gu[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

gu.zip
Size

130KB
MD5

8853fd5813df7b6d09e7bed1a6d1e2fd
SHA1

a59116aa61f7165c8b9792a24b773d3a27c2f22b
SHA256

1b1dd7197a71ad853ea2fd5ad10311cb74102b1c5dd7b2c49a76e32b6d3b1c1a
SHA512

26328a974c3a4b558d729aaee690954130f2f29101ac97fc4c895819c74efc3cf3b1f60f02efd4755795792ac4b05d518d2010702f6932540d115e8bd16e3df7
SSDEEP

3072:QXk0Vu6ZQQ/uAA68LQp/e6+0gnzW/A+qoMrvBFr5V3z:QXkYu65/uAA+p/e6+0gzWPqooBt5V3z

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/20e5192ce29f2d7823cab0de81eb97c1cf28119b4379dffed88099cb2f3988b1

Files

gu.zip
.zip

Password: infected
20e5192ce29f2d7823cab0de81eb97c1cf28119b4379dffed88099cb2f3988b1
.exe windows:5 windows x86 arch:x86

9d7ac77a44667ba5186f7bb12dfd9d42

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\谷堕\Desktop\2022远程管理gfi\cangku\WinOsClientProject\Release-exe\上线模块.pdb

Imports

kernel32

CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
CloseHandle
LoadLibraryW
GetProcAddress
CreateFileW
GetCurrentProcess
lstrcpyW
GetLastError
HeapAlloc
GetProcessHeap
HeapFree
OpenProcess
GetDriveTypeW
GetDiskFreeSpaceExW
GlobalMemoryStatusEx
GetSystemInfo
FreeLibrary
GetModuleFileNameW
GetCommandLineW
GetStartupInfoW
CreateProcessW
ExitProcess
WideCharToMultiByte
CreateFileA
DeviceIoControl
QueryPerformanceFrequency
CreateEventW
SetEvent
ResetEvent
QueryPerformanceCounter
WaitForSingleObject
InterlockedExchange
GetConsoleWindow
ExpandEnvironmentStringsW
CopyFileW
GetFileAttributesW
CreateEventA
FormatMessageW
SetLastError
VirtualProtect
IsBadReadPtr
LoadLibraryA
GetNativeSystemInfo
SetErrorMode
SetUnhandledExceptionFilter
GetCurrentThreadId
CreateThread
CreateMutexW
GetFileSize
DeleteFileW
ReleaseMutex
SetFilePointer
RaiseException
InitializeCriticalSectionAndSpinCount
GetModuleHandleW
LocalFree
ReadFile
LCMapStringW
FlushFileBuffers
SetStdHandle
WriteConsoleW
lstrcmpW
GetTickCount
Sleep
lstrcatW
GetSystemDirectoryW
GetLocaleInfoW
GetLocalTime
GetCurrentProcessId
MultiByteToWideChar
lstrlenW
InterlockedDecrement
VirtualAlloc
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
VirtualFree
WriteFile
GetSystemTimeAsFileTime
GetFileType
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
IsValidCodePage
InitializeCriticalSection
HeapCreate
HeapDestroy
CreateWaitableTimerW
GetOEMCP
GetACP
GetCPInfo
GetStringTypeW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
HeapSize
GetStdHandle
GetConsoleMode
GetConsoleCP
IsProcessorFeaturePresent
IsDebuggerPresent
UnhandledExceptionFilter
TerminateProcess
RtlUnwind
HeapSetInformation
HeapReAlloc
ExitThread
EncodePointer
DecodePointer
TryEnterCriticalSection
CancelWaitableTimer
SetWaitableTimer
lstrlenA
UnmapViewOfFile
SwitchToThread
CreateFileMappingW
MapViewOfFileEx
InterlockedIncrement
InterlockedCompareExchange

user32

GetForegroundWindow
GetMonitorInfoW
GetWindowTextW
MsgWaitForMultipleObjects
PeekMessageW
TranslateMessage
DispatchMessageW
GetLastInputInfo
SendMessageW
FindWindowA
GetWindowTextA
GetWindow
GetClassNameA
OpenWindowStationW
SetProcessWindowStation
IsWindow
PostThreadMessageA
GetInputState
EnumDisplayMonitors
wsprintfW

advapi32

RegSetValueExW
RegCreateKeyW
RegDeleteValueW
RegQueryValueExW
RegOpenKeyExW
LookupAccountSidW
GetTokenInformation
OpenProcessToken
FreeSid
CheckTokenMembership
AllocateAndInitializeSid
RegCloseKey
RegEnumKeyExA
RegQueryInfoKeyW
RegOpenKeyExA
GetCurrentHwProfileW

shell32

SHGetFolderPathW

ole32

CoUninitialize
CoCreateInstance
CoInitialize

oleaut32

SysStringLen
SysFreeString
SysAllocString

ws2_32

WSAAddressToStringW
WSASetLastError
WSAStringToAddressW
shutdown
send
setsockopt
WSAIoctl
ntohs
WSAGetLastError
inet_ntoa
gethostbyname
gethostname
getsockname
freeaddrinfo
getaddrinfo
WSAStartup
WSAResetEvent
WSAEventSelect
WSACleanup
bind
connect
recv
WSACloseEvent
WSACreateEvent
socket
WSAEnumNetworkEvents
WSAWaitForMultipleEvents
closesocket
htons

shlwapi

StrChrW
StrPBrkW
PathIsDirectoryA

netapi32

NetWkstaGetInfo

dinput8

DirectInput8Create

winmm

timeGetDevCaps
timeEndPeriod
timeBeginPeriod
timeGetTime

Sections

.text
Size: 165KB - Virtual size: 164KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 44KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 436B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

9d7ac77a44667ba5186f7bb12dfd9d42

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

ole32

oleaut32

ws2_32

shlwapi

netapi32

dinput8

winmm

Sections

.text Size: 165KB - Virtual size: 164KB

.rdata Size: 44KB - Virtual size: 44KB

.data Size: 20KB - Virtual size: 40KB

.rsrc Size: 512B - Virtual size: 436B

.reloc Size: 22KB - Virtual size: 21KB

.text
Size: 165KB - Virtual size: 164KB

.rdata
Size: 44KB - Virtual size: 44KB

.data
Size: 20KB - Virtual size: 40KB

.rsrc
Size: 512B - Virtual size: 436B

.reloc
Size: 22KB - Virtual size: 21KB