d199[.]zip | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

d199.zip
Size

3.2MB
MD5

051aa6cd3749716c6f8a84d0a7676e85
SHA1

bf175e15e2ca25dab0cc5188ac8b189af9a0ecb8
SHA256

1a062ac431fb3b555721bc98e7730c5c88b628c29823af04f735b2f5cb92ebd7
SHA512

d71565e277c2c984be9949812a1246b58330b4629db653c65506be4b3101adf9be2e51e491b0591f9b73a90ed7878da7d2436765631b27f47e4a2854fc77cdfa
SSDEEP

98304:LEniLWGyBC9S/nv06//wKHOPUTCD5r7zIHQwhgV:LzLWGWCs6KHOM+DRHEQwS

Score

1^/10

Malware Config

Signatures

Files

d199.zip
.zip

Password: infected
uagytwinjf.exe
.exe windows:6 windows x64 arch:x64

a2441d00a298961cc2bfdf35cdf0b52a

Code Sign

67:f1:53:b2:0a:d3:39:9c:7e:dd:ce:2c:6c:af:d7:66
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

07-06-2017 00:00

Not After

20-07-2020 23:59

Subject

CN=AnchorFree Inc,O=AnchorFree Inc,L=Menlo Park,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10-12-2013 00:00

Not After

09-12-2023 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0c:a7:cf:5d:07:07:24:ac:89:e7:9a:3a
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Not Before

19-02-2018 00:00

Not After

18-03-2029 10:00

Subject

CN=GlobalSign TSA for Advanced - G2

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:31:89:c6:50:04
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

02-08-2011 10:00

Not After

29-03-2029 10:00

Subject

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

14:a3:b5:bb:49:a2:0e:f4:f5:6e:9a:1b:1d:8f:a0:b7:79:40:80:22:a2:5e:73:62:8a:c6:15:12:15:ab:a2:04
Signer

Actual PE Digest

14:a3:b5:bb:49:a2:0e:f4:f5:6e:9a:1b:1d:8f:a0:b7:79:40:80:22:a2:5e:73:62:8a:c6:15:12:15:ab:a2:04

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

G:\RUST_DROPPER_EXE_PAYLOAD\DROPPER_MAIN\dropper_stub\target\release\deps\test_x64.pdb

Imports

ole32

CoUninitialize
OleSetContainedObject
OleUninitialize
OleInitialize
CoGetClassObject
CoInitializeEx

oleaut32

SysAllocStringLen
SysFreeString
SafeArrayCreate
SafeArrayDestroy
SafeArrayAccessData
VariantInit
VariantClear

gdi32

CreateSolidBrush
GetDeviceCaps

user32

GetMessageW
TranslateMessage
DispatchMessageW
PeekMessageW
PostMessageW
DefWindowProcW
PostQuitMessage
RegisterClassExW
CreateWindowExW
DestroyWindow
ShowWindow
SetWindowPos
IsIconic
IsZoomed
SetFocus
UpdateWindow
GetDC
ReleaseDC
SetWindowTextW
GetClientRect
GetWindowRect
AdjustWindowRect
GetWindowLongW
SetWindowLongW
GetClassNameW
SetWindowLongPtrW
SetClassLongPtrW
GetDesktopWindow
LoadImageW
SystemParametersInfoW
MonitorFromWindow
GetMonitorInfoW
SendMessageA
WaitForInputIdle
GetForegroundWindow
GetWindowTextW
MessageBoxW
MessageBeep
EnumChildWindows
EnumWindows
GetWindowLongPtrW

comdlg32

GetSaveFileNameW
ChooseColorW
GetOpenFileNameW

shell32

SHBrowseForFolderW
SHGetPathFromIDListW

api-ms-win-shcore-scaling-l1-1-1

SetProcessDpiAwareness

ntdll

NtWriteFile
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlUnwindEx
NtQueryInformationProcess
RtlPcToFileHeader
RtlCreateProcessParametersEx
NtUnmapViewOfSection
RtlDestroyProcessParameters
NtDeviceIoControlFile
RtlNtStatusToDosError
NtCancelIoFileEx
NtCreateFile

kernel32

SetHandleInformation
GetSystemInfo
UnhandledExceptionFilter
SetFileCompletionNotificationModes
CreateIoCompletionPort
GetQueuedCompletionStatusEx
PostQueuedCompletionStatus
GetConsoleWindow
Sleep
GetModuleHandleA
ReadProcessMemory
WriteProcessMemory
SetConsoleOutputCP
SetConsoleCP
AddVectoredExceptionHandler
SetThreadStackGuarantee
SwitchToThread
QueryPerformanceCounter
SetLastError
GetCurrentDirectoryW
GetEnvironmentVariableW
WriteConsoleW
GetCommandLineW
SetFileInformationByHandle
ReadConsoleW
GetCurrentProcessId
TerminateProcess
QueryPerformanceFrequency
HeapAlloc
GetProcessHeap
HeapFree
SetConsoleMode
HeapReAlloc
ReleaseMutex
FindClose
CreateFileW
GetFileInformationByHandle
GetFileInformationByHandleEx
FindFirstFileW
GetFinalPathNameByHandleW
GetConsoleMode
FormatMessageW
GetFullPathNameW
ReleaseSRWLockShared
GetConsoleOutputCP
CreateThread
GetCurrentThread
GetSystemTimeAsFileTime
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
GetConsoleCP
GetACP
CreateProcessW
WaitForSingleObject
CloseHandle
Beep
AcquireSRWLockShared
GetStdHandle
WideCharToMultiByte
MultiByteToWideChar
MulDiv
GlobalFree
GlobalAlloc
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
OutputDebugStringW
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
GetCurrentProcess
GetLastError
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetCurrentThreadId
InitializeSListHead
IsDebuggerPresent
RaiseException
EncodePointer
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TryAcquireSRWLockExclusive
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW

