Potsek[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Potsek.zip
Size

7.3MB
MD5

eff3b01d9c836d84305cbda03c0137fd
SHA1

43d1818d1abdc67988dbc7a0b467300e6cfcf6db
SHA256

4728c2ec7e691285cf984c4d8ab38f4499adcaaf73628f8c018cf7f4a81fbd13
SHA512

7441a811098b07632ce2da88bd51a6ec8bfd5e2dd55f1639a696a2f00b1199e598afea4f71e8e95805525ec9f750171b11ef9cd7e3b6d817483ed3e73752e979
SSDEEP

196608:PTFz1X01eHlAA/QvvboTLH3xcbNiJmIKKW2Cx:LR10eHlAmEoXhcb8JJmx

Score

3^/10

pyinstaller

Malware Config

Signatures

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
static1/unpack001/申请文档.exe	pyinstaller

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/客户资料.exe
unpack001/文书证据.exe
unpack001/申请文档.exe

Files

Potsek.zip
.zip

Password: infected
客户资料.exe
.exe windows x64

336ea03f063d70d7828b1ca79d23bc32

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

RtlUnwindEx
GetACP
CloseHandle
LocalFree
VirtualProtect
QueryPerformanceFrequency
IsDebuggerPresent
VirtualFree
GetFullPathNameW
GetProcessHeap
ExitProcess
HeapAlloc
GetCPInfoExW
RtlUnwind
SetFilePointerEx
GetCPInfo
EnumSystemLocalesW
GetStdHandle
GetModuleHandleW
FreeLibrary
HeapDestroy
ReadFile
GetLastError
GetModuleFileNameW
SetLastError
GetNativeSystemInfo
lstrlenA
CreateThread
CompareStringW
GetFileSizeEx
lstrcpyA
LoadLibraryA
ResetEvent
GetVersion
RaiseException
OpenProcess
FormatMessageW
SwitchToThread
GetExitCodeThread
OutputDebugStringW
GetCurrentThread
LoadLibraryExW
GetCurrentThreadId
UnhandledExceptionFilter
VirtualQuery
VirtualQueryEx
Sleep
EnterCriticalSection
SetFilePointer
SuspendThread
GetTickCount
lstrcmpiA
GetStartupInfoW
InitializeCriticalSection
GetThreadPriority
SetThreadPriority
GetCurrentProcess
VirtualAlloc
GetCommandLineW
GetSystemInfo
LeaveCriticalSection
GetProcAddress
ResumeThread
GetVersionExW
VerifyVersionInfoW
HeapCreate
LCMapStringW
VerSetConditionMask
GetDiskFreeSpaceW
FindFirstFileW
GetUserDefaultUILanguage
lstrlenW
QueryPerformanceCounter
SetEndOfFile
HeapFree
WideCharToMultiByte
FindClose
MultiByteToWideChar
LoadLibraryW
SetEvent
GetLocaleInfoW
CreateFileW
GetLocalTime
WaitForSingleObject
WriteFile
ExitThread
DeleteCriticalSection
TlsGetValue
GetDateFormatW
GetLogicalProcessorInformation
IsValidLocale
TlsSetValue
GetSystemDefaultUILanguage
EnumCalendarInfoW
LocalAlloc
CreateEventW
QueryFullProcessImageNameW
SetThreadLocale
GetThreadLocale

ole32

CoInitialize
CoUninitialize

user32

CharLowerBuffW
PeekMessageW
CharUpperW
GetSystemMetrics
wsprintfW
MessageBoxA
MessageBoxW
CharUpperBuffW
CharNextW
MsgWaitForMultipleObjects
LoadStringW
GetCursorPos

oleaut32

SysFreeString
VariantClear
VariantInit
GetErrorInfo
SysReAllocStringLen
SafeArrayCreate
SysAllocStringLen
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
VariantCopy
VariantChangeType

msvcrt

_strlwr

advapi32

CryptDeriveKey
CryptGetKeyParam
CryptSetKeyParam
CryptDecrypt
CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptDestroyHash
RegOpenKeyExW
CryptGetHashParam
CryptReleaseContext
RegQueryValueExW
RegCloseKey
CryptHashData
CryptCreateHash
CryptAcquireContextA
CryptAcquireContextW

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 564KB - Virtual size: 564KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 49KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didata
Size: 512B - Virtual size: 260B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 584B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 109B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.pdata
Size: 78KB - Virtual size: 77KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 160KB - Virtual size: 159KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
文书证据.exe
.exe windows x64

