17693067373[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

17693067373.zip
Size

1.3MB
MD5

7de70d26a1020e4625da268e61ddb418
SHA1

2444526ab4e5bcb0a23cf0fd9367e6547aa675ea
SHA256

2126f43d95f6772d470117660a2f7319c68b5b068830a3e706a202a11ab42178
SHA512

b071eaedeb30b6db4f840c6cacb04f666e9a6a303d173706a11d03c39bb638323fd0610c87d1e2f2670042e71002cb0df9f6eb570b22767d05b8fddc7c457dd4
SSDEEP

24576:B8zodVTxlJ1e9MEsWjY0Di9hTb39ekJswalg+4gn5zNW2WaZ/2qopRcGI:B8aVvJ09Q+LyhXQuwlg1gRfb5

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack002/Marybeth 2023 TAX ORGANIZER/IVIEWERS.dll

Files

17693067373.zip
.zip

Password: infected
75d33be96b8d9d74bc56a2f382982a714ba3e78beb0fad571236dfb15d4aa054
.zip
Marybeth 2023 TAX ORGANIZER/IVIEWERS.dll
.dll windows:5 windows x86 arch:x86

21312c342dfe15c1768ec19a879c07b1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\vmagent_new\bin\joblist\344211\out\Release\360NetBase.pdb

Imports

ws2_32

htons
getsockopt
recv
closesocket
socket
connect
WSASetLastError
freeaddrinfo
getaddrinfo
WSACleanup
WSAStartup
ioctlsocket
__WSAFDIsSet
select
send
getpeername
bind
ntohs
getsockname
setsockopt
WSAGetLastError
shutdown

user32

MessageBoxA
GetProcessWindowStation
GetUserObjectInformationW

kernel32

WriteConsoleW
TlsFree
GetConsoleOutputCP
WriteConsoleA
SetEnvironmentVariableA
CompareStringW
CompareStringA
DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
SetLastError
GetLastError
SleepEx
CloseHandle
WaitForSingleObject
ReleaseMutex
CreateMutexA
ExpandEnvironmentStringsA
Sleep
FormatMessageA
GetTickCount
MultiByteToWideChar
DeviceIoControl
CreateFileA
GetCurrentProcessId
WideCharToMultiByte
FreeLibrary
InterlockedCompareExchange
GetModuleFileNameW
GetModuleHandleW
GetProcAddress
LoadLibraryA
lstrlenA
LoadLibraryW
lstrlenW
FindClose
lstrcmpW
GetLongPathNameW
FindFirstFileW
ReadDirectoryChangesW
CreateFileW
CreateEventA
GetPrivateProfileStringW
lstrcmpiW
GetOverlappedResult
lstrcatW
lstrcpyW
GetSystemDirectoryW
WriteFile
SetEvent
GetCurrentProcess
GetModuleHandleA
GetVersionExA
GetSystemDirectoryA
InterlockedExchange
GetModuleFileNameA
WaitForMultipleObjects
FreeLibraryAndExitThread
CreateThread
GetModuleHandleExA
SystemTimeToFileTime
GetSystemTimeAsFileTime
LocalFileTimeToFileTime
SetEndOfFile
SetFilePointerEx
ReadFile
GetFileSizeEx
CreateMutexW
TlsGetValue
HeapAlloc
HeapFree
OutputDebugStringW
GetProcessHeap
TlsSetValue
HeapUnlock
OpenThread
HeapLock
HeapWalk
GetCurrentThreadId
TlsAlloc
GetVersion
GetFileType
GetStdHandle
QueryPerformanceCounter
GlobalMemoryStatus
FlushConsoleInputBuffer
GetSystemTime
ExitThread
HeapReAlloc
FileTimeToSystemTime
FileTimeToLocalFileTime
GetDriveTypeA
FindFirstFileA
RaiseException
RtlUnwind
GetCommandLineA
ExitProcess
SetConsoleCtrlHandler
ReadConsoleInputA
SetConsoleMode
GetConsoleMode
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsDebuggerPresent
InterlockedIncrement
InterlockedDecrement
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
SetHandleCount
GetStartupInfoA
HeapCreate
HeapDestroy
VirtualFree
VirtualAlloc
GetFullPathNameA
GetFileInformationByHandle
PeekNamedPipe
GetCurrentDirectoryA
LCMapStringA
LCMapStringW
GetConsoleCP
FlushFileBuffers
SetFilePointer
HeapSize
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
InitializeCriticalSectionAndSpinCount
SetStdHandle
GetTimeZoneInformation
GetStringTypeA
GetStringTypeW
GetLocaleInfoA

