sample[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

sample.zip
Size

3.1MB
MD5

780a257909e9cb4f714051143249eb16
SHA1

ffa8d9b41c5c10a87505a4d82f78c3a1811cac1f
SHA256

c0426b3b93673cc8297aed9a33b770d93263b9f3c9f01c23f9691507c812591b
SHA512

ece49b8730a5496171c7961788c77898ad59a6ca3fb8056b01ee4bb8cc0b41c27e229c5736c9b9aa0f31a527dac24f20912ff4369e9e3e3343fbad866fa9a084
SSDEEP

98304:dOmECjMiZqHH/LebDcy4SRI1wAhd0o0HPguAjq5nxT4CLKdn:dOmECjuHHjeUR3oxWgEZF

Score

1^/10

Malware Config

Signatures

Files

sample.zip
.zip
sample/sample.exe
.exe windows:4 windows x64 arch:x64

d1a356d45f33038ed7e54056b4b8647a

Code Sign

02:0e:b5:27:ba:c0:10:99:59:3e:2e:a9:02:e3:97:cb
Certificate

Issuer

CN=DigiCert Assured ID Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

12/07/2018, 00:00

Not After

15/07/2021, 12:00

Subject

CN=Hangzhou Infogo Tech Co.\, Ltd.,O=Hangzhou Infogo Tech Co.\, Ltd.,L=Hangzhou,ST=Zhejiang,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bd
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

11/02/2011, 12:00

Not After

10/02/2026, 12:00

Subject

CN=DigiCert Assured ID Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

60:99:4c:40:f7:77:a0:9e:49:e0:3d:d5:fd:b9:20:1e:f7:52:e6:54
Signer

Actual PE Digest

60:99:4c:40:f7:77:a0:9e:49:e0:3d:d5:fd:b9:20:1e:f7:52:e6:54

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

d:\osce-common-xg_13.0\src\client\pccnt\service\cnttmntscan\release\x64\NTRtScan_64x.pdb

Imports

ws2_32

gethostbyname
WSACleanup
WSAStartup
htons
getservbyport
ntohs
gethostbyaddr
getservbyname
htonl
WSASetLastError
inet_ntoa
WSAGetLastError
inet_addr

version

GetFileVersionInfoSizeW
GetFileVersionInfoSizeA
GetFileVersionInfoA
GetFileVersionInfoW
VerQueryValueW

netapi32

NetApiBufferFree
NetShareGetInfo

advapi32

RegOpenKeyExW
GetAclInformation
GetAce
RegisterEventSourceW
ReportEventW
DeregisterEventSource
SetFileSecurityW
AddAccessAllowedAce
ConvertStringSidToSidW
RegCreateKeyA
RegDeleteKeyA
RegOpenKeyA
CryptAcquireContextA
RegDeleteKeyExA
RegOpenCurrentUser
CryptImportKey
CryptGetHashParam
CryptDecrypt
CryptEncrypt
CryptDestroyKey
CryptDestroyHash
CryptDeriveKey
CryptHashData
IsValidSid
GetSecurityDescriptorLength
MakeSelfRelativeSD
GetSecurityDescriptorOwner
GetSecurityDescriptorGroup
GetSecurityDescriptorDacl
GetSecurityDescriptorSacl
ConvertStringSecurityDescriptorToSecurityDescriptorA
QueryServiceStatusEx
OpenThreadToken
CryptCreateHash
CryptReleaseContext
CryptAcquireContextW
CryptSetKeyParam
RegOpenKeyExA
RegQueryValueExA
RegCreateKeyExA
ImpersonateSelf
LookupPrivilegeValueW
CloseServiceHandle
ChangeServiceConfigW
OpenServiceW
OpenSCManagerW
ChangeServiceConfig2W
RegDeleteValueW
RegEnumValueW
RegCloseKey
RegNotifyChangeKeyValue
RegCreateKeyExW
RegQueryValueExW
GetSecurityDescriptorControl
RegSetValueExW
RegEnumKeyExW
ImpersonateLoggedOnUser
OpenProcessToken
RevertToSelf
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
QueryServiceStatus
StartServiceW
SetServiceStatus
CreateServiceW
RegDeleteKeyExW
RegOpenKeyW
RegisterServiceCtrlHandlerExW
StartServiceCtrlDispatcherW
ControlService
QueryServiceConfigW
GetTokenInformation
GetUserNameW
CreateProcessAsUserA
DuplicateTokenEx
RegDeleteKeyW
DeleteService
CopySid
GetLengthSid
LookupAccountSidW
EqualSid
FreeSid
SetSecurityInfo
SetEntriesInAclW
AllocateAndInitializeSid
GetSecurityInfo
RegSetValueExA
AddAce
InitializeAcl
AdjustTokenPrivileges

