Cryptam // document analysis


Sample Details

original filename: PhotoCode.zip

size: 1808717 bytes
submitted: 2017-05-14 18:02:01
md5: 19525332a2d862ab3ece3a0ffc6fdf66
sha1: 1dd2450020ed25a603043887c462341251ab55d0
sha256: 3ba95580a2f34d86c5425d1ad0e5cef16e3d724f79ecac2de616318b0ec4c05e
ssdeep: 49152:14VqpdTnqqqqIbp99AjiiJ5PksyzFAl9x5XtOrVpIN:1iqpxqf9Ajig5PkFyt5XorV6N
content/type: Zip archive data, at least v2.0 to extract
analysis time: 0.00 s
result: malware [170]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file dcraw.exe e82f102d36e481070c12bebe74b5fbfc
dcraw.exe.78: string.This program cannot be run in DOS mode
dcraw.exe.357052: string.LoadLibraryA
dcraw.exe.356556: string.GetModuleHandleA
dcraw.exe.356072: string.GetCommandLineA
dcraw.exe.356118: string.GetProcAddress
dcraw.exe.355920: string.EnterCriticalSection
dcraw.exe.356790: string.CloseHandle
dcraw.exe.356868: string.CreateFileA
dcraw.exe.327196: string.KERNEL32
dcraw.exe.326979: string.ExitProcess
embedded.file PhotoCode.exe 33c0b0c8dd557db1a8d850566bf5b3a0
PhotoCode.exe.78: string.This program cannot be run in DOS mode
PhotoCode.exe.400308: string.LoadLibraryA
PhotoCode.exe.400258: string.GetModuleHandleA
PhotoCode.exe.400277: string.GetProcAddress
PhotoCode.exe.400173: string.user32.dll
PhotoCode.exe.400220: string.shell32.dll
PhotoCode.exe.400294: string.ExitProcess


Dropped Files

dcraw.exe at zip
md5: e82f102d36e481070c12bebe74b5fbfc
sha1: 3465c1690281e6d18668a361ae0cc4e0f2c0863e
sha256: 7765e0cf377ad846259ef41c646c64938498784981eac8dee4e366caa3596f79

PhotoCode.exe at zip
md5: 33c0b0c8dd557db1a8d850566bf5b3a0
sha1: 06b15073c1f6beb9b96f1313fe8c188e55a81f55
sha256: 05dbf5b44959834f68017589c5b1bbf4bd400ea4f845a4d3230aef0b3026c312