2024-09-09_faf20b0e55217223a133abf6c80077d8_megazord

Sharing

Copy URL Twitter E-mail

General

Target

2024-09-09_faf20b0e55217223a133abf6c80077d8_megazord
Size

17.5MB
MD5

faf20b0e55217223a133abf6c80077d8
SHA1

a2c2462dee3c5a1808d88ae7dd4769f594b9cb1f
SHA256

699476940fb3a3424f8516a388e12498400bb7a6e5a1f10a148b7015820ecd94
SHA512

14d2ff56da21956aabb5e7b0ed3b0ef866bd6f896f45abbbba3b8f32149621883949a2c3403482bb24ae71cb6fa016b2a6318f381edf318c33946e81a1278f54
SSDEEP

196608:KvYgzGIAVKBzypgtHqOFKdX8+OQABNhZSc3dAZB1Rf311:K1UKBzyStHqOUp8bBPZSoAZB1t11

Score

8^/10

Malware Config

Signatures

Patched UPX-packed file 1 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

resource	yara_rule
sample	patched_upx

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-09-09_faf20b0e55217223a133abf6c80077d8_megazord

Files

2024-09-09_faf20b0e55217223a133abf6c80077d8_megazord
.exe windows:5 windows x64 arch:x64

49821bccba3c7c51b567d4e08f50b117

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-RC-JOB1\sh5\builds\Release-x64\ShKernel.pdb

Imports

ws2_32

shutdown
WSAWaitForMultipleEvents
WSAEventSelect
WSACleanup
WSAResetEvent
WSAEnumNetworkEvents
getnameinfo
gethostname
htonl
WSAStartup
freeaddrinfo
accept
listen
recvfrom
sendto
ioctlsocket
__WSAFDIsSet
select
bind
WSAIoctl
closesocket
WSASetLastError
getpeername
getsockname
socket
ntohs
WSACreateEvent
WSACloseEvent
WSAAddressToStringW
WSAGetLastError
getaddrinfo
connect
recv
WSCDeinstallProvider
send
setsockopt
htons
getsockopt
WSAEnumProtocolsW

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

gdiplus

GdipDisposeImage
GdipCreateBitmapFromScan0
GdiplusShutdown
GdiplusStartup
GdipCloneImage
GdipCreateBitmapFromHICON
GdipBitmapUnlockBits
GdipBitmapLockBits
GdipDrawImageRectRectI
GdipFillRectangleI
GdipAlloc
GdipGetImageWidth
GdipGetImageHeight
GdipCreateImageAttributes
GdipDisposeImageAttributes
GdipSetImageAttributesColorMatrix
GdipGetImageGraphicsContext
GdipDeleteGraphics
GdipFree
GdipDeleteBrush
GdipCreateSolidFill

user32

DestroyIcon
CharToOemA
OemToCharBuffA
CharUpperW
CharLowerW
CreateIconFromResourceEx
GetProcessWindowStation
GetUserObjectInformationW
MessageBoxW
wsprintfW
ExitWindowsEx
GetSystemMetrics
IsCharAlphaNumericA
BroadcastSystemMessageW
LoadStringW
OemToCharA

