TreeSizeFree[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

TreeSizeFree.exe
Size

3.8MB
MD5

68cc95d9774100c28377f8ae6244ea2c
SHA1

89f51656047b9fd4b48203df22605936455d42e5
SHA256

676904ecd6ecc9706ddd0d7a1cead6e56ee9add6ea307dc63f7583784200aaf1
SHA512

a6290dd8e2921661ee9981320641714b948986b099b64b15fd6678c27c3edd9f002251fbd51c857e78cb0880b371206e1dc1e1d93394f0517400dc3aebfae7b9
SSDEEP

98304:kk1O4/AbdiETR8eAgpkOzCfCVYmrTxlA39OI:9O4IEEPAgWObe5

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
sample	upx

Files

TreeSizeFree.exe
.exe windows x86

Code Sign

04:00:00:00:00:01:31:89:c6:4d:e1
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

02/08/2011, 10:00

Not After

02/08/2019, 10:00

Subject

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:99:e9:16:80:bd:51:06:af:94:85:8f:45:d7:2b:58:f4
Certificate

Issuer

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Not Before

14/01/2016, 11:36

Not After

14/01/2019, 11:36

Subject

SERIALNUMBER=HRB 4920,CN=JAM Software GmbH,O=JAM Software GmbH,STREET=Am Wissenschaftspark 26,L=Trier,ST=Rheinland-Pfalz,C=DE,1.3.6.1.4.1.311.60.2.1.1=#1308576974746c696368,1.3.6.1.4.1.311.60.2.1.2=#130f526865696e6c616e642d5066616c7a,1.3.6.1.4.1.311.60.2.1.3=#13024445,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

11:21:45:02:eb:63:15:0c:a5:b1:95:23:f1:53:56:91:2f:e5
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

03/02/2015, 00:00

Not After

03/03/2026, 00:00

Subject

CN=GlobalSign TSA for Standard - G2,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:31:89:c6:4d:e1
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

02/08/2011, 10:00

Not After

02/08/2019, 10:00

Subject

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:99:e9:16:80:bd:51:06:af:94:85:8f:45:d7:2b:58:f4
Certificate

Issuer

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Not Before

14/01/2016, 11:36

Not After

14/01/2019, 11:36

Subject

SERIALNUMBER=HRB 4920,CN=JAM Software GmbH,O=JAM Software GmbH,STREET=Am Wissenschaftspark 26,L=Trier,ST=Rheinland-Pfalz,C=DE,1.3.6.1.4.1.311.60.2.1.1=#1308576974746c696368,1.3.6.1.4.1.311.60.2.1.2=#130f526865696e6c616e642d5066616c7a,1.3.6.1.4.1.311.60.2.1.3=#13024445,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

11:21:16:c0:09:98:dc:c6:8f:a2:7d:25:c3:86:36:a8:83:bb
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Not Before

03/02/2015, 00:00

Not After

03/03/2026, 00:00

Subject

CN=GlobalSign TSA for Advanced - G2,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:31:89:c6:50:04
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

02/08/2011, 10:00

Not After

29/03/2029, 10:00

Subject

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

c4:4b:70:d7:e2:f3:4e:8b:af:2f:54:70:e5:eb:d1:c5:0a:35:b9:36:e9:f7:5d:e2:b4:82:86:9b:f5:83:65:72
Signer

Actual PE Digest

c4:4b:70:d7:e2:f3:4e:8b:af:2f:54:70:e5:eb:d1:c5:0a:35:b9:36:e9:f7:5d:e2:b4:82:86:9b:f5:83:65:72

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

SERIALNUMBER=HRB 4920,CN=JAM Software GmbH,O=JAM Software GmbH,STREET=Am Wissenschaftspark 26,L=Trier,ST=Rheinland-Pfalz,C=DE,1.3.6.1.4.1.311.60.2.1.1=#1308576974746c696368,1.3.6.1.4.1.311.60.2.1.2=#130f526865696e6c616e642d5066616c7a,1.3.6.1.4.1.311.60.2.1.3=#13024445,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

02/03/2016, 09:55
Valid: true

Chain 1

SERIALNUMBER=HRB 4920,CN=JAM Software GmbH,O=JAM Software GmbH,STREET=Am Wissenschaftspark 26,L=Trier,ST=Rheinland-Pfalz,C=DE,1.3.6.1.4.1.311.60.2.1.1=#1308576974746c696368,1.3.6.1.4.1.311.60.2.1.2=#130f526865696e6c616e642d5066616c7a,1.3.6.1.4.1.311.60.2.1.3=#13024445,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

2b:6c:dc:9b:54:a0:52:fc:76:47:bc:cb:50:b0:45:ba:99:91:bd:62
Signer

Actual PE Digest

2b:6c:dc:9b:54:a0:52:fc:76:47:bc:cb:50:b0:45:ba:99:91:bd:62

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

SERIALNUMBER=HRB 4920,CN=JAM Software GmbH,O=JAM Software GmbH,STREET=Am Wissenschaftspark 26,L=Trier,ST=Rheinland-Pfalz,C=DE,1.3.6.1.4.1.311.60.2.1.1=#1308576974746c696368,1.3.6.1.4.1.311.60.2.1.2=#130f526865696e6c616e642d5066616c7a,1.3.6.1.4.1.311.60.2.1.3=#13024445,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

