General

  • Target

    winhex.zip

  • Size

    3.9MB

  • MD5

    ca16785ad538f1b64db604a962420724

  • SHA1

    3268857c38dd0bdf9ccec934d2d0f4b7ea87ae12

  • SHA256

    09767af85ac0de77db770fc1a7539b5537be04adc1465584b493b315d58a496c

  • SHA512

    94f87c734a575250e656ec4abefa3de5610920f27837dc0f28243c6d8af5844aec5334843015c5f4094c4c62897aa75742969cb4a29a60b410b25a8d4f00da7b

  • SSDEEP

    98304:uxRoxyN9GJHR4M7/qv+/4NNXD6OwrHVKj:udYJHRrWvO4NxD6Ow7Y

Score
6/10

Malware Config

Signatures

  • Malformed or missing cross-reference table in PDF

    Malformed or missing cross-reference tables are often used to evade detection. Treat this hit with care here: no archive member is a PDF by name, and the only file the sandbox typed as .pdf is "File Type Signatures Search.txt", WinHex's header-signature list for file-type searches, which lists magic-byte strings for many formats (very likely including the PDF header). The same content sniffing tags ScopeGuard.h as .js and fuse_opt.h as .vbs, so the type tags in the file list below reflect heuristics on content, not file extensions.

  • Unsigned PE 3 IoCs

    Checks for missing Authenticode signature. A hit means the PE carries no certificate table (data directory 4, IMAGE_DIRECTORY_ENTRY_SECURITY); that is not evidence of tampering on its own, and a PE that does carry one still needs its signature chain verified before it is trusted.

  • NSIS installer 2 IoCs

    Dokan.exe is evidently the Nullsoft (NSIS) installer: the $PLUGINSDIR, $PROGRAMFILES, $PROGRAMFILES64 and $SYSDIR prefixes in the file list are NSIS install-script variables, and $PLUGINSDIR/System.dll is the stock NSIS System plugin. The payload under those prefixes is the Dokan user-mode file system library (dokan.h, dokanctl.exe, mounter.exe, dokan.dll and the mirror sample).
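As an added example (not code from the sandbox report, nor from WinHex or Dokan), the following Python script reproduces the checks behind the three signatures above and the per-file hashes listed below for every member of a ZIP, using only the standard library: MD5/SHA-1/SHA-256, machine type, whether an Authenticode certificate table is present, and whether the NSIS "NullsoftInst" marker sits in the PE overlay. Assumptions: the report's windows:N tag is taken to be the optional header's MajorOperatingSystemVersion (unverified against the sandbox), and the archive, file names and PE images at the bottom are constructed in memory so the script runs offline.

```python
"""Added example: reproduce a sandbox report's per-file facts for a ZIP of PEs,
standard library only. The sample ZIP is constructed from hand-built minimal PEs."""
import hashlib
import io
import struct
import zipfile
from typing import Optional

MACHINE = {0x14C: "x86", 0x8664: "x64", 0x1C0: "arm", 0xAA64: "arm64"}
NSIS_MARKER = b"NullsoftInst"          # present at the start of an NSIS installer's overlay
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # WIN_CERTIFICATE type used by Authenticode


def hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def analyse_pe(data: bytes) -> Optional[dict]:
    """Parse just enough of a PE image to answer the report's questions; None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if opt_size < 96 or opt + opt_size > len(data):
        return None
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    os_major = struct.unpack_from("<H", data, opt + 40)[0]   # same offset in PE32 and PE32+
    dd_base = opt + (112 if pe32plus else 96)                 # first data directory entry
    ndirs = struct.unpack_from("<I", data, dd_base - 4)[0]    # NumberOfRvaAndSizes
    # Directory 4 (SECURITY) holds a raw file offset (not an RVA) to a WIN_CERTIFICATE.
    # A present table only means "signed-looking"; validity needs signtool/WinVerifyTrust.
    cert_type = None
    if ndirs > 4 and dd_base + 40 <= opt + opt_size:
        sec_off, sec_size = struct.unpack_from("<II", data, dd_base + 32)
        if sec_size >= 8 and sec_off + sec_size <= len(data):
            _, _, cert_type = struct.unpack_from("<IHH", data, sec_off)
    # Overlay = bytes past the last section's raw data; NSIS stores its archive there.
    overlay = 0
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        if hdr + 40 > len(data):
            break
        raw_size, raw_off = struct.unpack_from("<II", data, hdr + 16)
        overlay = max(overlay, raw_off + raw_size)
    return {
        "arch": MACHINE.get(machine, hex(machine)),
        "os_major": os_major,
        "pe32plus": pe32plus,
        "has_authenticode": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "nsis": NSIS_MARKER in data[overlay:],
    }


def triage_zip(zip_bytes: bytes) -> dict:
    """Map each archive member to its hashes plus PE facts (None for non-PE members)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            out[info.filename] = {"size": len(data), **hashes(data), "pe": analyse_pe(data)}
    return out


def build_test_pe(*, pe32plus: bool, os_major: int, signed: bool, nsis: bool) -> bytes:
    """Constructed, non-runnable PE: headers, one 0x200-byte section, then an overlay
    holding an optional NSIS marker and an optional placeholder WIN_CERTIFICATE."""
    opt_size = 240 if pe32plus else 224
    raw_off = raw_size = 0x200
    nsis_blob = (b"\xef\xbe\xad\xde" + NSIS_MARKER) if nsis else b""
    fake_der = b"\x30\x0e" + b"\xaa" * 14           # placeholder bytes, not a real PKCS#7 blob
    cert = (struct.pack("<IHH", 8 + len(fake_der), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
            + fake_der) if signed else b""
    cert_off = raw_off + raw_size + len(nsis_blob)

    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 40, os_major)
    dd_base = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd_base - 4, 16)                # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, dd_base + 32, cert_off, len(cert))
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_off,
                                           0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(raw_off, b"\0") + b"\xc3" * raw_size + nsis_blob + cert


def build_sample_zip() -> bytes:
    """Constructed stand-in archive: an NSIS-style x86 installer, a signed x64 tool, a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("installer.exe", build_test_pe(pe32plus=False, os_major=4, signed=False, nsis=True))
        zf.writestr("tool64.exe", build_test_pe(pe32plus=True, os_major=6, signed=True, nsis=False))
        zf.writestr("readme.txt", b"hello\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, facts in triage_zip(build_sample_zip()).items():
        print(name, facts)
```

Point triage_zip at the bytes of a real archive to compare its output against the report's hash and type lines; members whose "has_authenticode" is False are what the Unsigned PE signature counts, and a True value is only a prompt to run a real chain verification (signtool verify or Get-AuthenticodeSignature), never a trust decision by itself.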

Files

  • winhex.zip
    .zip
  • Boot Sector FAT.tpl
  • Boot Sector FAT32.tpl
  • Boot Sector NTFS.tpl
  • Chinese.txt
  • Dokan.exe
    .exe windows:4 windows x86 arch:x86
    MD5: e160ef8e55bb9d162da4e266afd9eef3
    Report sections: Code Sign, Headers, Imports, Sections

  • $PLUGINSDIR/System.dll
    .dll windows:4 windows x86 arch:x86
    MD5: 8c8a576201f68de1a3f26fc723b9f30f
    Report sections: Headers, Imports, Exports, Sections

  • $PROGRAMFILES/Dokan/DokanLibrary/README.url
    .url
  • $PROGRAMFILES/Dokan/DokanLibrary/dokan.h
  • $PROGRAMFILES/Dokan/DokanLibrary/dokan.lib
  • $PROGRAMFILES/Dokan/DokanLibrary/dokanctl.exe
    .exe windows:6 windows x86 arch:x86
    MD5: f483a4733817eb37a9a3ee4f716a6885
    Report sections: Code Sign, Headers, Imports, Sections

  • $PROGRAMFILES/Dokan/DokanLibrary/dokanfuse.lib
  • $PROGRAMFILES/Dokan/DokanLibrary/include/fuse/ScopeGuard.h
    .js
  • $PROGRAMFILES/Dokan/DokanLibrary/include/fuse/docanfuse.h
  • $PROGRAMFILES/Dokan/DokanLibrary/include/fuse/fuse.h
  • $PROGRAMFILES/Dokan/DokanLibrary/include/fuse/fuse_common.h
  • $PROGRAMFILES/Dokan/DokanLibrary/include/fuse/fuse_opt.h
    .vbs
  • $PROGRAMFILES/Dokan/DokanLibrary/include/fuse/fuse_sem_fix.h
  • $PROGRAMFILES/Dokan/DokanLibrary/include/fuse/fuse_win.h
  • $PROGRAMFILES/Dokan/DokanLibrary/include/fuse/fusemain.h
  • $PROGRAMFILES/Dokan/DokanLibrary/include/fuse/utils.h
  • $PROGRAMFILES/Dokan/DokanLibrary/license.gpl.txt
  • $PROGRAMFILES/Dokan/DokanLibrary/license.lgpl.txt
  • $PROGRAMFILES/Dokan/DokanLibrary/license.mit.txt
  • $PROGRAMFILES/Dokan/DokanLibrary/mounter.exe
    .exe windows:6 windows x86 arch:x86
    MD5: ca474f8e57bfad02d6bbe9c5347d8e2f
    Report sections: Code Sign, Headers, Imports, Sections

  • $PROGRAMFILES/Dokan/DokanLibrary/sample/mirror/dokan_mirror.vcxproj
  • $PROGRAMFILES/Dokan/DokanLibrary/sample/mirror/mirror.c
  • $PROGRAMFILES/Dokan/DokanLibrary/sample/mirror/mirror.exe
    .exe windows:6 windows x86 arch:x86
    MD5: 63492adc2951a490c302fff42d8ad9f7
    Report sections: Code Sign, Headers, Imports, Sections

  • $PROGRAMFILES64/Dokan/DokanLibrary/README.url
    .url
  • $PROGRAMFILES64/Dokan/DokanLibrary/dokan.h
  • $PROGRAMFILES64/Dokan/DokanLibrary/dokan.lib
  • $PROGRAMFILES64/Dokan/DokanLibrary/dokanctl.exe
    .exe windows:6 windows x64 arch:x64
    MD5: c1e38f50522c9a994c9638a5ebb2529d
    Report sections: Code Sign, Headers, Imports, Sections

  • $PROGRAMFILES64/Dokan/DokanLibrary/dokanfuse.lib
  • $PROGRAMFILES64/Dokan/DokanLibrary/include/fuse/ScopeGuard.h
    .js
  • $PROGRAMFILES64/Dokan/DokanLibrary/include/fuse/docanfuse.h
  • $PROGRAMFILES64/Dokan/DokanLibrary/include/fuse/fuse.h
  • $PROGRAMFILES64/Dokan/DokanLibrary/include/fuse/fuse_common.h
  • $PROGRAMFILES64/Dokan/DokanLibrary/include/fuse/fuse_opt.h
    .vbs
  • $PROGRAMFILES64/Dokan/DokanLibrary/include/fuse/fuse_sem_fix.h
  • $PROGRAMFILES64/Dokan/DokanLibrary/include/fuse/fuse_win.h
  • $PROGRAMFILES64/Dokan/DokanLibrary/include/fuse/fusemain.h
  • $PROGRAMFILES64/Dokan/DokanLibrary/include/fuse/utils.h
  • $PROGRAMFILES64/Dokan/DokanLibrary/license.gpl.txt
  • $PROGRAMFILES64/Dokan/DokanLibrary/license.lgpl.txt
  • $PROGRAMFILES64/Dokan/DokanLibrary/license.mit.txt
  • $PROGRAMFILES64/Dokan/DokanLibrary/mounter.exe
    .exe windows:6 windows x64 arch:x64
    MD5: 9041f70e0fe8dc7929bdb05504f52df0
    Report sections: Code Sign, Headers, Imports, Sections

  • $PROGRAMFILES64/Dokan/DokanLibrary/sample/mirror/dokan_mirror.vcxproj
  • $PROGRAMFILES64/Dokan/DokanLibrary/sample/mirror/mirror.c
  • $PROGRAMFILES64/Dokan/DokanLibrary/sample/mirror/mirror.exe
    .exe windows:6 windows x64 arch:x64
    MD5: 06b8a64a03da7536982306727ddbaac4
    Report sections: Code Sign, Headers, Imports, Sections

  • $SYSDIR/dokan.dll
    .dll windows:6 windows x86 arch:x86
    MD5: 55217713d6f65cb8fe5dd9bcec5a5f78
    Report sections: Code Sign, Headers, Imports, Exports, Sections

  • $SYSDIR/dokannp.dll
    .dll windows:6 windows x86 arch:x86
    MD5: 49e12ab17f374781428c0454f346bf5c
    Report sections: Code Sign, Headers, Imports, Exports, Sections

  • Ext Directory Entry.tpl
  • Ext Group Descriptor.tpl
  • Ext Inode.tpl
  • Ext Superblock.tpl
  • Ext4 Inode.tpl
  • FAT Directory Entry.tpl
  • FAT LFN Entry.tpl
  • File Type Signatures Search.txt
    .pdf
  • GUID Partition Table.tpl
  • HFS+ Volume Header.tpl
  • Japanese.txt
  • Master Boot Record.tpl
  • NTFS FILE Record.tpl
  • Russian.txt
  • Sample script.whs
  • Text file conversion UNIX - Windows.whs
  • Text file conversion Windows - UNIX.whs
  • Tooltips.txt
  • Ukrainian.txt
  • ins.dll
    .dll windows:6 windows x86 arch:x86
    MD5: f1f88ca46f9cb5e171018dd80a98ea12
    Report sections: Headers, Imports, Exports, Sections

  • language.dat
  • setup.exe
    .exe windows:4 windows x86 arch:x86
    Report sections: Code Sign, Headers, Sections

  • timezone.dat
  • winhex-d.chm
    .chm
  • winhex.chm
    .chm
  • winhex.exe
    .exe windows:4 windows x86 arch:x86
    Report sections: Code Sign, Headers, Sections

  • zlib1.dll
    .dll windows:6 windows x86 arch:x86
    MD5: 2295543605599311d9f85b5845d2144c
    Report sections: Headers, Imports, Exports, Sections