xemu-win-release (1)[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

xemu-win-release (1).zip
Size

11.1MB
MD5

4ef9c5d66e25914791646b0c0476b85a
SHA1

6a0cf34b49e9d15015cf614131708a2c577d02ac
SHA256

d4866e1a131370d40c1b0556e1327e8a36ca0df7701b09695e9ca13f871afdba
SHA512

5f9a6aa0aa49f951aca59b4131cf6c3a6ebcca6e88ae40b2a1c63932087c556f14f0d0124ddc4e054af02afdc35db107158164bafbff92390719e33698dcd0fa
SSDEEP

196608:MZp1RGbejVcUQ6xUh3JOM9emPoM6ObShPruWXnvpnlBAS5NLtL7bO3IxLepTEewV:upvGS/Q6xU6M92iQi27AArqZzwR7hV

Score

3^/10

Malware Config

Signatures

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
static1/unpack001/xemu.exe	embeds_openssl

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/xemu.exe

Files

xemu-win-release (1).zip
.zip

Password: infected
LICENSE.txt
xemu.exe
.exe windows:4 windows x64 arch:x64

Password: infected

6b5f95c55ebc8c13cc324b73004bd29b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\a\xemu\xemu\xemu-win-release\xemu.pdb

Imports

advapi32

CryptAcquireContextA
CryptAcquireContextW
CryptGenRandom
CryptReleaseContext
DeregisterEventSource
GetUserNameW
RegCloseKey
RegEnumKeyExA
RegGetValueW
RegLoadMUIStringW
RegOpenKeyExA
RegOpenKeyExW
RegQueryValueExA
RegQueryValueExW
RegisterEventSourceW
ReportEventW

comdlg32

GetOpenFileNameW
GetSaveFileNameW

crypt32

CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CertOpenSystemStoreW

gdi32

BitBlt
ChoosePixelFormat
CombineRgn
CreateBitmap
CreateCompatibleBitmap
CreateCompatibleDC
CreateDCW
CreateDIBSection
CreateFontIndirectW
CreateFontW
CreatePen
CreateRectRgn
CreateSolidBrush
DeleteDC
DeleteObject
DescribePixelFormat
ExtTextOutW
GetDIBits
GetDeviceCaps
GetDeviceGammaRamp
GetICMProfileW
GetPixelFormat
GetTextExtentPoint32A
GetTextExtentPoint32W
GetTextMetricsW
Rectangle
SelectObject
SetBkMode
SetDeviceGammaRamp
SetPixelFormat
SetTextColor
SwapBuffers

imm32

ImmAssociateContext
ImmGetCandidateListW
ImmGetCompositionStringW
ImmGetContext
ImmGetIMEFileNameA
ImmNotifyIME
ImmReleaseContext
ImmSetCandidateWindow
ImmSetCompositionStringW
ImmSetCompositionWindow

iphlpapi

ConvertInterfaceGuidToLuid
ConvertInterfaceLuidToAlias
GetAdaptersAddresses
GetNetworkParams

