beta[.]rar | Triage

Sharing

Copy URL Twitter E-mail

General

Target

beta.rar
Size

219KB
MD5

9142539ff177f33ea3926e9348a6a26c
SHA1

b23cc994f818c71e0a709f89d70315d8225e80ef
SHA256

b7716bb647f9c4e33bc03b783450579fa41f1fa2cfad3f9ef709f4eaaef64d4b
SHA512

216ef2ce910921480d0186f02b2f45db4bb071991bb349d6fb88fab657c97395b6de1d766c3414f327dbdf5e1bf96cb3687832cf31c4027d815577411a8a810c
SSDEEP

6144:Zv9tJ6LndhbgRiAxGx93r0eP87dibkbPch9d7:Zv16L3GMRAe+I

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/beta/celestial_injector.exe
unpack001/beta/pipe_communication.exe

Files

beta.rar
.rar
beta/celestial_injector.exe
.exe windows x86

bd51e57d569e63e96e0b31a813f6f911

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

ntohl
gethostname
ioctlsocket
sendto
recvfrom
freeaddrinfo
getaddrinfo
listen
htonl
accept
select
__WSAFDIsSet
WSACleanup
WSAStartup
WSAIoctl
WSASetLastError
socket
setsockopt
ntohs
htons
getsockopt
getsockname
getpeername
connect
bind
recv
WSAGetLastError
send
closesocket
WSAWaitForMultipleEvents
WSAResetEvent
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent

crypt32

CertFreeCertificateContext
CertCloseStore
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertEnumCertificatesInStore
CertFindCertificateInStore
CertOpenStore

wldap32

ord301
ord200
ord30
ord79
ord35
ord33
ord32
ord27
ord26
ord143
ord41
ord22
ord50
ord45
ord60
ord211
ord46
ord217

kernel32

AreFileApisANSI
GetFileAttributesExW
CreateFileW
GetLocaleInfoEx
FormatMessageA
LocalFree
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
GetFileInformationByHandleEx
OutputDebugStringW
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
InitializeCriticalSectionAndSpinCount
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetModuleHandleW
CreateEventW
InitializeCriticalSectionEx
Sleep
GetLastError
DeleteCriticalSection
GetConsoleWindow
FindFirstFileW
FindClose
CloseHandle
FreeConsole
SetLastError
FormatMessageW
EnterCriticalSection
LeaveCriticalSection
SleepEx
QueryPerformanceFrequency
GetSystemDirectoryA
FreeLibrary
GetModuleHandleA
GetProcAddress
LoadLibraryA
QueryPerformanceCounter
GetTickCount
MultiByteToWideChar
WideCharToMultiByte
MoveFileExA
WaitForSingleObjectEx
GetEnvironmentVariableA
GetStdHandle
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
VerSetConditionMask
VerifyVersionInfoA
CreateFileA
GetFileSizeEx
IsDebuggerPresent

normaliz

IdnToAscii

user32

GetCursorPos
SetForegroundWindow
FindWindowA
ShowWindow
AppendMenuW
LoadCursorW
TranslateMessage
CreateWindowExA
DispatchMessageW
MessageBoxA
GetMessageW
PostQuitMessage
CreatePopupMenu
RegisterClassExW
TrackPopupMenu
DefWindowProcW

gdi32

GetStockObject

advapi32

CryptDestroyHash
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyKey
CryptImportKey
CryptEncrypt

shell32

Shell_NotifyIconW
SHGetKnownFolderPath

msvcp140

?put@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QBE?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@AAVios_base@2@DPBUtm@@PBD3@Z
?_Getcat@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
_Xtime_get_ticks
?id@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A
??Bid@locale@std@@QAEIXZ
?always_noconv@codecvt_base@std@@QBE_NXZ
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?getloc@ios_base@std@@QBE?AVlocale@2@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z
?id@?$ctype@D@std@@2V0locale@2@A
?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z
?_Xbad_function_call@std@@YAXXZ
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
??0_Lockit@std@@QAE@H@Z
??1_Lockit@std@@QAE@XZ
?uncaught_exceptions@std@@YAHXZ
?_Xlength_error@std@@YAXPBD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ
?good@ios_base@std@@QBE_NXZ
?_Syserror_map@std@@YAPBDH@Z
?_Winerror_map@std@@YAHH@Z

