Behavioral task: behavioral1
Sample: d6ffb33a7a796f68d2e07a1a79f4352ce60cf247b7747330ae1c7d6349779f03.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: d6ffb33a7a796f68d2e07a1a79f4352ce60cf247b7747330ae1c7d6349779f03.exe
Resource: win10v2004-20240226-en
General
Target: d6ffb33a7a796f68d2e07a1a79f4352ce60cf247b7747330ae1c7d6349779f03.zip
Size: 2.5MB
MD5: a5970023692f46c1e5a3ae7b26ed492e
SHA1: e5bcabe23802ed3d26ab0b1fe6e1fe0b668f36b2
SHA256: ceac1eb2d617c808d64ef8179721dc1f57fd61d09981aef3873e6159cedd5fe6
SHA512: d1307b7a14dcc5887bd2e6d3bd9e6fa2f26cf1dbc8e8e8408abc726665594eefe766e9dce1fe5d9a3c1eb8d85fa14f9534f83e3b5840734f6a2702c39b4eccaf
SSDEEP: 49152:8PrkoASCO8Z5KOAqgtgnLuGbMUvH4A7qdxwxJkJLOd7QAIqh4FQDuA:5NOM5Sqg2LBbM+YjJLOJcdFyuA
Malware Config
Signatures
- yara_rule: upx (resource static1/unpack001/d6ffb33a7a796f68d2e07a1a79f4352ce60cf247b7747330ae1c7d6349779f03)
- Unsigned PE (1 IoC): Checks for missing Authenticode signature. (resource unpack001/d6ffb33a7a796f68d2e07a1a79f4352ce60cf247b7747330ae1c7d6349779f03)
Files
- d6ffb33a7a796f68d2e07a1a79f4352ce60cf247b7747330ae1c7d6349779f03.zip.zip (Password: infected)
- d6ffb33a7a796f68d2e07a1a79f4352ce60cf247b7747330ae1c7d6349779f03.exe (Password: infected)
  Tags: windows:6 windows x64 arch:x64
  b6ad1ea15356aea4060794d58f9d80d7
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
advapi32
AllocateAndInitializeSid
RegQueryValueExW
SystemFunction036
RegOpenKeyExW
FreeSid
RegCloseKey
CheckTokenMembership
FreeSid
ucrtbase
_msize
malloc
_set_new_mode
realloc
calloc
free
_configthreadlocale
exp2f
_dclass
log
roundf
pow
ceil
__setusermatherr
powf
truncf
_configure_narrow_argv
_initialize_narrow_environment
_get_initial_narrow_environment
_seh_filter_exe
_initterm_e
_endthreadex
_register_onexit_function
_crt_atexit
_beginthreadex
abort
exit
_Exit
terminate
__p___argc
_initialize_onexit_table
__p___argv
_initterm
_cexit
_c_exit
_set_app_type
_register_thread_local_exe_atexit_callback
__p__commode
_set_fmode
strlen
strncmp
strcspn
strcpy_s
strcmp
wcsncmp
_localtime64_s
_rotl64
qsort
free
_configthreadlocale
log
exit
_set_fmode
strlen
_localtime64_s
qsort
bcrypt
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider
BCryptGenRandom
BCryptGenRandom
crypt32
CertDuplicateStore
CryptUnprotectData
CertFreeCertificateChain
CertDuplicateCertificateChain
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertCloseStore
CertVerifyCertificateChainPolicy
CertGetCertificateChain
CertOpenStore
CertFreeCertificateContext
CertOpenStore
gdi32
CreateCompatibleBitmap
SelectObject
SetStretchBltMode
StretchBlt
GetDIBits
GetObjectW
DeleteObject
GetDeviceCaps
CreateCompatibleDC
CreateDCW
DeleteDC
DeleteDC
kernel32
GetConsoleMode
WriteConsoleW
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
GetCurrentProcess
ReleaseMutex
GetEnvironmentVariableW
GetModuleHandleW
FormatMessageW
GetTempPathW
SetFilePointerEx
GetFileInformationByHandleEx
GetFullPathNameW
FlushFileBuffers
FindNextFileW
CreateDirectoryW
FindFirstFileW
GetSystemInfo
WakeConditionVariable
GetStdHandle
SetFileCompletionNotificationModes
CreateIoCompletionPort
SetHandleInformation
TryAcquireSRWLockExclusive
GetEnvironmentStringsW
FreeEnvironmentStringsW
