pItktXL4KOAjezzz[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

pItktXL4KOAjezzz.zip
Size

26.6MB
MD5

0cf10ccef009522b6db946cb1766af21
SHA1

e4e266b3bd34a625f38937ca2e71c9f0fd47d9c4
SHA256

b941ad368893ae6b60c3aa925245ddf9ca5ec9fa214fb938073c1bab9ec7767c
SHA512

466b7f8ded967e24ba0e0d4ed685e7b4c9c2ae9cc1cbb89ae3deaf91b25e900fa799a994766c31bec5d1903e2611eceb020a6cfc53bf55931f18648c214f3ba6
SSDEEP

393216:zdtr1kyNx5Y6YdXYAXpgNzo1DjO+lir+JBDI2ADQ/fY95BR64T+z6Gz7KnM:zdzN9YdXVpgNzoDjO+lh3IUg7GXz7QM

Score

5^/10

pdf link upx

Malware Config

Signatures

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
static1/unpack002/out.upx	autoit_exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/dControl.exe	upx

One or more HTTP URLs in PDF identified
Detects presence of HTTP links in PDF files.
pdf link

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack002/out.upx
unpack001/pItktXL4KOAjezzz.exe

Files

pItktXL4KOAjezzz.zip
.zip
dControl.exe
.exe windows:5 windows x86 arch:x86

Code Sign

69:98:6c:80:0a:7c:5b:8e:47:86:45:a0:3e:86:d5:40
Certificate

Issuer

CN=Sordum Software

Not Before

11-09-2021 21:00

Not After

31-07-2030 21:00

Subject

CN=Sordum Software

Extended Key Usages

ExtKeyUsageCodeSigning

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

31-05-2021 06:43

Not After

17-09-2029 06:43

Subject

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

f1:64:25:8c:09:b6:e2:7b:e2:0e:32:60:8e:4b:f4:a8
Certificate

Issuer

CN=Certum Timestamping 2021 CA,O=Asseco Data Systems S.A.,C=PL

Not Before

19-05-2021 05:42

Not After

18-05-2032 05:42

Subject

CN=Certum Timestamp 2021,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87
Certificate

Issuer

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

19-05-2021 05:32

Not After

18-05-2036 05:32

Subject

CN=Certum Timestamping 2021 CA,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

13:f6:ef:3f:06:29:49:56:6c:21:59:e0:0c:ac:6f:83:24:95:fa:e4
Signer

Actual PE Digest

13:f6:ef:3f:06:29:49:56:6c:21:59:e0:0c:ac:6f:83:24:95:fa:e4

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 492KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 262KB - Virtual size: 264KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 57KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 514KB - Virtual size: 513KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 56KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 105KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 56KB - Virtual size: 56KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
guide.pdf
.pdf
- https://content.overwolf.com/downloads/setup/latest/regular.html
- https://emojipedia.org/euro-banknote
- https://emojipedia.org/fire
- https://emojipedia.org/hundred-points
- https://emojipedia.org/tongue
- https://medal.tv/
pItktXL4KOAjezzz.exe
.exe windows:6 windows x64 arch:x64

5bb76e4b373d54d3cab534435c16c0c7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntdll

RtlCaptureContext

d3d11

D3D11CreateDeviceAndSwapChain

kernel32

GetCurrentProcess
GetSystemTimeAsFileTime
HeapAlloc
HeapFree
ExitProcess
GetModuleHandleA
LoadLibraryA
GetProcAddress

