rx_dev_service_working_lsass_sasser_ftpd[.]rar

Sharing

Copy URL Twitter E-mail

General

Target

rx_dev_service_working_lsass_sasser_ftpd.rar
Size

463KB
MD5

9273d451ebdd01b9380efea5ea42948c
SHA1

7116fd4ca125519387b768150dbee45c2a7c0236
SHA256

d2764db8a60279dc7b775e09455538427a6c3b442f6c7b509a325f85e81887a0
SHA512

450bb86bc0b955b52eb2365a271e9421f991a4a50264826baee28cc9799c75cfdf20f11e65ba4ae0bd8c36bb54ba794e5cf64a013faeb20795b4507450529c29
SSDEEP

12288:o6YgyQTIp6y4TDpVCQBgoiDWOiTQvsfmq20zGRweMTsH:tYgyULmoiYTLRG+essH

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/rx_dev/rBot_041504/Release/upx.exe	upx

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/rx_dev/rBot_041504/Release/upx.exe
unpack001/rx_dev/rBot_041504/Release/upxscrambler.exe

Files

rx_dev_service_working_lsass_sasser_ftpd.rar
.rar

Password: infected
rx_dev/rBot_041504/CallDS.cpp
rx_dev/rBot_041504/CallDS.h
rx_dev/rBot_041504/CallDS2.cpp
rx_dev/rBot_041504/Release/rBot.bat
rx_dev/rBot_041504/Release/upx.exe
.exe windows x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 90KB - Virtual size: 92KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.jgd
Size: - Virtual size: 1B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
rx_dev/rBot_041504/Release/upxscrambler.exe
.exe windows x86