advapi32

RegQueryValueExW
RegOpenKeyExW
RegisterEventSourceA
ReportEventA
DeregisterEventSource
RegEnumKeyExW
RegQueryValueExA
RegNotifyChangeKeyValue
RegEnumKeyExA
RegCloseKey

oleaut32

SysFreeString
VarBstrCmp
VariantClear
SysAllocStringLen
SysAllocString
SysAllocStringByteLen
SysStringByteLen

shlwapi

PathCombineA
StrStrIW
SHGetValueW
PathFileExistsW
PathAppendW
StrCmpIW
PathFileExistsA
PathFindFileNameA
PathRemoveFileSpecW

crypt32

CertEnumCertificatesInStore
CertOpenSystemStoreA
CertCloseStore

Exports

Exports

InitLibs

Sections

.text
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 271KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 42KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 966KB - Virtual size: 965KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Marybeth 2023 TAX ORGANIZER/Im.data
Marybeth 2023 TAX ORGANIZER/Marybeth 1040_taxforms 2023.exe
.exe windows:6 windows x86 arch:x86

0f423532b297ae2286c4e94f73c70bde

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

22/08/2007, 22:31

Not After

25/08/2012, 07:00

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:06:27:81:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/10/2008, 21:24

Not After

22/01/2010, 21:34

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:49:7c:ed:00:00:00:00:00:05
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/09/2006, 01:55

Not After

16/09/2011, 02:05

Subject

CN=Microsoft Timestamping Service,OU=nCipher DSE ESN:10D8-5847-CBF8,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16/09/2006, 01:04

Not After

15/09/2019, 07:00

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

df:a6:c8:2b:db:96:3a:2c:70:04:57:bc:42:dd:25:51:b9:92:f3:18
Signer

Actual PE Digest

df:a6:c8:2b:db:96:3a:2c:70:04:57:bc:42:dd:25:51:b9:92:f3:18

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

OLEView.pdb

Imports

advapi32

RegQueryValueW
RegCloseKey
RegOpenKeyExW
RegSetValueExW
GetSecurityDescriptorLength
MakeSelfRelativeSD
RegEnumKeyW
RegOpenKeyW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegQueryValueExW
RegEnumValueW
SetSecurityDescriptorDacl
MakeAbsoluteSD
SetEntriesInAclW
GetExplicitEntriesFromAclW
GetSecurityDescriptorDacl
MapGenericMask
LookupAccountSidW
GetAce
CopySid
GetLengthSid
GetTokenInformation
OpenProcessToken
LookupAccountNameW
AddAce
GetAclInformation
InitializeAcl
AddAccessAllowedAce
EqualSid
InitializeSecurityDescriptor
IsValidSid
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
RegCreateKeyExW
RegDeleteValueW
FreeSid
AllocateAndInitializeSid

kernel32

LoadLibraryW
lstrcpyW
GetModuleHandleW
GetVersionExW
lstrlenW
lstrcmpW
lstrcmpiW
GetLastError
WinExec
ResumeThread
SuspendThread
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
LoadLibraryExW
GetUserDefaultLCID
GetSystemDefaultLCID
GlobalUnlock
GlobalLock
FreeLibrary
LocalAlloc
LocalFree
InterlockedIncrement
InterlockedDecrement
CloseHandle
GetCurrentProcess
lstrcatW
FormatMessageW
GlobalAlloc
GetTickCount
UnhandledExceptionFilter
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
QueryPerformanceCounter
GetModuleHandleA
SetUnhandledExceptionFilter
RtlUnwind
GetStartupInfoW
InterlockedCompareExchange
Sleep
InterlockedExchange
GetProcAddress
GetModuleFileNameW

gdi32

DeleteObject

user32

ScreenToClient
EnableWindow
SendMessageW
SetCursor
LoadCursorW
LoadIconW
GetWindowRect
SetActiveWindow
DeleteMenu
EnableMenuItem
GetSubMenu
OpenClipboard
LoadBitmapW
GetMessagePos
UpdateWindow
wsprintfW
CloseClipboard
SetClipboardData
EmptyClipboard
MessageBoxW
RedrawWindow
LoadMenuW
GetFocus

mfc42u

ord922
ord3993
ord773
ord501
ord2857
ord5596
ord4269
ord815
ord540
ord561
ord3733
ord4418
ord4616
ord4075
ord3074
ord3820
ord3826
ord3825
ord2971
ord3076
ord2980
ord3257
ord3131
ord4459
ord3254
ord3142
ord2977
ord5710
ord5285
ord5303
ord4074
ord5298
ord5296
ord3341
ord2388
ord5193
ord1089
ord3917
ord5727
ord2504
ord2546
ord4480
ord6371
ord800
ord4692
ord2717
ord825
ord823
ord1165
ord1172
ord1143
ord641
ord6398
ord858
ord3494
ord2507
ord355
ord1197
ord940
ord538
ord4155
ord2810
ord3516
ord5977
ord4604
ord986
ord520
ord2089
ord384
ord2613
ord6112
ord1202
ord1808
ord609
ord693
ord4419
ord4621
ord5273
ord2116
ord2438
ord5257
ord1720
ord5059
ord3744
ord6372
ord2047
ord2640
ord4831
ord3793
ord4347
ord6370
ord5157
ord2377
ord5237
ord4401
ord1767
ord4073
ord6048
ord2506
ord4992
ord4370
ord5261
ord4229
ord6330
ord4435
ord5276
ord3133
ord2371
ord567
ord3569
ord3397
ord5286
ord4390
ord1768
ord6051
ord2567
ord3635
ord3365
ord4396
ord2574
ord324
ord2294
ord4704
ord2634
ord4219
ord6193
ord656
ord3605
ord861
ord2362
ord2293
ord3870
ord6195
ord3592
ord4847
ord2637
ord3297
ord1833
ord784
ord804
ord795
ord810
ord4426
ord2083
ord1718
ord3743
ord5277
ord5236
ord6050
ord4103
ord4954
ord4957
ord4518
ord4523
ord4520
ord4537
ord4539
ord4525
ord4883
ord4341
ord4334
ord4527
ord4886
ord4364
ord4893
ord4582
ord4583
ord4236
ord326
ord5256
ord2078
ord3716
ord3728
ord3393
ord3724
ord3389
ord4400
ord2579
ord364
ord5031
ord6127
ord6212
ord4714
ord6211
ord2644
ord1662
ord1899
ord768
ord4829
ord5283
ord4848
ord4371
ord4352
ord4942
ord4970
ord4736
ord4899
ord5154
ord5156
ord5155
ord4253
ord489
ord1817
ord4233
ord4414
ord652
ord860
ord338
ord4420
ord4617
ord6171
ord6076
ord3193
ord3449
ord4381
ord2391
ord4852
ord4947
ord5649
ord3167
ord5573
ord1739
ord5736
ord5239
ord2534
ord2502
ord6332
ord3060
ord3053
ord4690
ord1900
ord1008
ord771
ord497
ord498
ord4425
ord2046
ord4433
ord5284
ord2520
ord1683
ord4254
ord4709
ord616
ord3087
ord3867
ord3577
ord4392
ord2570
ord4213
ord2015
ord2403
ord3871
ord4118
ord2756
ord1834
ord4237
ord4146
ord439
ord3574
ord3348
ord3269
ord5681
ord4538
ord4519
ord4524
ord736
ord2859
ord4158
ord807
ord796
ord794
ord674
ord554
ord529
ord527
ord366
ord4421
ord5248
ord4430
ord1658
ord2641
ord5278
ord5233
ord4072
ord2873
ord2874
ord3398
ord5468
ord975
ord5006
ord3345
ord4298
ord5097
ord5094
ord3054
ord2382
ord2715
ord2550
ord6063
ord3477
ord5996
ord2109
ord5867
ord2112
ord4451
ord5491
ord5906
ord5848
ord3476
ord2244
ord6399
ord5568
ord3792
ord2910
ord2970
ord3865
ord2385
ord6191
ord6205
ord1258
ord3517
ord4493
ord1934
ord1863
ord4267
ord1262
ord5255
ord4501
ord3658
ord6325
ord2855
ord3649
ord2576
ord4215
ord2430
ord2858
ord1637
ord813
ord303
ord3729
ord3394
ord1719
ord4955
ord4958
ord4884
ord4717
ord4343
ord4335
ord5070
ord4526
ord543
ord3579
ord803
ord5617
ord4078
ord1105
ord1083
ord925
ord537
ord6266
ord3909
ord1569