crypt32

CertGetNameStringW
CryptMsgClose
CertCloseStore
CertFreeCertificateContext
CertFindCertificateInStore
CryptMsgGetParam
CryptQueryObject
CryptUnprotectData
CryptProtectData

shlwapi

PathAddBackslashA
PathFindExtensionA
StrStrIW
PathFindExtensionW
PathRemoveBackslashW
PathAppendA
PathFileExistsA
PathFileExistsW
PathRemoveFileSpecW
PathFindFileNameA
PathFindFileNameW
PathAddBackslashW
PathAppendW
PathUnquoteSpacesW

rpcrt4

UuidToStringW
RpcStringFreeW
UuidCreate

kernel32

CreateWaitableTimerA
OpenEventA
SetWaitableTimer
TlsGetValue
TerminateThread
PulseEvent
GetThreadLocale
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetEnvironmentVariableA
GetLocaleInfoW
IsValidLocale
EnumSystemLocalesA
GetUserDefaultLCID
SetStdHandle
FlushFileBuffers
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
SetEvent
GetPrivateProfileIntW
CloseHandle
ResetEvent
WaitForMultipleObjects
CreateEventW
GetLastError
TerminateProcess
OpenProcess
CopyFileW
ProcessIdToSessionId
CreateThread
GetSystemDirectoryW
GetCurrentThreadId
GetLongPathNameW
GetShortPathNameW
GetPrivateProfileStringW
FindClose
FindNextFileW
FindFirstFileW
GetFullPathNameW
WaitForSingleObject
CreateTimerQueue
DeleteTimerQueueEx
CreateTimerQueueTimer
DeleteTimerQueueTimer
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
GetVersionExW
CreateProcessW
QueueUserWorkItem
GetTickCount
ExpandEnvironmentStringsW
GetFileSize
CreateFileW
GetWindowsDirectoryW
TryEnterCriticalSection
lstrlenW
GetLocalTime
DefineDosDeviceW
Sleep
DeleteFileW
DeviceIoControl
GetLogicalDriveStringsW
GetDriveTypeW
GetStartupInfoW
GetFileSizeEx
CreateMutexW
WritePrivateProfileStringW
ReadDirectoryChangesW
SetThreadPriority
GetEnvironmentVariableW
GetCurrentThread
SignalObjectAndWait
FreeLibrary
LoadLibraryExW
FileTimeToSystemTime
SetCurrentDirectoryW
GetCurrentDirectoryW
Thread32Next
Thread32First
GetSystemTimeAsFileTime
GetFileTime
OpenEventW
RemoveDirectoryW
SetFileAttributesW
MultiByteToWideChar
GetVolumePathNamesForVolumeNameW
GetVolumeNameForVolumeMountPointW
CreateDirectoryW
SetErrorMode
SetProcessWorkingSetSize
GetCurrentProcess
SetConsoleCtrlHandler
GetModuleHandleW
AddVectoredExceptionHandler
WriteFile
LoadLibraryA
SetFilePointer
GetFileAttributesW
GetModuleFileNameW
WideCharToMultiByte
CreateSemaphoreW
LoadLibraryW
QueryDosDeviceW
LocalFree
LocalAlloc
ReleaseMutex
GetComputerNameW
WaitForMultipleObjectsEx
SystemTimeToFileTime
GetSystemTime
GetSystemDefaultLangID
ReadFile
SetLastError
GetComputerNameA
GetLogicalDrives
GetSystemInfo
GetThreadTimes
OpenThread
SetThreadExecutionState
QueryPerformanceCounter
GetCurrentProcessId
FormatMessageW
GetExitCodeProcess
MapViewOfFileEx
CreateFileMappingW
UnmapViewOfFile
GetTimeZoneInformation
FindVolumeClose
FindNextVolumeW
FindFirstVolumeW
HeapFree
HeapAlloc
GetProcessHeap
GetVolumeInformationW
CreateFileA
CreateMailslotW
SleepEx
GetOverlappedResult
CreateEventA
GetModuleHandleA
FormatMessageA
SwitchToThread
LockFileEx
UnlockFileEx
WaitForSingleObjectEx
MapViewOfFile
DuplicateHandle
GetConsoleMode
GetConsoleCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetStartupInfoA
SetHandleCount
HeapDestroy
HeapCreate
HeapSetInformation
HeapSize
IsValidCodePage
GetOEMCP
RtlVirtualUnwind
FlsAlloc
TlsSetValue
FlsFree
CompareStringW
GetVersion
GetPrivateProfileIntA
GetStringTypeExW
TlsFree
GetVersionExA
lstrcatA
lstrcpyA
MoveFileExW
GetPrivateProfileSectionW
MoveFileW
GetSystemDirectoryA
ResumeThread
CompareStringA
FlsSetValue
FileTimeToLocalFileTime
QueryPerformanceFrequency
WritePrivateProfileStringA
TlsAlloc
FlsGetValue
GetStdHandle
ExitProcess
GetStringTypeW
GetStringTypeA
GetCPInfo
LCMapStringW
LCMapStringA
GetFileType
GetTimeFormatA
GetDateFormatA
GetDriveTypeA
GetCommandLineA
GetCurrentDirectoryA
SetEnvironmentVariableW
ExitThread
RtlPcToFileHeader
RtlCaptureContext
IsDebuggerPresent
UnhandledExceptionFilter
RtlUnwindEx
RtlLookupFunctionEntry
GetLocaleInfoA
GetACP
GetQueuedCompletionStatus
PostQueuedCompletionStatus
CreateIoCompletionPort
CreateDirectoryA
GetProcessTimes
IsBadWritePtr
IsBadReadPtr
GetTempFileNameW
OpenFile
DeleteFileA
AreFileApisANSI
GlobalMemoryStatus
FlushConsoleInputBuffer
GetSystemPowerStatus
GetFileInformationByHandle
GetVolumePathNameW
HeapReAlloc
GetDiskFreeSpaceExW
SetNamedPipeHandleState
WaitNamedPipeW
CreateFileMappingA
ReadConsoleInputA
SetConsoleMode
SetUnhandledExceptionFilter
RaiseException
GetTempPathW
lstrlenA
GetPrivateProfileStringA
GetModuleFileNameA
GetFileAttributesA
GetProcAddress
SetEndOfFile
MoveFileExA
TzSpecificLocalTimeToSystemTime
GetTempFileNameA
GetUserDefaultLangID
VirtualProtect