kernel32

LoadLibraryExW
MultiByteToWideChar
GetVolumeInformationW
GetLongPathNameW
SetErrorMode
DeviceIoControl
FileTimeToSystemTime
lstrcpyW
GetModuleFileNameW
SetLastError
GetUserDefaultLangID
GetFileAttributesExW
FileTimeToLocalFileTime
GetFileSize
SearchPathW
GetSystemDirectoryW
GetModuleHandleW
SleepEx
VerSetConditionMask
VerifyVersionInfoW
GetEnvironmentVariableA
ReadFile
GetStdHandle
PeekNamedPipe
GetFileType
GetSystemTimeAsFileTime
GetEnvironmentVariableW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
RtlVirtualUnwind
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleExW
SwitchToFiber
DeleteFiber
CreateFiber
ConvertFiberToThread
ConvertThreadToFiber
LoadLibraryA
GetTimeFormatW
GetDateFormatW
GetLocalTime
SystemTimeToTzSpecificLocalTime
CreateTimerQueue
DeleteTimerQueueEx
lstrlenW
GetUserDefaultLCID
GetStringTypeExW
LCMapStringW
lstrcmpW
GetSystemWow64DirectoryW
GetFullPathNameW
CopyFileW
lstrcmpiW
GetNativeSystemInfo
LocalAlloc
ProcessIdToSessionId
GetComputerNameW
GetVersionExW
CreatePipe
SetHandleInformation
GetExitCodeProcess
HeapReAlloc
GetCurrentThread
GetModuleHandleA
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
RtlCaptureContext
RemoveVectoredExceptionHandler
SetUnhandledExceptionFilter
AddVectoredExceptionHandler
IsBadReadPtr
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
SetFilePointer
K32EnumProcesses
CreateToolhelp32Snapshot
Thread32First
Thread32Next
GetProcessHandleCount
QueryDosDeviceW
K32GetProcessImageFileNameW
QueryFullProcessImageNameW
Module32FirstW
OpenThread
FindResourceW
SizeofResource
LoadResource
LockResource
FreeResource
EnumResourceNamesW
GetLocaleInfoW
Process32FirstW
Process32NextW
Module32NextW
FindFirstVolumeW
GetVolumePathNamesForVolumeNameW
FindNextVolumeW
FindVolumeClose
K32EnumProcessModules
GetDiskFreeSpaceW
SetFilePointerEx
MoveFileA
GetFileAttributesExA
FindFirstFileA
ReplaceFileA
FindNextFileA
LockFile
GetTempPathA
GetFileAttributesA
CreateFileA
DeleteFileA
UnlockFile
CreateFileMappingA
RemoveDirectoryA
CreateDirectoryA
GetTimeZoneInformation
TzSpecificLocalTimeToSystemTime
GetFileTime
GetTempPathW
SwitchToThread
GetQueuedCompletionStatus
PostQueuedCompletionStatus
CreateIoCompletionPort
ResumeThread
WTSGetActiveConsoleSessionId
DisconnectNamedPipe
MapViewOfFileEx
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
TryEnterCriticalSection
GetStringTypeW
GetExitCodeThread
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableCS
SleepConditionVariableSRW
RtlPcToFileHeader
FreeLibraryWhenCallbackReturns
FindFirstFileW
SubmitThreadpoolWork
CloseThreadpoolWork
WritePrivateProfileStringW
IsProcessorFeaturePresent
InitOnceBeginInitialize
GetProfileStringW
EncodePointer
LCMapStringEx
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
CreateEventExW
CreateSemaphoreExW
FlushProcessWriteBuffers
GetCurrentProcessorNumber
GetTickCount64
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolWait
SetThreadpoolWait
CloseThreadpoolWait
CompareStringEx
GetCPInfo
GetLocaleInfoEx
ResetEvent
OpenEventA
GetLogicalProcessorInformation
CreateWaitableTimerA
RtlLookupFunctionEntry
UnhandledExceptionFilter
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
GetACP
OpenProcess
GetSystemTimes
GetSystemTime
OpenMutexW
SetWaitableTimer
CreateWaitableTimerW
GetSystemPowerStatus
SetThreadExecutionState
GetCurrentProcessId
OutputDebugStringW
TerminateProcess
WaitForMultipleObjects
ConnectNamedPipe
CreateNamedPipeW
K32GetProcessMemoryInfo
ReleaseMutex
CompareFileTime
CreateMutexW
CreateEventW
SetCurrentDirectoryW
GetCurrentThreadId
WaitForSingleObject
LoadLibraryW
GetProcAddress
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DuplicateHandle
MoveFileExW
GetCurrentProcess
DeleteTimerQueueTimer
CreateTimerQueueTimer
DecodePointer
DeleteCriticalSection
InitializeCriticalSectionEx
RaiseException
CreateProcessW
QueryPerformanceFrequency
QueryPerformanceCounter
GetTickCount
GetLastError
SetEvent
CreateEventA
HeapAlloc
HeapFree
GetProcessHeap
WaitForMultipleObjectsEx
Sleep
WaitForSingleObjectEx
CreateSemaphoreA
ReleaseSemaphore
CloseHandle
FormatMessageA
FormatMessageW
LocalFree
WideCharToMultiByte
GetShortPathNameW
IsValidCodePage
EnumSystemLocalesW
IsValidLocale
CompareStringW
GetConsoleOutputCP
GetCommandLineW
GetCommandLineA
ExitProcess
SetConsoleCtrlHandler
GetFileInformationByHandle
ExitThread
RtlUnwindEx
AreFileApisANSI
VirtualFree
VirtualProtect
VirtualAlloc
FreeLibraryAndExitThread
GetThreadTimes
UnregisterWait
SetThreadAffinityMask
GetProcessAffinityMask
GetNumaHighestNodeNumber
ChangeTimerQueueTimer
GetThreadPriority
SetThreadPriority
CreateThread
SignalObjectAndWait
RegisterWaitForSingleObject
UnregisterWaitEx
CreateSemaphoreW
CreateDirectoryW
CompareStringA
FoldStringW
IsDBCSLeadByte
RtlUnwind
QueryDepthSList
InterlockedFlushSList
InterlockedPushEntrySList
InterlockedPopEntrySList
SetEnvironmentVariableW
GetCurrentDirectoryW
SetStdHandle
FindFirstFileExW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEndOfFile
HeapSize
SystemTimeToFileTime
RemoveDirectoryW
GetDiskFreeSpaceExW
DeleteFileW
MoveFileW
SetFileAttributesW
WriteConsoleW
GetLogicalDrives
GetModuleFileNameA
HeapCreate
OutputDebugStringA
GetFullPathNameA
UnlockFileEx
ExpandEnvironmentStringsW
HeapValidate
GetDiskFreeSpaceA
WriteProfileStringW
GetFileAttributesW
WriteFile
GetFileSizeEx
BackupSeek
GetPrivateProfileStringW
FindClose
InitOnceComplete
FindNextFileW
BackupRead
FlushFileBuffers
CreateFileW
GetDriveTypeW
GetLogicalDriveStringsW
GlobalMemoryStatusEx
GetSystemInfo
FreeLibrary
GetProcessTimes
K32GetModuleFileNameExW
CreateThreadpoolWork
GetWindowsDirectoryW
CreateHardLinkW
ReadProcessMemory
VirtualQueryEx
SetFileTime
LocalFileTimeToFileTime
DosDateTimeToFileTime
SetVolumeMountPointW
GetVolumeNameForVolumeMountPointW
DefineDosDeviceW
DeleteVolumeMountPointW
GetLocaleInfoA
VirtualLock
VirtualUnlock
LockFileEx
HeapDestroy
HeapCompact
FlushViewOfFile
GetPriorityClass
GetOEMCP

