begit[.]zip | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

begit.zip
Size

4.1MB
MD5

09a4b2535a791e88b4ebfb0563df5b7e
SHA1

b41188a7194307e374f6a7b4425b157a0947cedd
SHA256

c29aa20740e453ad22c74ea8acd3a04fbc71fe607c3c70493b3aaba3c124235c
SHA512

1a56fb8cacca047999fbd4d39d1c273cf1325bf944e59f3122ff8a00cb15732f27c7a0c25820e39236bb5ffca756f075926bb92bb2c525336d4013ac28037893
SSDEEP

98304:H9eR9nYHES0q8Yfk/zwG0GAn5Xv08+xB7tOkCvs2bDOSuDUWRZ7pgR1hcs:H9eLnYHE0fk/bVOf4xKxmSu4WRZ7pg9H

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/cr.dll
unpack001/zipki.exe

Files

begit.zip
.zip
cr.dll
.dll windows:4 windows x86 arch:x86

fd11bbb1497547b1b5f9de1923ab6ec6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

kernel32

DeleteCriticalSection
EnterCriticalSection
FreeLibrary
GetLastError
GetModuleHandleA
GetProcAddress
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
Sleep
TlsGetValue
VirtualProtect
VirtualQuery
WriteConsoleW
EnumDateFormatsW
FindNextVolumeA
GetFirmwareEnvironmentVariableW
GetSystemTime
MoveFileExW
RegDeleteTreeA
RemoveDirectoryTransactedW

msvcrt

_amsg_exit
_initterm
_iob
_lock
_unlock
abort
calloc
free
fwrite
realloc
strlen
strncmp
vfprintf

activeds

ADsFreeEnumerator
ADsGetObject
ADsSetLastError
AllocADsStr
BinarySDToSecurityDescriptor
FreeADsStr
ReallocADsMem

clusapi

ClusterGroupOpenEnum
ClusterOpenEnumEx
ClusterRegBatchCloseNotification
ClusterRegGetBatchNotification
GetClusterFromNetwork
OpenClusterEx
OpenClusterResourceEx
RemoveClusterResourceNode
SetClusterServiceAccountPassword

dbghelp

EnumerateLoadedModules64
EnumerateLoadedModulesW64
FindDebugInfoFileEx
FindExecutableImageExW
ImageRvaToVa
SymAddSourceStreamA
SymAddSourceStreamW
SymEnumTypesByNameW
SymEnumerateModulesW64
SymFindFileInPath
SymGetLineFromAddr
SymGetLinePrev
SymGetSymFromAddr64
SymGetSymPrev
SymMatchFileNameW
SymNext

eappprxy

EapHostPeerClearConnection
EapHostPeerGetAuthStatus
EapHostPeerGetResult
EapHostPeerGetSendPacket
EapHostPeerSetResponseAttributes
EapHostPeerUninitialize

evr

MFCopyImage
MFCreateVideoMediaType
MFCreateVideoMediaTypeFromSubtype
MFCreateVideoMediaTypeFromVideoInfoHeader2
MFGetPlaneSize
MFGetStrideForBitmapInfoHeader
MFInitVideoFormat_RGB
MFIsFormatYUV

fwpuclnt

FwpmEngineSetOption0
FwpmLayerEnum0
FwpmNetEventDestroyEnumHandle0
FwpmProviderContextEnum1
FwpmProviderContextGetById0
IPsecDospStateCreateEnumHandle0
IPsecSaContextCreateEnumHandle0
IPsecSaContextExpire0

logoncli

DsDeregisterDnsHostRecordsW
DsEnumerateDomainTrustsW
DsGetDcNameA
DsGetDcNextA
DsGetForestTrustInformationW
DsGetSiteNameA
DsValidateSubnetNameW
NetGetAnyDCName

mpr

WNetAddConnectionA
WNetAddConnectionW
WNetCancelConnection2A
WNetGetLastErrorW
WNetSetLastErrorA
WNetUseConnectionA

t2embed

TTDeleteEmbeddedFont
TTEmbedFont
TTEmbedFontEx
TTEnableEmbeddingForFacename
TTGetEmbeddedFontInfo
TTGetNewFontName
TTIsEmbeddingEnabledForFacename
TTLoadEmbeddedFont
TTRunValidationTestsEx

winhttp

WinHttpCloseHandle
WinHttpCrackUrl
WinHttpDetectAutoProxyConfigUrl
WinHttpOpenRequest
WinHttpQueryDataAvailable
WinHttpSetOption
WinHttpSetTimeouts
WinHttpTimeFromSystemTime

Exports

Exports

DPvZQxkQmTvIchWg

Sections

.text
Size: 6.1MB - Virtual size: 6.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 896KB - Virtual size: 895KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.eh_fram
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 176B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 82B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 552B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
zipki.exe
.exe windows:4 windows x86 arch:x86

cf7ef6b6567ab90b46e818aed7aff37c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

