bin[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

bin.zip
Size

477KB
MD5

471c8a857dfb5e6b5c3a1b92021391e2
SHA1

d7a0043173e0d67b75a4a77a9cc3e84256998484
SHA256

1e27c1627a6cf27b8d992cc0e4b560644868a3549c203b00413abb5d0eec72d4
SHA512

4f11da5dc21af58a4b33c43f8a2700249423b7c5bc9bb3c62017616c1a83f7fdfe9dc2bf28153d8079fad5e73a0fbd5b067ce099a12ce5765cdf6d6f7657b093
SSDEEP

12288:OQymU1WMQbOugQPuy1HjgC3KvPZRGE2wbqkB1S:OVmU3QbOuGy1HHannGE2eqkBY

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/bin/Release-x64/Moonlight.exe
unpack001/bin/Release-x64/moonlight.dll

Files

bin.zip
.zip
bin/Release-x64/Moonlight.exe
.exe windows:6 windows x64 arch:x64

32ebda22bd1255c81ec15f7b143057be

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\a\wuwa-moonlight\wuwa-moonlight\bin\Release-x64\Moonlight.pdb

Imports

kernel32

GetLastError
UpdateProcThreadAttribute
CloseHandle
DeleteProcThreadAttributeList
Process32First
CreateToolhelp32Snapshot
Process32Next
Sleep
WriteProcessMemory
WaitForSingleObject
GetModuleHandleA
GetProcAddress
VirtualAllocEx
CreateRemoteThread
VirtualFreeEx
ReleaseSRWLockShared
ResumeThread
OpenProcess
InitializeProcThreadAttributeList
GetExitCodeProcess
GetCurrentProcess
AcquireSRWLockExclusive
AcquireSRWLockShared
InitializeSListHead
SetCurrentDirectoryW
GetCurrentDirectoryW
AreFileApisANSI
GetModuleHandleW
MultiByteToWideChar
WideCharToMultiByte
LocalFree
FormatMessageA
GetLocaleInfoEx
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
ReleaseSRWLockExclusive
RtlVirtualUnwind
UnhandledExceptionFilter
GetSystemTimeAsFileTime
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId

comdlg32

GetOpenFileNameA

advapi32

OpenProcessToken
CreateProcessAsUserA

msvcp140

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Xlength_error@std@@YAXPEBD@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xout_of_range@std@@YAXPEBD@Z
?_Winerror_map@std@@YAHH@Z
?good@ios_base@std@@QEBA_NXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Syserror_map@std@@YAPEBDH@Z

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memmove
__std_exception_destroy
__std_exception_copy
_purecall
__std_terminate
__C_specific_handler
_CxxThrowException
__current_exception
__current_exception_context
memcmp
memcpy
memset

api-ms-win-crt-heap-l1-1-0

_callnewh
_set_new_mode
free
malloc

api-ms-win-crt-runtime-l1-1-0

exit
_initterm_e
_invalid_parameter_noinfo_noreturn
_get_initial_narrow_environment
__p___argc
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
terminate
_exit
_initterm
system

api-ms-win-crt-stdio-l1-1-0

fread
__stdio_common_vfprintf
fseek
fclose
fopen_s
fputs
__acrt_iob_func
ftell
_set_fmode
__p__commode
__stdio_common_vsprintf

api-ms-win-crt-multibyte-l1-1-0

_mbsicmp

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
___lc_codepage_func

api-ms-win-crt-math-l1-1-0

__setusermatherr

Sections

.text
Size: 43KB - Virtual size: 43KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 216B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/Release-x64/moonlight.dll
.dll windows:6 windows x64 arch:x64

38b57687f8938d32e26add9b4f7abde8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

D:\a\wuwa-moonlight\wuwa-moonlight\bin\Release-x64\moonlight.pdb

Imports

kernel32

CloseHandle
MultiByteToWideChar
GlobalAlloc
GlobalFree
GlobalLock
WideCharToMultiByte
GlobalUnlock
GetLocaleInfoA
LoadLibraryA
QueryPerformanceFrequency
GetProcAddress
QueryPerformanceCounter
VirtualFree
VirtualAlloc
GetSystemInfo
VirtualQuery
HeapCreate
VirtualProtect
HeapFree
GetCurrentProcess
Thread32Next
Thread32First
GetCurrentThreadId
SuspendThread
AllocConsole
CreateToolhelp32Snapshot
HeapReAlloc
HeapAlloc
GetThreadContext
GetCurrentProcessId
FlushInstructionCache
SetThreadContext
OpenThread
ExitProcess
InitializeSListHead
GetSystemTimeAsFileTime
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
AcquireSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockShared
ReleaseSRWLockExclusive
CreateThread
DisableThreadLibraryCalls
Sleep
GetModuleHandleA
ResumeThread

