40779ef914c5e97b97a152118232b6a7

Sharing

Copy URL Twitter E-mail

General

Target

40779ef914c5e97b97a152118232b6a7
Size

535KB
MD5

40779ef914c5e97b97a152118232b6a7
SHA1

32cd26ec865ae1b0b51ecebc28525d9704d8a24f
SHA256

06fccd70d13a2044e08597e6202cd53864d3d71db951b6748793fa5ffc6d6e36
SHA512

0d4936465cbaabebbab6b61fcf26fb593e35581a0024590397309ea565e8870122bf5cdf1d62668bf10d2dcca9da7a6a26dd9a7efe492a7b2d406afc7c50154b
SSDEEP

12288:qxzMajtd7f/iDXO8MIgluIMeyRchyCFfF9ft:IzMahVUO8MTgIMh+kCFDft

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/zyh/plugin/7za.exe	upx

Unsigned PE 6 IoCs

Checks for missing Authenticode signature.

resource
unpack001/zyh/Unzip32.dll
unpack001/zyh/ZYH.exe
unpack001/zyh/plugin/7za.exe
unpack001/zyh/plugin/PALEdit.exe
unpack001/zyh/plugin/Updater.exe
unpack001/zyh/plugin/ZYHEMUGBC.exe

Files

40779ef914c5e97b97a152118232b6a7
.rar
zyh/FIRSTRUN.ZYH
zyh/Unzip32.dll
.dll windows:4 windows x86 arch:x86

d7fb4de41cd6c7ef515f3cb090e706e1

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

InterlockedExchange
HeapAlloc
GetLastError
CreateFileA
GetCurrentProcess
GetVersion
SetFileTime
SetFileAttributesA
FileTimeToLocalFileTime
GetFullPathNameA
CloseHandle
CreateMutexA
FindClose
SetVolumeLabelA
GetFileAttributesA
GetFileTime
FileTimeToDosDateTime
lstrcpyA
GlobalLock
GlobalAlloc
GlobalFree
GlobalUnlock
InitializeCriticalSection
WaitForSingleObject
ReleaseMutex
GetVolumeInformationA
lstrlenA
lstrcmpiA
EnterCriticalSection
GetDriveTypeA
lstrcpynA
LeaveCriticalSection
GetProcessHeap
HeapFree
FindFirstFileA
FindNextFileA
HeapDestroy
TlsFree
SetLastError
GetCurrentDirectoryA
HeapReAlloc
InterlockedDecrement
InterlockedIncrement
GetCommandLineA
GetTimeZoneInformation
HeapCreate
VirtualFree
DeleteCriticalSection
ExitProcess
VirtualAlloc
RtlUnwind
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
TerminateProcess
FlushFileBuffers
WriteFile
WideCharToMultiByte
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetCurrentThreadId
TlsSetValue
TlsAlloc
FileTimeToSystemTime
TlsGetValue
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetFilePointer
ReadFile
SetStdHandle
GetCPInfo
GetACP
GetOEMCP
GetProcAddress
LoadLibraryA
SetEndOfFile
CompareStringA
CompareStringW
SetEnvironmentVariableA
DeleteFileA
CreateDirectoryA

user32

CharToOemA
OemToCharA

advapi32

GetSecurityDescriptorControl
GetKernelObjectSecurity
AdjustTokenPrivileges
IsValidSecurityDescriptor
GetSecurityDescriptorDacl
SetKernelObjectSecurity
GetSecurityDescriptorSacl
GetSecurityDescriptorOwner
IsValidAcl
GetSecurityDescriptorGroup
GetSecurityDescriptorLength
IsValidSid
OpenProcessToken
LookupPrivilegeValueA

Exports

Exports

UzpFreeMemBuffer
UzpVersion
UzpVersion2
Wiz_Grep
Wiz_Init
Wiz_NoPrinting
Wiz_SetOpts
Wiz_SingleEntryUnzip
Wiz_Unzip
Wiz_UnzipToMemory
Wiz_Validate

Sections

.text
Size: 96KB - Virtual size: 92KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 840B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
zyh/ZYH.exe
.exe windows:4 windows x86 arch:x86

