银狐[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

银狐.zip
Size

719KB
MD5

24ad316e3cc15895aab7a439f75c66f8
SHA1

1b2b0f23afdbe5aa7e4315cb1a4f08971543edc0
SHA256

7c50917d593707f87a2703060c80aeccae6594f25c9523187ade74627a65aea7
SHA512

8e4910e44c248fced8ca4a4cf2c2ccf076fb2e202e2b8aa0cdc51d99b868b4b09e1b9b9b299fc2f6516bc8d6ed32001228abddef47663bde8646cc5c3048c9d5
SSDEEP

12288:SJ9hLMGD62u7+VSpSWwxil70rOcdniU2yWra+9+vZtzKDfiwQ6NMzzGn9:SJ7LnuiVvWwxil7cnlB+Z9+vzGriO2G9

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/0bd18b1dd1786554fee71ab886a348c40e8f951e715613fd64198957e9b474c3.exe

Files

银狐.zip
.zip

Password: infected
0bd18b1dd1786554fee71ab886a348c40e8f951e715613fd64198957e9b474c3.exe
.exe windows x64

557d953bf697ff1355a8bba8036a3c6f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

SetThreadStackGuarantee
GetFileInformationByHandle
GetFileInformationByHandleEx
SetFilePointerEx
VirtualAlloc
CreateThread
WaitForSingleObject
VirtualProtect
VirtualFree
QueryPerformanceCounter
QueryPerformanceFrequency
CreateIoCompletionPort
SetFileCompletionNotificationModes
SetLastError
GetFinalPathNameByHandleW
GetQueuedCompletionStatusEx
TryAcquireSRWLockExclusive
Sleep
GetModuleHandleA
GetProcAddress
CompareStringW
LCMapStringW
SwitchToThread
GetStringTypeW
GetFileType
SetStdHandle
SetEnvironmentVariableW
HeapSize
FlushFileBuffers
FreeEnvironmentStringsW
GetEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetConsoleOutputCP
GetCPInfo
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
GetOEMCP
HeapReAlloc
GetACP
IsValidCodePage
SetHandleInformation
GetCurrentThread
GetStdHandle
GetConsoleMode
MultiByteToWideChar
WriteConsoleW
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
GetCurrentProcess
ReleaseMutex
GetEnvironmentVariableW
RtlLookupFunctionEntry
GetModuleHandleW
FormatMessageW
GetFullPathNameW
CreateFileW
FindNextFileW
FindFirstFileExW
FindClose
CloseHandle
GetCurrentDirectoryW
RtlCaptureContext
AcquireSRWLockShared
ReleaseSRWLockShared
GetCommandLineW
PostQueuedCompletionStatus
GetProcessHeap
GetCommandLineA
GetModuleHandleExW
TerminateProcess
AddVectoredExceptionHandler
ExitProcess
HeapAlloc
HeapFree
GetModuleFileNameW
WriteFile
RtlPcToFileHeader
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
RtlUnwindEx
EncodePointer
RaiseException
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW

ws2_32

WSASend
getsockopt
connect
shutdown
freeaddrinfo
WSAStartup
WSACleanup
recv
WSASocketW
send
getsockname
WSAGetLastError
getpeername
closesocket
bind
WSAIoctl
setsockopt
ioctlsocket
getaddrinfo

ntdll

NtCancelIoFileEx
RtlNtStatusToDosError
NtDeviceIoControlFile
NtCreateFile
NtWriteFile
NtReadFile

crypt32

CertVerifyCertificateChainPolicy
CertFreeCertificateChain
CertGetCertificateChain
CertEnumCertificatesInStore
CertDuplicateCertificateChain
CertAddCertificateContextToStore
CertOpenStore
CertDuplicateStore
CertDuplicateCertificateContext
CertCloseStore
CertFreeCertificateContext

secur32

AcceptSecurityContext
DeleteSecurityContext
FreeContextBuffer
EncryptMessage
AcquireCredentialsHandleA
ApplyControlToken
FreeCredentialsHandle
DecryptMessage
QueryContextAttributesW
InitializeSecurityContextW

advapi32

RegQueryValueExW
RegCloseKey
SystemFunction036
RegOpenKeyExW

bcrypt

BCryptGenRandom

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 434KB - Virtual size: 434KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

557d953bf697ff1355a8bba8036a3c6f

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

ws2_32

ntdll

crypt32

secur32

advapi32

bcrypt

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 434KB - Virtual size: 434KB

.data Size: 3KB - Virtual size: 7KB

.pdata Size: 22KB - Virtual size: 21KB

_RDATA Size: 512B - Virtual size: 244B

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 434KB - Virtual size: 434KB

.data
Size: 3KB - Virtual size: 7KB

.pdata
Size: 22KB - Virtual size: 21KB

_RDATA
Size: 512B - Virtual size: 244B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 8KB - Virtual size: 7KB