Windows Analysis Report
pago.exe

Overview

General Information

Sample Name: pago.exe
Analysis ID: 634139
MD5: 41db491c763c2aa61a8f4305591e3139
SHA1: 20c45ae71feccf738620764f70154f0ac5b6ac59
SHA256: 904211f6f92bb8e96d8a56077c3b95ed22c746ee17caf7fb769d786821521585
Infos:

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
PE file does not import any functions
PE file contains strange resources
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Binary contains a suspicious time stamp
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Found malware configuration
Source: 00000000.00000002.905489212.0000000002940000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQ'`5"}
Multi AV Scanner detection for submitted file
Source: pago.exe Virustotal: Detection: 31% Perma Link
Uses 32bit PE files
Source: pago.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: pago.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Runtime.CompilerServices.VisualC.ni.pdb source: System.Runtime.CompilerServices.VisualC.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdbRSDS source: System.Runtime.CompilerServices.VisualC.dll.0.dr
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=14p4RqgiFGwvudzlCweA8Cs_gKBFB_1pQ'`5
Source: pago.exe String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: pago.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: pago.exe String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: pago.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: pago.exe String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: pago.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: pago.exe String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: pago.exe String found in binary or memory: http://subca.ocsp-certum.com01
Source: pago.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: pago.exe String found in binary or memory: http://subca.ocsp-certum.com05
Source: pago.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: System.Runtime.CompilerServices.VisualC.dll.0.dr String found in binary or memory: https://github.com/dotnet/runtime
Source: System.Runtime.CompilerServices.VisualC.dll.0.dr String found in binary or memory: https://github.com/dotnet/runtimeBSJB
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056DE
Uses 32bit PE files
Source: pago.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
PE file does not import any functions
Source: System.Runtime.CompilerServices.VisualC.dll.0.dr Static PE information: No import functions for PE file found
PE file contains strange resources
Source: pago.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Detected potential crypto function
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_0040755C 0_2_0040755C
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_00406D85 0_2_00406D85
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_732D1BFF 0_2_732D1BFF
PE / OLE file has an invalid certificate
Source: pago.exe Static PE information: invalid certificate
PE file contains executable resources (Code or Archives)
Source: System.Runtime.CompilerServices.VisualC.dll.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\pago.exe Process Stats: CPU usage > 98%
Source: pago.exe Virustotal: Detection: 31%
Source: C:\Users\user\Desktop\pago.exe File read: C:\Users\user\Desktop\pago.exe Jump to behavior
Source: pago.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pago.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\pago.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Source: C:\Users\user\Desktop\pago.exe File created: C:\Users\user\AppData\Local\Temp\nsiA766.tmp Jump to behavior
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/7@0/0
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\pago.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_0040498A
Source: pago.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Runtime.CompilerServices.VisualC.ni.pdb source: System.Runtime.CompilerServices.VisualC.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdb source: System.Runtime.CompilerServices.VisualC.dll.0.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.VisualC\net6.0-Release\System.Runtime.CompilerServices.VisualC.pdbRSDS source: System.Runtime.CompilerServices.VisualC.dll.0.dr

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.905489212.0000000002940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_732D30C0 push eax; ret 0_2_732D30EE
Binary contains a suspicious time stamp
Source: System.Runtime.CompilerServices.VisualC.dll.0.dr Static PE information: 0xC22B5F28 [Fri Mar 24 23:05:12 2073 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_732D1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_732D1BFF
Drops PE files
Source: C:\Users\user\Desktop\pago.exe File created: C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll Jump to dropped file
Source: C:\Users\user\Desktop\pago.exe File created: C:\Users\user\AppData\Local\Temp\nsaB9F5.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\pago.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\pago.exe RDTSC instruction interceptor: First address: 0000000002942688 second address: 0000000002942688 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F841CCD5786h 0x00000006 cmp cl, dl 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a cmp eax, ecx 0x0000000c rdtsc
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\pago.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Runtime.CompilerServices.VisualC.dll Jump to dropped file
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\pago.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pago.exe API call chain: ExitProcess graph end node
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_732D1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_732D1BFF
Source: C:\Users\user\Desktop\pago.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 634139 Sample: pago.exe Startdate: 25/05/2022 Architecture: WINDOWS Score: 72 13 Found malware configuration 2->13 15 Multi AV Scanner detection for submitted file 2->15 17 Yara detected GuLoader 2->17 19 C2 URLs / IPs found in malware configuration 2->19 5 pago.exe 4 23 2->5         started        process3 file4 9 C:\Users\user\AppData\Local\...\System.dll, PE32 5->9 dropped 11 System.Runtime.Com...ervices.VisualC.dll, PE32+ 5->11 dropped 21 Tries to detect virtualization through RDTSC time measurements 5->21 signatures5
No contacted IP infos