advapi32

GetTokenInformation
OpenProcessToken
LookupAccountSidW
RegOpenKeyExW
RegCloseKey
RegCreateKeyW
RegSetValueExW
SystemFunction036
RegQueryValueExW

secur32

InitializeSecurityContextW
FreeCredentialsHandle
AcceptSecurityContext
FreeContextBuffer
DecryptMessage
EncryptMessage
ApplyControlToken
QueryContextAttributesW
DeleteSecurityContext
AcquireCredentialsHandleA

crypt32

CertGetCertificateChain
CertVerifyCertificateChainPolicy
CertCloseStore
CertDuplicateCertificateContext
CertFreeCertificateContext
CertDuplicateStore
CertFreeCertificateChain
CertDuplicateCertificateChain
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertOpenStore

ws2_32

closesocket
bind
connect
getsockname
getpeername
shutdown
recv
send
WSASend
WSAIoctl
getsockopt
setsockopt
ioctlsocket
WSAGetLastError
WSAStartup
WSACleanup
freeaddrinfo
getaddrinfo
WSASocketW

bcrypt

BCryptGenRandom

api-ms-win-crt-string-l1-1-0

isxdigit
strlen
wcscmp
wcslen
strncmp
wcscat
wcscpy
tolower
wcsncpy
strcat
strcmp
strcpy
strncat
strcpy_s
strncpy
wcsncmp
strpbrk

api-ms-win-crt-heap-l1-1-0

malloc
free
calloc
realloc
_set_new_mode

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vfprintf
_popen
__p__commode
_pclose
fputc
fopen
_set_fmode
__stdio_common_vsprintf
__acrt_iob_func
fputws
_wfopen
fgets
fclose
__stdio_common_vswprintf
_getcwd

api-ms-win-crt-filesystem-l1-1-0

remove
_wstat64
_wremove
_stat64
_stat64i32

api-ms-win-crt-convert-l1-1-0

wcstoul
strtoul

api-ms-win-crt-environment-l1-1-0

_wgetenv
getenv

api-ms-win-crt-runtime-l1-1-0

exit
abort
_exit
terminate
_cexit
_c_exit
_initialize_onexit_table
_seh_filter_exe
_register_thread_local_exe_atexit_callback
_register_onexit_function
_configure_narrow_argv
_initialize_narrow_environment
system
_get_initial_narrow_environment
__p___argc
__p___argv
_crt_atexit
_initterm_e
_set_app_type
_initterm

api-ms-win-crt-conio-l1-1-0

_getch

api-ms-win-crt-math-l1-1-0

__setusermatherr
pow

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 8.7MB - Virtual size: 8.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 25KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 369KB - Virtual size: 368KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 34KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

a2441d00a298961cc2bfdf35cdf0b52a

Code Sign

67:f1:53:b2:0a:d3:39:9c:7e:dd:ce:2c:6c:af:d7:66Certificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

0c:a7:cf:5d:07:07:24:ac:89:e7:9a:3aCertificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:31:89:c6:50:04Certificate

Key Usages

14:a3:b5:bb:49:a2:0e:f4:f5:6e:9a:1b:1d:8f:a0:b7:79:40:80:22:a2:5e:73:62:8a:c6:15:12:15:ab:a2:04Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ole32

oleaut32

gdi32

user32

comdlg32

shell32

api-ms-win-shcore-scaling-l1-1-1

ntdll

kernel32

advapi32

secur32

crypt32

ws2_32

bcrypt

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-conio-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 8.7MB - Virtual size: 8.7MB

.rdata Size: 1.4MB - Virtual size: 1.4MB

.data Size: 25KB - Virtual size: 39KB

.pdata Size: 369KB - Virtual size: 368KB

_RDATA Size: 512B - Virtual size: 348B

.reloc Size: 23KB - Virtual size: 22KB

.rsrc Size: 34KB - Virtual size: 34KB

67:f1:53:b2:0a:d3:39:9c:7e:dd:ce:2c:6c:af:d7:66
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

0c:a7:cf:5d:07:07:24:ac:89:e7:9a:3a
Certificate

04:00:00:00:00:01:31:89:c6:50:04
Certificate

14:a3:b5:bb:49:a2:0e:f4:f5:6e:9a:1b:1d:8f:a0:b7:79:40:80:22:a2:5e:73:62:8a:c6:15:12:15:ab:a2:04
Signer

.text
Size: 8.7MB - Virtual size: 8.7MB

.rdata
Size: 1.4MB - Virtual size: 1.4MB

.data
Size: 25KB - Virtual size: 39KB

.pdata
Size: 369KB - Virtual size: 368KB

_RDATA
Size: 512B - Virtual size: 348B

.reloc
Size: 23KB - Virtual size: 22KB

.rsrc
Size: 34KB - Virtual size: 34KB