Pop[.]zip | Triage

General

Target

Pop.zip
Size

9.0MB
MD5

eb1f847e4a5632f2e2f1e0fac8e82d53
SHA1

667803161a849311e27896070ace375d5102ed50
SHA256

ce7957edb81774674e1364e1377e195060bb508330f30007a9e2b62ec5dd1aca
SHA512

810e70219c95d1f5348e4e59bcd0b97a20a60143a1cd7851ed74cd6beae85eafbf888862c10c53289e27c339a7a4540c25cd22970be145615811e7c6395f4044
SSDEEP

196608:ogfa9YHgKizGmmgouCLX45c99PoN1HDKxaC/nmnWqawaXsC:TfktemmgoB05cXPoN1HvC/mWqaGC

Score

7^/10

agilenet

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
static1/unpack001/AgileDotNet.VMRuntime.dll	agile_net
static1/unpack001/Pop.exe	agile_net

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/AgileDotNet.VMRuntime.dll
unpack001/Pop.exe

Files

Pop.zip
.zip
AgileDotNet.VMRuntime.dll
.dll windows x86

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorDllMain

Sections

.text
Size: 696KB - Virtual size: 695KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Pop.exe
.exe windows x64

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 8.9MB - Virtual size: 8.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 85KB - Virtual size: 84KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 696KB - Virtual size: 695KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 8.9MB - Virtual size: 8.9MB

.rsrc Size: 85KB - Virtual size: 84KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 696KB - Virtual size: 695KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 8.9MB - Virtual size: 8.9MB

.rsrc
Size: 85KB - Virtual size: 84KB

.reloc
Size: 512B - Virtual size: 12B