anchordns | aa2e06be6aed2cf9a4445cc3a239fb87e069e5e693c555e1e2a651970f725af5

Sharing

Copy URL

Twitter E-mail

General

Target

aa2e06be6aed2cf9a4445cc3a239fb87e069e5e693c555e1e2a651970f725af5
Size

272KB
MD5

0bb5cb4fbbca83140bb69bbd5421b276
SHA1

26092cebf3f892fcc32c0dc311718901ee3fcb42
SHA256

aa2e06be6aed2cf9a4445cc3a239fb87e069e5e693c555e1e2a651970f725af5
SHA512

0433842b1e76545485431787ce4e127f40d835506a6b26328da6e217755974012ae37579dccd10273a8668d3391eca448ec31f0af3fe761ebbe04ee4cbadff06
SSDEEP

3072:h/YfCR8Mbcx0zPUeGMw70JXBRdTqltV4JKeK5n8Q3nT:hgflScx0zPC70J+VNeKn3nT

Score

10^/10

backdoor anchordns

Malware Config

Signatures

Anchordns family
anchordns

Detected AnchorDNS Backdoor 1 IoCs

Sample triggered yara rules associated with the AnchorDNS malware family.

backdoor

resource	yara_rule
sample	family_anchor_dns

Files

aa2e06be6aed2cf9a4445cc3a239fb87e069e5e693c555e1e2a651970f725af5
.exe windows x64

8db6cf2ede2b203104185a1388b19a7b

Code Sign

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetProcAddress
LoadLibraryA
WideCharToMultiByte
CloseHandle
SetEvent
WaitForSingleObject
CreateEventW
EnterCriticalSection
LeaveCriticalSection
ReleaseMutex
InitializeCriticalSection
DeleteCriticalSection
lstrlenW
CreateFileA
GetModuleHandleA
DeleteFileA
DeleteFileW
ReadFile
WriteFile
GetTempPathA
GetTempFileNameA
TerminateThread
CreateProcessW
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryW
GetShortPathNameA
MultiByteToWideChar
SetFilePointer
GetSystemTimeAsFileTime
FreeLibrary
GetComputerNameExW
GetTickCount
GetCurrentProcess
GetLastError
CreateFileW
CreateDirectoryA
GetCurrentProcessId
QueryPerformanceCounter
VirtualQuery
GetProcessHeap
HeapFree
HeapAlloc
GetStartupInfoW
RaiseException
IsDebuggerPresent
GetModuleHandleW
WaitForSingleObjectEx
ResetEvent
InitializeCriticalSectionAndSpinCount
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetCurrentThreadId
InitializeSListHead

advapi32

RegQueryValueExW
RegOpenKeyExW
RegCloseKey
SetServiceStatus
RegisterServiceCtrlHandlerW
RegSetValueExW

msvcp140d

?_Xlength_error@std@@YAXPEBD@Z
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z

ws2_32

sendto
closesocket
connect
ioctlsocket
htons
inet_addr
setsockopt
shutdown
socket
WSAStartup
WSACleanup
WSAGetLastError
WSAPoll
__WSAFDIsSet
inet_ntoa
ntohs
recvfrom
select

winhttp

WinHttpCloseHandle
WinHttpAddRequestHeaders
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpOpenRequest
WinHttpOpen
WinHttpSetOption
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpConnect

rpcrt4

UuidCreate
RpcStringFreeA
UuidToStringA

vcruntime140d

__std_exception_destroy
__std_exception_copy
__C_specific_handler_noexcept
__vcrt_LoadLibraryExW
__std_type_info_destroy_list
__vcrt_GetModuleHandleW
__vcrt_GetModuleFileNameW
strrchr
__CxxFrameHandler3
memcmp
memcpy
memmove
memset
strchr
__C_specific_handler
wcschr
_CxxThrowException

ucrtbased

_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_crt_atexit
_crt_at_quick_exit
_cexit
terminate
strcpy_s
_seh_filter_exe
_set_app_type
__setusermatherr
_get_initial_narrow_environment
_initterm
_initterm_e
exit
_exit
_set_fmode
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
_configthreadlocale
_set_new_mode
__p__commode
_free_dbg
_wmakepath_s
_wsplitpath_s
_invalid_parameter
malloc
_CrtDbgReportW
__stdio_common_vswprintf_s
_wtol
_wcsnicmp
_beginthreadex
atol
wcsncmp
wcslen
wcscmp
wcscpy_s
wcscat_s
_ltoa_s
rand
srand
strlen
strcat_s
_errno
__stdio_common_vsprintf_s
_CrtDbgReport
_invalid_parameter_noinfo
_callnewh

Exports

Exports

ServiceMain
SvchostPushServiceGlobals

Sections

.textbss
Size: - Virtual size: 71KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 174KB - Virtual size: 174KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 65KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.msvcjmc
Size: 1024B - Virtual size: 703B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 1024B - Virtual size: 777B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.00cfg
Size: 512B - Virtual size: 283B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8db6cf2ede2b203104185a1388b19a7b

Code Sign

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

msvcp140d

ws2_32

winhttp

rpcrt4

vcruntime140d

ucrtbased

Exports

Exports

Sections

.textbss Size: - Virtual size: 71KB

.text Size: 174KB - Virtual size: 174KB

.rdata Size: 65KB - Virtual size: 64KB

.data Size: 1KB - Virtual size: 5KB

.pdata Size: 15KB - Virtual size: 15KB

.idata Size: 8KB - Virtual size: 8KB

.msvcjmc Size: 1024B - Virtual size: 703B

.tls Size: 1024B - Virtual size: 777B

.00cfg Size: 512B - Virtual size: 283B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 2KB - Virtual size: 1KB

.textbss
Size: - Virtual size: 71KB

.text
Size: 174KB - Virtual size: 174KB

.rdata
Size: 65KB - Virtual size: 64KB

.data
Size: 1KB - Virtual size: 5KB

.pdata
Size: 15KB - Virtual size: 15KB

.idata
Size: 8KB - Virtual size: 8KB

.msvcjmc
Size: 1024B - Virtual size: 703B

.tls
Size: 1024B - Virtual size: 777B

.00cfg
Size: 512B - Virtual size: 283B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 2KB - Virtual size: 1KB