Cryptam // document analysis


Sample Details

original filename: 39e71cd60e8beb04a23f3ca57d898826ff386aeec467ff726748baa288ce21ab

size: 420497 bytes
submitted: 2017-07-12 17:32:27
md5: 2d5f468c99dbec280435d402da52e0a1
sha1: e441fe154f85f3b5d395a72b87125cf6f61bc66c
sha256: 39e71cd60e8beb04a23f3ca57d898826ff386aeec467ff726748baa288ce21ab
ssdeep: 6144:gYWOwwPfo8mc9kAoOmV2qfxp9+RcaoTagOUC0u+3EqONcCvNouIKq3ypr:gqwIVmQynht4cPq0u+3ySv3i
content/type: Zip archive data, at least v2.0 to extract
analysis time: 0.00 s
result: malware [300]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file image1.eps d620f1b85b91ccd2fa862d5e83c81cd0
image1.eps.embedded.file datastore-10017838 24fedfe1aafe96ea3fc12a9eed02ebcc
image1.eps.datastore-10017838.86: string.This program cannot be run in DOS mode
image1.eps.datastore-10017838.5980: string.LoadLibraryA
image1.eps.datastore-10017838.36994: string.GetModuleHandleA
image1.eps.datastore-10017838.36822: string.GetCommandLineA
image1.eps.datastore-10017838.5962: string.GetProcAddress
image1.eps.datastore-10017838.5096: string.CreateProcessA
image1.eps.datastore-10017838.36638: string.EnterCriticalSection
image1.eps.datastore-10017838.5996: string.CloseHandle
image1.eps.datastore-10017838.5898: string.CreateFileA
image1.eps.datastore-10017838.37784: string.user32.dll
image1.eps.datastore-10017838.37772: string.shell32.dll
image1.eps.datastore-10017838.6040: string.KERNEL32
image1.eps.datastore-10017838.36738: string.ExitProcess
image1.eps.datastore-10017838.dropped.file exe 9be2819ee2552ffb745e272786abedcf / 6720 bytes / @ 8
image1.eps.datastore-10017838.dropped.file exe 993b96a6fa5cff0a939391f90e5802ba / 116680 bytes / @ 6728
image1.eps.embedded.file datastore-10287356 256eba9300e726b9415e926f6a1021a1
image1.eps.datastore-10287356.86: string.This program cannot be run in DOS mode
image1.eps.datastore-10287356.27246: string.LoadLibraryA
image1.eps.datastore-10287356.26960: string.GetModuleHandleA
image1.eps.datastore-10287356.26534: string.GetCommandLineA
image1.eps.datastore-10287356.27228: string.GetProcAddress
image1.eps.datastore-10287356.26422: string.CreateProcessA
image1.eps.datastore-10287356.27104: string.EnterCriticalSection
image1.eps.datastore-10287356.26980: string.GetEnvironmentVariableA
image1.eps.datastore-10287356.26440: string.CloseHandle
image1.eps.datastore-10287356.26466: string.CreateFileA
image1.eps.datastore-10287356.25736: string.user32.dll
image1.eps.datastore-10287356.59796: string.shell32.dll
image1.eps.datastore-10287356.26518: string.KERNEL32
image1.eps.datastore-10287356.26566: string.ExitProcess
image1.eps.datastore-10287356.dropped.file exe f103b1946954a6e2b905a92891135809 / 28744 bytes / @ 8
image1.eps.datastore-10287356.dropped.file exe cec4e0357e584d4661f04a8825658255 / 77760 bytes / @ 28752
image1.eps.10267973: exploit.office PostScript CVE-2015-2545
image1.eps.10007725: string.KERNEL32
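The "dropped.file exe ... / <size> bytes / @ <offset>" lines above are what a scanner emits after carving PE images out of the EPS datastores and matching strings inside them. The Python below is an added example of that carving step, not Cryptam's code: it walks a blob for MZ/PE headers, sizes each image from SizeOfHeaders and the section table, hashes it and reports which of the API strings listed in the hits it contains. The `build_fake_pe` helper, the `INDICATOR_STRINGS` list and `SAMPLE_BLOB` are constructed here for the demonstration; the offsets and hashes it prints belong to that constructed input, not to this sample.

```python
"""Carve embedded PE images out of an opaque blob and triage them.

Added example (not Cryptam's code). Mirrors the report's
"dropped.file exe <md5> / <size> bytes / @ <offset>" lines: find each
MZ/PE header, size the image from its headers, hash it and record which
indicator strings it carries. The blob at the bottom is constructed.
"""
import hashlib
import struct

# Strings the report flagged inside the carved executables.
INDICATOR_STRINGS = [
    b"This program cannot be run in DOS mode", b"LoadLibraryA",
    b"GetProcAddress", b"GetModuleHandleA", b"GetCommandLineA",
    b"CreateProcessA", b"CreateFileA", b"CloseHandle", b"ExitProcess",
    b"GetEnvironmentVariableA", b"KERNEL32", b"user32.dll", b"shell32.dll",
]


def pe_size(blob: bytes, off: int):
    """Size of the PE image at blob[off:], taken as the larger of
    SizeOfHeaders and the end of the last section's raw data.
    Returns None if there is no well-formed MZ/PE header at off."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", blob, pe + 6)[0]   # COFF +2
    size_opt = struct.unpack_from("<H", blob, pe + 20)[0]      # COFF +16
    sect_table = pe + 24 + size_opt
    if size_opt < 64 or sect_table + 40 * num_sections > len(blob):
        return None
    end = struct.unpack_from("<I", blob, pe + 24 + 60)[0]      # SizeOfHeaders
    for i in range(num_sections):
        # section header: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sect_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_pe(blob: bytes):
    """Return one dict (offset, size, md5, sha256, strings) per PE image
    found in blob. A stray "MZ" that is not followed by a valid PE header
    is skipped rather than carved."""
    found, pos = [], 0
    while True:
        idx = blob.find(b"MZ", pos)
        if idx < 0:
            return found
        size = pe_size(blob, idx)
        if size is None or idx + size > len(blob):
            pos = idx + 1
            continue
        image = blob[idx:idx + size]
        found.append({
            "offset": idx,
            "size": size,
            "md5": hashlib.md5(image).hexdigest(),
            "sha256": hashlib.sha256(image).hexdigest(),
            "strings": [s.decode() for s in INDICATOR_STRINGS if s in image],
        })
        pos = idx + size


def build_fake_pe(payload: bytes, file_align: int = 0x200) -> bytes:
    """Constructed minimal PE32 with one .text section (demo input only)."""
    raw_size = -(-len(payload) // file_align) * file_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 36, file_align)                  # FileAlignment
    struct.pack_into("<I", opt, 60, file_align)                  # SizeOfHeaders
    sect = (b".text\0\0\0"
            + struct.pack("<IIII", len(payload), 0x1000, raw_size, file_align)
            + b"\0" * 16)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(file_align, b"\0")
    return headers + payload.ljust(raw_size, b"\0")


# Constructed sample: an 8-byte prefix holding a stray "MZ" that is not a
# PE, then two images back to back, like "exe at 8" followed by the next.
PAYLOAD_A = (b"This program cannot be run in DOS mode\r\n$" + b"\0" * 64
             + b"KERNEL32\0LoadLibraryA\0GetProcAddress\0CreateProcessA\0")
PAYLOAD_B = (b"This program cannot be run in DOS mode" + b"\0" * 32
             + b"user32.dll\0shell32.dll\0ExitProcess\0")
SAMPLE_BLOB = (b"MZ" + b"\0" * 6) + build_fake_pe(PAYLOAD_A) + build_fake_pe(PAYLOAD_B)

if __name__ == "__main__":
    for hit in carve_pe(SAMPLE_BLOB):
        print(f"dropped.file exe {hit['md5']} / {hit['size']} bytes / @ {hit['offset']}")
        print("  strings:", ", ".join(hit["strings"]))
```

Sizing from the section table rather than searching for the next "MZ" matters for blobs like these datastores: the second image here starts immediately after the first, and a naive split on the next header would also be fooled by the leading bare "MZ" bytes, which `pe_size` rejects because no "PE\0\0" signature follows at e_lfanew.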


Dropped Files

image1.eps at zip
md5: d620f1b85b91ccd2fa862d5e83c81cd0
sha1: f73bedce7eb1cab8f44658966ed93c6a2a6cf4f4
sha256: 19fd24a9337e2cdd7d839c39b4d9dc46a112660b1699737f2d9e46dd012a7a8a

exe at 8
md5: f103b1946954a6e2b905a92891135809
sha1: 8bfeb905804874e2bfaa4ef6e067a19975c852a5
sha256: 17f4ab8da88e13a96c8e646e5629069982ae94399500aa92824c4d4039b8a6d5
imphash: 999eb4cb710944c693a8c8611d4b5685

exe at 28752
md5: cec4e0357e584d4661f04a8825658255
sha1: 4ae0483132bb38873247bd577834b1b26de9f99e
sha256: c6aa00d52c370e114be9dbea3b0a282e7b0ec22f1d63669952806533c810f7fc
imphash: 2a942e55cd12fbb4da839e3a870d69b3

datastore-10287356 at rtf
md5: 256eba9300e726b9415e926f6a1021a1
sha1: f41a92dd484d4174a067fa64551979512ed44fa5
sha256: 5768f560bd9b4e89c507a22188fc962fc55d1b1b5354c3fe536bebc4a83cecbe