T_662[.]20538[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

T_662.20538.zip
Size

442KB
MD5

50d2cd85d182b98704009d646e6a62b3
SHA1

8edf734147365e5a735c8e896a1422b777506dbf
SHA256

aa9483ac1bd7e7e78462f17a217546a7bac959191b17a817c377891eedc6f25e
SHA512

1aae0dee865d92efc0b506d4e42ee225a5d7e5d7f6264b594c85e60451a20832f6c06eb503be681fdee499c19ea425cbecd3468cefd2b6e17e088c87f86cab01
SSDEEP

12288:elgI2fm8hZJxxs3yFAXT08nMb0ldyVUX09hoE:e52fT7KCAjH3Xihn

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/I00751764271¬D.exe

Files

T_662.20538.zip
.zip
I00751764271¬D.exe
.exe windows x64

65d2a4768b2d3322c5409ac1e350769a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

wininet

InternetReadFile
InternetCloseHandle
InternetOpenA
InternetOpenUrlA

kernel32

RtlPcToFileHeader
SetEndOfFile
HeapSize
CreateFileW
SetStdHandle
CreateMutexW
LCIDToLocaleName
GetLastError
GetUserDefaultLCID
CloseHandle
WideCharToMultiByte
GetComputerNameA
GetProcessHeap
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
FindClose
MultiByteToWideChar
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
EncodePointer
DecodePointer
GetLocaleInfoEx
LCMapStringEx
GetStringTypeW
CompareStringEx
GetCPInfo
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
GetModuleHandleW
GetProcAddress
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
RtlUnwindEx
WriteConsoleW
RaiseException
SetLastError
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
RtlUnwind
QueryPerformanceFrequency
ExitProcess
GetModuleHandleExW
GetModuleFileNameW
GetStdHandle
WriteFile
GetFileSizeEx
SetFilePointerEx
GetFileType
HeapAlloc
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
HeapFree
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
EnumSystemLocalesW
WaitForSingleObject
GetExitCodeProcess
CreateProcessW
GetFileAttributesExW
ReadFile
ReadConsoleW
HeapReAlloc
GetTimeZoneInformation

shell32

SHCreateDirectoryExW
SHGetFolderPathA
ShellExecuteW

Sections

.text
Size: 462KB - Virtual size: 462KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 143KB - Virtual size: 142KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
______________________________________.xml
.exe windows x86

0d0ad7a4b0d798072363b08f823411a0

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

74:10:00:f6:01:81:2e:b3:6c:c3:65:9e:15:d6:16:89
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

03/04/2013, 00:00

Not After

02/06/2015, 23:59

Subject

CN=Wandou Technology Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Wandou Technology Ltd,O=Wandou Technology Ltd,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

52:46:08:3f:11:74:7b:ac:18:db:cb:25:5b:c0:a3:76:06:a3:17:a8
Signer

Actual PE Digest

52:46:08:3f:11:74:7b:ac:18:db:cb:25:5b:c0:a3:76:06:a3:17:a8

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Wandou Technology Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Wandou Technology Ltd,O=Wandou Technology Ltd,L=Beijing,ST=Beijing,C=CN

11/01/2014, 07:21
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LeaveCriticalSection
GetModuleFileNameW
MultiByteToWideChar
lstrlenW
RaiseException
GetLastError
SizeofResource
EnterCriticalSection
lstrcmpiW
DeleteCriticalSection
InitializeCriticalSection
GetModuleHandleW
InterlockedDecrement
InterlockedIncrement
LoadLibraryExW
LoadResource
FreeLibrary
GetProcAddress
FindResourceW
LCMapStringW
LCMapStringA
GetStringTypeW
GetStringTypeA
HeapFree
HeapAlloc
GetStartupInfoW
RtlUnwind
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
Sleep
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
HeapSize
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeCriticalSectionAndSpinCount
LoadLibraryA
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
GetLocaleInfoA
WideCharToMultiByte
VirtualQuery

user32

CharNextW

advapi32

RegCloseKey
RegEnumKeyExW
RegOpenKeyExW
RegDeleteValueW
RegDeleteKeyW
RegQueryInfoKeyW
RegCreateKeyExW
RegSetValueExW

ole32

CoCreateInstance
CoTaskMemRealloc
CoTaskMemFree
CoTaskMemAlloc

oleaut32

VarUI4FromStr

shlwapi

PathRemoveFileSpecW

Sections

.text
Size: 46KB - Virtual size: 45KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

65d2a4768b2d3322c5409ac1e350769a

Headers

DLL Characteristics

File Characteristics

Imports

wininet

kernel32

shell32

Sections

.text Size: 462KB - Virtual size: 462KB

.rdata Size: 143KB - Virtual size: 142KB

.data Size: 8KB - Virtual size: 19KB

.pdata Size: 17KB - Virtual size: 17KB

_RDATA Size: 512B - Virtual size: 348B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 3KB - Virtual size: 3KB

0d0ad7a4b0d798072363b08f823411a0

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

74:10:00:f6:01:81:2e:b3:6c:c3:65:9e:15:d6:16:89Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

52:46:08:3f:11:74:7b:ac:18:db:cb:25:5b:c0:a3:76:06:a3:17:a8Signer

Signature Validations

Verification

11/01/2014, 07:21 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

ole32

oleaut32

shlwapi

Sections

.text Size: 46KB - Virtual size: 45KB

.rdata Size: 14KB - Virtual size: 13KB

.data Size: 4KB - Virtual size: 7KB

.rsrc Size: 33KB - Virtual size: 33KB

.reloc Size: 6KB - Virtual size: 6KB

.text
Size: 462KB - Virtual size: 462KB

.rdata
Size: 143KB - Virtual size: 142KB

.data
Size: 8KB - Virtual size: 19KB

.pdata
Size: 17KB - Virtual size: 17KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 3KB - Virtual size: 3KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

74:10:00:f6:01:81:2e:b3:6c:c3:65:9e:15:d6:16:89
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

52:46:08:3f:11:74:7b:ac:18:db:cb:25:5b:c0:a3:76:06:a3:17:a8
Signer

11/01/2014, 07:21
Valid: false

.text
Size: 46KB - Virtual size: 45KB

.rdata
Size: 14KB - Virtual size: 13KB

.data
Size: 4KB - Virtual size: 7KB

.rsrc
Size: 33KB - Virtual size: 33KB

.reloc
Size: 6KB - Virtual size: 6KB