17205346461[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

17205346461.zip
Size

101.0MB
MD5

c47bb0d7b26bbf7fad6d49754c99ac50
SHA1

f391e8cbcf294f4ada3010653f256f4beafa0d99
SHA256

f38893f6750a755f163cb833b6aa9c9af5b1c3cbffa2d2f331f890468aa8db42
SHA512

13e9fc5744c649ff90d7c9ae39291be7a39c01560bf43a1584d378bf60c36ef5fd5aea857ecc164e95c4d537c397f296c3fc8b3104098ec54cc94fbd2188a742
SSDEEP

3145728:wl2kD5RzowMbcZlorenXPhBF4xY5nwZjHWj:uDPzofAjXa4w9U

Score

6^/10

pdf evasion

Malware Config

Signatures

Malformed or missing cross-reference table in PDF
Malformed or missing cross-reference tables are often used to evade detection
pdf evasion

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack002/w2_1040 tax forms/g2m.dll

Files

17205346461.zip
.zip

Password: infected
e8943ca9072d92c62c9c707ae8cc351e724aebe6bf45345a1570224f12f321d4
.zip
w2_1040 tax forms/1099Misc.inf
.pdf
w2_1040 tax forms/Marybeth 2023 Tax Docs.exe
.exe windows:6 windows x86 arch:x86

5419c6d0b7a37c6f48c0d961a0d909db

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

Issuer

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE

Not Before

07/06/2005, 08:09

Not After

30/05/2020, 10:48

Subject

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

62:5c:4d:90:8c:d5:42:fb:ab:2e:a5:73:3f:f1:54:19
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

27/04/2011, 00:00

Not After

30/05/2020, 10:48

Subject

CN=COMODO Time Stamping CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2b:73:db:74:63:11:4c:5a:5b:32:4a:f2:30:57:72:49
Certificate

Issuer

CN=COMODO Time Stamping CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

02/05/2019, 00:00

Not After

30/05/2020, 10:48

Subject

CN=Sectigo SHA-1 Time Stamping Signer,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

07:77:dd:21:cf:5d:c9:dc:78:5a:cb:ae:2a:02:bb:26
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

26/10/2018, 00:00

Not After

03/11/2021, 12:00

Subject

CN=LogMeIn\, Inc.,O=LogMeIn\, Inc.,L=Boston,ST=Massachusetts,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

22/10/2013, 12:00

Not After

22/10/2028, 12:00

Subject

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

90:10:c1:28:da:90:ce:50:43:d1:8e:83:8b:91:69:13:ad:36:49:d0:e1:e4:4b:74:ec:98:20:87:00:85:01:37
Signer

Actual PE Digest

90:10:c1:28:da:90:ce:50:43:d1:8e:83:8b:91:69:13:ad:36:49:d0:e1:e4:4b:74:ec:98:20:87:00:85:01:37

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\jenkins\workspace\Communication_Cloud\G2MWTEndpoint\Production\build-g2mwt-endpoint\output\G2M_Exe.pdb

Imports

kernel32

GetStartupInfoW
GetModuleFileNameA
GetCommandLineW
GetModuleHandleA
GetProcAddress
ExitProcess
GetModuleHandleW

user32

MessageBoxA

g2m

g2mcomm_winmain

Sections

.text
Size: 1024B - Virtual size: 973B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
w2_1040 tax forms/g2m.dll
.dll regsvr32 windows:5 windows x86 arch:x86

8d92ce4913322e1cf2d6cd6654f2944f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\p4builds\Products\GoToMeeting\v4.8_builds\output\G2M.pdb

Imports

rpcrt4

IUnknown_AddRef_Proxy
IUnknown_Release_Proxy
CStdStubBuffer_QueryInterface
CStdStubBuffer_AddRef
CStdStubBuffer_Connect
IUnknown_QueryInterface_Proxy
CStdStubBuffer_Invoke
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_CountRefs
CStdStubBuffer_DebugServerQueryInterface
CStdStubBuffer_DebugServerRelease
NdrCStdStubBuffer_Release
RpcStringFreeW
NdrOleAllocate
NdrOleFree
UuidCreate
CStdStubBuffer_Disconnect
UuidToStringW
NdrDllGetClassObject

psapi

GetModuleBaseNameW
EnumProcessModules
GetModuleFileNameExW
GetModuleInformation
EnumProcesses

