Kelihos[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Kelihos.zip
Size

4.0MB
MD5

49ed03d641ec291d81e5967e90f7ba8c
SHA1

4770d73d0e167361d17e5d5dc25150d12864bbb2
SHA256

f7803e659612be3c6a251173442633a04897e23089af0996ff2fd7472aea509e
SHA512

f92c8db7759f907850ac854e0de365e26c410a488fede17557d79710cabd42d351fabaef9dc9e17cc9127488c5ffb469f88096d1cf39496230f9905f7fae9e82
SSDEEP

98304:LXzhNnsbs6VWMRrZ+7d0GVwR1SjOYJZ3Ses89qoM:vheb5VWM5cbVsS7Z3s8goM

Score

3^/10

Malware Config

Signatures

Unsigned PE 5 IoCs

Checks for missing Authenticode signature.

resource
unpack001/dumped.exe
unpack001/file_4571518150a8181b403df4ae7ad54ce8b16ded0c.exe
unpack001/kelihos/9B68B45AFA269BA1B0C01749FA4B942F/Fake Intel (1).exe
unpack001/kelihos/dumped.exe
unpack001/kelihos/file_4571518150a8181b403df4ae7ad54ce8b16ded0c.exe

Files

Kelihos.zip
.zip

Password: infected
dumped.exe
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 657KB - Virtual size: 656KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 32KB - Virtual size: 47KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 110KB - Virtual size: 110KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
file_4571518150a8181b403df4ae7ad54ce8b16ded0c.exe
.exe windows:4 windows x86 arch:x86

6feb3b0c7428b23dfd3ace5bc2c883ef

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetCurrentProcessId
FindAtomA
HeapCreate
GetStdHandle
GetCommandLineA
GetModuleFileNameA
DeleteAtom
IsBadCodePtr
GetEnvironmentVariableA
GetFileAttributesA
CreateMailslotW
HeapDestroy
DeleteFileA
GetModuleHandleA
CloseHandle
GetProcessTimes
GetPriorityClass
SuspendThread
GetStartupInfoA
ReadFile

user32

DrawTextW
GetKeyState
DispatchMessageA
GetSysColor
GetClassInfoA
DestroyMenu
GetWindowLongA
SetFocus
IsZoomed
GetClientRect
CallWindowProcW
GetWindowInfo
DispatchMessageA
DestroyMenu

msctfp

DllCanUnloadNow
DllCanUnloadNow
DllCanUnloadNow
DllCanUnloadNow

Sections

.text
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 843KB - Virtual size: 842KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
kelihos/9B68B45AFA269BA1B0C01749FA4B942F/Fake Intel (1).exe
.exe windows:4 windows x86 arch:x86

0cca810de65c2e0f17da0c2629e8e114

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\To\CALs\The.pdb

Imports

kernel32

GlobalHandle
GlobalReAlloc
GlobalUnlock
InitializeCriticalSection
ReadFile
ResetEvent
SetEndOfFile
SetEvent
SetFilePointer
SetLastError
SystemTimeToFileTime
WaitForSingleObject
TlsSetValue
RaiseException
WriteFile
ExitProcess
FindFirstFileA
GetCommandLineA
GetStartupInfoA
LoadLibraryExA
lstrcpynA
lstrlenA
MultiByteToWideChar
VirtualQuery
InterlockedIncrement
GetVersion
LocalAlloc
VirtualAlloc
EnterCriticalSection
DisableThreadLibraryCalls
UnhandledExceptionFilter
InterlockedExchange
GetModuleHandleA
GetWindowsDirectoryW
FindFirstFileW
FindNextFileW
GlobalAlloc
GetFullPathNameW
GetFileAttributesW
LoadLibraryW
FileTimeToSystemTime
GetDateFormatW
CloseHandle
LocalFree
TlsAlloc
TlsGetValue
TlsFree
GetModuleHandleW
GetLastError
InterlockedDecrement
HeapFree
Sleep
GetStdHandle
GetFileType
DeleteCriticalSection
GetModuleFileNameA
WideCharToMultiByte
GetEnvironmentStringsW
HeapCreate
QueryPerformanceCounter
GetSystemTimeAsFileTime
LeaveCriticalSection
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapAlloc
GetModuleFileNameW
RtlUnwind
LCMapStringW
FreeLibrary
GetProcAddress
LoadLibraryA
GetTimeZoneInformation
GetThreadLocale
GetStringTypeExA
GetLocaleInfoA
GetLocalTime
GetFullPathNameA
GetDiskFreeSpaceA
CreateFileA
CreateEventA
CompareStringW
FindClose
CompareStringA

user32

GetSystemMetrics
CharNextA
LoadStringA
GetKeyboardType
CharNextW
CharToOemA

advapi32

RegSetValueExW
OpenServiceW
OpenSCManagerW
RegQueryValueExA
RegDeleteValueW
RegCloseKey
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
InitiateSystemShutdownExW
CloseServiceHandle

ole32

CoCreateInstance
CoUninitialize
CoInitialize

oleaut32

SysAllocStringLen
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopy
VariantClear
VariantInit
SysFreeString

