MDE_File_Sample_4c09e703a1ac7579fb4f6bccf605316aa19d25adddb0d5ee1ab71500958f7cc0[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

MDE_File_Sample_4c09e703a1ac7579fb4f6bccf605316aa19d25adddb0d5ee1ab71500958f7cc0.zip
Size

1.6MB
MD5

41970ffe9695ed9de8ff1e892e4e338b
SHA1

afc082722b69a73f5df94780ffaf1b65a9878502
SHA256

57b7558003515ee92d231e32e29dc4be975a9b1773df41ba7988ad999987d1fb
SHA512

44ce13a76471f3557bc0acdff6fd5d7186d7e2680fd171bce5ff5c65fcf4da7b59d9ce379d1e8b27d60aae9c3c9b95f5a6bd2f4dd9482bc9685edc6e915718c8
SSDEEP

49152:fnxGeSjsDKOikMUQ1PMJCbAFkLidCYnQStWZoEk1H:fxjSjs7ikMUgMJCMkidCSQJm

Score

1^/10

Malware Config

Signatures

Files

MDE_File_Sample_4c09e703a1ac7579fb4f6bccf605316aa19d25adddb0d5ee1ab71500958f7cc0.zip
.zip

Password: infected
FileChapter-1.zip
.zip
_Download.exe
.exe windows:6 windows x86

e50fdce5a650db4aa951dba88f776c1e

Code Sign

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10/01/1997, 07:00

Not After

31/12/2020, 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10/01/1997, 07:00

Not After

31/12/2020, 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

22/08/2007, 22:31

Not After

25/08/2012, 07:00

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:0f:78:4d:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/08/2007, 00:23

Not After

23/02/2009, 00:33

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

61:47:52:ba:00:00:00:00:00:04
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/09/2006, 01:53

Not After

16/09/2011, 02:03

Subject

CN=Microsoft Timestamping Service,OU=nCipher DSE ESN:D8A9-CFCC-579C,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

61:49:7c:ed:00:00:00:00:00:05
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/09/2006, 01:55

Not After

16/09/2011, 02:05

Subject

CN=Microsoft Timestamping Service,OU=nCipher DSE ESN:10D8-5847-CBF8,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16/09/2006, 01:04

Not After

15/09/2019, 07:00

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

50:10:b2:51:49:2d:6b:4c:18:8d:3c:3d:36:da:a1:55:cd:2c:ff:8d
Signer

Actual PE Digest

50:10:b2:51:49:2d:6b:4c:18:8d:3c:3d:36:da:a1:55:cd:2c:ff:8d

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

RegQueryValueW
RegCloseKey
RegOpenKeyExW
RegSetValueExW
GetSecurityDescriptorLength
MakeSelfRelativeSD
RegEnumKeyW
RegOpenKeyW
RegDeleteKeyW
RegQueryValueExW
RegEnumValueW
RegQueryInfoKeyW
SetSecurityDescriptorDacl
MakeAbsoluteSD
SetEntriesInAclW
GetExplicitEntriesFromAclW
GetSecurityDescriptorDacl
MapGenericMask
LookupAccountSidW
GetAce
CopySid
GetLengthSid
GetTokenInformation
OpenProcessToken
LookupAccountNameW
AddAce
GetAclInformation
InitializeAcl
AddAccessAllowedAce
EqualSid
InitializeSecurityDescriptor
IsValidSid
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
RegCreateKeyExW
RegDeleteValueW
FreeSid
AllocateAndInitializeSid

kernel32

lstrcpyW
GetModuleFileNameW
FreeLibrary
lstrlenW
lstrcmpW
lstrcmpiW
GetLastError
WinExec
ResumeThread
SuspendThread
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
LoadLibraryExW
GetUserDefaultLCID
GlobalUnlock
GlobalLock
GlobalAlloc
LocalAlloc
LoadLibraryW
InterlockedIncrement
InterlockedDecrement
CloseHandle
GetCurrentProcess
lstrcatW
FormatMessageW
LocalFree
GetProcAddress
UnhandledExceptionFilter
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
QueryPerformanceCounter
GetModuleHandleA
SetUnhandledExceptionFilter
RtlUnwind
GetStartupInfoW
InterlockedCompareExchange
Sleep
InterlockedExchange
GetTickCount
GetVersionExW

gdi32

DeleteObject

user32

ScreenToClient
EnableWindow
SendMessageW
SetCursor
LoadCursorW
LoadIconW
GetWindowRect
SetActiveWindow
DeleteMenu
EnableMenuItem
GetSubMenu
OpenClipboard
LoadBitmapW
GetMessagePos
UpdateWindow
wsprintfW
CloseClipboard
SetClipboardData
EmptyClipboard
MessageBoxW
RedrawWindow
LoadMenuW
GetFocus

