sample[.]zip | Triage

Resubmissions

01/08/2023, 09:51

230801-lvhmyagb3y 8

01/08/2023, 09:09

230801-k4yj3seg86 7

Sharing

Copy URL Twitter E-mail

General

Target

sample.zip
Size

165.5MB
MD5

ee3cfa2542252f6251c86e24c4ee8671
SHA1

d182a715c2f1cbe6a04033de1966a3e36ff905e9
SHA256

70c49dfc6cb7ae0fb8a919738afd7394e854c5a96d56f1455ed10ff0bc996e54
SHA512

2574a987865cd5b96452992c4fe579673c7f8c705042760d14b5200b1c7e9e314f9eaa3c1b1cbb733283f84c77622659345b0adb50aede93d8055c8ea2dfb6f4
SSDEEP

3145728:zLBwA00nfdGkQMQjuyJu6H1u2RH8fO4SfxPANb/4QaaUI3e8xU20hmqnoai5ql0A:zLBwA0efddQhjuyJu4RRHgOPPApNNp34

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/FortiClientSetup_7.2.1_x64.exe

Files

sample.zip
.zip

Password: infected
FortiClientSetup_7.2.1_x64.exe
.exe windows x86

Password: infected

3df615c3915d589ae5357365f4ef2659

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateDirectoryW
FindFirstFileW
FindNextFileW
FindClose
CreateFileW
GetFileAttributesW
GetVersionExW
GetFileInformationByHandle
GetLastError
LoadLibraryA
CloseHandle
GetProcAddress
FreeLibrary
CopyFileW
TerminateProcess
WaitForSingleObject
CreateProcessW
GetExitCodeProcess
FileTimeToSystemTime
CompareStringW
GetSystemDefaultLCID
RemoveDirectoryW
GetTempPathW
DeleteFileW
GetCurrentDirectoryW
MoveFileExW
WriteFile
OutputDebugStringA
LoadLibraryW
GetCurrentProcessId
ReadFile
GetFileSizeEx
GetFullPathNameW
lstrlenW
ExpandEnvironmentStringsW
Sleep
SetFilePointerEx
HeapFree
HeapSize
HeapReAlloc
HeapAlloc
GetProcessHeap
GetModuleFileNameW
GetLocalTime
SizeofResource
LockResource
FindResourceExW
LoadResource
LoadLibraryExW
MultiByteToWideChar
FormatMessageW
LocalFree
LCMapStringW
WideCharToMultiByte
SetDefaultDllDirectories
SetSearchPathMode
ExitProcess
GetCommandLineW
GetDriveTypeW
GetCurrentProcess
WaitForMultipleObjects
CreateEventW
GetStdHandle
GetEnvironmentVariableW
GetFileType
GetModuleHandleW
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetOEMCP
GetACP
RaiseException
GetSystemInfo
VirtualProtect
VirtualQuery
LoadLibraryExA
GetVolumeInformationW
QueryPerformanceCounter
SetEndOfFile
UnmapViewOfFile
GetFileSize
CreateFileMappingW
MapViewOfFile
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
SetLastError
GetCurrentThreadId
GetSystemTimeAsFileTime
GlobalMemoryStatus
GetTickCount
SystemTimeToFileTime
GetSystemTime
OutputDebugStringW
GetModuleHandleExW
DeleteFiber
ConvertFiberToThread
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
OpenProcess
TlsSetValue
GetFileAttributesExW
TlsAlloc
TlsGetValue
GetConsoleScreenBufferInfo
SetConsoleTextAttribute
SetEvent
DeleteFileA
SetUnhandledExceptionFilter
InitializeCriticalSectionEx
DecodePointer
OpenMutexW
GetLongPathNameW
ProcessIdToSessionId
K32EnumProcesses
VerSetConditionMask
VerifyVersionInfoW
SetNamedPipeHandleState
CreateMutexW
ReleaseMutex
ResetEvent
GetOverlappedResult
WaitNamedPipeW
QueryDosDeviceW
GetLogicalDrives
FindFirstVolumeMountPointW
FindFirstVolumeW
FindVolumeMountPointClose
K32GetModuleFileNameExW
GetVolumePathNameW
GetVolumeNameForVolumeMountPointW
CreateToolhelp32Snapshot
Process32NextW
FindNextVolumeMountPointW
Process32FirstW
FindVolumeClose
FindNextVolumeW
FindFirstFileExW
AreFileApisANSI
GetStringTypeW
InitializeCriticalSectionAndSpinCount
SwitchToThread
TlsFree
EncodePointer
GetCPInfo
GetLocaleInfoW
WaitForSingleObjectEx
UnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
RtlUnwind
GetConsoleCP
SetConsoleCtrlHandler
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
GetDateFormatW
GetTimeFormatW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
SetStdHandle
GetTimeZoneInformation
FlushFileBuffers
IsValidCodePage
WriteConsoleW

ncrypt

BCryptGenRandom

dbghelp

MakeSureDirectoryPathExists

Sections

.text
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 477KB - Virtual size: 476KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 229KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 183.3MB - Virtual size: 183.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 67KB - Virtual size: 66KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

3df615c3915d589ae5357365f4ef2659

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

ncrypt

dbghelp

Sections

.text Size: 1.5MB - Virtual size: 1.5MB

.rdata Size: 477KB - Virtual size: 476KB

.data Size: 14KB - Virtual size: 229KB

.rsrc Size: 183.3MB - Virtual size: 183.3MB

.reloc Size: 67KB - Virtual size: 66KB

.text
Size: 1.5MB - Virtual size: 1.5MB

.rdata
Size: 477KB - Virtual size: 476KB

.data
Size: 14KB - Virtual size: 229KB

.rsrc
Size: 183.3MB - Virtual size: 183.3MB

.reloc
Size: 67KB - Virtual size: 66KB