file[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

file.exe
Size

20.1MB
MD5

db3db5115c1e8b1efc0c8a9830be818c
SHA1

7cd287a57128cb071b6bd80eb0f1054756104ea6
SHA256

46e406fe4b978a36a98282420eed3c40ddb1c3818575015f9980597e770513d3
SHA512

a4c83ef36839f4f80174de62b2947cde0daefb517f06d1eb3d595b8eb4b2138c37de617cb86ddb2cb9bdf6561f4f032bb4f4f60af40aaf107e9fe83c431fef87
SSDEEP

393216:QaTLRoWAS5a0N7ux+7Pi0+odWwdazIawx1Vf9BRgZw2TsuQ:QELRoWt5n9EsPjdWwuA1V1BGZD2

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
sample	upx

Files

file.exe
.exe windows x86

Code Sign

96:7c:b0:89:86:80:d1:c1:74:b2:ba:ae:5f:a3:32:db
Certificate

Issuer

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

11/08/2020, 00:00

Not After

11/08/2023, 23:59

Subject

CN=James Caulfield,O=James Caulfield,POSTALCODE=60506,STREET=2112 West Galena Blvd. Unit 8-515,L=Aurora,ST=Illinois,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/11/2018, 00:00

Not After

31/12/2030, 23:59

Subject

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:f3:34:8d:90:45:50:d0:78:ff:2e:a0:21:eb:8e:86:8f:29:e0:5a
Signer

Actual PE Digest

01:f3:34:8d:90:45:50:d0:78:ff:2e:a0:21:eb:8e:86:8f:29:e0:5a

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=James Caulfield,O=James Caulfield,POSTALCODE=60506,STREET=2112 West Galena Blvd. Unit 8-515,L=Aurora,ST=Illinois,C=US

17/11/2022, 13:15
Valid: true

Chain 1

CN=James Caulfield,O=James Caulfield,POSTALCODE=60506,STREET=2112 West Galena Blvd. Unit 8-515,L=Aurora,ST=Illinois,C=US

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

UPX0
Size: - Virtual size: 2.1MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 752KB - Virtual size: 756KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Exports

Exports

TMethodImplementationIntercept

Sections

.text
Size: 2.5MB - Virtual size: 2.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 22KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 91B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: - Virtual size: 64B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 93B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 217KB - Virtual size: 216KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 70KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Code Sign

96:7c:b0:89:86:80:d1:c1:74:b2:ba:ae:5f:a3:32:dbCertificate

Extended Key Usages

Key Usages

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6aCertificate

Extended Key Usages

Key Usages

01:f3:34:8d:90:45:50:d0:78:ff:2e:a0:21:eb:8e:86:8f:29:e0:5aSigner

Signature Validations

Verification

17/11/2022, 13:15 Valid: true

Chain 1

Headers

File Characteristics

Sections

UPX0 Size: - Virtual size: 2.1MB

UPX1 Size: 752KB - Virtual size: 756KB

.rsrc Size: 8KB - Virtual size: 8KB

Headers

File Characteristics

Exports

Exports

Sections

.text Size: 2.5MB - Virtual size: 2.5MB

.itext Size: 6KB - Virtual size: 5KB

.data Size: 38KB - Virtual size: 38KB

.bss Size: - Virtual size: 22KB

.idata Size: 16KB - Virtual size: 15KB

.didata Size: 3KB - Virtual size: 2KB

.edata Size: 512B - Virtual size: 91B

.tls Size: - Virtual size: 64B

.rdata Size: 512B - Virtual size: 93B

.reloc Size: 217KB - Virtual size: 216KB

.rsrc Size: 70KB - Virtual size: 70KB

96:7c:b0:89:86:80:d1:c1:74:b2:ba:ae:5f:a3:32:db
Certificate

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

01:f3:34:8d:90:45:50:d0:78:ff:2e:a0:21:eb:8e:86:8f:29:e0:5a
Signer

17/11/2022, 13:15
Valid: true

UPX0
Size: - Virtual size: 2.1MB

UPX1
Size: 752KB - Virtual size: 756KB

.rsrc
Size: 8KB - Virtual size: 8KB

.text
Size: 2.5MB - Virtual size: 2.5MB

.itext
Size: 6KB - Virtual size: 5KB

.data
Size: 38KB - Virtual size: 38KB

.bss
Size: - Virtual size: 22KB

.idata
Size: 16KB - Virtual size: 15KB

.didata
Size: 3KB - Virtual size: 2KB

.edata
Size: 512B - Virtual size: 91B

.tls
Size: - Virtual size: 64B

.rdata
Size: 512B - Virtual size: 93B

.reloc
Size: 217KB - Virtual size: 216KB

.rsrc
Size: 70KB - Virtual size: 70KB