hodur[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

hodur.zip
Size

898KB
MD5

79a24694b2595bb769b7d8572665cb22
SHA1

ef2c3c78e30ee24a60c0fbbf123af0a14bbb80d5
SHA256

74b78d9eab6950cbd1da3da70d85555d566af2e5485cd6ae94bdcb097f870946
SHA512

01d08a7719f9b93d5c48e3d73b04820f433cccb4b29cfa9e3f10918694b65539436f4d57d9dc3f6da7f6d74e63da5c8d83c76e83b8736f88b842bb38b0342b83
SSDEEP

24576:1KoTfCdvCngrlLvrMq/LTyxzQmj9C4+J69N374TyCotji:MoTfCpCngrJ/Hyxzxjw69N3c2Co9i

Score

1^/10

Malware Config

Signatures

Files

hodur.zip
.zip
NoteLogger.dat
OneNoteM.exe
.exe windows:4 windows x86 arch:x86

20e222dbe9e50239ed495e9ab93f75a1

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

22/08/2007, 22:31

Not After

25/08/2012, 07:00

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:06:27:81:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/10/2008, 21:24

Not After

22/01/2010, 21:34

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16/09/2006, 01:04

Not After

15/09/2019, 07:00

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:05:a2:30:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

25/07/2008, 19:01

Not After

25/07/2013, 19:11

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:85D3-305C-5BCF,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

40:0b:59:fa:6a:ec:0c:bc:cf:d1:25:01:d0:16:6e:e7:dc:18:47:86
Signer

Actual PE Digest

40:0b:59:fa:6a:ec:0c:bc:cf:d1:25:01:d0:16:6e:e7:dc:18:47:86

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

t:\onenote\x86\ship\0\onenotem.pdb

Imports

kernel32

SetProcessWorkingSetSize
GetCurrentProcess
HeapCompact
GetProcessHeap
CloseHandle
CreateProcessW
FreeLibrary
GetProcAddress
LoadLibraryW
GetLastError
CreateFileMappingW
GlobalLock
GlobalUnlock
GlobalFree
GlobalAlloc
GetModuleHandleW
GetVersionExW
Sleep
GetCommandLineW
GetCurrentThreadId
ReleaseMutex
UnmapViewOfFile
MapViewOfFile
WaitForSingleObject
CreateMutexW
ResumeThread
CreateThread
CompareStringW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
CreateProcessA
LoadLibraryA
LocalAlloc
RaiseException
FoldStringW
GetLocaleInfoW
GetStringTypeW
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetStartupInfoA
InterlockedCompareExchange
InterlockedExchange
HeapAlloc
HeapFree
GetTempPathA
GetTempFileNameA
VirtualProtect

user32

PostMessageA
PostThreadMessageA
IsWindow
CreatePopupMenu
AppendMenuW
EnableMenuItem
SetMenuDefaultItem
CheckMenuItem
GetCursorPos
TrackPopupMenu
DestroyMenu
SendMessageW
RedrawWindow
EnumDisplayMonitors
FillRect
SetForegroundWindow
SetFocus
SetCapture
SetRectEmpty
DefWindowProcW
LoadCursorW
SetCursor
RegisterWindowMessageW
LoadIconW
RegisterClassExW
CreateWindowExW
GetDC
OpenClipboard
EmptyClipboard
RegisterClipboardFormatW
SetClipboardData
CloseClipboard
ReleaseDC
ShowWindow
WindowFromPoint
IsChild
LoadImageW
RegisterHotKey
GetMessageW
DispatchMessageW
TranslateMessage
UnregisterHotKey
MessageBoxW
InvalidateRect
SetRect
DestroyWindow
PostQuitMessage
IsRectEmpty
GetSysColorBrush
FrameRect
InflateRect
BeginPaint
EndPaint
UnionRect
LoadStringW
PostMessageW
SystemParametersInfoW

msvcr80

memmove
memcpy
_controlfp_s
_invoke_watson
_except_handler4_common
_crt_debugger_hook
_decode_pointer
_onexit
_lock
__dllonexit
_unlock
?terminate@@YAXXZ
__set_app_type
memset
__CxxFrameHandler3
wcscat_s
wcscpy_s
_CxxThrowException
wcsrchr
vswprintf_s
vsprintf_s
fclose
fwprintf_s
fopen_s
_amsg_exit
__getmainargs
_cexit
_exit
_XcptFilter
_ismbblead
exit
_acmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
_encode_pointer
?_type_info_dtor_internal_method@type_info@@QAEXXZ

Sections

.text
Size: 37KB - Virtual size: 37KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 47KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
msi.dll
.dll windows:4 windows x86 arch:x86

7229e66998f7350647a7c5f1bae2687d

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

22/08/2007, 22:31

Not After

25/08/2012, 07:00

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:06:27:81:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/10/2008, 21:24

