4a6f8d2694e1fe50df9c6fa8d6bc2df8d95a151572d24eb5d4e25e42fb27b198[.]zip[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

4a6f8d2694e1fe50df9c6fa8d6bc2df8d95a151572d24eb5d4e25e42fb27b198.zip.zip
Size

742KB
MD5

4a50923815ad375235dcb12df684e57c
SHA1

db58a547e3f44beb63a06383529c24fb2ab31288
SHA256

fa4f5ddc40663ebbb5f4e405d017744e60e7c964a471ffff2ce454670444fe3b
SHA512

c495352938de386963e7cc1650a20d6749229843aba59cfac5afa3702b7e77608e8605d9bad2229fdbc2cc9e6e4f32536f6445ed935057629cd9b56d57ec937b
SSDEEP

12288:z1ZuJEL0Iusbc+6OjSyopVOTBAW3YBKa182MEsdmOniSqu2fmMmnFezBnWsjXppK:ziJERFbVIykwt/YBdlAjwF7WgpT2

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack002/winfbbcfg.exe	upx

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack002/WinFbb.exe
unpack002/winfbbcfg.exe

Files

4a6f8d2694e1fe50df9c6fa8d6bc2df8d95a151572d24eb5d4e25e42fb27b198.zip.zip
.zip

Password: infected
4a6f8d2694e1fe50df9c6fa8d6bc2df8d95a151572d24eb5d4e25e42fb27b198.zip
.zip
WinFbb.exe
.exe windows:4 windows x86

c6dba591c74eb3c83d068a30076b50a4

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

winmm

waveOutGetNumDevs
PlaySoundA

version

VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA

mfc42

ord4129
ord2763
ord5875
ord4277
ord5683
ord2567
ord5788
ord2614
ord858
ord2859
ord640
ord2405
ord323
ord2096
ord384
ord2408
ord686
ord539
ord807
ord3289
ord2120
ord554
ord2920
ord2012
ord939
ord940
ord1175
ord5787
ord537
ord2764
ord4202
ord5856
ord536
ord2452
ord6172
ord2753
ord5873
ord1195
ord3693
ord3573
ord3571
ord5860
ord1621
ord3986
ord5450
ord6394
ord1640
ord5440
ord6383
ord5785
ord4220
ord2584
ord1644
ord5572
ord2915
ord4163
ord3610
ord656
ord6199
ord3873
ord5981
ord2089
ord2116
ord4299
ord3874
ord6215
ord1907
ord5161
ord5162
ord5160
ord4905
ord4742
ord4976
ord4948
ord4377
ord5287
ord4835
ord616
ord609
ord768
ord489
ord2362
ord2301
ord4258
ord2642
ord6028
ord4160
ord4854
ord4358
ord1168
ord2575
ord4396
ord3574
ord2411
ord2023
ord4218
ord2578
ord4398
ord3582
ord1908
ord4715
ord1690
ord2528
ord5288
ord4439
ord2054
ord4431
ord771
ord1008
ord496
ord4259
ord4243
ord3286
ord6270
ord2455
ord4774
ord3742
ord818
ord6129
ord6130
ord5148
ord613
ord289
ord816
ord5789
ord562
ord5768
ord755
ord470
ord2754
ord692
ord1772
ord1771
ord6366
ord2413
ord2024
ord4219
ord2581
ord4401
ord3639
ord4224
ord793
ord2289
ord2294
ord3719
ord809
ord556
ord1929
ord1088
ord2122
ord6358
ord3797
ord6880
ord1200
ord926
ord2864
ord5606
ord2652
ord2817
ord1842
ord4242
ord2723
ord2390
ord3059
ord5100
ord5103
ord4467
ord4303
ord3350
ord5012
ord975
ord5472
ord3403
ord2879
ord2878
ord4151
ord4077
ord2863
ord6142
ord2649
ord1665
ord4436
ord4427
ord796
ord765
ord674
ord529
ord366
ord6068
ord6067
ord2011
ord6000
ord2117
ord6625
ord4457
ord5252
ord5882
ord5883
ord5030
ord3870
ord4776
ord3482
ord4724
ord4413
ord4499
ord3698
ord6453
ord2580
ord4400
ord3630
ord682
ord2152
ord1233
ord1768
ord2086
ord2516
ord361
ord6069
ord4615
ord4274
ord6375
ord4486
ord2554
ord2512
ord5731
ord3922
ord1089
ord5199
ord2396
ord3346
ord5300
ord5302
ord4079
ord5307
ord5714
ord4622
ord3738
ord815
ord561
ord5301
ord986
ord520
ord1199
ord1247
ord617
ord5214
ord296
ord4698
ord2725
ord5289
ord1825
ord4238
ord4696
ord3058
ord3065
ord6336
ord2510
ord2542
ord5243
ord5740
ord1746
ord5577
ord3172
ord5653
ord3830
ord4953
ord4858
ord2399
ord4387
ord3454
ord3198
ord6080
ord6175
ord4623
ord4426
ord338
ord652
ord4823
ord4614
ord4613
ord4685
ord4681
ord1841
ord4241
ord4589
ord4533
ord5076
ord4340
ord4347
ord4889
ord4531
ord4545
ord4543
ord4526
ord4529
ord4524
ord4963
ord4960
ord4108
ord6054
ord5240
ord5281
ord3748
ord1725
ord4432
ord364
ord784
ord5260
ord2091
ord2108
ord3294
ord5677
ord3495
ord4287
ord4284
ord4720
ord2535
ord3089
ord4480
ord2862
ord2976
ord3081
ord2985
ord3262
ord3136
ord4465
ord3259
ord3147
ord2982
ord5277
ord2124
ord2446
ord5261
ord1727
ord5065
ord3749
ord6376
ord2055
ord2648
ord4441
ord4837
ord3798
ord5280
ord4353
ord6374
ord5163
ord2385
ord5241
ord4407
ord1775
ord4078
ord6052
ord2514
ord4998
ord4853
ord4376
ord5265
ord3654
ord2438
ord823
ord772
ord500
ord3701
ord1099
ord1574
ord535
ord3640
ord941
ord1871
ord2582
ord3370
ord4402
ord3402
ord1146
ord567
ord1641
ord2379
ord2860
ord3619
ord3663
ord3626
ord2414
ord825
ord4275
ord2818
ord4476
ord4710
ord2645
ord3996
ord6334
ord2370
ord4234
ord2302
ord4424
ord795
ord3721
ord6055
ord5290
ord1776
ord860
ord324
ord540
ord800
ord641
ord693
ord4627
ord3597
ord4425
ord3825
ord4080
ord3079
ord5237
ord3831
ord5282
ord1669
ord4420
ord1576

