Oyster-Malware-2[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

Oyster-Malware-2.zip
Size

6.2MB
MD5

857ce1df4f88a1f153730f58432538d2
SHA1

f215fcf5c126d7abe2c1a97ce3272c9a3e91ab79
SHA256

0cf29b64ed8bee63878fa62d8d16c299730fadc7391fe9694bdd04502dcc6e01
SHA512

6070bbd8b3180b1747ef96a296030cdee3d81a4e4b124d0eba5919d500625804093f2979752a9b26ddaed417492e046d0f6e8b692293466f025915ed51a4909e
SSDEEP

196608:GIP8gwUVLkPabbfj3fXjnK3Psbb/X8iGf2hSUS:GUVwUVRDrQEP8jui

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Mp3tag.exe
unpack001/hollows_hunter64.exe

Files

Oyster-Malware-2.zip
.zip
Mp3tag.exe
.exe windows:6 windows x64 arch:x64

2ece89f1ca49ee419cde7f286c3ad97c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

user32

BeginPaint
MessageBoxW
CharUpperBuffW

advapi32

RegCreateKeyExW

ole32

CoInitializeEx

shell32

ShellExecuteExW

kernel32

SetStdHandle
GetSystemTimeAsFileTime
HeapAlloc
HeapFree
ExitProcess
GetModuleHandleA
LoadLibraryA
GetProcAddress
LoadLibraryA
GetProcAddress
GetLastError
FreeLibrary
InitializeCriticalSection
GetModuleFileNameW
GetModuleHandleW
TerminateProcess
GetCurrentProcess
DeleteCriticalSection
LoadLibraryW
CreateEventW
CompareStringW
SetLastError
GetModuleHandleA
VirtualProtect
GetTickCount
EnterCriticalSection
LeaveCriticalSection
VirtualFree
VirtualAlloc
WriteProcessMemory
CreateToolhelp32Snapshot
GetCurrentProcessId
GetCurrentThreadId
Thread32First
OpenThread
Thread32Next
CloseHandle
SuspendThread
ResumeThread
GetSystemInfo
LoadResource
MultiByteToWideChar
WideCharToMultiByte
FindResourceExW
FindResourceExA
GetThreadLocale
GetUserDefaultLCID
GetSystemDefaultLCID
EnumResourceNamesA
EnumResourceNamesW
EnumResourceLanguagesA
EnumResourceLanguagesW
EnumResourceTypesA
EnumResourceTypesW
HeapAlloc
HeapFree
HeapDestroy
HeapCreate
GetSystemTime
GetLocalTime
SystemTimeToFileTime
CompareFileTime
FlsSetValue
GetCommandLineA
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
DecodePointer
FlsGetValue
FlsFree
FlsAlloc
LCMapStringA
LCMapStringW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
WriteFile
GetStdHandle
GetModuleFileNameA
RaiseException
RtlPcToFileHeader
Sleep
ExitProcess
SetHandleCount
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapSetInformation
RtlUnwindEx
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
SetFilePointer
GetConsoleCP
GetConsoleMode
HeapReAlloc
InitializeCriticalSectionAndSpinCount
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
CreateFileA
FlushFileBuffers
GetModuleFileNameW
GetModuleHandleA
LoadLibraryA
LocalAlloc
LocalFree
GetModuleFileNameA
ExitProcess

