Gulagger[.]rar

Sharing

Copy URL Twitter E-mail

General

Target

Gulagger.rar
Size

2.8MB
MD5

9b957972403be1ca4992e39204f01488
SHA1

e4e75ae0172be1ec47546e007b53cfbcf03cbb94
SHA256

57357568656b7b091b78b023c3e0702a62a61e373e7ace935ee03add63abd1f8
SHA512

62298002b8508f2e9fd1cc5a8c7cb3c555d812dec42d9fa933fb67eecf9895bac58ccf790d114adcb26d8dc008b2cfbf7928e8b51907f77fef063b51e5d6c7f0
SSDEEP

49152:JuU2EylNpSZ8fj5whhOmV64wYLy36Ot1kPOE1JWfgtnWwEFHeLsIhMb+:nylNQZgWyZ2m6OtCP9EgtnOdeLsIWb+

Score

1^/10

Malware Config

Signatures

Files

Gulagger.rar
.rar
CONTRIBUTING.md
Kill Active.bat
Kill Gulagger.bat
LEGAL.md
LICENSE
README.md
UploadThese/config.json
UploadThese/ct0.txt
UploadThese/discord_injection.js
.js
UploadThese/embed.json
build.bat
build.js
.js
config.js
default.ico
fix.bat
fix.js
.js
gulagger.js
.js
install.bat
package.json
sigthief.py
.py .sh linux
unsigned/Windows10Upgrade9252.exe
.exe windows:10 windows x86 arch:x86

007db55b0c9d2f882a812da02400b3b4

Code Sign

33:00:00:02:cb:b7:75:39:fb:02:71:42:36:00:00:00:00:02:cb
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/05/2022, 20:45

Not After

11/05/2023, 20:45

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3a:af:df:1e:1e:fd:ba:15:40:ca:03:00:b3:fb:ce:3d:ef:e3:f6:e9:e1:33:10:7c:47:ce:88:ba:29:e9:d9:ae
Signer

Actual PE Digest

3a:af:df:1e:1e:fd:ba:15:40:ca:03:00:b3:fb:ce:3d:ef:e3:f6:e9:e1:33:10:7c:47:ce:88:ba:29:e9:d9:ae

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

upgraderstub.pdb

Imports

advapi32

EnableTraceEx2
RegQueryValueExW
ConvertStringSecurityDescriptorToSecurityDescriptorW
QueryTraceW
EventUnregister
ControlTraceW
RegOpenKeyExW
RegSetValueExW
RegSetKeySecurity
EventSetInformation
RegCreateKeyExW
RegDeleteKeyW
EventRegister
EventWriteTransfer
RegCloseKey
StartTraceW
GetSecurityDescriptorDacl
AdjustTokenPrivileges
OpenProcessToken
GetSecurityDescriptorOwner
GetSecurityDescriptorGroup
GetSecurityDescriptorSacl
GetSecurityDescriptorControl
GetSecurityDescriptorLength
GetAclInformation
RevertToSelf
OpenEncryptedFileRawW
WriteEncryptedFileRaw
CloseEncryptedFileRaw

kernel32

GetVolumePathNamesForVolumeNameW
TlsSetValue
TlsGetValue
TlsFree
TlsAlloc
WaitForMultipleObjectsEx
GlobalMemoryStatusEx
GetVolumeInformationByHandleW
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
CreateSemaphoreW
WaitForMultipleObjects
GetPrivateProfileSectionW
UnlockFileEx
LockFileEx
InitializeCriticalSectionAndSpinCount
CreateEventW
GetVolumeInformationW
GetCurrentThread
SetThreadIdealProcessor
GetSystemInfo
GetOverlappedResult
GetHandleInformation
DeleteCriticalSection
LocalFree
CreateThread
GlobalFree
DeleteFileW
InitOnceComplete
GetExitCodeThread
GetFileAttributesW
LocalAlloc
CreateMutexW
GetTempPathW
InitializeCriticalSection
LeaveCriticalSection
GetModuleFileNameW
GetFullPathNameW
GetCommandLineW
EnterCriticalSection
SetDefaultDllDirectories
CompareStringW
WritePrivateProfileStringW
InitOnceBeginInitialize
CreateDirectoryW
IsDebuggerPresent
DebugBreak
GetModuleHandleW
GetProcessHeap
GetCurrentProcessId
CreateMutexExW
GetProcAddress
HeapAlloc
CloseHandle
OpenSemaphoreW
WaitForSingleObjectEx
OutputDebugStringW
GetLastError
FormatMessageW
ReleaseMutex
GetCurrentThreadId
WaitForSingleObject
GetModuleHandleExW
ReleaseSemaphore
SetLastError
HeapFree
CreateSemaphoreExW
GetModuleFileNameA
Sleep
GetStartupInfoW
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetTickCount
GetFileInformationByHandleEx
FindFirstFileW
FindNextFileW
DeviceIoControl
FindClose
CreateFileW
SetFileAttributesW
GetFileInformationByHandle
SetFileInformationByHandle
CopyFileExW
FlushFileBuffers
GetFileSizeEx
GetCurrentDirectoryW
FreeLibrary
LoadLibraryExW
GetLongPathNameW
GetFinalPathNameByHandleW
GetVolumePathNameW
GetVolumeNameForVolumeMountPointW
GetDriveTypeW
GetEnvironmentVariableW
SetEvent
ResetEvent
WideCharToMultiByte
MultiByteToWideChar
RemoveDirectoryW
CreateFileA
GlobalAlloc
SetFilePointerEx
ReadFile
WriteFile
SetFilePointer
HeapReAlloc
HeapSize
GetShortPathNameW
SetEndOfFile
DuplicateHandle
SetFileTime
LocalFileTimeToFileTime
DosDateTimeToFileTime
OpenProcess
OpenMutexW
LoadLibraryW
GetTempFileNameW
MoveFileW
VerifyVersionInfoW
UnhandledExceptionFilter
VerSetConditionMask

