1[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

1.zip
Size

86KB
MD5

33110f98066b76da777e665d6ec29113
SHA1

a543532eb704850fe06e09f1475d63d073abe5dc
SHA256

b4b6375f01546510b62ccdb6337c6fd0e91448edc71817ed12d36fa81b56bcad
SHA512

d4cd8497be5cac92c781d1c091943e1f3613482a9f7035820200a0dc549725595ea2f2e8945f7e5d093a3be04f0c2ef9db7345f2f3ef735a77c9535c46a9d9d3
SSDEEP

1536:9RFPyPtqtOgf2c9RTdm3yYEWvH23LV8gX6SF3IvkClrRjoazEIdRzizOGadV4U/t:RyPt3gf2c9x43yY1EBqy30rrRUIjG44o

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/vjsc.dll

Files

1.zip
.zip

Password: infected
.bin
conmgr.ctf
conmgr.exe
.exe windows x86

Password: infected

e6fd38aa9efdba3a2cff8692f059ccfb

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10/01/1997, 07:00

Not After

31/12/2020, 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

6a:0b:99:4f:c0:00:0c:ab:11:d8:22:ef:7d:6c:79:7e
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

23/05/2002, 08:00

Not After

25/09/2011, 08:00

Subject

CN=Microsoft Code Signing PCA,OU=Copyright (c) 2000 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

61:05:87:58:00:03:00:00:00:5a
Certificate

Issuer

CN=Microsoft Code Signing PCA,OU=Copyright (c) 2000 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

05/01/2005, 23:20

Not After

05/04/2006, 23:30

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

04:d4:77:e4:09:a1:b9:46:dd:46:0d:c7:be:39:49:6b:cb:30:b4:c5
Signer

Actual PE Digest

04:d4:77:e4:09:a1:b9:46:dd:46:0d:c7:be:39:49:6b:cb:30:b4:c5

Digest Algorithm

sha1

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

25/04/2023, 11:09
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcr80

_encode_pointer
__set_app_type
_unlock
__dllonexit
_lock
__p__fmode
_decode_pointer
_except_handler4_common
_invoke_watson
_controlfp_s
_crt_debugger_hook
__p__commode
_adjust_fdiv
__setusermatherr
_configthreadlocale
_initterm_e
_initterm
__winitenv
exit
_XcptFilter
_exit
_cexit
__wgetmainargs
_onexit
_amsg_exit

kernel32

SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
InterlockedCompareExchange
Sleep
InterlockedExchange
IsDebuggerPresent

vjsc

VJSCCommandLineCompile

Sections

.text
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 512B - Virtual size: 900B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 72KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
vjsc.dll
.dll windows x86

Password: infected

06b2e6e952f202daae64d0c6c170f83d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetLastError
GetCurrentProcessId
GetLastError
GetModuleFileNameA
CreateFileA
GetFileSize
VirtualAlloc
ReadFile
CloseHandle
TerminateProcess
GetCurrentProcess
IsProcessorFeaturePresent
GetCurrentThreadId
DecodePointer
GetCommandLineA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
HeapAlloc
RaiseException
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
GetModuleHandleW
InterlockedDecrement
GetProcAddress
HeapFree
Sleep
ExitProcess
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
DeleteCriticalSection
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
HeapCreate
HeapDestroy
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
HeapSize
WriteFile
GetModuleFileNameW
LeaveCriticalSection
EnterCriticalSection
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapReAlloc
LoadLibraryW
RtlUnwind
LCMapStringW
MultiByteToWideChar
GetStringTypeW

user32

EnumWindows
GetWindowThreadProcessId
ShowWindow

Exports

Exports

VJSCCommandLineCompile

Sections

.text
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 176B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

e6fd38aa9efdba3a2cff8692f059ccfb

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88Certificate

Extended Key Usages

Key Usages

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40Certificate

6a:0b:99:4f:c0:00:0c:ab:11:d8:22:ef:7d:6c:79:7eCertificate

Extended Key Usages

Key Usages

61:05:87:58:00:03:00:00:00:5aCertificate

Extended Key Usages

Key Usages

04:d4:77:e4:09:a1:b9:46:dd:46:0d:c7:be:39:49:6b:cb:30:b4:c5Signer

Signature Validations

Verification

25/04/2023, 11:09 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

msvcr80

kernel32

vjsc

Sections

.text Size: 3KB - Virtual size: 3KB

.data Size: 512B - Virtual size: 900B

.rsrc Size: 1KB - Virtual size: 72KB

Password: infected

06b2e6e952f202daae64d0c6c170f83d

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

Exports

Exports

Sections

.text Size: 19KB - Virtual size: 19KB

.rdata Size: 11KB - Virtual size: 10KB

.data Size: 3KB - Virtual size: 6KB

.rsrc Size: 512B - Virtual size: 176B

.reloc Size: 4KB - Virtual size: 3KB

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

6a:0b:99:4f:c0:00:0c:ab:11:d8:22:ef:7d:6c:79:7e
Certificate

61:05:87:58:00:03:00:00:00:5a
Certificate

04:d4:77:e4:09:a1:b9:46:dd:46:0d:c7:be:39:49:6b:cb:30:b4:c5
Signer

25/04/2023, 11:09
Valid: false

.text
Size: 3KB - Virtual size: 3KB

.data
Size: 512B - Virtual size: 900B

.rsrc
Size: 1KB - Virtual size: 72KB

.text
Size: 19KB - Virtual size: 19KB

.rdata
Size: 11KB - Virtual size: 10KB

.data
Size: 3KB - Virtual size: 6KB

.rsrc
Size: 512B - Virtual size: 176B

.reloc
Size: 4KB - Virtual size: 3KB