Malz2[.]zip | Triage

Resubmissions

02-08-2024 16:33

240802-t2wr5s1eqj 10

Sharing

Copy URL

Twitter E-mail

General

Target

Malz2.zip
Size

1.2MB
MD5

654152a72f0675390037696f07a2cff0
SHA1

301b458d91f832caf71cedbb5fd58231f82c7275
SHA256

22503a27c8bd1299e67f484b0c750276323d5a97b9dd45e1da7a935fe377ec1e
SHA512

a6cdbd8a0c46e1bc4522b9feda09aadae4625ff1911ae1934ea26bc97660810f62ff76b12ff7cd84d421856e93ae9ec69906f99c99f4e9db90702ffea89924be
SSDEEP

24576:IY3DYKwClIJ26eoyo5tRTc427AHK51fLl8L+dKm/mTkLSmZQ:r3zwCMeobta8HK5hWL+dKm/mTAHQ

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
static1/unpack001/Fallen.exe	upx

Unsigned PE 8 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/1.exe
unpack001/Fallen.exe
unpack003/out.upx
unpack001/Inte.exe
unpack001/Server.exe
unpack001/hfs.exe
unpack001/hfs_1.exe
unpack001/moren.exe

Files

Malz2.zip
.zip

Password: infected
1.exe
.exe windows:4 windows x86 arch:x86

Password: 1234

e4067fd97549fe4826129912b2b7fb81

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

InitializeCriticalSection
DeleteCriticalSection
VirtualFree
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
CreateEventA
CloseHandle
WaitForSingleObject
ResetEvent
SetEvent
InterlockedExchange
CancelIo
Sleep
GetLastError
GetFileAttributesA
CreateProcessA
GetStartupInfoA
lstrcatA
GetWindowsDirectoryA
WinExec
GetProcAddress
LoadLibraryA
lstrlenA
GetVersionExA
CreateThread
lstrcpyA
TerminateThread
Process32Next
Process32First
CreateToolhelp32Snapshot
MoveFileA
DeleteFileA
HeapFree
HeapAlloc
GetProcessHeap
GlobalMemoryStatus
GetSystemInfo
OpenEventA
GetTickCount
SetErrorMode
CreateMutexA
CopyFileA
GetModuleFileNameA
GetSystemTime
GetCurrentThreadId
SetFileTime
LocalFileTimeToFileTime
SystemTimeToFileTime
WriteFile
ReadFile
GetFileSize
CreateFileA
GetSystemDirectoryA
CreatePipe
DisconnectNamedPipe
TerminateProcess
LocalFree
LocalAlloc
PeekNamedPipe
WaitForMultipleObjects
LocalSize
OpenProcess
LocalReAlloc
GetCurrentProcess
lstrcmpiA
RaiseException
FreeLibrary
GetModuleHandleA

msvcrt

ceil
_ftol
strlen
strstr
__CxxFrameHandler
memset
??2@YAPAXI@Z
memcmp
_CxxThrowException
strrchr
malloc
_iob
atoi
strncmp
strncpy
strcmp
strcat
free
_errno
exit
_except_handler3
strncat
strchr
strcpy
_beginthreadex
calloc
??1type_info@@UAE@XZ
_exit
_XcptFilter
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
memmove
memcpy
??3@YAXPAX@Z
_strnicmp
_strupr
_strcmpi

Exports

Exports

QQ841374296
hongchen
miansha
xiaoyuan

Sections

PAGE
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

eeeeeeee
Size: 416B - Virtual size: 414B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

adsss
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

vvvvvv
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc/0/360/360
.rsrc/1033/DIALOG/105
.rsrc/1033/DIALOG/106
.rsrc/1033/DIALOG/111
.rsrc/1033/DIALOG/205
.rsrc/1033/DIALOG/206
.rsrc/1033/DIALOG/211
.rsrc/1033/DIALOG/305
.rsrc/1033/DIALOG/306
.rsrc/1033/DIALOG/311
.rsrc/1033/GROUP_ICON/103
.rsrc/1033/ICON/1.ico
.rsrc/1033/ICON/2.ico
.rsrc/1033/ICON/3.ico
.rsrc/1033/ICON/4.ico
.rsrc/1033/MANIFEST/1
.xml
.rsrc/2052/version.txt
.rsrc_1
PAGE
adsss
eeeeeeee
vvvvvv
Fallen.exe
.exe windows:4 windows x86 arch:x86

Password: 1234

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 16KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX2
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Inte.exe
.exe windows:4 windows x86 arch:x86

