487acefe21075e4d1ea833af1a2325eeb1f76bbcdf52b557e0b82939a169bcfb[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

487acefe21075e4d1ea833af1a2325eeb1f76bbcdf52b557e0b82939a169bcfb.zip
Size

6.0MB
MD5

cc79a391701b5a5b55593e0db2d370b4
SHA1

4db239ec20fcd3f54f9c3b07e002c18ad3d3e687
SHA256

0acbe36a810ef9b24c352d269a3b2a5d2ed2856303bd67c130710264756e002d
SHA512

d354ba202bd1e7bdd2001618f77d2c3c46769c57130a558a0460997c0968e0c8c145e8633110d27808d477c2fc32343c5705c852118873b6627c3cf6078036b2
SSDEEP

98304:1kQIftUkKS5ct2sRXK7luhmnCT/Jf7JTuEY2yiKMAyVHdXGV8n9HwHpSRpV:KftS/tLRqumnCT/J5uQyiJhVHjxwJWpV

Score

1^/10

Malware Config

Signatures

Files

487acefe21075e4d1ea833af1a2325eeb1f76bbcdf52b557e0b82939a169bcfb.zip
.zip

Password: infected
QualysAgent.exe
.exe windows:5 windows x64

feccf35e7d0ce4e0895fda0cdc7eb83d

Code Sign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0b:e9:9a:e9:84:38:c9:48:7d:2b:e6:f5:41:8f:e1:8e
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

01/11/2022, 00:00

Not After

02/11/2023, 23:59

Subject

CN=Qualys\, Inc,OU=Operations,O=Qualys\, Inc,L=Foster City,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21/09/2022, 00:00

Not After

21/11/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

cd:d4:df:30:02:a8:a2:07:5a:d0:e9:e5:94:a7:3a:be:35:17:84:88:1b:d7:90:af:26:74:f9:8b:44:b5:bb:f9
Signer

Actual PE Digest

cd:d4:df:30:02:a8:a2:07:5a:d0:e9:e5:94:a7:3a:be:35:17:84:88:1b:d7:90:af:26:74:f9:8b:44:b5:bb:f9

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptVerifySignatureW
CryptDestroyKey
CryptDestroyHash
CryptReleaseContext
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
RegCloseKey
AllocateAndInitializeSid
SetEntriesInAclW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
FreeSid
RegDeleteValueW
RegCreateKeyExW
RegDeleteKeyW
RegFlushKey
GetTokenInformation
CreateProcessAsUserW
DuplicateTokenEx
GetSecurityDescriptorOwner
GetSecurityDescriptorGroup
GetSecurityDescriptorDacl
SetNamedSecurityInfoW
InitiateSystemShutdownExW
OpenSCManagerW
OpenServiceW
QueryServiceStatusEx
CloseServiceHandle
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerExW
SetServiceStatus
LookupAccountSidW
RegQueryInfoKeyW
RegEnumKeyExW
LookupPrivilegeValueA
CryptAcquireContextA
SystemFunction036
SetFileSecurityW
DeleteService
ControlService
StartServiceW
LsaEnumeratePrivileges
LsaEnumerateAccountsWithUserRight
RegEnumValueW
CryptImportKey
LsaLookupNames2
ConvertStringSidToSidW
ConvertSidToStringSidW
LsaQueryDomainInformationPolicy
GetNamedSecurityInfoW
QueryServiceConfigW
EnumServicesStatusExW
RegLoadKeyW
RegUnLoadKeyW
QueryServiceStatus
SetSecurityDescriptorSacl
LsaNtStatusToWinError
RegEnumKeyW
LsaClose
LsaQueryInformationPolicy
LsaOpenPolicy
LsaFreeMemory
RegOpenKeyW
CreateRestrictedToken
LogonUserW
CryptDeriveKey
CryptDecrypt
CryptEncrypt
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegNotifyChangeKeyValue
CryptGetHashParam
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSecurityDescriptorToStringSecurityDescriptorW
GetSecurityInfo
RegGetKeySecurity
GetFileSecurityW

crypt32

CryptDecodeObject
CryptMsgGetParam
CertFindCertificateInStore
CertGetNameStringW
CertEnumCertificatesInStore
CertOpenSystemStoreW
CryptBinaryToStringA
CryptStringToBinaryW
CertCreateCertificateContext
CryptImportPublicKeyInfo
CertFreeCertificateContext
CertOpenStore
CertAddEncodedCertificateToStore
CertCloseStore
CryptUnprotectData
CryptMsgClose
CryptBinaryToStringW
CryptStringToBinaryA
CryptDecryptMessage
CryptMsgUpdate
CryptMsgOpenToDecode
CertGetCertificateContextProperty
CryptQueryObject

dhcpcsvc

DhcpCApiInitialize
DhcpRequestParams
DhcpCApiCleanup

iphlpapi

GetExtendedTcpTable
GetIpForwardTable
GetAdaptersInfo
GetAdaptersAddresses
GetExtendedUdpTable
GetIpAddrTable

kernel32

GetTimeZoneInformation
SetFileAttributesW
FindNextFileW
RemoveDirectoryW
FindResourceW
LoadResource
SizeofResource
LockResource
FileTimeToLocalFileTime
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
GetLocalTime
ExpandEnvironmentStringsW
GetComputerNameExW
GetCurrentProcessId
ReleaseMutex
GetWindowsDirectoryW
GetCommandLineW
CreateTimerQueueTimer
DeleteTimerQueueTimer
WTSGetActiveConsoleSessionId
OutputDebugStringW
DebugBreak
HeapSize
RaiseException
DecodePointer
HeapDestroy
OpenThread
SuspendThread
GetSystemInfo
CreateThread
QueryDosDeviceW
FileTimeToSystemTime
SystemTimeToFileTime
GetTempPathW
GetCurrentProcess
OpenMutexW
VirtualQueryEx
CreateMutexA
GetOEMCP
IsValidCodePage
FindNextFileA
FindFirstFileExW
FindFirstFileExA
SetConsoleCtrlHandler
WriteConsoleW
SetStdHandle
CreateProcessA
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
GetACP
GetModuleFileNameA
GetCommandLineA
ReadConsoleW
GetConsoleMode
SystemTimeToTzSpecificLocalTime
GetFileType
GetCurrentDirectoryA
SetCurrentDirectoryA
SetEnvironmentVariableA
ExitProcess
OpenEventW
ExitThread
RtlUnwindEx
UnregisterWaitEx
QueryDepthSList
InterlockedFlushSList
InterlockedPushEntrySList
InterlockedPopEntrySList
SetProcessAffinityMask
VirtualProtect
FreeLibraryAndExitThread
GetThreadTimes
UnregisterWait
RegisterWaitForSingleObject
GetNumaHighestNodeNumber
GetLogicalProcessorInformation
GetThreadPriority
SwitchToThread
SignalObjectAndWait
CreateTimerQueue
InitializeSListHead
GetStartupInfoW
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
CancelWaitableTimer
GetLocaleInfoW
LCMapStringW
GetSystemDefaultLCID
CompareStringW
TlsFree
GetModuleFileNameW
FindClose
FindFirstFileW
Sleep
GetProcAddress
FreeLibrary
GetModuleHandleW
LoadLibraryW
ResumeThread
GetProcessId
CreateDirectoryW
GetProcessTimes
TlsSetValue
TlsGetValue
TlsAlloc
GetCPInfo
QueueUserWorkItem
DeleteCriticalSection
CreateWaitableTimerW
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
GetCurrentThreadId
ResetEvent
SetEvent
FormatMessageW
LocalAlloc
LocalFree
CreateEventW
GetSystemTime
SetLastError
GlobalAlloc
GlobalFree
DeleteFileW
HeapReAlloc
HeapAlloc
SetFilePointer
WaitForMultipleObjectsEx
WaitForSingleObject
GetProcessHeap
HeapFree
CloseHandle
GetFileSizeEx
GetLastError
OpenProcess
CopyFileW
GetFileAttributesW
QueryPerformanceFrequency
RtlCaptureStackBackTrace
EncodePointer
RtlPcToFileHeader
GetExitCodeProcess
MoveFileW
GetTempFileNameW
WaitForMultipleObjects
TerminateProcess
CreateProcessW
DisconnectNamedPipe
ReadFile
GetOverlappedResult
ConnectNamedPipe
CreateNamedPipeW
MoveFileExW
GetNativeSystemInfo
GetExitCodeThread
GetStringTypeW
IsDebuggerPresent
FileTimeToDosDateTime
DosDateTimeToFileTime
WriteFile
CreateFileW
SetWaitableTimer
GetModuleHandleExW
TerminateThread
GetCurrentDirectoryW
SetUnhandledExceptionFilter
GetConsoleCP
MultiByteToWideChar
WideCharToMultiByte
GetFullPathNameW
GetVersion
VerSetConditionMask
VerifyVersionInfoW
GetDriveTypeW
CompareFileTime
GetCurrentThread
SetThreadPriority
CreatePipe
SetHandleInformation
PeekNamedPipe
GetFileInformationByHandle
GetSystemDirectoryW
LoadLibraryExW
GetSystemTimeAsFileTime
GetFileSize
FlushFileBuffers
GetTickCount
QueryPerformanceCounter
MapViewOfFile
CreateFileMappingW
FormatMessageA
LockFileEx
CreateFileMappingA
UnlockFile
HeapCompact
DeleteFileA
GetVersionExA
WaitForSingleObjectEx
LoadLibraryA
CreateFileA
FlushViewOfFile
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapValidate
UnmapViewOfFile
GetVersionExW
CreateMutexW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
HeapCreate
AreFileApisANSI
InitializeCriticalSection
TryEnterCriticalSection
ReadProcessMemory
ChangeTimerQueueTimer
GetEnvironmentVariableW
SetEnvironmentVariableW
lstrcmpA
DuplicateHandle
SetFilePointerEx
VirtualAlloc
VirtualFree
IsProcessorFeaturePresent
SetThreadAffinityMask
ReleaseSemaphore
CreateSemaphoreW
LoadLibraryExA
SetErrorMode
GetComputerNameExA
Thread32First
Thread32Next
SetFileTime
GetModuleHandleA
FindCloseChangeNotification
FindFirstChangeNotificationW
GetLogicalDriveStringsW
GetStdHandle
GetProcessAffinityMask
GlobalMemoryStatusEx
AssignProcessToJobObject
CreateJobObjectW
SetInformationJobObject
ExpandEnvironmentStringsA
TerminateJobObject
MoveFileExA
WaitNamedPipeW
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetLongPathNameW
GetShortPathNameW
GetFileTime
DeviceIoControl
GetVolumePathNamesForVolumeNameW
FindFirstVolumeW
FindNextVolumeW
FindVolumeClose
GetPrivateProfileStringW
IsWow64Process
ReadDirectoryChangesW
GetTempFileNameA
LocalFileTimeToFileTime
ReadFileEx
WriteFileEx
SetCurrentDirectoryW

