Windows Analysis Report ZGNX11JMSc

Overview

General Information

Sample Name: ZGNX11JMSc (renamed file extension from none to exe)
Analysis ID: 448876
MD5: fcfb0ec70f1419ede8a534cc95cb61e9
SHA1: d3b529d77f1de00d63a75b3956d4bcf6bbce30ca
SHA256: ff1b034c7060724133c6df0aa8cf5411ec0e6775d3aca83a127617340a8c588a
Tags: 32, exe, GuLoader, trojan
Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE / OLE file has an invalid certificate
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • ZGNX11JMSc.exe (PID: 5764 cmdline: 'C:\Users\user\Desktop\ZGNX11JMSc.exe' MD5: FCFB0EC70F1419EDE8A534CC95CB61E9)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}

Yara Overview

Initial Sample

Source | Rule | Description | Author
ZGNX11JMSc.exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000000.00000000.216935680.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security
00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.ZGNX11JMSc.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security
0.0.ZGNX11JMSc.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: ZGNX11JMSc.exe | Malware Configuration Extractor: GuLoader {"Payload URL": "http://ceattire.com/bin_UYDMbHwI28.bin"}
Source: ZGNX11JMSc.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: ZGNX11JMSc.exe

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://ceattire.com/bin_UYDMbHwI28.bin
Source: ZGNX11JMSc.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ZGNX11JMSc.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ZGNX11JMSc.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ZGNX11JMSc.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ZGNX11JMSc.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ZGNX11JMSc.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ZGNX11JMSc.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: ZGNX11JMSc.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: ZGNX11JMSc.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: ZGNX11JMSc.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023154E7 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023155AC NtAllocateVirtualMemory,
Source: ZGNX11JMSc.exe | Static PE information: invalid certificate
Source: ZGNX11JMSc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZGNX11JMSc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZGNX11JMSc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ZGNX11JMSc.exe, 00000000.00000000.216975638.0000000000438000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe | Binary or memory string: OriginalFilenameANTISOCIA.exe vs ZGNX11JMSc.exe
Source: ZGNX11JMSc.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | File created: C:\Users\user\AppData\Local\Temp\~DF46939C48381DC1A3.TMP
Source: ZGNX11JMSc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ZGNX11JMSc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ANTISOCIA.pdb source: ZGNX11JMSc.exe

