Malware-1[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

Malware-1.zip
Size

1.9MB
MD5

d640e9fdff24f5416fe64caa83ced813
SHA1

cdeca238a2507e9b0ca307cd3774512ed5a02096
SHA256

d832c8f49706ff93871a111be8fb280caedbad5b368f801dd720c7786f872e86
SHA512

322062336e9c02ee5062632294b127a601628aaf6de40a18003f45aa3af95fe3c34046734b56b3af2177fbd64f4f2d5fa49521bf737cb520e24d6c7dac51e6f5
SSDEEP

49152:+1bV6svOlB8cvjptfO3eQ8Me1oRTPIGR4fmrDcxsTxn:KvvO7vz0eQ8MOirMmPAe

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/02.dll
unpack001/qd_x86.exe

Files

Malware-1.zip
.zip
02.dll
.dll windows:6 windows x64 arch:x64

13904d1cc18631217d0dcb5bf82fbc09

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\testing3\data\bdnc\BDNIMBUS-3071711\BDNIMBUS\bin\release\bdnc.pdb

Imports

user32

GetUserObjectInformationW
MessageBoxW
GetProcessWindowStation

crypt32

CertGetCertificateChain
CertFreeCertificateChain
CertEnumCertificatesInStore
CertCreateCertificateContext
CertFreeCertificateContext
CertEnumCRLsInStore
CertGetNameStringA
CertCloseStore
CertOpenSystemStoreA

winmm

timeGetTime

ws2_32

inet_ntoa
inet_addr
WSAGetOverlappedResult
select
getnameinfo
WSASend
WSARecv
getpeername
inet_ntop
gethostname
sendto
recvfrom
send
recv
freeaddrinfo
getaddrinfo
WSASetLastError
getprotobynumber
getservbyname
getservbyport
ntohl
gethostbyaddr
htonl
getsockopt
getsockname
ioctlsocket
connect
bind
accept
WSAWaitForMultipleEvents
WSASetEvent
WSAIoctl
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
socket
closesocket
shutdown
WSAGetLastError
WSACleanup
WSAStartup
ntohs
htons
listen
gethostbyname
setsockopt

iphlpapi

if_nametoindex

advapi32

ReportEventW
RegisterEventSourceW
DeregisterEventSource
CryptGenRandom
CryptAcquireContextA
RegQueryValueExA
RegOpenKeyExA
RegQueryValueExW
RegOpenKeyExW
RegCloseKey

secur32

InitSecurityInterfaceA

bcrypt

BCryptGenRandom

kernel32

IsValidCodePage
FindFirstFileExW
FlushFileBuffers
GetFullPathNameW
GetCurrentDirectoryW
SetEndOfFile
GetConsoleOutputCP
GetTimeZoneInformation
LCMapStringW
CompareStringW
GetCommandLineW
FlsFree
GetEnvironmentStringsW
FlsGetValue
GetOEMCP
HeapReAlloc
HeapAlloc
HeapFree
FreeLibraryAndExitThread
ResumeThread
ExitThread
SetConsoleCtrlHandler
SetStdHandle
ExitProcess
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetFileInformationByHandle
GetDriveTypeW
RtlPcToFileHeader
RaiseException
EncodePointer
LoadLibraryExW
InterlockedFlushSList
GetCPInfo
FlsAlloc
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetProcessHeap
GetStringTypeW
GetCommandLineA
FlsSetValue
HeapSize
WriteConsoleW
GetSystemDirectoryA
RtlUnwindEx
GetStartupInfoW
IsDebuggerPresent
CloseHandle
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SetEvent
WaitForSingleObject
CreateEventA
CreateThread
GetCurrentThreadId
GetThreadId
Sleep
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
CreateFileW
GetFileSize
ReadFile
GetLastError
ReleaseMutex
CreateMutexA
GetModuleFileNameW
MapViewOfFile
UnmapViewOfFile
CreateFileMappingA
DeleteFileW
GetFileSizeEx
GetFileTime
WriteFile
GetCurrentProcessId
MoveFileW
LocalFree
FormatMessageA
GetTickCount64
VirtualAlloc
VirtualFree
SetFilePointerEx
SwitchToThread
RtlUnwind
FreeLibrary
GetProcAddress
LoadLibraryA
LocalAlloc
GetVersion
InitializeCriticalSectionAndSpinCount
TryEnterCriticalSection
ResetEvent
GetTickCount
GetSystemInfo
QueryPerformanceCounter
QueryPerformanceFrequency
SetWaitableTimer
GetSystemTimeAsFileTime
CreateWaitableTimerA
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
ReleaseSemaphore
CreateSemaphoreA
SetLastError
GetSystemTime
SystemTimeToFileTime
GetModuleHandleExW
InitializeSRWLock
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
SwitchToFiber
DeleteFiber
CreateFiberEx
FindClose
FindFirstFileW
FindNextFileW
MultiByteToWideChar
WideCharToMultiByte
GetStdHandle
GetFileType
GetModuleHandleW
GetEnvironmentVariableW
GetACP
ConvertFiberToThread
ConvertThreadToFiberEx
GetCurrentProcess
TerminateProcess
LoadLibraryW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
InitializeSListHead

