lnk[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

lnk.zip
Size

3.8MB
MD5

5a11eec8664920a150d449d31fd31eb2
SHA1

6890a000542ad6d1a292c41d9be5612242012ec6
SHA256

4bea420baefa6c615cb3cca42920d4a3f6469d5206d3e460083528ae3f2a9fb2
SHA512

864d9143c26897df12949ce1c0b9357f3e7dec9666d5da304af02d9b903428c36ffe0af37b7717174da5259c9726a69b61e5cb8432d295f89673f9cdcef947fe
SSDEEP

98304:ZlsQZ36fIyUNw9+sIyAcp0gAmqA9uoolIQBh2byFrrm:zPF6zUFVkAaolIQCOy

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/triage.dll

Files

lnk.zip
.zip
run.bat
triage.dll
.dll regsvr32 windows:6 windows x64 arch:x64

9d279e025ab5bf893ee134845c8c47ae

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

wsock32

WSASetLastError
WSACleanup
socket
WSAGetLastError
htonl
closesocket
connect
inet_ntoa
getsockopt
select
setsockopt
getsockname
ntohs
gethostbyname
shutdown
WSAStartup
listen
bind
accept
send
recv
getservbyname
getservbyport
gethostbyaddr
inet_addr
ioctlsocket
htons

crypt32

CryptUnprotectData

kernel32

GetModuleHandleW
CloseHandle
GetLastError
SetLastError
HeapAlloc
HeapFree
GetProcessHeap
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetEvent
ReleaseSemaphore
WaitForSingleObject
SleepEx
WaitForSingleObjectEx
WaitForMultipleObjectsEx
CreateEventA
CreateEventW
SetWaitableTimer
WaitForMultipleObjects
QueueUserAPC
TerminateThread
LocalFree
FormatMessageA
FormatMessageW
CreateSemaphoreA
WideCharToMultiByte
QueryPerformanceCounter
QueryPerformanceFrequency
GlobalAlloc
GlobalUnlock
GlobalLock
FindClose
FindFirstFileW
GetModuleFileNameW
GetSystemTimeAsFileTime
CreateWaitableTimerA
CreateFileW
GetFileType
GetCurrentProcessId
CreateToolhelp32Snapshot
Process32First
Process32Next
GetCommandLineW
TerminateProcess
GetExitCodeProcess
CreateProcessW
ExitProcess
EnumSystemLocalesW
OpenThread
LoadLibraryW
Thread32Next
Sleep
InitializeSRWLock
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStdHandle
WriteFile
MultiByteToWideChar
RtlVirtualUnwind
GetSystemDirectoryA
LoadLibraryA
GetEnvironmentVariableW
GetACP
GetModuleHandleExW
GetSystemInfo
VirtualFree
SwitchToFiber
DeleteFiber
CreateFiberEx
FindNextFileW
ConvertFiberToThread
ConvertThreadToFiberEx
GetCurrentProcess
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
GetSystemTime
SystemTimeToFileTime
CompareStringW
GetTimeFormatW
GetDateFormatW
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetDriveTypeW
SetConsoleCtrlHandler
FreeLibraryAndExitThread
ExitThread
CreateThread
LoadLibraryExW
InterlockedFlushSList
InterlockedPushEntrySList
RtlUnwindEx
GetStartupInfoW
IsDebuggerPresent
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
GetProcAddress
FreeLibrary
LCMapStringW
GetLocaleInfoW
IsValidLocale
Thread32First
GetUserDefaultLCID
GetConsoleOutputCP
GetFileSizeEx
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetTimeZoneInformation
FindFirstFileExW
GetCommandLineA
WriteConsoleW
GetCurrentThreadId
RtlUnwind
UnhandledExceptionFilter
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
CopyFileExW
CreateDirectoryExW
DeviceIoControl
SetFilePointerEx
SetFileAttributesW
RemoveDirectoryW
GetFileTime
GetFileInformationByHandle
CreateDirectoryW
GetCurrentDirectoryW
SetCurrentDirectoryW
GetModuleHandleA
ResumeThread
OpenEventA
ResetEvent
GetCPInfo
CompareStringEx
GetStringTypeW
GetLocaleInfoEx
FlushFileBuffers
GetTickCount
MapViewOfFile
CreateFileMappingW
GetFileSize
LockFileEx
UnlockFile
HeapDestroy
HeapCompact
HeapReAlloc
DeleteFileW
DeleteFileA
CreateFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapSize
HeapValidate
UnmapViewOfFile
GetFileAttributesW
CreateMutexW
GetTempPathW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
GetFullPathNameW
HeapCreate
ReadFile
AreFileApisANSI
InitializeCriticalSection
TryEnterCriticalSection
ReleaseMutex
CreateMutexA
RtlPcToFileHeader
RaiseException
GetNativeSystemInfo
InitializeCriticalSectionEx
EncodePointer
DecodePointer
LCMapStringEx

