2e18394457424727246f796b80d9c36ce095791b279c2eb55f61158eaa27edda

Sharing

Copy URL Twitter E-mail

General

Target

2e18394457424727246f796b80d9c36ce095791b279c2eb55f61158eaa27edda
Size

224KB
MD5

9077ec98bd1a022616452acdc2d59799
SHA1

b70a2e8f750b9ff50f6d747725c0ff0ec5ad7823
SHA256

2e18394457424727246f796b80d9c36ce095791b279c2eb55f61158eaa27edda
SHA512

45c6b984d084509122a4c8afe0e82f8a179614fe7f0498c9dfc37fe7561cd60a47224e7b724f9b381ec9802221d28819d11fe8ab01309b4110e49005fa9d261e
SSDEEP

6144:SVSkzVWbiexiQOCJAsCOrastbs+6HdwNg:S0kRiiTQOcnraEsZdL

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack002/WalmartForm_San_Antonio_78218.exe	upx

Unsigned PE 5 IoCs

Checks for missing Authenticode signature.

resource
unpack002/WalmartForm_San_Antonio_78218.exe
unpack003/out.upx
unpack002/d0000.dll
unpack004/80000.dll
unpack004/US_Airways_E-Ticket_Print_Doc.exe

Files

2e18394457424727246f796b80d9c36ce095791b279c2eb55f61158eaa27edda
.zip

Password: infected
newAsprox.zip
.zip

Password: infected
WalmartForm_San_Antonio_78218.exe
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 84KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 85KB - Virtual size: 88KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 61KB - Virtual size: 61KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 59KB - Virtual size: 79KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
d0000.dll
.dll windows:5 windows x86 arch:x86

55919857b06f2ff04948543977f17f30

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\Users\DmitryHELL\Documents\SysIQUA\loader_1.4 s\loader_v4\loader_v3\Release\dll.pdb

Imports

kernel32

CreateThread
LoadLibraryA
GetProcessHeap
CreateEventA
CopyFileW
GetVolumeInformationW
FindClose
FindNextFileW
SetFileAttributesW
FindFirstFileW
GetFileInformationByHandle
FindNextChangeNotification
WaitForMultipleObjects
FindFirstChangeNotificationW
DeviceIoControl
GetLogicalDrives
GetDriveTypeW
GetVolumePathNameW
GetVersionExA
HeapCreate
CreateMutexA
GetLastError
ReadFile
GetModuleHandleA
GetProcAddress
GetCurrentProcessId
OpenProcess
WideCharToMultiByte
OpenEventA
SetEvent
ResumeThread
CreateProcessA
VirtualAlloc
VirtualFree
GetCurrentProcess
TerminateProcess
GetTickCount
DeleteFileA
GetSystemTimeAsFileTime
CreateFileW
Sleep
HeapFree
CreateFileA
WriteFile
CloseHandle
HeapAlloc
ExitThread

user32

FindWindowA
DispatchMessageA
TranslateMessage
GetMessageA
SetWindowLongA
CreateWindowExA
RegisterClassExA
DefWindowProcA
GetWindowLongA
PostMessageA
FindWindowExA

advapi32

RegCloseKey
RegCreateKeyA
RegSetValueExA
RegOpenKeyA
RegEnumKeyExA
RegEnumValueA
CryptDestroyHash
CryptVerifySignatureA
CryptHashData
CryptCreateHash
CryptEncrypt
RegOpenKeyExA
RegDeleteValueA
RegQueryValueExA
CryptAcquireContextA
LookupAccountNameA
GetUserNameA
RegDeleteKeyA

shell32

SHGetSpecialFolderPathA
ShellExecuteA

ole32

CoSetProxyBlanket
CoInitialize
CoCreateInstance

oleaut32

VariantClear
SysAllocString
SysFreeString

ws2_32

inet_ntoa
WSAStartup
WSACleanup
inet_addr

wininet

HttpOpenRequestA
InternetConnectA
InternetOpenA
InternetCloseHandle
HttpSendRequestA
InternetReadFile

msvcrt

malloc
free
memset
wcstombs
_wcsicmp
mbstowcs
memcpy
sprintf
calloc
strstr
_wcsdup

crypt32

CryptImportPublicKeyInfo
CryptStringToBinaryA
CryptDecodeObjectEx

Exports

Exports

Work

Sections

.text
Size: 57KB - Virtual size: 56KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
olderAsprox.zip
.zip

Password: infected
80000.dll
.dll windows:5 windows x86 arch:x86

47f9acc7750753590ec0a8ed77659d09

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

LoadLibraryA
GetFileInformationByHandle
GetCurrentProcess
GetVersionExA
HeapCreate
CreateMutexA
ReadFile
GetLastError
ExitProcess
Sleep
GetTickCount
DeleteFileA
GetSystemTimeAsFileTime
GetModuleHandleA
GetProcAddress
GetCurrentProcessId
OpenProcess
WideCharToMultiByte
OpenEventA
SetEvent
ResumeThread
CreateProcessA
VirtualAlloc
VirtualFree
CreateFileA
WriteFile
HeapFree
CloseHandle
HeapAlloc
GetProcessHeap

advapi32

RegDeleteValueA
LookupAccountNameA
CryptAcquireContextA
RegQueryValueExA
RegOpenKeyExA
CryptEncrypt
CryptCreateHash
CryptHashData
CryptVerifySignatureA
CryptDestroyHash
RegDeleteKeyA
RegCreateKeyA
RegSetValueExA
RegOpenKeyA
RegEnumKeyExA
RegEnumValueA
RegCloseKey
GetUserNameA

shell32

SHGetSpecialFolderPathA
ShellExecuteA

ole32

CoSetProxyBlanket
CoInitialize
CoCreateInstance

oleaut32

VariantClear
SysAllocString
SysFreeString

ws2_32

inet_ntoa
WSAStartup
WSACleanup
inet_addr

wininet

InternetCloseHandle
InternetReadFile
HttpSendRequestA
HttpOpenRequestA
InternetConnectA
InternetOpenA

msvcrt

free
malloc
memset
wcstombs
_wcsicmp
mbstowcs
memcpy
sprintf
calloc

crypt32

CryptImportPublicKeyInfo
CryptStringToBinaryA
CryptDecodeObjectEx

Exports

Exports

Work

Sections

.text
Size: 52KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
US_Airways_E-Ticket_Print_Doc.exe
.exe windows:4 windows x86 arch:x86

1f2de6dceff082d461335fe4576c4fff

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CloseHandle
ExitProcess
GetCommandLineA
GetModuleHandleA
RtlFillMemory
RtlMoveMemory
RtlUnwind
RtlZeroMemory
VerSetConditionMask
CreateThread

user32

LoadCursorA
GetWindowDC
GetMessageA
GetListBoxInfo
GetClipCursor
GetClientRect
FrameRect
EnumChildWindows
EndDialog
DrawMenuBar
LoadIconA
DispatchMessageA
DestroyMenu
DefWindowProcA
CreateWindowExA
CloseWindow
CheckRadioButton
CheckMenuRadioItem
CheckDlgButton
ChangeMenuA
wsprintfA
PaintDesktop
PostQuitMessage
RegisterClassExA
SendDlgItemMessageA
SendMessageA
SetMenuItemBitmaps
ShowWindow
TranslateMessage
UpdateWindow
DrawIcon