89ec9933fef67f89f7c4574b120b3f1a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

oleaut32

SysFreeString
SysReAllocStringLen
SysAllocStringLen
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopy
VariantClear
VariantInit
GetErrorInfo
SysFreeString

advapi32

RegQueryValueExW
RegOpenKeyExW
RegCloseKey
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptCreateHash
CryptAcquireContextA
CryptGetHashParam
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptDeriveKey
CryptReleaseContext
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptSetKeyParam
CryptGetKeyParam
CryptDecrypt
CryptEncrypt

user32

MessageBoxA
CharNextW
LoadStringW
wsprintfW
MessageBoxW
LoadStringW
GetSystemMetrics
GetCursorPos
CharUpperBuffW
CharUpperW
CharLowerBuffW

kernel32

Sleep
VirtualFree
VirtualAlloc
GetLogicalProcessorInformation
lstrlenW
VirtualQuery
QueryPerformanceCounter
GetTickCount
GetSystemInfo
GetVersion
CompareStringW
IsValidLocale
SetThreadLocale
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
GetLocaleInfoW
WideCharToMultiByte
MultiByteToWideChar
GetACP
LoadLibraryExW
GetStartupInfoW
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
GetCommandLineW
FreeLibrary
GetLastError
UnhandledExceptionFilter
RtlUnwindEx
RtlUnwind
RaiseException
ExitProcess
SwitchToThread
GetCurrentThreadId
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
FindFirstFileW
FindClose
WriteFile
GetStdHandle
CloseHandle
GetProcAddress
RaiseException
LoadLibraryA
GetLastError
TlsSetValue
TlsGetValue
LocalFree
LocalAlloc
GetModuleHandleW
FreeLibrary
lstrlenA
lstrlenW
lstrcpyA
lstrcmpiA
WriteFile
WideCharToMultiByte
WaitForSingleObject
VirtualQueryEx
VirtualQuery
VirtualProtect
VirtualFree
VirtualAlloc
VerSetConditionMask
VerifyVersionInfoW
Sleep
SetFilePointerEx
SetFilePointer
SetEvent
SetEndOfFile
ResetEvent
ReadFile
OutputDebugStringW
OpenProcess
LocalFree
IsValidLocale
HeapSize
HeapFree
HeapDestroy
HeapCreate
HeapAlloc
GetVersionExW
GetTickCount
GetThreadLocale
GetNativeSystemInfo
GetStdHandle
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetLocalTime
GetLastError
GetFullPathNameW
GetDiskFreeSpaceW
GetDateFormatW
GetCurrentThreadId
GetCurrentProcess
GetCPInfoExW
GetCPInfo
GetACP
FreeLibrary
FormatMessageW
ExitProcess
EnumSystemLocalesW
EnumCalendarInfoW
CreateThread
CreateFileW
CreateEventW
CompareStringW
CloseHandle
Sleep
GetFileSizeEx
QueryFullProcessImageNameW

ole32

CoUninitialize
CoInitialize

msvcrt

_strlwr

Sections

.text
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 752KB - Virtual size: 752KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 39KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didata
Size: 512B - Virtual size: 210B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 432B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 109B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 71KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.pdata
Size: 75KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 183KB - Virtual size: 182KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
申请文档.exe
.exe windows x64

1e92fd54d65284238a0e3b74b2715062

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

user32

CreateWindowExW
MessageBoxW
MessageBoxA
SystemParametersInfoW
DestroyIcon
SetWindowLongPtrW
GetWindowLongPtrW
GetClientRect
InvalidateRect
ReleaseDC
GetDC
DrawTextW
GetDialogBaseUnits
EndDialog
DialogBoxIndirectParamW
MoveWindow
SendMessageW

