wisdom3[.]rar | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

wisdom3.rar
Size

2.7MB
MD5

a6a25a6801eeb505592dbcdd22701318
SHA1

e929f7e3d721fa9b8a52b086fed0f80c6e2f9f18
SHA256

f1e7adc7e2f088d94cbc2992351ce878eff8301430fc605a9fa2a7f33a581e19
SHA512

48df00bdb3b2abd3fe4db54e4e06a75b74c36d870edfd2e48862027bcd7773109519bc67c3a6ebe90d8248d544d83cf01076fef7b8ea5eb5857504510991af7b
SSDEEP

49152:U0gSIV3WV647AR+uBkIl+XU/VgEMbV3n5dtfq7J8D6Rw6bwJt0t8/0KO:llV647A4uD3CEMx3vtfOJq6V0jo8/0KO

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/wisdom3/Release/Wisdom.exe.bak	upx

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/wisdom3/Release/Wisdom.exe
unpack001/wisdom3/Release/Wisdom.exe.bak
unpack003/out.upx
unpack001/wisdom3/Release/setg.exe

Files

wisdom3.rar
.rar

Password: infected
wisdom3/Debug/Wisdom.pch
wisdom3/Debug/main.obj
wisdom3/Debug/vc60.idb
wisdom3/Debug/vc60.pdb
wisdom3/PSAPI.H
wisdom3/PSAPI.LIB
wisdom3/Release/Wisdom.exe
.exe windows x86

Password: infected

7c2e0427dc9884c5748d925abcb8ce88

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetVersionExA
GetSystemInfo
GlobalMemoryStatus
DeleteFileA
Sleep
ReadFile
GetFileSize
GetFileAttributesA
TerminateProcess
OpenProcess
FindClose
FindNextFileA
FindFirstFileA
lstrcmpA
lstrlenA
CreateMutexA
GetLastError
CreateThread
ExitProcess
GetTickCount
GetModuleFileNameA
GetWindowsDirectoryA
SetCurrentDirectoryA
CopyFileA
SetFileAttributesA
CreateFileA
WriteFile
CloseHandle
GetModuleHandleA
lstrcmpiA

user32

SetWindowsHookExA
SetKeyboardState
GetDesktopWindow
SetTimer
LoadCursorA
wsprintfA
GetWindowTextA
GetForegroundWindow
DefWindowProcA
IsWindow
UnhookWindowsHookEx
SendMessageA
DestroyWindow
GetActiveWindow
GetKeyNameTextA
GetKeyboardState
ToAscii
LoadIconA
ShowWindow
CreateWindowExA
MoveWindow
CallNextHookEx
CloseWindow
PostQuitMessage
RegisterClassExA
DispatchMessageA
TranslateMessage
GetMessageA

gdi32

GetDeviceCaps
CreateCompatibleDC
CreateDIBSection
SelectObject
BitBlt
GetDIBColorTable
DeleteObject
CreateDCA
DeleteDC

advapi32

RegCloseKey
RegCreateKeyExA
RegSetValueExA

shell32

ShellExecuteA

odbc32

ord41
ord24
ord75
ord11
ord31
ord9

msvcrt

??2@YAPAXI@Z
??3@YAXPAX@Z
strlen
malloc
free
strncat
srand
rand
strncpy
atoi
atol
sprintf
strtok
strstr
strcpy
memset
strcat
memcpy

wininet

InternetGetConnectedState

ws2_32

getsockname
inet_ntoa
gethostbyaddr
htonl
sendto
WSAGetLastError
accept
listen
bind
select
__WSAFDIsSet
send
recv
socket
setsockopt
WSAAsyncSelect
htons
inet_addr
gethostbyname
connect
WSAStartup
WSACleanup
ioctlsocket
closesocket

avicap32

capGetDriverDescriptionA
capCreateCaptureWindowA

mpr

WNetEnumResourceA
WNetOpenEnumA
WNetCloseEnum

psapi

GetModuleBaseNameA
GetModuleFileNameExA
EnumProcesses
EnumProcessModules

urlmon

URLDownloadToFileA

Sections

.text
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
wisdom3/Release/Wisdom.exe.bak
.exe windows x86