msvcrt

__set_app_type
_controlfp
_adjust_fdiv
__setusermatherr
_initterm
__p__fmode
__getmainargs
_acmdln
_XcptFilter
_exit
?terminate@@YAXXZ
_except_handler3
_onexit
__dllonexit
atan2
pow
exit
atof
remove
cos
sin
sqrt
atan
_ftol
floor
fabs
modf
srand
rand
putc
getc
rename
fwrite
fread
_read
fclose
fputc
fgetc
fputs
fgets
tolower
_timezone
getenv
qsort
strerror
fopen
ftell
calloc
strchr
strncpy
fscanf
islower
vsprintf
clock
memcmp
printf
rewind
fflush
strstr
strncmp
isgraph
ctime
_access
_fstat
_strrev
_lseek
_cprintf
_fileno
_creat
_ltoa
_itoa
_strnicmp
_stricmp
_strcmpi
_strlwr
_fdopen
_sopen
_strupr
_close
_write
_open
_fcloseall
_errno
__CxxFrameHandler
isalnum
strcmp
strcpy
isspace
iscntrl
sscanf
toupper
strcat
strrchr
isalpha
strtok
atoi
strlen
_strdup
_setmbcp
_tell
_stat
sprintf
memcpy
_filelength
localtime
__p__commode
time
isdigit
memset
free
malloc
wcscpy
wcslen
wcscmp
memmove
isprint
fseek
fprintf
_pctype
_isctype
__mb_cur_max
atol
putchar
_iob
gmtime

kernel32

lstrcpyA
lstrlenA
lstrlenW
GetVersion
LockResource
LoadResource
GetCPInfo
lstrcatA
lstrcmpA
FindResourceA
GlobalLock
GlobalFree
GlobalUnlock
WinExec
MoveFileA
GlobalAlloc
GetFileAttributesA
GetCurrentDirectoryA
CopyFileA
LoadLibraryA
GetWindowsDirectoryA
FreeLibrary
LocalFree
MulDiv
LocalAlloc
GetProcAddress
SetErrorMode
OutputDebugStringA
lstrcmpiA
GetLastError
GetCurrentProcess
FormatMessageA
GetModuleFileNameA
CreateMutexA
GetLocalTime
GetSystemTime
Sleep
GetDiskFreeSpaceExA
GlobalMemoryStatus
lstrcpynA
FindNextFileA
FindFirstFileA
FindClose
RemoveDirectoryA
FileTimeToSystemTime
CreateDirectoryA
CompareFileTime
SystemTimeToFileTime
DeleteFileA
BuildCommDCBA
CreateFileA
SetCommState
WriteFile
ClearCommError
CloseHandle
GetStartupInfoA
GetModuleHandleA
GetVersionExA

