OxycoRat[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

OxycoRat.zip
Size

12.1MB
MD5

af8b1a697daa2373b367a8b4354489be
SHA1

06be7fb6ea6b27775df408e9f75f36073f1aa3cb
SHA256

24e7bea644e79281019e4ec4af397a2ddb160e3879df58b5e277a04214bf9279
SHA512

111e09665a49e4d6039d11b4cd695048be9ea6f0b465e4acde03fb3009f385ba32fc46008c11fa4a92a85e264f78627dcba4ac1d394e0f2cab21bf52774f554d
SSDEEP

393216:9Q2WOG5ppSPxvFwbKAJ/EwSN+qe2OeYdkxXbdQ+KjsdG:G5pYPxS2NjNDe2OeY+xXdKEG

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
static1/unpack001/Plugins/sqlite3.dll	acprotect

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/Plugins/sqlite3.dll	upx

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Modules/ffmpeg.exe
unpack001/Plugins/sqlite3.dll
unpack003/out.upx

Files

OxycoRat.zip
.zip

Password: 123
Data/DataBase.db
Modules/ffmpeg.exe
.exe windows:4 windows x86 arch:x86

Password: 123

a05575a4ef06bc557b834a488509da27

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

advapi32

CryptAcquireContextA
CryptGenRandom
CryptReleaseContext
DeregisterEventSource
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegisterEventSourceA
ReportEventA

avicap32

capCreateCaptureWindowA
capGetDriverDescriptionA

crypt32

CertCloseStore
CertEnumCertificatesInStore
CertOpenSystemStoreA

gdi32

BitBlt
ChoosePixelFormat
CombineRgn
CreateCompatibleBitmap
CreateCompatibleDC
CreateDCA
CreateDIBSection
CreatePalette
CreateRectRgn
DeleteDC
DeleteObject
DescribePixelFormat
GetBitmapBits
GetDIBColorTable
GetDIBits
GetDeviceCaps
GetDeviceGammaRamp
GetObjectA
GetStockObject
GetSystemPaletteEntries
GetSystemPaletteUse
RealizePalette
SelectObject
SelectPalette
SetDIBColorTable
SetDeviceGammaRamp
SetPaletteEntries
SetPixelFormat
SetSystemPaletteUse
SwapBuffers
UnrealizeObject

kernel32

AllocConsole
CloseHandle
CreateConsoleScreenBuffer
CreateEventA
CreateFileA
CreateFileMappingA
CreateFileW
CreateMutexA
CreateSemaphoreA
CreateSemaphoreW
CreateThread
DeleteCriticalSection
DuplicateHandle
EnterCriticalSection
FindClose
FindFirstFileA
FindNextFileA
FormatMessageA
FormatMessageW
FreeLibrary
GetACP
GetCommandLineW
GetConsoleCursorInfo
GetConsoleMode
GetConsoleScreenBufferInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDriveTypeA
GetEnvironmentVariableA
GetFileAttributesA
GetFileAttributesExA
GetFileType
GetFullPathNameA
GetLastError
GetLocaleInfoA
GetLongPathNameA
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExA
GetModuleHandleW
GetNumberOfConsoleInputEvents
GetProcAddress
GetProcessAffinityMask
GetProcessTimes
GetStartupInfoA
GetStdHandle
GetSystemDirectoryA
GetSystemInfo
GetSystemTimeAsFileTime
GetTempPathA
GetThreadContext
GetThreadPriority
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalAlloc
GlobalFree
GlobalHandle
GlobalLock
GlobalMemoryStatus
GlobalUnlock
InitializeCriticalSection
InterlockedDecrement
InterlockedIncrement
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryA
LoadLibraryExA
LoadLibraryW
LocalFree
MapViewOfFile
MoveFileExA
MoveFileExW
MultiByteToWideChar
OpenProcess
PeekNamedPipe
QueryPerformanceCounter
QueryPerformanceFrequency
ReadConsoleInputA
ReadFile
ReleaseMutex
ReleaseSemaphore
ResetEvent
ResumeThread
SetConsoleActiveScreenBuffer
SetConsoleCursorInfo
SetConsoleMode
SetConsoleScreenBufferSize
SetConsoleTextAttribute
SetConsoleTitleA
SetConsoleWindowInfo
SetEnvironmentVariableA
SetErrorMode
SetEvent
SetFilePointer
SetLastError
SetProcessAffinityMask
SetThreadAffinityMask
SetThreadContext
SetThreadPriority
SetUnhandledExceptionFilter
Sleep
SuspendThread
TerminateProcess
TerminateThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
UnmapViewOfFile
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WaitNamedPipeW
WideCharToMultiByte
WriteConsoleOutputW
WriteConsoleW
WriteFile
lstrcpyA
lstrcpynA