Exports

Exports

u�Κ�so��n�{�&%�){KQ�ȨN6��tË��rA�9�s�fx��ӵ�k��;AV��䙆eڄ٣˟�Z�$2p�%-c�'�!m#�:<��x��K6�>��3�`�-K7Da"/�H��rm�Hb��5EIZ�x�Ǧ�gR��&"f/R��S�fd~sЀO��#M7��fղ �Y� ��{�=�l<��^e�n��$��[PMb�� M��K�ڋ�z�� `s@��b*�!��E H �,�<��ԋ��*Ie��~��&)��c�y��Cw�C5��A��/�ؚ(Z�}��h�>O��w�lfޥ"/��Q��Q`�;[�k|.\Š"��Hk��_�Iɿv0}��R';@�2��s`�jS�G��d�S=��lqf��T�+� ��F9z̗��R��<3��eJ��A�'𱳅L��*�b��S�=�_�d��c_�i$�?<��:�OJ��̛�F�$�1DW��zcx_Ǻ��Dq�ͤ�� Q�f��~�Kw�CƬ%o(�$6F��o�*>�=�srק�x�M��Ҿ��T�yà�F��R�Z��_�c�8-<@�y��RC��l(��Yh��c��j��i�֨�F��^��A�1��$p>n�v�Y��#��t3oꡦ+%:C3{�7��:�lbw��}�X��iM*R�(a�Fx�b�X�Ϙ)L0�td�w��S^![��^�[K}i��~O��+9��n 6�ɖ�H��Y�!gѭ�/��zx��w�H�ce]`?�j��lӠ��MD R�~P��9�ќ��Ê.P��픭�\��p{�[�!�T�}��0ȁ0��,��ͅD3��*5j�*��"�mtq�1��OZ�� y�!2`�I��E��=i��9�b@Fi렘��uB��ˆ�qR��R�;5aV��>m�b��8&o��E��1,8R��E|T��jmb��ƨ�g��3�ue;��=�� /*&�|��b�g�x��ڈ�A�:��ْƝM��E��k�`��/�j3�E�m��k>�p��7�`��PI��V��q��] ��O��@wٷ�^$�%�y_r��4^�c7��Le\�B��s��0��E:Y�':M-��k#W�x�y��Ѐ��{iikŰ�%�ə�5�ϭ�_��$��|��.�I��-p�iU�� Pʋ�V�Y)#7".T�D�$ AR9� E?L�!��~}l�KL�ʧϣr]B6�7~GE:��猱QN��.�VT�l�5�뇈@y��6\��I�w ��R��Lg��K�px|yo��,A��ʋ�n ��`��!K�#a�# �@]��pq�F�ewz~�50٭��9c��=��fL[��Ōd�5�w�n*�f�F��^��d��<n��҄��J��l��l8G��-�� c4>�ء:�#��S}��ƺ� E1�L�[$��Z ��=g>��ȩ7�$�&�&f+k�q@�WN+�u�"��UP�Ƹ2�4uZ��<u+U��y� ��y>&��Kf��yB+��)�Zʓ�=�l�N��D�� [��g{�m*�k�%eQ�j��I�d+�ֿ8��l��d�H%Fe/ҘY�"'��.� �&��}Ty@�cqT��Յ��nl�� 9�)��F8^x�:�B�0O�|��~��۰�N��&A���'q��4��T��{��$S' �20�?FX1�uǉR9-� 9I��iJ-��$�O�e(�0�o��Z��Կ�>��, ��[-�8�QTJ �dފ��VL/��a��z��p��P�.�z9��1z��&ҩRJ��eB��4?L8�k�vuC^ !�ZW'Ŀ�� er��6��d��x�i�6�V��ق��?�.q4��a��vH�R�*v��4 �&{O�)'8!LN��Ms2*ŗ_��Fܡ��l�Ϋ�C�N��w�+�I"l9��%�/�A��uáp��|��H��je=�g�s9��cmhN@ �m{&�&�C[1x��oݡ�}�U; �럊��8gB{+�Z�Y��&��B3/�`�#�H�]r�u_�D:>��ﱯ�ӭ�:�GD��ƾ� �2��H0�h�j �^G�*j֣��[d�b��ǹh��9s�N��CBi��K{�2�Ehp߲y!�b[�9f��(Ԯ�gq�QL+5��=Pɽz��Ƈy-N�g}�5��~��W$��N9gܲ߮&�y�]R�S`��2b�S�t�6�� -��}2�1��7ʐ�3�#�r��mLJ6O;��3>4٩L�TO(8�'��h�9�ڠ��_�� (M��F.*��L��dL� p�d&- �`%�X�i{�h!U�Z�-� �h]�9Yk�K%�n �Qb��L�Lv�#�$;�c.��A��޶�f��:q��x��:�AN�Rd.�'d��nhl��*V E�8{��E#�CG�Q8v�_�×�G�G�AB��Yl��j)��L� ��%��0Z��H��0��z4�2��%�m�A@U'�Da;�!�YO�|�˅X<��IC�[�`�䛻��gS��{6�Z�U%��ӏ�N��I��(�� ^�'4�E�G�.�@R��Og`Nt��LE��4�o�Q\�H��-/^&��%�_�P@��ϭ(nn*$��!�Ƭn�$;f�f�U�֊lt8ӎ�'9�cC4��c�X��*4`��G~V+��B�azQ�X�FCϺ�i�g��%�f��Ce�{��Tܺ3)�SCFw/��:��]=�C��Y\�_GzF<��o@x�g��a4v��=�2ߺ�[�Ld�B��xO2�&��W��j�dAz��J ��W�wc��r˵M��i��D +s��

Sections

.text
Size: - Virtual size: 167KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 75KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 5.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

./.e
Size: - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.!%e
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.e2B
Size: 5.1MB - Virtual size: 5.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

,BYR
Size: 733KB - Virtual size: 732KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

'w!:
Size: 96KB - Virtual size: 96KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Run-Hollows-Hunter-1.bat
hollows_hunter64.exe
.exe windows:5 windows x64 arch:x64