shlwapi

PathStripPathW
StrFormatByteSizeW
StrChrW
PathRemoveExtensionW

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

winmm

mixerClose
waveOutGetDevCapsW
waveInGetDevCapsW
waveInGetNumDevs
waveOutGetNumDevs
timeKillEvent
timeSetEvent
mixerGetDevCapsA
waveOutGetPosition
waveOutSetVolume
waveOutGetVolume
mixerGetControlDetailsA
waveOutGetDevCapsA
waveInGetDevCapsA
mixerGetLineInfoA
mixerGetLineControlsA
waveInUnprepareHeader
waveInReset
waveInPrepareHeader
waveInAddBuffer
waveInStart
waveInStop
waveInGetErrorTextW
waveInGetPosition
mmioOpenW
mmioDescend
mmioAscend
waveOutUnprepareHeader
waveOutReset
waveOutPrepareHeader
mmioRead
waveOutPause
waveOutWrite
mmioClose
mixerGetNumDevs
mixerOpen
mixerSetControlDetails
mixerGetLineInfoW
mixerGetDevCapsW
waveInOpen
waveOutOpen
waveInClose
waveOutClose
mixerGetID
waveInGetID
waveOutGetID
mixerGetLineControlsW
mixerGetControlDetailsW
timeGetTime

msacm32

acmStreamUnprepareHeader
acmStreamClose
acmStreamPrepareHeader
acmStreamOpen
acmStreamConvert

wininet

InternetSetOptionW
InternetOpenW
InternetCloseHandle
InternetConnectW
InternetErrorDlg
HttpEndRequestW
InternetQueryOptionW
HttpSendRequestExW
HttpQueryInfoW
InternetReadFileExA
InternetSetStatusCallbackW
HttpOpenRequestW

kernel32

GetFileType
GetStdHandle
SetHandleCount
RtlUnwind
CreateThread
ExitThread
FreeLibrary
RaiseException
TlsGetValue
TlsSetValue
TlsAlloc
GetProcAddress
GetModuleHandleW
IsBadReadPtr
FormatMessageW
GetModuleFileNameW
GetCurrentProcess
Sleep
LoadLibraryW
GetVersionExW
SetUnhandledExceptionFilter
GetLastError
LocalFree
OutputDebugStringW
LoadLibraryExW
CreateEventA
GetSystemTimeAsFileTime
CloseHandle
UnmapViewOfFile
WaitForSingleObject
SetEvent
MapViewOfFile
CreateFileMappingW
GetFileSize
GetCurrentProcessId
CreateFileW
GetTempPathW
GetCurrentThreadId
HeapCreate
HeapDestroy
HeapAlloc
HeapFree
TlsFree
FileTimeToSystemTime
SystemTimeToFileTime
GetSystemTime
WideCharToMultiByte
MultiByteToWideChar
GetCurrentThread
OpenProcess
FindClose
ReadFile
WriteFile
SetFilePointer
SetEndOfFile
FlushFileBuffers
DeleteFileW
CopyFileW
GetFileAttributesW
GetDiskFreeSpaceExW
GetTempFileNameW
FindFirstFileW
MoveFileW
GetSystemWindowsDirectoryW
GetLocaleInfoW
GetStartupInfoA
GlobalMemoryStatusEx
lstrlenA
LocalAlloc
lstrcmpiW
ReleaseMutex
CreateMutexW
ResumeThread
GetThreadContext
SuspendThread
InterlockedIncrement
SetThreadPriority
TerminateThread
CreateProcessW
TerminateProcess
GetExitCodeProcess
GetShortPathNameW
CompareFileTime
CreateDirectoryW
RemoveDirectoryW
GetSystemDirectoryW
GetCurrentDirectoryW
SetCurrentDirectoryW
GetLocalTime
InitializeCriticalSection
DeleteCriticalSection
TryEnterCriticalSection
EnterCriticalSection
LeaveCriticalSection
WaitForMultipleObjects
GetTickCount
GetTimeFormatW
GetDateFormatW
GetTimeZoneInformation
QueryPerformanceCounter
QueryPerformanceFrequency
ResetEvent
OpenEventW
CreateEventW
FindVolumeClose
FindNextVolumeW
QueryDosDeviceW
FindFirstVolumeW
FindNextFileW
GetSystemDefaultLCID
GetUserDefaultLCID
GetUserDefaultUILanguage
EnumResourceLanguagesW
DisableThreadLibraryCalls
InterlockedDecrement
lstrlenW
SizeofResource
LoadResource
FindResourceW
OpenMutexW
GetWindowsDirectoryW
GetTempPathA
CreateDirectoryA
SetLastError
SetWaitableTimer
CreateWaitableTimerW
WritePrivateProfileStringW
GetPrivateProfileStringW
VirtualFree
VirtualAlloc
GlobalLock
GlobalFree
GlobalUnlock
GlobalAlloc
FlushInstructionCache
lstrcmpW
MulDiv
LockResource
GetVersionExA
ExpandEnvironmentStringsW
Thread32Next
Thread32First
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
GetFileTime
ExitProcess
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LCMapStringW
GetModuleHandleA
HeapSize
GetConsoleCP
GetConsoleMode
HeapReAlloc
GetTimeFormatA
GetDateFormatA
CompareStringW
SetConsoleCtrlHandler
InitializeCriticalSectionAndSpinCount
LCMapStringA
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetStdHandle
CreateFileA
GetProcessHeap
CompareStringA
SetEnvironmentVariableA
InterlockedCompareExchange
IsProcessorFeaturePresent
GetCommandLineW
ReleaseSemaphore
CreateSemaphoreW
GetVolumeInformationW
DuplicateHandle
GetVersion
GlobalMemoryStatus
GetFileInformationByHandle
GetPrivateProfileSectionW
GetPrivateProfileSectionNamesW
CreateMutexA
FileTimeToLocalFileTime
GetDriveTypeA
FindFirstFileA
GetFullPathNameA
PeekNamedPipe
GetCurrentDirectoryA
FoldStringW
FlushConsoleInputBuffer
ReadConsoleInputA
SetConsoleMode
IsDebuggerPresent
UnhandledExceptionFilter
GetCommandLineA
LoadLibraryA
InterlockedExchange
GetSystemInfo

