16573267458[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

16573267458.zip
Size

103.4MB
MD5

2fff95aa3a040176b8164474a7b5476f
SHA1

a9fd1efc86de140c6fff51b64581deeb98a494f8
SHA256

3f0e07fc6345cc179b7571de8b9fb2bfee2f9bef92a4ec224b4e034cd49e697f
SHA512

9ba17cde95c39b06a7547f310c0c4d0329cb4dfce00f8ebc83f905a9deb48a1115eb7555fea9ddc5cbbfe69027af20b1bb8646c7af4fec66818130d12c534192
SSDEEP

3145728:V4THTqJkldBUEiVrMJ9aNuHDAiCaJbzour:yT0WdBUEbJ9aEHsiCwbzour

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

unpack002/g2m.dll

resource
unpack002/g2m.dll

Files

16573267458.zip
.zip

Password: infected
dd16df0f835f25fa6a81775ca4617fa381b35719ff3ee103f6dae44cb07aebb4
.zip
InstallerAPI.inf
.pdf
Tax Organizer.exe
.exe windows:5 windows x86 arch:x86

6eb9cccf95968b8becec4c870f1101db

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

01-05-2012 00:00

Not After

31-12-2012 23:59

Subject

CN=Symantec Time Stamping Services Signer - G3,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

5c:5f:2b:a5:c9:99:4b:e5:ef:25:4f:fe:51:12:88:e1
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

30-04-2012 00:00

Not After

01-05-2014 23:59

Subject

CN=Citrix Online,OU=Operations+OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Citrix Online,L=Fort Lauderdale,ST=Florida,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

a9:67:63:96:99:c5:5b:7e:88:69:58:46:cb:9b:f7:d1:bb:bf:20:aa
Signer

Actual PE Digest

a9:67:63:96:99:c5:5b:7e:88:69:58:46:cb:9b:f7:d1:bb:bf:20:aa

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\p4builds\Products\GoToMeeting\v5.4_builds\output\G2M_Exe.pdb

Imports

g2m

g2mcomm_winmain

kernel32

GetModuleHandleW
GetCommandLineW
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetStartupInfoW
ExitProcess

user32

MessageBoxA

Sections

.text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 684B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
g2m.dll
.dll regsvr32 windows:5 windows x86 arch:x86

59dfb51e8ff8a618e14f9e6e82affff5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\p4builds\Products\GoToMeeting\v5.1_builds\output\G2M.pdb

Imports

rpcrt4

NdrDllGetClassObject
RpcStringFreeW
UuidToStringW
NdrOleAllocate
NdrOleFree
IUnknown_QueryInterface_Proxy
IUnknown_AddRef_Proxy
IUnknown_Release_Proxy
CStdStubBuffer_QueryInterface
CStdStubBuffer_AddRef
CStdStubBuffer_Connect
CStdStubBuffer_Disconnect
CStdStubBuffer_Invoke
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_CountRefs
CStdStubBuffer_DebugServerQueryInterface
CStdStubBuffer_DebugServerRelease
NdrCStdStubBuffer_Release
UuidCreate

netapi32

Netbios

psapi

EnumProcesses
GetModuleBaseNameW
EnumProcessModules
GetModuleFileNameExW
GetModuleInformation

shlwapi

PathRemoveExtensionW
PathStripPathW
StrFormatByteSizeW
StrChrW

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

msacm32

acmStreamOpen
acmStreamConvert
acmStreamUnprepareHeader
acmStreamPrepareHeader

powrprof

CallNtPowerInformation

wininet

InternetReadFileExA
HttpOpenRequestW
InternetSetStatusCallbackW
HttpQueryInfoW
InternetSetOptionW
InternetOpenW
HttpSendRequestExW
InternetQueryOptionW
InternetCloseHandle
InternetConnectW
InternetErrorDlg
HttpEndRequestW

