sample[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

sample.zip
Size

1.1MB
MD5

787fac7b675f434c973279a04cdd7e0f
SHA1

5d61f9a5ee4a04db93349692f05bc09aab8635ba
SHA256

eef2966545c4e71b91ac451b980e6f663dbefe58a582e7cb1f3459fc6fb55f25
SHA512

30e78371ce266321368215d5e625b35abdf04e18a5ac72e2503997f4d9c4bee28fff569b3f89c0c2b11f59e43db2501b478c43ef4d0dcad45104d7191ada598a
SSDEEP

24576:MCClrfgeLm0bitVIrP2F+2vWOLRmy8DKZskRO4:M/ri0QXvWHluZsf4

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/test/nellyzx.exe
unpack001/test/test.exe

Files

sample.zip
.zip

Password: infected
test/Bank details.doc
.rtf .doc
test/Return book loan.eml
.eml

Password: infected
Bank details.doc
.rtf .doc
email-html-1.txt
test/Zemana.sys
.sys windows:6 windows x64 arch:x64

1ef6998f22f7e6046b4905d4e21773b7

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

02:10:23:0f:d3:64:b4:69:09:1b:8a:44:40:14:5e:18
Certificate

Issuer

CN=DigiCert High Assurance Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

16/12/2014, 00:00

Not After

20/12/2017, 12:00

Subject

CN=Zemana Ltd.,O=Zemana Ltd.,L=Edirne,C=TR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:20:4d:b4:00:00:00:00:00:27
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:45

Not After

15/04/2021, 19:55

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

02:c4:d1:e5:8a:4a:68:0c:56:8d:a3:04:7e:7e:4d:5f
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

11/02/2011, 12:00

Not After

10/02/2026, 12:00

Subject

CN=DigiCert High Assurance Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:15:b7:de:0f:11:29:b5:40:f4:8d:7a:3c:ba:2c:6b:f5:d4:41:12
Signer

Actual PE Digest

0d:15:b7:de:0f:11:29:b5:40:f4:8d:7a:3c:ba:2c:6b:f5:d4:41:12

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

Z:\Zemana\Projects\AntiMalware\bin\zam64.pdb

Imports

ntoskrnl.exe

FsRtlIsNameInExpression
PsGetProcessImageFileName
ZwQueryInformationProcess
__C_specific_handler
strchr
RtlAppendUnicodeToString
KeInitializeSemaphore
KeReleaseSemaphore
KeWaitForSingleObject
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
PsCreateSystemThread
PsTerminateSystemThread
ZwQueryInformationFile
ZwWriteFile
PsGetCurrentThreadId
ZwDeleteFile
_vsnprintf
PsThreadType
PsSetCreateProcessNotifyRoutine
PsGetProcessSessionId
RtlAppendUnicodeStringToString
ZwDeleteValueKey
ZwSetValueKey
towupper
RtlIntegerToUnicodeString
KeInitializeEvent
KeSetEvent
KeAcquireSpinLockAtDpcLevel
KeReleaseSpinLockFromDpcLevel
MmProbeAndLockPages
IoAllocateIrp
IoAllocateMdl
IofCallDriver
IoFreeIrp
IoFreeMdl
IoGetDeviceObjectPointer
IoGetRelatedDeviceObject
ObCloseHandle
ObfReferenceObject
ZwSetInformationFile
ZwReadFile
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
IoCreateFileSpecifyDeviceObjectHint
IoGetDeviceAttachmentBaseRef
FsRtlGetFileSize
ObQueryNameString
IoFileObjectType
KeReadStateEvent
ExQueueWorkItem
ExGetPreviousMode
MmGetSystemRoutineAddress
NtOpenProcess
ZwCreateEvent
ZwWaitForSingleObject
ZwSetEvent
NtQuerySystemInformation
ExEventObjectType
NtBuildNumber
ZwDeleteKey
ObReferenceObjectByName
IoDriverObjectType
MmIsDriverVerifying
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
RtlSetDaclSecurityDescriptor
MmMapLockedPagesSpecifyCache
PsGetProcessId
IoThreadToProcess
PsGetCurrentProcessSessionId
ZwTerminateProcess
KeStackAttachProcess
KeUnstackDetachProcess
ZwOpenThread
PsProcessType
ExInterlockedInsertHeadList
ExInterlockedRemoveHeadList
CmRegisterCallback
CmUnRegisterCallback
RtlCreateRegistryKey
ZwOpenKey
ZwEnumerateKey
ZwQueryKey
ZwQueryValueKey
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
ProbeForWrite
PsSetLoadImageNotifyRoutine
PsRemoveLoadImageNotifyRoutine
PsGetProcessSectionBaseAddress
MmSystemRangeStart
KeBugCheckEx
PsLookupProcessByProcessId
ZwOpenProcess
PsGetCurrentProcessId
RtlUpcaseUnicodeString
RtlUpperString
ZwClose
ZwCreateFile
ObfDereferenceObject
ObReferenceObjectByHandle
ProbeForRead
ExFreePoolWithTag
ExAllocatePoolWithTag
KeDelayExecutionThread
RtlGetVersion
DbgPrint
RtlCopyUnicodeString
RtlInitUnicodeString
wcsstr
ZwQuerySystemInformation
strstr

