zebrocy | 34371c7833c38fa441316f238961d9a2[.]bin | Triage

Sharing

General

Target

34371c7833c38fa441316f238961d9a2.bin
Size

978KB
MD5

34371c7833c38fa441316f238961d9a2
SHA1

74e99094f77642ef2d803188121a9c61e73139fe
SHA256

444b77c224199fbcb8e1241f999ea02b68e5cee7d74f262c160ae45d85cf1105
SHA512

aba20341168f6f78cecb302c1544ad617a6dc4d5e081cb3ffbcfe0e67c9a5708ce7e9d264de78eb620c3acea19cf37789f25a48dbb080ed16542ccc4b780386a
SSDEEP

24576:VoyOrimyU/MAYycTwgadEhiU8BnM4XkEJ:CNyU/LYyQwdU8RkE

Score

10^/10

upx zebrocy ekans

Malware Config

Signatures

Ekans Ransomware 1 IoCs

Executable looks like Ekans ICS ransomware sample.

Processes:

resource	yara_rule
static1/unpack001/out.upx	family_ekans

Ekans family
ekans

Zebrocy Go Variant 1 IoCs

Processes:

resource	yara_rule
static1/unpack001/out.upx	Zebrocy

Zebrocy family
zebrocy
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

sample upx

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

Processes:

resource
34371c7833c38fa441316f238961d9a2.bin
unpack001/out.upx

Files

34371c7833c38fa441316f238961d9a2.bin
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: - Virtual size: 2.7MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 977KB - Virtual size: 980KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX2
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.text
Size: 3.5MB - Virtual size: 3.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 87KB - Virtual size: 169KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1024B - Virtual size: 882B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.symtab
Size: 512B - Virtual size: 4B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