Static task
static1
Behavioral task
behavioral1
Sample
PO_Invoices_pdf.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
PO_Invoices_pdf.exe
Resource
win10v2004-en-20220113
General
-
Target
2ea073ddc357d19912eeb45d967fd80c742a676cf9f00ad8d7ade93be5e4b101
-
Size
1.2MB
-
MD5
472d076a50474e002f4bd798eac94876
-
SHA1
4d6f29a4f6a496394156ed800b4dfd6cd952d4f0
-
SHA256
2ea073ddc357d19912eeb45d967fd80c742a676cf9f00ad8d7ade93be5e4b101
-
SHA512
faaa86c4c78d4cd741d41842a09b457489346c32ab8ac5226641d60fc64d10a3d5abe64bff1bc2bd0ebd5b74f12e196f5dc959478fe57fb63d2722ce3591f3cb
-
SSDEEP
24576:z9mm9W50G+UvOKDMdh4DEW+jXqnSy5N16l6GOHRUVTR63:zB9lG2KDMdh4D8pAFFyVtc
Malware Config
Signatures
-
Beds Protector Packer 1 IoCs
Detects Beds Protector packer used to load .NET malware.
Processes:
resource yara_rule static1/unpack001/PO_Invoices_pdf.exe beds_protector
Files
-
2ea073ddc357d19912eeb45d967fd80c742a676cf9f00ad8d7ade93be5e4b101.zip
-
PO_Invoices_pdf.exe.exe windows x86
f34d5f2d4577ed6d9ceec516c1f5a744
Code Sign
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 1.6MB - Virtual size: 1.6MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 16KB - Virtual size: 16KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