kernel32

AcquireSRWLockExclusive
AcquireSRWLockShared
AddVectoredExceptionHandler
AllocConsole
AttachConsole
CancelIo
ClearCommError
CloseHandle
CompareStringA
ConnectNamedPipe
ConvertFiberToThread
ConvertThreadToFiber
ConvertThreadToFiberEx
CreateDirectoryW
CreateEventA
CreateEventW
CreateFiber
CreateFiberEx
CreateFileA
CreateFileMappingW
CreateFileW
CreateIoCompletionPort
CreateNamedPipeA
CreateProcessW
CreateSemaphoreA
CreateSemaphoreW
CreateThread
DebugBreak
DeleteCriticalSection
DeleteFiber
DeviceIoControl
DuplicateHandle
EnterCriticalSection
EnumResourceLanguagesA
EnumResourceNamesW
EnumSystemLocalesA
ExitProcess
ExpandEnvironmentStringsW
FileTimeToSystemTime
FindClose
FindFirstFileW
FindFirstVolumeW
FindNextFileW
FindNextVolumeW
FindVolumeClose
FlushFileBuffers
FormatMessageA
FormatMessageW
FreeEnvironmentStringsW
FreeLibrary
GetACP
GetCPInfo
GetCommandLineW
GetComputerNameW
GetConsoleMode
GetConsoleOutputCP
GetCurrentDirectoryA
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDateFormatW
GetDefaultCommConfigA
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDiskFreeSpaceExW
GetDriveTypeA
GetEnvironmentStringsW
GetEnvironmentVariableA
GetEnvironmentVariableW
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesA
GetFileAttributesW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFileSize
GetFileSizeEx
GetFileTime
GetFileType
GetHandleInformation
GetLastError
GetLocaleInfoA
GetLocaleInfoW
GetLogicalDriveStringsA
GetLogicalProcessorInformation
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExW
GetModuleHandleW
GetNativeSystemInfo
GetOverlappedResult
GetProcAddress
GetProcessAffinityMask
GetProcessHeap
GetProcessId
GetProcessTimes
GetQueuedCompletionStatus
GetShortPathNameW
GetStartupInfoA
GetStdHandle
GetSystemDirectoryA
GetSystemDirectoryW
GetSystemInfo
GetSystemPowerStatus
GetSystemTime
GetSystemTimeAdjustment
GetSystemTimeAsFileTime
GetThreadContext
GetThreadLocale
GetThreadPriority
GetThreadTimes
GetTickCount
GetTimeFormatW
GetTimeZoneInformation
GetVersion
GetVolumeInformationW
GetWindowsDirectoryW
GlobalAlloc
GlobalFree
GlobalLock
GlobalMemoryStatusEx
GlobalUnlock
HeapAlloc
HeapFree
InitializeConditionVariable
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeSRWLock
IsDBCSLeadByteEx
IsDebuggerPresent
IsValidCodePage
LeaveCriticalSection
LoadLibraryA
LoadLibraryExW
LoadLibraryW
LocalFree
MapViewOfFile
MoveFileExA
MoveFileExW
MulDiv
MultiByteToWideChar
OpenProcess
OpenThread
OutputDebugStringA
OutputDebugStringW
PeekConsoleInputW
PeekNamedPipe
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseException
ReadConsoleA
ReadConsoleInputA
ReadConsoleInputW
ReadConsoleW
ReadFile
ReleaseSRWLockExclusive
ReleaseSRWLockShared
ReleaseSemaphore
RemoveVectoredExceptionHandler
ResetEvent
ResumeThread
RtlCaptureContext
RtlLookupFunctionEntry
RtlUnwindEx
RtlVirtualUnwind
SetCommMask
SetCommState
SetCommTimeouts
SetConsoleCtrlHandler
SetConsoleMode
SetEndOfFile
SetEnvironmentVariableA
SetEnvironmentVariableW
SetErrorMode
SetEvent
SetFilePointer
SetFilePointerEx
SetLastError
SetProcessAffinityMask
SetSystemTime
SetThreadContext
SetThreadExecutionState
SetThreadPriority
SetUnhandledExceptionFilter
SetupComm
Sleep
SleepConditionVariableCS
SleepConditionVariableSRW
SleepEx
SuspendThread
SwitchToFiber
SystemTimeToFileTime
TerminateProcess
TerminateThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryAcquireSRWLockExclusive
TryEnterCriticalSection
UnmapViewOfFile
VerSetConditionMask
VerifyVersionInfoW
VirtualAlloc
VirtualFree
VirtualLock
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForMultipleObjectsEx
WaitForSingleObject
WaitForSingleObjectEx
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte
WriteFile
__C_specific_handler
lstrlenA