advapi32

RegFlushKey
CryptGenRandom
RegOpenKeyW
RegUnLoadKeyW
RegLoadKeyW
IsTextUnicode
RegReplaceKeyW
RegSaveKeyW
GetNumberOfEventLogRecords
ClearEventLogW
ChangeServiceConfigW
DecryptFileW
FileEncryptionStatusW
EnumServicesStatusExW
CreateServiceW
StartServiceW
ChangeServiceConfig2W
DeleteAce
GetAce
CreateProcessAsUserW
DuplicateTokenEx
ImpersonateLoggedOnUser
RevertToSelf
ReadEventLogW
OpenEventLogW
CloseEventLog
RegSaveKeyExW
RegSetKeySecurity
ControlService
QueryServiceStatusEx
IsValidSecurityDescriptor
SetSecurityDescriptorOwner
SetSecurityDescriptorDacl
AddAccessAllowedAce
GetLengthSid
InitializeSecurityDescriptor
AllocateAndInitializeSid
OpenThreadToken
FreeSid
CheckTokenMembership
AdjustTokenPrivileges
LookupPrivilegeValueW
GetTokenInformation
SetNamedSecurityInfoW
SetEntriesInAclW
InitializeAcl
GetExplicitEntriesFromAclW
GetNamedSecurityInfoW
GetUserNameW
ConvertSidToStringSidW
LookupAccountNameW
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptReleaseContext
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
RegQueryInfoKeyW
RegDeleteKeyW
QueryServiceConfigW
EnumServicesStatusW
CloseServiceHandle
DeleteService
OpenServiceW
OpenSCManagerW
RegEnumKeyExW
SetFileSecurityW
RegEnumValueW
RegDeleteValueW
RegSetValueExW
RegCreateKeyExW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegisterServiceCtrlHandlerExW
SetServiceStatus
StartServiceCtrlDispatcherW
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenProcessToken

ole32

CoUninitialize
CoInitializeEx
CoTaskMemFree
CoCreateInstance
CoInitializeSecurity
StringFromCLSID
CreateStreamOnHGlobal
CreateILockBytesOnHGlobal
StgIsStorageILockBytes
StgOpenStorageOnILockBytes

shell32

SHParseDisplayName
SHOpenFolderAndSelectItems
SHGetSpecialFolderPathW
SHChangeNotify
SHFileOperationW

oleaut32

SysStringLen
SysFreeString
VariantInit
VariantClear
VariantChangeType
SysAllocString

shlwapi

PathFileExistsW
SHDeleteKeyW
SHCopyKeyW
ord1
StrCmpNIW

mpr

WNetGetConnectionW

bcrypt

BCryptGenRandom

setupapi

SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceDetailW
SetupDiDestroyDeviceInfoList
SetupDiGetClassDevsW

crypt32

CertDuplicateCertificateContext
CertGetCertificateContextProperty
CertFindCertificateInStore
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertOpenSystemStoreW
CertFreeCertificateContext
CryptMsgClose
CertGetIntendedKeyUsage
CertGetEnhancedKeyUsage

wininet

InternetSetOptionW

iphlpapi

GetAdaptersAddresses

wtsapi32

WTSFreeMemory
WTSEnumerateSessionsW
WTSQueryUserToken

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

authz

AuthzAccessCheck
AuthzFreeResourceManager
AuthzInitializeContextFromSid
AuthzInitializeResourceManager
AuthzFreeContext

pdh

PdhGetFormattedCounterValue
PdhGetRawCounterValue
PdhCollectQueryData
PdhAddCounterW
PdhOpenQueryW
PdhLookupPerfNameByIndexW
PdhCloseQuery

powrprof

SetSuspendState
CallNtPowerInformation

cabinet

ord22
ord23
ord20

Sections

.text
Size: 12.5MB - Virtual size: 12.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 515KB - Virtual size: 692KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 517KB - Virtual size: 517KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 181KB - Virtual size: 180KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 644KB - Virtual size: 648KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

49821bccba3c7c51b567d4e08f50b117

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ws2_32

version

gdiplus

user32

kernel32

advapi32

ole32

shell32

oleaut32

shlwapi

mpr

bcrypt

setupapi

crypt32

wininet

iphlpapi

wtsapi32

userenv

authz

pdh

powrprof

cabinet

Sections

.text Size: 12.5MB - Virtual size: 12.5MB

.rdata Size: 3.2MB - Virtual size: 3.2MB

.data Size: 515KB - Virtual size: 692KB

.pdata Size: 517KB - Virtual size: 517KB

_RDATA Size: 512B - Virtual size: 244B

.rsrc Size: 181KB - Virtual size: 180KB

.reloc Size: 644KB - Virtual size: 648KB

.text
Size: 12.5MB - Virtual size: 12.5MB

.rdata
Size: 3.2MB - Virtual size: 3.2MB

.data
Size: 515KB - Virtual size: 692KB

.pdata
Size: 517KB - Virtual size: 517KB

_RDATA
Size: 512B - Virtual size: 244B

.rsrc
Size: 181KB - Virtual size: 180KB

.reloc
Size: 644KB - Virtual size: 648KB