ole32

StgIsStorageFile
OleRun
StgOpenStorage
IIDFromString
StgOpenStorageEx
StgOpenStorageOnILockBytes
PropVariantClear
CreateILockBytesOnHGlobal
StgIsStorageILockBytes
CoSetProxyBlanket
CoCreateInstance
CoUninitialize
CoInitializeEx
StringFromGUID2
CreateStreamOnHGlobal
CoCreateGuid
CLSIDFromString

oleaut32

SysFreeString
CreateErrorInfo
SetErrorInfo
GetErrorInfo
VariantClear
SafeArrayGetElement
SafeArrayGetUBound
SafeArrayGetLBound
VariantCopy
SysAllocStringLen
SysStringLen
SysAllocStringByteLen
SysStringByteLen
VariantChangeType
VariantInit
VariantTimeToSystemTime
SysAllocString

psapi

GetModuleFileNameExW

shell32

SHFileOperationW
CommandLineToArgvW
SHGetFileInfoW
SHGetFolderPathW
SHCreateDirectoryExW

shlwapi

StrChrW
PathIsDirectoryEmptyW
PathStripPathA
PathRemoveFileSpecW
PathIsRelativeW
StrStrIA
PathCanonicalizeW
PathAppendW
StrStrW
PathFileExistsW
PathCombineW
PathIsDirectoryW
PathFindExtensionW
PathFindFileNameW
PathStripPathW
StrStrIW
PathFileExistsA

