fck[.]rar | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

fck.rar
Size

67KB
MD5

5691e82f5952343aaf466702a99a0b43
SHA1

9dc065d0c731c4ca5e76b9a3d6a4d1ae20a2a1ec
SHA256

11c85b49fe301a079843363a2b89c02211b8465fdc4f29ac2d0f71ecf7c0a662
SHA512

a9b6a376cd795b2f8a37165b0f0b31d7cdb91fc96f652937b58a6148ee07c6710d895a7c85e40dad074579dd587a1e79a7cd7b69bec2986a6e2418ab0aef0b98
SSDEEP

1536:g8tYM3LVlqGZ8RpPIfO/9opmFb3jAqqP/XoKklkkX2w63ROE4MCrVq3Jqky:g82ALVlTKJIfO1YUDj5CYSdwgBRCrsZ4

Score

3^/10

Malware Config

Signatures

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Taker
unpack001/icacls
unpack001/takeown

Files

fck.rar
.rar
Taker
.exe windows:4 windows x86 arch:x86

db509f0d296d268770c3b20bf5581bd7

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

memset
strncmp
memmove
strncpy
strstr
_strnicmp
_stricmp
strlen
strcmp
memcpy
sprintf
fabs
ceil
malloc
floor
free
fclose
strcpy
tolower

kernel32

GetModuleHandleA
HeapCreate
GetCommandLineA
RemoveDirectoryA
GetTempFileNameA
GetShortPathNameA
GetWindowsDirectoryA
GetSystemDirectoryA
HeapDestroy
ExitProcess
GetExitCodeProcess
GetNativeSystemInfo
FindResourceA
LoadResource
SizeofResource
HeapAlloc
HeapFree
Sleep
LoadLibraryA
GetProcAddress
FreeLibrary
GetCurrentThreadId
GetCurrentProcessId
CloseHandle
InitializeCriticalSection
GetModuleFileNameA
GetEnvironmentVariableA
SetEnvironmentVariableA
CreateFileA
ReadFile
WriteFile
SetFilePointer
DeleteFileA
GetFileSize
HeapReAlloc
GetCurrentProcess
TerminateProcess
SetUnhandledExceptionFilter
EnterCriticalSection
LeaveCriticalSection
GetVersionExA
SetLastError
HeapSize
TlsAlloc
GetCurrentDirectoryA
SetCurrentDirectoryA
GetTempPathA
SetFileAttributesA
CreateDirectoryA
DeleteCriticalSection
MultiByteToWideChar
WideCharToMultiByte

user32

CharUpperA
CharLowerA
MessageBoxA
SendMessageA
PostMessageA
GetWindowThreadProcessId
IsWindowVisible
GetWindowLongA
GetForegroundWindow
IsWindowEnabled
EnableWindow
EnumWindows
SetWindowPos
DestroyWindow
GetDC
GetWindowTextLengthA
GetWindowTextA
SetRect
DrawTextA
GetSystemMetrics
ReleaseDC
GetSysColor
GetSysColorBrush
CreateWindowExA
CallWindowProcA
SetWindowLongA
SetFocus
RedrawWindow
RemovePropA
DefWindowProcA
SetPropA
GetParent
GetPropA
GetWindow
SetActiveWindow
UnregisterClassA
DestroyAcceleratorTable
LoadIconA
LoadCursorA
RegisterClassA
AdjustWindowRectEx
ShowWindow
CreateAcceleratorTableA
PeekMessageA
MsgWaitForMultipleObjects
GetMessageA
GetActiveWindow
TranslateAcceleratorA
TranslateMessage
DispatchMessageA
GetFocus
GetClientRect
FillRect
EnumChildWindows
DefFrameProcA
GetWindowRect
IsChild
GetClassNameA
GetKeyState
DestroyIcon
RegisterWindowMessageA

gdi32

GetStockObject
SelectObject
SetBkColor
SetTextColor
GetTextExtentPoint32A
CreateSolidBrush
DeleteObject
GetObjectA
CreateCompatibleDC
GetDIBits
DeleteDC
GetObjectType
CreateDIBSection
BitBlt
CreateBitmap
SetPixel

comctl32

InitCommonControlsEx

ole32

CoInitialize
CoTaskMemFree
RevokeDragDrop

shell32

ShellExecuteExA

winmm

timeBeginPeriod

shlwapi

PathQuoteSpacesA
PathGetArgsA
PathAddBackslashA
PathRenameExtensionA
PathUnquoteSpacesA

Sections

.code
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text
Size: 45KB - Virtual size: 44KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
icacls
.exe windows:6 windows x86 arch:x86

a4b760a1a7f466099eaa530f2cc4ef63

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

icacls.pdb

Imports

advapi32

GetLengthSid
DeleteAce
EqualSid
AddAce
InitializeAcl
SetSecurityInfo
SetSecurityAccessMask
IsValidAcl
GetSecurityInfo
GetSecurityDescriptorDacl
GetSecurityDescriptorSacl
CopySid
ConvertStringSidToSidW
LookupAccountNameW
LookupAccountSidW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
ConvertSecurityDescriptorToStringSecurityDescriptorW
GetSecurityDescriptorControl
ConvertStringSecurityDescriptorToSecurityDescriptorW

