zebrocy | setup[.]exe | Triage

Sharing

General

Target

setup.exe
Size

3.5MB
MD5

b91097bff5f741a965eb80edfcc97b0b
SHA1

fdebe47b69442a312c1008c7a5ee71b3f41b4a68
SHA256

de4da24486f406177afea313e60468918398dbbdb3551a7290a4050966494728
SHA512

21b96d15a463a5cdc7e2016a8a1e1cf636b1c4d13343f66fdcad24deecba56a29797600701ac3a382133ca585c89eb81fab085853991c19ccf245ff11de91514
SSDEEP

49152:JAdGB73ejP3+EMfRdASVaAvrC5Xh602+:JAgR3epMjASHch

Score

10^/10

zebrocy ekans

Malware Config

Signatures

Ekans Ransomware 1 IoCs
Executable looks like Ekans ICS ransomware sample.

Processes:

resource yara_rule

sample family_ekans
Ekans family
ekans
Zebrocy Go Variant 1 IoCs

Processes:

resource yara_rule

sample Zebrocy
Zebrocy family
zebrocy
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

setup.exe

Files

setup.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.text
Size: 3.5MB - Virtual size: 3.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 87KB - Virtual size: 169KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1024B - Virtual size: 882B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.symtab
Size: 512B - Virtual size: 4B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