gu[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

gu.exe
Size

1.1MB
MD5

4351154c0ab6a92b6adec0e05d01dc1d
SHA1

c61d8f95d16eb05df69995068f37b0a53cef8ecd
SHA256

e323815d9542852c623c93db5c70c8d5e8fa581d5bf8d6850a70af7c518d71e9
SHA512

47d70b741df94d513a26712ff8f722f1b3c8b1bd2bd39c64fcdf3f9661830455f27ff25b4618ffb524748c918a6af272cfd198d388b8c13204168b578b9e6e9b
SSDEEP

24576:W3sv0VDpJGbXsV6j34SUWcFoPcygd7Z9ShkZdQS4orCxPw1+u/1:90XoZb4SUWv6d7uhkZd/tC68q1

Score

1^/10

Malware Config

Signatures

Files

gu.exe
.exe windows x86

997169d5294c70991bc114fa4b08350a

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

18:49:28:1f:cc:45:5d:00:43:21:a1:47:8b:88:4e:e3
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

10/05/2017, 00:00

Not After

10/05/2018, 23:59

Subject

CN=INFOTEKH & SERVIS\, TOO,O=INFOTEKH & SERVIS\, TOO,POSTALCODE=050050,STREET=43 V prospekt Ryskulova,L=Almaty,ST=Almaty,C=KZ

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

9f:17:ab:27:da:7c:3a:16:5d:84:4f:16:30:ec:e5:e0:1d:f1:b0:4a:53:89:3c:44:47:79:a3:1e:9a:b2:98:58
Signer

Actual PE Digest

9f:17:ab:27:da:7c:3a:16:5d:84:4f:16:30:ec:e5:e0:1d:f1:b0:4a:53:89:3c:44:47:79:a3:1e:9a:b2:98:58

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

nedmalloc

nedrealloc
nedcalloc
nedmalloc
nedfree

kernel32

GetProcAddress
GetPrivateProfileStringA
LoadLibraryA
GetVersionExA
GetCurrentProcessId
LocalFree
Sleep
FindFirstFileA
FindClose
GetLocalTime
FindNextFileA
lstrcpyA
ReleaseSemaphore
OpenSemaphoreA
CreateSemaphoreA
SearchPathA
HeapReAlloc
InterlockedIncrement
SetErrorMode
GetVersion
GetFileSize
WriteFile
ReadFile
GetModuleHandleA
HeapFree
GetProcessHeap
HeapAlloc
TlsFree
GetCurrentThreadId
GetLastError
GetSystemTime
SystemTimeToFileTime
TlsAlloc
TlsGetValue
TlsSetValue
GetEnvironmentVariableA
GetVolumeInformationA
ReleaseMutex
CreateMutexA
InterlockedCompareExchange
InterlockedDecrement
CreateFileA
DeviceIoControl
GetCurrentProcess
CloseHandle
WaitForSingleObject
FormatMessageA
QueryPerformanceCounter
DeleteTimerQueueTimer
CreateTimerQueueTimer
GetComputerNameA
InitializeCriticalSection
EnterCriticalSection
DeleteCriticalSection
LeaveCriticalSection
LocalAlloc
IsDebuggerPresent
GetSystemTimeAsFileTime
FreeLibrary
GlobalMemoryStatus
GetModuleFileNameA
GetPrivateProfileIntA
GlobalFree
GlobalAlloc
GetTickCount
InterlockedExchange
GetStartupInfoA
TerminateProcess
FileTimeToSystemTime
SetUnhandledExceptionFilter
UnhandledExceptionFilter

