File name: Ginzo.exe
Full analysis: https://app.any.run/tasks/307541e4-a412-4c1f-ac63-3fbef21d79d0
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: May 20, 2022, 23:11:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 9D754925AA0E92FCC36D052BAFA0CC1D
SHA1: 5F2AFA65A5A43CF21B5B6FA2933CA909989679AD
SHA256: 9D5C5EF922AA7343C1EC29D5A6EB1B006F4B3AEE817211EA958B6810DF28510B
SSDEEP: 3072:YE9x+shIEdVBdc3WKNiFh7eOS+1ejPNgqTTUibxt4cABti:DxBhL7c4C+1ejPNgqTTUibxt4cABt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • Ginzo.exe (PID: 688)
    • Connects to CnC server

      • Ginzo.exe (PID: 688)
    • Drops executable file immediately after starts

      • SearchProtocolHost.exe (PID: 3596)
      • Ginzo.exe (PID: 688)
    • Stealing of credential data

      • Ginzo.exe (PID: 688)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3596)
      • Ginzo.exe (PID: 688)
      • WerFault.exe (PID: 3392)
    • Actions looks like stealing of personal data

      • Ginzo.exe (PID: 688)
  • SUSPICIOUS

    • Reads the computer name

      • Ginzo.exe (PID: 688)
    • Checks supported languages

      • Ginzo.exe (PID: 688)
    • Reads Environment values

      • Ginzo.exe (PID: 688)
    • Executable content was dropped or overwritten

      • Ginzo.exe (PID: 688)
      • SearchProtocolHost.exe (PID: 3596)
    • Adds / modifies Windows certificates

      • Ginzo.exe (PID: 688)
    • Drops a file with a compile date too recent

      • Ginzo.exe (PID: 688)
      • SearchProtocolHost.exe (PID: 3596)
    • Executed via COM

      • DllHost.exe (PID: 2868)
  • INFO

    • Reads settings of System Certificates

      • Ginzo.exe (PID: 688)
    • Checks supported languages

      • WerFault.exe (PID: 3392)
      • explorer.exe (PID: 1328)
      • DllHost.exe (PID: 2868)
    • Reads the computer name

      • WerFault.exe (PID: 3392)
      • explorer.exe (PID: 1328)
      • DllHost.exe (PID: 2868)
    • Manual execution by user

      • explorer.exe (PID: 1328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 1.0.0.0
ProductName: -
OriginalFileName: Ginzo.exe
LegalTrademarks: -
LegalCopyright: Copyright © 2022
InternalName: Ginzo.exe
FileVersion: 1.0.0.0
FileDescription: -
CompanyName: -
Comments: -
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 4
EntryPoint: 0x3400a
UninitializedDataSize: -
InitializedDataSize: 53248
CodeSize: 134656
LinkerVersion: 48
PEType: PE32
TimeStamp: 2050:04:09 03:48:32+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 03-Mar-1914 19:20:16
Debug artifacts:
  • Ginzo.pdb
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: Ginzo.exe
LegalCopyright: Copyright © 2022
LegalTrademarks: -
OriginalFilename: Ginzo.exe
ProductName: -
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 03-Mar-1914 19:20:16
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
\x15kft\x15#I\x1cP\xc9 | 0x00002000 | 0x0000C950 | 0x0000CA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99642
.text | 0x00010000 | 0x00020B78 | 0x00020C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 4.44036
.rsrc | 0x00032000 | 0x00000344 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.64191
- | 0x00034000 | 0x00000010 | 0x00000200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0.142636
.reloc | 0x00036000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0980042

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.21525 | 748 | UNKNOWN | UNKNOWN | RT_VERSION

Imports

mscoree.dll
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Nodes in the graph (process details are in the full report): start, ginzo.exe, searchprotocolhost.exe, werfault.exe (no specs), explorer.exe (no specs), PhotoViewer.dll (no specs)

Process information

PID: 688
CMD: "C:\Users\admin\Desktop\Ginzo.exe"
Path: C:\Users\admin\Desktop\Ginzo.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 3762504530
Version: 1.0.0.0
Modules (images):
  • c:\users\admin\desktop\ginzo.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3596
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules (images):
  • c:\windows\system32\searchprotocolhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 3392
CMD: C:\Windows\system32\WerFault.exe -u -p 688 -s 1648
Path: C:\Windows\system32\WerFault.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\werfault.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 1328
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\explorer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID: 2868
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\dllhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\usp10.dll
Total events: 5 918
Read events: 5 881
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 4
Suspicious files: 3
Text files: 5
Unknown types: 2