kernel32

CopyFileW
GetFileAttributesW
GetDiskFreeSpaceExW
GetTempFileNameW
FindFirstFileW
MoveFileW
GetSystemWindowsDirectoryW
GetLocaleInfoW
GetSystemInfo
GlobalMemoryStatusEx
lstrlenA
LocalAlloc
lstrcmpiW
ReleaseMutex
CreateMutexW
ResumeThread
GetThreadContext
SuspendThread
InterlockedIncrement
SetThreadPriority
GetThreadPriority
TerminateThread
CreateProcessW
TerminateProcess
GetExitCodeProcess
GetShortPathNameW
CompareFileTime
CreateDirectoryW
RemoveDirectoryW
GetSystemDirectoryW
GetCurrentDirectoryW
SetCurrentDirectoryW
GetLocalTime
InitializeCriticalSection
DeleteCriticalSection
TryEnterCriticalSection
EnterCriticalSection
LeaveCriticalSection
WaitForMultipleObjects
GetProcessTimes
GetTickCount
GetTimeFormatW
GetDateFormatW
GetTimeZoneInformation
QueryPerformanceCounter
QueryPerformanceFrequency
ResetEvent
OpenEventW
CreateEventW
FindVolumeClose
FindNextVolumeW
QueryDosDeviceW
FindFirstVolumeW
FindNextFileW
DeleteFileW
GetUserDefaultLCID
GetUserDefaultUILanguage
EnumResourceLanguagesW
OpenThread
GetThreadTimes
DisableThreadLibraryCalls
InterlockedDecrement
lstrlenW
SizeofResource
LoadResource
FindResourceW
OpenMutexW
SetEnvironmentVariableW
GetEnvironmentVariableW
GetWindowsDirectoryW
GetTempPathA
CreateDirectoryA
SetLastError
SetWaitableTimer
CreateWaitableTimerW
WritePrivateProfileStringW
GetPrivateProfileStringW
VirtualFree
VirtualAlloc
GlobalLock
GlobalFree
GlobalUnlock
GlobalAlloc
FlushInstructionCache
lstrcmpW
MulDiv
LockResource
GetVersionExA
ExpandEnvironmentStringsW
GetFileTime
ExitProcess
Thread32Next
Thread32First
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
SetThreadExecutionState
FlushFileBuffers
SetEndOfFile
SetFilePointer
WriteFile
ReadFile
FindClose
OpenProcess
GetCurrentThread
InterlockedExchange
MultiByteToWideChar
WideCharToMultiByte
GetSystemTime
SystemTimeToFileTime
FileTimeToSystemTime
TlsFree
HeapFree
HeapAlloc
HeapDestroy
HeapCreate
GetCurrentThreadId
GetTempPathW
CreateFileW
GetCurrentProcessId
GetFileSize
CreateFileMappingW
MapViewOfFile
SetEvent
WaitForSingleObject
UnmapViewOfFile
CloseHandle
GetSystemTimeAsFileTime
CreateEventA
LoadLibraryExW
OutputDebugStringW
LocalFree
GetLastError
SetUnhandledExceptionFilter
GetVersionExW
LoadLibraryW
Sleep
GetCurrentProcess
GetModuleFileNameW
FormatMessageW
IsBadReadPtr
GetModuleHandleW
GetProcAddress
TlsAlloc
TlsSetValue
TlsGetValue
RaiseException
FreeLibrary
FileTimeToLocalFileTime
GetDriveTypeA
ReadConsoleInputA
SetConsoleMode
LCMapStringA
InitializeCriticalSectionAndSpinCount
SetConsoleCtrlHandler
CompareStringW
GetDateFormatA
GetTimeFormatA
HeapReAlloc
GetFullPathNameA
PeekNamedPipe
GetCurrentDirectoryA
FoldStringW
GetConsoleMode
GetConsoleCP
HeapSize
GetModuleHandleA
LCMapStringW
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetModuleFileNameA
GetStartupInfoA
GetFileType
GetStdHandle
SetHandleCount
RtlUnwind
CreateThread
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetStdHandle
CreateFileA
GetProcessHeap
CompareStringA
SetEnvironmentVariableA
InterlockedCompareExchange
IsProcessorFeaturePresent
GetCommandLineW
ReleaseSemaphore
CreateSemaphoreW
GetVolumeInformationW
DuplicateHandle
GetVersion
ExitThread
IsDebuggerPresent
UnhandledExceptionFilter
GetCommandLineA
GetPrivateProfileSectionNamesW
FindFirstFileA
GlobalMemoryStatus
LoadLibraryA
GetSystemDefaultLCID
GetPrivateProfileSectionW
CancelWaitableTimer
DeleteFileA
GetFileAttributesExA
SetThreadAffinityMask
GetProcessAffinityMask
CreateWaitableTimerA
OutputDebugStringA
AllocConsole
FreeConsole
FormatMessageA
CreateSemaphoreA
SetPriorityClass
CreateMutexA
GetFileInformationByHandle
FlushConsoleInputBuffer