glu32

gluUnProject
gluTessVertex
gluTessProperty
gluTessNormal
gluTessEndPolygon
gluTessEndContour
gluTessCallback
gluTessBeginPolygon
gluTessBeginContour
gluSphere
gluScaleImage
gluQuadricTexture
gluQuadricOrientation
gluQuadricNormals
gluQuadricDrawStyle
gluQuadricCallback
gluPwlCurve
gluProject
gluPickMatrix
gluPerspective
gluPartialDisk
gluOrtho2D
gluNurbsSurface
gluNurbsProperty
gluNurbsCurve
gluNurbsCallback
gluBeginCurve
gluBeginPolygon
gluBeginSurface
gluBeginTrim
gluBuild1DMipmaps
gluBuild2DMipmaps
gluCylinder
gluDeleteNurbsRenderer
gluDeleteQuadric
gluDeleteTess
gluDisk
gluEndCurve
gluEndPolygon
gluEndSurface
gluEndTrim
gluErrorString
gluErrorUnicodeStringEXT
gluGetNurbsProperty
gluGetString
gluGetTessProperty
gluLoadSamplingMatrices
gluLookAt
gluNewNurbsRenderer
gluNewQuadric
gluNewTess
gluNextContour

gdi32

WidenPath
SetTextAlign
SetMapMode
PathToRegion
OffsetRgn
LPtoDP
GetTextCharset
GetSystemPaletteEntries
GetCharacterPlacementW
GetCharABCWidthsA
GetBoundsRect
GetBitmapDimensionEx
ColorCorrectPalette
Chord
AbortDoc

Sections

.text
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 73KB - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

Headers

DLL Characteristics

File Characteristics

Sections

UPX0 Size: - Virtual size: 84KB

UPX1 Size: 85KB - Virtual size: 88KB

.rsrc Size: 4KB - Virtual size: 8KB

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 61KB - Virtual size: 61KB

.rdata Size: 12KB - Virtual size: 11KB

.data Size: 59KB - Virtual size: 79KB

.rsrc Size: 4KB - Virtual size: 4KB

55919857b06f2ff04948543977f17f30

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

ole32

oleaut32

ws2_32

wininet

msvcrt

crypt32

Exports

Exports

Sections

.text Size: 57KB - Virtual size: 56KB

.rdata Size: 8KB - Virtual size: 8KB

.data Size: 4KB - Virtual size: 5KB

.reloc Size: 3KB - Virtual size: 2KB

Password: infected

47f9acc7750753590ec0a8ed77659d09

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

shell32

ole32

oleaut32

ws2_32

wininet

msvcrt

crypt32

Exports

Exports

Sections

.text Size: 52KB - Virtual size: 51KB

.rdata Size: 5KB - Virtual size: 5KB

.data Size: 4KB - Virtual size: 5KB

.reloc Size: 3KB - Virtual size: 2KB

1f2de6dceff082d461335fe4576c4fff

Headers

File Characteristics

Imports

kernel32

user32

glu32

gdi32

Sections

.text Size: 4KB - Virtual size: 4KB

.rdata Size: 3KB - Virtual size: 2KB

.data Size: 73KB - Virtual size: 73KB

.rsrc Size: 10KB - Virtual size: 9KB

UPX0
Size: - Virtual size: 84KB

UPX1
Size: 85KB - Virtual size: 88KB

.rsrc
Size: 4KB - Virtual size: 8KB

.text
Size: 61KB - Virtual size: 61KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 59KB - Virtual size: 79KB

.rsrc
Size: 4KB - Virtual size: 4KB

.text
Size: 57KB - Virtual size: 56KB

.rdata
Size: 8KB - Virtual size: 8KB

.data
Size: 4KB - Virtual size: 5KB

.reloc
Size: 3KB - Virtual size: 2KB

.text
Size: 52KB - Virtual size: 51KB

.rdata
Size: 5KB - Virtual size: 5KB

.data
Size: 4KB - Virtual size: 5KB

.reloc
Size: 3KB - Virtual size: 2KB

.text
Size: 4KB - Virtual size: 4KB

.rdata
Size: 3KB - Virtual size: 2KB

.data
Size: 73KB - Virtual size: 73KB

.rsrc
Size: 10KB - Virtual size: 9KB