xmrig | malware_samples[.]zip

Target

malware_samples.zip
Size

19.1MB
MD5

d8e816c76ab1b9bc76e73b1aa0f88f2d
SHA1

da193bad12f1b79f8c938d62e8029ba948433859
SHA256

487f4dd9bdbe94a9cf1a04a8fdec19f16f86864d05d06f0511544b3ff68c850c
SHA512

5bd84b71cb39d1d4952255cbabc45608c972757bb63a9f70606e0d2200154374f9e61f1c526ed1fe903b166e5d0b0458540b47da9c70434ae5b31a7b7d1bd02a
SSDEEP

393216:ThCblxXJLB2mW/RxHedw0OZnq0NyWl9Hh9H2KAm4zI:ThSDZLI5xHea9Zf5XHD4zI

Score

10^/10

pdf link miner 0 upx macro macro_on_action ono33 xmrig cobaltstrike trickbot

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Extracted

Family

trickbot

Version

1000501

Botnet

ono33

5.182.210.226:443

5.182.210.120:443

185.65.202.183:443

212.80.217.243:443

85.143.218.249:443

194.5.250.178:443

198.15.119.121:443

107.175.87.142:443

185.14.31.72:443

188.165.62.2:443

194.5.250.179:443

198.15.119.71:443

185.14.29.4:443

185.99.2.202:443

192.3.193.162:443

89.191.234.89:443

195.54.32.12:443

31.131.21.30:443

5.34.177.194:443

190.214.13.2:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Cobalt Strike reflective loader 2 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
static1/unpack001/virusshare/1/VirusShare_0a2d1ecedf3f79754aa2c18d62e75287	cobalt_reflective_dll
static1/unpack001/virusshare/1/malware	cobalt_reflective_dll

Cobaltstrike family
cobaltstrike
Trickbot family
trickbot

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
static1/unpack001/virusshare/1/VirusShare_0a2d1ecedf3f79754aa2c18d62e75287	xmrig
static1/unpack001/virusshare/1/malware	xmrig

Xmrig family
xmrig

Office macro that triggers on suspicious action 4 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
static1/unpack001/virusshare/1/VirusShare_0fea640a7da27f365b3675f73626b9c9	office_macro_on_action
static1/unpack001/virusshare/2/VirusShare_3f0b1eed4b7b9ae05fab4d949843f103	office_macro_on_action
static1/unpack001/virusshare/3/VirusShare_3fb34964fa7b8c6bfad8d960380ff04e	office_macro_on_action
static1/unpack001/virusshare/4/VirusShare_4b8eb7fe75f72c1c5c1f80af9cd165d2	office_macro_on_action

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
static1/unpack001/virusshare/1/VirusShare_0fea640a7da27f365b3675f73626b9c9

Attempts to obfuscate APK file format
Applies obfuscation techniques to the APK format in order to hinder analysis

Declares services with permission to bind to the system 1 IoCs

description	ioc
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.	android.permission.BIND_NOTIFICATION_LISTENER_SERVICE

Requests dangerous framework permissions 3 IoCs

description	ioc
Allows an application to receive SMS messages.	android.permission.RECEIVE_SMS
Allows an application to read SMS messages.	android.permission.READ_SMS
Allows an application to send SMS messages.	android.permission.SEND_SMS

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/virusshare/1/VirusShare_0aee78510c46e3a200b6bc21ac1c954d	upx

One or more HTTP URLs in PDF identified
Detects presence of HTTP links in PDF files.
pdf link

Unsigned PE 7 IoCs

Checks for missing Authenticode signature.

resource
unpack001/virusshare/1/VirusShare_0a2d1ecedf3f79754aa2c18d62e75287
unpack003/out.upx
unpack001/virusshare/1/malware
unpack001/virusshare/2/VirusShare_01b55404de50bd1a56343b2f316ff88d
unpack001/virusshare/3/VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b
unpack001/virusshare/3/VirusShare_5c8b670c503455baafbff400a446cf82
unpack001/virusshare/4/VirusShare_6d2d7d94fe5faab76b3e786e7d810c1d

