9387648954[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

9387648954.zip
Size

1016KB
MD5

01b4312f8e4eae9cbf0573a0623f7709
SHA1

600eefbc434be1c65ea41023163f5ab1ae0a433b
SHA256

e655df8ac75efab6ae55d8b31a4708304b851dca2cae6c15d8456a3e33d75a16
SHA512

149f2ec7af61df1249fc3bf8d56f78dd0d696bba69af7a01171a963339a3e4d6487b1730218f60e253ce77a75a795f3f3e50f9c0f7cafb6c9488a909bb04eb25
SSDEEP

24576:3t96PrXPvQ+Wh7IZhZ2tHJvPOIBKN8//KEEZUtRsVI7xBegyHjj8Ecu:3t9aLQ+WShZ2tHZN//KEEZ0tlBe9MEt

Score

1^/10

Malware Config

Signatures

Files

9387648954.zip
.zip

Password: 123
9387648954/MpClient.dll
.exe windows x86

Password: 123

8abecba2211e61763c4c9ffcaa13369e

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mfc42

ord2770
ord356
ord2781
ord4058
ord3181
ord2764
ord1980
ord668
ord926
ord924
ord941
ord4129
ord537
ord540
ord6282
ord825
ord6283
ord5683
ord5710
ord858
ord800
ord535
ord859

msvcrt

_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
_beginthread
rand
fgetc
fputc
fwrite
rename
fopen
fseek
fread
fclose
_stat
__CxxFrameHandler
_mbscmp

kernel32

GetCurrentThread
GetCurrentProcess
SetPriorityClass
lstrcatA
lstrcpyA
GetEnvironmentVariableA
GetShortPathNameA
GetModuleFileNameA
GetFileAttributesA
DeleteFileA
SetFileAttributesA
GetSystemDirectoryA
WaitForSingleObject
CreateProcessA
Sleep
GetLogicalDrives
GetModuleHandleA
GetStartupInfoA
SetThreadPriority

user32

LoadIconA
MessageBoxA

shell32

ShellExecuteExA
SHChangeNotify

Sections

.text
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 352B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
9387648954/MpCmdRun.exe
.exe windows x64

Password: 123

468867ffbfff6d241e78757bad3cd605

Code Sign

33:00:00:03:f0:b3:c9:1e:ce:a8:0a:5b:3a:00:00:00:00:03:f0
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

13/10/2022, 19:43

Not After

11/10/2023, 19:43

Subject

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

25:2f:bc:d2:71:51:1d:70:b9:f5:b9:19:a5:62:e8:9e:5a:d3:d6:19:2a:f8:de:10:bc:a7:5e:2e:7e:23:8d:f7
Signer

Actual PE Digest

25:2f:bc:d2:71:51:1d:70:b9:f5:b9:19:a5:62:e8:9e:5a:d3:d6:19:2a:f8:de:10:bc:a7:5e:2e:7e:23:8d:f7

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

27/02/2023, 09:32
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

TraceMessage
EnumDependentServicesW
ChangeServiceConfigW
RegCloseKey
CloseServiceHandle
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
OpenSCManagerW
OpenServiceW
QueryServiceStatus
EventWriteTransfer
OpenProcessToken
CreateProcessAsUserW
CreateRestrictedToken
GetUserNameW
ReadEventLogW
RegOpenKeyExW
RegQueryValueExW
OpenEventLogW
GetOldestEventLogRecord
GetNumberOfEventLogRecords
CloseEventLog
QueryServiceStatusEx
ProcessTrace
CloseTrace
OpenTraceW
LookupPrivilegeValueW
AdjustTokenPrivileges
RegCreateKeyExW
RegEnumKeyExW
RegSetValueExW
RegEnumValueW
ChangeServiceConfig2W
ControlService
QueryServiceConfig2W
EventRegister
EventUnregister
CopySid
FreeSid
StartServiceW
AllocateAndInitializeSid
ConvertStringSidToSidW
EnumServicesStatusExW
CheckTokenMembership
ConvertSidToStringSidW
EqualSid
GetLengthSid
IsValidSid
QueryServiceConfigW