Dropped files

PID | Process | Filename | Type
3392 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_Ginzo.exe_2435faba581c3482fad5d18f5dc616ef2ef5f91_0d5147e3\Report.wer | -
  MD5: -
  SHA256: -
3392 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\Ginzo.exe.688.dmp | -
  MD5: -
  SHA256: -
3596 | SearchProtocolHost.exe | C:\Users\admin\Desktop\x64\SQLite.Interop.dll | executable
  MD5: 7E664B470DAB78122A2205297B52021C
  SHA256: AFA2B5F4E9CBF88E1AFC343270E5708C89F5F6237CE6931A6722A009DBF0EA70
688 | Ginzo.exe | C:\Users\admin\AppData\Local\Temp\CabEA71.tmp | compressed
  MD5: B9F21D8DB36E88831E5352BB82C438B3
  SHA256: 998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
688 | Ginzo.exe | C:\Users\admin\AppData\Local\Temp\TarEA72.tmp | cat
  MD5: E721613517543768F0DE47A6EEEE3475
  SHA256: 3163B82D1289693122EF99ED6C3C1911F68AA2A7296907CEBF84C897141CED4E
688 | Ginzo.exe | C:\Users\admin\AppData\Local\GinzoFolder\Screenshot.png | image
  MD5: 6A491CAE3849C80FEA44B54928D69776
  SHA256: 639D064F73C571EB34476591A3A6B602BF5D52CD367874A6D7BB702C21B18E53
688 | Ginzo.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed
  MD5: B9F21D8DB36E88831E5352BB82C438B3
  SHA256: 998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
688 | Ginzo.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary
  MD5: 655B1EA68C8F3B6BE4DD431245AEFBBC
  SHA256: 037F3BA66D2F12980346429314C35A5CC30A94CD79B4EC0B3B48574F5C3DBD1D
688 | Ginzo.exe | C:\Users\admin\AppData\Local\GinzoFolder\Desktop Files\ccontract.png | image
  MD5: C649E1905A7C6F06170C8A285AF9D7C1
  SHA256: EFBA72D20F36A4F1FDE815F8470E67B8AAC57ADF314BC940EC1B0AC51B693A2B
688 | Ginzo.exe | C:\Users\admin\AppData\Local\GinzoFolder\Desktop Files\chinauser.jpg | image
  MD5: 28216C00E5110BEE2CAEEE9CD0DB24FF
  SHA256: B399E9DDD0FA752259A081489D7F2DD71C3C8C465667DC0B090FF2A43EBB486D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 6
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
688 | Ginzo.exe | GET | 200 | 178.79.242.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a66bc4f9c0bdeb27 | DE | compressed | 60.0 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
688 | Ginzo.exe | 188.114.96.10:443 | nominally.ru | Cloudflare Inc | US | malicious
688 | Ginzo.exe | 178.79.242.128:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | DE | malicious
688 | Ginzo.exe | 188.114.97.10:443 | nominally.ru | Cloudflare Inc | US | malicious
- | - | 188.114.97.10:443 | nominally.ru | Cloudflare Inc | US | malicious
688 | Ginzo.exe | 75.2.60.5:443 | ipbase.com | AT&T Services, Inc. | US | malicious

DNS requests

Domain | IP | Reputation
nominally.ru | 188.114.97.10, 188.114.96.10 | malicious
dns.msftncsi.com | 131.107.255.255 | shared
ctldl.windowsupdate.com | 178.79.242.128 | whitelisted
freegeoip.app | 188.114.97.10, 188.114.96.10 | whitelisted
ipbase.com | 75.2.60.5, 99.83.231.61 | suspicious

Threats

PID | Process | Class | Message
688 | Ginzo.exe | A Network Trojan was detected | ET TROJAN Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
- | - | Potentially Bad Traffic | ET INFO External IP Lookup Domain Domain in DNS Lookup (ipbase .com)
688 | Ginzo.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (ipbase .com in TLS SNI)
2 ETPRO signatures available at the full report
Process | Message
Ginzo.exe | Native library pre-loader is trying to load native SQLite library "C:\Users\admin\Desktop\x86\SQLite.Interop.dll"...
Ginzo.exe | Verify completed in 0 milliseconds, total of 1 times in 0 milliseconds.
Ginzo.exe | SQLite error (1): no such column: date_password_modified in "SELECT origin_url,action_url,username_element,username_value,password_element,password_value,submit_element,signon_realm,date_created,blacklisted_by_user,scheme,passw
Ginzo.exe | System.Transactions Critical: 0 :
Ginzo.exe
<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Critical"><TraceIdentifier>http://msdn.microsoft.com/TraceCodes/System/ActivityTracing/2004/07/Reliability/Exception/Unhandled</TraceIdentifier><Description>Unhandled exception</Description><AppDomain>Ginzo.exe</AppDomain><Exception><ExceptionType>System.IO.FileNotFoundException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>Could not load file or assembly 'DotNetZip, Version=1.16.0.0, Culture=neutral, PublicKeyToken=6583c7c814667745' or one of its dependencies. The system cannot find the file specified.</Message><StackTrace> at ?????????????????????????????????????????.?????????????????????????????????????????() at ?????????????????????????????????????????.?????????????????????????????????????????() at ?????????????????????????????????????????.?????????????????????????????????????????()</StackTrace><ExceptionString>System.IO.FileNotFoundException: Could not load file or assembly 'DotNetZip, Version=1.16.0.0, Culture=neutral, PublicKeyToken=6583c7c814667745' or one of its dependencies. The system cannot find the file specified. File name: 'DotNetZip, Version=1.16.0.0, Culture=neutral, PublicKeyToken=6583c7c814667745' at ?????????????????????????????????????????.?????????????????????????????????????????() at ?????????????????????????????????????????.?????????????????????????????????????????() at ?????????????????????????????????????????.?????????????????????????????????????????() WRN: Assembly binding logging is turned OFF. To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1. Note: There is some performance penalty associated with assembly bind failure logging. To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog]. </ExceptionString></Exception></TraceRecord>