Password: infected

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

code
Size: - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

text
Size: 13KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 977B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.mjg
Size: - Virtual size: 1B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
rx_dev/rBot_041504/advscan.cpp
rx_dev/rBot_041504/advscan.h
rx_dev/rBot_041504/aliaslog.cpp
rx_dev/rBot_041504/aliaslog.h
rx_dev/rBot_041504/autostart.cpp
rx_dev/rBot_041504/autostart.h
rx_dev/rBot_041504/avirus.cpp
rx_dev/rBot_041504/avirus.h
rx_dev/rBot_041504/beagle.cpp
rx_dev/rBot_041504/beagle.h
rx_dev/rBot_041504/capture.cpp
rx_dev/rBot_041504/capture.h
rx_dev/rBot_041504/cdkeys.cpp
rx_dev/rBot_041504/cdkeys.h
rx_dev/rBot_041504/changes.txt
rx_dev/rBot_041504/configs.h
rx_dev/rBot_041504/crc32.cpp
rx_dev/rBot_041504/crc32.h
rx_dev/rBot_041504/crypt.cpp
rx_dev/rBot_041504/crypt.h
rx_dev/rBot_041504/dameware.cpp
rx_dev/rBot_041504/dameware.h
rx_dev/rBot_041504/dcc.cpp
rx_dev/rBot_041504/dcc.h
rx_dev/rBot_041504/dcom.cpp
rx_dev/rBot_041504/dcom.h
rx_dev/rBot_041504/dcom2.cpp
rx_dev/rBot_041504/dcom2.h
rx_dev/rBot_041504/ddos.cpp
rx_dev/rBot_041504/ddos.h
rx_dev/rBot_041504/defines.h
rx_dev/rBot_041504/download.cpp
rx_dev/rBot_041504/download.h
rx_dev/rBot_041504/driveinfo.cpp
rx_dev/rBot_041504/driveinfo.h
rx_dev/rBot_041504/ehandler.cpp
rx_dev/rBot_041504/ehandler.h
rx_dev/rBot_041504/externs.h
rx_dev/rBot_041504/findfile.cpp
rx_dev/rBot_041504/findfile.h
rx_dev/rBot_041504/findpass.cpp
rx_dev/rBot_041504/findpass.h
rx_dev/rBot_041504/fphost.cpp
rx_dev/rBot_041504/fphost.h
rx_dev/rBot_041504/ftpd.cpp
rx_dev/rBot_041504/ftpd.h
rx_dev/rBot_041504/functions.h
rx_dev/rBot_041504/globals.h
rx_dev/rBot_041504/httpd.cpp
rx_dev/rBot_041504/httpd.h
rx_dev/rBot_041504/icmpflood.cpp
rx_dev/rBot_041504/icmpflood.h
rx_dev/rBot_041504/ident.cpp
rx_dev/rBot_041504/ident.h
rx_dev/rBot_041504/iis5ssl.cpp
rx_dev/rBot_041504/iis5ssl.h
rx_dev/rBot_041504/includes.h
rx_dev/rBot_041504/irc_send.cpp
rx_dev/rBot_041504/irc_send.h
rx_dev/rBot_041504/keylogger.cpp
rx_dev/rBot_041504/keylogger.h
rx_dev/rBot_041504/kuang2.cpp
rx_dev/rBot_041504/kuang2.h
rx_dev/rBot_041504/list.txt
rx_dev/rBot_041504/loaddlls.cpp
rx_dev/rBot_041504/loaddlls.h
rx_dev/rBot_041504/lsass.cpp
rx_dev/rBot_041504/lsass.h
rx_dev/rBot_041504/misc.cpp
.vbs
rx_dev/rBot_041504/misc.h
rx_dev/rBot_041504/mssql.cpp
rx_dev/rBot_041504/mssql.h
rx_dev/rBot_041504/mydoom.cpp
rx_dev/rBot_041504/mydoom.h
rx_dev/rBot_041504/myshellcode.asm
rx_dev/rBot_041504/ncb
rx_dev/rBot_041504/net.cpp
rx_dev/rBot_041504/net.h
rx_dev/rBot_041504/netbios.cpp
rx_dev/rBot_041504/netbios.h
rx_dev/rBot_041504/netdevil.cpp
rx_dev/rBot_041504/netdevil.h
rx_dev/rBot_041504/netutils.cpp
rx_dev/rBot_041504/netutils.h
rx_dev/rBot_041504/nicklist.h
rx_dev/rBot_041504/optix.cpp
rx_dev/rBot_041504/optix.h
rx_dev/rBot_041504/passwd.h
rx_dev/rBot_041504/peer2peer.cpp
rx_dev/rBot_041504/peer2peer.h
rx_dev/rBot_041504/pingudp.cpp
rx_dev/rBot_041504/pingudp.h
rx_dev/rBot_041504/processes.cpp
rx_dev/rBot_041504/processes.h
rx_dev/rBot_041504/psniff.cpp
rx_dev/rBot_041504/psniff.h
rx_dev/rBot_041504/rBot.cpp
rx_dev/rBot_041504/rBot.dsp
rx_dev/rBot_041504/rBot.dsw
rx_dev/rBot_041504/rBot.h
rx_dev/rBot_041504/rBot.mak
rx_dev/rBot_041504/rBot.ncb
rx_dev/rBot_041504/rBot.opt
rx_dev/rBot_041504/rBot.plg
.html
rx_dev/rBot_041504/redirect.cpp
rx_dev/rBot_041504/redirect.h
rx_dev/rBot_041504/remotecmd.cpp
rx_dev/rBot_041504/remotecmd.h
rx_dev/rBot_041504/reqbuf.bin
rx_dev/rBot_041504/rlogind.cpp
rx_dev/rBot_041504/rlogind.h
rx_dev/rBot_041504/rndnick.cpp
rx_dev/rBot_041504/rndnick.h
rx_dev/rBot_041504/rshelld.h
rx_dev/rBot_041504/sasser.cpp
rx_dev/rBot_041504/sasser.h
rx_dev/rBot_041504/scan.cpp
rx_dev/rBot_041504/scan.h
rx_dev/rBot_041504/secure.cpp
rx_dev/rBot_041504/secure.h
rx_dev/rBot_041504/session.cpp
rx_dev/rBot_041504/session.h
rx_dev/rBot_041504/shellcode.cpp
rx_dev/rBot_041504/shellcode.h
rx_dev/rBot_041504/socks4.cpp
rx_dev/rBot_041504/socks4.h
rx_dev/rBot_041504/sub7.cpp
rx_dev/rBot_041504/sub7.h
rx_dev/rBot_041504/synflood.cpp
rx_dev/rBot_041504/synflood.h
rx_dev/rBot_041504/sysinfo.cpp
rx_dev/rBot_041504/sysinfo.h
rx_dev/rBot_041504/tcpflood.cpp
rx_dev/rBot_041504/tcpflood.h
rx_dev/rBot_041504/tcpflood2.cpp
rx_dev/rBot_041504/tcpflood2.h
rx_dev/rBot_041504/tcpip.h
rx_dev/rBot_041504/tftpd.cpp
rx_dev/rBot_041504/tftpd.h
rx_dev/rBot_041504/threads.cpp
rx_dev/rBot_041504/threads.h
rx_dev/rBot_041504/upnp.cpp
rx_dev/rBot_041504/upnp.h
rx_dev/rBot_041504/visit.cpp
rx_dev/rBot_041504/visit.h
rx_dev/rBot_041504/webdav.cpp
rx_dev/rBot_041504/webdav.h
rx_dev/rBot_041504/wildcard.cpp
rx_dev/rBot_041504/wildcard.h
rx_dev/rBot_041504/workstation.cpp
rx_dev/rBot_041504/workstation.h

Sharing

General

Malware Config

Signatures

Files

Password: infected

Headers

File Characteristics

Sections

UPX0 Size: - Virtual size: 132KB

UPX1 Size: 90KB - Virtual size: 92KB

.rsrc Size: 1024B - Virtual size: 4KB

.jgd Size: - Virtual size: 1B

Password: infected

Headers

File Characteristics

Sections

code Size: - Virtual size: 40KB

text Size: 13KB - Virtual size: 16KB

.rsrc Size: 977B - Virtual size: 4KB

.mjg Size: - Virtual size: 1B

UPX0
Size: - Virtual size: 132KB

UPX1
Size: 90KB - Virtual size: 92KB

.rsrc
Size: 1024B - Virtual size: 4KB

.jgd
Size: - Virtual size: 1B

code
Size: - Virtual size: 40KB

text
Size: 13KB - Virtual size: 16KB

.rsrc
Size: 977B - Virtual size: 4KB

.mjg
Size: - Virtual size: 1B