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader
Source: Yara match | File source: ZGNX11JMSc.exe, type: SAMPLE
Source: Yara match | File source: 0.2.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.ZGNX11JMSc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.216935680.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_0040495E push es; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02315F81 push ecx; ret
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02319551 push edx; iretd
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02310EFE
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023142CD
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02311B1A
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02311B5F
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02310FB5
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02312793
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02316F9E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023143F1
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02317036
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_0231341B
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_0231100E
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02314071
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02317D52
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02312958
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 00000000023101BE, second address: 00000000023101BE, instructions:
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 00000000023170C1, second address: 00000000023170D5, instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a add edx, ecx
    0x0000000c neg ecx
    0x0000000e pushad
    0x0000000f mov edx, 000000D8h
    0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002318DB2, second address: 0000000002318DFF, instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a mov eax, edi
    0x0000000c test dl, dl
    0x0000000e add eax, 00003004h
    0x00000013 mov dword ptr [edi+00003000h], eax
    0x00000019 test eax, eax
    0x0000001b mov ecx, 07CEBD8Ah
    0x00000020 cmp ax, 0000BB7Bh
    0x00000024 sub ecx, 04255BC2h
    0x0000002a xor ecx, 17A2670Fh
    0x00000030 cmp al, bl
    0x00000032 sub ecx, 140B05FBh
    0x00000038 test eax, ebx
    0x0000003a test edx, ebx
    0x0000003c mov byte ptr [eax+ecx], 00000000h
    0x00000040 dec ecx
    0x00000041 mov dword ptr [ebp+0000025Ch], edi
    0x00000047 mov edi, 4BBAF831h
    0x0000004c pushad
    0x0000004d rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002318DFF, second address: 0000000002318DFF, instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 00000001h
    0x00000007 cpuid
    0x00000009 popad
    0x0000000a test dl, dl
    0x0000000c xor edi, 940AC00Fh
    0x00000012 test eax, eax
    0x00000014 xor edi, A987D7D4h
    0x0000001a cmp ax, 0000BFCEh
    0x0000001e sub edi, 7637EFEAh
    0x00000024 cmp al, bl
    0x00000026 cmp ecx, edi
    0x00000028 mov edi, dword ptr [ebp+0000025Ch]
    0x0000002e jnl 00007F588C90F2EFh
    0x00000030 test edx, ebx
    0x00000032 mov byte ptr [eax+ecx], 00000000h
    0x00000036 dec ecx
    0x00000037 mov dword ptr [ebp+0000025Ch], edi
    0x0000003d mov edi, 4BBAF831h
    0x00000042 pushad
    0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | RDTSC instruction interceptor: First address: 0000000002317A0D, second address: 0000000002317A0D, instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023154E7 rdtsc
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023154E7 rdtsc
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02316B93 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_0231341B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023150CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02317D52 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_02312958 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_023171A9 mov eax, dword ptr fs:[00000030h]
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: ZGNX11JMSc.exe, 00000000.00000002.740243158.0000000000DB0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: ZGNX11JMSc.exe, 00000000.00000002.740243158.0000000000DB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: ZGNX11JMSc.exe, 00000000.00000002.740243158.0000000000DB0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: ZGNX11JMSc.exe, 00000000.00000002.740243158.0000000000DB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\ZGNX11JMSc.exe | Code function: 0_2_0231054C cpuid

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Virtualization/Sandbox Evasion 11; Process Injection 1; Obfuscated Files or Information 1; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery 41; Virtualization/Sandbox Evasion 11; Process Discovery 1; System Information Discovery 311
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel 1; Application Layer Protocol 1; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
ZGNX11JMSc.exe | 7% | ReversingLabs | Win32.Trojan.Vebzenpak

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://ceattire.com/bin_UYDMbHwI28.bin | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://ceattire.com/bin_UYDMbHwI28.bin | true | Avira URL Cloud: safe | unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 448876
Start date: 14.07.2021
Start time: 19:51:35
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 8s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ZGNX11JMSc (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.troj.evad.winEXE@1/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Override analysis time to 240s for sample files taking high CPU consumption
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Not all processes were analyzed; the report is missing behavior information
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/448876/sample/ZGNX11JMSc.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 4.7769054763067915
TrID:
• Win32 Executable (generic) a (10002005/4) 99.15%
• Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ZGNX11JMSc.exe
File size: 267376
MD5: fcfb0ec70f1419ede8a534cc95cb61e9
SHA1: d3b529d77f1de00d63a75b3956d4bcf6bbce30ca
SHA256: ff1b034c7060724133c6df0aa8cf5411ec0e6775d3aca83a127617340a8c588a
SHA512: ffec36b157f889a2bd351b9d8423b247138a5fd2e57de83bb1253336518431136a265d244b653af470a8d04e2674c4cadf467c065a7fc38f10effedd705ab248
SSDEEP: 1536:x2M5j2eBXFScbssSe/W+dMa27qQ0Z9Dfs4IwNAvgiIOm72tNHLg/8A:T5FXrbVTeE2uQU7s49AMUrg/8A
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................................Rich............PE..L.....FR.................`..........p........p....@................