Files

malware_samples.zip
.zip

Password: infected
virusshare/1/VirusShare_0a2d1ecedf3f79754aa2c18d62e75287
.exe windows:6 windows x64 arch:x64

Password: infected

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 619KB - Virtual size: 619KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 96KB - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_TEXT_CN
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

_TEXT_CN
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
virusshare/1/VirusShare_0aee78510c46e3a200b6bc21ac1c954d
.exe windows:5 windows x86 arch:x86

Password: infected

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

60:86:44:63:bb:bc:2e:4e:67:d4:27:71:e4:cb:d9:a5
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

21/04/2017, 00:00

Not After

04/02/2020, 23:59

Subject

CN=Zhuhai Kingsoft Office Software Co.\, Ltd.,OU=RD Department,O=Zhuhai Kingsoft Office Software Co.\, Ltd.,L=Zhuhai,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

44:e0:b5:be:99:0e:46:a6:96:3f:d9:a1:0d:d4:bb:ac
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

19/04/2017, 00:00

Not After

03/02/2020, 23:59

Subject

CN=Zhuhai Kingsoft Office Software Co.\, Ltd.,OU=RD Department,O=Zhuhai Kingsoft Office Software Co.\, Ltd.,L=Zhuhai,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

6a:0f:db:e6:78:b3:1e:23:2c:ba:5a:e1:4d:9d:bf:1b
Certificate

Issuer

CN=WoSign Time Stamping Services CA G2,O=WoSign CA Limited,C=CN

Not Before

08/04/2015, 01:00

Not After

08/04/2023, 01:00

Subject

CN=WoSign Time Stamping Signer G2,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

8c:c8:f0:70:80:b1:2b:f4:14:36:02:ff:c8:11:86:e8:9e:6e:a6:68:d2:b6:8b:d0:e0:e4:4b:9e:c3:1e:8f:09
Signer

Actual PE Digest

8c:c8:f0:70:80:b1:2b:f4:14:36:02:ff:c8:11:86:e8:9e:6e:a6:68:d2:b6:8b:d0:e0:e4:4b:9e:c3:1e:8f:09

Digest Algorithm

sha256

PE Digest Matches

true

a2:71:64:f3:87:e9:1d:ac:6e:ca:7d:87:06:ba:6e:06:ff:b4:8d:8f
Signer

Actual PE Digest

a2:71:64:f3:87:e9:1d:ac:6e:ca:7d:87:06:ba:6e:06:ff:b4:8d:8f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 1.2MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 509KB - Virtual size: 512KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 111KB - Virtual size: 112KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 809KB - Virtual size: 809KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 256KB - Virtual size: 255KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 21KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 489KB - Virtual size: 488KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 59KB - Virtual size: 58KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
virusshare/1/VirusShare_0fea640a7da27f365b3675f73626b9c9
.xls windows office2003

Sem

Page1

Module1

UserForm1

Module2

Class1

UserForm6

Page11

Module6

Module5

Module4
virusshare/1/VirusShare_1ba8249d8503c0cf7bc125588c43bef9
.doc windows office2003