mfc42u

ord922
ord3993
ord773
ord501
ord2857
ord5596
ord4269
ord815
ord540
ord561
ord3733
ord4418
ord4616
ord4075
ord3074
ord3820
ord3826
ord3825
ord2971
ord3076
ord2980
ord3257
ord3131
ord4459
ord3254
ord3142
ord2977
ord5710
ord5285
ord5303
ord4074
ord5298
ord5296
ord3341
ord2388
ord5193
ord1089
ord3917
ord5727
ord2504
ord2546
ord4480
ord6371
ord800
ord4692
ord2717
ord825
ord823
ord1165
ord1172
ord1143
ord641
ord6398
ord858
ord3494
ord2507
ord355
ord1197
ord940
ord538
ord4155
ord2810
ord3516
ord5977
ord4604
ord986
ord520
ord2089
ord384
ord2613
ord6112
ord1202
ord1808
ord609
ord693
ord4419
ord4621
ord5273
ord2116
ord2438
ord5257
ord1720
ord5059
ord3744
ord6372
ord2047
ord2640
ord4831
ord3793
ord4347
ord6370
ord5157
ord2377
ord5237
ord4401
ord1767
ord4073
ord6048
ord2506
ord4992
ord4370
ord5261
ord4229
ord6330
ord4435
ord5276
ord3133
ord2371
ord567
ord3569
ord3397
ord5286
ord4390
ord1768
ord6051
ord2567
ord3635
ord3365
ord4396
ord2574
ord324
ord2294
ord4704
ord2634
ord4219
ord6193
ord656
ord3605
ord861
ord2362
ord2293
ord3870
ord6195
ord3592
ord4847
ord2637
ord3297
ord1833
ord784
ord804
ord795
ord810
ord4426
ord2083
ord1718
ord3743
ord5277
ord5236
ord6050
ord4103
ord4954
ord4957
ord4518
ord4523
ord4520
ord4537
ord4539
ord4525
ord4883
ord4341
ord4334
ord4527
ord4886
ord4364
ord4893
ord4582
ord4583
ord4236
ord326
ord5256
ord2078
ord3716
ord3728
ord3393
ord3724
ord3389
ord4400
ord2579
ord364
ord5031
ord6127
ord6212
ord4714
ord6211
ord2644
ord1662
ord1899
ord768
ord4829
ord5283
ord4848
ord4371
ord4352
ord4942
ord4970
ord4736
ord4899
ord5154
ord5156
ord5155
ord4253
ord489
ord1817
ord4233
ord4414
ord652
ord860
ord338
ord4420
ord4617
ord6171
ord6076
ord3193
ord3449
ord4381
ord2391
ord4852
ord4947
ord5649
ord3167
ord5573
ord1739
ord5736
ord5239
ord2534
ord2502
ord6332
ord3060
ord3053
ord4690
ord1900
ord1008
ord771
ord497
ord498
ord4425
ord2046
ord4433
ord5284
ord2520
ord1683
ord4254
ord4709
ord616
ord3087
ord3867
ord3577
ord4392
ord2570
ord4213
ord2015
ord2403
ord3871
ord4118
ord2756
ord1834
ord4237
ord4146
ord439
ord3574
ord3348
ord3269
ord5681
ord4538
ord4519
ord4524
ord736
ord2859
ord4158
ord807
ord796
ord794
ord674
ord554
ord529
ord527
ord366
ord4421
ord5248
ord4430
ord1658
ord2641
ord5278
ord5233
ord4072
ord2873
ord2874
ord3398
ord5468
ord975
ord5006
ord3345
ord4298
ord5097
ord5094
ord3054
ord2382
ord2715
ord2550
ord6063
ord3477
ord5996
ord2109
ord5867
ord2112
ord4451
ord5491
ord5906
ord5848
ord3476
ord2244
ord6399
ord5568
ord3792
ord2910
ord2970
ord3865
ord2385
ord6191
ord6205
ord1258
ord3517
ord4493
ord1934
ord1863
ord4267
ord1262
ord5255
ord4501
ord3658
ord6325
ord2855
ord3649
ord2576
ord4215
ord2430
ord2858
ord1637
ord813
ord303
ord3729
ord3394
ord1719
ord4955
ord4958
ord4884
ord4717
ord4343
ord4335
ord5070
ord4526
ord543
ord3579
ord803
ord5617
ord4078
ord1105
ord1083
ord925
ord537
ord6266
ord3909
ord1569

msvcrt

__wgetmainargs
_cexit
_exit
_XcptFilter
_wcmdln
_initterm
_amsg_exit
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
??1type_info@@UAE@XZ
_unlock
__dllonexit
_lock
?terminate@@YAXXZ
_controlfp
__CxxFrameHandler
isspace
isdigit
wcsrchr
free
malloc
_vsnwprintf
_wcsnicmp
_wtoi
wcstok
??_U@YAPAXI@Z
wcstol
??_V@YAXPAX@Z
_itow
toupper
isxdigit
_wcsicmp
memcpy
exit
memset
_onexit

comctl32

ImageList_AddMasked

shell32

DragQueryFileW
DragFinish
ExtractIconW
ShellAboutW

shlwapi

wnsprintfW

ole32

CreateBindCtx
MkParseDisplayName
StringFromCLSID
CoTaskMemFree
CoGetClassObject
CLSIDFromString
CLSIDFromProgID
CoCreateInstance
StringFromGUID2
CoFreeUnusedLibraries

oleaut32

LoadRegTypeLi
LoadTypeLi

Sections

.text
Size: 124KB - Virtual size: 123KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 37KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
aclui.dll
.dll windows:6 windows x86

