TewQ[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

TewQ.zip
Size

569KB
MD5

1568d4f4704e5d3dc0f8e744f38773cd
SHA1

6b5e7686f92d36b6a1e2f100333d9ff372e93d2f
SHA256

cb4a01d1f500ce2bf4f77e306a82ee909bbe7ec48ddc4c0b6db96c0458fb236e
SHA512

15fcc4cf5a602d34dbfb15349abf5b0e3e9089cacbd2dcc51ea0f48cfaf74a34c19b63efeee4e986de9174f975198a196c9fadbccec6cc55fdb177b8c1fd295a
SSDEEP

12288:afCDcixNFkZgizMJg8jsi7g3Mig8jsw34:aaDBxNGz4Rjs4g8sjsS4

Score

3^/10

Malware Config

Signatures

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Server/bin/Debug/Server.exe
unpack001/Server/obj/Debug/Server.exe
unpack001/Server/obj/Debug/TempPE/Properties.Resources.Designer.cs.dll

Files

TewQ.zip
.zip

Password: 123231435
Server/App.config
Server/Forms/AboutForm.Designer.cs
Server/Forms/AboutForm.cs
Server/Forms/AboutForm.resx
.vbs
Server/Forms/Anti_V1rus.Designer.cs
Server/Forms/Anti_V1rus.cs
Server/Forms/Anti_V1rus.resx
.vbs
Server/Forms/FMANAGER.Designer.cs
Server/Forms/FMANAGER.cs
Server/Forms/FMANAGER.resx
.vbs
Server/Forms/Form1.Designer.cs
Server/Forms/Form1.cs
.js
Server/Forms/Form1.resx
.vbs
Server/Forms/Form2.Designer.cs
Server/Forms/Form2.cs
Server/Forms/Form2.resx
.vbs
Server/Forms/Form3.Designer.cs
Server/Forms/Form3.cs
Server/Forms/Form3.resx
.vbs
Server/Forms/HulkPy.Designer.cs
Server/Forms/HulkPy.cs
Server/Forms/HulkPy.resx
.vbs
Server/Forms/KeyLogg.Designer.cs
Server/Forms/KeyLogg.cs
Server/Forms/KeyLogg.resx
.vbs
Server/Forms/Msg.Designer.cs
Server/Forms/Msg.cs
Server/Forms/Msg.resx
.vbs
Server/Forms/Newpu.Designer.cs
Server/Forms/Newpu.cs
Server/Forms/Newpu.resx
.vbs
Server/Forms/RMote.Designer.cs
Server/Forms/RMote.cs
Server/Forms/RMote.resx
.vbs
Server/Forms/RunFromLocal.Designer.cs
Server/Forms/RunFromLocal.cs
Server/Forms/RunFromLocal.resx
.vbs
Server/Forms/RunFromWEB.Designer.cs
Server/Forms/RunFromWEB.cs
Server/Forms/RunFromWEB.resx
.vbs
Server/Forms/RunPs.Designer.cs
Server/Forms/RunPs.cs
Server/Forms/RunPs.resx
.vbs
Server/Forms/Task_Manager.Designer.cs
Server/Forms/Task_Manager.cs
Server/Forms/Task_Manager.resx
.vbs
Server/Forms/Update.Designer.cs
Server/Forms/Update.cs
Server/Forms/Update.resx
.vbs
Server/Forms/WebsiteF.Designer.cs
Server/Forms/WebsiteF.cs
Server/Forms/WebsiteF.resx
.vbs
Server/Forms/mainy.Designer.cs
Server/Forms/mainy.cs
Server/Forms/mainy.resx
.vbs
Server/Forms/suur.Designer.cs
Server/Forms/suur.cs
Server/Forms/suur.resx
.vbs
Server/Program.cs
Server/Properties/AssemblyInfo.cs
Server/Properties/Resources.Designer.cs
.vbs
Server/Properties/Resources.resx
.vbs
Server/Properties/Settings.Designer.cs
Server/Properties/Settings.settings
Server/Server.csproj
Server/Settings/Main_settings.cs
Server/bin/Debug/Newtonsoft.Json.dll
.dll windows:4 windows x86 arch:x86

Password: 123231435

dae02f32a21e03ce65412f6e56942daa

Code Sign

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

10/11/2006, 00:00

Not After

10/11/2031, 00:00

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:b0:41:8d:a5:1e:14:8c:33:1b:bc:de:b7:13:83:23
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

27/04/2018, 12:41

Not After

27/04/2028, 12:41

Subject

CN=.NET Foundation Projects Code Signing CA,O=.NET Foundation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0a:71:a1:b0:c2:96:f5:c7:90:65:47:0a:3c:20:53:7e
Certificate

Issuer

CN=.NET Foundation Projects Code Signing CA,O=.NET Foundation,C=US

Not Before

25/10/2018, 00:00

Not After

29/10/2021, 12:00

Subject

SERIALNUMBER=603 389 068,CN=Json.NET (.NET Foundation),O=Json.NET (.NET Foundation),L=Redmond,ST=wa,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

