s-w[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

s-w.zip
Size

1.9MB
MD5

f238391d9d98cfa09183cfa28655a95c
SHA1

c165bfbf5a285ce13f75c884f6504cd9316700bf
SHA256

0849e39634d684127bb870778e5e2d1172880d33c98105e36b9aec03a5dd1801
SHA512

2400c868869f8c46a8b33543558fa4c56f29c8440f15d1ee1e91f024945e1e26aad57dba5c2e0d8f9a0a0677780ca313c9786fdcf932d405959b800e67381090
SSDEEP

49152:U2y6BZh0t9oftqwSYNoDP06RpDVp3HCw21/QJW86XxH2yzGZvs:/7/AwSYS7p7iw214JvMwy9

Score

1^/10

Malware Config

Signatures

Files

s-w.zip
.zip
ShadowsocksR-win-4.9.2/LICENSE
ShadowsocksR-win-4.9.2/ShadowsocksR-dotnet2.0.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 987KB - Virtual size: 987KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ShadowsocksR-win-4.9.2/ShadowsocksR-dotnet2.0.exe.sig
ShadowsocksR-win-4.9.2/ShadowsocksR-dotnet4.0.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 989KB - Virtual size: 988KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ShadowsocksR-win-4.9.2/ShadowsocksR-dotnet4.0.exe.sig
ShadowsocksR-win-4.9.2/chn_ip.txt
ShadowsocksR-win-4.9.2/gui-config.json
ShadowsocksR-win-4.9.2/gui-config.json.backup
ShadowsocksR-win-4.9.2/temp/ShadowsocksR-dotnet4.0.exe
.exe windows x86

4e114cb9809ba156f768b364ad683132

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

msvcrt

_access
_putenv
_stat
_strdup
_tzset
__getmainargs
__lc_codepage
__mb_cur_max
__p___argc
__p___argv
__p__environ
__p__fmode
__set_app_type
_assert
_beginthread
_cexit
_errno
_filbuf
_iob
_isctype
_onexit
_pctype
_setmode
_stricmp
_strnicmp
abort
atexit
atoi
difftime
exit
fclose
fgets
fopen
fprintf
fputc
fputs
fread
free
fseek
ftell
fwrite
getenv
gmtime
localeconv
localtime
malloc
memcpy
memmove
memset
mktime
printf
puts
rand
realloc
setbuf
signal
sprintf
srand
sscanf
strcat
strchr
strcmp
strcpy
strerror
strftime
strlen
strncat
strncmp
strncpy
strpbrk
strstr
strtol
time
tolower
toupper
ungetc
vfprintf
wcslen

mgwz

inflate
inflateEnd
inflateInit2_

gdi32

DeleteObject
GetStockObject

kernel32

CloseHandle
CreateEventA
DeleteCriticalSection
EnterCriticalSection
ExitProcess
FormatMessageA
FreeLibrary
GetCommandLineA
GetCurrentThreadId
GetFullPathNameA
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetSystemTimeAsFileTime
GetTickCount
InitializeCriticalSection
InterlockedExchange
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryA
MultiByteToWideChar
SetCurrentDirectoryA
SetEvent
SetLastError
SetUnhandledExceptionFilter
Sleep
VirtualProtect
VirtualQuery
WaitForSingleObject
WideCharToMultiByte

shell32

ShellExecuteA
Shell_NotifyIconA

user32

CallWindowProcA
CheckMenuItem
ClientToScreen
CreateWindowExA
DefWindowProcA
DestroyMenu
DestroyWindow
DispatchMessageA
EnableMenuItem
GetClientRect
GetCursorPos
GetKeyState
GetMessageA
GetSubMenu
GetWindowLongA
GetWindowTextLengthA
KillTimer
LoadIconA
LoadMenuA
MessageBoxA
PostMessageA
PostQuitMessage
RegisterClassA
RegisterClassExA
RegisterWindowMessageA
SendMessageA
SetForegroundWindow
SetTimer
SetWindowLongA
SetWindowPos
ShowWindow
TrackPopupMenu
TranslateMessage
UpdateWindow

ws2_32

WSAGetLastError
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
gethostbyname
getnameinfo
getsockname
getsockopt
htonl
inet_addr
listen
recv
select
send
setsockopt
socket