Aojplemq

Jeuwzqvsdrcqz

Rgzhzedt
virusshare/1/VirusShare_3cd9a967b67fe69351e390195ca7a430
.pdf
Password: infected
- http://amcarizona.com/uploads/1/3/0/4/130478709/d508b2931dd488.pdf
- http://aufgutdeutsch.net/uploads/1/3/0/2/130291646/zefawove_dojavakumavuv_fesadetekud_pixopibetegoso.pdf
- http://capscoating.com/uploads/1/3/0/5/130540699/waxasavapiz_tibuxe.pdf
- http://formormedia.com/uploads/1/3/0/2/130289443/130289443.html#auma+electric+actuator+catalogue
- http://fountainalleybodycare.com/uploads/1/3/0/2/130270832/kexerewel.pdf
- http://mingateachers.com/uploads/1/3/0/6/130620948/3396168.pdf
- http://mwilkinson91.com/uploads/1/3/0/5/130550994/d4e8bf21c6b2322.pdf
- http://nkaskephotography.com/uploads/1/3/0/3/130323319/941a1631a4c.pdf
- http://nrttourscentre.com/uploads/1/3/0/7/130776684/3637788.pdf
- http://pitchtreemetalworks.com/uploads/1/3/0/6/130620946/witenexupamafofakis.pdf
- http://soulsinfriendship.org/uploads/1/3/0/6/130621483/pebuliduv.pdf
- https://jofavape.weebly.com/uploads/1/3/0/4/130476440/xafoniwokivezezo.pdf
- Show all
virusshare/1/malware
.exe windows:6 windows x64 arch:x64

Password: infected

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 619KB - Virtual size: 619KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 96KB - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_TEXT_CN
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

_TEXT_CN
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
virusshare/2/VirusShare_01b55404de50bd1a56343b2f316ff88d
.exe windows:4 windows x86 arch:x86

Password: infected

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 105KB - Virtual size: 105KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
virusshare/2/VirusShare_1ad9a67240d5775395c45b64dd6529fa
.exe windows:5 windows x86 arch:x86

Password: infected

483f0c4259a9148c34961abbda6146c1

Code Sign

e4:27:04:95:f6:8c:91:d6:d0:ec:7b:49:4e:a4:df:1c
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

11/09/2018, 09:26

Not After

11/09/2023, 09:26

Subject

CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

45:f8:da:05:30:f5:16:06
Certificate

Issuer

CN=SSL.com Code Signing Intermediate CA RSA R1,O=SSL Corp,L=Houston,ST=Texas,C=US

Not Before

29/01/2019, 08:48

Not After

29/01/2020, 08:48

Subject

CN=Rabbit Speedy (Superior Media Ltd.),O=Rabbit Speedy (Superior Media Ltd.),L=Tel Aviv,ST=Israel,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

64:33:51:d3:c7:38:9f:08
Certificate

Issuer

CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US

Not Before

24/06/2016, 20:44

Not After

24/06/2031, 20:44

Subject

CN=SSL.com Code Signing Intermediate CA RSA R1,O=SSL Corp,L=Houston,ST=Texas,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ab:40:24:7a:c9:3b:7b:19:d6:51:17:2f:8e:a5:56:5d:21:0d:23:88
Signer

Actual PE Digest

ab:40:24:7a:c9:3b:7b:19:d6:51:17:2f:8e:a5:56:5d:21:0d:23:88

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

oleaut32

SysFreeString
SysReAllocStringLen
SysAllocStringLen
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopy
VariantClear
VariantInit

advapi32

RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges

user32

GetKeyboardType
LoadStringW
MessageBoxA
CharNextW
CreateWindowExW
TranslateMessage
SetWindowLongW
PeekMessageW
MsgWaitForMultipleObjects
MessageBoxW
LoadStringW
GetSystemMetrics
ExitWindowsEx
DispatchMessageW
DestroyWindow
CharUpperBuffW
CallWindowProcW

