gg_wonder[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

gg_wonder.zip
Size

1.3MB
MD5

02a64a96d8253603670dccb060db8c18
SHA1

c2ff43623ae66962a52ad03a11dcc5ef3468b57f
SHA256

17e578eca724060f200c456077b4f3ed32a81f5e26b132c470faac1ef3384bd5
SHA512

b0e8dc6f4c5e9d38bc8d5132b92dcaff476632f2ee05f9b1c38ca360eeb325dc99ede1d36a930660bf42d98c7d6efa97c91907e2f6b3ed55435a53bfa14c55a1
SSDEEP

24576:7NGvRRClnuG8l03w/mLaSnMUIxQasJvBcQCYOe8OTzME/C/8joPZ581FuNMEFI:70vOtuG8lkw/8a7UIxeqTe8MR/C/izTv

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/multi/phantom_multi.exe

Files

gg_wonder.zip
.zip

Password: 1237
multi/phantom_multi.exe
.exe windows:4 windows x64 arch:x64

Password: 1237

081a3ed5c6a81f135366c9e245629174

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Imports

advapi32

CryptAcquireContextW
CryptDestroyKey
CryptImportKey
CryptReleaseContext
OpenProcessToken
RegCloseKey
RegEnumKeyExW
RegEnumValueW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryValueExW
SystemFunction036

kernel32

AcquireSRWLockExclusive
AcquireSRWLockShared
AddVectoredExceptionHandler
CancelIo
CancelIoEx
CloseHandle
CompareStringOrdinal
ConnectNamedPipe
CopyFileExW
CreateDirectoryW
CreateEventW
CreateFileMappingA
CreateFileW
CreateHardLinkW
CreateIoCompletionPort
CreateNamedPipeW
CreateProcessW
CreateSymbolicLinkW
CreateThread
CreateToolhelp32Snapshot
CreateWaitableTimerExW
DeleteFileW
DeleteProcThreadAttributeList
DeviceIoControl
DisconnectNamedPipe
DuplicateHandle
ExitProcess
FileTimeToSystemTime
FindClose
FindFirstFileW
FindNextFileW
FlushFileBuffers
FormatMessageW
FreeEnvironmentStringsW
FreeLibrary
GetCommandLineW
GetConsoleMode
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetEnvironmentStringsW
GetEnvironmentVariableW
GetExitCodeProcess
GetFileAttributesW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFileType
GetFinalPathNameByHandleW
GetFullPathNameW
GetLastError
GetLogicalProcessorInformation
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetNamedPipeInfo
GetOverlappedResult
GetProcAddress
GetProcessHeap
GetProcessId
GetQueuedCompletionStatusEx
GetStdHandle
GetSystemDirectoryW
GetSystemInfo
GetSystemTimeAsFileTime
GetTempPathW
GetWindowsDirectoryW
HeapAlloc
HeapFree
HeapReAlloc
InitOnceBeginInitialize
InitOnceComplete
InitializeProcThreadAttributeList
LoadLibraryA
LocalFree
MapViewOfFile
Module32FirstW
Module32NextW
MoveFileExW
MultiByteToWideChar
PostQueuedCompletionStatus
QueryPerformanceCounter
QueryPerformanceFrequency
ReadConsoleW
ReadFile
ReadFileEx
RegisterWaitForSingleObject
ReleaseSRWLockExclusive
ReleaseSRWLockShared
RemoveDirectoryW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetConsoleCtrlHandler
SetCurrentDirectoryW
SetEnvironmentVariableW
SetFileAttributesW
SetFileCompletionNotificationModes
SetFileInformationByHandle
SetFilePointerEx
SetFileTime
SetHandleInformation
SetLastError
SetThreadStackGuarantee
SetUnhandledExceptionFilter
SetWaitableTimer
Sleep
SleepConditionVariableSRW
SleepEx
SwitchToThread
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryAcquireSRWLockExclusive
UnmapViewOfFile
UnregisterWaitEx
UpdateProcThreadAttribute
VirtualAlloc
VirtualProtect
WaitForMultipleObjects
WaitForSingleObject
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte
WriteConsoleW
WriteFile
WriteFileEx
WriteProcessMemory
DeleteCriticalSection
EnterCriticalSection
InitializeCriticalSection
LeaveCriticalSection
RaiseException
RtlUnwindEx
VirtualQuery
__C_specific_handler

