hermeticwiper | 84eda1c70305436d1f9567e274b95f6f3a22e0c9dfbb1b70b8a97febf9bb5d18

Sharing

Copy URL

Twitter E-mail

General

Target

84eda1c70305436d1f9567e274b95f6f3a22e0c9dfbb1b70b8a97febf9bb5d18
Size

776KB
MD5

3f37fb6bb24b85a00177bce8911b89c6
SHA1

23b4c25c221c6393cc47cc234ceeb23094fdfee1
SHA256

84eda1c70305436d1f9567e274b95f6f3a22e0c9dfbb1b70b8a97febf9bb5d18
SHA512

c19bc482a09506b2cacdf8d24abc50bc732d8e6912faa21a5ff43d0b3b06ec5f2a1fb7dc13faa7fee5cdebc4df9bdb226f2a561a44726e20e88c69887d9faa63
SSDEEP

24576:b5Z9nTNvkUHEK97kgGAZhk0tRmeuJfFtcEnX9:b79nTN7h7k+ZhntbubCEnt

Score

10^/10

worm wiper hermeticwiper

Malware Config

Signatures

Detect HermeticWiper 1 IoCs

Detect HermeticWiper Payload.

wiper

Processes:

resource	yara_rule
static1/unpack001/files/Wiper.exe	family_hermeticwiper

Detect HermeticWizard 1 IoCs

Detect HermeticWizard Payload.

worm

Processes:

resource	yara_rule
static1/unpack001/files/Manager.dll	family_hermeticwizard

Hermeticwiper family
hermeticwiper

Files

84eda1c70305436d1f9567e274b95f6f3a22e0c9dfbb1b70b8a97febf9bb5d18
.zip
files/Manager.dll
.dll regsvr32 windows x86

e099d3524b6906cf8460b4e6db0b11f2

Code Sign

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

13-04-2021 00:00

Not After

14-04-2022 23:59

Subject

SERIALNUMBER=HE 419469,CN=Hermetica Digital Ltd,O=Hermetica Digital Ltd,L=Nicosia,C=CY,1.3.6.1.4.1.311.60.2.1.3=#13024359,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18-04-2012 12:00

Not After

18-04-2027 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

98:ea:94:e6:f3:a0:68:a7:61:02:5e:4a:70:24:b6:a3:c4:df:f9:65
Signer

Actual PE Digest

98:ea:94:e6:f3:a0:68:a7:61:02:5e:4a:70:24:b6:a3:c4:df:f9:65

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

SERIALNUMBER=HE 419469,CN=Hermetica Digital Ltd,O=Hermetica Digital Ltd,L=Nicosia,C=CY,1.3.6.1.4.1.311.60.2.1.3=#13024359,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

30-06-2022 15:34
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

InitializeCriticalSectionEx
Thread32First
SuspendThread
ResumeThread
OpenProcess
CreateToolhelp32Snapshot
WaitForSingleObjectEx
RaiseException
DecodePointer
CreateProcessW
OpenThread
GetExitCodeProcess
MultiByteToWideChar
WideCharToMultiByte
GetCurrentProcess
GetModuleFileNameW
GetProcessId
GetCurrentThreadId
DuplicateHandle
GetModuleHandleA
GetLocalTime
GetCurrentDirectoryW
GetWindowsDirectoryW
GetComputerNameExA
VirtualQuery
GetSystemDirectoryW
GetExitCodeThread
TerminateThread
CreateThread
SizeofResource
FindResourceA
LockResource
LoadResource
WriteConsoleW
SetEndOfFile
FlushFileBuffers
SleepEx
Sleep
GetTickCount
GetProcessHeap
HeapAlloc
HeapSize
HeapFree
CloseHandle
GetLastError
Thread32Next
CreateNamedPipeW
DeleteCriticalSection
LocalFree
InitializeCriticalSection
SetStdHandle
HeapReAlloc
SetConsoleCtrlHandler
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
SetEnvironmentVariableW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetCPInfo
GetOEMCP
IsValidCodePage
FindNextFileW
FindNextFileA
FindFirstFileExW
FindFirstFileExA
FindClose
GetConsoleCP
WriteFile
OutputDebugStringA
ReadConsoleW
GetConsoleMode
SetFilePointerEx
GetStringTypeW
GetFileType
GetStdHandle
GetACP
GetCurrentThread
GetModuleFileNameA
GetModuleHandleExW
ExitProcess
ReadFile
LoadLibraryExW
TlsFree
TerminateProcess
FreeLibrary
LoadLibraryW
GetProcAddress
VerifyVersionInfoW
CreateFileW
VerSetConditionMask
TlsSetValue
TlsGetValue
TlsAlloc
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
EncodePointer
SetLastError
InterlockedFlushSList
InterlockedPushEntrySList
RtlUnwind
OutputDebugStringW
InitializeSListHead
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime

user32

UnregisterClassA

advapi32

FreeSid
GetLengthSid
InitializeAcl
OpenProcessToken
GetTokenInformation
RegSetValueExW
RegQueryValueExW
SetSecurityDescriptorDacl
RegCloseKey
AllocateAndInitializeSid
RegCreateKeyExW
InitializeSecurityDescriptor
AddAccessAllowedAce

shell32

CommandLineToArgvW

ole32

CoInitializeSecurity
CoInitializeEx
CoSetProxyBlanket
CoUninitialize
CoCreateInstance

oleaut32

VariantClear
VariantInit
SysFreeString
SysAllocString

ws2_32

htons
ioctlsocket
WSAGetLastError
WSACleanup
WSAStartup
getsockopt
getaddrinfo
inet_addr
WSAAddressToStringW
htonl
freeaddrinfo
ntohl
connect
setsockopt
select
closesocket
__WSAFDIsSet
recv
WSAStringToAddressA
send
shutdown
socket

mpr

WNetCancelConnection2W
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WNetAddConnection2W

iphlpapi

GetIpNetTable
GetAdaptersAddresses
GetTcpTable

dnsapi

DnsQuery_W
DnsFree

netapi32

NetServerEnum
NetApiBufferFree

crypt32

CertNameToStrA

secur32

FreeContextBuffer
InitializeSecurityContextA
DeleteSecurityContext
QueryContextAttributesA
ApplyControlToken

rpcrt4

UuidCreate

Exports

Exports

DllInstall
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 305KB - Virtual size: 305KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 59KB - Virtual size: 58KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 297KB - Virtual size: 296KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
files/Wiper.exe
.exe windows x86

4233d97404e1fecedef6a46e0f7c09b9

Code Sign

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

13-04-2021 00:00

Not After

14-04-2022 23:59

Subject

SERIALNUMBER=HE 419469,CN=Hermetica Digital Ltd,O=Hermetica Digital Ltd,L=Nicosia,C=CY,1.3.6.1.4.1.311.60.2.1.3=#13024359,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18-04-2012 12:00

Not After

18-04-2027 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e0:71:1b:51:ca:fc:5e:0b:87:8a:c5:8b:d8:2f:a5:34:56:08:04:26
Signer

Actual PE Digest

e0:71:1b:51:ca:fc:5e:0b:87:8a:c5:8b:d8:2f:a5:34:56:08:04:26

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

SERIALNUMBER=HE 419469,CN=Hermetica Digital Ltd,O=Hermetica Digital Ltd,L=Nicosia,C=CY,1.3.6.1.4.1.311.60.2.1.3=#13024359,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

30-06-2022 15:34
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

shlwapi

StrStrW
StrRChrW
StrChrW
StrToIntW
PathAddExtensionW
PathFindExtensionW
PathFileExistsW
StrCatBuffW
PathAddBackslashW
PathAppendW
StrStrIW
StrCmpNW
wnsprintfW
StrStrA

lz32

LZClose
LZCopy
LZOpenFileW

msvcrt

towupper
wcsncpy
memcpy
_except_handler3
memset

kernel32

HeapAlloc
GetProcessHeap
DeviceIoControl
GetLastError
HeapReAlloc
HeapFree
lstrcmpA
GetSystemTimeAsFileTime
CreateFileW
CloseHandle
SetFilePointerEx
ReadFile
GetDiskFreeSpaceW
lstrlenW
WriteFile
FlushFileBuffers
CreateThread
WaitForMultipleObjects
GetModuleHandleW
GetProcAddress
GetCurrentProcess
VerSetConditionMask
VerifyVersionInfoW
FindResourceW
LoadResource
LockResource
SizeofResource
GetSystemDirectoryW
Sleep
WaitForSingleObject
SetThreadPriority
FindFirstFileW
FindNextFileW
FindClose
GetLogicalDriveStringsW
SetLastError
GetCommandLineW
GetModuleFileNameW
CreateEventW
SetEvent
ExitProcess
GetCurrentProcessId
GetFileInformationByHandle
DeleteFileW

user32

wsprintfW
CharLowerW

advapi32

InitiateSystemShutdownExW
ControlService
CloseServiceHandle
DeleteService
StartServiceW
ChangeServiceConfigW
QueryServiceStatus
CreateServiceW
OpenServiceW
OpenSCManagerW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegDeleteKeyW
CryptReleaseContext
CryptGenRandom
CryptAcquireContextW
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyW
RegCloseKey
RegSetValueExW

shell32

CommandLineToArgvW

Sections

.text
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 900B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 87KB - Virtual size: 86KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 912B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
files/spreaderA.dll
.dll windows x86