user32

DestroyWindow
DefWindowProcA
CreateWindowExA
UnregisterClassA
RegisterClassExA
GetMessageExtraInfo
LoadCursorA
GetCursorPos
ScreenToClient
GetCapture
ClientToScreen
TrackMouseEvent
GetKeyboardLayout
OpenClipboard
GetForegroundWindow
SetCapture
SetCursor
CloseClipboard
EmptyClipboard
GetClipboardData
SetClipboardData
GetKeyState
GetAsyncKeyState
CallWindowProcA
SetWindowLongPtrA
SetCursorPos
ReleaseCapture
IsWindowUnicode
GetClientRect

msvcp140

?_Xout_of_range@std@@YAXPEBD@Z
?_Xbad_function_call@std@@YAXXZ
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
_Query_perf_frequency
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xlength_error@std@@YAXPEBD@Z
_Query_perf_counter
_Xtime_get_ticks
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEBX@Z
?good@ios_base@std@@QEBA_NXZ

imm32

ImmSetCandidateWindow
ImmReleaseContext
ImmGetContext
ImmSetCompositionWindow

d3dcompiler_47

D3DCompile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_exception_destroy
__std_exception_copy
__std_type_info_destroy_list
memset
memmove
memcpy
memcmp
memchr
_CxxThrowException
__C_specific_handler
strstr
__std_terminate

api-ms-win-crt-heap-l1-1-0

free
_callnewh
malloc
calloc

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf
__acrt_iob_func
freopen_s
ftell
fflush
__stdio_common_vsscanf
fread
_wfopen
fwrite
fclose
fseek
__stdio_common_vfprintf
__stdio_common_vsprintf_s

api-ms-win-crt-runtime-l1-1-0

_configure_narrow_argv
_seh_filter_dll
_initialize_narrow_environment
_invalid_parameter_noinfo_noreturn
_initterm_e
_initialize_onexit_table
_initterm
_cexit
_crt_atexit
_execute_onexit_table
_register_onexit_function

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-string-l1-1-0

strncmp
strncpy
strcmp

api-ms-win-crt-convert-l1-1-0

atof

api-ms-win-crt-time-l1-1-0

_ctime64

api-ms-win-crt-math-l1-1-0

acosf
ceilf
cosf
fmodf
sinf
sqrtf

Sections

.text
Size: 284KB - Virtual size: 284KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 70KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 485KB - Virtual size: 486KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

32ebda22bd1255c81ec15f7b143057be

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

comdlg32

advapi32

msvcp140

vcruntime140_1

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-multibyte-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

Sections

.text Size: 43KB - Virtual size: 43KB

.rdata Size: 17KB - Virtual size: 16KB

.data Size: 1KB - Virtual size: 2KB

.pdata Size: 3KB - Virtual size: 2KB

.rsrc Size: 13KB - Virtual size: 13KB

.reloc Size: 512B - Virtual size: 216B

38b57687f8938d32e26add9b4f7abde8

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

msvcp140

imm32

d3dcompiler_47

vcruntime140_1

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-math-l1-1-0

Sections

.text Size: 284KB - Virtual size: 284KB

.rdata Size: 70KB - Virtual size: 69KB

.data Size: 485KB - Virtual size: 486KB

.pdata Size: 12KB - Virtual size: 12KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 43KB - Virtual size: 43KB

.rdata
Size: 17KB - Virtual size: 16KB

.data
Size: 1KB - Virtual size: 2KB

.pdata
Size: 3KB - Virtual size: 2KB

.rsrc
Size: 13KB - Virtual size: 13KB

.reloc
Size: 512B - Virtual size: 216B

.text
Size: 284KB - Virtual size: 284KB

.rdata
Size: 70KB - Virtual size: 69KB

.data
Size: 485KB - Virtual size: 486KB

.pdata
Size: 12KB - Virtual size: 12KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 2KB - Virtual size: 1KB