MDE_File_Sample_33caab06908096fd26df99bd4f4e5cf7761c7cbf[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

MDE_File_Sample_33caab06908096fd26df99bd4f4e5cf7761c7cbf.zip
Size

4.5MB
MD5

a1d87ecc4cb59b6e575096bf6ed8de71
SHA1

5b5f828c1cac60e77d2266e8f13579b4d9142c5e
SHA256

cf5f974fc40c938de9bf36ef49aaf241dddc615ab5ebcaa50fcdbc8aa7f9ae3e
SHA512

015de5e11c13c0a4adf2967003d67940ca358523f30733dd6f34813d5a88d188214cbad24cb77bc2a1c479f313fcd03ffe4b1ddb319e835c9f2e50c9f240fd8d
SSDEEP

98304:ZaanYANssqf/98I6DvXojztpKDcaNuoPG4naLtqklSN0y1yfrlhcGDuV:Za8YAusUADv4vtpWcAu4G4nax3lEN1ya

Score

N/A

Malware Config

Signatures

Files

MDE_File_Sample_33caab06908096fd26df99bd4f4e5cf7761c7cbf.zip
.zip

Password: Malware123.
ZSATunnel.exe
.exe windows x64

Password: Malware123.

5caacc9e550908edaee2da6e8e94ffc8

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

01:4f:1b:7d:7b:2c:8c:17:91:02:66:54:38:5a:f2:d2
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

02/03/2021, 00:00

Not After

25/03/2024, 23:59

Subject

CN=Zscaler\, Inc.,O=Zscaler\, Inc.,L=San Jose,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

22/10/2013, 12:00

Not After

22/10/2028, 12:00

Subject

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

35:3e:93:62:4e:e1:2d:f0:e9:a0:54:b3:6d:13:32:43:36:b8:ad:43
Signer

Actual PE Digest

35:3e:93:62:4e:e1:2d:f0:e9:a0:54:b3:6d:13:32:43:36:b8:ad:43

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=Zscaler\, Inc.,O=Zscaler\, Inc.,L=San Jose,ST=California,C=US

