down[.]zip | Triage

Resubmissions

20/11/2023, 16:09

231120-tmalcsha77 10

Sharing

Copy URL Twitter E-mail

General

Target

down.zip
Size

1.6MB
MD5

f144b106ccc3094256d5a5fa41e27c91
SHA1

cc4b1b95bf6b74fff74480ccbc89eb58273248cf
SHA256

1861d9e5d96fcbb72d4b20d7858b3e652ab98f0c7a1af487a503ea1b67a2fc26
SHA512

5bfe109a79c4eacdaa2fbbd27584b4f3cdd6bb39dd7489f496bc6743a2ff6fd599ea2e2a322afc7efe7e84f578ea430f25e70efa9efa1755d1c8593176fede20
SSDEEP

49152:zg8mTyklBGAhW1QxzB1burWUptMMSBhYf5xN:MPyGdTXburzf5v

Score

1^/10

Malware Config

Signatures

Files

down.zip
.zip
down.vhd
.vhd
$RECYCLE.BIN/desktop.ini
AgenziaEntrateApp.exe
.exe windows:5 windows x86 arch:x86

862b480b8a3ed3404be46e3739bd8bd3

Code Sign

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4c
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Not Before

08/08/2009, 01:00

Not After

08/08/2024, 01:00

Subject

CN=WoSign Time Stamping Signer,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

5f:ae:e9:e8:3f:32:94:8f:3b:20:40:ac:6d:f0:14:5c
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

25/03/2015, 00:00

Not After

25/03/2016, 23:59

Subject

CN=Baidu Online Network Technology (Beijing) Co.\,Ltd.,OU=Baidu security,O=Baidu Online Network Technology (Beijing) Co.\,Ltd.,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

f6:06:2f:29:bd:e8:df:d0:f4:72:55:3a:8a:8c:17:a0:db:22:f4:3a
Signer

Actual PE Digest

f6:06:2f:29:bd:e8:df:d0:f4:72:55:3a:8a:8c:17:a0:db:22:f4:3a

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetPrivateProfileStringW
GetTimeZoneInformation
GetPrivateProfileSectionW
GetPrivateProfileIntW
GetTempPathW
GetTempFileNameW
CopyFileW
DeleteFileW
WriteFile
InterlockedIncrement
GetModuleHandleW
GetProcAddress
SetLastError
GetVersionExW
GetSystemDirectoryW
GetVersion
ProcessIdToSessionId
DebugBreak
VirtualProtect
IsBadCodePtr
IsBadReadPtr
GetModuleHandleExW
ExitThread
CreateDirectoryW
GetCommandLineW
InitializeCriticalSection
DeleteCriticalSection
GetModuleHandleA
LeaveCriticalSection
EnterCriticalSection
UnmapViewOfFile
MapViewOfFile
FlushInstructionCache
VirtualFree
Sleep
CreateFileMappingA
lstrlenW
GetWindowsDirectoryW
LocalFree
LocalAlloc
InterlockedExchange
InterlockedCompareExchange
WritePrivateProfileStringW
SystemTimeToFileTime
GetFileSizeEx
CreateProcessW
WTSGetActiveConsoleSessionId
WaitForSingleObject
ReadProcessMemory
VirtualQueryEx
InitializeCriticalSectionAndSpinCount
lstrlenA
CreateFileMappingW
HeapCreate
CreateEventW
AddVectoredExceptionHandler
SetUnhandledExceptionFilter
RemoveVectoredExceptionHandler
GetCurrentThreadId
TerminateProcess
VirtualQuery
GetModuleFileNameA
ReleaseMutex
LoadLibraryW
lstrcatA
GetThreadContext
Process32NextW
DuplicateHandle
VirtualAlloc
OpenFileMappingW
OpenEventW
lstrcpyA
VirtualAllocEx
VirtualFreeEx
GetCurrentThread
VirtualProtectEx
WriteProcessMemory
CreateRemoteThread
IsBadWritePtr
GetExitCodeThread
lstrcpyW
SetEndOfFile
SetFilePointer
GetPrivateProfileSectionNamesW
FlushFileBuffers
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
LoadLibraryA
GetLocaleInfoA
GetStringTypeW
LoadResource
GetStringTypeA
GetConsoleMode
Process32FirstW
CreateToolhelp32Snapshot
FindNextFileW
FindFirstFileW
GetCurrentProcess
GetTickCount
OpenProcess
FindClose
VerifyVersionInfoW
VerSetConditionMask
ReadFile
DeviceIoControl
CreateFileA
WideCharToMultiByte
MultiByteToWideChar
GlobalFree
GlobalAlloc
GetLocalTime
GetCurrentProcessId
GetModuleFileNameW
CreateMutexW
GetLastError
GetProcessHeap
HeapFree
HeapAlloc
GetFileSize
CreateFileW
CloseHandle
FindResourceExW
FindResourceW
SizeofResource
GetConsoleCP
QueryPerformanceCounter
GetStartupInfoA
GetFileType
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStdHandle
ExitProcess
LCMapStringW
LCMapStringA
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
IsValidCodePage
GetOEMCP
GetACP
InterlockedDecrement
GetCPInfo
RtlUnwind
GetStartupInfoW
GetSystemTimeAsFileTime
IsDebuggerPresent
UnhandledExceptionFilter
HeapSize
HeapReAlloc
HeapDestroy
RaiseException
LockResource
OpenMutexW