fltmgr.sys

FltSendMessage
FltCloseCommunicationPort
FltCreateCommunicationPort
FltReleaseContext
FltGetStreamHandleContext
FltSetStreamHandleContext
FltAllocateContext
FltCancelFileOpen
FltQueryInformationFile
FltReadFile
FltParseFileNameInformation
FltReleaseFileNameInformation
FltGetFileNameInformation
FltFreePoolAlignedWithTag
FltAllocatePoolAlignedWithTag
FltStartFiltering
FltUnregisterFilter
FltRegisterFilter
FltBuildDefaultSecurityDescriptor

Sections

.text
Size: 134KB - Virtual size: 133KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.hook
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 335KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 616B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 96B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
test/nellyzx.exe
.exe windows:4 windows x64 arch:x64

Password: infected

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 573KB - Virtual size: 572KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
test/test.exe
.exe windows:4 windows x64 arch:x64

Password: infected

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 536KB - Virtual size: 535KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

1ef6998f22f7e6046b4905d4e21773b7

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

02:10:23:0f:d3:64:b4:69:09:1b:8a:44:40:14:5e:18Certificate

Extended Key Usages

Key Usages

61:20:4d:b4:00:00:00:00:00:27Certificate

Key Usages

02:c4:d1:e5:8a:4a:68:0c:56:8d:a3:04:7e:7e:4d:5fCertificate

Extended Key Usages

Key Usages

0d:15:b7:de:0f:11:29:b5:40:f4:8d:7a:3c:ba:2c:6b:f5:d4:41:12Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

fltmgr.sys

Sections

.text Size: 134KB - Virtual size: 133KB

.hook Size: 2KB - Virtual size: 2KB

.rdata Size: 18KB - Virtual size: 17KB

.data Size: 26KB - Virtual size: 335KB

.pdata Size: 2KB - Virtual size: 2KB

INIT Size: 4KB - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 616B

.reloc Size: 512B - Virtual size: 96B

Password: infected

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 573KB - Virtual size: 572KB

.rsrc Size: 2KB - Virtual size: 2KB

Password: infected

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 536KB - Virtual size: 535KB

.rsrc Size: 2KB - Virtual size: 1KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

02:10:23:0f:d3:64:b4:69:09:1b:8a:44:40:14:5e:18
Certificate

61:20:4d:b4:00:00:00:00:00:27
Certificate

02:c4:d1:e5:8a:4a:68:0c:56:8d:a3:04:7e:7e:4d:5f
Certificate

0d:15:b7:de:0f:11:29:b5:40:f4:8d:7a:3c:ba:2c:6b:f5:d4:41:12
Signer

.text
Size: 134KB - Virtual size: 133KB

.hook
Size: 2KB - Virtual size: 2KB

.rdata
Size: 18KB - Virtual size: 17KB

.data
Size: 26KB - Virtual size: 335KB

.pdata
Size: 2KB - Virtual size: 2KB

INIT
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 616B

.reloc
Size: 512B - Virtual size: 96B

.text
Size: 573KB - Virtual size: 572KB

.rsrc
Size: 2KB - Virtual size: 2KB

.text
Size: 536KB - Virtual size: 535KB

.rsrc
Size: 2KB - Virtual size: 1KB