9fa1ba3e7d6e32f240c790753cdaaf8e[.]bin

General

Target

9fa1ba3e7d6e32f240c790753cdaaf8e.bin
Size

1.7MB
MD5

9c94d56dbd7081d164318cad59408e0d
SHA1

aa197b09a902482914a1039e45c8ff2664d77996
SHA256

e5e978c87ca89c047d9337601024d729586b355566432c9d86bf34d858ad7b4c
SHA512

d66f4831664ba417f4484a57d044171c18d6bc3c45a9360f4495021fcff6472b12faa2b9de4d6db8e072d2a592185900e58b6148407ee193b4ea93b745b164c9
SSDEEP

49152:laPGjn1gLCHhkwgS9rA6v5QoY6tPMIPWw88s:lYGjnmMkwhrA64ErE8s

Score

9^/10

cryptone packer

Malware Config

Signatures

CryptOne packer 1 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
static1/unpack001/fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.bin	cryptone

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.bin

Files

9fa1ba3e7d6e32f240c790753cdaaf8e.bin
.zip

Password: infected
fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87.bin
.exe windows:5 windows x64

Password: infected

7bb84c055e762f3b23509e70313814ed

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

GetMenuCheckMarkDimensions
IsCharAlphaA
ShowCaret
GetDesktopWindow
GetForegroundWindow
GetLastActivePopup
GetQueueStatus
CloseWindow
CharNextW
GetAsyncKeyState
VkKeyScanW
IsCharUpperA
GetCapture
GetKeyboardLayout
GetDialogBaseUnits
GetOpenClipboardWindow
LoadIconA
GetDC

gdi32

GdiFlush
GetTextCharacterExtra
CreateMetaFileA
AddFontResourceA
GetTextCharset
SaveDC
AbortDoc
EndDoc
GetColorSpace
DeleteMetaFile
GetMapMode
GetStretchBltMode
CreateMetaFileW

advapi32

RegQueryValueExW
RegOpenKeyW

Sections

.text
Size: 1.8MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 156B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 37KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.l2
Size: 37KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

7bb84c055e762f3b23509e70313814ed

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

Sections

.text Size: 1.8MB - Virtual size: 1.8MB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 512B - Virtual size: 156B

.rsrc Size: 37KB - Virtual size: 37KB

.l2 Size: 37KB - Virtual size: 37KB

.text
Size: 1.8MB - Virtual size: 1.8MB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 512B - Virtual size: 156B

.rsrc
Size: 37KB - Virtual size: 37KB

.l2
Size: 37KB - Virtual size: 37KB