comctl32

ord380

kernel32

IsValidCodePage
GetStringTypeW
GetFileAttributesExW
HeapReAlloc
FlushFileBuffers
GetCurrentDirectoryW
GetACP
GetOEMCP
GetModuleHandleW
MulDiv
GetLastError
SetDllDirectoryW
GetModuleFileNameW
GetProcAddress
GetCommandLineW
GetCPInfo
SetEnvironmentVariableW
ExpandEnvironmentStringsW
CreateDirectoryW
GetTempPathW
WaitForSingleObject
Sleep
GetExitCodeProcess
CreateProcessW
GetStartupInfoW
FreeLibrary
LoadLibraryExW
FindClose
FindFirstFileExW
CloseHandle
GetCurrentProcess
LocalFree
FormatMessageW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
GetTimeZoneInformation
HeapSize
WriteConsoleW
SetEndOfFile
GetEnvironmentVariableW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
RtlUnwindEx
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
EncodePointer
RaiseException
RtlPcToFileHeader
GetCommandLineA
CreateFileW
GetDriveTypeW
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetFullPathNameW
RemoveDirectoryW
FindNextFileW
SetStdHandle
SetConsoleCtrlHandler
DeleteFileW
ReadFile
GetStdHandle
WriteFile
ExitProcess
GetModuleHandleExW
HeapFree
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetConsoleOutputCP
GetFileSizeEx
HeapAlloc
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
CompareStringW
LCMapStringW

advapi32

OpenProcessToken
GetTokenInformation
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

gdi32

SelectObject
DeleteObject
CreateFontIndirectW

Sections

.text
Size: 162KB - Virtual size: 161KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 74KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 53KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

336ea03f063d70d7828b1ca79d23bc32

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

ole32

user32

oleaut32

msvcrt

advapi32

Sections

.text Size: 1.2MB - Virtual size: 1.2MB

.data Size: 564KB - Virtual size: 564KB

.bss Size: - Virtual size: 49KB

.idata Size: 5KB - Virtual size: 5KB

.didata Size: 512B - Virtual size: 260B

.tls Size: - Virtual size: 584B

.rdata Size: 512B - Virtual size: 109B

.reloc Size: 68KB - Virtual size: 67KB

.pdata Size: 78KB - Virtual size: 77KB

.rsrc Size: 160KB - Virtual size: 159KB

89ec9933fef67f89f7c4574b120b3f1a

Headers

File Characteristics

Imports

oleaut32

advapi32

user32

kernel32

ole32

msvcrt

Sections

.text Size: 1.3MB - Virtual size: 1.3MB

.data Size: 752KB - Virtual size: 752KB

.bss Size: - Virtual size: 39KB

.idata Size: 6KB - Virtual size: 6KB

.didata Size: 512B - Virtual size: 210B

.tls Size: - Virtual size: 432B

.rdata Size: 512B - Virtual size: 109B

.reloc Size: 71KB - Virtual size: 70KB

.pdata Size: 75KB - Virtual size: 74KB

.rsrc Size: 183KB - Virtual size: 182KB

1e92fd54d65284238a0e3b74b2715062

Headers

DLL Characteristics

File Characteristics

Imports

user32

comctl32

kernel32

advapi32

gdi32

Sections

.text Size: 162KB - Virtual size: 161KB

.rdata Size: 74KB - Virtual size: 74KB

.data Size: 3KB - Virtual size: 64KB

.pdata Size: 8KB - Virtual size: 8KB

_RDATA Size: 512B - Virtual size: 348B

.rsrc Size: 53KB - Virtual size: 52KB

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 1.2MB - Virtual size: 1.2MB

.data
Size: 564KB - Virtual size: 564KB

.bss
Size: - Virtual size: 49KB

.idata
Size: 5KB - Virtual size: 5KB

.didata
Size: 512B - Virtual size: 260B

.tls
Size: - Virtual size: 584B

.rdata
Size: 512B - Virtual size: 109B

.reloc
Size: 68KB - Virtual size: 67KB

.pdata
Size: 78KB - Virtual size: 77KB

.rsrc
Size: 160KB - Virtual size: 159KB

.text
Size: 1.3MB - Virtual size: 1.3MB

.data
Size: 752KB - Virtual size: 752KB

.bss
Size: - Virtual size: 39KB

.idata
Size: 6KB - Virtual size: 6KB

.didata
Size: 512B - Virtual size: 210B

.tls
Size: - Virtual size: 432B

.rdata
Size: 512B - Virtual size: 109B

.reloc
Size: 71KB - Virtual size: 70KB

.pdata
Size: 75KB - Virtual size: 74KB

.rsrc
Size: 183KB - Virtual size: 182KB

.text
Size: 162KB - Virtual size: 161KB

.rdata
Size: 74KB - Virtual size: 74KB

.data
Size: 3KB - Virtual size: 64KB

.pdata
Size: 8KB - Virtual size: 8KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 53KB - Virtual size: 52KB

.reloc
Size: 2KB - Virtual size: 1KB