Not After

22/01/2010, 21:34

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16/09/2006, 01:04

Not After

15/09/2019, 07:00

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:05:a2:30:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

25/07/2008, 19:01

Not After

25/07/2013, 19:11

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:85D3-305C-5BCF,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

6d:4c:7c:a2:92:45:b8:df:f9:a8:cf:7f:74:37:5f:51:58:c6:76:b1
Signer

Actual PE Digest

6d:4c:7c:a2:92:45:b8:df:f9:a8:cf:7f:74:37:5f:51:58:c6:76:b1

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

kernel32

DeleteCriticalSection
EnterCriticalSection
FreeLibrary
GetLastError
GetModuleHandleA
GetModuleHandleW
GetProcAddress
InitializeCriticalSection
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryA
MultiByteToWideChar
Sleep
TlsGetValue
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WideCharToMultiByte

msvcrt

__mb_cur_max
_amsg_exit
_errno
_fileno
_initterm
_iob
_lock
_setjmp3
_setmode
_unlock
abort
atoi
calloc
exit
fflush
fputc
free
fwrite
localeconv
longjmp
malloc
memcmp
memcpy
memset
realloc
setlocale
signal
strchr
strerror
strlen
strncmp
vfprintf
wcslen

Exports

Exports

DllMain@12
MsiProvideQualifiedComponentW
NimMain

Sections

.text
Size: 55KB - Virtual size: 54KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 200B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.eh_fram
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 37KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 127B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 548B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

20e222dbe9e50239ed495e9ab93f75a1

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0Certificate

Extended Key Usages

Key Usages

61:06:27:81:00:00:00:00:00:08Certificate

Extended Key Usages

Key Usages

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2Certificate

Extended Key Usages

Key Usages

61:05:a2:30:00:00:00:00:00:08Certificate

Extended Key Usages

Key Usages

40:0b:59:fa:6a:ec:0c:bc:cf:d1:25:01:d0:16:6e:e7:dc:18:47:86Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

msvcr80

Sections

.text Size: 37KB - Virtual size: 37KB

.data Size: 1024B - Virtual size: 2KB

.rsrc Size: 47KB - Virtual size: 46KB

.reloc Size: 3KB - Virtual size: 2KB

7229e66998f7350647a7c5f1bae2687d

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0Certificate

Extended Key Usages

Key Usages

61:06:27:81:00:00:00:00:00:08Certificate

Extended Key Usages

Key Usages

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2Certificate

Extended Key Usages

Key Usages

61:05:a2:30:00:00:00:00:00:08Certificate

Extended Key Usages

Key Usages

6d:4c:7c:a2:92:45:b8:df:f9:a8:cf:7f:74:37:5f:51:58:c6:76:b1Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

msvcrt

Exports

Exports

Sections

.text Size: 55KB - Virtual size: 54KB

.data Size: 512B - Virtual size: 200B

.rdata Size: 6KB - Virtual size: 5KB

.eh_fram Size: 13KB - Virtual size: 13KB

.bss Size: - Virtual size: 37KB

.edata Size: 512B - Virtual size: 127B

.idata Size: 1KB - Virtual size: 1KB

.CRT Size: 512B - Virtual size: 44B

.tls Size: 512B - Virtual size: 8B

.rsrc Size: 1024B - Virtual size: 548B

.reloc Size: 2KB - Virtual size: 2KB

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

61:06:27:81:00:00:00:00:00:08
Certificate

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

61:05:a2:30:00:00:00:00:00:08
Certificate

40:0b:59:fa:6a:ec:0c:bc:cf:d1:25:01:d0:16:6e:e7:dc:18:47:86
Signer

.text
Size: 37KB - Virtual size: 37KB

.data
Size: 1024B - Virtual size: 2KB

.rsrc
Size: 47KB - Virtual size: 46KB

.reloc
Size: 3KB - Virtual size: 2KB

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

61:06:27:81:00:00:00:00:00:08
Certificate

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

61:05:a2:30:00:00:00:00:00:08
Certificate

6d:4c:7c:a2:92:45:b8:df:f9:a8:cf:7f:74:37:5f:51:58:c6:76:b1
Signer

.text
Size: 55KB - Virtual size: 54KB

.data
Size: 512B - Virtual size: 200B

.rdata
Size: 6KB - Virtual size: 5KB

.eh_fram
Size: 13KB - Virtual size: 13KB

.bss
Size: - Virtual size: 37KB

.edata
Size: 512B - Virtual size: 127B

.idata
Size: 1KB - Virtual size: 1KB

.CRT
Size: 512B - Virtual size: 44B

.tls
Size: 512B - Virtual size: 8B

.rsrc
Size: 1024B - Virtual size: 548B

.reloc
Size: 2KB - Virtual size: 2KB