1ae3a3776427f2be2daddc068eb45171

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

__vbaStrI2
_CIcos
_adj_fptan
__vbaVarMove
__vbaStrI4
__vbaVarVargNofree
__vbaFreeVar
ord588
__vbaLineInputStr
__vbaStrVarMove
__vbaLenBstr
__vbaPut3
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaFreeObjList
__vbaGetFxStr4
ord516
ord517
_adj_fprem1
__vbaRecAnsiToUni
ord519
__vbaStrCat
__vbaLsetFixstr
__vbaRecDestruct
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
ord667
__vbaAryDestruct
__vbaBoolStr
__vbaExitProc
__vbaFileCloseAll
__vbaOnError
__vbaObjSet
ord595
ord596
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
ord598
ord520
__vbaStrFixstr
__vbaFPFix
__vbaBoolVarNull
_CIsin
ord631
__vbaErase
ord525
ord632
__vbaChkstk
ord526
__vbaFileClose
EVENT_SINK_AddRef
ord527
__vbaGet3
__vbaStrCmp
ord529
__vbaGet4
__vbaAryConstruct2
__vbaPutOwner3
__vbaVarTstEq
__vbaPrintObj
DllFunctionCall
ord670
__vbaVarOr
__vbaFpUI1
__vbaRedimPreserve
_adj_fpatan
__vbaFixstrConstruct
__vbaLateIdCallLd
__vbaRedim
__vbaRecUniToAnsi
EVENT_SINK_Release
__vbaNew
ord600
_CIsqrt
EVENT_SINK_QueryInterface
__vbaVarMul
__vbaStrUI1
__vbaExceptHandler
__vbaInputFile
__vbaPrintFile
__vbaStrToUnicode
ord606
_adj_fprem
_adj_fdivr_m64
__vbaI2Str
ord607
ord608
ord530
ord531
__vbaFPException
__vbaInStrVar
__vbaGetOwner3
__vbaUbound
__vbaStrVarVal
__vbaGetOwner4
__vbaVarCat
ord535
__vbaLsetFixstrFree
__vbaI2Var
ord644
ord537
ord645
_CIlog
__vbaFileOpen
ord570
__vbaInStr
__vbaNew2
ord648
ord571
_adj_fdiv_m32i
ord572
_adj_fdivr_m32i
ord573
__vbaStrCopy
ord681
__vbaI4Str
__vbaFreeStrList
_adj_fdivr_m32
__vbaPowerR8
_adj_fdiv_r
ord685
ord100
__vbaI4Var
__vbaVarCmpEq
__vbaAryLock
__vbaVarAdd
__vbaVarDup
__vbaStrToAnsi
ord613
__vbaFpI2
__vbaVarCopy
__vbaVarTstGe
__vbaFpI4
ord616
__vbaRecDestructAnsi
ord617
_CIatan
__vbaAryCopy
__vbaUI1Str
__vbaStrMove
__vbaCastObj
__vbaStrVarCopy
__vbaR8IntI4
ord619
_allmul
_CItan
__vbaUI1Var
__vbaFPInt
__vbaAryUnlock
_CIexp
__vbaMidStmtBstr
__vbaFreeObj
__vbaFreeStr
ord581

Sections

.text
Size: 540KB - Virtual size: 537KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
zyh/background/zyh emulator 1x.jpg
.jpg
zyh/plugin/7za.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 100KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 67KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
zyh/plugin/PALEdit.exe
.exe windows:4 windows x86 arch:x86

