Sewi[.]rar | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Sewi.rar
Size

862KB
MD5

cad98f93410cb4c7c688509867e50a3a
SHA1

dc9e8e233c01884445aa351700e489992536d5b4
SHA256

56f07ce45b2c7c9cb917e7b7bc1c056537b768c6b5bd3ccdf91345019a9e8a17
SHA512

16730e46f1ab16359203c196293f8a73be192a1be1af54aebbcd6656156e17d9b3b828a1bbfc32a440448d23dd27799943d4a39169574e05a45c6c927936f0cf
SSDEEP

24576:sWFWsj4ns033pMtFgb/9dEWeKvTRY6tM/UcED:sVsjRQ3pMtFg5dU4i6eFED

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Sewi.exe

Files

Sewi.rar
.rar

Password: 123
Sewi.exe
.exe windows:6 windows x64 arch:x64

Password: 123

d34eed44db328d2e496951f9c30d2670

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\tha8b\OneDrive\Desktop\new injectors\MW2019 AIO DEV LOADER - Copy\x64\Release\zim.pdb

Imports

kernel32

ReadFile
WriteFile
Beep
GetLastError
Sleep
GetCurrentProcess
GetWindowsDirectoryW
VirtualAlloc
VirtualFree
FreeLibrary
GetProcAddress
LoadLibraryExA
GetFileSize
LoadLibraryW
CreateToolhelp32Snapshot
Process32First
Process32Next
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
DeleteFileW
DeviceIoControl
CloseHandle
LoadLibraryA
CreateFileW
GetModuleHandleW
CreateEventW
WaitForSingleObjectEx
ResetEvent
SetEvent
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
InitializeSListHead

user32

IsWindowVisible
PostThreadMessageA
GetWindowThreadProcessId
GetWindow
EnumWindows
UnhookWindowsHookEx
SetWindowsHookExA

shell32

ShellExecuteW

msvcp140

?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z

ntdll

RtlLookupFunctionEntry
RtlCaptureContext
RtlImageNtHeader
RtlVirtualUnwind

vcruntime140

__current_exception
__C_specific_handler
__std_exception_copy
memcmp
__std_terminate
memset
memmove
memcpy
_CxxThrowException
__std_exception_destroy
__current_exception_context

vcruntime140_1

__CxxFrameHandler4

api-ms-win-crt-runtime-l1-1-0

_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_invalid_parameter_noinfo_noreturn
_initialize_narrow_environment
_set_app_type
_configure_narrow_argv
_get_initial_narrow_environment
_initterm
_initterm_e
_exit
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
_seh_filter_exe
exit
terminate

api-ms-win-crt-string-l1-1-0

_stricmp
strcpy_s

api-ms-win-crt-heap-l1-1-0

_set_new_mode
free
malloc
_callnewh

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode

api-ms-win-crt-utility-l1-1-0

rand

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 39KB - Virtual size: 38KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.8MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 275KB - Virtual size: 277KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 140B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: 123

Password: 123

d34eed44db328d2e496951f9c30d2670

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

shell32

msvcp140

ntdll

vcruntime140

vcruntime140_1

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 39KB - Virtual size: 38KB

.rdata Size: 1.8MB - Virtual size: 1.8MB

.data Size: 275KB - Virtual size: 277KB

.pdata Size: 2KB - Virtual size: 2KB

.rsrc Size: 15KB - Virtual size: 15KB

.reloc Size: 512B - Virtual size: 140B

.text
Size: 39KB - Virtual size: 38KB

.rdata
Size: 1.8MB - Virtual size: 1.8MB

.data
Size: 275KB - Virtual size: 277KB

.pdata
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 15KB - Virtual size: 15KB

.reloc
Size: 512B - Virtual size: 140B