Password: infected

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 44KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 14KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX2
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 49KB - Virtual size: 49KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
wisdom3/Release/Wisdom.pch
wisdom3/Release/main.obj
wisdom3/Release/setg.exe
.exe windows x86

Password: infected

7c2e0427dc9884c5748d925abcb8ce88

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetVersionExA
GetSystemInfo
GlobalMemoryStatus
DeleteFileA
Sleep
ReadFile
GetFileSize
GetFileAttributesA
TerminateProcess
OpenProcess
FindClose
FindNextFileA
FindFirstFileA
lstrcmpA
lstrlenA
CreateMutexA
GetLastError
CreateThread
ExitProcess
GetTickCount
GetModuleFileNameA
GetWindowsDirectoryA
SetCurrentDirectoryA
CopyFileA
SetFileAttributesA
CreateFileA
WriteFile
CloseHandle
GetModuleHandleA
lstrcmpiA

user32

SetWindowsHookExA
SetKeyboardState
GetDesktopWindow
SetTimer
LoadCursorA
wsprintfA
GetWindowTextA
GetForegroundWindow
DefWindowProcA
IsWindow
UnhookWindowsHookEx
SendMessageA
DestroyWindow
GetActiveWindow
GetKeyNameTextA
GetKeyboardState
ToAscii
LoadIconA
ShowWindow
CreateWindowExA
MoveWindow
CallNextHookEx
CloseWindow
PostQuitMessage
RegisterClassExA
DispatchMessageA
TranslateMessage
GetMessageA

gdi32

GetDeviceCaps
CreateCompatibleDC
CreateDIBSection
SelectObject
BitBlt
GetDIBColorTable
DeleteObject
CreateDCA
DeleteDC

advapi32

RegCloseKey
RegCreateKeyExA
RegSetValueExA

shell32

ShellExecuteA

odbc32

ord41
ord24
ord75
ord11
ord31
ord9

msvcrt

??2@YAPAXI@Z
??3@YAXPAX@Z
strlen
malloc
free
strncat
srand
rand
strncpy
atoi
atol
sprintf
strtok
strstr
strcpy
memset
strcat
memcpy

wininet

InternetGetConnectedState

ws2_32

getsockname
inet_ntoa
gethostbyaddr
htonl
sendto
WSAGetLastError
accept
listen
bind
select
__WSAFDIsSet
send
recv
socket
setsockopt
WSAAsyncSelect
htons
inet_addr
gethostbyname
connect
WSAStartup
WSACleanup
ioctlsocket
closesocket

avicap32

capGetDriverDescriptionA
capCreateCaptureWindowA

mpr

WNetEnumResourceA
WNetOpenEnumA
WNetCloseEnum

psapi

GetModuleBaseNameA
GetModuleFileNameExA
EnumProcesses
EnumProcessModules

urlmon

URLDownloadToFileA

Sections

.text
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
wisdom3/Release/vc60.idb
wisdom3/Wisdom.dep
wisdom3/Wisdom.dsp
wisdom3/Wisdom.dsw
wisdom3/Wisdom.mak
wisdom3/Wisdom.opt
wisdom3/Wisdom.plg
.html
wisdom3/main.cpp
wisdom3/resource.h

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

7c2e0427dc9884c5748d925abcb8ce88

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

odbc32

msvcrt

wininet

ws2_32

avicap32

mpr

psapi

urlmon

Sections

.text Size: 36KB - Virtual size: 35KB

Password: infected

Headers

File Characteristics

Sections

UPX0 Size: - Virtual size: 44KB

UPX1 Size: 14KB - Virtual size: 16KB

UPX2 Size: 1024B - Virtual size: 4KB

Headers

File Characteristics

Sections

.text Size: 49KB - Virtual size: 49KB

Password: infected

7c2e0427dc9884c5748d925abcb8ce88

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

odbc32

msvcrt

wininet

ws2_32

avicap32

mpr

psapi

urlmon

Sections

.text Size: 36KB - Virtual size: 35KB

.text
Size: 36KB - Virtual size: 35KB

UPX0
Size: - Virtual size: 44KB

UPX1
Size: 14KB - Virtual size: 16KB

UPX2
Size: 1024B - Virtual size: 4KB

.text
Size: 49KB - Virtual size: 49KB

.text
Size: 36KB - Virtual size: 35KB