6c7596aab5f425ebdaac1ddbd657813e4551d94391f3806917f10a2a78dbb7f1[.]zip[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

6c7596aab5f425ebdaac1ddbd657813e4551d94391f3806917f10a2a78dbb7f1.zip.zip
Size

40.9MB
MD5

36b4c40dd8bc82bc613629ec8f244c4f
SHA1

0db4b7dafa620b043335e13b90c50ad8c6cf5438
SHA256

6635353aae9a11f2a2a35f0731880b5fe2c12d78df3b01026cbe213dc4b3eebc
SHA512

b115b6a46bf4e8fd4eebb9822305e9901897b3fd68f9a6c2f240ca77c90088008e013fa63647a13a512987b166d5b9ca2af652d592e9f925cdf70866523aec83
SSDEEP

786432:ppD/8LCPfnXH9Ssu4wfmFCKsJ65S7k+JOUvvMw5mIIAOjtMLjnN1:zD/+Efn39SsuPuoKsw5S7kAtvESlOCvz

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://localhost/statuspage

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://localhost/statuspage

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack002/telegraf/Scripts/IAWebCommunicator.dll

Files

6c7596aab5f425ebdaac1ddbd657813e4551d94391f3806917f10a2a78dbb7f1.zip.zip
.zip

Password: infected
6c7596aab5f425ebdaac1ddbd657813e4551d94391f3806917f10a2a78dbb7f1.zip
.zip
telegraf/Scripts/IACL_MSMQ.ps1
.ps1
telegraf/Scripts/IADOM-PwdExp.ps1
.ps1
telegraf/Scripts/IAWebCommunicator.dll
.dll windows:4 windows x86

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

mscoree

_CorDllMain

Sections

.text
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 952B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
telegraf/Scripts/IA_Login_GUI.ps1
.ps1
telegraf/Scripts/IA_Login_PCAD.ps1
.ps1
telegraf/Scripts/RDSLicenseUse.ps1
.ps1
telegraf/Scripts/SimpleHelp.ps1
.ps1
telegraf/Scripts/SimpleHelp_LS.ps1
.ps1
telegraf/Scripts/TA_jobcount.ps1
.ps1
telegraf/Scripts/ialogin.xml
telegraf/Scripts/ialogin_AESKey.dat
telegraf/Telegraf_InstallConfigure_v2_5.docx
.docx office2007
telegraf/config/1-telegraf-web.conf-web
telegraf/config/2-telegraf-iis6.conf-iis6
telegraf/config/3-telegraf-ASPNet.conf-ASPNet
telegraf/config/4-telegraf-FTP.conf-ftp
telegraf/config/4-telegraf-IADOM.conf-IADOM
telegraf/config/4-telegraf-IAServices.conf-IAServices
telegraf/config/4-telegraf-MediaDB.conf-mediadb
telegraf/config/4-telegraf-SMTP.conf-smtp
telegraf/config/4-telegraf-SimpleHelp.conf-simplehelp
telegraf/config/4-telegraf-SimpleHelpLS.conf-simplehelpLS
telegraf/config/4-telegraf-TransACT.conf-transact
telegraf/config/4-telegraf-WSUS.conf-wsus
telegraf/config/5-telegraf-IAAppPools.conf-IAAppPools
telegraf/config/6-telegraf-IAMSMQ-IACL.conf-IAMSMQ-IACL
telegraf/config/6-telegraf-IAMSMQ-IADL-IASA.conf-IAMSMQ-IADL-IASA
telegraf/config/7-telegraf-SQL-Cluster.conf-sql-cluster
.ps1
telegraf/config/7-telegraf-SQL.conf-sql
.ps1
telegraf/telegraf-cluster.conf
telegraf/telegraf.conf-physical-IA
telegraf/telegraf.conf-physical-SH
telegraf/telegraf.conf-vmware-IA
telegraf/telegraf.conf-vmware-SH
telegraf/telegraf.exe
.exe windows:6 windows x64

65892a964106b5e0c6c363fdf21975eb

Code Sign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21/09/2022, 00:00

Not After

21/11/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0c:4f:64:a3:e2:d5:58:b9:69:2f:10:50:47:63:e1:03
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

25/01/2023, 00:00

Not After

27/01/2026, 23:59

Subject

CN=InfluxData\, Inc,O=InfluxData\, Inc,L=San Francisco,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2a:c8:51:f3:33:6c:5a:cc:af:e4:41:71:66:3c:d0:ab:07:b1:6a:c9
Signer

Actual PE Digest

2a:c8:51:f3:33:6c:5a:cc:af:e4:41:71:66:3c:d0:ab:07:b1:6a:c9

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

WriteFile
WriteConsoleW
WaitForMultipleObjects
WaitForSingleObject
VirtualQuery
VirtualFree
VirtualAlloc
TlsAlloc
SwitchToThread
SuspendThread
SetWaitableTimer
SetUnhandledExceptionFilter
SetThreadPriority
SetProcessPriorityBoost
SetEvent
SetErrorMode
SetConsoleCtrlHandler
ResumeThread
PostQueuedCompletionStatus
LoadLibraryA
LoadLibraryW
SetThreadContext
GetThreadContext
GetSystemInfo
GetSystemDirectoryA
GetStdHandle
GetQueuedCompletionStatusEx
GetProcessAffinityMask
GetProcAddress
GetEnvironmentStringsW
GetConsoleMode
FreeEnvironmentStringsW
ExitProcess
DuplicateHandle
CreateWaitableTimerExW
CreateWaitableTimerA
CreateThread
CreateIoCompletionPort
CreateFileA
CreateEventA
CloseHandle
AddVectoredExceptionHandler

Sections

.text
Size: 72.6MB - Virtual size: 72.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 75.8MB - Virtual size: 75.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2.0MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.symtab
Size: 512B - Virtual size: 4B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

Password: infected

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 6KB - Virtual size: 6KB

.rsrc Size: 1024B - Virtual size: 952B

.reloc Size: 512B - Virtual size: 12B

65892a964106b5e0c6c363fdf21975eb

Code Sign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5aCertificate

Extended Key Usages

Key Usages

0c:4f:64:a3:e2:d5:58:b9:69:2f:10:50:47:63:e1:03Certificate

Extended Key Usages

Key Usages

2a:c8:51:f3:33:6c:5a:cc:af:e4:41:71:66:3c:d0:ab:07:b1:6a:c9Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

Sections

.text Size: 72.6MB - Virtual size: 72.6MB

.rdata Size: 75.8MB - Virtual size: 75.8MB

.data Size: 2.0MB - Virtual size: 2.6MB

.idata Size: 1KB - Virtual size: 1KB

.reloc Size: 1.4MB - Virtual size: 1.4MB

.symtab Size: 512B - Virtual size: 4B

.rsrc Size: 18KB - Virtual size: 17KB

.text
Size: 6KB - Virtual size: 6KB

.rsrc
Size: 1024B - Virtual size: 952B

.reloc
Size: 512B - Virtual size: 12B

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

0c:4f:64:a3:e2:d5:58:b9:69:2f:10:50:47:63:e1:03
Certificate

2a:c8:51:f3:33:6c:5a:cc:af:e4:41:71:66:3c:d0:ab:07:b1:6a:c9
Signer

.text
Size: 72.6MB - Virtual size: 72.6MB

.rdata
Size: 75.8MB - Virtual size: 75.8MB

.data
Size: 2.0MB - Virtual size: 2.6MB

.idata
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1.4MB - Virtual size: 1.4MB

.symtab
Size: 512B - Virtual size: 4B

.rsrc
Size: 18KB - Virtual size: 17KB