abc[.]rar | Triage

Sharing

Copy URL Twitter E-mail

General

Target

abc.rar
Size

2.8MB
MD5

6496fffd3a7fc83b786690986c97fa34
SHA1

162d536533799cc3ea7ef572ba374b24061f6d0f
SHA256

097281e671b5765f646ec878a2312f246b9956cc264d71002b7a9e2fb4333883
SHA512

c9d55690e73eaa5db8a5de62d0e28b7c87055186249b7ebadd7c09b3deed763c3845e7763a7cecdb154fa4ba45949450ae956ce0245ef265f82ca174c7f3fbe8
SSDEEP

49152:DxMOZK3HnnTthdtXha8jNkN5+pDy8gvWAUNBQ3b/JOSwGDdILcxN4YbuHIL:D1ZuHnTtBx3mNIpDy8gvTMBQ3bxlwSdr

Score

N/A

Malware Config

Signatures

Files

abc.rar
.rar
abc/athena_client.exe
.exe windows x64

ade042ae26147043cb5c2fbe9d79b3ac

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

user32

FindWindowA
GetAsyncKeyState
GetWindowThreadProcessId
MessageBoxA
UnregisterClassA

kernel32

AreFileApisANSI
CloseHandle
CreateEventW
CreateFileA
CreateFileW
CreateRemoteThread
CreateThread
DecodePointer
DeleteCriticalSection
DeviceIoControl
EnterCriticalSection
FormatMessageA
FreeLibrary
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentVariableA
GetFileAttributesExW
GetFileAttributesW
GetFileInformationByHandleEx
GetFileSizeEx
GetFileType
GetFullPathNameW
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetStdHandle
GetSystemDirectoryA
GetSystemTimeAsFileTime
GetTempPathW
GetTickCount
GetTickCount64
HeapAlloc
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSectionAndSpinCount
InitializeCriticalSectionEx
InitializeSListHead
IsDebuggerPresent
IsProcessorFeaturePresent
IsWow64Process
LeaveCriticalSection
LoadLibraryA
LoadLibraryExA
LocalFree
MoveFileExA
MultiByteToWideChar
OpenProcess
OutputDebugStringW
PeekNamedPipe
Process32First
Process32Next
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseException
ReadFile
ReadProcessMemory
ResetEvent
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetEvent
SetFileInformationByHandle
SetLastError
SetUnhandledExceptionFilter
Sleep
SleepEx
TerminateProcess
UnhandledExceptionFilter
VerSetConditionMask
VerifyVersionInfoA
VirtualAlloc
VirtualFree
WaitForMultipleObjects
WaitForSingleObjectEx
WideCharToMultiByte
WinExec
WriteProcessMemory

advapi32

AdjustTokenPrivileges
ConvertSidToStringSidA
CopySid
CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptDestroyKey
CryptEncrypt
CryptGenRandom
CryptGetHashParam
CryptHashData
CryptImportKey
CryptReleaseContext
GetLengthSid
GetTokenInformation
GetUserNameA
IsValidSid
LookupPrivilegeValueW
OpenProcessToken
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegDeleteKeyA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA

msvcp140

??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0_Lockit@std@@QEAA@H@Z
??0ios_base@std@@IEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1_Lockit@std@@QEAA@XZ
??1ios_base@std@@UEAA@XZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Id_cnt@id@locale@std@@0HA
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Syserror_map@std@@YAPEBDH@Z
?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
?_Winerror_map@std@@YAHH@Z
?_Xbad_function_call@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?good@ios_base@std@@QEBA_NXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$ctype@D@std@@2V0locale@2@A
?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IEAAXPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?uncaught_exception@std@@YA_NXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
_Cnd_do_broadcast_at_thread_exit
_Mtx_destroy_in_situ
_Mtx_init_in_situ
_Mtx_lock
_Mtx_unlock
_Query_perf_counter
_Query_perf_frequency
_Thrd_id
_Thrd_join
_Thrd_sleep
_Xtime_get_ticks

ntdll

NtLoadDriver
NtQueryInformationProcess
NtQuerySystemInformation
NtUnloadDriver
RtlAnsiStringToUnicodeString
RtlInitAnsiString
RtlInitUnicodeString

shell32

ShellExecuteA

psapi

GetModuleInformation

ws2_32

WSACleanup
WSAGetLastError
WSAIoctl
WSASetLastError
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
gethostname
getpeername
getsockname
getsockopt
htonl
htons
ioctlsocket
listen
ntohl
ntohs
recv
recvfrom
select
send
sendto
setsockopt
socket

