c6654eff5d8f413e54ede205dff909db5c82f28c887b71e53e7555fe00ce86fd[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

c6654eff5d8f413e54ede205dff909db5c82f28c887b71e53e7555fe00ce86fd.zip
Size

9.6MB
MD5

da41eafb85f998baa214c311881f4ef8
SHA1

1962e0f8559c0e718fca6df077d775e1fc871b63
SHA256

6fcc311c9e4350a71eec91b0d6adf305ec9f6878746866d8d2804ce1d971f71b
SHA512

b8789122c574f96d5417e3e1109f99b5a20ac2db22a05c4aa02ff6b04a50fb6c030fa70b274497bd90bec7a9ec43835cdd9698a29dc5e49a94fb0cceff2b0c11
SSDEEP

196608:lfPkeEwfA3B+PWrfwMuXxOA9qOdY00bbbhhCau9zgE1Wrl53SUHLOwcWjW:x9EwXawFXxOA9MHpu9zXWLvOwS

Score

5^/10

Malware Config

Signatures

Detect suspicious telegram bot 1 IoCs

Detect suspicious telegram bot.

resource	yara_rule
static1/unpack001/c6654eff5d8f413e54ede205dff909db5c82f28c887b71e53e7555fe00ce86fd	suspicious_telegram_bot

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/c6654eff5d8f413e54ede205dff909db5c82f28c887b71e53e7555fe00ce86fd

Files

c6654eff5d8f413e54ede205dff909db5c82f28c887b71e53e7555fe00ce86fd.zip
.zip

Password: infected
c6654eff5d8f413e54ede205dff909db5c82f28c887b71e53e7555fe00ce86fd
.exe windows:4 windows x64 arch:x64

Password: infected

25d6626451558b65aa64c702ae85326f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

RaiseException
RtlUnwindEx
VirtualProtect
VirtualQuery
__C_specific_handler
AddVectoredExceptionHandler
AreFileApisANSI
CancelIo
CancelIoEx
CloseHandle
CompareStringOrdinal
ConnectNamedPipe
CopyFileExW
CreateDirectoryW
CreateEventA
CreateEventW
CreateFileA
CreateFileMappingA
CreateFileMappingW
CreateFileW
CreateHardLinkW
CreateIoCompletionPort
CreateMutexW
CreateNamedPipeW
CreateProcessW
CreateSymbolicLinkW
CreateThread
CreateToolhelp32Snapshot
CreateWaitableTimerExW
DeleteCriticalSection
DeleteFileA
DeleteFileW
DeleteProcThreadAttributeList
DeviceIoControl
DisconnectNamedPipe
DuplicateHandle
EnterCriticalSection
ExitProcess
FileTimeToSystemTime
FindClose
FindFirstFileW
FindFirstVolumeW
FindNextFileW
FindNextVolumeW
FindVolumeClose
FlushFileBuffers
FlushViewOfFile
FormatMessageA
FormatMessageW
FreeEnvironmentStringsW
FreeLibrary
GetCommandLineW
GetComputerNameExW
GetConsoleMode
GetConsoleScreenBufferInfo
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDiskFreeSpaceA
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetDriveTypeW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetExitCodeProcess
GetFileAttributesA
GetFileAttributesExW
GetFileAttributesW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFileSize
GetFileType
GetFinalPathNameByHandleW
GetFullPathNameA
GetFullPathNameW
GetLastError
GetLogicalDrives
GetLogicalProcessorInformation
GetLogicalProcessorInformationEx
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetNamedPipeInfo
GetNativeSystemInfo
GetOverlappedResult
GetProcAddress
GetProcessHeap
GetProcessId
GetProcessIoCounters
GetProcessTimes
GetQueuedCompletionStatusEx
GetStartupInfoA
GetStdHandle
GetSystemDefaultLocaleName
GetSystemDirectoryW
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetSystemTimePreciseAsFileTime
GetSystemTimes
GetTempPathA
GetTempPathW
GetTickCount
GetTickCount64
GetTimeZoneInformationForYear
GetUserDefaultLocaleName
GetVolumeInformationW
GetVolumePathNamesForVolumeNameW
GetWindowsDirectoryW
GlobalMemoryStatusEx
HeapAlloc
HeapCompact
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HeapValidate
InitOnceBeginInitialize
InitOnceComplete
InitializeCriticalSection
InitializeProcThreadAttributeList
K32GetPerformanceInfo
LeaveCriticalSection
LoadLibraryA
LoadLibraryExA
LoadLibraryExW
LoadLibraryW
LocalAlloc
LocalFree
LockFile
LockFileEx
MapViewOfFile
Module32FirstW
Module32NextW
MoveFileExW
MultiByteToWideChar
OpenProcess
OutputDebugStringA
OutputDebugStringW
PostQueuedCompletionStatus
ProcessIdToSessionId
QueryPerformanceCounter
QueryPerformanceFrequency
ReadConsoleW
ReadFile
ReadFileEx
ReadProcessMemory
RegisterWaitForSingleObject
RemoveDirectoryW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetConsoleCtrlHandler
SetConsoleMode
SetConsoleTextAttribute
SetCurrentDirectoryW
SetEndOfFile
SetEnvironmentVariableW
SetEvent
SetFileAttributesW
SetFileCompletionNotificationModes
SetFileInformationByHandle
SetFilePointer
SetFilePointerEx
SetFileTime
SetHandleInformation
SetLastError
SetThreadStackGuarantee
SetUnhandledExceptionFilter
SetWaitableTimer
Sleep
SleepEx
SwitchToThread
SystemTimeToFileTime
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnlockFile
UnlockFileEx
UnmapViewOfFile
UpdateProcThreadAttribute
VirtualQueryEx
WaitForMultipleObjects
WaitForSingleObject
WaitForSingleObjectEx
WideCharToMultiByte
WriteConsoleW
WriteFile
WriteFileEx