user32

GetUserObjectInformationW
TranslateMessage
DispatchMessageA
MessageBoxW
GetMessageA
GetSystemMetrics
DefWindowProcA
RegisterClassW
CreateWindowExW
OpenClipboard
CloseClipboard
SetClipboardData
GetClipboardData
GetProcessWindowStation
IsClipboardFormatAvailable
AddClipboardFormatListener
GetDC
ReleaseDC
EmptyClipboard

gdi32

CreateCompatibleDC
DeleteDC
DeleteObject
CreateCompatibleBitmap
BitBlt
SelectObject

advapi32

CryptGenRandom
CryptReleaseContext
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
CredFree
CryptEnumProvidersA
CryptAcquireContextA
CredEnumerateA
GetSidSubAuthorityCount
GetSidSubAuthority
CreateProcessAsUserW
GetTokenInformation
OpenProcessToken
RegEnumValueW
RegEnumKeyW
RegEnumValueA
RegGetValueW
RegOpenKeyExW
RegCloseKey

shell32

CommandLineToArgvW

ole32

CoCreateInstance
CoInitializeEx
CoUninitialize

oleaut32

SysAllocString
VariantClear

ws2_32

WSASend
inet_pton
WSAStringToAddressW
WSAIoctl
getaddrinfo
freeaddrinfo
WSARecv
WSASocketW
__WSAFDIsSet

gdiplus

GdiplusStartup
GdipCreateBitmapFromHBITMAP
GdipSaveImageToFile
GdiplusShutdown

rpcrt4

UuidFromStringA

wtsapi32

WTSQueryUserToken
WTSFreeMemory
WTSEnumerateSessionsW

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock
GetUserProfileDirectoryW

Exports

Exports

DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 4.1MB - Virtual size: 4.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.4MB - Virtual size: 2.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 101KB - Virtual size: 134KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 184KB - Virtual size: 183KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 47KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9d279e025ab5bf893ee134845c8c47ae

Headers

DLL Characteristics

File Characteristics

Imports

wsock32

crypt32

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

ws2_32

gdiplus

rpcrt4

wtsapi32

userenv

Exports

Exports

Sections

.text Size: 4.1MB - Virtual size: 4.1MB

.rdata Size: 2.4MB - Virtual size: 2.4MB

.data Size: 101KB - Virtual size: 134KB

.pdata Size: 184KB - Virtual size: 183KB

_RDATA Size: 512B - Virtual size: 244B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 47KB - Virtual size: 46KB

.text
Size: 4.1MB - Virtual size: 4.1MB

.rdata
Size: 2.4MB - Virtual size: 2.4MB

.data
Size: 101KB - Virtual size: 134KB

.pdata
Size: 184KB - Virtual size: 183KB

_RDATA
Size: 512B - Virtual size: 244B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 47KB - Virtual size: 46KB