kernel32

GetACP
Sleep
VirtualFree
VirtualAlloc
GetSystemInfo
GetTickCount
QueryPerformanceCounter
GetVersion
GetCurrentThreadId
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenW
lstrcpynW
LoadLibraryExW
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetCommandLineW
FreeLibrary
FindFirstFileW
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
CloseHandle
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleW
WriteFile
WideCharToMultiByte
WaitForSingleObject
VirtualQuery
VirtualProtect
VirtualFree
VirtualAlloc
SizeofResource
SignalObjectAndWait
SetLastError
SetFilePointer
SetEvent
SetErrorMode
SetEndOfFile
ResetEvent
RemoveDirectoryW
ReadFile
MultiByteToWideChar
LockResource
LoadResource
LoadLibraryW
LeaveCriticalSection
InitializeCriticalSection
GetWindowsDirectoryW
GetVersionExW
GetUserDefaultLangID
GetThreadLocale
GetSystemInfo
GetStdHandle
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetLocalTime
GetLastError
GetFullPathNameW
GetFileSize
GetFileAttributesW
GetExitCodeProcess
GetEnvironmentVariableW
GetDiskFreeSpaceW
GetDateFormatW
GetCurrentProcess
GetCommandLineW
GetCPInfo
InterlockedExchange
InterlockedCompareExchange
FreeLibrary
FormatMessageW
FindResourceW
EnumCalendarInfoW
EnterCriticalSection
DeleteFileW
DeleteCriticalSection
CreateProcessW
CreateFileW
CreateEventW
CreateDirectoryW
CompareStringW
CloseHandle
Sleep

comctl32

InitCommonControls

Sections

.text
Size: 81KB - Virtual size: 80KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 21KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 8B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 44KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
virusshare/2/VirusShare_2fe5b00079aec2d8369a798230313ec8
.doc windows office2003

Xmtcmcovmi

Rlndryuf

Sfxuqprex
virusshare/2/VirusShare_3f0b1eed4b7b9ae05fab4d949843f103
.doc .vbs windows office2003 polyglot

ThisWorkbook

Sheet1

Sheet2

Sheet3

Sheet4

Module1
virusshare/2/VirusShare_480ef02bb062a57724e1b3e14532a140
.pdf
Password: infected
- http://americanbenefitsolutions.net/uploads/1/3/0/5/130590122/0edbbc0c.pdf
- http://armquiz.com/uploads/2020/01/27/tusuzaw.pdf
- http://befreeproduction.com/uploads/1/3/0/4/130478663/3e464e773d.pdf
- http://bulverdepregnancy.net/uploads/1/3/0/6/130639282/wetivuxolaja.pdf
- http://clearhrsolutionsd.com/uploads/1/3/0/4/130435941/8c7e87.pdf
- http://link2yoo.net/uploads/1/3/0/6/130604529/42536e7ead401.pdf
- http://movimentomarianobetania.org/uploads/1/3/0/6/130603773/bupiwudunudasogof.pdf
- http://vertudevelopment.com/uploads/1/3/0/6/130605267/130605267.html#brother+intellifax+2820+driver
virusshare/2/wedding.apk
.apk android

Password: infected

com.google.aplikasi

com.example.myapplicatior.MainActivity

Activities

com.example.myapplicatior.MainActivity

android.intent.action.MAIN

Permissions

android.permission.RECEIVE_SMS
android.permission.INTERNET
android.permission.READ_SMS
android.permission.SEND_SMS
android.permission.WAKE_LOCK
android.permission.ACCESS_NETWORK_STATE
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.FOREGROUND_SERVICE

Receivers

com.example.myapplicatior.ReceiveSms

android.provider.Telephony.SMS_RECEIVED

com.example.myapplicatior.SendSMS

android.provider.Telephony.SMS_RECEIVED

androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryChargingProxy

android.intent.action.ACTION_POWER_CONNECTED
android.intent.action.ACTION_POWER_DISCONNECTED

androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryNotLowProxy

android.intent.action.BATTERY_OKAY
android.intent.action.BATTERY_LOW

androidx.work.impl.background.systemalarm.ConstraintProxy$StorageNotLowProxy

android.intent.action.DEVICE_STORAGE_LOW
android.intent.action.DEVICE_STORAGE_OK

androidx.work.impl.background.systemalarm.ConstraintProxy$NetworkStateProxy

android.net.conn.CONNECTIVITY_CHANGE

androidx.work.impl.background.systemalarm.RescheduleReceiver

android.intent.action.BOOT_COMPLETED
android.intent.action.TIME_SET
android.intent.action.TIMEZONE_CHANGED