7d5f8d9ce89ee7e77687cb6817dee5b5

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

__vbaVarTstGt
__vbaVarSub
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
__vbaStrVarMove
__vbaLenBstr
ord588
__vbaLineInputStr
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaFreeObjList
__vbaVarFix
__vbaStrErrVarCopy
_adj_fprem1
__vbaStrCat
__vbaHresultCheckObj
__vbaLenVar
_adj_fdiv_m32
__vbaExitProc
__vbaVarForInit
__vbaObjSet
ord595
__vbaOnError
ord596
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
__vbaVarTstLt
_CIsin
ord632
__vbaChkstk
__vbaFileClose
EVENT_SINK_AddRef
ord528
__vbaGenerateBoundsError
__vbaStrCmp
__vbaPutOwner3
__vbaVarTstEq
__vbaPrintObj
ord561
__vbaVarLateMemSt
_adj_fpatan
__vbaR4Var
__vbaRedim
EVENT_SINK_Release
_CIsqrt
EVENT_SINK_QueryInterface
__vbaVarMul
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaVarDiv
__vbaFPException
__vbaStrVarVal
__vbaGetOwner3
__vbaUbound
__vbaVarCat
__vbaI2Var
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
ord570
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
ord573
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord100
__vbaVarTstNe
__vbaI4Var
__vbaVarAdd
__vbaAryLock
__vbaVarDup
ord617
_CIatan
__vbaUI1Str
__vbaStrMove
ord619
_allmul
_CItan
__vbaAryUnlock
__vbaVarForNext
_CIexp
__vbaFreeObj
__vbaFreeStr
__vbaI4ErrVar
__vbaR8FixI2

Sections

.text
Size: 40KB - Virtual size: 39KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
zyh/plugin/Updater.exe
.exe windows:4 windows x86 arch:x86

d544dbab9b54bd0cf765b9a9308ac4f4

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

urlmon

URLDownloadToFileA

msvbvm60

__vbaVarSub
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
ord588
__vbaStrVarMove
__vbaLineInputStr
__vbaFreeVarList
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaResume
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
EVENT_SINK2_Release
ord592
__vbaVarForInit
__vbaExitProc
__vbaObjSet
__vbaOnError
ord595
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
ord598
__vbaVarIndexLoad
__vbaVarTstLt
__vbaRefVarAry
_CIsin
__vbaChkstk
__vbaFileClose
EVENT_SINK_AddRef
__vbaStrCmp
ord529
__vbaPrintObj
DllFunctionCall
ord670
_adj_fpatan
EVENT_SINK_Release
_CIsqrt
EVENT_SINK_QueryInterface
__vbaVarMul
__vbaExceptHandler
ord711
__vbaStrToUnicode
_adj_fprem
_adj_fdivr_m64
__vbaVarDiv
__vbaFPException
__vbaUbound
__vbaI2Var
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
EVENT_SINK2_AddRef
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord100
__vbaVarAdd
__vbaLateMemCall
__vbaStrToAnsi
__vbaVarDup
__vbaFpI2
__vbaFpI4
_CIatan
__vbaCastObj
__vbaStrMove
__vbaR8IntI4
_allmul
__vbaFpCSngR4
_CItan
__vbaVarForNext
_CIexp
__vbaFreeStr
__vbaFreeObj

Sections

.text
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
zyh/plugin/ZYHEMUGBC.exe
.exe windows:4 windows x86 arch:x86

e2f3a20bcfe266d924c4de5fea315cd1

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

ord690
__vbaStrI2
_CIcos
_adj_fptan
__vbaStrI4
__vbaVarMove
__vbaFreeVar
ord588
__vbaLenBstr
__vbaStrVarMove
__vbaLineInputStr
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaCopyBytes
__vbaStrCat
ord660
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
__vbaStrBool
__vbaBoolStr
__vbaExitProc
ord595
__vbaOnError
__vbaObjSet
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
ord305
__vbaBoolVarNull
_CIsin
__vbaChkstk
__vbaFileClose
EVENT_SINK_AddRef
__vbaStrCmp
__vbaPutOwner3
__vbaAryConstruct2
__vbaR4Str
DllFunctionCall
__vbaVarLateMemSt
__vbaFpUI1
__vbaStrR4
_adj_fpatan
__vbaLateIdCallLd
__vbaRedim
__vbaR8Cy
EVENT_SINK_Release
__vbaNew
_CIsqrt
__vbaObjIs
ord311
EVENT_SINK_QueryInterface
__vbaExceptHandler
ord313
_adj_fprem
_adj_fdivr_m64
ord608
__vbaFPException
ord717
__vbaUbound
__vbaGetOwner3
__vbaStrVarVal
__vbaVarCat
_CIlog
__vbaFileOpen
__vbaNew2
ord571
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaI4Str
__vbaFreeStrList
_adj_fdivr_m32
__vbaPowerR8
_adj_fdiv_r
ord578
ord685
ord100
__vbaI4Var
ord689
__vbaFpCy
__vbaAryLock
__vbaVarDup
__vbaFpI4
_CIatan
__vbaCastObj
__vbaStrMove
ord650
_allmul
_CItan
__vbaAryUnlock
_CIexp
__vbaFreeObj
__vbaFreeStr