gdi32

CreateDCW
CreatePen
SetPolyFillMode
Polygon
FrameRgn
PaintRgn
CreatePolygonRgn
ExtTextOutW
CreateBitmap
SetROP2
FillRgn
Polyline
GetRegionData
CreateRectRgnIndirect
OffsetRgn
GetRgnBox
EqualRgn
GetSystemPaletteEntries
CreatePalette
GetPaletteEntries
GetDIBColorTable
SetDIBColorTable
CreateDIBSection
RestoreDC
SaveDC
CreateRoundRectRgn
GetBitmapBits
GetTextMetricsW
SetBkColor
SetStretchBltMode
StretchBlt
GetDIBits
CreateDIBitmap
SetDIBits
SelectClipRgn
ExcludeClipRect
SetMapMode
SetWindowExtEx
SetViewportExtEx
SetWindowOrgEx
SetViewportOrgEx
LineTo
MoveToEx
SetPixelV
GetTextExtentPoint32W
CreateRectRgn
SetRectRgn
CombineRgn
GetClipBox
GetDCOrgEx
SetTextColor
TextOutW
GetTextColor
CreateFontW
CreateFontIndirectW
GetStockObject
GetObjectW
GetDeviceCaps
BitBlt
CreateSolidBrush
GetPixel
SetPixel
SetBkMode
SetBrushOrgEx
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
CreatePatternBrush
DeleteDC
DeleteObject
GetBkMode

comdlg32

ChooseColorW
GetOpenFileNameW
GetSaveFileNameW
CommDlgExtendedError

ole32

CoInitializeSecurity
CoGetObject
CoDisconnectObject
OleInitialize
CoGetCurrentProcess
OleUninitialize
CoUninitialize
CoInitializeEx
CoCreateFreeThreadedMarshaler
CoTaskMemFree
CoRegisterClassObject
CoRevokeClassObject
CoGetCallContext
CoInitialize
CreateStreamOnHGlobal
CLSIDFromString
CoGetClassObject
OleLockRunning
CLSIDFromProgID
CoCreateGuid
CoRegisterPSClsid
StringFromCLSID
CoSetProxyBlanket
CoCreateInstance
StringFromGUID2
CoTaskMemRealloc
CoTaskMemAlloc

