ey[.]zip | Triage

Resubmissions

12/07/2023, 19:20

230712-x2jdlafe3y 3

12/07/2023, 19:16

230712-xyw6aafe2z 3

12/07/2023, 18:57

230712-xmcx9sed62 3

Sharing

Copy URL Twitter E-mail

General

Target

ey.zip
Size

8.9MB
MD5

33f6d9633fb89ea3e8f71c0bc0780f49
SHA1

19207a63e8e2426d3cfff1c2cdf362d3ccee2090
SHA256

2af2a97f3bee5e3e11fb957b43ba48641fccdc9562656e18e20dfbd6b4a5f752
SHA512

a0b105ca5c9886c44bbc17a506b34dbadd8e0cb6037fdc23be06a6902b01275a5b605f9436a7f589ba053addf9c330b2896bf208b267d16546a9711710476b13
SSDEEP

196608:6HkFkz5cZJrtYekO5sKRrCU7qYhHusxC98lZBXAW6EBxBcBIS41chiuRhsbGn+:S8kz2ZXYZOuy7qYhHuskGXXrBoI9YXR4

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/avshadow.exe
unpack001/vssapi.dll

Files

ey.zip
.zip
avshadow.exe
.exe windows x64

21ee229318300615fc2912df8971d029

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_amsg_exit
__CxxFrameHandler3
_commode
_fmode
exit
?terminate@@YAXXZ
_cexit
_wcmdln
_vsnwprintf
__setusermatherr
__C_specific_handler
__wgetmainargs
_initterm
__set_app_type
_onexit
_lock
_unlock
_exit
__dllonexit
_XcptFilter
free
_purecall
_wtoi
memcpy_s
_callnewh
malloc
memset

api-ms-win-core-com-l1-1-1

CoUninitialize
CoWaitForMultipleHandles
CoReleaseServerProcess
CLSIDFromString
CoCreateInstance
CoRegisterClassObject
CoResumeClassObjects
CoRevokeClassObject
CoInitializeEx
CoAddRefServerProcess
CoInitializeSecurity

api-ms-win-core-file-l1-2-1

SetFilePointer
ReadFile
GetFileAttributesW
CreateFileW

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
GetModuleHandleExW
GetModuleFileNameA
LoadStringW
LoadLibraryExW
GetProcAddress
FreeLibrary

api-ms-win-core-wow64-l1-1-1

GetSystemWow64Directory2W
IsWow64Process2

api-ms-win-core-synch-l1-2-0

ReleaseSRWLockExclusive
Sleep
AcquireSRWLockExclusive
WaitForSingleObjectEx
WaitForSingleObject
OpenSemaphoreW
AcquireSRWLockShared
CreateEventW
ReleaseSRWLockShared
CreateMutexExW
ReleaseSemaphore
ReleaseMutex
CreateSemaphoreExW
SetEvent

api-ms-win-core-heap-l1-2-0

HeapSetInformation
HeapAlloc
GetProcessHeap
HeapFree

api-ms-win-core-errorhandling-l1-1-1

SetErrorMode
SetUnhandledExceptionFilter
GetLastError
UnhandledExceptionFilter
SetLastError

api-ms-win-core-processenvironment-l1-2-0

SearchPathW
GetCommandLineW

api-ms-win-core-processthreads-l1-1-2

TerminateProcess
GetStartupInfoW
CreateProcessW
GetCurrentProcess
GetCurrentProcessId
ExitProcess
GetCurrentThreadId

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-sysinfo-l1-2-1

GetTickCount
GetSystemTimeAsFileTime
GetSystemDirectoryW

api-ms-win-core-winrt-error-l1-1-1

RoOriginateErrorW
RoOriginateError

api-ms-win-core-localization-l1-2-1

FormatMessageW

api-ms-win-core-console-l2-1-0

AttachConsole
FreeConsole

api-ms-win-core-debug-l1-1-1

OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-path-l1-1-0

PathCchAppend

api-ms-win-core-console-l1-1-0

WriteConsoleW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
CompareStringW

api-ms-win-core-rtlsupport-l1-2-0

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-string-l2-1-0

CharNextW

api-ms-win-core-kernel32-private-l1-1-2

Wow64EnableWow64FsRedirection

api-ms-win-core-sidebyside-l1-1-0

ReleaseActCtx
QueryActCtxW
DeactivateActCtx
ActivateActCtx
CreateActCtxW

api-ms-win-downlevel-shlwapi-l1-1-1

PathIsRelativeW

api-ms-win-downlevel-shlwapi-l2-1-1

SHSetThreadRef

imagehlp

ImageDirectoryEntryToData

ntdll

NtClose
NtOpenProcessToken
RtlNtStatusToDosError
NtQueryInformationToken
RtlSetSearchPathMode
RtlWow64IsWowGuestMachineSupported
RtlImageNtHeader
NtQuerySystemInformation
NtSetInformationToken

api-ms-win-core-delayload-l1-1-1

DelayLoadFailureHook
ResolveDelayLoadedAPI

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Sections

.text
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 264B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 256B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
vssapi.dll
.dll windows x64