user32

UnregisterClassW
PostThreadMessageW
CharUpperW
CharPrevExA
DestroyIcon
MessageBeep

winhttp

WinHttpSendRequest
WinHttpAddRequestHeaders
WinHttpGetDefaultProxyConfiguration
WinHttpOpenRequest
WinHttpSetOption
WinHttpWriteData
WinHttpReceiveResponse
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpQueryHeaders
WinHttpCloseHandle
WinHttpGetProxyForUrl
WinHttpCrackUrl
WinHttpOpen
WinHttpSetTimeouts
WinHttpSetStatusCallback
WinHttpConnect

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

wtsapi32

WTSQueryUserToken
WTSFreeMemory
WTSEnumerateSessionsW
WTSQuerySessionInformationW

ws2_32

WSAAddressToStringA
WSAGetLastError
WSAAddressToStringW
ntohs
WSAStartup
inet_addr
WSACleanup

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

dbghelp

MiniDumpWriteDump
SymSetOptions
SymInitialize
SymCleanup
SymGetModuleInfoW64

dnsapi

DnsFree
DnsQuery_W

netapi32

NetLocalGroupGetMembers
NetLocalGroupEnum
NetUserGetInfo
NetUserModalsGet
NetUserEnum
NetApiBufferFree
NetShareEnum
NetShareGetInfo

wintrust

CryptCATAdminReleaseContext
CryptCATAdminReleaseCatalogContext
CryptCATCatalogInfoFromContext
CryptCATAdminEnumCatalogFromHash
CryptCATAdminCalcHashFromFileHandle
CryptCATAdminAcquireContext
WinVerifyTrust

ntdll

NtClose

fltlib

FilterDetach
FilterAttach
FilterSendMessage
FilterConnectCommunicationPort

Sections

.text
Size: 10.2MB - Virtual size: 10.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4.1MB - Virtual size: 4.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 183KB - Virtual size: 283KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 464KB - Virtual size: 463KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 61B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 120KB - Virtual size: 120KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 49KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

feccf35e7d0ce4e0895fda0cdc7eb83d

Code Sign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

0b:e9:9a:e9:84:38:c9:48:7d:2b:e6:f5:41:8f:e1:8eCertificate

Extended Key Usages

Key Usages

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5aCertificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

cd:d4:df:30:02:a8:a2:07:5a:d0:e9:e5:94:a7:3a:be:35:17:84:88:1b:d7:90:af:26:74:f9:8b:44:b5:bb:f9Signer

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

crypt32

dhcpcsvc

iphlpapi

kernel32

ole32

oleaut32

psapi

shell32

shlwapi

user32

winhttp

userenv

wtsapi32

ws2_32

version

dbghelp

dnsapi

netapi32

wintrust

ntdll

fltlib

Sections

.text Size: 10.2MB - Virtual size: 10.2MB

.rdata Size: 4.1MB - Virtual size: 4.1MB

.data Size: 183KB - Virtual size: 283KB

.pdata Size: 464KB - Virtual size: 463KB

.tls Size: 512B - Virtual size: 61B

.rsrc Size: 120KB - Virtual size: 120KB

.reloc Size: 49KB - Virtual size: 49KB

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

0b:e9:9a:e9:84:38:c9:48:7d:2b:e6:f5:41:8f:e1:8e
Certificate

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

cd:d4:df:30:02:a8:a2:07:5a:d0:e9:e5:94:a7:3a:be:35:17:84:88:1b:d7:90:af:26:74:f9:8b:44:b5:bb:f9
Signer

.text
Size: 10.2MB - Virtual size: 10.2MB

.rdata
Size: 4.1MB - Virtual size: 4.1MB

.data
Size: 183KB - Virtual size: 283KB

.pdata
Size: 464KB - Virtual size: 463KB

.tls
Size: 512B - Virtual size: 61B

.rsrc
Size: 120KB - Virtual size: 120KB

.reloc
Size: 49KB - Virtual size: 49KB