8cb1566c87449c3d29b977e7033cf0bb

Code Sign

33:00:00:01:52:9b:40:9f:50:56:99:75:88:00:00:00:00:01:52
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:37

Not After

02/05/2020, 21:37

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d7:2f:bc:98:b7:d7:d1:3a:66:6e:5e:2c:df:87:3b:c1:ca:1f:70:54:a8:6d:4a:3c:84:d3:c5:55:dc:05:3b:63
Signer

Actual PE Digest

d7:2f:bc:98:b7:d7:d1:3a:66:6e:5e:2c:df:87:3b:c1:ca:1f:70:54:a8:6d:4a:3c:84:d3:c5:55:dc:05:3b:63

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

user32

DialogBoxIndirectParamW
DlgDirListComboBoxA
EnumDesktopsA
FindWindowW
GetCursor
GetFocus
GetThreadDesktop
SetClipboardData
SystemParametersInfoW

kernel32

CloseHandle
CreateMutexW
ExpandEnvironmentStringsA
GetPrivateProfileSectionA
IsValidLocale
Sleep
SystemTimeToTzSpecificLocalTime

Exports

Exports

bhwspdvgeawu
bwbqiv
bzlxrvukeowj
ckqhgjrltudx
ctzhtrfov
cwseqoslij
cxadfbwgl
dbkkxl
edgxtaqzchp
hajclqfliu
hsbyaubbwwz
ixqkaet
jckjcvhxnwgo
mfztfcopqt
mtrpssried
ofeeuvhcegk
ovbffbs
qbhvhfguvzf
qwdqcgbnb
rmfcil
rvbgnudt
shvxxw
tyilenqdj
ukwxyxwiwk
vmjhuyrkonaf
wfxotrwmyz
wktfrvnzj
xbzphsjxrcef
ykosdpldjxrl
yzypqu

Sections

.text
Size: 163KB - Virtual size: 162KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 40B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

e50fdce5a650db4aa951dba88f776c1e

Code Sign

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40Certificate

2e:ab:11:dc:50:ff:5c:9d:cb:c0Certificate

Extended Key Usages

Key Usages

61:0f:78:4d:00:00:00:00:00:03Certificate

Extended Key Usages

Key Usages

61:47:52:ba:00:00:00:00:00:04Certificate

Extended Key Usages

Key Usages

61:49:7c:ed:00:00:00:00:00:05Certificate

Extended Key Usages

Key Usages

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2Certificate

Extended Key Usages

Key Usages

50:10:b2:51:49:2d:6b:4c:18:8d:3c:3d:36:da:a1:55:cd:2c:ff:8dSigner

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

gdi32

user32

mfc42u

msvcrt

comctl32

shell32

shlwapi

ole32

oleaut32

Sections

.text Size: 124KB - Virtual size: 123KB

.data Size: 3KB - Virtual size: 4KB

.rsrc Size: 37KB - Virtual size: 37KB

.reloc Size: 11KB - Virtual size: 11KB

8cb1566c87449c3d29b977e7033cf0bb

Code Sign

33:00:00:01:52:9b:40:9f:50:56:99:75:88:00:00:00:00:01:52Certificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

d7:2f:bc:98:b7:d7:d1:3a:66:6e:5e:2c:df:87:3b:c1:ca:1f:70:54:a8:6d:4a:3c:84:d3:c5:55:dc:05:3b:63Signer

Headers

DLL Characteristics

File Characteristics

Imports

user32

kernel32

Exports

Exports

Sections

.text Size: 163KB - Virtual size: 162KB

.rdata Size: 10KB - Virtual size: 9KB

.data Size: 1.4MB - Virtual size: 1.4MB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 40B

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

61:0f:78:4d:00:00:00:00:00:03
Certificate

61:47:52:ba:00:00:00:00:00:04
Certificate

61:49:7c:ed:00:00:00:00:00:05
Certificate

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

50:10:b2:51:49:2d:6b:4c:18:8d:3c:3d:36:da:a1:55:cd:2c:ff:8d
Signer

.text
Size: 124KB - Virtual size: 123KB

.data
Size: 3KB - Virtual size: 4KB

.rsrc
Size: 37KB - Virtual size: 37KB

.reloc
Size: 11KB - Virtual size: 11KB

33:00:00:01:52:9b:40:9f:50:56:99:75:88:00:00:00:00:01:52
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

d7:2f:bc:98:b7:d7:d1:3a:66:6e:5e:2c:df:87:3b:c1:ca:1f:70:54:a8:6d:4a:3c:84:d3:c5:55:dc:05:3b:63
Signer

.text
Size: 163KB - Virtual size: 162KB

.rdata
Size: 10KB - Virtual size: 9KB

.data
Size: 1.4MB - Virtual size: 1.4MB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 40B