msvcrt

__dllonexit
__doserrno
__getmainargs
__initenv
__lconv_init
__mb_cur_max
__pioinfo
__set_app_type
__setusermatherr
_acmdln
_aligned_free
_aligned_malloc
_aligned_realloc
_amsg_exit
_beginthreadex
_cexit
_close
_endthreadex
_errno
_exit
_filelengthi64
_fileno
_findclose
_findnext
_fmode
_fstati64
_ftime
_ftime64
_fullpath
_get_osfhandle
_getch
_initterm
_iob
_lock
_lseeki64
_mbsrchr
_mkdir
_mktemp
_onexit
_open
_rmdir
_setjmp3
_setmode
_snprintf
_snwprintf
_sopen
_stat
_stati64
_vsnprintf
time
mktime
localtime
gmtime
calloc
clock
cosh
div
exit
fclose
feof
ferror
fflush
fgetc
fgetpos
fgets
fopen
fprintf
fputc
fputs
fread
free
frexp
fscanf
fseek
fsetpos
ftell
fwprintf
fwrite
getc
getchar
getenv
gmtime
isalnum
isalpha
islower
isprint
isspace
isupper
isxdigit
localeconv
localtime
log10
malloc
memchr
memcmp
memcpy
memmove
memset
perror
printf
putc
putchar
puts
qsort
raise
rand
realloc
rename
rewind
setlocale
setvbuf
signal
sinh
sprintf
srand
sscanf
strcat
strchr
strcmp
strcpy
strcspn
strerror
strftime
strlen
strncat
strncmp
strncpy
strpbrk
strrchr
strspn
strstr
strtok
strtol
strtoul
_strdup
_stricmp
_strnicmp
_unlink
_unlock
_wfopen
_wmkdir
_wrename
_write
_wrmdir
_wsopen
_wstati64
_wunlink
abort
acos
asin
atan
atan2
atof
atoi
atol
tan
tanh
time
tolower
toupper
ungetc
vfprintf
vsprintf
wcscmp
wcscpy
wcslen
wcsstr
bsearch
_wfindnext
_wfindfirst
_findfirst
longjmp
_hypot
_write
_wcsdup
_unlink
_tempnam
_strdup
_setmode
_rmdir
_read
_putenv
_open
_kbhit
_isatty
_getpid
_getch
_fileno
_fdopen
_close
_chmod
_access

ole32

CoCreateInstance
CoGetMalloc
CoInitialize
CoTaskMemAlloc
CoTaskMemFree
CoUninitialize
CreateBindCtx

oleaut32

OleCreatePropertyFrame
SysFreeString

psapi

GetProcessMemoryInfo

shell32

CommandLineToArgvW

user32

AdjustWindowRect
AdjustWindowRectEx
BeginPaint
CallWindowProcA
ChangeDisplaySettingsA
ClientToScreen
ClipCursor
CopyIcon
CreateCursor
CreateIconFromResourceEx
CreateWindowExA
DefWindowProcA
DestroyCursor
DestroyIcon
DestroyWindow
DispatchMessageA
DrawIcon
EndPaint
EnumDisplaySettingsA
FindWindowA
FrameRect
GetClassInfoA
GetClientRect
GetCursor
GetCursorInfo
GetCursorPos
GetDC
GetDesktopWindow
GetForegroundWindow
GetIconInfo
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardState
GetMenu
GetMessageA
GetParent
GetProcessWindowStation
GetShellWindow
GetSystemMetrics
GetUserObjectInformationW
GetWindowLongA
GetWindowRect
InvalidateRect
IsZoomed
KillTimer
LoadCursorA
LoadImageA
LoadKeyboardLayoutA
MapVirtualKeyA
MapVirtualKeyExA
MapWindowPoints
MessageBoxA
MessageBoxW
MsgWaitForMultipleObjects
PeekMessageA
PostMessageA
PostQuitMessage
PtInRect
RegisterClassA
ReleaseCapture
ReleaseDC
ScreenToClient
SendMessageA
SetCapture
SetClassLongA
SetCursor
SetCursorPos
SetFocus
SetForegroundWindow
SetTimer
SetWindowLongA
SetWindowPos
SetWindowRgn
SetWindowTextA
ShowWindow
ToAsciiEx
ToUnicode
TranslateMessage
UnregisterClassA
WindowFromPoint
wsprintfA