user32

GetLastInputInfo
PostQuitMessage
SetTimer
EndPaint
BeginPaint
DefWindowProcW
DestroyWindow
UpdateWindow
CreateWindowExW
RegisterClassExW
LoadCursorW
LoadIconW
ShowWindow
TranslateMessage
GetUserObjectInformationA
DispatchMessageW
GetMessageW
KillTimer
OpenInputDesktop
CloseDesktop
GetThreadDesktop

advapi32

RegOpenCurrentUser
SetSecurityDescriptorDacl
GetLengthSid
GetKernelObjectSecurity
AllocateAndInitializeSid
FreeSid
RegEnumKeyExW
CreateProcessAsUserW
DuplicateTokenEx
SetTokenInformation
GetTokenInformation
GetUserNameW
RegQueryValueExA
ConvertStringSecurityDescriptorToSecurityDescriptorW
RevertToSelf
ImpersonateLoggedOnUser
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegEnumValueW
RegSetValueExW
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
SetSecurityDescriptorSacl
GetSecurityDescriptorSacl
InitializeSecurityDescriptor

shell32

SHFileOperationW
SHGetSpecialFolderPathW
SHGetFolderPathW
ord165

ole32

CoCreateGuid

log

CloseLog
CreateLog
WriteLog

shlwapi

PathAppendW
PathRemoveFileSpecW
StrCpyW
PathFileExistsW
PathIsDirectoryW
PathAddBackslashW
SHGetValueW
SHSetValueW
SHDeleteValueW
PathIsDirectoryEmptyW
PathFindExtensionW
PathFindFileNameW

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

wtsapi32

WTSFreeMemory
WTSEnumerateSessionsW
WTSQueryUserToken

iphlpapi

GetAdaptersAddresses

rpcrt4

RpcStringFreeW
UuidToStringW
UuidCreate

winhttp

WinHttpOpenRequest
WinHttpConnect
WinHttpSendRequest
WinHttpWriteData
WinHttpAddRequestHeaders
WinHttpOpen
WinHttpCloseHandle
WinHttpSetOption
WinHttpReceiveResponse
WinHttpSetCredentials
WinHttpReadData
WinHttpQueryHeaders

psapi

GetModuleInformation
GetModuleFileNameExW

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

Sections

.text
Size: 363KB - Virtual size: 362KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 88KB - Virtual size: 88KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
jouk.mpg
.png
log.dll
.dll windows:5 windows x86 arch:x86

3787119f8b88e0b67e9e2f9c939b5007

Code Sign

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4c
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Not Before

08/08/2009, 01:00

Not After

08/08/2024, 01:00

Subject

CN=WoSign Time Stamping Signer,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

5f:ae:e9:e8:3f:32:94:8f:3b:20:40:ac:6d:f0:14:5c
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

