hermeticwiper | 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767

Sharing

Copy URL

Twitter E-mail

General

Target

3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
Size

114KB
MD5

decc2726599edcae8d1d1d0ca99d83a6
SHA1

0d8cc992f279ec45e8b8dfd05a700ff1f0437f29
SHA256

3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
SHA512

1096ccabe0c99ab73bbc92c645814b6590f5a925801eb3a97e9930e3bc668738f8852e83628474836ba15983b6660eb5c2f2741e925d16877991ca89be47f49a

Score

10^/10

wiper hermeticwiper

Malware Config

Signatures

Detect HermeticWiper 1 IoCs
Detect HermeticWiper Payload.
wiper

Processes:

resource yara_rule

sample family_hermeticwiper
Hermeticwiper family
hermeticwiper

resource	yara_rule
sample	family_hermeticwiper

Files

3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
.exe windows x86

4233d97404e1fecedef6a46e0f7c09b9

Code Sign

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

13-04-2021 00:00

Not After

14-04-2022 23:59

Subject

SERIALNUMBER=HE 419469,CN=Hermetica Digital Ltd,O=Hermetica Digital Ltd,L=Nicosia,C=CY,1.3.6.1.4.1.311.60.2.1.3=#13024359,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18-04-2012 12:00

Not After

18-04-2027 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

62:11:6f:43:42:0e:54:1e:8f:e7:f8:0c:43:ad:4b:2e:6e:20:ba:56
Signer

Actual PE Digest

62:11:6f:43:42:0e:54:1e:8f:e7:f8:0c:43:ad:4b:2e:6e:20:ba:56

Digest Algorithm

sha1

PE Digest Matches

false

Signature Validations

Trusted

true

Verification

Signing Certificate

SERIALNUMBER=HE 419469,CN=Hermetica Digital Ltd,O=Hermetica Digital Ltd,L=Nicosia,C=CY,1.3.6.1.4.1.311.60.2.1.3=#13024359,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

17-03-2022 16:10
Valid: true

Chain 1

SERIALNUMBER=HE 419469,CN=Hermetica Digital Ltd,O=Hermetica Digital Ltd,L=Nicosia,C=CY,1.3.6.1.4.1.311.60.2.1.3=#13024359,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

shlwapi

StrStrW
StrRChrW
StrChrW
StrToIntW
PathAddExtensionW
PathFindExtensionW
PathFileExistsW
StrCatBuffW
PathAddBackslashW
PathAppendW
StrStrIW
StrCmpNW
wnsprintfW
StrStrA

lz32

LZClose
LZCopy
LZOpenFileW

msvcrt

towupper
wcsncpy
memcpy
_except_handler3
memset

kernel32

HeapAlloc
GetProcessHeap
DeviceIoControl
GetLastError
HeapReAlloc
HeapFree
lstrcmpA
GetSystemTimeAsFileTime
CreateFileW
CloseHandle
SetFilePointerEx
ReadFile
GetDiskFreeSpaceW
lstrlenW
WriteFile
FlushFileBuffers
CreateThread
WaitForMultipleObjects
GetModuleHandleW
GetProcAddress
GetCurrentProcess
VerSetConditionMask
VerifyVersionInfoW
FindResourceW
LoadResource
LockResource
SizeofResource
GetSystemDirectoryW
Sleep
WaitForSingleObject
SetThreadPriority
FindFirstFileW
FindNextFileW
FindClose
GetLogicalDriveStringsW
SetLastError
GetCommandLineW
GetModuleFileNameW
CreateEventW
SetEvent
ExitProcess
GetCurrentProcessId
GetFileInformationByHandle
DeleteFileW

user32

wsprintfW
CharLowerW

advapi32

InitiateSystemShutdownExW
ControlService
CloseServiceHandle
DeleteService
StartServiceW
ChangeServiceConfigW
QueryServiceStatus
CreateServiceW
OpenServiceW
OpenSCManagerW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegDeleteKeyW
CryptReleaseContext
CryptGenRandom
CryptAcquireContextW
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyW
RegCloseKey
RegSetValueExW

shell32

CommandLineToArgvW

Sections

.text
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 900B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 87KB - Virtual size: 86KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 912B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4233d97404e1fecedef6a46e0f7c09b9

Code Sign

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ecCertificate

Extended Key Usages

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

62:11:6f:43:42:0e:54:1e:8f:e7:f8:0c:43:ad:4b:2e:6e:20:ba:56Signer

Signature Validations

Verification

17-03-2022 16:10 Valid: true

Chain 1

Headers

DLL Characteristics

File Characteristics

Imports

shlwapi

lz32

msvcrt

kernel32

user32

advapi32

shell32

Sections

.text Size: 16KB - Virtual size: 15KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 512B - Virtual size: 900B

.rsrc Size: 87KB - Virtual size: 86KB

.reloc Size: 1024B - Virtual size: 912B

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

62:11:6f:43:42:0e:54:1e:8f:e7:f8:0c:43:ad:4b:2e:6e:20:ba:56
Signer

17-03-2022 16:10
Valid: true

.text
Size: 16KB - Virtual size: 15KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 512B - Virtual size: 900B

.rsrc
Size: 87KB - Virtual size: 86KB

.reloc
Size: 1024B - Virtual size: 912B