zis[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

zis.exe
Size

12.6MB
MD5

a1b8cb0b6c0676b3c0927af7343f6d18
SHA1

5ac4cd24490957f30916b8844d1cd754d746b20f
SHA256

2faf7798c43a0ac09542d6254f10d6036b58e001780d02462490c674a3b35ac0
SHA512

b77694c28358452ccf9baebf19f43db30a114a8f186c1b5c8b1dc743aa2545ece98fd7816bfca58a644917a067a9957524c4c63c40a68e3c571f970cb50e0445
SSDEEP

393216:dj7ztZoTiyEskGE99WL+t0uGJsv6tWKFdu9ChBN3:tYTiyJG0PN

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
zis.exe

Files

zis.exe
.exe windows x86

2e4f495be50cb364f25e22d367c3d450

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

advapi32

CopySid
CryptAcquireContextA
CryptGenRandom
CryptReleaseContext
DeregisterEventSource
FreeSid
GetLengthSid
GetTokenInformation
GetUserNameA
OpenProcessToken
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegEnumValueW
RegFlushKey
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryValueExW
RegSetValueExW
RegisterEventSourceA
ReportEventA

gdi32

BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
CreateDCA
DeleteDC
DeleteObject
GetBitmapBits
GetDeviceCaps
GetObjectA
SelectObject

kernel32

AreFileApisANSI
CloseHandle
CompareStringW
CopyFileW
CreateDirectoryW
CreateEventA
CreateEventW
CreateFileA
CreateFileMappingA
CreateFileMappingW
CreateFileW
CreateMutexW
CreatePipe
CreateProcessW
CreateSemaphoreA
CreateSemaphoreW
CreateThread
DeleteCriticalSection
DeleteFileA
DeleteFileW
DeviceIoControl
DuplicateHandle
EnterCriticalSection
ExitProcess
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileExW
FindFirstFileW
FindNextFileA
FindNextFileW
FlushFileBuffers
FormatMessageA
FormatMessageW
FreeEnvironmentStringsW
FreeLibrary
GetACP
GetCommandLineW
GetCurrencyFormatW
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDateFormatW
GetDiskFreeSpaceA
GetDiskFreeSpaceW
GetEnvironmentStringsW
GetExitCodeProcess
GetFileAttributesA
GetFileAttributesExW
GetFileAttributesW
GetFileInformationByHandle
GetFileSize
GetFileType
GetFullPathNameA
GetFullPathNameW
GetLastError
GetLocalTime
GetLocaleInfoW
GetLogicalDrives
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetOverlappedResult
GetProcAddress
GetStartupInfoW
GetStdHandle
GetSystemDirectoryW
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetTempPathA
GetTempPathW
GetThreadPriority
GetTickCount
GetTimeFormatW
GetUserDefaultLCID
GetUserDefaultUILanguage
GetVersion
GetVersionExA
GetVersionExW
GlobalFree
GlobalMemoryStatus
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HeapValidate
InitializeCriticalSection
InterlockedCompareExchange
InterlockedDecrement
InterlockedExchange
InterlockedExchangeAdd
InterlockedIncrement
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryA
LoadLibraryExA
LoadLibraryExW
LoadLibraryW
LocalFree
LockFile
LockFileEx
MapViewOfFile
MoveFileW
MultiByteToWideChar
OutputDebugStringW
PeekNamedPipe
QueryPerformanceCounter
QueryPerformanceFrequency
ReadFile
ReleaseSemaphore
RemoveDirectoryW
ResetEvent
ResumeThread
SetCurrentDirectoryW
SetEndOfFile
SetErrorMode
SetEvent
SetFilePointer
SetFilePointerEx
SetLastError
SetThreadPriority
SetUnhandledExceptionFilter
Sleep
SwitchToThread
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime
TerminateProcess
TerminateThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnlockFile
UnlockFileEx
UnmapViewOfFile
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WaitForSingleObjectEx
WideCharToMultiByte
WriteFile

msvcrt

_close
_fdopen
_fstat
_lseek
_open
_putenv
_stat
_strdup
_write
__getmainargs
__mb_cur_max
__p__environ
__p__fmode
__set_app_type
_assert
_atoi64
_beginthreadex
_cexit
_clearfp
_close
_control87
_endthreadex
_errno
_exit
_filbuf
_filelengthi64
_flsbuf
_ftime
_get_osfhandle
_getch
_getdrive
_getpid
_iob
_isctype
_lseeki64
_mkdir
_onexit
_open
_open_osfhandle
_pctype
_read
_setmode
_snprintf
_stat
_strdup
_stricmp
_strnicmp
_tzname
_tzset
_vsnprintf
_waccess
_wchmod
_wfopen
_wgetdcwd
_wgetenv
_write
abort
acos
asctime
asin
atan2
atexit
atof
atoi
atol
calloc
ceil
cos
exit
fclose
fflush
fgetc
fgetpos
fgets
floor
fmod
fopen
fprintf
fputc
fputs
fread
free
frexp
fseek
fsetpos
ftell
fwrite
getenv
gmtime
ldexp
localeconv
localtime
malloc
memchr
memcmp
memcpy
memmove
memset
mktime
pow
printf
puts
qsort
raise
rand
realloc
rewind
setlocale
signal
sin
sprintf
sqrt
srand
sscanf
strcat
strchr
strcmp
strcpy
strerror
strftime
strlen
strncat
strncmp
strncpy
strpbrk
strrchr
strspn
strstr
strtol
strtoul
time
tolower
toupper
vfprintf
wcschr
wcslen
wcsstr

odbc32

SQLAllocHandle
SQLBindParameter
SQLCloseCursor
SQLColAttributeW
SQLColumnsW
SQLDescribeColW
SQLDisconnect
SQLDriverConnectW
SQLEndTran
SQLExecDirectW
SQLExecute
SQLFetch
SQLFetchScroll
SQLFreeHandle
SQLGetData
SQLGetDiagRecW
SQLGetFunctions
SQLGetInfoW
SQLGetStmtAttrW
SQLMoreResults
SQLNumResultCols
SQLPrepareW
SQLPrimaryKeysW
SQLRowCount
SQLSetConnectAttrW
SQLSetEnvAttr
SQLSetStmtAttrW
SQLSpecialColumnsW
SQLTablesW

ole32

CoCreateGuid
CoCreateInstance
CoInitialize
CoUninitialize

secur32

AcquireCredentialsHandleA
DeleteSecurityContext
FreeContextBuffer
FreeCredentialsHandle
InitializeSecurityContextA

shell32

SHGetFolderPathA
SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation

user32

CallNextHookEx
CharNextExA
CreateWindowExW
DefWindowProcW
DestroyWindow
DispatchMessageW
EnumWindows
GetDesktopWindow
GetMessageW
GetProcessWindowStation
GetQueueStatus
GetUserObjectInformationW
GetWindowLongW
GetWindowThreadProcessId
KillTimer
MessageBoxA
MsgWaitForMultipleObjectsEx
PeekMessageW
PostMessageW
PostThreadMessageW
RegisterClassW
SetTimer
SetWindowLongW
SetWindowsHookExW
TranslateMessage
UnhookWindowsHookEx
UnregisterClassW

ws2_32

WSAAccept
WSAAsyncSelect
WSACleanup
WSAConnect
WSAEnumNetworkEvents
WSAEnumProtocolsA
WSAGetLastError
WSAHtonl
WSAHtons
WSAIoctl
WSANtohl
WSANtohs
WSARecv
WSARecvFrom
WSASend
WSASendTo
WSASetLastError
WSASocketA
WSASocketW
WSAStartup
__WSAFDIsSet
bind
closesocket
connect
gethostbyaddr
gethostbyname
gethostname
getpeername
getservbyname
getsockname
getsockopt
htonl
htons
inet_addr
inet_ntoa
ioctlsocket
listen
ntohl
ntohs
recv
select
send
sendto
setsockopt
shutdown
socket

Sections

.text
Size: 8.4MB - Virtual size: 8.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 70KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 2.7MB - Virtual size: 2.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.eh_fram
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 31KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

2e4f495be50cb364f25e22d367c3d450

Headers

File Characteristics

Imports

advapi32

gdi32

kernel32

msvcrt

odbc32

ole32

secur32

shell32

user32

ws2_32

Sections

.text Size: 8.4MB - Virtual size: 8.4MB

.data Size: 70KB - Virtual size: 69KB

.rdata Size: 2.7MB - Virtual size: 2.7MB

.eh_fram Size: 1.5MB - Virtual size: 1.5MB

.bss Size: - Virtual size: 31KB

.idata Size: 12KB - Virtual size: 11KB

.CRT Size: 512B - Virtual size: 24B

.tls Size: 512B - Virtual size: 32B

.text
Size: 8.4MB - Virtual size: 8.4MB

.data
Size: 70KB - Virtual size: 69KB

.rdata
Size: 2.7MB - Virtual size: 2.7MB

.eh_fram
Size: 1.5MB - Virtual size: 1.5MB

.bss
Size: - Virtual size: 31KB

.idata
Size: 12KB - Virtual size: 11KB

.CRT
Size: 512B - Virtual size: 24B

.tls
Size: 512B - Virtual size: 32B