bcrypt

BCryptGenRandom

crypt32

CertAddCertificateContextToStore
CertAddEncodedCTLToStore
CertAddEncodedCertificateToStore
CertCloseStore
CertCreateCTLEntryFromCertificateContextProperties
CertCreateCertificateContext
CertDeleteCertificateFromStore
CertDuplicateCertificateChain
CertDuplicateCertificateContext
CertDuplicateStore
CertEnumCertificatesInStore
CertFreeCTLContext
CertFreeCertificateChain
CertFreeCertificateContext
CertGetCertificateChain
CertGetCertificateContextProperty
CertGetEnhancedKeyUsage
CertOpenStore
CertSetCertificateContextProperty
CertVerifyCertificateChainPolicy
CertVerifyTimeValidity
CryptAcquireCertificatePrivateKey
CryptBinaryToStringA
CryptDecodeObjectEx
CryptEncodeObjectEx
CryptHashCertificate
CryptMsgEncodeAndSignCTL
CryptStringToBinaryA
PFXExportCertStore
PFXImportCertStore

ncrypt

NCryptFreeObject

ntdll

NtCancelIoFileEx
NtCreateFile
NtDeviceIoControlFile
NtReadFile
NtWriteFile
RtlNtStatusToDosError

secur32

AcceptSecurityContext
AcquireCredentialsHandleA
ApplyControlToken
DecryptMessage
DeleteSecurityContext
EncryptMessage
FreeContextBuffer
FreeCredentialsHandle
InitializeSecurityContextW
QueryContextAttributesW

userenv

GetUserProfileDirectoryW

ws2_32

WSACleanup
WSADuplicateSocketW
WSAGetLastError
WSAIoctl
WSAPoll
WSARecv
WSARecvFrom
WSASend
WSASendMsg
WSASendTo
WSASocketW
WSAStartup
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
getpeername
getsockname
getsockopt
ioctlsocket
listen
recv
recvfrom
select
send
sendto
setsockopt
shutdown
socket

msvcrt

__getmainargs
__initenv
__iob_func
__set_app_type
__setusermatherr
_amsg_exit
_cexit
_commode
_errno
_fmode
_fpreset
_initterm
_onexit
abort
calloc
exit
fprintf
free
fwrite
malloc
memcmp
memcpy
memmove
memset
pow
signal
strlen
strncmp
vfprintf

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 820KB - Virtual size: 819KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.eh_fram
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 95KB - Virtual size: 94KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 112B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
multi/readme.txt

Sharing

General

Malware Config

Signatures

Files

Password: 1237

Password: 1237

081a3ed5c6a81f135366c9e245629174

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

bcrypt

crypt32

ncrypt

ntdll

secur32

userenv

ws2_32

msvcrt

Sections

.text Size: 2.3MB - Virtual size: 2.3MB

.data Size: 19KB - Virtual size: 19KB

.rdata Size: 820KB - Virtual size: 819KB

.eh_fram Size: 512B - Virtual size: 4B

.pdata Size: 76KB - Virtual size: 76KB

.xdata Size: 95KB - Virtual size: 94KB

.bss Size: - Virtual size: 1KB

.idata Size: 11KB - Virtual size: 10KB

.CRT Size: 512B - Virtual size: 112B

.tls Size: 512B - Virtual size: 16B

.reloc Size: 26KB - Virtual size: 25KB

.text
Size: 2.3MB - Virtual size: 2.3MB

.data
Size: 19KB - Virtual size: 19KB

.rdata
Size: 820KB - Virtual size: 819KB

.eh_fram
Size: 512B - Virtual size: 4B

.pdata
Size: 76KB - Virtual size: 76KB

.xdata
Size: 95KB - Virtual size: 94KB

.bss
Size: - Virtual size: 1KB

.idata
Size: 11KB - Virtual size: 10KB

.CRT
Size: 512B - Virtual size: 112B

.tls
Size: 512B - Virtual size: 16B

.reloc
Size: 26KB - Virtual size: 25KB