kernel32

GetCommandLineA
GetSystemInfo
LoadLibraryExA
VirtualProtect
GetSystemFirmwareTable
VirtualQuery
HeapSetInformation
GetNativeSystemInfo
GetSystemDirectoryW
QueryFullProcessImageNameW
QueryPerformanceFrequency
OpenProcess
CreateTimerQueueTimer
CreateThreadpoolTimer
SetThreadpoolTimer
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
InitializeSRWLock
FileTimeToDosDateTime
FindResourceW
LoadResource
LockResource
SizeofResource
SystemTimeToFileTime
LoadLibraryW
Module32NextW
Module32FirstW
DeleteTimerQueueTimer
ConvertDefaultLocale
GetComputerNameExW
GetSystemPowerStatus
InterlockedPushEntrySList
InitializeSListHead
QueryPerformanceCounter
CreateEventW
ResetEvent
SetEvent
HeapSize
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
WriteConsoleW
GetModuleFileNameW
SetStdHandle
GetOEMCP
GetACP
IsValidCodePage
ExitProcess
ReadConsoleW
RaiseException
ReadFile
GetFileSizeEx
GetTimeZoneInformation
GetConsoleOutputCP
CreateSemaphoreExW
CreateMutexExW
GetCurrentProcessId
OpenSemaphoreW
WaitForSingleObjectEx
ReleaseMutex
ReleaseSemaphore
OutputDebugStringW
IsDebuggerPresent
GetModuleHandleW
GetModuleFileNameA
GetModuleHandleExW
HeapFree
GetProcessHeap
HeapAlloc
lstrlenA
MultiByteToWideChar
GetSystemDefaultUILanguage
GetProcAddress
TerminateProcess
CompareFileTime
GetTimeFormatW
GetDateFormatW
SetConsoleMode
GetConsoleMode
GetStdHandle
LoadLibraryExW
ExpandEnvironmentStringsW
FileTimeToLocalFileTime
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
FindClose
FindNextFileW
GetSystemTime
FindFirstFileW
WaitForSingleObject
CreateProcessW
SetHandleInformation
CreatePipe
CopyFileW
GetLocalTime
CreateDirectoryW
DeleteFileW
GetExitCodeProcess
GetCurrentProcess
GetCommandLineW
GetCurrentThreadId
SetLastError
GetTickCount
LocalFree
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetLastError
DebugBreak
GetSystemTimeAsFileTime
FormatMessageW
SetErrorMode
CloseHandle
FreeLibrary
Sleep
WideCharToMultiByte
FormatMessageA
GetStringTypeW
TryAcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockShared
GetFileInformationByHandleEx
FindFirstFileExW
DeviceIoControl
GetFinalPathNameByHandleW
SetEndOfFile
GetTempPathW
CreateFileW
GetFileAttributesW
SetFileAttributesW
GetFileInformationByHandle
GetFileAttributesExW
SetFileInformationByHandle
SetFilePointerEx
MoveFileExW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
EncodePointer
DecodePointer
LCMapStringEx
GetLocaleInfoEx
GetCPInfo
CompareStringEx
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
HeapReAlloc
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
InitializeCriticalSectionAndSpinCount
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetFileType
GetStartupInfoW
FlushFileBuffers
WriteFile

crypt32

CertVerifyCertificateChainPolicy

rpcrt4

UuidFromStringW
UuidCreate

userenv

LoadUserProfileW
UnloadUserProfile
DestroyEnvironmentBlock
CreateEnvironmentBlock

wintrust

CryptCATAdminReleaseContext
WinVerifyTrust
WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
CryptCATAdminCalcHashFromFileHandle
CryptCATAdminAcquireContext
CryptCATAdminEnumCatalogFromHash
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseCatalogContext

bcrypt

BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptDestroyHash
BCryptCreateHash
BCryptHashData
BCryptFinishHash
BCryptCloseAlgorithmProvider