msvcrt

wcschr
towlower
towupper
iswalpha
wcsrchr
wprintf
memset
fputs
fputws
printf

setupapi

SetupDiDestroyDeviceInfoList
SetupDiCallClassInstaller
SetupDiOpenDevRegKey
SetupScanFileQueueW
SetupOpenFileQueue
SetupDiSetSelectedDriverW
SetupDiGetDriverInstallParamsW
SetupDiOpenClassRegKeyExW
SetupDiEnumDeviceInfo
SetupDiGetDriverInfoDetailW
SetupDiCreateDeviceInfoList
SetupDiCreateDeviceInfoW
SetupDiBuildClassInfoListExW
SetupDiClassNameFromGuidExW
SetupCopyOEMInfW
SetupDiSetDeviceRegistryPropertyW
SetupDiSetClassInstallParamsW
SetupOpenInfFileW
SetupFindFirstLineW
SetupGetStringFieldW
SetupDiGetClassDescriptionExW
SetupDiGetDeviceInfoListDetailW
SetupDiOpenDeviceInfoW
SetupDiClassGuidsFromNameExW
SetupDiDestroyDriverInfoList
SetupDiSetDeviceInstallParamsW
SetupDiBuildDriverInfoList
SetupCloseInfFile

ws2_32

shutdown
setsockopt
send
getsockname
getpeername
ioctlsocket
closesocket
WSAStartup
WSACleanup
WSAGetLastError
gethostbyname

Sections

.text
Size: 128KB - Virtual size: 126KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 72KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 88KB - Virtual size: 2.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 36KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
kelihos/dumped.exe
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 657KB - Virtual size: 656KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 32KB - Virtual size: 47KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 110KB - Virtual size: 110KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
kelihos/file_4571518150a8181b403df4ae7ad54ce8b16ded0c.exe
.exe windows:4 windows x86 arch:x86

6feb3b0c7428b23dfd3ace5bc2c883ef

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetCurrentProcessId
FindAtomA
HeapCreate
GetStdHandle
GetCommandLineA
GetModuleFileNameA
DeleteAtom
IsBadCodePtr
GetEnvironmentVariableA
GetFileAttributesA
CreateMailslotW
HeapDestroy
DeleteFileA
GetModuleHandleA
CloseHandle
GetProcessTimes
GetPriorityClass
SuspendThread
GetStartupInfoA
ReadFile

user32

DrawTextW
GetKeyState
DispatchMessageA
GetSysColor
GetClassInfoA
DestroyMenu
GetWindowLongA
SetFocus
IsZoomed
GetClientRect
CallWindowProcW
GetWindowInfo
DispatchMessageA
DestroyMenu

msctfp

DllCanUnloadNow
DllCanUnloadNow
DllCanUnloadNow
DllCanUnloadNow

Sections

.text
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 843KB - Virtual size: 842KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 657KB - Virtual size: 656KB

.data Size: 32KB - Virtual size: 47KB

.tls Size: 512B - Virtual size: 2B

.reloc Size: 110KB - Virtual size: 110KB

6feb3b0c7428b23dfd3ace5bc2c883ef

Headers

File Characteristics

Imports

kernel32

user32

msctfp

Sections

.text Size: 5KB - Virtual size: 5KB

.rdata Size: 1KB - Virtual size: 1.2MB

.data Size: 2KB - Virtual size: 1KB

.rsrc Size: 843KB - Virtual size: 842KB

0cca810de65c2e0f17da0c2629e8e114

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

ole32

oleaut32

msvcrt

setupapi

ws2_32

Sections

.text Size: 128KB - Virtual size: 126KB

.rdata Size: 72KB - Virtual size: 70KB

.data Size: 88KB - Virtual size: 2.2MB

.rsrc Size: 36KB - Virtual size: 33KB

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 657KB - Virtual size: 656KB

.data Size: 32KB - Virtual size: 47KB

.tls Size: 512B - Virtual size: 2B

.reloc Size: 110KB - Virtual size: 110KB

6feb3b0c7428b23dfd3ace5bc2c883ef

Headers

File Characteristics

Imports

kernel32

user32

msctfp

Sections

.text Size: 5KB - Virtual size: 5KB

.rdata Size: 1KB - Virtual size: 1.2MB

.data Size: 2KB - Virtual size: 1KB

.rsrc Size: 843KB - Virtual size: 842KB

.text
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 657KB - Virtual size: 656KB

.data
Size: 32KB - Virtual size: 47KB

.tls
Size: 512B - Virtual size: 2B

.reloc
Size: 110KB - Virtual size: 110KB

.text
Size: 5KB - Virtual size: 5KB

.rdata
Size: 1KB - Virtual size: 1.2MB

.data
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 843KB - Virtual size: 842KB

.text
Size: 128KB - Virtual size: 126KB

.rdata
Size: 72KB - Virtual size: 70KB

.data
Size: 88KB - Virtual size: 2.2MB

.rsrc
Size: 36KB - Virtual size: 33KB

.text
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 657KB - Virtual size: 656KB

.data
Size: 32KB - Virtual size: 47KB

.tls
Size: 512B - Virtual size: 2B

.reloc
Size: 110KB - Virtual size: 110KB

.text
Size: 5KB - Virtual size: 5KB

.rdata
Size: 1KB - Virtual size: 1.2MB

.data
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 843KB - Virtual size: 842KB