yara-4[.]3[.]1-2141-win64[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

yara-4.3.1-2141-win64.zip
Size

2.1MB
MD5

0c536c9d0dc51958cd3982fd0a1f4d51
SHA1

7177f69133d314892484c33b7ac7defa36072c68
SHA256

841f0295380e549195b67bce492611826194fbf6fa9d941a08c8626fb9d7dd14
SHA512

bcd9a4e8b7ddd3fe904234e9fcbebc7c68afa5159f8e466d0b83aec3bcb91c3f5f4e970e42c7d05b66e488f77f87b6edfbdd65f0c345948daa60d91e7026cd22
SSDEEP

49152:gn4U6ke5ltbFm9AnnIs22u/lnEDQCheS6GhSZ5eD6pyXq2zl+oOw3PGat:g4Ye5xS6LK18QCUkhG5eDCyXq6DPGat

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/yara64.exe
unpack001/yarac64.exe

Files

yara-4.3.1-2141-win64.zip
.zip

Password: purpl3sp1d3r.infected
yara64.exe
.exe windows x64

Password: purpl3sp1d3r.infected

9ace0f62c9d3d5c347e279a54c80e661

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

HeapReAlloc
HeapFree
QueryPerformanceCounter
QueryPerformanceFrequency
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetCurrentProcess
OpenProcess
GetSystemInfo
VirtualQueryEx
ReadProcessMemory
GetStdHandle
GetEnvironmentVariableW
GetFileType
WriteFile
GetModuleHandleW
GetProcAddress
MultiByteToWideChar
SetLastError
GetCurrentProcessId
SwitchToThread
HeapAlloc
InitializeCriticalSectionAndSpinCount
GetModuleHandleExW
RtlVirtualUnwind
DeleteFiber
GetSystemTimeAsFileTime
ConvertFiberToThread
FreeLibrary
LoadLibraryA
LoadLibraryW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
IsDebuggerPresent
InitializeSListHead
IsProcessorFeaturePresent
TerminateProcess
HeapDestroy
HeapCreate
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
GetFileSizeEx
CreateFileA
GetFileSize
GetFileAttributesW
CreateFileW
FindClose
VirtualAlloc
FindNextFileW
FindFirstFileW
ReadFile
CreateSemaphoreW
DeleteCriticalSection
CreateThread
CloseHandle
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlLookupFunctionEntry
RtlCaptureContext
GetLastError
WaitForSingleObject
InitializeCriticalSection
LeaveCriticalSection
ReleaseSemaphore
EnterCriticalSection
GetModuleHandleA
WideCharToMultiByte

user32

GetUserObjectInformationW
MessageBoxW
GetProcessWindowStation

advapi32

CryptExportKey
AdjustTokenPrivileges
LookupPrivilegeValueW
DeregisterEventSource
RegisterEventSourceW
ReportEventW
CryptAcquireContextW
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
OpenProcessToken
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptReleaseContext

bcrypt

BCryptGenRandom

vcruntime140

memset
strchr
wcsstr
memcpy
memcmp
strstr
longjmp
wcschr
memmove
__intrinsic_setjmp
__C_specific_handler
strrchr
memchr

api-ms-win-crt-runtime-l1-1-0

raise
_errno
_exit
terminate
exit
_crt_atexit
_wassert
_register_onexit_function
signal
_seh_filter_exe
_set_app_type
_configure_wide_argv
_initialize_wide_environment
_get_initial_wide_environment
_initterm
_initterm_e
_initialize_onexit_table
__p___argc
__p___wargv
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
strerror_s
abort

api-ms-win-crt-stdio-l1-1-0

_set_fmode
fputs
fread
fflush
_setmode
_fileno
_read
fopen
fgets
feof
fwrite
fseek
ftell
__stdio_common_vsprintf
_close
_filelength
_wfopen
__stdio_common_vfprintf
fclose
__stdio_common_vsscanf
getc
__stdio_common_vswprintf
ferror
__stdio_common_vfwprintf
clearerr
__acrt_iob_func
_sopen_s
__p__commode

api-ms-win-crt-convert-l1-1-0

strtol
atof
strtoll
wcstol
wcstoll
strtod
atoi
strtoul
_strtoi64

api-ms-win-crt-heap-l1-1-0

realloc
calloc
free
_set_new_mode
malloc

api-ms-win-crt-filesystem-l1-1-0

_stat64i32
_waccess_s

api-ms-win-crt-string-l1-1-0

strcmp
isdigit
_wcsdup
strspn
isspace
_strdup
wcstok_s
isxdigit
strncpy
strncmp
_strnicmp
_stricmp
strcspn
strnlen
isprint
tolower

api-ms-win-crt-time-l1-1-0

_gmtime64_s
_time64
_mkgmtime64

api-ms-win-crt-utility-l1-1-0

srand
qsort
rand

api-ms-win-crt-math-l1-1-0

_dclass
pow
__setusermatherr
_isnan
log2

api-ms-win-crt-locale-l1-1-0

localeconv
_configthreadlocale

api-ms-win-crt-environment-l1-1-0

getenv

ws2_32

WSASetLastError
send
closesocket
WSACleanup
WSAGetLastError
recv

crypt32

CertGetCertificateContextProperty
CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertOpenStore
CertCloseStore

