Rootkit[.]zip | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Rootkit.zip
Size

100KB
MD5

2e64ab572736dcc3af5e5dbc533b60ab
SHA1

1b26e99ebcd855e9ded11cee4fbb581471d9c872
SHA256

b2adc2e39cca2132b3098f7b8e46325b27e557f6a3c7f12bdb8c525c910e2eed
SHA512

88103a07ec10ff1f1ac29923cbfef77a0a6cd1e03e06498664ed7cb468bc7aad12af94b1ed2f41b5659a6c8c40485f0154119202c5ecc871fb24986e61a58ce1
SSDEEP

1536:qhbCu5faolIlqsfHPvxAJNFi38H8muFwA8wdOQ4/4/t3TipDeiD/h5e6RDRu:yx5y1wsfHPv47LHCwQdAmt3TipRDRu

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/973e8ee15e00b702b03fa42e45cce60344dbe7dbc7d3213a81a53623c303ff5c.exe

Files

Rootkit.zip
.zip

Password: infected
973e8ee15e00b702b03fa42e45cce60344dbe7dbc7d3213a81a53623c303ff5c.exe
.exe windows:6 windows x86

Password: infected

dda765b9352ee55eed4377f5697f2360

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

ResumeThread
GetModuleHandleA
DisconnectNamedPipe
OpenProcess
GetExitCodeThread
GetLastError
lstrcatW
LockResource
K32GetModuleInformation
CreateThread
LoadResource
GetThreadContext
GetProcAddress
VirtualAllocEx
LocalFree
LocalAlloc
ReadProcessMemory
CreateProcessW
GetModuleHandleW
FreeLibrary
WideCharToMultiByte
lstrcpyW
lstrcmpiA
K32EnumProcessModules
CreateFileMappingW
MapViewOfFile
SetThreadContext
lstrcmpiW
lstrcmpW
IsWow64Process
ConnectNamedPipe
WriteConsoleW
WaitForSingleObject
FindResourceA
K32GetModuleFileNameExW
CreateNamedPipeW
TerminateProcess
VirtualAlloc
GetCurrentProcess
VirtualProtect
WriteProcessMemory
SizeofResource
VerifyVersionInfoW
GetCurrentProcessId
VerSetConditionMask
ExitProcess
K32EnumProcesses
CloseHandle
Sleep
CreateFileW
WriteFile
lstrlenW
ReadFile
SetFilePointerEx
GetConsoleMode
GetConsoleOutputCP
FlushFileBuffers
HeapReAlloc
HeapSize
GetProcessHeap
GetStringTypeW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
RaiseException
RtlUnwind
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
GetStdHandle
GetModuleFileNameW
GetModuleHandleExW
LCMapStringW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetFileType
DecodePointer

advapi32

LookupPrivilegeValueW
SetSecurityDescriptorDacl
AdjustTokenPrivileges
RegDeleteKeyExW
RegQueryInfoKeyW
GetSidSubAuthorityCount
RegDeleteKeyW
AllocateAndInitializeSid
GetSidSubAuthority
SetEntriesInAclW
RegEnumKeyExW
RegSetKeySecurity
OpenProcessToken
InitializeSecurityDescriptor
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegEnumValueW
GetTokenInformation
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegDeleteValueW

shell32

ShellExecuteW

ole32

CoCreateInstance
CoInitialize
CoUninitialize

ntdll

NtQueryInformationProcess

shlwapi

PathFindFileNameW

Sections

.text
Size: 53KB - Virtual size: 53KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 107KB - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

dda765b9352ee55eed4377f5697f2360

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

shell32

ole32

ntdll

shlwapi

Sections

.text Size: 53KB - Virtual size: 53KB

.rdata Size: 26KB - Virtual size: 26KB

.data Size: 2KB - Virtual size: 4KB

.rsrc Size: 107KB - Virtual size: 107KB

.reloc Size: 4KB - Virtual size: 4KB

.text
Size: 53KB - Virtual size: 53KB

.rdata
Size: 26KB - Virtual size: 26KB

.data
Size: 2KB - Virtual size: 4KB

.rsrc
Size: 107KB - Virtual size: 107KB

.reloc
Size: 4KB - Virtual size: 4KB