winmm

joyGetDevCapsA
joyGetNumDevs
joyGetPosEx
mciGetErrorStringA
mciSendCommandA
timeBeginPeriod
timeEndPeriod
timeGetTime
timeKillEvent
timeSetEvent
waveOutClose
waveOutGetErrorTextA
waveOutOpen
waveOutPrepareHeader
waveOutUnprepareHeader
waveOutWrite

ws2_32

WSACleanup
WSAEnumNetworkEvents
WSAGetLastError
WSASetLastError
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
gethostbyname
gethostname
getnameinfo
getpeername
getsockname
getsockopt
htonl
htons
inet_addr
ioctlsocket
listen
ntohl
ntohs
recv
recvfrom
select
send
sendto
setsockopt
shutdown
socket

Sections

.text
Size: 22.0MB - Virtual size: 22.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rotext
Size: 109KB - Virtual size: 109KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 302KB - Virtual size: 301KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 6.9MB - Virtual size: 6.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rodata
Size: 69KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 8.2MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Plugins/sqlite3.dll
.dll windows:4 windows x86 arch:x86

Password: 123

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Exports

Exports

sqlite3_aggregate_context
sqlite3_aggregate_count
sqlite3_auto_extension
sqlite3_bind_blob
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_null
sqlite3_bind_parameter_count
sqlite3_bind_parameter_index
sqlite3_bind_parameter_name
sqlite3_bind_text
sqlite3_bind_text16
sqlite3_bind_value
sqlite3_bind_zeroblob
sqlite3_blob_bytes
sqlite3_blob_close
sqlite3_blob_open
sqlite3_blob_read
sqlite3_blob_write
sqlite3_busy_handler
sqlite3_busy_timeout
sqlite3_changes
sqlite3_clear_bindings
sqlite3_close
sqlite3_collation_needed
sqlite3_collation_needed16
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_bytes16
sqlite3_column_count
sqlite3_column_decltype
sqlite3_column_decltype16
sqlite3_column_double
sqlite3_column_int
sqlite3_column_int64
sqlite3_column_name
sqlite3_column_name16
sqlite3_column_text
sqlite3_column_text16
sqlite3_column_type
sqlite3_column_value
sqlite3_commit_hook
sqlite3_complete
sqlite3_complete16
sqlite3_context_db_handle
sqlite3_create_collation
sqlite3_create_collation16
sqlite3_create_collation_v2
sqlite3_create_function
sqlite3_create_function16
sqlite3_create_module
sqlite3_create_module_v2
sqlite3_data_count
sqlite3_db_handle
sqlite3_declare_vtab
sqlite3_enable_load_extension
sqlite3_enable_shared_cache
sqlite3_errcode
sqlite3_errmsg
sqlite3_errmsg16
sqlite3_exec
sqlite3_expired
sqlite3_extended_result_codes
sqlite3_file_control
sqlite3_finalize
sqlite3_free
sqlite3_free_table
sqlite3_get_autocommit
sqlite3_get_auxdata
sqlite3_get_table
sqlite3_global_recover
sqlite3_interrupt
sqlite3_last_insert_rowid
sqlite3_libversion
sqlite3_libversion_number
sqlite3_limit
sqlite3_load_extension
sqlite3_malloc
sqlite3_memory_alarm
sqlite3_memory_highwater
sqlite3_memory_used
sqlite3_mprintf
sqlite3_mutex_alloc
sqlite3_mutex_enter
sqlite3_mutex_free
sqlite3_mutex_held
sqlite3_mutex_leave
sqlite3_mutex_notheld
sqlite3_mutex_try
sqlite3_open
sqlite3_open16
sqlite3_open_v2
sqlite3_overload_function
sqlite3_prepare
sqlite3_prepare16
sqlite3_prepare16_v2
sqlite3_prepare_v2
sqlite3_profile
sqlite3_progress_handler
sqlite3_randomness
sqlite3_realloc
sqlite3_release_memory
sqlite3_reset
sqlite3_reset_auto_extension
sqlite3_result_blob
sqlite3_result_double
sqlite3_result_error
sqlite3_result_error16
sqlite3_result_error_code
sqlite3_result_error_nomem
sqlite3_result_error_toobig
sqlite3_result_int
sqlite3_result_int64
sqlite3_result_null
sqlite3_result_text
sqlite3_result_text16
sqlite3_result_text16be
sqlite3_result_text16le
sqlite3_result_value
sqlite3_result_zeroblob
sqlite3_rollback_hook
sqlite3_set_authorizer
sqlite3_set_auxdata
sqlite3_sleep
sqlite3_snprintf
sqlite3_soft_heap_limit
sqlite3_sql
sqlite3_step
sqlite3_test_control
sqlite3_thread_cleanup
sqlite3_threadsafe
sqlite3_total_changes
sqlite3_trace
sqlite3_transfer_bindings
sqlite3_update_hook
sqlite3_user_data
sqlite3_value_blob
sqlite3_value_bytes
sqlite3_value_bytes16
sqlite3_value_double
sqlite3_value_int
sqlite3_value_int64
sqlite3_value_numeric_type
sqlite3_value_text
sqlite3_value_text16
sqlite3_value_text16be
sqlite3_value_text16le
sqlite3_value_type
sqlite3_version
sqlite3_vfs_find
sqlite3_vfs_register
sqlite3_vfs_unregister
sqlite3_vmprintf