Sections

.text
Size: 252KB - Virtual size: 252KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 77KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 13KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
ShadowsocksR-win-4.9.2/temp/libsscrypto.dll
.dll windows x64

5d34552f4e93524c8581dbcbe0064dbf

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwindEx
InterlockedFlushSList
GetLastError
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
ExitProcess
GetModuleHandleExW
GetModuleFileNameA
MultiByteToWideChar
WideCharToMultiByte
HeapFree
HeapAlloc
CloseHandle
GetConsoleMode
RtlLookupFunctionEntry
LCMapStringW
GetStdHandle
GetFileType
GetACP
FindClose
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
GetStringTypeW
CreateFileW
SetStdHandle
FlushFileBuffers
WriteFile
GetConsoleCP
SetFilePointerEx
HeapSize
HeapReAlloc
WriteConsoleW
RaiseException
GetSystemInfo
InitializeCriticalSection
Sleep
RtlCaptureContext

advapi32

SystemFunction036

Exports

Exports

cipher_auth_decrypt
cipher_auth_encrypt
cipher_free
cipher_get_size_ex
cipher_info_from_string
cipher_init
cipher_reset
cipher_set_iv
cipher_setkey
cipher_setup
cipher_update
crypto_aead_aes256gcm_decrypt
crypto_aead_aes256gcm_encrypt
crypto_aead_aes256gcm_is_available
crypto_aead_chacha20poly1305_ietf_decrypt
crypto_aead_chacha20poly1305_ietf_encrypt
crypto_stream_chacha20_ietf_xor_ic
crypto_stream_chacha20_xor_ic
crypto_stream_salsa20_xor_ic
crypto_stream_xchacha20_xor_ic
crypto_stream_xsalsa20_xor_ic
hkdf
md5
sodium_increment
sodium_init
ss_hmac_ex
ss_md

Sections

.text
Size: 197KB - Virtual size: 197KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 93KB - Virtual size: 93KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ShadowsocksR-win-4.9.2/temp/mgwz.dll
.dll windows x86

6e0d411d3fcca5990423266db759d223

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

msvcrt

_fdopen
__dllonexit
__lc_codepage
__mb_cur_max
_errno
_vsnprintf
clearerr
fclose
fflush
fopen
fputc
fread
free
fseek
ftell
fwrite
getenv
localeconv
malloc
memcpy
memset
strcat
strcpy
strerror
strlen
wcslen

kernel32

DeleteCriticalSection
EnterCriticalSection
InitializeCriticalSection
InterlockedExchange
IsDBCSLeadByteEx
LeaveCriticalSection
MultiByteToWideChar
Sleep
WideCharToMultiByte

Exports

Exports

_dist_code
_get_output_format
_length_code
_tr_align
_tr_flush_block
_tr_init
_tr_stored_block
_tr_tally
adler32
adler32_combine
compress
compress2
compressBound
crc32
crc32_combine
deflate
deflateBound
deflateCopy
deflateEnd
deflateInit2_
deflateInit_
deflateParams
deflatePrime
deflateReset
deflateSetDictionary
deflateSetHeader
deflateTune
deflate_copyright
get_crc_table
gzclearerr
gzclose
gzdirect
gzdopen
gzeof
gzerror
gzflush
gzgetc
gzgets
gzopen
gzprintf
gzputc
gzputs
gzread
gzrewind
gzseek
gzsetparams
gztell
gzungetc
gzwrite
inflate
inflateBack
inflateBackEnd
inflateBackInit_
inflateCopy
inflateEnd
inflateGetHeader
inflateInit2_
inflateInit_
inflatePrime
inflateReset
inflateSetDictionary
inflateSync
inflateSyncPoint
inflate_copyright
inflate_fast
inflate_table
uncompress
zError
z_errmsg
zcalloc
zcfree
zlibCompileFlags
zlibVersion