user32

PostMessageA
MessageBoxA
SendMessageA
wsprintfA
CharUpperA

shlwapi

PathAppendA

msvcr90

fwrite
fgetc
fopen_s
strlen
_CxxThrowException
__CxxFrameHandler3
_stricmp
_read
_close
_itoa
_open
_tell
_lseek
_write
_unlink
_filelength
_strnicmp
memset
_aligned_free
??9type_info@@QBE_NABV0@@Z
??8type_info@@QBE_NABV0@@Z
_aligned_malloc
??0bad_cast@std@@QAE@ABV01@@Z
??1bad_cast@std@@UAE@XZ
??0exception@std@@QAE@ABQBDH@Z
isalpha
toupper
tolower
_mbsrchr
localeconv
strcspn
sprintf_s
memcmp
?terminate@@YAXXZ
_unlock
__dllonexit
_encode_pointer
_lock
_onexit
_CIsqrt
_amsg_exit
__getmainargs
_cexit
_exit
_XcptFilter
_ismbblead
_acmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
?_name_internal_method@type_info@@QBEPBDPAU__type_info_node@@@Z
_except_handler4_common
_crt_debugger_hook
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_invoke_watson
_controlfp_s
islower
_calloc_crt
___lc_handle_func
___lc_codepage_func
isupper
__pctype_func
__crtLCMapStringA
setlocale
__uncaught_exception
printf
_chsize
_mktime64
atoi
memcpy_s
_locking
??0exception@std@@QAE@ABV01@@Z
??0exception@std@@QAE@ABQBD@Z
??0exception@std@@QAE@XZ
??1exception@std@@UAE@XZ
?what@exception@std@@UBEPBDXZ
_lseeki64
memmove_s
abort
memchr
__iob_func
_invalid_parameter_noinfo
remove
srand
strncpy
_sleep
strstr
rewind
ceil
_time64
_localtime64
atol
asctime
fprintf
fseek
clock
fgetpos
strchr
strncmp
sscanf
vfprintf
fflush
vprintf
sprintf
exit
fclose
rand
fread
fopen
??2@YAPAXI@Z
strrchr
??3@YAXPAX@Z
_purecall
??_V@YAXPAX@Z
?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z
_free_locale
_CIlog10
??0bad_cast@std@@QAE@PBD@Z
_decode_pointer

ws2_32

socket
connect
accept
select
htons
bind
listen
inet_addr
gethostbyname
closesocket
WSACleanup
WSAStartup
send
recv
gethostname
WSAGetLastError

advapi32

GetUserNameA
CryptGenRandom
CryptReleaseContext
CryptAcquireContextA

Exports

Exports

DoGU

Sections

.text
Size: 897KB - Virtual size: 896KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 130KB - Virtual size: 130KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 95KB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 688B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

997169d5294c70991bc114fa4b08350a

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

18:49:28:1f:cc:45:5d:00:43:21:a1:47:8b:88:4e:e3Certificate

Extended Key Usages

Key Usages

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:afCertificate

Extended Key Usages

Key Usages

9f:17:ab:27:da:7c:3a:16:5d:84:4f:16:30:ec:e5:e0:1d:f1:b0:4a:53:89:3c:44:47:79:a3:1e:9a:b2:98:58Signer

Headers

DLL Characteristics

File Characteristics

Imports

nedmalloc

kernel32

user32

shlwapi

msvcr90

ws2_32

advapi32

Exports

Exports

Sections

.text Size: 897KB - Virtual size: 896KB

.rdata Size: 130KB - Virtual size: 130KB

.data Size: 95KB - Virtual size: 1.3MB

.rsrc Size: 1024B - Virtual size: 688B

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

18:49:28:1f:cc:45:5d:00:43:21:a1:47:8b:88:4e:e3
Certificate

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

9f:17:ab:27:da:7c:3a:16:5d:84:4f:16:30:ec:e5:e0:1d:f1:b0:4a:53:89:3c:44:47:79:a3:1e:9a:b2:98:58
Signer

.text
Size: 897KB - Virtual size: 896KB

.rdata
Size: 130KB - Virtual size: 130KB

.data
Size: 95KB - Virtual size: 1.3MB

.rsrc
Size: 1024B - Virtual size: 688B