user32

LoadStringW
CharUpperW
MessageBoxW

msvcrt

memcmp
strcpy_s
memcpy
memmove
_wcsicmp
wcsrchr
_wcsnicmp
iswspace
towupper
_vscwprintf
qsort
_except_handler4_common
_controlfp
??1type_info@@UAE@XZ
?terminate@@YAXXZ
_onexit
__dllonexit
_unlock
_lock
_acmdln
_initterm
__setusermatherr
_ismbblead
__p__fmode
_cexit
_exit
exit
__set_app_type
__getmainargs
_amsg_exit
__p__commode
_XcptFilter
_CxxThrowException
sprintf_s
memmove_s
wcschr
??0exception@@QAE@ABQBD@Z
?what@exception@@UBEPBDXZ
_purecall
iswdigit
wcsnlen
_vsnprintf_s
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@XZ
??1exception@@UAE@XZ
memcpy_s
_vsnwprintf
__CxxFrameHandler3
swscanf_s
wcsncmp
wcsstr
memset

ole32

CoInitialize
CoTaskMemFree
CoUninitialize

rpcrt4

RpcStringFreeW
UuidCreate
UuidToStringW

shell32

CommandLineToArgvW
ShellExecuteExW
SHGetSpecialFolderPathW

shlwapi

PathRemoveFileSpecW
StrStrIW
PathFindFileNameW

cabinet

ord22
ord20
ord23

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

ntdll

NtYieldExecution
NtQueryInformationFile
RtlAdjustPrivilege
RtlGetLastNtStatus
RtlSetControlSecurityDescriptor
RtlFindAceByType
NtSetSecurityObject
NtQueryVolumeInformationFile
NtQueryInformationProcess
RtlDosPathNameToNtPathName_U
NtCreateFile
NtClose
RtlInitializeResource
RtlAcquireResourceExclusive
RtlAcquireResourceShared
RtlReleaseResource
RtlDeleteResource
RtlImpersonateSelf
NtSetEaFile
DbgPrintEx
RtlFreeHeap
RtlAllocateHeap
RtlNtStatusToDosError
NtSetInformationFile
RtlReAllocateHeap
RtlRaiseStatus

psapi

GetModuleFileNameExW
EnumProcesses

bcrypt

BCryptCreateHash
BCryptCloseAlgorithmProvider
BCryptDestroyHash
BCryptFinishHash
BCryptOpenAlgorithmProvider
BCryptHashData
BCryptGetProperty

Sections

.text
Size: 462KB - Virtual size: 462KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.boxload
Size: 512B - Virtual size: 86B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 263KB - Virtual size: 264KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

007db55b0c9d2f882a812da02400b3b4

Code Sign

33:00:00:02:cb:b7:75:39:fb:02:71:42:36:00:00:00:00:02:cbCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

3a:af:df:1e:1e:fd:ba:15:40:ca:03:00:b3:fb:ce:3d:ef:e3:f6:e9:e1:33:10:7c:47:ce:88:ba:29:e9:d9:aeSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

user32

msvcrt

ole32

rpcrt4

shell32

shlwapi

cabinet

version

ntdll

psapi

bcrypt

Sections

.text Size: 462KB - Virtual size: 462KB

.data Size: 1KB - Virtual size: 7KB

.idata Size: 7KB - Virtual size: 7KB

.boxload Size: 512B - Virtual size: 86B

.rsrc Size: 263KB - Virtual size: 264KB

.reloc Size: 15KB - Virtual size: 15KB

33:00:00:02:cb:b7:75:39:fb:02:71:42:36:00:00:00:00:02:cb
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

3a:af:df:1e:1e:fd:ba:15:40:ca:03:00:b3:fb:ce:3d:ef:e3:f6:e9:e1:33:10:7c:47:ce:88:ba:29:e9:d9:ae
Signer

.text
Size: 462KB - Virtual size: 462KB

.data
Size: 1KB - Virtual size: 7KB

.idata
Size: 7KB - Virtual size: 7KB

.boxload
Size: 512B - Virtual size: 86B

.rsrc
Size: 263KB - Virtual size: 264KB

.reloc
Size: 15KB - Virtual size: 15KB