Password: 1234

be0375efa131919229a0d4c3b42f1c53

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetCurrentThread
SetPriorityClass
GetCurrentProcess
lstrcatA
lstrcpyA
GetEnvironmentVariableA
GetShortPathNameA
GetModuleFileNameA
SetThreadPriority
GetLastError
CreateMutexA
lstrlenA
CopyFileA
GetSystemDirectoryA
CompareStringW
CompareStringA
CreateProcessA
ResumeThread
WaitForSingleObject
CloseHandle
GetTempPathA
LoadLibraryA
GetProcAddress
WinExec
CreateThread
GetCurrentProcessId
GetTickCount
Sleep
ExitProcess
ExitThread
LCMapStringW
LCMapStringA
SetStdHandle
GetOEMCP
GetACP
GetCPInfo
GetStringTypeW
GetStringTypeA
MultiByteToWideChar
FlushFileBuffers
SetEnvironmentVariableA
HeapReAlloc
VirtualAlloc
SetFilePointer
WriteFile
HeapFree
VirtualFree
HeapCreate
HeapDestroy
GetVersionExA
GetEnvironmentStringsW
GetEnvironmentStrings
RtlUnwind
GetTimeZoneInformation
GetSystemTime
GetLocalTime
TerminateProcess
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
SetHandleCount
GetStdHandle
GetFileType
HeapAlloc
WideCharToMultiByte
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW

user32

wsprintfA

advapi32

CreateServiceA
OpenServiceA
StartServiceA
RegSetValueExA
CloseServiceHandle
StartServiceCtrlDispatcherA
RegisterServiceCtrlHandlerA
SetServiceStatus
RegOpenKeyExA
RegOpenKeyA
RegQueryValueExA
RegCloseKey
OpenSCManagerA

ws2_32

select
__WSAFDIsSet
recv
WSAIoctl
gethostname
inet_ntoa
socket
connect
send
WSAStartup
WSAGetLastError
setsockopt
htons
htonl
sendto
closesocket
WSACleanup
inet_addr
gethostbyname
WSASocketA

iphlpapi

GetIfTable

Sections

.text
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
LX64
.elf linux x86
Server.exe
.exe windows:4 windows x86 arch:x86

Password: 1234

2f42d9bf2e4bd6a55ae0fba78a741ee5

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

inet_addr
inet_ntoa
gethostname
closesocket
sendto
htonl
htons
setsockopt
WSAGetLastError
WSASocketA
select
__WSAFDIsSet
recv
WSAIoctl
connect
send
socket
WSAStartup
gethostbyname

pdh

PdhAddCounterA
PdhCollectQueryData
PdhGetFormattedCounterValue
PdhEnumObjectItemsA
PdhOpenQueryA
PdhCloseQuery

iphlpapi

GetAdaptersInfo
GetIfTable

user32

wsprintfA

advapi32

CreateServiceA
OpenServiceA
StartServiceA
RegSetValueExA
CloseServiceHandle
RegOpenKeyExA
StartServiceCtrlDispatcherA
RegisterServiceCtrlHandlerA
SetServiceStatus
RegOpenKeyA
RegQueryValueExA
RegCloseKey
OpenSCManagerA

kernel32

GetStringTypeA
MultiByteToWideChar
FlushFileBuffers
SetFilePointer
SetUnhandledExceptionFilter
WriteFile
GetEnvironmentStringsW
GetEnvironmentStrings
GetStringTypeW
FreeEnvironmentStringsW
FreeEnvironmentStringsA
UnhandledExceptionFilter
HeapSize
IsBadWritePtr
HeapReAlloc
VirtualAlloc
VirtualFree
HeapCreate
IsBadReadPtr
IsBadCodePtr
GetCPInfo
GetACP
GetOEMCP
SetStdHandle
LCMapStringA
LCMapStringW
CompareStringA
CompareStringW
SetEnvironmentVariableA
WideCharToMultiByte
SetPriorityClass
GetTickCount
GetLocalTime
Sleep
ExitThread
GetCurrentProcessId
GetLastError
GetSystemTimes
GetVersionExA
CreateThread
WinExec
GetProcAddress
GetTempPathA
LoadLibraryA
ResumeThread
CreateProcessA
SetThreadPriority
GetCurrentThread
GetCurrentProcess
lstrcatA
lstrcpyA
GetEnvironmentVariableA
GetShortPathNameA
GetModuleFileNameA
SetFileAttributesA
GetWindowsDirectoryA
CloseHandle
WaitForSingleObject
ExitProcess
CreateMutexA
lstrlenA
CopyFileA
RtlUnwind
GetTimeZoneInformation
GetSystemTime
GetSystemTimeAsFileTime
HeapFree
HeapAlloc
CreateDirectoryA
TerminateProcess
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersion
RaiseException
SetHandleCount
GetStdHandle
GetFileType
HeapDestroy

Sections

.text
Size: 64KB - Virtual size: 62KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.sxdata
Size: 4KB - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
hfs.exe
.exe windows:4 windows x86 arch:x86

Password: 1234

360ea2f619fcb0363e7f11284453b54f

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

HeapAlloc
GetProcessHeap
VirtualAlloc
Sleep
VirtualProtect
VirtualFree
GetProcAddress
LoadLibraryA
IsBadReadPtr
HeapFree
FreeLibrary
LockResource
LoadResource
SizeofResource
FindResourceA
GetLastError
RaiseException
InterlockedExchange
LocalAlloc
GetStartupInfoA
GetModuleHandleA

msvcrt

_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
exit
_exit
??2@YAPAXI@Z
free
realloc
??3@YAXPAX@Z
_XcptFilter
_stricmp