gdi32

CreateDCW
GetRegionData
ExtTextOutW
OffsetRgn
GetRgnBox
EqualRgn
CreateBitmap
SetROP2
FillRgn
CreateRectRgnIndirect
DPtoLP
Ellipse
RestoreDC
Polyline
SaveDC
CreatePen
SetPolyFillMode
GetSystemPaletteEntries
CreatePalette
GetPaletteEntries
GetDIBColorTable
SetDIBColorTable
CreateDIBSection
GetDCOrgEx
Polygon
FrameRgn
PaintRgn
CreatePolygonRgn
CreateRoundRectRgn
SetStretchBltMode
StretchBlt
GetDIBits
CreateDIBitmap
SetDIBits
SelectClipRgn
ExcludeClipRect
SetMapMode
SetWindowExtEx
SetViewportExtEx
SetWindowOrgEx
SetViewportOrgEx
LineTo
MoveToEx
GetClipBox
SetPixelV
GetTextMetricsW
GetTextExtentPoint32W
SetBkColor
CreateRectRgn
SetRectRgn
CombineRgn
GetBitmapBits
SetTextColor
TextOutW
GetBkMode
GetTextColor
CreateFontW
CreateFontIndirectW
GetStockObject
GetObjectW
GetDeviceCaps
BitBlt
CreateSolidBrush
GetPixel
SetBkMode
SetBrushOrgEx
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
CreatePatternBrush
DeleteDC
DeleteObject
SetPixel

comdlg32

GetOpenFileNameW
CommDlgExtendedError
ChooseColorW
GetSaveFileNameW

ole32

CoGetCallContext
CoRevokeClassObject
CoRegisterClassObject
CoInitializeSecurity
CoGetObject
CoDisconnectObject
CoGetCurrentProcess
CoCreateFreeThreadedMarshaler
CoTaskMemFree
CoTaskMemAlloc
CoFreeUnusedLibraries
StringFromGUID2
CoCreateInstance
CoCreateGuid
CLSIDFromProgID
OleLockRunning
CoGetClassObject
CLSIDFromString
CreateStreamOnHGlobal
CoInitialize
CoSetProxyBlanket
OleUninitialize
CoUninitialize
CoInitializeEx
CoTaskMemRealloc
OleInitialize
CoRegisterPSClsid
StringFromCLSID

oleaut32

SystemTimeToVariantTime
UnRegisterTypeLi
LoadTypeLi
SysAllocString
SysFreeString
SysStringLen
RegisterTypeLi
VarUI4FromStr
LPSAFEARRAY_UserSize
LPSAFEARRAY_UserMarshal
LPSAFEARRAY_UserUnmarshal
OleCreateFontIndirect
LoadRegTypeLi
OleLoadPicture
LPSAFEARRAY_UserFree
SysStringByteLen
SysAllocStringLen
BSTR_UserUnmarshal
DispCallFunc
BSTR_UserFree
SafeArrayGetElement
SafeArrayDestroy
SafeArrayPutElement
SafeArrayCreate
SysAllocStringByteLen
VariantCopy
BSTR_UserSize
OleCreatePropertyFrame
VariantInit
VarBstrCat
VarBstrCmp
OleLoadPicturePath
BSTR_UserMarshal
VariantClear
VariantChangeType

secur32

GetUserNameExW
InitSecurityInterfaceA

wtsapi32

WTSQuerySessionInformationW
WTSFreeMemory

comctl32

InitCommonControlsEx

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

winmm

mixerGetDevCapsA
mixerGetLineControlsA
mixerGetLineInfoA
waveInGetDevCapsA
waveOutGetDevCapsA
mixerGetControlDetailsA
timeSetEvent
timeGetTime
timeKillEvent
mmioOpenA
timeEndPeriod
timeBeginPeriod
waveInUnprepareHeader
waveInReset
waveInPrepareHeader
waveInAddBuffer
waveInStart
waveInStop
waveInGetErrorTextW
waveInGetPosition
mmioOpenW
mmioDescend
mmioAscend
waveOutUnprepareHeader
waveOutReset
waveOutPrepareHeader
mmioRead
waveOutPause
waveOutWrite
mmioClose
mixerGetNumDevs
mixerOpen
mixerSetControlDetails
mixerGetLineInfoW
mixerGetDevCapsW
waveInOpen
waveOutOpen
waveOutGetPosition
waveOutClose
mixerGetID
waveInGetID
waveOutGetID
mixerGetLineControlsW
mixerGetControlDetailsW
waveOutGetNumDevs
waveInGetNumDevs
waveInGetDevCapsW
waveOutGetDevCapsW
mixerClose
waveOutGetVolume
waveOutSetVolume
waveInClose