user32

GetForegroundWindow

gdi32

CreateCompatibleDC

advapi32

QueryServiceStatus

shell32

ShellExecuteExA

ole32

CreateStreamOnHGlobal

d3dcompiler_43

D3DCompile

msvcp140

?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ

d3dx11_43

D3DX11CreateShaderResourceViewFromMemory

imm32

ImmSetCandidateWindow

urlmon

URLDownloadToFileA

gdiplus

GdipAlloc

wininet

HttpOpenRequestA

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memmove

api-ms-win-crt-stdio-l1-1-0

ftell

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-string-l1-1-0

_wcsicmp

api-ms-win-crt-heap-l1-1-0

_callnewh

api-ms-win-crt-runtime-l1-1-0

_beginthreadex

api-ms-win-crt-convert-l1-1-0

strtol

api-ms-win-crt-math-l1-1-0

fmodf

api-ms-win-crt-filesystem-l1-1-0

remove

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func

api-ms-win-crt-environment-l1-1-0

getenv

Sections

.text
Size: - Virtual size: 521KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 101KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 328KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrcrs0
Size: - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vlizer
Size: - Virtual size: 7.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrcrs1
Size: - Virtual size: 14.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrcrs2
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrcrs3
Size: 26.9MB - Virtual size: 26.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Code Sign

69:98:6c:80:0a:7c:5b:8e:47:86:45:a0:3e:86:d5:40Certificate

Extended Key Usages

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27Certificate

Key Usages

f1:64:25:8c:09:b6:e2:7b:e2:0e:32:60:8e:4b:f4:a8Certificate

Extended Key Usages

Key Usages

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87Certificate

Extended Key Usages

Key Usages

13:f6:ef:3f:06:29:49:56:6c:21:59:e0:0c:ac:6f:83:24:95:fa:e4Signer

Headers

DLL Characteristics

File Characteristics

Sections

UPX0 Size: - Virtual size: 492KB

UPX1 Size: 262KB - Virtual size: 264KB

.rsrc Size: 57KB - Virtual size: 60KB

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 514KB - Virtual size: 513KB

.rdata Size: 56KB - Virtual size: 55KB

.data Size: 26KB - Virtual size: 105KB

.rsrc Size: 56KB - Virtual size: 56KB

5bb76e4b373d54d3cab534435c16c0c7

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

d3d11

kernel32

user32

gdi32

advapi32

shell32

ole32

d3dcompiler_43

msvcp140

d3dx11_43

imm32

urlmon

gdiplus

wininet

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-environment-l1-1-0

Sections

.text Size: - Virtual size: 521KB

.rdata Size: - Virtual size: 101KB

.data Size: - Virtual size: 328KB

.pdata Size: - Virtual size: 22KB

.rsrcrs0 Size: - Virtual size: 488B

.reloc Size: - Virtual size: 1KB

.vlizer Size: - Virtual size: 7.1MB

.rsrcrs1 Size: - Virtual size: 14.9MB

.rsrcrs2 Size: 5KB - Virtual size: 4KB

.rsrcrs3 Size: 26.9MB - Virtual size: 26.9MB

.rsrc Size: 512B - Virtual size: 480B

69:98:6c:80:0a:7c:5b:8e:47:86:45:a0:3e:86:d5:40
Certificate

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27
Certificate

f1:64:25:8c:09:b6:e2:7b:e2:0e:32:60:8e:4b:f4:a8
Certificate

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87
Certificate

13:f6:ef:3f:06:29:49:56:6c:21:59:e0:0c:ac:6f:83:24:95:fa:e4
Signer

UPX0
Size: - Virtual size: 492KB

UPX1
Size: 262KB - Virtual size: 264KB

.rsrc
Size: 57KB - Virtual size: 60KB

.text
Size: 514KB - Virtual size: 513KB

.rdata
Size: 56KB - Virtual size: 55KB

.data
Size: 26KB - Virtual size: 105KB

.rsrc
Size: 56KB - Virtual size: 56KB

.text
Size: - Virtual size: 521KB

.rdata
Size: - Virtual size: 101KB

.data
Size: - Virtual size: 328KB

.pdata
Size: - Virtual size: 22KB

.rsrcrs0
Size: - Virtual size: 488B

.reloc
Size: - Virtual size: 1KB

.vlizer
Size: - Virtual size: 7.1MB

.rsrcrs1
Size: - Virtual size: 14.9MB

.rsrcrs2
Size: 5KB - Virtual size: 4KB

.rsrcrs3
Size: 26.9MB - Virtual size: 26.9MB

.rsrc
Size: 512B - Virtual size: 480B