Exports

Exports

Ip

Sections

.text
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 142KB - Virtual size: 142KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
hfs_1.exe
.exe windows:4 windows x86 arch:x86

Password: 1234

360ea2f619fcb0363e7f11284453b54f

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

HeapAlloc
GetProcessHeap
VirtualAlloc
Sleep
VirtualProtect
VirtualFree
GetProcAddress
LoadLibraryA
IsBadReadPtr
HeapFree
FreeLibrary
LockResource
LoadResource
SizeofResource
FindResourceA
GetLastError
RaiseException
InterlockedExchange
LocalAlloc
GetStartupInfoA
GetModuleHandleA

msvcrt

_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
exit
_exit
??2@YAPAXI@Z
free
realloc
??3@YAXPAX@Z
_XcptFilter
_stricmp

Exports

Exports

Ip

Sections

.text
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 142KB - Virtual size: 142KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
hg
.elf linux x86
java
.elf linux x86
moren.exe
.exe windows:4 windows x86 arch:x86

Password: 1234

360ea2f619fcb0363e7f11284453b54f

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

HeapAlloc
GetProcessHeap
VirtualAlloc
Sleep
VirtualProtect
VirtualFree
GetProcAddress
LoadLibraryA
IsBadReadPtr
HeapFree
FreeLibrary
LockResource
LoadResource
SizeofResource
FindResourceA
GetLastError
RaiseException
InterlockedExchange
LocalAlloc
GetStartupInfoA
GetModuleHandleA

msvcrt

_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
exit
_exit
??2@YAPAXI@Z
free
realloc
??3@YAXPAX@Z
_XcptFilter
_stricmp

Exports

Exports

Ip

Sections

.text
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 142KB - Virtual size: 142KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: 1234

e4067fd97549fe4826129912b2b7fb81

Headers

File Characteristics

Imports

kernel32

msvcrt

Exports

Exports

Sections

PAGE Size: 76KB - Virtual size: 76KB

eeeeeeee Size: 416B - Virtual size: 414B

adsss Size: 1KB - Virtual size: 1KB

vvvvvv Size: 2KB - Virtual size: 2KB

.rsrc Size: 22KB - Virtual size: 22KB

Password: 1234

Headers

File Characteristics

Sections

UPX0 Size: - Virtual size: 16KB

UPX1 Size: 9KB - Virtual size: 12KB

UPX2 Size: 512B - Virtual size: 4KB

Headers

File Characteristics

Sections

.text Size: 12KB - Virtual size: 10KB

.rdata Size: 4KB - Virtual size: 2KB

.data Size: 4KB - Virtual size: 2KB

Password: 1234

be0375efa131919229a0d4c3b42f1c53

Headers

File Characteristics

Imports

kernel32

user32

advapi32

ws2_32

iphlpapi

Sections

.text Size: 36KB - Virtual size: 35KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 12KB - Virtual size: 17KB

Password: 1234

2f42d9bf2e4bd6a55ae0fba78a741ee5

Headers

File Characteristics

Imports

ws2_32

pdh

iphlpapi

user32

advapi32

kernel32

Sections

.text Size: 64KB - Virtual size: 62KB

.rdata Size: 8KB - Virtual size: 5KB

.data Size: 16KB - Virtual size: 19KB

.sxdata Size: 4KB - Virtual size: 24B

Password: 1234

360ea2f619fcb0363e7f11284453b54f

Headers

File Characteristics

Imports

kernel32

msvcrt

Exports

Exports

Sections

.text Size: 6KB - Virtual size: 5KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 1KB - Virtual size: 3KB

.rsrc Size: 142KB - Virtual size: 142KB

Password: 1234

PAGE
Size: 76KB - Virtual size: 76KB

eeeeeeee
Size: 416B - Virtual size: 414B

adsss
Size: 1KB - Virtual size: 1KB

vvvvvv
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 22KB - Virtual size: 22KB

UPX0
Size: - Virtual size: 16KB

UPX1
Size: 9KB - Virtual size: 12KB

UPX2
Size: 512B - Virtual size: 4KB

.text
Size: 12KB - Virtual size: 10KB

.rdata
Size: 4KB - Virtual size: 2KB

.data
Size: 4KB - Virtual size: 2KB

.text
Size: 36KB - Virtual size: 35KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 12KB - Virtual size: 17KB

.text
Size: 64KB - Virtual size: 62KB

.rdata
Size: 8KB - Virtual size: 5KB

.data
Size: 16KB - Virtual size: 19KB

.sxdata
Size: 4KB - Virtual size: 24B

.text
Size: 6KB - Virtual size: 5KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 1KB - Virtual size: 3KB

.rsrc
Size: 142KB - Virtual size: 142KB

.text
Size: 6KB - Virtual size: 5KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 1KB - Virtual size: 3KB

.rsrc
Size: 142KB - Virtual size: 142KB

.text
Size: 6KB - Virtual size: 5KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 1KB - Virtual size: 3KB

.rsrc
Size: 142KB - Virtual size: 142KB