androidx.work.impl.background.systemalarm.ConstraintProxyUpdateReceiver

androidx.work.impl.background.systemalarm.UpdateProxies

androidx.work.impl.diagnostics.DiagnosticsReceiver

androidx.work.diagnostics.REQUEST_DIAGNOSTICS

Services

com.example.myapplicatior.NotificationService

android.service.notification.NotificationListenerService
virusshare/3/VirusShare_3fb34964fa7b8c6bfad8d960380ff04e
.doc .vbs windows office2003 polyglot

ThisWorkbook

Sheet1

Sheet2

Sheet3

Sheet4

Module1
virusshare/3/VirusShare_4675e87be15585e66b0c88b833dd9ecd
.pdf
virusshare/3/VirusShare_4aa5734fe9c86184f931f4ddaf2d4d7b
.exe windows:4 windows x86 arch:x86

a32f20584ee1cae950a64ef226eea819

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

MethCallEngine
ord666
ord595
ord596
ord525
EVENT_SINK_AddRef
ord568
EVENT_SINK_Release
EVENT_SINK_QueryInterface
__vbaExceptHandler
ord710
ProcCallEngine
ord646
ord571
ord575
ord100
ord689
ord541
ord544
ord545
ord546
ord547
ord580

Sections

.text
Size: 48KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
virusshare/3/VirusShare_5c8b670c503455baafbff400a446cf82
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 188KB - Virtual size: 185KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
virusshare/3/VirusShare_6ad036ba93c94d6976e2d93c7a3aec6f
.doc windows office2003

Hsheolxjq

Ytxatmhtmzwws

Gwgukvssw
virusshare/3/delivery.apk
.apk android

com.rndytech.smstesd

com.example.myapplication.MainActivity

Activities

com.example.myapplication.MainActivity

android.intent.action.MAIN

Permissions

android.permission.RECEIVE_SMS
android.permission.INTERNET
android.permission.READ_SMS
android.permission.SEND_SMS

Receivers

com.example.myapplication.ReceiveSms

android.provider.Telephony.SMS_RECEIVED

com.example.myapplication.SendSMS

android.provider.Telephony.SMS_RECEIVED
virusshare/4/VirusShare_4b8eb7fe75f72c1c5c1f80af9cd165d2
.doc windows office2003

ThisWorkbook

Sheet1

Module1

AttachedFile

AttachedFiles

Module2

Sheet2
virusshare/4/VirusShare_6d2d7d94fe5faab76b3e786e7d810c1d
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 736KB - Virtual size: 735KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 39KB - Virtual size: 134KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 141KB - Virtual size: 140KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.giats
Size: 512B - Virtual size: 28B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 229KB - Virtual size: 228KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

Password: infected

Password: infected

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 619KB - Virtual size: 619KB

.rdata Size: 96KB - Virtual size: 96KB

.data Size: 4KB - Virtual size: 2.5MB

.pdata Size: 17KB - Virtual size: 17KB

_TEXT_CN Size: 6KB - Virtual size: 6KB

_TEXT_CN Size: 7KB - Virtual size: 7KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 2KB - Virtual size: 2KB

Password: infected

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

60:86:44:63:bb:bc:2e:4e:67:d4:27:71:e4:cb:d9:a5Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

44:e0:b5:be:99:0e:46:a6:96:3f:d9:a1:0d:d4:bb:acCertificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