kernel32

GetConsoleMode
GetFileType
LocalFree
WriteFile
WideCharToMultiByte
LocalAlloc
WriteConsoleW
GetLastError
FormatMessageW
SetLastError
CloseHandle
GetFinalPathNameByHandleW
LocalSize
GetCurrentProcess
FindClose
FindNextFileW
FindFirstFileW
GetFileAttributesW
HeapSetInformation
SetThreadPreferredUILanguages
GetStdHandle
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
UnhandledExceptionFilter
GetModuleHandleA
SetUnhandledExceptionFilter
InterlockedCompareExchange
Sleep
InterlockedExchange

msvcrt

_local_unwind4
fgetwc
wcsrchr
wcschr
wcsncpy_s
_wcsdup
fputws
fclose
_wperror
_wfopen
feof
_ultow
_wcsicmp
__wgetmainargs
_cexit
_exit
_XcptFilter
exit
_initterm
_amsg_exit
__setusermatherr
__p__commode
__p__fmode
__set_app_type
_except_handler4_common
?terminate@@YAXXZ
_controlfp
calloc
wcscpy_s
wcscat_s
_wcsnicmp
memcpy
realloc
malloc
printf
free
swprintf_s

ntdll

RtlFreeHeap
RtlReleaseRelativeName
NtClose
NtQueryInformationFile
NtOpenFile
RtlDosPathNameToRelativeNtPathName_U
RtlNtStatusToDosError

Sections

.text
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
takeown
.exe windows:6 windows x86 arch:x86

06aaa17a234d9e965a577c00e3874cba

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

takeown.pdb

Imports

advapi32

OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueW
SetFileSecurityW
SetSecurityDescriptorOwner
SetSecurityDescriptorDacl
GetSecurityInfo
InitializeSecurityDescriptor
GetTokenInformation
AddAce
InitializeAcl
GetLengthSid
GetAclInformation
GetSecurityDescriptorDacl
GetFileSecurityW
FreeSid
LookupAccountNameW
AllocateAndInitializeSid
CheckTokenMembership

kernel32

CloseHandle
OpenProcess
GetCurrentProcessId
GetLastError
GetComputerNameW
LocalFree
CreateFileW
GetVolumeInformationW
GetVolumePathNameW
FindClose
FindNextFileW
FindFirstFileW
GetCurrentDirectoryW
ReadFile
FlushConsoleInputBuffer
SetConsoleMode
GetConsoleMode
GetStdHandle
GetFileAttributesW
GetFullPathNameW
HeapSetInformation
SetThreadUILanguage
SetLastError
GetComputerNameExW
GetModuleFileNameW
ReadConsoleW
WriteConsoleW
ExitProcess
GetConsoleOutputCP
HeapReAlloc
HeapFree
HeapSize
HeapAlloc
GetProcessHeap
HeapValidate
WideCharToMultiByte
MultiByteToWideChar
CompareStringA
GetThreadLocale
CompareStringW
lstrlenW
lstrlenA
GetFileType
VerSetConditionMask
VerifyVersionInfoW
FormatMessageW
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
InterlockedExchange
Sleep
InterlockedCompareExchange
SetUnhandledExceptionFilter
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetModuleHandleA

msvcrt

_controlfp
_except_handler4_common
?terminate@@YAXXZ
__set_app_type
__p__fmode
__p__commode
__setusermatherr
_amsg_exit
_initterm
exit
_XcptFilter
_exit
_cexit
__wgetmainargs
wcsrchr
wcspbrk
_wcsicmp
memcpy
memset
wcstok
_iob
_vsnwprintf
_memicmp
_get_osfhandle
_errno
_fileno
toupper
fflush
fprintf
__iob_func
wcstod
wcstoul
wcstol

user32

CharUpperW
LoadStringW

mpr

WNetCancelConnection2W
WNetGetLastErrorW
WNetAddConnection2W

secur32

GetUserNameExW

ws2_32

WSACleanup
GetAddrInfoW
WSAGetLastError
FreeAddrInfoW
GetNameInfoW
WSAStartup

shlwapi

StrStrIW
StrChrW
StrStrW
StrChrIW

netapi32

NetApiBufferFree
NetServerGetInfo

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

Sections

.text
Size: 43KB - Virtual size: 43KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

db509f0d296d268770c3b20bf5581bd7

Headers

File Characteristics

Imports

msvcrt

kernel32

user32

gdi32

comctl32

ole32

shell32

winmm

shlwapi

Sections

.code Size: 13KB - Virtual size: 12KB

.text Size: 45KB - Virtual size: 44KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 5KB - Virtual size: 7KB

.rsrc Size: 1KB - Virtual size: 1KB

a4b760a1a7f466099eaa530f2cc4ef63

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

msvcrt

ntdll

Sections

.text Size: 21KB - Virtual size: 20KB

.data Size: 1024B - Virtual size: 1KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 1KB - Virtual size: 1KB

06aaa17a234d9e965a577c00e3874cba

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

msvcrt

user32

mpr

secur32

ws2_32

shlwapi

netapi32

version

Sections

.text Size: 43KB - Virtual size: 43KB

.data Size: 512B - Virtual size: 1KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 2KB - Virtual size: 2KB

.code
Size: 13KB - Virtual size: 12KB

.text
Size: 45KB - Virtual size: 44KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 5KB - Virtual size: 7KB

.rsrc
Size: 1KB - Virtual size: 1KB

.text
Size: 21KB - Virtual size: 20KB

.data
Size: 1024B - Virtual size: 1KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 1KB - Virtual size: 1KB

.text
Size: 43KB - Virtual size: 43KB

.data
Size: 512B - Virtual size: 1KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 2KB - Virtual size: 2KB