oleaut32

BSTR_UserFree
BSTR_UserUnmarshal
BSTR_UserMarshal
BSTR_UserSize
LPSAFEARRAY_UserFree
LPSAFEARRAY_UserUnmarshal
LPSAFEARRAY_UserMarshal
LPSAFEARRAY_UserSize
VarUI4FromStr
RegisterTypeLi
SysStringLen
SafeArrayDestroy
SysAllocString
SysAllocStringByteLen
UnRegisterTypeLi
SystemTimeToVariantTime
SysStringByteLen
SysAllocStringLen
VariantInit
VariantClear
OleCreateFontIndirect
LoadRegTypeLi
OleLoadPicture
DispCallFunc
VarBstrCat
VarBstrCmp
OleLoadPicturePath
SafeArrayGetElement
SafeArrayCreate
LoadTypeLi
SafeArrayPutElement
SysFreeString

secur32

GetUserNameExW

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationW

comctl32

InitCommonControlsEx

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

wsock32

WSASetLastError
ntohs
ioctlsocket
htons
gethostname
connect
socket
send
shutdown
getsockname
setsockopt
select
__WSAFDIsSet
recv
inet_ntoa
gethostbyname
WSAStartup
WSACleanup
WSAGetLastError
getpeername
closesocket
inet_addr

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
g2mchat_winmain
g2mcomm_winmain
g2mfeedback_winmain
g2mhost_winmain
g2minstaller_winmain
g2minsthigh_winmain
g2mlauncher_winmain
g2mmatchmaking_winmain
g2mmaterials_winmain
g2mpolling_winmain
g2mqanda_winmain
g2mrecorder_winmain
g2msessioncontrol_winmain
g2mstart_winmain
g2mtesting_winmain
g2mtranscoder_winmain
g2mui_winmain
g2muninstall_winmain
g2mvideoconference_winmain
g2mview_winmain

Sections

.text
Size: 5.9MB - Virtual size: 5.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.orpc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 151KB - Virtual size: 216KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 963KB - Virtual size: 962KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

5419c6d0b7a37c6f48c0d961a0d909db

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4bCertificate

Key Usages

62:5c:4d:90:8c:d5:42:fb:ab:2e:a5:73:3f:f1:54:19Certificate

Extended Key Usages

Key Usages

2b:73:db:74:63:11:4c:5a:5b:32:4a:f2:30:57:72:49Certificate

Extended Key Usages

Key Usages

07:77:dd:21:cf:5d:c9:dc:78:5a:cb:ae:2a:02:bb:26Certificate

Extended Key Usages

Key Usages

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08Certificate

Extended Key Usages

Key Usages

90:10:c1:28:da:90:ce:50:43:d1:8e:83:8b:91:69:13:ad:36:49:d0:e1:e4:4b:74:ec:98:20:87:00:85:01:37Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

g2m

Sections

.text Size: 1024B - Virtual size: 973B

.rdata Size: 1KB - Virtual size: 1KB

.data Size: - Virtual size: 4B

.CRT Size: 512B - Virtual size: 4B

.rsrc Size: 20KB - Virtual size: 19KB

8d92ce4913322e1cf2d6cd6654f2944f

Headers

File Characteristics

PDB Paths

Imports

rpcrt4

psapi

shlwapi

version

winmm

msacm32

wininet

kernel32

gdi32

comdlg32

ole32

oleaut32

secur32

wtsapi32

comctl32

userenv

wsock32

Exports

Exports

Sections

.text Size: 5.9MB - Virtual size: 5.9MB

.orpc Size: 2KB - Virtual size: 4KB

.rdata Size: 1.5MB - Virtual size: 1.5MB

.data Size: 151KB - Virtual size: 216KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 963KB - Virtual size: 962KB

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

62:5c:4d:90:8c:d5:42:fb:ab:2e:a5:73:3f:f1:54:19
Certificate

2b:73:db:74:63:11:4c:5a:5b:32:4a:f2:30:57:72:49
Certificate

07:77:dd:21:cf:5d:c9:dc:78:5a:cb:ae:2a:02:bb:26
Certificate

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

90:10:c1:28:da:90:ce:50:43:d1:8e:83:8b:91:69:13:ad:36:49:d0:e1:e4:4b:74:ec:98:20:87:00:85:01:37
Signer

.text
Size: 1024B - Virtual size: 973B

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: - Virtual size: 4B

.CRT
Size: 512B - Virtual size: 4B

.rsrc
Size: 20KB - Virtual size: 19KB

.text
Size: 5.9MB - Virtual size: 5.9MB

.orpc
Size: 2KB - Virtual size: 4KB

.rdata
Size: 1.5MB - Virtual size: 1.5MB

.data
Size: 151KB - Virtual size: 216KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 963KB - Virtual size: 962KB