25/03/2015, 00:00

Not After

25/03/2016, 23:59

Subject

CN=Baidu Online Network Technology (Beijing) Co.\,Ltd.,OU=Baidu security,O=Baidu Online Network Technology (Beijing) Co.\,Ltd.,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

78:8a:4d:8e:ab:3d:e8:9b:5d:3a:f9:31:69:c9:a1:c3:79:47:f9:ca
Signer

Actual PE Digest

78:8a:4d:8e:ab:3d:e8:9b:5d:3a:f9:31:69:c9:a1:c3:79:47:f9:ca

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
FileTimeToSystemTime
CreateFileW
MultiByteToWideChar
FlushFileBuffers
GetLastError
MoveFileW
WideCharToMultiByte
GetLocalTime
GetFileAttributesExW
QueryPerformanceFrequency
DeleteCriticalSection
GetCurrentThreadId
CloseHandle
DeleteFileW
LocalFree
WriteFile
OutputDebugStringW
SystemTimeToTzSpecificLocalTime
SetFilePointer
EnterCriticalSection
GetFileSize
GetCommandLineA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetModuleHandleW
GetProcAddress
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
InterlockedDecrement
Sleep
HeapSize
ExitProcess
GetStdHandle
GetModuleFileNameA
HeapFree
HeapAlloc
RaiseException
SetHandleCount
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapCreate
HeapDestroy
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetConsoleCP
GetConsoleMode
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapReAlloc
VirtualAlloc
LoadLibraryA
RtlUnwind
GetLocaleInfoA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
CreateFileA
GetModuleHandleA

advapi32

GetSecurityDescriptorSacl
ConvertStringSecurityDescriptorToSecurityDescriptorW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
SetSecurityDescriptorSacl

Exports

Exports

CloseLog
CreateLog
WriteData
WriteLog
WriteLogA
WriteVLog

Sections

.text
Size: 70KB - Virtual size: 69KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

862b480b8a3ed3404be46e3739bd8bd3

Code Sign

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4cCertificate

Extended Key Usages

Key Usages

5f:ae:e9:e8:3f:32:94:8f:3b:20:40:ac:6d:f0:14:5cCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

f6:06:2f:29:bd:e8:df:d0:f4:72:55:3a:8a:8c:17:a0:db:22:f4:3aSigner

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

log

shlwapi

version

wtsapi32

iphlpapi

rpcrt4

winhttp

psapi

userenv

Sections

.text Size: 363KB - Virtual size: 362KB

.rdata Size: 88KB - Virtual size: 88KB

.data Size: 6KB - Virtual size: 20KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 20KB - Virtual size: 20KB

3787119f8b88e0b67e9e2f9c939b5007

Code Sign

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4cCertificate

Extended Key Usages

Key Usages

5f:ae:e9:e8:3f:32:94:8f:3b:20:40:ac:6d:f0:14:5cCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

78:8a:4d:8e:ab:3d:e8:9b:5d:3a:f9:31:69:c9:a1:c3:79:47:f9:caSigner

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

Exports

Exports

Sections

.text Size: 70KB - Virtual size: 69KB

.rdata Size: 12KB - Virtual size: 12KB

.data Size: 5KB - Virtual size: 11KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 6KB - Virtual size: 6KB

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4c
Certificate

5f:ae:e9:e8:3f:32:94:8f:3b:20:40:ac:6d:f0:14:5c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

f6:06:2f:29:bd:e8:df:d0:f4:72:55:3a:8a:8c:17:a0:db:22:f4:3a
Signer

.text
Size: 363KB - Virtual size: 362KB

.rdata
Size: 88KB - Virtual size: 88KB

.data
Size: 6KB - Virtual size: 20KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 20KB - Virtual size: 20KB

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4c
Certificate

5f:ae:e9:e8:3f:32:94:8f:3b:20:40:ac:6d:f0:14:5c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

78:8a:4d:8e:ab:3d:e8:9b:5d:3a:f9:31:69:c9:a1:c3:79:47:f9:ca
Signer

.text
Size: 70KB - Virtual size: 69KB

.rdata
Size: 12KB - Virtual size: 12KB

.data
Size: 5KB - Virtual size: 11KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 6KB - Virtual size: 6KB