CompareStringOrdinal
GetSystemDirectoryW
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
DuplicateHandle
GetCurrentProcessId
CreateNamedPipeW
CreateThread
ReadFileEx
SleepEx
WriteFileEx
ReleaseSRWLockExclusive
GetCurrentThread
WaitForMultipleObjects
GetOverlappedResult
CreateEventW
CancelIo
ReadFile
FatalExit
GetProcAddress
QueryPerformanceFrequency
GetSystemTimeAsFileTime
GetCurrentDirectoryW
AcquireSRWLockShared
ReleaseSRWLockShared
DeleteFileW
LoadLibraryExW
PostQueuedCompletionStatus
GetFinalPathNameByHandleW
SetLastError
GetQueuedCompletionStatusEx
WakeAllConditionVariable
GetModuleHandleA
SwitchToThread
CreateFileW
SetFileInformationByHandle
GetModuleFileNameW
HeapReAlloc
GetProcessHeap
HeapAlloc
Sleep
GetExitCodeProcess
GetTickCount
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
WideCharToMultiByte
FreeLibrary
SystemTimeToFileTime
GetFileSize
LockFileEx
LocalFree
UnlockFile
HeapDestroy
HeapCompact
LoadLibraryW
DeleteFileA
CreateFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
MultiByteToWideChar
HeapSize
HeapValidate
UnmapViewOfFile
CreateMutexW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
WriteFile
HeapCreate
AreFileApisANSI
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
GetCurrentThreadId
WaitForSingleObject
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetFileInformationByHandle
TerminateProcess
SetThreadStackGuarantee
AddVectoredExceptionHandler
CloseHandle
FindClose
QueryPerformanceCounter
IsProcessorFeaturePresent
InitializeSListHead
IsDebuggerPresent
GetLastError
AcquireSRWLockExclusive
HeapFree
EncodePointer
RaiseException
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
CopyFileExW
LoadLibraryA
FatalExit
GetProcAddress
VirtualProtect
kernelbase
SleepConditionVariableSRW
WaitOnAddress
WakeByAddressSingle
FlsAlloc
FlsSetValue
InitializeCriticalSectionEx
ntdll
NtDeviceIoControlFile
NtCreateFile
RtlLookupFunctionEntry
RtlCaptureContext
RtlNtStatusToDosError
NtCancelIoFileEx
RtlUnwindEx
RtlPcToFileHeader
RtlVirtualUnwind
RtlUnwindEx
combase
CoInitializeSecurity
CoCreateInstance
CoSetProxyBlanket
CoInitializeEx
CoInitializeEx
oleaut32
SafeArrayDestroy
VariantClear
SafeArrayAccessData
SafeArrayGetUBound
SysAllocStringLen
SafeArrayUnaccessData
SysFreeString
SafeArrayGetLBound
VariantClear
rstrtmgr
RmStartSession
RmRegisterResources
RmGetList
RmGetList
secur32
UnsealMessage
ApplyControlToken
SealMessage
DeleteSecurityContext
FreeCredentialsHandle
AcquireCredentialsHandleA
QueryContextAttributesW
InitializeSecurityContextW
AcceptSecurityContext
FreeContextBuffer
UnsealMessage
user32
GetMonitorInfoW
EnumDisplaySettingsExW
EnumDisplayMonitors
GetMonitorInfoW
ws2_32
ioctlsocket
WSASocketW
getsockname
getpeername
setsockopt
WSAIoctl
socket
getaddrinfo
freeaddrinfo
WSAStartup
WSACleanup
WSAGetLastError
accept
closesocket
listen
bind
select
getsockopt
recv
send
WSASend
connect
shutdown
WSACleanup
bind
Sections
UPX0 Size: 3.1MB - Virtual size: 3.1MB
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
UPX1 Size: 2.2MB - Virtual size: 2.2MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
UPX2 Size: 17KB - Virtual size: 17KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE