blister | 18361400090[.]zip

Resubmissions

03-08-2024 17:24

240803-vyzv3avbqh 10

26-07-2024 19:48

240726-yjd7latfqb 10

Sharing

Copy URL

Twitter E-mail

General

Target

18361400090.zip
Size

1.9MB
MD5

412b8335629c9f631a329f3e29995fe3
SHA1

b1cc39e73c100bb874becadf6bc1206e738e4252
SHA256

8cd813676482dfdfee3dbde326d8926ca63e788ff010c40273b3bbaf941160c2
SHA512

dc5f123aa684c46a6420a1eebedb11122a8f0f104eb26e7429f6f863439b3f902ac70588d7d525750ac68a57be0fc816932f9cee787f0ac8128e9a8fd5028479
SSDEEP

49152:Y5dxqwV9w1tJvNzxpCgZiVKzNBUgUJrHOxkkyC:YrgtJkf2UpuWC

Score

10^/10

loader ransomware pyinstaller blister snakekeylogger legionlocker sodinokibi cobaltstrike

Malware Config

Signatures

Blister family
blister
Cobaltstrike family
cobaltstrike

Detect Blister loader x32 1 IoCs

loader

resource	yara_rule
static1/unpack001/f853f61205a1dcd0e3594d4eef4d73d7bd9f14851fdda5b023570b0291342b9c	family_blister_x32

Detected LegionLocker ransomware 1 IoCs

Sample contains strings associated with the LegionLocker family.

ransomware

resource	yara_rule
static1/unpack001/f853f61205a1dcd0e3594d4eef4d73d7bd9f14851fdda5b023570b0291342b9c	family_legionlocker

Legionlocker family
legionlocker

Snake Keylogger payload 1 IoCs

resource	yara_rule
static1/unpack001/f853f61205a1dcd0e3594d4eef4d73d7bd9f14851fdda5b023570b0291342b9c	family_snakekeylogger

Snakekeylogger family
snakekeylogger
Sodinokibi family
sodinokibi

Sodinokibi/Revil sample 1 IoCs

resource	yara_rule
static1/unpack001/f853f61205a1dcd0e3594d4eef4d73d7bd9f14851fdda5b023570b0291342b9c	family_sodinokobi

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
static1/unpack001/f853f61205a1dcd0e3594d4eef4d73d7bd9f14851fdda5b023570b0291342b9c	pyinstaller

Files

18361400090.zip
.zip

Password: infected
f853f61205a1dcd0e3594d4eef4d73d7bd9f14851fdda5b023570b0291342b9c
.exe windows:6 windows x64 arch:x64

f13c39f97e458850b8019fa8d4e1a916

Code Sign

33:00:00:05:4e:12:b9:0a:00:7b:12:49:99:00:00:00:00:05:4e
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2023 19:50

Not After

16-10-2024 19:50

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06-07-2010 20:40

Not After

06-07-2025 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1c:08:2e:dc:8a:ea:f4:08:7e:8b:ff:de:5a:d9:82:be:42:21:4a:eb:de:0f:ad:2c:2b:29:8e:db:67:e6:4b:c8
Signer

Actual PE Digest

1c:08:2e:dc:8a:ea:f4:08:7e:8b:ff:de:5a:d9:82:be:42:21:4a:eb:de:0f:ad:2c:2b:29:8e:db:67:e6:4b:c8

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\dbs\sh\odct\0521_205857_1\client\onedrive\Product\UX\Exe\obj\amd64\OneDrive.pdb

Imports

kernel32

GetFileSizeEx
GetFileType
GetFinalPathNameByHandleW
GetVolumePathNameW
ReadFile
RemoveDirectoryW
SetFileAttributesW
SetFileInformationByHandle
SetFilePointer
GetCompressedFileSizeW
FindFirstFileNameW
IsDebuggerPresent
SetHandleInformation
CreatePipe
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
DeviceIoControl
IsWow64Process
LoadLibraryExW
GlobalAlloc
GlobalUnlock
GlobalLock
GlobalFree
ReadDirectoryChangesW
CreateSymbolicLinkW
CompareStringOrdinal
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
GetProcessIoCounters
GetPrivateProfileStringW
WritePrivateProfileStringW
CopyFileW
MoveFileExW
ReplaceFileW
GetComputerNameW
RegisterApplicationRestart
GetFileInformationByHandleEx
OpenFileById
GetDllDirectoryW
WriteConsoleW
ReadConsoleW
SetEndOfFile
GetConsoleMode
GetConsoleOutputCP
FlushFileBuffers
SetFilePointerEx
SetStdHandle
GetFileSize
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
FindNextFileW
FindFirstFileExW
GetOEMCP
GetACP
IsValidCodePage
GetTimeZoneInformation
EnumSystemLocalesW
IsValidLocale
GetLocaleInfoW
GetFileInformationByHandle
GetFileAttributesExW
GetFileAttributesW
GetDiskFreeSpaceExW
FindVolumeClose
FindNextVolumeW
FindFirstVolumeW
CreateFileW
CreateDirectoryW
SetThreadInformation
GetSystemTimes
SetProcessShutdownParameters
GetExitCodeProcess
GetProcessTimes
WaitForMultipleObjects
CreateEventW
ReleaseMutex
GetLongPathNameW
SetLastError
VerifyVersionInfoW
GetProductInfo
VerSetConditionMask
ExpandEnvironmentStringsW
GetEnvironmentVariableW
GetCommandLineW
K32GetModuleFileNameExW
GetUserDefaultLCID
GetUserGeoID
LCIDToLocaleName
SystemTimeToFileTime
MoveFileW
LocalAlloc
GetModuleFileNameW
GetVersionExW
GetSystemTimeAsFileTime
GetSystemTime
OpenProcess
TerminateProcess
GetCurrentProcess
CreateMutexW
WaitForSingleObject
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
FindFirstFileW
FindClose
InitializeCriticalSectionEx
DeleteFileW
LCMapStringW
WideCharToMultiByte
MultiByteToWideChar
CloseHandle
CreateProcessW
GetCurrentProcessId
FreeLibrary
GetProcAddress
LoadLibraryW
SetDllDirectoryW
CompareStringW
GetTimeFormatW
GetDateFormatW
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
WriteFile
GetStdHandle
ExitProcess
GetModuleHandleExW
FreeLibraryAndExitThread
ResumeThread
ExitThread
CreateThread
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
RtlPcToFileHeader
RtlUnwindEx
InitializeSListHead
GetCurrentThreadId
QueryPerformanceCounter
GetStartupInfoW
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
Sleep
LocalFree
DeleteCriticalSection
DecodePointer
GetLastError
SetEnvironmentVariableW
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetModuleHandleW
WaitForSingleObjectEx
ResetEvent
SetEvent
InitializeCriticalSectionAndSpinCount
GetCPInfo
CompareStringEx
LCMapStringEx
EncodePointer
GetLocaleInfoEx
GetStringTypeW
LeaveCriticalSection
EnterCriticalSection
RaiseException
OutputDebugStringW

user32

RegisterClipboardFormatW
PostMessageW
EnumWindows
GetClassNameW
GetWindowThreadProcessId
SystemParametersInfoW
SendMessageTimeoutW
GetMessageW
TranslateMessage
DispatchMessageW
RegisterPowerSettingNotification
UnregisterPowerSettingNotification
RegisterClassW
SetClipboardData
CloseClipboard
OpenClipboard
CreateWindowExW
DestroyWindow
ShowWindow

advapi32

RegisterServiceCtrlHandlerW
AdjustTokenPrivileges
CreateProcessWithTokenW
GetUserNameW
SetFileSecurityW
ConvertSidToStringSidW
SetNamedSecurityInfoW
GetNamedSecurityInfoW
SetEntriesInAclW
StartServiceW
StartServiceCtrlDispatcherW
SetServiceStatus
QueryServiceStatusEx
QueryServiceStatus
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
DeleteService
CreateServiceW
ControlService
CloseServiceHandle
ChangeServiceConfig2W
ChangeServiceConfigW
RegDeleteTreeW
RegUnLoadKeyW
RegLoadKeyW
RegEnumKeyW
RegDeleteKeyExW
RegCreateKeyTransactedW
GetAclInformation
FreeSid
DuplicateTokenEx
CreateWellKnownSid
AllocateAndInitializeSid
CreateProcessAsUserW
ConvertStringSecurityDescriptorToSecurityDescriptorW
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextW
RegGetValueW
RegSetKeyValueW
RegSetValueExW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumValueW
RegEnumKeyExW
RegDeleteValueW
RegCreateKeyExW
RegCloseKey
LookupPrivilegeValueW
GetTokenInformation
OpenProcessToken

shell32

CommandLineToArgvW
SHFileOperationW
SHGetSpecialFolderPathW
SHGetKnownFolderPath
SHChangeNotify
SHParseDisplayName
ShellExecuteExW
SHCreateItemFromParsingName
SHAssocEnumHandlers
SHCreateDirectoryExW
SHGetFolderPathW
SHGetFolderPathAndSubDirW
SHSetKnownFolderPath
ord526

ole32

CoInitialize
CoInitializeSecurity
CoUninitialize
StringFromCLSID
CoTaskMemFree
CoCreateInstance
StringFromGUID2
CreateBindCtx
CoCreateGuid
CoInitializeEx
CoSetProxyBlanket
CreateItemMoniker
GetRunningObjectTable

oleaut32

LoadTypeLi
LoadRegTypeLi
GetRecordInfoFromTypeInfo

crypt32

CertFindExtension
CryptStringToBinaryW
CryptBinaryToStringW

rpcrt4

RpcBindingFree
RpcBindingFromStringBindingW
RpcBindingVectorFree
RpcStringBindingComposeW
RpcStringFreeW
RpcServerInqBindings
RpcServerRegisterIfEx
RpcServerUnregisterIf
RpcServerUseProtseqW
RpcBindingSetAuthInfoExW
RpcEpRegisterW
RpcEpUnregister
RpcServerInqCallAttributesW

secur32

GetUserNameExW

shlwapi

PathStripPathW
PathIsDirectoryW
PathFileExistsW
PathIsDirectoryEmptyW
PathRemoveFileSpecW
StrStrIW
SHCreateStreamOnFileW
AssocQueryStringW
SHRegGetBoolUSValueW
SHRegGetPathW
SHRegGetValueW
SHSetValueW
SHGetValueA
SHDeleteValueW
SHDeleteKeyW
PathIsPrefixW
SHRegGetUSValueW
SHGetValueW

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

wininet

InternetCheckConnectionW
InternetCanonicalizeUrlW

wtsapi32

WTSQuerySessionInformationW
WTSFreeMemory
WTSQueryUserToken
WTSEnumerateSessionsW

userenv

CreateEnvironmentBlock
GetDefaultUserProfileDirectoryW

Sections

.text
Size: 648KB - Virtual size: 647KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 196KB - Virtual size: 196KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 17KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2.8MB - Virtual size: 2.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

Password: infected

f13c39f97e458850b8019fa8d4e1a916

Code Sign

33:00:00:05:4e:12:b9:0a:00:7b:12:49:99:00:00:00:00:05:4eCertificate

Extended Key Usages

61:0c:52:4c:00:00:00:00:00:03Certificate

Key Usages

1c:08:2e:dc:8a:ea:f4:08:7e:8b:ff:de:5a:d9:82:be:42:21:4a:eb:de:0f:ad:2c:2b:29:8e:db:67:e6:4b:c8Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

ole32

oleaut32

crypt32

rpcrt4

secur32

shlwapi

version

wininet

wtsapi32

userenv

Sections

.text Size: 648KB - Virtual size: 647KB

.rdata Size: 196KB - Virtual size: 196KB

.data Size: 17KB - Virtual size: 28KB

.pdata Size: 28KB - Virtual size: 28KB

_RDATA Size: 512B - Virtual size: 348B

.rsrc Size: 2.8MB - Virtual size: 2.8MB

.reloc Size: 6KB - Virtual size: 6KB

33:00:00:05:4e:12:b9:0a:00:7b:12:49:99:00:00:00:00:05:4e
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

1c:08:2e:dc:8a:ea:f4:08:7e:8b:ff:de:5a:d9:82:be:42:21:4a:eb:de:0f:ad:2c:2b:29:8e:db:67:e6:4b:c8
Signer

.text
Size: 648KB - Virtual size: 647KB

.rdata
Size: 196KB - Virtual size: 196KB

.data
Size: 17KB - Virtual size: 28KB

.pdata
Size: 28KB - Virtual size: 28KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 2.8MB - Virtual size: 2.8MB

.reloc
Size: 6KB - Virtual size: 6KB