vcruntime140

strchr
strrchr
memcpy
memmove
strstr
memset
__current_exception
__current_exception_context
_CxxThrowException
_except_handler4_common
memchr
__CxxFrameHandler3
__std_exception_destroy
__std_exception_copy
__std_terminate

api-ms-win-crt-heap-l1-1-0

malloc
realloc
calloc
_callnewh
free
_set_new_mode

api-ms-win-crt-stdio-l1-1-0

ftell
fseek
feof
__acrt_iob_func
_open
__stdio_common_vsscanf
fputs
fputc
_close
fopen
_write
_read
fgets
fflush
_get_stream_buffer_pointers
_fseeki64
fread
fsetpos
ungetc
setvbuf
fgetpos
__p__commode
__stdio_common_vsprintf
_set_fmode
fwrite
_lseeki64
fclose
__stdio_common_vfprintf
fgetc

api-ms-win-crt-runtime-l1-1-0

_errno
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
_initterm_e
_initterm
_get_initial_narrow_environment
terminate
_controlfp_s
_set_app_type
_configure_narrow_argv
_seh_filter_exe
_initialize_narrow_environment
strerror
__sys_nerr
exit
_cexit
_crt_atexit
_beginthreadex
_exit
_register_onexit_function
_initialize_onexit_table
_invalid_parameter_noinfo_noreturn
system
_getpid

api-ms-win-crt-convert-l1-1-0

strtol
strtoul
atoi
strtoll
strtoull
strtod
wcstombs

api-ms-win-crt-filesystem-l1-1-0

_unlink
_mkdir
_stat64
_access
_unlock_file
_lock_file
_fstat64

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
localeconv
___lc_codepage_func

api-ms-win-crt-time-l1-1-0

_time64
_localtime64
_gmtime64

api-ms-win-crt-string-l1-1-0

isupper
strpbrk
strncpy
strncmp
_strdup
strspn
strcspn
tolower

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-math-l1-1-0

__setusermatherr
_dclass

Sections

.text
Size: 396KB - Virtual size: 395KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 74KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
beta/pipe_communication.exe
.exe windows x64

1632e7a87ec4a17fecaabaa278a6daee

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

ReadFile
CreateNamedPipeW
ConnectNamedPipe
DisconnectNamedPipe
CreateThread
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetModuleHandleW
RtlCaptureContext

msvcp140

?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__current_exception_context
__current_exception
_CxxThrowException
memmove
__C_specific_handler
__std_terminate
__std_exception_copy
__std_exception_destroy
memset
memcpy

api-ms-win-crt-stdio-l1-1-0

__acrt_iob_func
_set_fmode
__p__commode
__stdio_common_vfprintf

api-ms-win-crt-runtime-l1-1-0

_register_onexit_function
_crt_atexit
_initialize_onexit_table
_register_thread_local_exe_atexit_callback
_c_exit
_configure_narrow_argv
_cexit
_exit
exit
_initterm_e
_initterm
_get_initial_narrow_environment
_initialize_narrow_environment
__p___argv
_set_app_type
_seh_filter_exe
__p___argc
terminate
_invalid_parameter_noinfo_noreturn

api-ms-win-crt-heap-l1-1-0

_set_new_mode
_callnewh
malloc
free

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 696B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
beta/virustotal.txt

Sharing

General

Malware Config

Signatures

Files

bd51e57d569e63e96e0b31a813f6f911

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

crypt32

wldap32

kernel32

normaliz

user32

gdi32

advapi32

shell32

msvcp140

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-math-l1-1-0

Sections

.text Size: 396KB - Virtual size: 395KB

.rdata Size: 74KB - Virtual size: 74KB

.data Size: 2KB - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 18KB - Virtual size: 17KB

1632e7a87ec4a17fecaabaa278a6daee

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

msvcp140

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 7KB - Virtual size: 6KB

.rdata Size: 7KB - Virtual size: 6KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 1024B - Virtual size: 696B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 512B - Virtual size: 88B

.text
Size: 396KB - Virtual size: 395KB

.rdata
Size: 74KB - Virtual size: 74KB

.data
Size: 2KB - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 18KB - Virtual size: 17KB

.text
Size: 7KB - Virtual size: 6KB

.rdata
Size: 7KB - Virtual size: 6KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 1024B - Virtual size: 696B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 512B - Virtual size: 88B