mpclient

MpGetNpSupportFile
MpGetTaskSchedulerStrings
MpDynamicSignatureEnumerate
MpDynamicSignatureOpen
MpRemoveDynamicSignatureFile
MpAddDynamicSignatureFile
MpUpdateStartEx
MpCleanStart
MpCleanOpen
MpGetTDTFeatureStatusEx
MpScanControl
MpScanResult
MpGetTDTFeatureStatus
MpThreatOpen
MpConfigUninitialize
MpServiceLogMessage
MpUnblockSignatures
MpUnblockEngine
MpThreatEnumerate
MpRollbackPlatform
MpWDEnable
MpManagerEnable
MpConfigInitialize
MpUpdateTSModeEx
MpGetTSModeInfo
MpClientUtilExportFunctions
MpConfigClose
MpConfigSetValue
MpConfigGetValue
MpGetTPStateInfo
MpUpdatePlatform
MpManagerStatusQuery
MpManagerOpen
MpConfigGetValueAlloc
MpConfigOpen
MpFreeMemory
MpHandleClose
MpManagerVersionQuery
MpConfigIteratorOpen
MpConfigIteratorEnum
MpConfigIteratorClose
MpNetworkCapture
MpConfigDelValue
MpQuarantineRequest
MpManagerStatusQueryEx
MpUpdateStart
MpSampleQuery
MpSampleSubmit
MpConveySampleSubmissionResult
MpGetSampleChunk
MpQueryEngineConfigDword
MpGetDeviceControlSecurityPolicies
MpSetTPState
MpAllocMemory
MpUtilsExportFunctions
MpScanStartEx
MpUnblockPlatform

api-ms-win-service-private-l1-1-0

SubscribeServiceChangeNotifications
UnsubscribeServiceChangeNotifications

ntdll

RtlCompareMemory
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlUnwindEx
RtlUnwind
RtlPcToFileHeader
NtQueryInformationProcess
RtlLengthSid

Sections

.text
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 344KB - Virtual size: 342KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 28KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 40KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 288B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 52KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: 123

Password: 123

8abecba2211e61763c4c9ffcaa13369e

Headers

File Characteristics

Imports

mfc42

msvcrt

kernel32

user32

shell32

Sections

.text Size: 8KB - Virtual size: 5KB

.rdata Size: 4KB - Virtual size: 1KB

.data Size: 4KB - Virtual size: 352B

.rsrc Size: 4KB - Virtual size: 3KB

Password: 123

468867ffbfff6d241e78757bad3cd605

Code Sign

33:00:00:03:f0:b3:c9:1e:ce:a8:0a:5b:3a:00:00:00:00:03:f0Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

25:2f:bc:d2:71:51:1d:70:b9:f5:b9:19:a5:62:e8:9e:5a:d3:d6:19:2a:f8:de:10:bc:a7:5e:2e:7e:23:8d:f7Signer

Signature Validations

Verification

27/02/2023, 09:32 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

crypt32

rpcrt4

userenv

wintrust

bcrypt

mpclient

api-ms-win-service-private-l1-1-0

ntdll

Sections

.text Size: 1.0MB - Virtual size: 1.0MB

.rdata Size: 344KB - Virtual size: 342KB

.data Size: 28KB - Virtual size: 35KB

.pdata Size: 40KB - Virtual size: 37KB

.didat Size: 4KB - Virtual size: 288B

.rsrc Size: 52KB - Virtual size: 49KB

.reloc Size: 8KB - Virtual size: 6KB

.text
Size: 8KB - Virtual size: 5KB

.rdata
Size: 4KB - Virtual size: 1KB

.data
Size: 4KB - Virtual size: 352B

.rsrc
Size: 4KB - Virtual size: 3KB

33:00:00:03:f0:b3:c9:1e:ce:a8:0a:5b:3a:00:00:00:00:03:f0
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

25:2f:bc:d2:71:51:1d:70:b9:f5:b9:19:a5:62:e8:9e:5a:d3:d6:19:2a:f8:de:10:bc:a7:5e:2e:7e:23:8d:f7
Signer

27/02/2023, 09:32
Valid: false

.text
Size: 1.0MB - Virtual size: 1.0MB

.rdata
Size: 344KB - Virtual size: 342KB

.data
Size: 28KB - Virtual size: 35KB

.pdata
Size: 40KB - Virtual size: 37KB

.didat
Size: 4KB - Virtual size: 288B

.rsrc
Size: 52KB - Virtual size: 49KB

.reloc
Size: 8KB - Virtual size: 6KB