1d4310b236aabe11757a16f729fc65ed

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

oleaut32

SysFreeString
SysReAllocStringLen
SysAllocStringLen

advapi32

RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegOpenKeyExA
RegCloseKey

user32

MessageBoxA
CharNextW
LoadStringW
MessageBoxW
LoadStringW
GetSystemMetrics
CharUpperBuffW
CharUpperW

kernel32

Sleep
VirtualFree
VirtualAlloc
lstrlenW
VirtualQuery
GetTickCount
GetSystemInfo
GetVersion
CompareStringW
IsDBCSLeadByteEx
IsValidLocale
SetThreadLocale
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
GetLocaleInfoW
WideCharToMultiByte
MultiByteToWideChar
GetConsoleOutputCP
GetConsoleCP
GetACP
LoadLibraryExW
GetStartupInfoW
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
GetCommandLineW
FreeLibrary
GetLastError
UnhandledExceptionFilter
RtlUnwindEx
RtlUnwind
RaiseException
ExitProcess
SwitchToThread
GetCurrentThreadId
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
FindFirstFileW
FindClose
WriteFile
SetFilePointer
SetEndOfFile
ReadFile
GetFileType
GetFileSize
CreateFileW
GetStdHandle
CloseHandle
GetProcAddress
RaiseException
LoadLibraryA
GetLastError
TlsSetValue
TlsGetValue
TlsFree
TlsAlloc
LocalFree
LocalAlloc
FreeLibrary
lstrlenA
lstrcpyA
lstrcmpiA
lstrcatA
WriteFile
WideCharToMultiByte
WaitForSingleObject
VirtualQuery
VirtualFree
VirtualAllocEx
VirtualAlloc
VerSetConditionMask
VerifyVersionInfoW
TerminateProcess
SetEvent
ResumeThread
ResetEvent
ReadFile
LoadLibraryA
LoadLibraryW
IsValidLocale
GlobalAlloc
GetWindowsDirectoryA
GetVersionExW
GetThreadLocale
GetTempPathA
GetSystemDirectoryA
GetStdHandle
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetLocalTime
GetFileSize
GetFileAttributesA
GetExitCodeProcess
GetDiskFreeSpaceW
GetCPInfo
FreeLibrary
ExpandEnvironmentStringsA
ExitProcess
EnumSystemLocalesW
EnumCalendarInfoW
CreateProcessA
CreateFileA
CreateEventW
CreateDirectoryA
CopyFileA
CompareStringW
CloseHandle
Sleep

Exports

Exports

CreateVssBackupComponentsInternal
CreateVssExamineWriterMetadataInternal
CreateVssExpressWriterInternal
CreateWriter
CreateWriterEx
DllCanUnloadNow
DllGetClassObject
GetProviderMgmtInterface
GetProviderMgmtInterfaceInternal
IsVolumeSnapshotted
IsVolumeSnapshottedInternal
ShouldBlockRevert
ShouldBlockRevertInternal
VssFreeSnapshotProperties
VssFreeSnapshotPropertiesInternal
__dbk_fcall_wrapper
dbkFCallWrapperAddr

Sections

.text
Size: 200KB - Virtual size: 200KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 69KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didata
Size: 512B - Virtual size: 448B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 1024B - Virtual size: 640B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.pdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

21ee229318300615fc2912df8971d029

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

api-ms-win-core-com-l1-1-1

api-ms-win-core-file-l1-2-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-wow64-l1-1-1

api-ms-win-core-synch-l1-2-0

api-ms-win-core-heap-l1-2-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-util-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-localization-l1-2-1

api-ms-win-core-console-l2-1-0

api-ms-win-core-debug-l1-1-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-path-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-rtlsupport-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-kernel32-private-l1-1-2

api-ms-win-core-sidebyside-l1-1-0

api-ms-win-downlevel-shlwapi-l1-1-1

api-ms-win-downlevel-shlwapi-l2-1-1

imagehlp

ntdll

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-apiquery-l1-1-0

Sections

.text Size: 24KB - Virtual size: 23KB

.rdata Size: 13KB - Virtual size: 12KB

.data Size: 512B - Virtual size: 2KB

.pdata Size: 1KB - Virtual size: 1KB

.didat Size: 512B - Virtual size: 264B

.rsrc Size: 26KB - Virtual size: 25KB

.reloc Size: 512B - Virtual size: 256B

1d4310b236aabe11757a16f729fc65ed

Headers

File Characteristics

Imports

oleaut32

advapi32

user32

kernel32

Exports

Exports

Sections

.text Size: 200KB - Virtual size: 200KB

.data Size: 20KB - Virtual size: 19KB

.bss Size: - Virtual size: 69KB

.idata Size: 5KB - Virtual size: 4KB

.didata Size: 512B - Virtual size: 448B

.edata Size: 1024B - Virtual size: 640B

.reloc Size: 7KB - Virtual size: 7KB

.pdata Size: 8KB - Virtual size: 8KB

.rsrc Size: 5KB - Virtual size: 5KB

.text
Size: 24KB - Virtual size: 23KB

.rdata
Size: 13KB - Virtual size: 12KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 1KB - Virtual size: 1KB

.didat
Size: 512B - Virtual size: 264B

.rsrc
Size: 26KB - Virtual size: 25KB

.reloc
Size: 512B - Virtual size: 256B

.text
Size: 200KB - Virtual size: 200KB

.data
Size: 20KB - Virtual size: 19KB

.bss
Size: - Virtual size: 69KB

.idata
Size: 5KB - Virtual size: 4KB

.didata
Size: 512B - Virtual size: 448B

.edata
Size: 1024B - Virtual size: 640B

.reloc
Size: 7KB - Virtual size: 7KB

.pdata
Size: 8KB - Virtual size: 8KB

.rsrc
Size: 5KB - Virtual size: 5KB