Sections

.text
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 549KB - Virtual size: 549KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 77KB - Virtual size: 92KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 64KB - Virtual size: 63KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 28B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
yarac64.exe
.exe windows x64

Password: purpl3sp1d3r.infected

35fb083b691fba73700620556d8a3165

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

QueryPerformanceCounter
GetStdHandle
GetEnvironmentVariableW
GetFileType
WriteFile
GetLastError
GetModuleHandleW
GetProcAddress
MultiByteToWideChar
SetLastError
GetCurrentProcessId
SwitchToThread
GetModuleHandleA
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
GetModuleHandleExW
RtlVirtualUnwind
GetSystemTimeAsFileTime
ConvertFiberToThread
FreeLibrary
LoadLibraryA
LoadLibraryW
FindClose
FindFirstFileW
FindNextFileW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
IsDebuggerPresent
InitializeSListHead
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
GetCurrentThreadId
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
HeapCreate
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlLookupFunctionEntry
RtlCaptureContext
CloseHandle
DeleteFiber
WideCharToMultiByte

user32

GetProcessWindowStation
MessageBoxW
GetUserObjectInformationW

advapi32

CryptExportKey
DeregisterEventSource
RegisterEventSourceW
ReportEventW
CryptAcquireContextW
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptReleaseContext

bcrypt

BCryptGenRandom

vcruntime140

memcpy
__C_specific_handler
memcmp
strrchr
strchr
wcsstr
wcschr
__intrinsic_setjmp
longjmp
memmove
strstr
memchr
memset

api-ms-win-crt-runtime-l1-1-0

_errno
exit
_wassert
abort
terminate
_exit
signal
_seh_filter_exe
_set_app_type
strerror_s
_configure_wide_argv
_initialize_wide_environment
_get_initial_wide_environment
_initterm
_initterm_e
_crt_atexit
__p___argc
__p___wargv
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
raise
_initialize_onexit_table
_register_onexit_function

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode
fputs
fopen
_read
fread
fseek
ftell
_setmode
fwrite
_fileno
fgets
fflush
__stdio_common_vsprintf
_close
_sopen_s
_wfopen
__stdio_common_vfprintf
fclose
clearerr
__stdio_common_vswprintf
ferror
__stdio_common_vfwprintf
getc
__acrt_iob_func
__stdio_common_vsscanf
feof
_filelength

api-ms-win-crt-convert-l1-1-0

_strtoi64
strtod
atoi
strtol
strtoul
atof
wcstol
wcstoll
strtoll

api-ms-win-crt-heap-l1-1-0

malloc
realloc
calloc
free
_set_new_mode

api-ms-win-crt-filesystem-l1-1-0

_stat64i32
_waccess_s

api-ms-win-crt-string-l1-1-0

isdigit
strcspn
tolower
strspn
isspace
_strdup
strnlen
isxdigit
strncpy
strncmp
_strnicmp
_stricmp
strcmp
isprint

api-ms-win-crt-utility-l1-1-0

srand
qsort

api-ms-win-crt-time-l1-1-0

_mkgmtime64
_time64
_gmtime64_s

api-ms-win-crt-math-l1-1-0

__setusermatherr
log2
_dclass
pow
_isnan

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
localeconv

api-ms-win-crt-environment-l1-1-0

getenv

ws2_32

WSASetLastError
send
WSACleanup
WSAGetLastError
recv
closesocket

crypt32

CertGetCertificateContextProperty
CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertOpenStore
CertCloseStore

Sections

.text
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 541KB - Virtual size: 540KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 75KB - Virtual size: 90KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 62KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 28B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: purpl3sp1d3r.infected

Password: purpl3sp1d3r.infected

9ace0f62c9d3d5c347e279a54c80e661

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

bcrypt

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-environment-l1-1-0

ws2_32

crypt32

Sections

.text Size: 1.6MB - Virtual size: 1.6MB

.rdata Size: 549KB - Virtual size: 549KB

.data Size: 77KB - Virtual size: 92KB

.pdata Size: 64KB - Virtual size: 63KB

.gfids Size: 512B - Virtual size: 28B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 20KB - Virtual size: 19KB

Password: purpl3sp1d3r.infected

35fb083b691fba73700620556d8a3165

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

bcrypt

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-environment-l1-1-0

ws2_32

crypt32

Sections

.text Size: 1.6MB - Virtual size: 1.6MB

.rdata Size: 541KB - Virtual size: 540KB

.data Size: 75KB - Virtual size: 90KB

.pdata Size: 62KB - Virtual size: 62KB

.gfids Size: 512B - Virtual size: 28B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 20KB - Virtual size: 19KB

.text
Size: 1.6MB - Virtual size: 1.6MB

.rdata
Size: 549KB - Virtual size: 549KB

.data
Size: 77KB - Virtual size: 92KB

.pdata
Size: 64KB - Virtual size: 63KB

.gfids
Size: 512B - Virtual size: 28B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 20KB - Virtual size: 19KB

.text
Size: 1.6MB - Virtual size: 1.6MB

.rdata
Size: 541KB - Virtual size: 540KB

.data
Size: 75KB - Virtual size: 90KB

.pdata
Size: 62KB - Virtual size: 62KB

.gfids
Size: 512B - Virtual size: 28B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 20KB - Virtual size: 19KB