msvcrt

__getmainargs
__initenv
__iob_func
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_beginthreadex
_cexit
_commode
_endthreadex
_errno
_fmode
_fpreset
_initterm
_localtime64
_onexit
abort
calloc
ceil
exit
exp
fprintf
free
fwrite
log
malloc
memcmp
memcpy
memmove
memset
pow
qsort
realloc
signal
strcmp
strcspn
strlen
strncmp
strrchr
strspn
vfprintf
wcslen

advapi32

ConvertSidToStringSidW
ConvertStringSidToSidW
CopySid
CryptAcquireContextW
CryptDestroyKey
CryptImportKey
CryptReleaseContext
GetLengthSid
GetTokenInformation
GetUserNameW
IsValidSid
LookupAccountSidW
OpenProcessToken
RegCloseKey
RegEnumKeyExW
RegEnumValueW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryValueExW
SystemFunction036

api-ms-win-core-synch-l1-2-0

WaitOnAddress
WakeByAddressAll
WakeByAddressSingle

bcrypt

BCryptGenRandom

crypt32

CertAddCertificateContextToStore
CertAddEncodedCTLToStore
CertAddEncodedCertificateToStore
CertCloseStore
CertCreateCTLEntryFromCertificateContextProperties
CertCreateCertificateContext
CertDeleteCertificateFromStore
CertDuplicateCertificateChain
CertDuplicateCertificateContext
CertDuplicateStore
CertEnumCertificatesInStore
CertFreeCTLContext
CertFreeCertificateChain
CertFreeCertificateContext
CertGetCertificateChain
CertGetCertificateContextProperty
CertGetEnhancedKeyUsage
CertOpenStore
CertSetCertificateContextProperty
CertVerifyCertificateChainPolicy
CertVerifyTimeValidity
CryptAcquireCertificatePrivateKey
CryptBinaryToStringA
CryptDecodeObjectEx
CryptEncodeObjectEx
CryptHashCertificate
CryptMsgEncodeAndSignCTL
CryptStringToBinaryA
PFXExportCertStore
PFXImportCertStore