02/03/2016, 09:55
Valid: true

Chain 1

SERIALNUMBER=HRB 4920,CN=JAM Software GmbH,O=JAM Software GmbH,STREET=Am Wissenschaftspark 26,L=Trier,ST=Rheinland-Pfalz,C=DE,1.3.6.1.4.1.311.60.2.1.1=#1308576974746c696368,1.3.6.1.4.1.311.60.2.1.2=#130f526865696e6c616e642d5066616c7a,1.3.6.1.4.1.311.60.2.1.3=#13024445,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_BYTES_REVERSED_HI

Sections

UPX0
Size: - Virtual size: 13.5MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 3.8MB - Virtual size: 3.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 65KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_BYTES_REVERSED_HI

Exports

Exports

TMethodImplementationIntercept
madTraceProcess

Sections

.text
Size: 9.6MB - Virtual size: 9.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 170KB - Virtual size: 169KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 1.9MB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 27KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didata
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 124B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: - Virtual size: 1KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 93B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 822KB - Virtual size: 822KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4.2MB - Virtual size: 4.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Code Sign

04:00:00:00:00:01:31:89:c6:4d:e1Certificate

Extended Key Usages

Key Usages

11:21:99:e9:16:80:bd:51:06:af:94:85:8f:45:d7:2b:58:f4Certificate

Extended Key Usages

Key Usages

11:21:45:02:eb:63:15:0c:a5:b1:95:23:f1:53:56:91:2f:e5Certificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:2f:4e:e1:52:d7Certificate

Key Usages

04:00:00:00:00:01:31:89:c6:4d:e1Certificate

Extended Key Usages

Key Usages

11:21:99:e9:16:80:bd:51:06:af:94:85:8f:45:d7:2b:58:f4Certificate

Extended Key Usages

Key Usages

11:21:16:c0:09:98:dc:c6:8f:a2:7d:25:c3:86:36:a8:83:bbCertificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:31:89:c6:50:04Certificate

Key Usages

c4:4b:70:d7:e2:f3:4e:8b:af:2f:54:70:e5:eb:d1:c5:0a:35:b9:36:e9:f7:5d:e2:b4:82:86:9b:f5:83:65:72Signer

Signature Validations

Verification

02/03/2016, 09:55 Valid: true

Chain 1

2b:6c:dc:9b:54:a0:52:fc:76:47:bc:cb:50:b0:45:ba:99:91:bd:62Signer

Signature Validations

Verification

02/03/2016, 09:55 Valid: true

Chain 1

Headers

DLL Characteristics

File Characteristics

Sections

UPX0 Size: - Virtual size: 13.5MB

UPX1 Size: 3.8MB - Virtual size: 3.8MB

.rsrc Size: 65KB - Virtual size: 68KB

Headers

DLL Characteristics

File Characteristics

Exports

Exports

Sections

.text Size: 9.6MB - Virtual size: 9.6MB

.itext Size: 18KB - Virtual size: 18KB

.data Size: 170KB - Virtual size: 169KB

.bss Size: - Virtual size: 1.9MB

.idata Size: 27KB - Virtual size: 26KB

.didata Size: 24KB - Virtual size: 24KB

.edata Size: 512B - Virtual size: 124B

.tls Size: - Virtual size: 1KB

.rdata Size: 512B - Virtual size: 93B

.reloc Size: 822KB - Virtual size: 822KB

.rsrc Size: 4.2MB - Virtual size: 4.2MB

04:00:00:00:00:01:31:89:c6:4d:e1
Certificate

11:21:99:e9:16:80:bd:51:06:af:94:85:8f:45:d7:2b:58:f4
Certificate

11:21:45:02:eb:63:15:0c:a5:b1:95:23:f1:53:56:91:2f:e5
Certificate

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

04:00:00:00:00:01:31:89:c6:4d:e1
Certificate

11:21:99:e9:16:80:bd:51:06:af:94:85:8f:45:d7:2b:58:f4
Certificate

11:21:16:c0:09:98:dc:c6:8f:a2:7d:25:c3:86:36:a8:83:bb
Certificate

04:00:00:00:00:01:31:89:c6:50:04
Certificate

c4:4b:70:d7:e2:f3:4e:8b:af:2f:54:70:e5:eb:d1:c5:0a:35:b9:36:e9:f7:5d:e2:b4:82:86:9b:f5:83:65:72
Signer

02/03/2016, 09:55
Valid: true

2b:6c:dc:9b:54:a0:52:fc:76:47:bc:cb:50:b0:45:ba:99:91:bd:62
Signer

02/03/2016, 09:55
Valid: true

UPX0
Size: - Virtual size: 13.5MB

UPX1
Size: 3.8MB - Virtual size: 3.8MB

.rsrc
Size: 65KB - Virtual size: 68KB

.text
Size: 9.6MB - Virtual size: 9.6MB

.itext
Size: 18KB - Virtual size: 18KB

.data
Size: 170KB - Virtual size: 169KB

.bss
Size: - Virtual size: 1.9MB

.idata
Size: 27KB - Virtual size: 26KB

.didata
Size: 24KB - Virtual size: 24KB

.edata
Size: 512B - Virtual size: 124B

.tls
Size: - Virtual size: 1KB

.rdata
Size: 512B - Virtual size: 93B

.reloc
Size: 822KB - Virtual size: 822KB

.rsrc
Size: 4.2MB - Virtual size: 4.2MB