userenv

UnloadUserProfile

crypt32

CertAddCertificateContextToStore
CertCloseStore
CertCreateCertificateChainEngine
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFindExtension
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateContext
CertGetCertificateChain
CertGetNameStringA
CertOpenStore
CryptDecodeObjectEx
CryptQueryObject
CryptStringToBinaryA
PFXImportCertStore

wldap32

ord301
ord45
ord22
ord32
ord26
ord30
ord35
ord143
ord200
ord41
ord33
ord27
ord50
ord211
ord60
ord217
ord46
ord79

normaliz

IdnToAscii

vcruntime140

_CxxThrowException
__C_specific_handler
__CxxFrameHandler3
__current_exception
__current_exception_context
__std_exception_copy
__std_exception_destroy
__std_terminate
_purecall
memchr
memcmp
memcpy
memmove
memset
strchr
strrchr
strstr

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
_configthreadlocale
localeconv

api-ms-win-crt-stdio-l1-1-0

__acrt_iob_func
__p__commode
__stdio_common_vfprintf
__stdio_common_vsprintf
__stdio_common_vsscanf
_close
_fseeki64
_get_stream_buffer_pointers
_lseeki64
_open
_pclose
_popen
_read
_set_fmode
_write
fclose
feof
fflush
fgetc
fgetpos
fgets
fopen
fputc
fputs
fread
fseek
fsetpos
ftell
fwrite
setvbuf
ungetc

api-ms-win-crt-runtime-l1-1-0

__p___argc
__p___argv
__sys_nerr
_beginthreadex
_c_exit
_cexit
_configure_narrow_argv
_crt_atexit
_errno
_exit
_get_initial_narrow_environment
_getpid
_initialize_narrow_environment
_initialize_onexit_table
_initterm
_initterm_e
_invalid_parameter_noinfo
_invalid_parameter_noinfo_noreturn
_register_onexit_function
_register_thread_local_exe_atexit_callback
_resetstkoflw
_seh_filter_exe
_set_app_type
abort
exit
strerror
system
terminate

api-ms-win-crt-filesystem-l1-1-0

_access
_fstat64
_lock_file
_stat64
_unlink
_unlock_file

api-ms-win-crt-math-l1-1-0

__setusermatherr
_dtest

api-ms-win-crt-time-l1-1-0

_gmtime64
_localtime64_s
_time64
strftime

api-ms-win-crt-heap-l1-1-0

_callnewh
_recalloc
_set_new_mode
calloc
free
malloc
realloc

api-ms-win-crt-string-l1-1-0

_strdup
_stricmp
isupper
strcmp
strcspn
strlen
strncmp
strncpy
strpbrk
strspn
tolower
wcscpy_s
wcslen

api-ms-win-crt-convert-l1-1-0

atoi
strtod
strtol
strtoll
strtoul
strtoull

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-utility-l1-1-0

qsort
rand
srand

Sections

.text
Size: 19.6MB - Virtual size: 19.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 176KB - Virtual size: 175KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 43KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.00cfg
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.retplne
Size: 512B - Virtual size: 140B

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 424B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ade042ae26147043cb5c2fbe9d79b3ac

Headers

DLL Characteristics

File Characteristics

Imports

user32

kernel32

advapi32

msvcp140

ntdll

shell32

psapi

ws2_32

userenv

crypt32

wldap32

normaliz

vcruntime140

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-utility-l1-1-0

Sections

.text Size: 19.6MB - Virtual size: 19.6MB

.rdata Size: 176KB - Virtual size: 175KB

.data Size: 2KB - Virtual size: 38KB

.pdata Size: 43KB - Virtual size: 42KB

.00cfg Size: 512B - Virtual size: 56B

.retplne Size: 512B - Virtual size: 140B

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 512B - Virtual size: 424B

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 19.6MB - Virtual size: 19.6MB

.rdata
Size: 176KB - Virtual size: 175KB

.data
Size: 2KB - Virtual size: 38KB

.pdata
Size: 43KB - Virtual size: 42KB

.00cfg
Size: 512B - Virtual size: 56B

.retplne
Size: 512B - Virtual size: 140B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 512B - Virtual size: 424B

.reloc
Size: 1KB - Virtual size: 1KB