Sections

.text
Size: 104KB - Virtual size: 102KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
zyh/roms/最终鬼畜ZYH Emulator.nes
zyh/sound/ZYH Emulator.wav
zyh/sound/八音盒.ZMY
zyh/sound/小霸王其乐无穷啊.wav
zyh/sound/管弦乐器.ZMY
zyh/sound/贝司音色.ZMY
zyh/sound/钟声回荡.ZMY
zyh/sound/钢片敲击.ZMY
zyh/sound/钢琴音色.ZMY
zyh/sound/默认.ZMY
zyh/zyh.pal
zyh/新云软件.url
.url

Sharing

General

Malware Config

Signatures

Files

d7fb4de41cd6c7ef515f3cb090e706e1

Headers

File Characteristics

Imports

kernel32

user32

advapi32

Exports

Exports

Sections

.text Size: 96KB - Virtual size: 92KB

.rdata Size: 20KB - Virtual size: 16KB

.data Size: 8KB - Virtual size: 12KB

.rsrc Size: 4KB - Virtual size: 840B

.reloc Size: 8KB - Virtual size: 5KB

1ae3a3776427f2be2daddc068eb45171

Headers

File Characteristics

Imports

msvbvm60

Sections

.text Size: 540KB - Virtual size: 537KB

.data Size: 4KB - Virtual size: 25KB

.rsrc Size: 4KB - Virtual size: 3KB

Headers

File Characteristics

Sections

UPX0 Size: - Virtual size: 100KB

UPX1 Size: 67KB - Virtual size: 68KB

.rsrc Size: 5KB - Virtual size: 8KB

7d5f8d9ce89ee7e77687cb6817dee5b5

Headers

File Characteristics

Imports

msvbvm60

Sections

.text Size: 40KB - Virtual size: 39KB

.data Size: 4KB - Virtual size: 6KB

.rsrc Size: 4KB - Virtual size: 2KB

d544dbab9b54bd0cf765b9a9308ac4f4

Headers

File Characteristics

Imports

urlmon

msvbvm60

Sections

.text Size: 24KB - Virtual size: 20KB

.data Size: 4KB - Virtual size: 2KB

.rsrc Size: 4KB - Virtual size: 2KB

e2f3a20bcfe266d924c4de5fea315cd1

Headers

File Characteristics

Imports

msvbvm60

Sections

.text Size: 104KB - Virtual size: 102KB

.data Size: 4KB - Virtual size: 9KB

.rsrc Size: 8KB - Virtual size: 4KB

.text
Size: 96KB - Virtual size: 92KB

.rdata
Size: 20KB - Virtual size: 16KB

.data
Size: 8KB - Virtual size: 12KB

.rsrc
Size: 4KB - Virtual size: 840B

.reloc
Size: 8KB - Virtual size: 5KB

.text
Size: 540KB - Virtual size: 537KB

.data
Size: 4KB - Virtual size: 25KB

.rsrc
Size: 4KB - Virtual size: 3KB

UPX0
Size: - Virtual size: 100KB

UPX1
Size: 67KB - Virtual size: 68KB

.rsrc
Size: 5KB - Virtual size: 8KB

.text
Size: 40KB - Virtual size: 39KB

.data
Size: 4KB - Virtual size: 6KB

.rsrc
Size: 4KB - Virtual size: 2KB

.text
Size: 24KB - Virtual size: 20KB

.data
Size: 4KB - Virtual size: 2KB

.rsrc
Size: 4KB - Virtual size: 2KB

.text
Size: 104KB - Virtual size: 102KB

.data
Size: 4KB - Virtual size: 9KB

.rsrc
Size: 8KB - Virtual size: 4KB