Sysmon[.]zip | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Sysmon.zip
Size

522KB
MD5

241f066fbe90cb4817546bff520ccca4
SHA1

d753a9c6961a125a00f99fb2e24fa64ff5f4dcec
SHA256

28186e90ce6c0246c3eee0a8e66e242de9a70265a0aa376d13c7b1cfdff0be17
SHA512

1184f1c26a55ed266dd574446ae07b2b5a333b1f815aa93f85e2169b76cddeeb9a2a0a4f410c66ffec4d7b0c094a0ae9dde5b562f4f14dea1d613b7e5f6b4ed0
SSDEEP

12288:73ceDlhb2Ae7BsHunrgXU/ERfgr132TC30vB4gjFGyb7MeEt:AeDlcAelWunUjfy32GxALb7MeEt

Score

3^/10

Malware Config

Signatures

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/AppXor.exe
unpack001/Bunifu_UI_v1.52.dll
unpack001/mscoore.dll

Files

Sysmon.zip
.zip
AppXor.exe
.exe windows:4 windows x86 arch:x86

8c16c795b57934183422be5f6df7d891

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

EVENT_SINK_GetIDsOfNames
ord690
_CIcos
_adj_fptan
__vbaStrI4
__vbaVarVargNofree
__vbaFreeVar
__vbaLenBstr
__vbaLateIdCall
__vbaPut3
__vbaEnd
__vbaFreeVarList
_adj_fdiv_m64
EVENT_SINK_Invoke
__vbaRaiseEvent
__vbaFreeObjList
ord516
__vbaStrErrVarCopy
ord517
_adj_fprem1
__vbaRecAnsiToUni
ord519
__vbaCopyBytes
__vbaStrCat
__vbaLsetFixstr
__vbaRecDestruct
__vbaSetSystemError
ord661
__vbaHresultCheckObj
__vbaNameFile
_adj_fdiv_m32
Zombie_GetTypeInfo
__vbaAryDestruct
ord669
ord593
__vbaExitProc
ord594
__vbaOnError
__vbaObjSet
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
ord598
__vbaFpR4
ord705
__vbaStrFixstr
_CIsin
ord631
ord709
ord525
__vbaChkstk
__vbaFileClose
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaGet3
__vbaStrCmp
ord529
__vbaGet4
__vbaPutOwner3
__vbaAryConstruct2
__vbaVarTstEq
__vbaI2I4
DllFunctionCall
__vbaFpUI1
__vbaRedimPreserve
__vbaStrR4
_adj_fpatan
__vbaLateIdCallLd
Zombie_GetTypeInfoCount
__vbaRedim
__vbaRecUniToAnsi
EVENT_SINK_Release
__vbaNew
ord600
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
ord712
__vbaStrToUnicode
ord606
_adj_fprem
_adj_fdivr_m64
ord714
ord609
__vbaFPException
ord319
__vbaGetOwner3
__vbaUbound
ord535
__vbaFileSeek
ord537
_CIlog
__vbaErrorOverflow
__vbaFileOpen
ord648
ord570
__vbaNew2
__vbaInStr
_adj_fdiv_m32i
ord572
_adj_fdivr_m32i
__vbaStrCopy
__vbaI4Str
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord100
__vbaI4Var
ord689
__vbaAryLock
__vbaVarAdd
ord611
ord320
__vbaVarDup
__vbaStrToAnsi
ord321
__vbaFpI2
__vbaFpI4
ord616
__vbaLateMemCallLd
_CIatan
__vbaStrMove
ord618
__vbaCastObj
__vbaR8IntI4
ord650
_allmul
_CItan
__vbaAryUnlock
_CIexp
__vbaFreeObj
__vbaFreeStr
ord580
ord581

Sections

.text
Size: 104KB - Virtual size: 100KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Bunifu_UI_v1.52.dll
.dll windows:4 windows x86 arch:x86

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mscoree

_CorDllMain

Sections

.text
Size: 218KB - Virtual size: 217KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
mscoore.dll
.dll windows:6 windows x86 arch:x86

1968aa52fd534f7b0e071aebfa112108

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\Users\10\Downloads\LoadLibray-Injector-VAC-Bypass-main-main\LoadLibray-Injector-VAC-Bypass-main-main\Injector\Release\SamarindaCheat.pdb

Imports

kernel32

Thread32First
GetVolumeInformationA
WaitForSingleObject
GetModuleHandleA
CreateToolhelp32Snapshot
Sleep
TerminateThread
CloseHandle
K32GetModuleInformation
CreateThread
AddVectoredExceptionHandler
GetProcAddress
ExitProcess
FlushInstructionCache
IsBadReadPtr
Thread32Next
GetTickCount
VirtualQuery
OpenThread
GetComputerNameA
SetPriorityClass
DeviceIoControl
GetLastError
CreateFileA
GetVersionExA
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetCurrentProcess
VirtualProtect
GetModuleFileNameA
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
SetLastError

user32

GetCursorPos
ScreenToClient
GetForegroundWindow
MessageBoxA

advapi32

GetUserNameA

msvcp140

_Query_perf_counter
?_Xlength_error@std@@YAXPBD@Z
?_Xout_of_range@std@@YAXPBD@Z
?_Xinvalid_argument@std@@YAXPBD@Z
_Query_perf_frequency

ws2_32

connect
inet_addr
htons

vcruntime140

_except_handler4_common
_CxxThrowException
__std_type_info_destroy_list
__std_exception_destroy
__CxxFrameHandler3
memcpy
memmove
memset
strchr
strstr
__std_exception_copy

api-ms-win-crt-heap-l1-1-0

_callnewh
malloc
free

api-ms-win-crt-convert-l1-1-0

strtof

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf
__stdio_common_vsprintf_s

api-ms-win-crt-runtime-l1-1-0

_crt_atexit
_cexit
_initterm
_initterm_e
_execute_onexit_table
_register_onexit_function
_errno
_invalid_parameter_noinfo_noreturn
_initialize_onexit_table
_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment

api-ms-win-crt-string-l1-1-0

isspace
_strdup
strncpy
tolower
isprint
isalnum

api-ms-win-crt-math-l1-1-0

_libm_sse2_sqrt_precise

Sections

.text
Size: 99KB - Virtual size: 98KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 31.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8c16c795b57934183422be5f6df7d891

Headers

File Characteristics

Imports

msvbvm60

Sections

.text Size: 104KB - Virtual size: 100KB

.data Size: 4KB - Virtual size: 6KB

.rsrc Size: 8KB - Virtual size: 5KB

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 218KB - Virtual size: 217KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

1968aa52fd534f7b0e071aebfa112108

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

msvcp140

ws2_32

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-math-l1-1-0

Sections

.text Size: 99KB - Virtual size: 98KB

.rdata Size: 22KB - Virtual size: 21KB

.data Size: 1KB - Virtual size: 31.2MB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 9KB - Virtual size: 9KB

.text
Size: 104KB - Virtual size: 100KB

.data
Size: 4KB - Virtual size: 6KB

.rsrc
Size: 8KB - Virtual size: 5KB

.text
Size: 218KB - Virtual size: 217KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 99KB - Virtual size: 98KB

.rdata
Size: 22KB - Virtual size: 21KB

.data
Size: 1KB - Virtual size: 31.2MB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 9KB - Virtual size: 9KB