7aa06c9c4b7d50fc6df4834fb03c800b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

psapi

GetModuleFileNameExA
GetProcessImageFileNameA
GetMappedFileNameA
EnumProcessModulesEx
QueryWorkingSet

ntdll

NtCreateFile
ZwQueryInformationFile
NtQuerySystemInformation
RtlInitUnicodeString
RtlLookupFunctionEntry
RtlUnwindEx
RtlPcToFileHeader
RtlVirtualUnwind
RtlCaptureContext

shlwapi

PathCanonicalizeA

imagehlp

SymFunctionTableAccess64
SymGetModuleBase64
SymInitialize
SymCleanup
StackWalk64

kernel32

EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
HeapSize
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
GetTimeZoneInformation
SetFilePointer
IsValidCodePage
GetOEMCP
GetConsoleScreenBufferInfo
GetStdHandle
SetConsoleTextAttribute
FlushConsoleInputBuffer
GetProcAddress
GetModuleHandleA
CloseHandle
OpenProcess
GetCurrentProcess
TerminateProcess
Process32Next
Process32First
GetLastError
CreateToolhelp32Snapshot
GetTickCount
GetCurrentProcessId
GetCurrentThread
GetProcessTimes
IsBadWritePtr
IsBadReadPtr
SetLastError
LoadLibraryA
FreeLibrary
CreateFileA
IsValidLocale
QueryDosDeviceA
GetLogicalDrives
GetCurrentDirectoryA
GetLongPathNameA
TerminateThread
GetProcessId
WaitForSingleObject
CreateThread
GetFileAttributesA
GetWindowsDirectoryA
GetFullPathNameA
CreateDirectoryA
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
VirtualQueryEx
GetThreadContext
GetExitCodeThread
OpenThread
Thread32Next
Thread32First
UnmapViewOfFile
GetFileSize
MapViewOfFile
CreateFileMappingA
WriteFile
ReadFile
VirtualAlloc
VirtualFree
ReadProcessMemory
VirtualProtectEx
SetEnvironmentVariableA
GetACP
FlushFileBuffers
LoadLibraryW
WriteConsoleW
SetStdHandle
CreateFileW
SetEndOfFile
GetProcessHeap
ExpandEnvironmentStringsA
GetConsoleMode
GetConsoleCP
ExitProcess
GetModuleHandleW
WideCharToMultiByte
MultiByteToWideChar
GetStringTypeW
Sleep
EncodePointer
DecodePointer
GetLocaleInfoW
HeapFree
RaiseException
GetSystemTimeAsFileTime
GetDateFormatA
GetTimeFormatA
GetCommandLineA
GetCPInfo
HeapAlloc
HeapReAlloc
LCMapStringW
CompareStringW
HeapSetInformation
GetVersion
HeapCreate
FlsGetValue
FlsSetValue
FlsFree
GetCurrentThreadId
FlsAlloc
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetModuleFileNameW
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW

advapi32

GetTokenInformation
GetSidSubAuthorityCount
GetSidSubAuthority
OpenThreadToken
ImpersonateSelf
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenProcessToken

Sections

.text
Size: 713KB - Virtual size: 712KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 179KB - Virtual size: 179KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE

data
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 164KB - Virtual size: 163KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

2ece89f1ca49ee419cde7f286c3ad97c

Headers

DLL Characteristics

File Characteristics

Imports

user32

advapi32

ole32

shell32

kernel32

Exports

Exports

Sections

.text Size: - Virtual size: 167KB

.rdata Size: - Virtual size: 75KB

.data Size: - Virtual size: 5.5MB

.pdata Size: - Virtual size: 8KB

_RDATA Size: - Virtual size: 348B

./.e Size: - Virtual size: 1.1MB

.!%e Size: 3KB - Virtual size: 2KB

.e2B Size: 5.1MB - Virtual size: 5.1MB

,BYR Size: 733KB - Virtual size: 732KB

.tls Size: 512B - Virtual size: 48B

'w!: Size: 96KB - Virtual size: 96KB

.rsrc Size: 1KB - Virtual size: 1KB

7aa06c9c4b7d50fc6df4834fb03c800b

Headers

DLL Characteristics

File Characteristics

Imports

psapi

ntdll

shlwapi

imagehlp

kernel32

advapi32

Sections

.text Size: 713KB - Virtual size: 712KB

.rdata Size: 179KB - Virtual size: 179KB

.data Size: 16KB - Virtual size: 28KB

.pdata Size: 33KB - Virtual size: 33KB

text Size: 1KB - Virtual size: 1KB

data Size: 13KB - Virtual size: 13KB

.rsrc Size: 164KB - Virtual size: 163KB

.reloc Size: 6KB - Virtual size: 5KB

.text
Size: - Virtual size: 167KB

.rdata
Size: - Virtual size: 75KB

.data
Size: - Virtual size: 5.5MB

.pdata
Size: - Virtual size: 8KB

_RDATA
Size: - Virtual size: 348B

./.e
Size: - Virtual size: 1.1MB

.!%e
Size: 3KB - Virtual size: 2KB

.e2B
Size: 5.1MB - Virtual size: 5.1MB

,BYR
Size: 733KB - Virtual size: 732KB

.tls
Size: 512B - Virtual size: 48B

'w!:
Size: 96KB - Virtual size: 96KB

.rsrc
Size: 1KB - Virtual size: 1KB

.text
Size: 713KB - Virtual size: 712KB

.rdata
Size: 179KB - Virtual size: 179KB

.data
Size: 16KB - Virtual size: 28KB

.pdata
Size: 33KB - Virtual size: 33KB

text
Size: 1KB - Virtual size: 1KB

data
Size: 13KB - Virtual size: 13KB

.rsrc
Size: 164KB - Virtual size: 163KB

.reloc
Size: 6KB - Virtual size: 5KB