Win32[.]Avatar[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Win32.Avatar.zip
Size

118KB
MD5

b26a58fe73560793831182e0beb94103
SHA1

7d05d9a807e4e8fbe64c917614af2cd7d821ff33
SHA256

38eb90d78a838741cc719e9bc967e735b59264ea31b1abf5cede92f9175114cc
SHA512

79c3846f8995c3561b013c48a644107c88a431f56681e138ef675165e5e3f4b3efc72a4b7afd2ca98e6fcf43762d26ec16a4f688ea72e8a164ad017449ad4937
SSDEEP

3072:mVOyqkbaFFeHGxRfgNsdjXWDKZ5pZ3D+8+DN:mkLFAHIfgNsdTWDKZR3DHA

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Avatar_Rootkit_NETbotnet_32d6644c5ea66e390070d3dc3401e54b_unpacked

Files

Win32.Avatar.zip
.zip

Password: infected
Avatar_Rootkit_NETbotnet_32d6644c5ea66e390070d3dc3401e54b_unpacked
.exe windows:5 windows x86 arch:x86

e119b107e7442814a9853c4b22677273

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LocalAlloc
LocalFree
RtlUnwind
LoadLibraryA
GetModuleHandleA
CloseHandle
ReadFile
GetFileSize
CreateFileW
GetEnvironmentVariableA
lstrcatA
lstrcpyA
GetShortPathNameA
GetModuleFileNameA
InterlockedExchange
WaitForSingleObject
CreateEventA
GetModuleFileNameW
VirtualProtect
IsWow64Process
GetCurrentProcess
HeapCreate
HeapFree
HeapAlloc

ntdll

_snwprintf
_wcslwr
memset
NtTerminateProcess
sprintf
RtlCompareMemory
NtQueryVirtualMemory
NtProtectVirtualMemory
wcsstr
wcsrchr
strrchr
memcpy

rpcrt4

UuidToStringA
RpcStringFreeA

shell32

ShellExecuteA

Sections

.text
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 108KB - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 706B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