04:cd:3f:85:68:ae:76:c6:1b:b0:fe:71:60:cc:a7:6d
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/10/2019, 00:00

Not After

17/10/2030, 00:00

Subject

CN=TIMESTAMP-SHA256-2019-10-15,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

8c:10:56:8e:61:ed:4a:db:b2:78:fe:51:cd:63:62:ed:e4:18:e6:f9:b5:44:af:42:d1:80:41:52:2d:66:12:81
Signer

Actual PE Digest

8c:10:56:8e:61:ed:4a:db:b2:78:fe:51:cd:63:62:ed:e4:18:e6:f9:b5:44:af:42:d1:80:41:52:2d:66:12:81

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

/_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 673KB - Virtual size: 673KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Server/bin/Debug/Newtonsoft.Json.xml
.xml
Server/bin/Debug/Server.exe
.exe windows:4 windows x86 arch:x86

Password: 123231435

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\tewni\source\repos\Server\Server\obj\Debug\Server.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 81KB - Virtual size: 81KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Server/bin/Debug/Server.exe.config
Server/bin/Debug/Server.pdb
Server/bin/Debug/Settings/settings.json
Server/obj/Debug/DesignTimeResolveAssemblyReferences.cache
Server/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache
Server/obj/Debug/Server.Form1.resources
Server/obj/Debug/Server.Form2.resources
Server/obj/Debug/Server.Forms.AboutForm.resources
Server/obj/Debug/Server.Forms.Anti_V1rus.resources
Server/obj/Debug/Server.Forms.File_Manager.resources
Server/obj/Debug/Server.Forms.Form3.resources
Server/obj/Debug/Server.Forms.HulkPy.resources
Server/obj/Debug/Server.Forms.KeyLogg.resources
Server/obj/Debug/Server.Forms.Msg.resources
Server/obj/Debug/Server.Forms.Newpu.resources
Server/obj/Debug/Server.Forms.RMote.resources
Server/obj/Debug/Server.Forms.RunFromLocal.resources
Server/obj/Debug/Server.Forms.RunFromWEB.resources
Server/obj/Debug/Server.Forms.RunPs.resources
Server/obj/Debug/Server.Forms.Task_Manager.resources
Server/obj/Debug/Server.Forms.Update.resources
Server/obj/Debug/Server.Forms.WebsiteF.resources
Server/obj/Debug/Server.Forms.mainy.resources
Server/obj/Debug/Server.Forms.suur.resources
Server/obj/Debug/Server.Properties.Resources.resources
Server/obj/Debug/Server.csproj.CoreCompileInputs.cache
Server/obj/Debug/Server.csproj.FileListAbsolute.txt
Server/obj/Debug/Server.csproj.GenerateResource.cache
Server/obj/Debug/Server.csprojAssemblyReference.cache
Server/obj/Debug/Server.exe
.exe windows:4 windows x86 arch:x86

Password: 123231435

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\tewni\source\repos\Server\Server\obj\Debug\Server.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 81KB - Virtual size: 81KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Server/obj/Debug/Server.pdb
Server/obj/Debug/TempPE/Properties.Resources.Designer.cs.dll
.dll windows:4 windows x86 arch:x86

Password: 123231435

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

mscoree

_CorDllMain

Sections

.text
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Server/packages.config
Server/test.cs

Sharing

General

Malware Config

Signatures

Files

Password: 123231435

Password: 123231435

dae02f32a21e03ce65412f6e56942daa

Code Sign

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77Certificate

Key Usages

07:b0:41:8d:a5:1e:14:8c:33:1b:bc:de:b7:13:83:23Certificate

Extended Key Usages

Key Usages

0a:71:a1:b0:c2:96:f5:c7:90:65:47:0a:3c:20:53:7eCertificate

Extended Key Usages

Key Usages

04:cd:3f:85:68:ae:76:c6:1b:b0:fe:71:60:cc:a7:6dCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

8c:10:56:8e:61:ed:4a:db:b2:78:fe:51:cd:63:62:ed:e4:18:e6:f9:b5:44:af:42:d1:80:41:52:2d:66:12:81Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 673KB - Virtual size: 673KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

Password: 123231435

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 81KB - Virtual size: 81KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

Password: 123231435

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 81KB - Virtual size: 81KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

Password: 123231435

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 2KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 12B

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
Certificate

07:b0:41:8d:a5:1e:14:8c:33:1b:bc:de:b7:13:83:23
Certificate

0a:71:a1:b0:c2:96:f5:c7:90:65:47:0a:3c:20:53:7e
Certificate

04:cd:3f:85:68:ae:76:c6:1b:b0:fe:71:60:cc:a7:6d
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

8c:10:56:8e:61:ed:4a:db:b2:78:fe:51:cd:63:62:ed:e4:18:e6:f9:b5:44:af:42:d1:80:41:52:2d:66:12:81
Signer

.text
Size: 673KB - Virtual size: 673KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 81KB - Virtual size: 81KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 81KB - Virtual size: 81KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 12B