msvcrt

__wgetmainargs
_cexit
_exit
_XcptFilter
_wcmdln
_initterm
_amsg_exit
__setusermatherr
__p__commode
__p__fmode
__set_app_type
??1type_info@@UAE@XZ
_unlock
__dllonexit
_lock
?terminate@@YAXXZ
_controlfp
__CxxFrameHandler
isspace
isdigit
wcsrchr
free
malloc
_vsnwprintf
_wcsnicmp
wcstol
_wtoi
wcstok
??_U@YAPAXI@Z
memset
??_V@YAXPAX@Z
toupper
isxdigit
_wcsicmp
memcpy
exit
_itow
_onexit

comctl32

ImageList_AddMasked

shell32

DragQueryFileW
DragFinish
ExtractIconW
ShellAboutW

shlwapi

wnsprintfW

ole32

CreateBindCtx
MkParseDisplayName
StringFromCLSID
CoTaskMemFree
CoGetClassObject
CLSIDFromString
CLSIDFromProgID
CoCreateInstance
StringFromGUID2
CoFreeUnusedLibraries

oleaut32

LoadRegTypeLi
LoadTypeLi

Sections

.text
Size: 125KB - Virtual size: 124KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

21312c342dfe15c1768ec19a879c07b1

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ws2_32

user32

kernel32

advapi32

oleaut32

shlwapi

crypt32

Exports

Exports

Sections

.text Size: 1.0MB - Virtual size: 1.0MB

.rdata Size: 271KB - Virtual size: 272KB

.data Size: 42KB - Virtual size: 68KB

.rsrc Size: 966KB - Virtual size: 965KB

0f423532b297ae2286c4e94f73c70bde

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0Certificate

Extended Key Usages

Key Usages

61:06:27:81:00:00:00:00:00:08Certificate

Extended Key Usages

Key Usages

61:49:7c:ed:00:00:00:00:00:05Certificate

Extended Key Usages

Key Usages

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2Certificate

Extended Key Usages

Key Usages

df:a6:c8:2b:db:96:3a:2c:70:04:57:bc:42:dd:25:51:b9:92:f3:18Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

gdi32

user32

mfc42u

msvcrt

comctl32

shell32

shlwapi

ole32

oleaut32

Sections

.text Size: 125KB - Virtual size: 124KB

.data Size: 3KB - Virtual size: 4KB

.rsrc Size: 38KB - Virtual size: 37KB

.reloc Size: 11KB - Virtual size: 11KB

.text
Size: 1.0MB - Virtual size: 1.0MB

.rdata
Size: 271KB - Virtual size: 272KB

.data
Size: 42KB - Virtual size: 68KB

.rsrc
Size: 966KB - Virtual size: 965KB

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

61:06:27:81:00:00:00:00:00:08
Certificate

61:49:7c:ed:00:00:00:00:00:05
Certificate

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

df:a6:c8:2b:db:96:3a:2c:70:04:57:bc:42:dd:25:51:b9:92:f3:18
Signer

.text
Size: 125KB - Virtual size: 124KB

.data
Size: 3KB - Virtual size: 4KB

.rsrc
Size: 38KB - Virtual size: 37KB

.reloc
Size: 11KB - Virtual size: 11KB