6a:0f:db:e6:78:b3:1e:23:2c:ba:5a:e1:4d:9d:bf:1bCertificate

Extended Key Usages

Key Usages

8c:c8:f0:70:80:b1:2b:f4:14:36:02:ff:c8:11:86:e8:9e:6e:a6:68:d2:b6:8b:d0:e0:e4:4b:9e:c3:1e:8f:09Signer

a2:71:64:f3:87:e9:1d:ac:6e:ca:7d:87:06:ba:6e:06:ff:b4:8d:8fSigner

Headers

DLL Characteristics

File Characteristics

Sections

UPX0 Size: - Virtual size: 1.2MB

UPX1 Size: 509KB - Virtual size: 512KB

.rsrc Size: 111KB - Virtual size: 112KB

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 809KB - Virtual size: 809KB

.rdata Size: 256KB - Virtual size: 255KB

.data Size: 21KB - Virtual size: 37KB

.rsrc Size: 489KB - Virtual size: 488KB

.reloc Size: 59KB - Virtual size: 58KB

Sem

Page1

Module1

UserForm1

Module2

Class1

UserForm6

Page11

Module6

Module5

Module4

Aojplemq

Jeuwzqvsdrcqz

Rgzhzedt

Password: infected

Password: infected

Headers

.text
Size: 619KB - Virtual size: 619KB

.rdata
Size: 96KB - Virtual size: 96KB

.data
Size: 4KB - Virtual size: 2.5MB

.pdata
Size: 17KB - Virtual size: 17KB

_TEXT_CN
Size: 6KB - Virtual size: 6KB

_TEXT_CN
Size: 7KB - Virtual size: 7KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 2KB - Virtual size: 2KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

60:86:44:63:bb:bc:2e:4e:67:d4:27:71:e4:cb:d9:a5
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

44:e0:b5:be:99:0e:46:a6:96:3f:d9:a1:0d:d4:bb:ac
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

6a:0f:db:e6:78:b3:1e:23:2c:ba:5a:e1:4d:9d:bf:1b
Certificate

8c:c8:f0:70:80:b1:2b:f4:14:36:02:ff:c8:11:86:e8:9e:6e:a6:68:d2:b6:8b:d0:e0:e4:4b:9e:c3:1e:8f:09
Signer

a2:71:64:f3:87:e9:1d:ac:6e:ca:7d:87:06:ba:6e:06:ff:b4:8d:8f
Signer

UPX0
Size: - Virtual size: 1.2MB

UPX1
Size: 509KB - Virtual size: 512KB

.rsrc
Size: 111KB - Virtual size: 112KB

.text
Size: 809KB - Virtual size: 809KB

.rdata
Size: 256KB - Virtual size: 255KB

.data
Size: 21KB - Virtual size: 37KB

.rsrc
Size: 489KB - Virtual size: 488KB

.reloc
Size: 59KB - Virtual size: 58KB

.text
Size: 619KB - Virtual size: 619KB

.rdata
Size: 96KB - Virtual size: 96KB

.data
Size: 4KB - Virtual size: 2.5MB

.pdata
Size: 17KB - Virtual size: 17KB

_TEXT_CN
Size: 6KB - Virtual size: 6KB

_TEXT_CN
Size: 7KB - Virtual size: 7KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 2KB - Virtual size: 2KB

.text
Size: 105KB - Virtual size: 105KB

.data
Size: 12KB - Virtual size: 11KB

.reloc
Size: 3KB - Virtual size: 2KB

e4:27:04:95:f6:8c:91:d6:d0:ec:7b:49:4e:a4:df:1c
Certificate

45:f8:da:05:30:f5:16:06
Certificate

64:33:51:d3:c7:38:9f:08
Certificate

ab:40:24:7a:c9:3b:7b:19:d6:51:17:2f:8e:a5:56:5d:21:0d:23:88
Signer

.text
Size: 81KB - Virtual size: 80KB

.itext
Size: 3KB - Virtual size: 2KB

.data
Size: 3KB - Virtual size: 3KB

.bss
Size: - Virtual size: 21KB

.idata
Size: 4KB - Virtual size: 3KB

.tls
Size: - Virtual size: 8B

.rdata
Size: 512B - Virtual size: 24B

.rsrc
Size: 44KB - Virtual size: 44KB