Sections

UPX0
Size: - Virtual size: 180KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 165KB - Virtual size: 168KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX2
Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.dll windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.text
Size: 268KB - Virtual size: 267KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: 123

Password: 123

a05575a4ef06bc557b834a488509da27

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

avicap32

crypt32

gdi32

kernel32

msvcrt

ole32

oleaut32

psapi

shell32

user32

winmm

ws2_32

Sections

.text Size: 22.0MB - Virtual size: 22.0MB

.rotext Size: 109KB - Virtual size: 109KB

.data Size: 302KB - Virtual size: 301KB

.rdata Size: 6.9MB - Virtual size: 6.9MB

.rodata Size: 69KB - Virtual size: 69KB

.bss Size: - Virtual size: 8.2MB

.idata Size: 14KB - Virtual size: 13KB

.CRT Size: 512B - Virtual size: 52B

.tls Size: 512B - Virtual size: 32B

Password: 123

Headers

File Characteristics

Exports

Exports

Sections

UPX0 Size: - Virtual size: 180KB

UPX1 Size: 165KB - Virtual size: 168KB

UPX2 Size: 5KB - Virtual size: 8KB

Headers

File Characteristics

Sections

.text Size: 268KB - Virtual size: 267KB

.rdata Size: 24KB - Virtual size: 20KB

.data Size: 28KB - Virtual size: 28KB

.reloc Size: 12KB - Virtual size: 8KB

.text
Size: 22.0MB - Virtual size: 22.0MB

.rotext
Size: 109KB - Virtual size: 109KB

.data
Size: 302KB - Virtual size: 301KB

.rdata
Size: 6.9MB - Virtual size: 6.9MB

.rodata
Size: 69KB - Virtual size: 69KB

.bss
Size: - Virtual size: 8.2MB

.idata
Size: 14KB - Virtual size: 13KB

.CRT
Size: 512B - Virtual size: 52B

.tls
Size: 512B - Virtual size: 32B

UPX0
Size: - Virtual size: 180KB

UPX1
Size: 165KB - Virtual size: 168KB

UPX2
Size: 5KB - Virtual size: 8KB

.text
Size: 268KB - Virtual size: 267KB

.rdata
Size: 24KB - Virtual size: 20KB

.data
Size: 28KB - Virtual size: 28KB

.reloc
Size: 12KB - Virtual size: 8KB