Gembel[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Gembel.zip
Size

1.8MB
MD5

b1ae69b25534dc2b1d45b36e9b2900de
SHA1

11bb617b65f531da8921823e15312b4f97d5a1bf
SHA256

2c857e4bcaa869d91edb45c0f376fc05da658d17b331081fd205dfb9673756ad
SHA512

0f5c22ac8c979540c90f438269728d93d2f1601f2d3a5fed5e7baa429bf3b835ba92b0ef47d49cf0c80457b7567ee0df6c1d49896a6fcd57358a69a4a5a32b37
SSDEEP

49152:5jNZHLjDRnayQGoYTvtZ6nKy0fX4kmgnC3nN+V0XhPGA6jL+19zBTbe:9NZr3Rn1QrYSK5/tXkNK0XhPj6v+19ZK

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/UPDATE ZEPO.exe
unpack001/msvcf100.exe

Files

Gembel.zip
.zip
UPDATE ZEPO.exe
.exe windows:4 windows x86 arch:x86

61e48f6654316aea72f8f748f2cff05c

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

__vbaVarSub
__vbaStrI2
_CIcos
_adj_fptan
__vbaVarMove
__vbaAryMove
__vbaFreeVar
__vbaLenBstr
__vbaStrVarMove
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaFreeObjList
ord516
_adj_fprem1
__vbaRecAnsiToUni
ord519
__vbaCopyBytes
__vbaStrCat
ord552
ord553
__vbaLsetFixstr
__vbaRecDestruct
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
ord593
ord594
__vbaI4Abs
ord595
__vbaObjSet
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
ord598
__vbaFpR4
ord520
__vbaStrFixstr
_CIsin
__vbaErase
ord632
__vbaChkstk
__vbaFileClose
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaStrCmp
ord529
__vbaVarTstEq
__vbaPutOwner3
DllFunctionCall
__vbaLbound
_adj_fpatan
__vbaFixstrConstruct
__vbaRedim
__vbaRecUniToAnsi
EVENT_SINK_Release
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaUI1I4
__vbaStr2Vec
__vbaExceptHandler
__vbaStrToUnicode
__vbaDateStr
_adj_fprem
_adj_fdivr_m64
ord608
__vbaFPException
__vbaUbound
__vbaStrVarVal
__vbaVarCat
ord535
__vbaI2Var
ord644
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaR8Str
__vbaVar2Vec
ord648
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
ord681
__vbaFreeStrList
ord576
_adj_fdivr_m32
_adj_fdiv_r
ord685
ord100
ord610
ord612
__vbaStrComp
__vbaStrToAnsi
__vbaVarDup
__vbaFpI4
__vbaVarCopy
ord617
__vbaRecDestructAnsi
__vbaR8IntI2
_CIatan
__vbaStrMove
ord619
__vbaR8IntI4
__vbaStrVarCopy
ord542
ord543
ord650
_allmul
ord545
_CItan
ord547
__vbaUI1Var
__vbaFPInt
_CIexp
__vbaFreeObj
__vbaFreeStr

Sections

.text
Size: 36KB - Virtual size: 32KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4.6MB - Virtual size: 4.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
msvcf100.exe
.exe windows:5 windows x86 arch:x86

72a6202bb40b60327319bb4e20b1c86a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\AFI\Documents\Visual Studio 2010\Projects\Free\Release\Token.pdb

Imports

kernel32

CloseHandle
ExitProcess
GetFullPathNameA
Process32First
OpenProcess
Sleep
GetProcAddress
VirtualAllocEx
Process32Next
GetModuleHandleA
CreateToolhelp32Snapshot
WriteProcessMemory
WaitForSingleObject
SetConsoleScreenBufferSize
GetConsoleWindow
TerminateProcess
SetConsoleTitleA
GetConsoleScreenBufferInfo
GetTempPathA
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
HeapSetInformation
InterlockedCompareExchange
GetLastError
GetCurrentProcess
InterlockedExchange
DecodePointer
GetStdHandle
EncodePointer

user32

GetSystemMetrics
SetWindowPos
GetWindowLongA
SetWindowLongA

msvcp100

?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z
??_7?$basic_ostream@DU?$char_traits@D@std@@@std@@6B@
?_BADOFF@std@@3_JB
?_Xout_of_range@std@@YAXPBD@Z
??1_Lockit@std@@QAE@XZ
??0_Lockit@std@@QAE@H@Z
?_Xlength_error@std@@YAXPBD@Z
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
?id@?$codecvt@DDH@std@@2V0locale@2@A
?_Getcat@?$codecvt@DDH@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
?unshift@?$codecvt@DDH@std@@QBEHAAHPAD1AAPAD@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z
?out@?$codecvt@DDH@std@@QBEHAAHPBD1AAPBDPAD3AAPAD@Z
?in@?$codecvt@DDH@std@@QBEHAAHPBD1AAPBDPAD3AAPAD@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
?always_noconv@codecvt_base@std@@QBE_NXZ
?_Decref@facet@locale@std@@QAEPAV123@XZ
?_Incref@facet@locale@std@@QAEXXZ
??Bid@locale@std@@QAEIXZ
?uncaught_exception@std@@YA_NXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z

msvcr100

system
fputc
??1bad_cast@std@@UAE@XZ
??0bad_cast@std@@QAE@PBD@Z
??0bad_cast@std@@QAE@ABV01@@Z
?what@exception@std@@UBEPBDXZ
??1exception@std@@UAE@XZ
??0exception@std@@QAE@ABQBD@Z
??0exception@std@@QAE@ABV01@@Z
memmove
_unlock_file
ungetc
fgetpos
memchr
_fseeki64
fflush
fgetc
fsetpos
setvbuf
_lock_file
srand
??3@YAXPAX@Z
memcpy_s
fwrite
fclose
_time64
exit
??2@YAPAXI@Z
__CxxFrameHandler3
_unlock
__dllonexit
_lock
_onexit
_amsg_exit
__getmainargs
_cexit
_exit
_XcptFilter
__initenv
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_commode
_fmode
__set_app_type
_crt_debugger_hook
_except_handler4_common
?terminate@@YAXXZ
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_invoke_watson
_controlfp_s
memcpy
memset
_CxxThrowException

Sections

.text
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 448B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

61e48f6654316aea72f8f748f2cff05c

Headers

File Characteristics

Imports

msvbvm60

Sections

.text Size: 36KB - Virtual size: 32KB

.data Size: 4KB - Virtual size: 7KB

.rsrc Size: 4.6MB - Virtual size: 4.6MB

72a6202bb40b60327319bb4e20b1c86a

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

msvcp100

msvcr100

Sections

.text Size: 15KB - Virtual size: 15KB

.rdata Size: 8KB - Virtual size: 8KB

.data Size: 1024B - Virtual size: 13KB

.rsrc Size: 512B - Virtual size: 448B

.reloc Size: 3KB - Virtual size: 2KB

.text
Size: 36KB - Virtual size: 32KB

.data
Size: 4KB - Virtual size: 7KB

.rsrc
Size: 4.6MB - Virtual size: 4.6MB

.text
Size: 15KB - Virtual size: 15KB

.rdata
Size: 8KB - Virtual size: 8KB

.data
Size: 1024B - Virtual size: 13KB

.rsrc
Size: 512B - Virtual size: 448B

.reloc
Size: 3KB - Virtual size: 2KB