DeleteCriticalSection
EnterCriticalSection
FreeLibrary
GetLastError
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GlobalAlloc
GlobalFlags
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
SetUnhandledExceptionFilter
Sleep
TlsGetValue
VirtualProtect
VirtualQuery
EnumDateFormatsW
FindNextVolumeA
GetFirmwareEnvironmentVariableW
GetSystemTime
MoveFileExW
RegDeleteTreeA
RemoveDirectoryTransactedW

msvcrt

__getmainargs
__initenv
__p__acmdln
__p__commode
__p__fmode
__set_app_type
__setusermatherr
_amsg_exit
_cexit
_initterm
_iob
_onexit
abort
calloc
exit
fprintf
free
fwrite
malloc
memcpy
signal
strlen
strncmp
vfprintf

activeds

ADsFreeEnumerator
ADsGetObject
ADsSetLastError
AllocADsStr
BinarySDToSecurityDescriptor
FreeADsStr
ReallocADsMem

clusapi

ClusterGroupOpenEnum
ClusterOpenEnumEx
ClusterRegBatchCloseNotification
ClusterRegGetBatchNotification
GetClusterFromNetwork
OpenClusterEx
OpenClusterResourceEx
RemoveClusterResourceNode
SetClusterServiceAccountPassword

dbghelp

EnumerateLoadedModules64
EnumerateLoadedModulesW64
FindDebugInfoFileEx
FindExecutableImageExW
ImageRvaToVa
SymAddSourceStreamA
SymAddSourceStreamW
SymEnumTypesByNameW
SymEnumerateModulesW64
SymFindFileInPath
SymGetLineFromAddr
SymGetLinePrev
SymGetSymFromAddr64
SymGetSymPrev
SymMatchFileNameW
SymNext

eappprxy

EapHostPeerClearConnection
EapHostPeerGetAuthStatus
EapHostPeerGetResult
EapHostPeerGetSendPacket
EapHostPeerSetResponseAttributes
EapHostPeerUninitialize

evr

MFCopyImage
MFCreateVideoMediaType
MFCreateVideoMediaTypeFromSubtype
MFCreateVideoMediaTypeFromVideoInfoHeader2
MFGetPlaneSize
MFGetStrideForBitmapInfoHeader
MFInitVideoFormat_RGB
MFIsFormatYUV

fwpuclnt

FwpmEngineSetOption0
FwpmLayerEnum0
FwpmNetEventDestroyEnumHandle0
FwpmProviderContextEnum1
FwpmProviderContextGetById0
IPsecDospStateCreateEnumHandle0
IPsecSaContextCreateEnumHandle0
IPsecSaContextExpire0

logoncli

DsDeregisterDnsHostRecordsW
DsEnumerateDomainTrustsW
DsGetDcNameA
DsGetDcNextA
DsGetForestTrustInformationW
DsGetSiteNameA
DsValidateSubnetNameW
NetGetAnyDCName

mpr

WNetAddConnectionA
WNetAddConnectionW
WNetCancelConnection2A
WNetGetLastErrorW
WNetSetLastErrorA
WNetUseConnectionA

t2embed

TTDeleteEmbeddedFont
TTEmbedFont
TTEmbedFontEx
TTEnableEmbeddingForFacename
TTGetEmbeddedFontInfo
TTGetNewFontName
TTIsEmbeddingEnabledForFacename
TTLoadEmbeddedFont
TTRunValidationTestsEx

winhttp

WinHttpCloseHandle
WinHttpCrackUrl
WinHttpDetectAutoProxyConfigUrl
WinHttpOpenRequest
WinHttpQueryDataAvailable
WinHttpSetOption
WinHttpSetTimeouts
WinHttpTimeFromSystemTime

cr

DPvZQxkQmTvIchWg

Sections

.text
Size: 6.1MB - Virtual size: 6.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.eh_fram
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 192B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 600B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

fd11bbb1497547b1b5f9de1923ab6ec6

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

msvcrt

activeds

clusapi

dbghelp

eappprxy

evr

fwpuclnt

logoncli

mpr

t2embed

winhttp

Exports

Exports

Sections

.text Size: 6.1MB - Virtual size: 6.1MB

.data Size: 896KB - Virtual size: 895KB

.rdata Size: 1KB - Virtual size: 1KB

.eh_fram Size: 2KB - Virtual size: 1KB

.bss Size: - Virtual size: 176B

.edata Size: 512B - Virtual size: 82B

.idata Size: 4KB - Virtual size: 4KB

.CRT Size: 512B - Virtual size: 44B

.tls Size: 512B - Virtual size: 8B

.reloc Size: 1024B - Virtual size: 552B

cf7ef6b6567ab90b46e818aed7aff37c

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

msvcrt

activeds

clusapi

dbghelp

eappprxy

evr

fwpuclnt

logoncli

mpr

t2embed

winhttp

cr

Sections

.text Size: 6.1MB - Virtual size: 6.1MB

.data Size: 512B - Virtual size: 48B

.rdata Size: 2KB - Virtual size: 1KB

.eh_fram Size: 2KB - Virtual size: 2KB

.bss Size: - Virtual size: 192B

.idata Size: 5KB - Virtual size: 4KB

.CRT Size: 512B - Virtual size: 48B

.tls Size: 512B - Virtual size: 8B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 1024B - Virtual size: 600B

.text
Size: 6.1MB - Virtual size: 6.1MB

.data
Size: 896KB - Virtual size: 895KB

.rdata
Size: 1KB - Virtual size: 1KB

.eh_fram
Size: 2KB - Virtual size: 1KB

.bss
Size: - Virtual size: 176B

.edata
Size: 512B - Virtual size: 82B

.idata
Size: 4KB - Virtual size: 4KB

.CRT
Size: 512B - Virtual size: 44B

.tls
Size: 512B - Virtual size: 8B

.reloc
Size: 1024B - Virtual size: 552B

.text
Size: 6.1MB - Virtual size: 6.1MB

.data
Size: 512B - Virtual size: 48B

.rdata
Size: 2KB - Virtual size: 1KB

.eh_fram
Size: 2KB - Virtual size: 2KB

.bss
Size: - Virtual size: 192B

.idata
Size: 5KB - Virtual size: 4KB

.CRT
Size: 512B - Virtual size: 48B

.tls
Size: 512B - Virtual size: 8B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1024B - Virtual size: 600B