Sections

.text
Size: 60KB - Virtual size: 59KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 100B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ShadowsocksR-win-4.9.2/temp/privoxy.conf
ShadowsocksR-win-4.9.2/templates/cgi-error-404
ShadowsocksR-win-4.9.2/templates/cgi-error-bad-param
ShadowsocksR-win-4.9.2/templates/cgi-error-disabled
ShadowsocksR-win-4.9.2/templates/cgi-error-file
ShadowsocksR-win-4.9.2/templates/cgi-error-parse
ShadowsocksR-win-4.9.2/templates/cgi-style.css
ShadowsocksR-win-4.9.2/templates/edit-actions-add-url-form
ShadowsocksR-win-4.9.2/templates/edit-actions-for-url-filter
ShadowsocksR-win-4.9.2/templates/edit-actions-list-button
ShadowsocksR-win-4.9.2/templates/mod-local-help
ShadowsocksR-win-4.9.2/templates/mod-title
ShadowsocksR-win-4.9.2/templates/mod-unstable-warning
ShadowsocksR-win-4.9.2/templates/url-info-osd.xml
.xml
ShadowsocksR-win-4.9.2/transfer_log.json
ShadowsocksR-win-4.9.2/user.rule

Sharing

General

Malware Config

Signatures

Files

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 987KB - Virtual size: 987KB

.rsrc Size: 21KB - Virtual size: 20KB

.reloc Size: 512B - Virtual size: 12B

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 989KB - Virtual size: 988KB

.rsrc Size: 21KB - Virtual size: 20KB

.reloc Size: 512B - Virtual size: 12B

4e114cb9809ba156f768b364ad683132

Headers

File Characteristics

Imports

msvcrt

mgwz

gdi32

kernel32

shell32

user32

ws2_32

Sections

.text Size: 252KB - Virtual size: 252KB

.data Size: 3KB - Virtual size: 2KB

.rdata Size: 77KB - Virtual size: 76KB

.bss Size: - Virtual size: 13KB

.idata Size: 5KB - Virtual size: 4KB

.rsrc Size: 31KB - Virtual size: 31KB

5d34552f4e93524c8581dbcbe0064dbf

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

Exports

Exports

Sections

.text Size: 197KB - Virtual size: 197KB

.rdata Size: 93KB - Virtual size: 93KB

.data Size: 3KB - Virtual size: 15KB

.pdata Size: 7KB - Virtual size: 6KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 2KB - Virtual size: 2KB

6e0d411d3fcca5990423266db759d223

Headers

File Characteristics

Imports

msvcrt

kernel32

Exports

Exports

Sections

.text Size: 60KB - Virtual size: 59KB

.data Size: 512B - Virtual size: 100B

.rdata Size: 18KB - Virtual size: 17KB

.bss Size: - Virtual size: 2KB

.edata Size: 2KB - Virtual size: 1KB

.idata Size: 1KB - Virtual size: 1KB

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 987KB - Virtual size: 987KB

.rsrc
Size: 21KB - Virtual size: 20KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 989KB - Virtual size: 988KB

.rsrc
Size: 21KB - Virtual size: 20KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 252KB - Virtual size: 252KB

.data
Size: 3KB - Virtual size: 2KB

.rdata
Size: 77KB - Virtual size: 76KB

.bss
Size: - Virtual size: 13KB

.idata
Size: 5KB - Virtual size: 4KB

.rsrc
Size: 31KB - Virtual size: 31KB

.text
Size: 197KB - Virtual size: 197KB

.rdata
Size: 93KB - Virtual size: 93KB

.data
Size: 3KB - Virtual size: 15KB

.pdata
Size: 7KB - Virtual size: 6KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 2KB - Virtual size: 2KB

.text
Size: 60KB - Virtual size: 59KB

.data
Size: 512B - Virtual size: 100B

.rdata
Size: 18KB - Virtual size: 17KB

.bss
Size: - Virtual size: 2KB

.edata
Size: 2KB - Virtual size: 1KB

.idata
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1KB - Virtual size: 1KB