user32

GetWindowPlacement
MessageBoxA
CreatePopupMenu
SetMenu
RegisterWindowMessageA
OemToCharBuffA
IsIconic
SetActiveWindow
GetMenu
MoveWindow
LoadImageA
GetDialogBaseUnits
GetParent
SetCapture
InflateRect
PtInRect
MessageBeep
CopyIcon
SetCursor
ReleaseCapture
LoadBitmapA
OemToCharA
GetCursorPos
OpenClipboard
LoadMenuA
InvertRect
EmptyClipboard
CloseClipboard
PostMessageA
IsMenu
LoadStringA
wsprintfA
GetWindowRect
LoadIconA
GetKeyState
CharToOemA
ReleaseDC
GetDC
RemoveMenu
ModifyMenuA
InsertMenuA
GetSubMenu
GetMenuStringA
GetMenuState
GetMenuItemID
GetMenuItemCount
AppendMenuA
DeleteMenu
GetDesktopWindow
UpdateWindow
GetSysColorBrush
CreateMenu
DrawEdge
SetRect
FillRect
CopyRect
DrawIconEx
GetSystemMetrics
DrawTextA
SystemParametersInfoA
DestroyIcon
GetSysColor
EnableWindow
GetMenuItemInfoA
LoadCursorA
SendMessageA
KillTimer
SetTimer
ExitWindowsEx
IsWindow
ShowWindow
GetClientRect
InvalidateRect
SetClipboardData

gdi32

Ellipse
CreateCompatibleBitmap
GetTextExtentPoint32A
ExtTextOutA
GetTextMetricsA
GetStockObject
GetDeviceCaps
TextOutA
GetBkMode
CreatePen
CreateCompatibleDC
CreateDIBSection
SelectObject
BitBlt
CreateSolidBrush
DeleteObject
DeleteDC
GetTextExtentPoint32W
GetObjectA
CreateFontIndirectA
PatBlt
SetPixel

comdlg32

GetSaveFileNameA
GetOpenFileNameA

advapi32

RegEnumValueA
RegQueryValueA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegQueryValueExA
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegSetValueExA

shell32

Shell_NotifyIconA
ShellExecuteA

comctl32

ImageList_AddMasked
ImageList_Draw
ImageList_ReplaceIcon
ImageList_GetIcon
ImageList_GetIconSize
ImageList_SetBkColor

Sections

.text
Size: 800KB - Virtual size: 799KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 40KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 264KB - Virtual size: 310KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 196KB - Virtual size: 194KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 60KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
history.txt
winfbbcfg.exe
.exe windows:1 windows x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_BYTES_REVERSED_HI

Sections

UPX0
Size: - Virtual size: 708KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 351KB - Virtual size: 352KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

Password: infected

c6dba591c74eb3c83d068a30076b50a4

Headers

File Characteristics

Imports

winmm

version

mfc42

msvcrt

kernel32

user32

gdi32

comdlg32

advapi32

shell32

comctl32

Sections

.text Size: 800KB - Virtual size: 799KB

.rdata Size: 40KB - Virtual size: 36KB

.data Size: 264KB - Virtual size: 310KB

.idata Size: 16KB - Virtual size: 12KB

.rsrc Size: 196KB - Virtual size: 194KB

.reloc Size: 60KB - Virtual size: 57KB

Headers

File Characteristics

Sections

UPX0 Size: - Virtual size: 708KB

UPX1 Size: 351KB - Virtual size: 352KB

.rsrc Size: 5KB - Virtual size: 8KB

.text
Size: 800KB - Virtual size: 799KB

.rdata
Size: 40KB - Virtual size: 36KB

.data
Size: 264KB - Virtual size: 310KB

.idata
Size: 16KB - Virtual size: 12KB

.rsrc
Size: 196KB - Virtual size: 194KB

.reloc
Size: 60KB - Virtual size: 57KB

UPX0
Size: - Virtual size: 708KB

UPX1
Size: 351KB - Virtual size: 352KB

.rsrc
Size: 5KB - Virtual size: 8KB