File Icon

Icon Hash: e8ccce8e8ececce8

Static PE Info

General

Entrypoint: 0x401470
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x5246CAE2 [Sat Sep 28 12:26:10 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: a6a8fddf213e725d12277ffa52409c50

Authenticode Signature

Signature Valid: false
Signature Issuer: E=Overbee@NONASSUM.DRA, CN=skrdd, OU=UNDE, O=prototypi, L=Nyordn5, S=sobs, C=MG
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Not Before: 7/13/2021 10:05:37 AM
Not After: 7/13/2022 10:05:37 AM
Subject Chain:
• E=Overbee@NONASSUM.DRA, CN=skrdd, OU=UNDE, O=prototypi, L=Nyordn5, S=sobs, C=MG
Version: 3
Thumbprint MD5: 9036914828CBB0BD5603E92A0629EBCE
Thumbprint SHA-1: 502D44A3683EF19D6EE93B5A0BA39CEF214FA587
Thumbprint SHA-256: D8DC1D893CD8ACCF7B4CB8910AC7F2C4539AB530AD74E93F825CCDA9E5C58408
Serial: 00

Entrypoint Preview


Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x36404 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x7a92 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x40058 | 0x1418 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1120 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x118 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x35930 | 0x36000 | False | 0.255479600694 | data | 4.71656794382 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x37000 | 0xbd4 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x38000 | 0x7a92 | 0x8000 | False | 0.294891357422 | data | 4.41054714474 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

              | Name | RVA | Size | Type | Language | Country |
              |---|---|---|---|---|---|
              | RT_ICON | 0x3f42a | 0x668 | data | | |
              | RT_ICON | 0x3f142 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 998965248, next used block 48059 | | |
              | RT_ICON | 0x3ef5a | 0x1e8 | data | | |
              | RT_ICON | 0x3ee32 | 0x128 | GLS_BINARY_LSB_FIRST | | |
              | RT_ICON | 0x3df8a | 0xea8 | data | | |
              | RT_ICON | 0x3d6e2 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | | |
              | RT_ICON | 0x3d01a | 0x6c8 | data | | |
              | RT_ICON | 0x3cab2 | 0x568 | GLS_BINARY_LSB_FIRST | | |
              | RT_ICON | 0x3a50a | 0x25a8 | data | | |
              | RT_ICON | 0x39462 | 0x10a8 | data | | |
              | RT_ICON | 0x38ada | 0x988 | data | | |
              | RT_ICON | 0x38672 | 0x468 | GLS_BINARY_LSB_FIRST | | |
              | RT_GROUP_ICON | 0x385c4 | 0xae | data | | |
              | RT_VERSION | 0x38300 | 0x2c4 | data | Swahili | Kenya |
              | RT_VERSION | 0x38300 | 0x2c4 | data | Swahili | Mozambiq |

              Imports

              | DLL | Import |
              |---|---|
              | MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, __vbaInStr, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, __vbaAryCopy, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr |

              Version Infos

              | Description | Data |
              |---|---|
              | Translation | 0x0441 0x04b0 |
              | LegalCopyright | ON24 |
              | InternalName | ANTISOCIA |
              | FileVersion | 7.00 |
              | CompanyName | ON24 |
              | LegalTrademarks | ON24 |
              | Comments | ON24 |
              | ProductName | ON24 |
              | ProductVersion | 7.00 |
              | FileDescription | ON24 |
              | OriginalFilename | ANTISOCIA.exe |

              Possible Origin

              | Language of compilation system | Country where language is spoken | Map |
              |---|---|---|
              | Swahili | Kenya | |
              | Swahili | Mozambiq | |

              Network Behavior

              No network behavior found

              Code Manipulations

              Statistics

              System Behavior

              General

              Start time: 19:52:30
              Start date: 14/07/2021
              Path: C:\Users\user\Desktop\ZGNX11JMSc.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Users\user\Desktop\ZGNX11JMSc.exe'
              Imagebase: 0x400000
              File size: 267376 bytes
              MD5 hash: FCFB0EC70F1419EDE8A534CC95CB61E9
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: Visual Basic
              Yara matches:
              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.741035420.0000000002310000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000000.216935680.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000002.739221783.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
              Reputation: low

              Disassembly

              Code Analysis
