Windows Analysis Report ZGNX11JMSc

Overview

General Information

Sample Name: ZGNX11JMSc (renamed file extension from none to exe)
Analysis ID: 448876
MD5: fcfb0ec70f1419ede8a534cc95cb61e9
SHA1: d3b529d77f1de00d63a75b3956d4bcf6bbce30ca
SHA256: ff1b034c7060724133c6df0aa8cf5411ec0e6775d3aca83a127617340a8c588a
Tags: 32, exe, GuLoader, trojan

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE / OLE file has an invalid certificate
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

AV Detection:

Found malware configuration
Source: ZGNX11JMSc.exe Malware Configuration Extractor: GuLoader {"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}

Compliance:

Uses 32bit PE files
Source: ZGNX11JMSc.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: ZGNX11JMSc.exe

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://ceattire.com/bin_UYDMbHwI28.bin
Source: ZGNX11JMSc.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ZGNX11JMSc.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ZGNX11JMSc.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ZGNX11JMSc.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ZGNX11JMSc.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ZGNX11JMSc.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ZGNX11JMSc.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: ZGNX11JMSc.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: ZGNX11JMSc.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: ZGNX11JMSc.exe String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 0_2_023154E7 NtAllocateVirtualMemory, 0_2_023154E7
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 0_2_023155AC NtAllocateVirtualMemory, 0_2_023155AC
Detected potential crypto function
PE / OLE file has an invalid certificate
Source: ZGNX11JMSc.exe Static PE information: invalid certificate
PE file contains strange resources
Source: ZGNX11JMSc.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZGNX11JMSc.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZGNX11JMSc.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: ZGNX11JMSc.exe, 00000000.00000000.216975638.0000000000438000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe
Uses 32bit PE files
Source: ZGNX11JMSc.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe File created: C:\Users\user\AppData\Local\Temp\~DF46939C48381DC1A3.TMP
Source: ZGNX11JMSc.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ZGNX11JMSc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: ZGNX11JMSc.exe

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match File source: ZGNX11JMSc.exe, type: SAMPLE
Source: Yara match File source: 0.2.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.216935680.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 0_2_0040495E push es; ret 0_2_00404963
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 0_2_02315F81 push ecx; ret 0_2_02315F82
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 0_2_02319551 push edx; iretd 0_2_023196B3
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 00000000023101BE second address: 00000000023101BE instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 00000000023170C1 second address: 00000000023170D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002318DB2 second address: 0000000002318DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002318DFF second address: 0000000002318DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F588C90F2EFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002317A0D second address: 0000000002317A0D instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 00000000023101BE second address: 00000000023101BE instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 00000000023170C1 second address: 00000000023170D5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add edx, ecx 0x0000000c neg ecx 0x0000000e pushad 0x0000000f mov edx, 000000D8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002318DB2 second address: 0000000002318DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, edi 0x0000000c test dl, dl 0x0000000e add eax, 00003004h 0x00000013 mov dword ptr [edi+00003000h], eax 0x00000019 test eax, eax 0x0000001b mov ecx, 07CEBD8Ah 0x00000020 cmp ax, 0000BB7Bh 0x00000024 sub ecx, 04255BC2h 0x0000002a xor ecx, 17A2670Fh 0x00000030 cmp al, bl 0x00000032 sub ecx, 140B05FBh 0x00000038 test eax, ebx 0x0000003a test edx, ebx 0x0000003c mov byte ptr [eax+ecx], 00000000h 0x00000040 dec ecx 0x00000041 mov dword ptr [ebp+0000025Ch], edi 0x00000047 mov edi, 4BBAF831h 0x0000004c pushad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002318DFF second address: 0000000002318DFF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a test dl, dl 0x0000000c xor edi, 940AC00Fh 0x00000012 test eax, eax 0x00000014 xor edi, A987D7D4h 0x0000001a cmp ax, 0000BFCEh 0x0000001e sub edi, 7637EFEAh 0x00000024 cmp al, bl 0x00000026 cmp ecx, edi 0x00000028 mov edi, dword ptr [ebp+0000025Ch] 0x0000002e jnl 00007F588C90F2EFh 0x00000030 test edx, ebx 0x00000032 mov byte ptr [eax+ecx], 00000000h 0x00000036 dec ecx 0x00000037 mov dword ptr [ebp+0000025Ch], edi 0x0000003d mov edi, 4BBAF831h 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe RDTSC instruction interceptor: First address: 0000000002317A0D second address: 0000000002317A0D instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 0_2_023154E7 rdtsc 0_2_023154E7
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 0_2_023154E7 rdtsc 0_2_023154E7
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 0_2_02316B93 mov eax, dword ptr fs:[00000030h] 0_2_02316B93
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 0_2_0231341B mov eax, dword ptr fs:[00000030h] 0_2_0231341B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 0_2_023150CA mov eax, dword ptr fs:[00000030h] 0_2_023150CA
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 0_2_02317D52 mov eax, dword ptr fs:[00000030h] 0_2_02317D52
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 0_2_02312958 mov eax, dword ptr fs:[00000030h] 0_2_02312958
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 0_2_023171A9 mov eax, dword ptr fs:[00000030h] 0_2_023171A9
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: ZGNX11JMSc.exe, 00000000.00000002.740243158.0000000000DB0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: ZGNX11JMSc.exe, 00000000.00000002.740243158.0000000000DB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: ZGNX11JMSc.exe, 00000000.00000002.740243158.0000000000DB0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: ZGNX11JMSc.exe, 00000000.00000002.740243158.0000000000DB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe Code function: 0_2_0231054C cpuid 0_2_0231054C
No contacted IP infos