user32

GetUserObjectInformationW
GetProcessWindowStation
GetDesktopWindow
MessageBoxW
CharUpperW
MessageBeep
GetWindowThreadProcessId
FindWindowW
SendMessageW
LoadStringW
wsprintfW
wsprintfA
RegisterDeviceNotificationW
UnregisterDeviceNotification
LoadStringA

shell32

SHGetFolderPathW

ole32

CoInitializeSecurity
CoInitializeEx
CoSetProxyBlanket
CoInitialize
CoCreateInstance
CoUninitialize

oleaut32

VariantClear
SysFreeString
SysAllocString

wintrust

WinVerifyTrust

dbghelp

MiniDumpWriteDump

setupapi

SetupDiDestroyDeviceInfoList
SetupDiDeleteDeviceInterfaceData
CM_Get_Parent
CM_Get_Device_IDW
SetupDiGetDeviceInstanceIdW
SetupDiGetDeviceInterfaceDetailW
SetupDiOpenDeviceInterfaceW
SetupDiCreateDeviceInfoList
InstallHinfSectionW

Sections

.text
Size: 4.7MB - Virtual size: 4.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 260KB - Virtual size: 400KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 278KB - Virtual size: 277KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 634KB - Virtual size: 633KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 42KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d1a356d45f33038ed7e54056b4b8647a

Code Sign

02:0e:b5:27:ba:c0:10:99:59:3e:2e:a9:02:e3:97:cbCertificate

Extended Key Usages

Key Usages

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bdCertificate

Extended Key Usages

Key Usages

60:99:4c:40:f7:77:a0:9e:49:e0:3d:d5:fd:b9:20:1e:f7:52:e6:54Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ws2_32

version

netapi32

advapi32

crypt32

shlwapi

rpcrt4

kernel32

user32

shell32

ole32

oleaut32

wintrust

dbghelp

setupapi

Sections

.text Size: 4.7MB - Virtual size: 4.7MB

.rdata Size: 1.9MB - Virtual size: 1.9MB

.data Size: 260KB - Virtual size: 400KB

.pdata Size: 278KB - Virtual size: 277KB

.tls Size: 512B - Virtual size: 2B

.rsrc Size: 634KB - Virtual size: 633KB

.reloc Size: 42KB - Virtual size: 42KB

02:0e:b5:27:ba:c0:10:99:59:3e:2e:a9:02:e3:97:cb
Certificate

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bd
Certificate

60:99:4c:40:f7:77:a0:9e:49:e0:3d:d5:fd:b9:20:1e:f7:52:e6:54
Signer

.text
Size: 4.7MB - Virtual size: 4.7MB

.rdata
Size: 1.9MB - Virtual size: 1.9MB

.data
Size: 260KB - Virtual size: 400KB

.pdata
Size: 278KB - Virtual size: 277KB

.tls
Size: 512B - Virtual size: 2B

.rsrc
Size: 634KB - Virtual size: 633KB

.reloc
Size: 42KB - Virtual size: 42KB