25/02/2022, 16:44
Valid: true

Chain 1

CN=Zscaler\, Inc.,O=Zscaler\, Inc.,L=San Jose,ST=California,C=US

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

SetConsoleTextAttribute
GetOverlappedResult
K32GetModuleFileNameExW
SetDefaultDllDirectories
SetUnhandledExceptionFilter
GetConsoleScreenBufferInfo
LoadLibraryExA
VirtualQuery
FormatMessageA
GetCurrentThread
RtlCaptureStackBackTrace
GetSystemInfo
GetSystemFirmwareTable
lstrcmpiW
WaitForMultipleObjects
GetExitCodeProcess
SetDllDirectoryW
GetSystemWindowsDirectoryW
QueryFullProcessImageNameW
Module32NextW
CreateProcessW
Module32FirstW
GetNativeSystemInfo
WriteConsoleW
HeapSize
GetFullPathNameW
SetCurrentDirectoryW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
GetACP
GetFileAttributesA
OpenEventW
LocalAlloc
FindClose
CreatePipe
GetLocaleInfoEx
GetModuleFileNameW
RemoveDirectoryW
GetStdHandle
FindNextFileW
FindFirstFileW
ReadFile
Process32FirstW
CreateFileA
Process32NextW
CreateToolhelp32Snapshot
GetProcessId
GetProcessHeap
HeapAlloc
HeapFree
VerifyVersionInfoW
GetModuleHandleW
VerSetConditionMask
GetProcAddress
LoadLibraryW
CreateEventW
WaitForSingleObject
DeviceIoControl
GetCurrentProcess
GetSystemTimeAsFileTime
DeleteFileA
FlushFileBuffers
GetComputerNameExA
LocalFree
DeleteFileW
CreateFileW
WriteFile
SleepEx
LoadLibraryExW
FreeLibrary
Sleep
FindNextVolumeW
GetVolumePathNamesForVolumeNameW
FindVolumeClose
K32EnumProcesses
CloseHandle
GetLastError
OpenProcess
K32GetProcessImageFileNameW
TerminateProcess
FindFirstVolumeW
QueryDosDeviceW
WideCharToMultiByte
ResetEvent
SetEvent
LeaveCriticalSection
EnterCriticalSection
IsValidCodePage
FindFirstFileExW
RtlUnwind
PeekConsoleInputA
ReadConsoleInputW
GetNumberOfConsoleInputEvents
SetConsoleMode
HeapReAlloc
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
ReadConsoleW
GetConsoleMode
SetFilePointerEx
SetStdHandle
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetFileInformationByHandle
GetDriveTypeW
GetCommandLineW
GetCommandLineA
GetConsoleCP
SetConsoleCtrlHandler
ExitThread
ExitProcess
RtlUnwindEx
WaitForMultipleObjectsEx
UnregisterWaitEx
QueryDepthSList
InterlockedFlushSList
InterlockedPushEntrySList
InterlockedPopEntrySList
VirtualFree
VirtualProtect
VirtualAlloc
GetModuleHandleA
FreeLibraryAndExitThread
GetThreadTimes
OutputDebugStringW
UnregisterWait
RegisterWaitForSingleObject
GetNumaHighestNodeNumber
DeleteTimerQueueTimer
ChangeTimerQueueTimer
CreateTimerQueueTimer
GetLogicalProcessorInformation
CreateThread
FormatMessageW
TryEnterCriticalSection
DeleteCriticalSection
GetCurrentThreadId
DuplicateHandle
WaitForSingleObjectEx
SwitchToThread
GetExitCodeThread
QueryPerformanceCounter
QueryPerformanceFrequency
RtlPcToFileHeader
EncodePointer
DecodePointer
RaiseException
IsProcessorFeaturePresent
QueueUserWorkItem
GetModuleHandleExW
MultiByteToWideChar
GetStringTypeW
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetTickCount
GetCPInfo
CompareStringW
LCMapStringW
GetLocaleInfoW
CreateDirectoryW
GetDiskFreeSpaceExW
GetFileAttributesW
GetFileAttributesExW
SetEndOfFile
SetFileAttributesW
SetFilePointer
SetFileTime
CopyFileW
MoveFileExW
CreateHardLinkW
CreateSymbolicLinkW
ExpandEnvironmentStringsW
GetCurrentDirectoryW
GetLogicalDriveStringsW
GetLongPathNameW
GetTempPathW
GetSystemDirectoryW
SetThreadPriority
ReleaseMutex
CreateMutexW
GetTimeZoneInformation
GetProcessTimes
GetCurrentProcessId
GetStartupInfoW
GetConsoleWindow
FindCloseChangeNotification
FindFirstChangeNotificationW
FindNextChangeNotification
GetEnvironmentVariableW
SetEnvironmentVariableW
GetVersionExA
GetVersionExW
GetComputerNameW
RtlVirtualUnwind
GetFileType
GetVersion
GlobalMemoryStatus
FlushConsoleInputBuffer
LoadLibraryA
GetSystemTime
SystemTimeToFileTime
InitializeSListHead
RtlCaptureContext
RtlLookupFunctionEntry
UnhandledExceptionFilter
IsDebuggerPresent
CreateEventA
MapViewOfFile
UnmapViewOfFile
CreateFileMappingA
GetSystemDirectoryA
SetWaitableTimer
CreateWaitableTimerA
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
ReleaseSemaphore
CreateSemaphoreA
GetThreadPriority
SuspendThread
ResumeThread
GetThreadContext
SetThreadContext
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
CreateTimerQueue
SignalObjectAndWait