0efd6cfc0613f20a06fa0746b2d5b8bc

Code Sign

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

13-04-2021 00:00

Not After

14-04-2022 23:59

Subject

SERIALNUMBER=HE 419469,CN=Hermetica Digital Ltd,O=Hermetica Digital Ltd,L=Nicosia,C=CY,1.3.6.1.4.1.311.60.2.1.3=#13024359,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18-04-2012 12:00

Not After

18-04-2027 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ad:b3:b2:23:74:7f:66:12:cc:20:e3:73:83:d0:9f:3a:49:a1:b2:86
Signer

Actual PE Digest

ad:b3:b2:23:74:7f:66:12:cc:20:e3:73:83:d0:9f:3a:49:a1:b2:86

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

SERIALNUMBER=HE 419469,CN=Hermetica Digital Ltd,O=Hermetica Digital Ltd,L=Nicosia,C=CY,1.3.6.1.4.1.311.60.2.1.3=#13024359,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

30-06-2022 15:34
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

VirtualQuery
lstrcmpW
Sleep
LocalFree
ExitProcess
GetModuleHandleW
CopyFileW
InitializeCriticalSectionAndSpinCount
RaiseException
DecodePointer
GetProcAddress
GetCurrentThreadId
GetCurrentProcess
WideCharToMultiByte
MultiByteToWideChar
DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetProcessHeap
HeapAlloc
HeapSize
HeapFree
CloseHandle
GetLastError
CreateFileW
DeleteFileW
WriteConsoleW
FlushFileBuffers
SetStdHandle
HeapReAlloc
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetCPInfo
GetOEMCP
IsValidCodePage
FindNextFileA
FindFirstFileExA
FindClose
LCMapStringW
GetConsoleCP
IsProcessorFeaturePresent
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeSListHead
TerminateProcess
OutputDebugStringW
InterlockedFlushSList
SetLastError
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
RtlUnwind
GetModuleHandleExW
GetModuleFileNameA
GetACP
GetStdHandle
GetFileType
GetStringTypeW
SetFilePointerEx
GetConsoleMode
WriteFile

advapi32

CreateServiceW
QueryServiceStatus
OpenSCManagerW
DeleteService
ControlService
StartServiceW
OpenServiceW
CloseServiceHandle
ImpersonateLoggedOnUser
LogonUserW
EqualSid
OpenProcessToken
GetTokenInformation
AllocateAndInitializeSid
FreeSid

shell32

CommandLineToArgvW

ole32

CoCreateInstance
CoInitializeSecurity
CoInitializeEx
CoSetProxyBlanket
CoCreateGuid
CoUninitialize

oleaut32

VariantClear
SysAllocString
SysAllocStringByteLen
SysStringByteLen
SysFreeString
VariantInit

ws2_32

WSAAddressToStringW
getaddrinfo
inet_addr
freeaddrinfo

mpr

WNetCancelConnection2W
WNetAddConnection2W

Sections

.text
Size: 79KB - Virtual size: 79KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
files/spreaderB.dll
.dll windows x86

0802be27b58612f1b2648b8a57d1acfd

Code Sign

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

13-04-2021 00:00

Not After

14-04-2022 23:59

Subject

SERIALNUMBER=HE 419469,CN=Hermetica Digital Ltd,O=Hermetica Digital Ltd,L=Nicosia,C=CY,1.3.6.1.4.1.311.60.2.1.3=#13024359,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18-04-2012 12:00

Not After

18-04-2027 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

88:2b:f0:7e:fb:c7:85:96:fd:bc:e0:e5:1d:b0:6e:b3:51:14:ec:fb
Signer

Actual PE Digest

88:2b:f0:7e:fb:c7:85:96:fd:bc:e0:e5:1d:b0:6e:b3:51:14:ec:fb

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

SERIALNUMBER=HE 419469,CN=Hermetica Digital Ltd,O=Hermetica Digital Ltd,L=Nicosia,C=CY,1.3.6.1.4.1.311.60.2.1.3=#13024359,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

30-06-2022 15:34
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetModuleFileNameW
GetProcessId
GetCurrentThreadId
DuplicateHandle
GetModuleHandleA
GetLocalTime
GetCurrentDirectoryW
GetWindowsDirectoryW
GetCurrentProcess
GetModuleHandleW
GetComputerNameExA
VirtualQuery
ReadFile
LocalAlloc
LocalFree
GetFileSize
ExitProcess
WaitForSingleObjectEx
WideCharToMultiByte
MultiByteToWideChar
DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetProcessHeap
HeapAlloc
HeapSize
HeapFree
CloseHandle
GetLastError
CreateFileW
GetProcAddress
CreateNamedPipeW
OutputDebugStringW
OutputDebugStringA
DecodePointer
SetEndOfFile
HeapReAlloc
WriteConsoleW
FlushFileBuffers
SetStdHandle
SetConsoleCtrlHandler
SetEnvironmentVariableW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetCPInfo
GetOEMCP
IsValidCodePage
FindNextFileW
FindNextFileA
FindFirstFileExW
CreateThread
FindFirstFileExA
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
TerminateProcess
RtlUnwind
RaiseException
InterlockedPushEntrySList
InterlockedFlushSList
SetLastError
EncodePointer
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
GetModuleHandleExW
GetModuleFileNameA
GetCurrentThread
GetACP
GetStdHandle
GetFileType
GetStringTypeW
SetFilePointerEx
GetConsoleMode
ReadConsoleW
WriteFile
GetConsoleCP
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FindClose