iphlpapi

FreeMibTable
GetAdaptersAddresses
GetIfEntry2
GetIfTable2

ncrypt

NCryptFreeObject

netapi32

NetApiBufferFree
NetGroupEnum
NetGroupGetInfo
NetUserEnum
NetUserGetInfo
NetUserGetLocalGroups

ntdll

NtCancelIoFileEx
NtCreateFile
NtDeviceIoControlFile
NtQueryInformationProcess
NtQuerySystemInformation
NtReadFile
NtWriteFile
RtlGetVersion
RtlNtStatusToDosError

ole32

CoCreateGuid
CoCreateInstance
CoInitializeEx
CoInitializeSecurity
CoSetProxyBlanket
CoUninitialize

oleaut32

GetErrorInfo
SafeArrayAccessData
SafeArrayDestroy
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayUnaccessData
SetErrorInfo
SysAllocString
SysAllocStringLen
SysFreeString
SysStringLen
VariantClear

pdh

PdhAddEnglishCounterA
PdhAddEnglishCounterW
PdhCloseQuery
PdhCollectQueryData
PdhCollectQueryDataEx
PdhGetFormattedCounterValue
PdhOpenQueryA
PdhRemoveCounter

powrprof

CallNtPowerInformation

psapi

GetModuleFileNameExW
GetPerformanceInfo
GetProcessMemoryInfo

secur32

AcceptSecurityContext
AcquireCredentialsHandleA
ApplyControlToken
DecryptMessage
DeleteSecurityContext
EncryptMessage
FreeContextBuffer
FreeCredentialsHandle
GetUserNameExW
InitializeSecurityContextW
LsaEnumerateLogonSessions
LsaFreeReturnBuffer
LsaGetLogonSessionData
QueryContextAttributesW

shell32

CommandLineToArgvW

user32

GetSystemMetrics

userenv

GetUserProfileDirectoryW

ws2_32

WSACleanup
WSADuplicateSocketW
WSAGetLastError
WSAIoctl
WSAPoll
WSARecv
WSARecvFrom
WSASend
WSASendMsg
WSASendTo
WSASocketW
WSAStartup
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
getpeername
getsockname
getsockopt
ioctlsocket
listen
recv
recvfrom
select
send
sendto
setsockopt
shutdown
socket

bcryptprimitives

ProcessPrng

Sections

.text
Size: 14.4MB - Virtual size: 14.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 48KB - Virtual size: 47KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 2.7MB - Virtual size: 2.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 500KB - Virtual size: 500KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 97KB - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

25d6626451558b65aa64c702ae85326f

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

msvcrt

advapi32

api-ms-win-core-synch-l1-2-0

bcrypt

crypt32

iphlpapi

ncrypt

netapi32

ntdll

ole32

oleaut32

pdh

powrprof

psapi

secur32

shell32

user32

userenv

ws2_32

bcryptprimitives

Sections

.text Size: 14.4MB - Virtual size: 14.4MB

.data Size: 48KB - Virtual size: 47KB

.rdata Size: 2.7MB - Virtual size: 2.7MB

.pdata Size: 500KB - Virtual size: 500KB

.xdata Size: 1.2MB - Virtual size: 1.2MB

.bss Size: - Virtual size: 1KB

.idata Size: 16KB - Virtual size: 16KB

.CRT Size: 512B - Virtual size: 104B

.tls Size: 512B - Virtual size: 16B

.reloc Size: 97KB - Virtual size: 96KB

.text
Size: 14.4MB - Virtual size: 14.4MB

.data
Size: 48KB - Virtual size: 47KB

.rdata
Size: 2.7MB - Virtual size: 2.7MB

.pdata
Size: 500KB - Virtual size: 500KB

.xdata
Size: 1.2MB - Virtual size: 1.2MB

.bss
Size: - Virtual size: 1KB

.idata
Size: 16KB - Virtual size: 16KB

.CRT
Size: 512B - Virtual size: 104B

.tls
Size: 512B - Virtual size: 16B

.reloc
Size: 97KB - Virtual size: 96KB