advapi32

SetServiceObjectSecurity
RegisterEventSourceW
ReportEventW
RegEnumKeyW
RegNotifyChangeKeyValue
CredWriteW
CryptDestroyKey
LookupPrivilegeValueW
CryptGetUserKey
SetSecurityDescriptorDacl
AdjustTokenPrivileges
RevertToSelf
CreateServiceW
CryptAcquireContextW
RegQueryInfoKeyW
CredReadW
GetAce
EqualSid
CloseServiceHandle
OpenSCManagerW
AllocateAndInitializeSid
ChangeServiceConfig2W
SetEntriesInAclW
RegCreateKeyExA
CredFree
RegCreateKeyExW
DeleteService
ControlService
CryptExportKey
RegEnumKeyExW
ImpersonateLoggedOnUser
RegDeleteTreeW
RegSetValueExA
LookupAccountSidA
OpenProcessToken
FreeSid
StartServiceW
InitializeSecurityDescriptor
RegGetValueW
CreateProcessAsUserW
ChangeServiceConfigW
OpenServiceW
DuplicateTokenEx
IsValidAcl
CredDeleteW
QueryServiceStatusEx
LookupAccountNameW
CryptReleaseContext
QueryServiceObjectSecurity
GetTokenInformation
ConvertSidToStringSidW
GetSecurityDescriptorDacl
ConvertSecurityDescriptorToStringSecurityDescriptorW
IsValidSecurityDescriptor
SetSecurityInfo
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityInfo
RegCreateKeyA
RegQueryValueExA
RegOpenKeyExA
RegCreateKeyW
RegEnumKeyExA
RegCloseKey
CryptAcquireContextA
CryptGenRandom
CryptSetHashParam
CryptGetProvParam
CryptDecrypt
CryptCreateHash
CryptDestroyHash
CryptSignHashW
CryptEnumProvidersW
StartServiceCtrlDispatcherW
RegDeleteKeyExW
DeregisterEventSource
RegisterServiceCtrlHandlerExW
SetServiceStatus
RegQueryValueExW
RegOpenKeyExW
RegSetValueExW

shell32

SHGetKnownFolderPath
SHGetFolderPathW

ole32

CoInitializeSecurity
CoCreateInstance
CoInitializeEx
CoTaskMemFree
StringFromCLSID
CoSetProxyBlanket
StringFromGUID2
CoUninitialize

oleaut32

SafeArrayPutElement
SafeArrayCreate
CreateErrorInfo
GetErrorInfo
VariantInit
VariantChangeType
VariantClear
SysAllocString
SysStringByteLen
SysAllocStringByteLen
SysFreeString
SetErrorInfo

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

crypt32

CertGetCertificateContextProperty
CertOpenStore
CertCompareIntegerBlob
CertGetNameStringW
CertFindCertificateInStore
CryptUnprotectData
CryptProtectData
CryptBinaryToStringW
CertCreateCertificateContext
CertDeleteCertificateFromStore
CertAddEncodedCertificateToStore
CertGetCertificateChain
CertFreeCertificateContext
CertVerifyRevocation
CertOpenSystemStoreW
CertEnumCertificatesInStore
CertNameToStrW
CryptQueryObject
CertDuplicateCertificateContext
CertCloseStore
CryptMsgGetParam
CertFreeCertificateChain

iphlpapi

IcmpSendEcho2
if_nametoindex
IcmpCreateFile
SetIpInterfaceEntry
GetIpInterfaceEntry
GetAdaptersAddresses
GetIpForwardTable2
CancelMibChangeNotify2
GetIpForwardEntry2
NotifyUnicastIpAddressChange
GetTcpTable
GetPerTcpConnectionEStats
GetTcpTable2
SetPerTcpConnectionEStats
GetExtendedTcpTable
GetIpForwardTable
FreeMibTable
GetIfTable2
GetAdaptersInfo
GetIfEntry2
GetNetworkParams
GetBestInterfaceEx
GetIpAddrTable
ConvertInterfaceLuidToNameA
CreateIpForwardEntry
DeleteIpForwardEntry
AddIPAddress
FlushIpNetTable
ConvertInterfaceLuidToGuid
ConvertInterfaceLuidToAlias
GetInterfaceInfo
DeleteIPAddress
NotifyIpInterfaceChange

dbghelp

SymInitialize
SymFunctionTableAccess64
SymGetModuleBase64
StackWalk64
MiniDumpWriteDump
SymFromAddr
SymGetLineFromAddr64

