function: 0_2_0040682E GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_0040682E
Source: C:\Users\user\Desktop\-pdf.bat.exe Code function: 0_2_004066E4 FindFirstFileW,FindClose, 0_2_004066E4
Source: C:\Users\user\Desktop\-pdf.bat.exe Code function: 0_2_00402B75 FindFirstFileW, 0_2_00402B75
Source: -pdf.bat.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\-pdf.bat.exe Code function: 0_2_00404C33 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404C33
Source: C:\Users\user\Desktop\-pdf.bat.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\-pdf.bat.exe Code function: 0_2_00403804 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 0_2_00403804
Source: C:\Users\user\Desktop\-pdf.bat.exe Code function: 0_2_00404521 0_2_00404521
Source: C:\Users\user\Desktop\-pdf.bat.exe Code function: 0_2_00407235 0_2_00407235
Source: C:\Users\user\Desktop\-pdf.bat.exe Code function: 0_2_70442351 0_2_70442351
Source: -pdf.bat.exe, 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesloffens.exeDVarFileInfo$ vs -pdf.bat.exe
Source: -pdf.bat.exe Binary or memory string: OriginalFilenamesloffens.exeDVarFileInfo$ vs -pdf.bat.exe
Source: classification engine Classification label: mal68.troj.evad.winEXE@1/7@0/0
Source: C:\Users\user\Desktop\-pdf.bat.exe Code function: 0_2_00404188 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,EnableWindow, 0_2_00404188
Source: C:\Users\user\Desktop\-pdf.bat.exe Code function: 0_2_0040234F CoCreateInstance, 0_2_0040234F
Source: C:\Users\user\Desktop\-pdf.bat.exe File created: C:\Users\user\AppData\Local\Anvilled
Source: C:\Users\user\Desktop\-pdf.bat.exe File created: C:\Users\user~1\AppData\Local\Temp\nslF5A9.tmp
Source: -pdf.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\-pdf.bat.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\-pdf.bat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\-pdf.bat.exe File read: C:\Users\user\Desktop\-pdf.bat.exe
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Data Obfuscation

Source: Yara match File source: 00000000.00000002.3780975442.00000000054C5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\-pdf.bat.exe Code function: 0_2_70442351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_70442351
Source: C:\Users\user\Desktop\-pdf.bat.exe File created: C:\Users\user\AppData\Local\Temp\nsk89.tmp\System.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\-pdf.bat.exe RDTSC instruction interceptor: First address: 58016BE second address: 58016BE instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, ecx
    0x00000004 jc 00007F5F6C51E543h
    0x00000006 cmp ah, 00000006h
    0x00000009 inc ebp
    0x0000000a test bl, bl
    0x0000000c inc ebx
    0x0000000d test bh, bh
    0x0000000f rdtsc
Source: C:\Users\user\Desktop\-pdf.bat.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk89.tmp\System.dll
Source: C:\Users\user\Desktop\-pdf.bat.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\-pdf.bat.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\-pdf.bat.exe Code function: 0_2_00403804 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 0_2_00403804
No contacted IP infos