advapi32

EqualSid
OpenProcessToken
GetTokenInformation
RegSetValueExW
RegQueryValueExW
SetSecurityDescriptorDacl
RegCloseKey
AllocateAndInitializeSid
RegCreateKeyExW
FreeSid
InitializeSecurityDescriptor
InitializeAcl
GetLengthSid
AddAccessAllowedAce

shell32

CommandLineToArgvW

ole32

CoCreateGuid

ws2_32

socket
connect
recv
WSACleanup
WSAStartup
send
closesocket
inet_addr
WSAAddressToStringW
htonl
freeaddrinfo
ntohl
WSAStringToAddressA
select
getaddrinfo

mpr

WNetAddConnection2W
WNetCancelConnection2W

Sections

.text
Size: 279KB - Virtual size: 279KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 42KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e099d3524b6906cf8460b4e6db0b11f2

Code Sign

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ecCertificate

Extended Key Usages

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

98:ea:94:e6:f3:a0:68:a7:61:02:5e:4a:70:24:b6:a3:c4:df:f9:65Signer

Signature Validations

Verification

30-06-2022 15:34 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

oleaut32

ws2_32

mpr

iphlpapi

dnsapi

netapi32

crypt32

secur32

rpcrt4

Exports

Exports

Sections

.text Size: 305KB - Virtual size: 305KB

.rdata Size: 59KB - Virtual size: 58KB

.data Size: 3KB - Virtual size: 8KB

.rsrc Size: 297KB - Virtual size: 296KB

.reloc Size: 12KB - Virtual size: 12KB

4233d97404e1fecedef6a46e0f7c09b9

Code Sign

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ecCertificate

Extended Key Usages

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

e0:71:1b:51:ca:fc:5e:0b:87:8a:c5:8b:d8:2f:a5:34:56:08:04:26Signer

Signature Validations

Verification

30-06-2022 15:34 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

shlwapi

lz32

msvcrt

kernel32

user32

advapi32

shell32

Sections

.text Size: 16KB - Virtual size: 15KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 512B - Virtual size: 900B

.rsrc Size: 87KB - Virtual size: 86KB

.reloc Size: 1024B - Virtual size: 912B

0efd6cfc0613f20a06fa0746b2d5b8bc

Code Sign

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ecCertificate

Extended Key Usages

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

98:ea:94:e6:f3:a0:68:a7:61:02:5e:4a:70:24:b6:a3:c4:df:f9:65
Signer

30-06-2022 15:34
Valid: false

.text
Size: 305KB - Virtual size: 305KB

.rdata
Size: 59KB - Virtual size: 58KB

.data
Size: 3KB - Virtual size: 8KB

.rsrc
Size: 297KB - Virtual size: 296KB

.reloc
Size: 12KB - Virtual size: 12KB

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

e0:71:1b:51:ca:fc:5e:0b:87:8a:c5:8b:d8:2f:a5:34:56:08:04:26
Signer

30-06-2022 15:34
Valid: false

.text
Size: 16KB - Virtual size: 15KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 512B - Virtual size: 900B

.rsrc
Size: 87KB - Virtual size: 86KB

.reloc
Size: 1024B - Virtual size: 912B

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

ad:b3:b2:23:74:7f:66:12:cc:20:e3:73:83:d0:9f:3a:49:a1:b2:86
Signer

30-06-2022 15:34
Valid: false

.text
Size: 79KB - Virtual size: 79KB

.rdata
Size: 28KB - Virtual size: 28KB

.data
Size: 2KB - Virtual size: 4KB

.reloc
Size: 4KB - Virtual size: 4KB

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

88:2b:f0:7e:fb:c7:85:96:fd:bc:e0:e5:1d:b0:6e:b3:51:14:ec:fb
Signer

30-06-2022 15:34
Valid: false

.text
Size: 279KB - Virtual size: 279KB

.rdata
Size: 42KB - Virtual size: 41KB

.data
Size: 3KB - Virtual size: 8KB

.reloc
Size: 10KB - Virtual size: 10KB