msvcrt

___lc_codepage_func
___mb_cur_max_func
__argv
__getmainargs
__initenv
__iob_func
__set_app_type
__setusermatherr
_access
_acmdln
_aligned_free
_aligned_malloc
_amsg_exit
_assert
_beginthreadex
_cexit
_chsize
_close
_commit
_commode
_dup2
_endthreadex
_errno
_execv
_exit
_filelengthi64
_fileno
_findclose
_findfirst64
_findnext64
_fmode
_fstat64
_fullpath
_get_osfhandle
_getdrive
_gmtime64
_i64toa
_initterm
_isatty
_isctype
_ismbblead
_kbhit
_localtime64
_lock
_lseeki64
_ltoa
_mkgmtime64
_mktime64
_onexit
_open
_open_osfhandle
_pipe
_read
_setjmp
_setmode
_snwprintf_s
_sopen
_stat64
_strdup
_stricmp
_strlwr
_strnicmp
_strrev
_ui64toa_s
_wmakepath_s
_wsplitpath_s
fopen_s
freopen_s
strncpy_s
_strupr
_telli64
_time64
_timezone
_ui64toa
_ultoa
_unlock
_utime64
_vscprintf
_vsnprintf
_vsnwprintf
_waccess
_wchdir
_wchmod
_wcreat
_wcsdup
_wcsicmp
_wcsnicmp
_wfindfirst64
_wfindnext64
_wfopen
_wfreopen
_wfullpath
_wgetcwd
_wmkdir
_wopen
_wputenv
_wremove
_wrmdir
_wspawnv
_wspawnve
_wspawnvp
_wspawnvpe
_wstat64
_wunlink
_wutime64
abort
acos
asin
atan
atof
atoi
bsearch
calloc
exit
fclose
feof
ferror
fflush
fgetc
fgetpos
fgets
fopen
fprintf
fputc
fputs
fputwc
fread
free
freopen
fseek
fsetpos
ftell
fwrite
getc
getenv
isalnum
isalpha
iscntrl
isgraph
islower
isprint
ispunct
isspace
isupper
iswctype
isxdigit
localeconv
log10
longjmp
malloc
mbstowcs
memchr
memcmp
memcpy
memmove
memset
perror
printf
putc
putchar
puts
qsort
raise
rand
realloc
remove
setbuf
setlocale
setvbuf
signal
sinh
sprintf
strcat
strchr
strcmp
strcoll
strcpy
strcspn
strerror
strftime
strlen
strncmp
strncpy
strpbrk
strrchr
strspn
strstr
strtok
strtol
strtoul
strxfrm
swprintf_s
tan
tolower
toupper
towlower
towupper
ungetc
vfprintf
wcscat
wcschr
wcscmp
wcscoll
wcscpy
wcscpy_s
wcsftime
wcslen
wcsncmp
wcsspn
wcsstr
wcstol
wcstombs
wcstoul
wcsxfrm
wctomb
_strtoui64
_strtoi64
_wcsicmp
_write
_unlink
_strdup
_read
_open
_itoa
_getpid
_fileno
_fdopen
_dup2
_dup
_close
_access

ole32

CLSIDFromString
CoCreateInstance
CoInitialize
CoInitializeEx
CoTaskMemFree
CoUninitialize
PropVariantClear

oleaut32

SysFreeString

api-ms-win-core-path-l1-1-0

PathCchSkipRoot

setupapi

CM_Get_Device_IDA
CM_Get_Parent
CM_Locate_DevNodeA
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiEnumDeviceInterfaces
SetupDiGetClassDevsA
SetupDiGetDeviceInterfaceDetailA
SetupDiGetDeviceRegistryPropertyA

shell32

CommandLineToArgvW
DragAcceptFiles
DragFinish
DragQueryFileW
SHGetFolderPathW
SHGetKnownFolderPath
ShellExecuteA
ShellExecuteW

user32

AdjustWindowRectEx
AttachThreadInput
CallNextHookEx
CallWindowProcW
ChangeDisplaySettingsExW
ClientToScreen
ClipCursor
CloseClipboard
CopyImage
CreateIconFromResource
CreateIconIndirect
CreateWindowExA
CreateWindowExW
DefWindowProcW
DestroyIcon
DestroyWindow
DialogBoxIndirectParamW
DispatchMessageW
DrawTextW
EmptyClipboard
EndDialog
EnumDisplayDevicesW
EnumDisplayMonitors
EnumDisplaySettingsW
FillRect
FlashWindowEx
GetAsyncKeyState
GetClassInfoExW
GetClientRect
GetClipCursor
GetClipboardData
GetClipboardSequenceNumber
GetCursorPos
GetDC
GetDesktopWindow
GetDlgItem
GetDoubleClickTime
GetFocus
GetForegroundWindow
GetKeyState
GetKeyboardLayout
GetKeyboardState
GetMenu
GetMessageExtraInfo
GetMessageW
GetMonitorInfoW
GetParent
GetProcessWindowStation
GetPropW
GetRawInputData
GetRawInputDeviceInfoA
GetRawInputDeviceList
GetSystemMetrics
GetUpdateRect
GetUserObjectInformationW
GetWindowLongPtrW
GetWindowLongW
GetWindowRect
GetWindowTextLengthW
GetWindowTextW
GetWindowThreadProcessId
IntersectRect
InvalidateRect
IsClipboardFormatAvailable
IsIconic
IsWindow
KillTimer
LoadCursorW
LoadIconW
MapVirtualKeyW
MessageBoxA
MessageBoxW
MonitorFromPoint
MonitorFromRect
MonitorFromWindow
MsgWaitForMultipleObjects
MsgWaitForMultipleObjectsEx
OpenClipboard
PeekMessageW
PostMessageW
PostThreadMessageW
PtInRect
RegisterClassExA
RegisterClassExW
RegisterClassW
RegisterDeviceNotificationW
RegisterRawInputDevices
RegisterWindowMessageA
ReleaseCapture
ReleaseDC
RemovePropW
ScreenToClient
SendMessageW
SetActiveWindow
SetCapture
SetClipboardData
SetCursor
SetCursorPos
SetFocus
SetForegroundWindow
SetLayeredWindowAttributes
SetPropW
SetTimer
SetWindowLongPtrW
SetWindowLongW
SetWindowPos
SetWindowRgn
SetWindowTextW
SetWindowsHookExW
ShowWindow
SystemParametersInfoA
SystemParametersInfoW
ToUnicode
TrackMouseEvent
TranslateMessage
UnhookWindowsHookEx
UnregisterClassA
UnregisterClassW
UnregisterDeviceNotification
ValidateRect

