| File | Type | Category | Verdict |
|---|---|---|---|
| file.zip | Zip archive data, at least v2.0 to extract, compression method=deflate | initial sample | malicious |

| Property | Value |
|---|---|
| Filetype | Zip archive data, at least v2.0 to extract, compression method=deflate |
| Entropy | 7.99859454661898 |
| Filename | file.zip |
| Filesize | 358766 |
| MD5 | 6da382bb9e3a7d435b57f2d5aa7cba34 |
| SHA1 | 7439b08ef1d4cae39192951c80f2f7ec646ec045 |
| SHA256 | f4078e1ec71b088a554c65ffa245570014d56ea95d93a761532a83acc638cfce |
| SHA512 | ce2d2e8693e99a44d528ee1feb6f0afba8282f6aaa8f244ae00b62f8afa4d98f407a1a2e563e5640fa1c9092cfbcf38ae9c2bd816a84345dfffc3a352cc0f849 |
| SSDEEP | 6144:4cnl1+aJpiswmam9gu8lv02jo9eZSFZexjLR/sZRqKRJoOmoeNmHcitJ1:4cnd/wYO02c9eZlJ+IKvhegn1 |

Preview: PK...........X..? .x..........file.exeUT...8.Qf..Tfux..............<..T...o.^....G...a..>=>...?0.DDEMPQA@>.Q..|.z0.m...QVH4.fKM.r..UI..[..YW....Z.....X.5h...D.RQ..=.~..{..e.x..{...{.9..{..6.M.....=z..'..9.L.3..{....<.zi...._....k.C.-.*k...+.]..9:.}......k

| Signature Hits | Behavior Group | Mitre Attack |
|---|---|---|
| Hides that the sample has been downloaded from the Internet (zone.identifier) | Hooking and other Techniques for Hiding and Protection | Hidden Files and Directories |
| Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | |
| Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | |
| Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion | |
| Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion | |
| May sleep (evasive loops) to hinder dynamic analysis | Malware Analysis System Evasion | |
| Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | |
| Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion |
| Creates guard pages, often used to prevent reverse engineering and debugging | Anti Debugging | |
| Creates mutexes | System Summary | |
| Queries a list of all running processes | Malware Analysis System Evasion | |
| Queries the cryptographic machine GUID | Language, Device and Operating System Detection | System Information Discovery |
| Tries to load missing DLLs | System Summary | |
| Uses an in-process (OLE) Automation server | System Summary | |
| Uses Microsoft Silverlight | System Summary | |

| File | Type | Category | Verdict |
|---|---|---|---|
| C:\Users\user\AppData\Local\star.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |

| Property | Value |
|---|---|
| File | C:\Users\user\AppData\Local\star.exe |
| Category | dropped |
| Dump | star.exe.15.dr |
| ID | dr_1 |
| Target ID | 15 |
| Process | C:\Windows\SysWOW64\cmd.exe |
| Type | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| Entropy | 6.396843231622265 |
| Encrypted | false |
| Size | 626176 |
| Whitelisted | false |

| Signature Hits | Behavior Group | Mitre Attack |
|---|---|---|
| Antivirus detection for dropped file | AV Detection | |
| Multi AV Scanner detection for dropped file | AV Detection | Security Software Discovery |
| Machine Learning detection for dropped file | AV Detection | |
| Drops PE files | Persistence and Installation Behavior | |
| Creates files inside the user directory | System Summary | |

| File | Type | Category | Verdict |
|---|---|---|---|
| \Device\Null | ASCII text, with CRLF line terminators | dropped | |

| Property | Value |
|---|---|
| File | \Device\Null |
| Category | dropped |
| Dump | Null.21.dr |
| ID | dr_3 |
| Target ID | 21 |
| Process | C:\Windows\SysWOW64\PING.EXE |
| Type | ASCII text, with CRLF line terminators |
| Entropy | 4.647354968007433 |
| Encrypted | false |
| Size | 926 |
| Whitelisted | false |