QEK[.]zip | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

QEK.zip
Size

862KB
MD5

8440700ec4ae3139e2cfa49af6cf9b33
SHA1

b030847c0c8d788dc035ee8b61419f1350982f06
SHA256

b6269018ac32484bdc093a6bec324fc9aa7990104a297f55600d31bff95ed6fd
SHA512

4b1f1c6459ff7f51dbc141a6864b71246c6a518486fb753dc1c3797e9364746a441da451159c8f67a90f0572a703b6b41eb44bafe6289f4905654b6b4b0c2128
SSDEEP

24576:a+TaOijDryUFpCmRn8rFNXf2uopYVxLfUwK8Rq2:a+DizymR8rFLWOfxZ

Score

3^/10

pdf link

Malware Config

Signatures

One or more HTTP URLs in PDF identified
Detects presence of HTTP links in PDF files.
pdf link

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/i1v/zN/JI/eWJM/MVst/qI/1Q52/uURq/QIPJ/J4Xw/J6V/CO/bOs8/GMV/N53B/bootim.exe
unpack001/i1v/zN/JI/eWJM/MVst/qI/1Q52/uURq/QIPJ/J4Xw/J6V/CO/bOs8/GMV/N53B/xSa.log

Files

QEK.zip
.zip

Password: 678
WX.pdf.lnk
.lnk
i1v/zN/JI/eWJM/MVst/qI/1Q52/uURq/QIPJ/J4Xw/J6V/CO/bOs8/GMV/N53B/Abqd.pdf
.pdf
Password: 678
- http://www.benefits.ml.com
i1v/zN/JI/eWJM/MVst/qI/1Q52/uURq/QIPJ/J4Xw/J6V/CO/bOs8/GMV/N53B/bootim.exe
.exe windows:10 windows x64

Password: 678

518ddf1b5d2eaa775607e0d8b554c455

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

user32

GetSystemMetrics

msvcrt

_wcmdln
_fmode
_XcptFilter
_wtol
_commode
__C_specific_handler
_initterm
_wcsnicmp
wcschr
memset
_lock
_amsg_exit
_unlock
__dllonexit
_wcsicmp
memcpy_s
__setusermatherr
_cexit
_onexit
_exit
_vsnwprintf
exit
?terminate@@YAXXZ
__set_app_type
__wgetmainargs

bootux

ord9
ord12

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
GetModuleFileNameA
GetModuleHandleW
GetModuleHandleExW

api-ms-win-core-synch-l1-1-0

ReleaseMutex
WaitForSingleObjectEx
WaitForSingleObject
ReleaseSemaphore
CreateSemaphoreExW
CreateMutexExW
OpenSemaphoreW

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetLastError
SetUnhandledExceptionFilter
GetLastError

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW

api-ms-win-core-registry-l1-1-0

RegGetValueW
RegCloseKey
RegOpenKeyExW

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentProcessId
GetCurrentThreadId
GetCurrentProcess
GetStartupInfoW

api-ms-win-core-localization-l1-2-0

FormatMessageW
SetProcessPreferredUILanguages

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-registry-l1-1-1

RegDeleteKeyValueW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-shcore-obsolete-l1-1-0

CommandLineToArgvW

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrToIntExW

ntdll

RtlNtStatusToDosError
NtQuerySystemInformation

Sections

.text
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 720B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
i1v/zN/JI/eWJM/MVst/qI/1Q52/uURq/QIPJ/J4Xw/J6V/CO/bOs8/GMV/N53B/bow.sct
i1v/zN/JI/eWJM/MVst/qI/1Q52/uURq/QIPJ/J4Xw/J6V/CO/bOs8/GMV/N53B/xSa.log
.dll windows:6 windows x86

Password: 678

d7637d01603047c46356b8ae53adf518

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetProcessHeap
CreateFileA
CloseHandle
GetLastError
ConvertThreadToFiber
SwitchToFiber
CreateActCtxA
ActivateActCtx
DeactivateActCtx
FindFirstFileA
FindNextFileA
GetSystemDirectoryA
SetCurrentDirectoryA
ReadFile
SetFilePointer
ReleaseActCtx
SetFileTime
VirtualAlloc
DeviceIoControl
GetLocalTime

Exports

Exports

GPa606j
HUF_inc_var
Tsw3286E

Sections

.text
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 298KB - Virtual size: 298KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 531KB - Virtual size: 530KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: 678

Password: 678

Password: 678

518ddf1b5d2eaa775607e0d8b554c455

Headers

DLL Characteristics

File Characteristics

Imports

user32

msvcrt

bootux

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-registry-l1-1-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

ntdll

Sections

.text Size: 13KB - Virtual size: 13KB

.rdata Size: 7KB - Virtual size: 6KB

.data Size: 512B - Virtual size: 2KB

.pdata Size: 1024B - Virtual size: 720B

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 52B

Password: 678

d7637d01603047c46356b8ae53adf518

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

Exports

Exports

Sections

.text Size: 22KB - Virtual size: 21KB

.rdata Size: 298KB - Virtual size: 298KB

.data Size: 531KB - Virtual size: 530KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 13KB - Virtual size: 13KB

.rdata
Size: 7KB - Virtual size: 6KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 1024B - Virtual size: 720B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 52B

.text
Size: 22KB - Virtual size: 21KB

.rdata
Size: 298KB - Virtual size: 298KB

.data
Size: 531KB - Virtual size: 530KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 2KB - Virtual size: 1KB