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

winmm

timeBeginPeriod
timeEndPeriod
timeGetDevCaps
waveInAddBuffer
waveInClose
waveInGetDevCapsW
waveInGetNumDevs
waveInOpen
waveInPrepareHeader
waveInReset
waveInStart
waveInUnprepareHeader
waveOutClose
waveOutGetDevCapsW
waveOutGetErrorTextW
waveOutGetNumDevs
waveOutOpen
waveOutPrepareHeader
waveOutReset
waveOutUnprepareHeader
waveOutWrite

ws2_32

WSACleanup
WSACloseEvent
WSACreateEvent
WSADuplicateSocketW
WSAEnumNetworkEvents
WSAEventSelect
WSAGetLastError
WSASetEvent
WSASetLastError
WSASocketW
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
gethostbyaddr
gethostbyname
getnameinfo
getpeername
getservbyname
getservbyport
getsockname
getsockopt
htonl
htons
inet_addr
inet_ntoa
inet_ntop
inet_pton
ioctlsocket
listen
ntohl
ntohs
recv
recvfrom
select
send
sendto
setsockopt
shutdown
socket

Exports

Exports

AmdPowerXpressRequestHighPerformance
NvOptimusEnablement

Sections

.text
Size: 16.4MB - Virtual size: 16.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 7.9MB - Virtual size: 7.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 577KB - Virtual size: 576KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 662KB - Virtual size: 662KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 335KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 139B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 112B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 316KB - Virtual size: 315KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 274KB - Virtual size: 274KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.debug
Size: 108B - Virtual size: 512B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

6b5f95c55ebc8c13cc324b73004bd29b

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

comdlg32

crypt32

gdi32

imm32

iphlpapi

kernel32

msvcrt

ole32

oleaut32

api-ms-win-core-path-l1-1-0

setupapi

shell32

user32

version

winmm

ws2_32

Exports

Exports

Sections

.text Size: 16.4MB - Virtual size: 16.4MB

.data Size: 1.2MB - Virtual size: 1.2MB

.rdata Size: 7.9MB - Virtual size: 7.9MB

.pdata Size: 577KB - Virtual size: 576KB

.xdata Size: 662KB - Virtual size: 662KB

.bss Size: - Virtual size: 335KB

.edata Size: 512B - Virtual size: 139B

.idata Size: 27KB - Virtual size: 27KB

.CRT Size: 512B - Virtual size: 112B

.tls Size: 512B - Virtual size: 16B

.rsrc Size: 316KB - Virtual size: 315KB

.reloc Size: 274KB - Virtual size: 274KB

.debug Size: 108B - Virtual size: 512B

.text
Size: 16.4MB - Virtual size: 16.4MB

.data
Size: 1.2MB - Virtual size: 1.2MB

.rdata
Size: 7.9MB - Virtual size: 7.9MB

.pdata
Size: 577KB - Virtual size: 576KB

.xdata
Size: 662KB - Virtual size: 662KB

.bss
Size: - Virtual size: 335KB

.edata
Size: 512B - Virtual size: 139B

.idata
Size: 27KB - Virtual size: 27KB

.CRT
Size: 512B - Virtual size: 112B

.tls
Size: 512B - Virtual size: 16B

.rsrc
Size: 316KB - Virtual size: 315KB

.reloc
Size: 274KB - Virtual size: 274KB

.debug
Size: 108B - Virtual size: 512B