avifil32

AVIStreamWrite
AVIFileInit
AVIFileExit
AVIFileRelease
AVIFileCreateStreamA
AVIStreamRead
AVIStreamTimeToSample
AVIStreamSampleToTime
AVIStreamFindSample
AVIStreamLength
AVIStreamReadFormat
AVIStreamRelease
AVIStreamSetFormat
AVIFileOpenA
AVIFileGetStream
AVIFileInfoA

msvfw32

ICOpen
ICDecompress
ICSendMessage
ICClose

avicap32

capGetDriverDescriptionA
capCreateCaptureWindowA

d3d9

Direct3DCreate9

wsock32

recvfrom
htonl
getsockname
gethostname
getsockopt
inet_ntoa
select
WSACleanup
closesocket
shutdown
WSAGetLastError
recv
WSASetLastError
send
inet_addr
ntohs
sendto
htons
ioctlsocket
WSAStartup
gethostbyname
ntohl
socket
setsockopt
accept
listen
bind
connect
getpeername
__WSAFDIsSet

ws2_32

WSAWaitForMultipleEvents
WSAResetEvent
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
WSASetEvent
WSAEventSelect
getnameinfo
WSAIoctl

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
g2mchat_winmain
g2mcomm_winmain
g2mfeedback_winmain
g2mhost_winmain
g2minstaller_winmain
g2minsthigh_winmain
g2mlauncher_winmain
g2mmatchmaking_winmain
g2mmaterials_winmain
g2mpolling_winmain
g2mqanda_winmain
g2mrecorder_winmain
g2msessioncontrol_winmain
g2mstart_winmain
g2mtesting_winmain
g2mtranscoder_winmain
g2mui_winmain
g2muninstall_winmain
g2mvideoconference_winmain
g2mview_winmain

Sections

.text
Size: 11.9MB - Virtual size: 11.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.orpc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.2MB - Virtual size: 2.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 187KB - Virtual size: 684KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 794KB - Virtual size: 794KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

6eb9cccf95968b8becec4c870f1101db

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:edCertificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

5c:5f:2b:a5:c9:99:4b:e5:ef:25:4f:fe:51:12:88:e1Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

a9:67:63:96:99:c5:5b:7e:88:69:58:46:cb:9b:f7:d1:bb:bf:20:aaSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

g2m

kernel32

user32

Sections

.text Size: 1KB - Virtual size: 1KB

.rdata Size: 1024B - Virtual size: 684B

.data Size: - Virtual size: 4B

.CRT Size: 512B - Virtual size: 4B

.rsrc Size: 29KB - Virtual size: 29KB

59dfb51e8ff8a618e14f9e6e82affff5

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

rpcrt4

netapi32

psapi

shlwapi

version

msacm32

powrprof

wininet

kernel32

gdi32

comdlg32

ole32

oleaut32

secur32

wtsapi32

comctl32

userenv

winmm

avifil32

msvfw32

avicap32

d3d9

wsock32

ws2_32

Exports

Exports

Sections

.text Size: 11.9MB - Virtual size: 11.9MB

.orpc Size: 2KB - Virtual size: 4KB

.rdata Size: 2.2MB - Virtual size: 2.2MB

.data Size: 187KB - Virtual size: 684KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 794KB - Virtual size: 794KB

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

5c:5f:2b:a5:c9:99:4b:e5:ef:25:4f:fe:51:12:88:e1
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

a9:67:63:96:99:c5:5b:7e:88:69:58:46:cb:9b:f7:d1:bb:bf:20:aa
Signer

.text
Size: 1KB - Virtual size: 1KB

.rdata
Size: 1024B - Virtual size: 684B

.data
Size: - Virtual size: 4B

.CRT
Size: 512B - Virtual size: 4B

.rsrc
Size: 29KB - Virtual size: 29KB

.text
Size: 11.9MB - Virtual size: 11.9MB

.orpc
Size: 2KB - Virtual size: 4KB

.rdata
Size: 2.2MB - Virtual size: 2.2MB

.data
Size: 187KB - Virtual size: 684KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 794KB - Virtual size: 794KB