Poweliks[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

Poweliks.zip
Size

112KB
MD5

1a1c9e567fb8a496e59ec64a2053282d
SHA1

27f39f2299cd30763edf69ab4a0df7c9904ef40b
SHA256

069f8465baeaa5b1b95e68f68db2a98f59025b9fa88bbcb80fc775d0efd2d67d
SHA512

0c10250e43e4d46e2a82e3f592a453825efd9f6ab99bdf6a47b3a8d0d5ed5dff3a9224fae70111359274c81122e264e0a4eacb120678f71603b2b41f17e01ff0
SSDEEP

3072:7AE0TV7F0otlGdtMcjQYdyBVxsPRc3VOnpJZdj3WmLZOwg:kEaV7NGdtjjpqXsPRjnpF3WaZOwg

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/dropper.ex_
unpack001/payload.dll

Files

Poweliks.zip
.zip

Password: infected
PayloadA.txt
PayloadA_decoded.bin
ScriptA.txt
.ps1
ScriptB.txt
.ps1
dropper.ex_
.exe windows:5 windows x86 arch:x86

5cafa89cc24cd000febd858ff526290b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

shlwapi

ord29
StrChrW

kernel32

FindFirstFileA
IsDBCSLeadByteEx
LocalAlloc
GetExitCodeThread
GetProfileStringA
GetThreadPriority
lstrcmpiW
GetFileAttributesExW
GetStringTypeExA
GetVersion
GetFileInformationByHandle
GlobalAddAtomW
GetPrivateProfileSectionW
SetFileAttributesW
GetVolumeInformationW
ExitThread
GetEnvironmentVariableA
GetSystemDirectoryA
FileTimeToSystemTime
DeleteVolumeMountPointW
GetThreadContext
SizeofResource
OpenProcess
ReadConsoleW
GetTickCount
FlushConsoleInputBuffer
GetUserDefaultLCID
CreateDirectoryW
LoadLibraryExW
UnmapViewOfFile
GetStringTypeA
GetShortPathNameW

user32

UnregisterClassW
RemovePropW
SwapMouseButton
UnloadKeyboardLayout
CloseWindowStation
LoadBitmapA
CharUpperA
IsCharAlphaW
WindowFromPoint
IsCharLowerA
GetWindowLongW
AppendMenuW
GetWindowLongA
GetClipboardData
GetWindowTextW
IsCharLowerW
GetClassInfoA
AppendMenuA
wvsprintfA
ClipCursor
DefDlgProcA
GetDialogBaseUnits
SetThreadDesktop

gdi32

OffsetViewportOrgEx
CreateEllipticRgnIndirect
Escape
GetTextExtentExPointA
CreateCompatibleBitmap
PtInRegion
SetRectRgn
DeleteObject
ExcludeClipRect
CreateFontIndirectA
WidenPath
GetEnhMetaFileBits
SetViewportOrgEx
GetTextExtentPoint32A
PatBlt
SetDIBitsToDevice
CreatePolygonRgn
GetTextColor

Exports

Exports

?ErrorCommon@@YGEPAG@Z
Feus_Yeah_Mace_Gilt_Paid_Iota_Roesow

Sections

.text
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: 512B - Virtual size: 316B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.crt
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 788B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
payload.dll
.dll windows:5 windows x86 arch:x86

67412f20a27799b0714ecf390d4d1ec5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

kernel32

GetModuleHandleA
GetProcAddress

ntdll

atoi

ws2_32

recv

shlwapi

StrStrA

wininet

InternetCrackUrlA

rpcrt4

UuidCreateSequential

imagehlp

CheckSumMappedFile

userenv

CreateEnvironmentBlock

advapi32

RegCloseKey

ole32

CoInitialize

Sections

.MPRESS1
Size: 8KB - Virtual size: 35.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.MPRESS2
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
unpacked_dropper.ex_
.exe .ps1 windows:5 windows x86 arch:x86

Sharing

General

Malware Config

Signatures

Files

Password: infected

5cafa89cc24cd000febd858ff526290b

Headers

DLL Characteristics

File Characteristics

Imports

shlwapi

kernel32

user32

gdi32

Exports

Exports

Sections

.text Size: 18KB - Virtual size: 18KB

.itext Size: 512B - Virtual size: 316B

.crt Size: 20KB - Virtual size: 19KB

.data Size: 26KB - Virtual size: 26KB

.rsrc Size: 1024B - Virtual size: 788B

.reloc Size: 2KB - Virtual size: 2KB

67412f20a27799b0714ecf390d4d1ec5

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

ntdll

ws2_32

shlwapi

wininet

rpcrt4

imagehlp

userenv

advapi32

ole32

Sections

.MPRESS1 Size: 8KB - Virtual size: 35.2MB

.MPRESS2 Size: 1KB - Virtual size: 1KB

.text
Size: 18KB - Virtual size: 18KB

.itext
Size: 512B - Virtual size: 316B

.crt
Size: 20KB - Virtual size: 19KB

.data
Size: 26KB - Virtual size: 26KB

.rsrc
Size: 1024B - Virtual size: 788B

.reloc
Size: 2KB - Virtual size: 2KB

.MPRESS1
Size: 8KB - Virtual size: 35.2MB

.MPRESS2
Size: 1KB - Virtual size: 1KB