Exports

Exports

bdnimbus_ask
bdnimbus_ask_async
bdnimbus_ask_bin
bdnimbus_ask_bin_async
bdnimbus_ask_json
bdnimbus_ask_json_async
bdnimbus_dup_option
bdnimbus_file_upload
bdnimbus_file_upload_async
bdnimbus_free_option
bdnimbus_free_response
bdnimbus_gen_upload
bdnimbus_gen_upload_async
bdnimbus_get_option
bdnimbus_init
bdnimbus_json_alloc
bdnimbus_json_array_at
bdnimbus_json_array_size
bdnimbus_json_foreach
bdnimbus_json_free
bdnimbus_json_long
bdnimbus_json_object
bdnimbus_json_path
bdnimbus_json_real
bdnimbus_json_string
bdnimbus_json_type_of
bdnimbus_mem_upload
bdnimbus_mem_upload_async
bdnimbus_push_bin
bdnimbus_push_info
bdnimbus_push_json
bdnimbus_set_option
bdnimbus_set_optionv
bdnimbus_text
bdnimbus_uninit
checkit

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 845KB - Virtual size: 844KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 33KB - Virtual size: 56KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 141KB - Virtual size: 140KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 180KB - Virtual size: 179KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 34KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Run-Malware-1.bat
qd_x86.exe
.exe windows:6 windows x86 arch:x86

14e3d57d9f86b144f92a9d94ef2c3bb8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

Z:\j\projects\qbot4\Release\Win32\qd_x86.pdb

Imports

shell32

CommandLineToArgvW

kernel32

lstrlenA
GetFileAttributesW
GetModuleHandleA
DisconnectNamedPipe
Sleep
GetLastError
lstrcpyW
lstrcmpW
ConnectNamedPipe
GetNumberFormatA
FindFirstFileW
FindNextFileW
SetFileAttributesW
GetFileAttributesA
MoveFileW
lstrcatA
MultiByteToWideChar
lstrcatW
lstrcpyA
WideCharToMultiByte
HeapCreate
HeapFree
HeapAlloc
HeapDestroy
SetNamedPipeHandleState
CreateNamedPipeA
FlushFileBuffers
LoadLibraryA
GetProcAddress
FreeLibrary
GetSystemTimeAsFileTime
lstrlenW
GetCommandLineW
GetCommandLineA
GetVersionExA
GetSystemInfo
GetCurrentDirectoryW
GetWindowsDirectoryW
GetCurrentProcessId
LocalAlloc
GetCurrentThread
lstrcmpiW
Thread32Next
Thread32First
GetCurrentThreadId
lstrcmpA
SuspendThread
GetExitCodeProcess
CreateFileW
ReadConsoleW
CloseHandle
HeapReAlloc
ReadFile
WriteConsoleW
CallNamedPipeA
InitializeSListHead
HeapSize
SetFilePointerEx
QueryPerformanceCounter
DecodePointer
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
GetModuleHandleW
GetCurrentProcess
TerminateProcess
InterlockedPushEntrySList
InterlockedFlushSList
RtlUnwind
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
EncodePointer
RaiseException
ExitProcess
GetModuleHandleExW
GetStdHandle
WriteFile
GetModuleFileNameW
GetTempPathW
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetFileType
OutputDebugStringW
FindClose
FindFirstFileExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetStringTypeW
GetProcessHeap
SetConsoleCtrlHandler
GetConsoleOutputCP
GetConsoleMode
GetFileSizeEx

user32

CharUpperBuffA
CharUpperBuffW

advapi32

RegDeleteKeyA
GetUserNameW
SetFileSecurityA

ole32

CoCreateInstance

Sections

.text
Size: 408KB - Virtual size: 408KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 80KB - Virtual size: 80KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

13904d1cc18631217d0dcb5bf82fbc09

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

user32

crypt32

winmm

ws2_32

iphlpapi

advapi32

secur32

bcrypt

kernel32

Exports

Exports

Sections

.text Size: 2.3MB - Virtual size: 2.3MB

.rdata Size: 845KB - Virtual size: 844KB

.data Size: 33KB - Virtual size: 56KB

.pdata Size: 141KB - Virtual size: 140KB

_RDATA Size: 512B - Virtual size: 244B

.rsrc Size: 180KB - Virtual size: 179KB

.reloc Size: 34KB - Virtual size: 34KB

14e3d57d9f86b144f92a9d94ef2c3bb8

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

shell32

kernel32

user32

advapi32

ole32

Sections

.text Size: 408KB - Virtual size: 408KB

.rdata Size: 80KB - Virtual size: 80KB

.data Size: 20KB - Virtual size: 27KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 11KB - Virtual size: 11KB

.text
Size: 2.3MB - Virtual size: 2.3MB

.rdata
Size: 845KB - Virtual size: 844KB

.data
Size: 33KB - Virtual size: 56KB

.pdata
Size: 141KB - Virtual size: 140KB

_RDATA
Size: 512B - Virtual size: 244B

.rsrc
Size: 180KB - Virtual size: 179KB

.reloc
Size: 34KB - Virtual size: 34KB

.text
Size: 408KB - Virtual size: 408KB

.rdata
Size: 80KB - Virtual size: 80KB

.data
Size: 20KB - Virtual size: 27KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 11KB - Virtual size: 11KB