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

wtsapi32

WTSEnumerateSessionsW
WTSQueryUserToken
WTSQuerySessionInformationW
WTSFreeMemory

wintrust

WinVerifyTrust
WTHelperGetProvCertFromChain
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData

ncrypt

NCryptOpenKey
NCryptOpenStorageProvider
NCryptGetProperty
NCryptFreeObject

shlwapi

PathFileExistsW

setupapi

SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceDetailW

rpcrt4

RpcStringFreeW
NdrClientCall2
RpcBindingFromStringBindingW
RpcAsyncInitializeHandle
RpcAsyncCompleteCall
RpcAsyncCancelCall
NdrAsyncClientCall
NdrServerCall2
RpcServerUseProtseqEpW
RpcServerRegisterIf2
RpcMgmtIsServerListening
RpcServerListen
RpcServerInqCallAttributesW
RpcBindingFree
RpcMgmtStopServerListening
RpcStringBindingComposeW

user32

GetProcessWindowStation
ReleaseDC
MessageBoxW
GetDesktopWindow
GetUserObjectInformationW
GetDC

gdi32

GetDeviceCaps
GetDIBits
GetObjectW
DeleteObject
CreateCompatibleBitmap

Sections

.text
Size: 7.2MB - Virtual size: 7.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

fipstx
Size: 62KB - Virtual size: 61KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.4MB - Virtual size: 2.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 405KB - Virtual size: 475KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 374KB - Virtual size: 373KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 640B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

fipsro
Size: 40KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

fipsda
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

fipsrd
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 45KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: Malware123.

Password: Malware123.

5caacc9e550908edaee2da6e8e94ffc8

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

01:4f:1b:7d:7b:2c:8c:17:91:02:66:54:38:5a:f2:d2Certificate

Extended Key Usages

Key Usages

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08Certificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

35:3e:93:62:4e:e1:2d:f0:e9:a0:54:b3:6d:13:32:43:36:b8:ad:43Signer

Signature Validations

Verification

25/02/2022, 16:44 Valid: true

Chain 1

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

shell32

ole32

oleaut32

version

crypt32

iphlpapi

dbghelp

userenv

wtsapi32

wintrust

ncrypt

shlwapi

setupapi

rpcrt4

user32

gdi32

Sections

.text Size: 7.2MB - Virtual size: 7.2MB

fipstx Size: 62KB - Virtual size: 61KB

.rdata Size: 2.4MB - Virtual size: 2.4MB

.data Size: 405KB - Virtual size: 475KB

.pdata Size: 374KB - Virtual size: 373KB

.didat Size: 1024B - Virtual size: 640B

fipsro Size: 40KB - Virtual size: 40KB

fipsda Size: 29KB - Virtual size: 29KB

fipsrd Size: 11KB - Virtual size: 10KB

.rsrc Size: 33KB - Virtual size: 33KB

.reloc Size: 45KB - Virtual size: 44KB

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

01:4f:1b:7d:7b:2c:8c:17:91:02:66:54:38:5a:f2:d2
Certificate

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

35:3e:93:62:4e:e1:2d:f0:e9:a0:54:b3:6d:13:32:43:36:b8:ad:43
Signer

25/02/2022, 16:44
Valid: true

.text
Size: 7.2MB - Virtual size: 7.2MB

fipstx
Size: 62KB - Virtual size: 61KB

.rdata
Size: 2.4MB - Virtual size: 2.4MB

.data
Size: 405KB - Virtual size: 475KB

.pdata
Size: 374KB - Virtual size: 373KB

.didat
Size: 1024B - Virtual size: 640B

fipsro
Size: 40KB - Virtual size: 40KB

fipsda
Size: 29KB - Virtual size: 29KB

fipsrd
Size: 11KB - Virtual size: 10KB

.rsrc
Size: 33KB - Virtual size: 33KB

.reloc
Size: 45KB - Virtual size: 44KB