Static task: static1
Behavioral task: behavioral1
Sample: SouthPark_TFBW.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: SouthPark_TFBW.exe
Resource: win10v2004-20220414-en
General
Target: SouthPark_TFBW.exe
Size: 220MB
MD5: 15ea6ed6b5eecad1c7fe2724e23cae04
SHA1: 5b62f959871c49a71e4e5d238b651d6ecfef0be4
SHA256: 62f9387ad9055b005683d934271e5b7d511d2e202bb44a2d877a911568119f68
SHA512: 410c53744c911b49aefd33c9501bf6117e84a4b77cb87491165ecb08993d408b2188314afab9be912ed85de122918736dbd2206b0a710e9dd5b85809d00879fd
SSDEEP: 3145728:esFV8bN4rySg2X8/srGyadBvkYrB8TKVR9DkEDJ24bc19TaB1nw:H8Wy0XrOvkkBzDsK
Malware Config
Signatures
CoreEntity .NET Packer (1 IoC)
A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
Processes:
resource: sample, yara_rule: coreentity
Files
SouthPark_TFBW.exe.exe (windows x64) d79766625eb453066680ca095db392f2
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
advapi32
CloseServiceHandle
CryptAcquireContextA
CryptAcquireContextW
CryptGenRandom
CryptReleaseContext
DeregisterEventSource
GetUserNameA
OpenSCManagerA
OpenServiceA
QueryServiceConfigA
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegQueryValueExW
RegisterEventSourceA
ReportEventA
bink2w64
BinkClose
BinkGetFrameBuffersInfo
BinkGetKeyFrame
BinkGoto
BinkOpen
BinkOpenDirectSound
BinkOpenXAudio2
BinkPause
BinkRegisterFrameBuffers
BinkSetFileOffset
BinkSetFrameRate
BinkSetMemory
BinkSetSoundSystem
BinkSetSoundTrack
BinkSetVolume
BinkSetWillLoop
gdi32
CreateDCA
CreateSolidBrush
DeleteDC
DeleteObject
ExtEscape
CreateBitmap
kernel32
AcquireSRWLockExclusive
AcquireSRWLockShared
AddVectoredExceptionHandler
AllocConsole
AttachConsole
CloseHandle
CopyFileA
CreateDirectoryA
CreateDirectoryW
CreateEventA
CreateEventExA
CreateEventW
CreateFileA
CreateFileW
CreateIoCompletionPort
CreateMutexA
CreateProcessA
CreateSemaphoreExW
CreateThread
DeleteCriticalSection
DeleteFileA
EncodePointer
EnterCriticalSection
ExitProcess
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileExA
FindFirstFileW
FindNextFileA
FormatMessageA
FormatMessageW
FreeLibrary
GetACP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetComputerNameA
GetComputerNameExA
GetConsoleMode
GetCurrentDirectoryA
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDateFormatA
GetEnvironmentVariableA
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesA
GetFileAttributesExA
GetFileAttributesW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFileSize
GetLastError
GetLocalTime
GetLocaleInfoA
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExA
GetModuleHandleW
GetOEMCP
GetOverlappedResult
GetProcAddress
GetProcessAffinityMask
GetProcessHeap
GetQueuedCompletionStatus
GetStdHandle
GetStringTypeW
GetSystemDirectoryA
GetSystemDirectoryW
GetSystemTime
GetSystemTimeAsFileTime
GetSystemWindowsDirectoryA
GetTempPathA
GetThreadContext
GetTickCount
GetTickCount64
GetTimeFormatA
GetUserDefaultLCID
GetUserPreferredUILanguages
GetVersionExA
GlobalAlloc
GlobalLock
GlobalMemoryStatus
GlobalMemoryStatusEx
GlobalSize
GlobalUnlock
HeapAlloc
HeapFree
InitOnceExecuteOnce
InitializeCriticalSection
InitializeCriticalSectionEx
InitializeSListHead
InitializeSRWLock
InterlockedPopEntrySList
InterlockedPushEntrySList
IsBadStringPtrA
IsDebuggerPresent
LCMapStringEx
LeaveCriticalSection
LoadLibraryA
LoadLibraryExW
LoadLibraryW
LocalAlloc
LocalFree
LockFileEx
MultiByteToWideChar
OpenMutexA
OpenProcess
OpenThread
OutputDebugStringA
PeekNamedPipe
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseException
ReadFile
ReadProcessMemory
ReleaseMutex
ReleaseSRWLockExclusive
ReleaseSRWLockShared
RemoveVectoredExceptionHandler
ResetEvent
ResumeThread
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetConsoleCtrlHandler
SetConsoleMode
SetConsoleTitleA
SetCurrentDirectoryA
SetEndOfFile
SetErrorMode
SetEvent
SetFileAttributesA
SetFilePointerEx
SetHandleInformation
SetLastError
SetProcessAffinityMask
SetThreadAffinityMask
SetThreadPriority
SetUnhandledExceptionFilter
Sleep
SuspendThread
SystemTimeToFileTime
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnlockFileEx
UnmapViewOfFile
VerSetConditionMask
VerifyVersionInfoA
VirtualAlloc
VirtualFree
VirtualProtect
WaitForMultipleObjects
WaitForSingleObject
WaitForSingleObjectEx
WideCharToMultiByte
WriteConsoleW
WriteFile
lstrcatW
lstrcmpW
lstrcpyW
lstrlenA
lstrlenW
ole32
CoCreateInstance
CoInitializeEx
CoTaskMemAlloc
CoTaskMemFree
CoUninitialize
DoDragDrop
OleInitialize
RegisterDragDrop
ReleaseStgMedium
RevokeDragDrop
oleaut32
VariantClear
SysFreeString
shell32
CommandLineToArgvW
SHGetFolderPathA
SHGetFolderPathW
ShellExecuteA
ShellExecuteExA
user32
AdjustWindowRect
AdjustWindowRectEx
CallWindowProcW
ChangeDisplaySettingsA
ClipCursor
CloseClipboard
CreateIconIndirect
CreateWindowExW
DestroyCursor
DestroyWindow
DispatchMessageW
EmptyClipboard
EnableWindow
EnumDisplayDevicesA
EnumDisplaySettingsA
GetActiveWindow
GetAncestor
GetCaretBlinkTime
GetClipboardData
GetDoubleClickTime
GetForegroundWindow
GetKeyNameTextW
GetMonitorInfoA
GetWindowLongA
GetWindowLongPtrA
GetWindowRect
GetWindowTextA
GetWindowThreadProcessId
IsWindowUnicode
LoadCursorA
MapVirtualKeyA
MessageBoxA
MsgWaitForMultipleObjects
OpenClipboard
PeekMessageA
PeekMessageW
RegisterClassExW
RegisterClipboardFormatA
RegisterDeviceNotificationA
RegisterDeviceNotificationW
RegisterRawInputDevices
SendMessageA
SendMessageW
SetClipboardData
SetCursor
SetWindowLongPtrA
SetWindowLongPtrW
SetWindowPos
SetWindowTextW
SetWindowsHookExA
ShowCursor
ShowWindow
SystemParametersInfoA
TranslateMessage
UnhookWindowsHookEx
UnregisterClassW
winmm
timeEndPeriod
timeGetDevCaps
timeGetTime
waveInClose
waveInStop
timeBeginPeriod
ws2_32
accept
ioctlsocket
inet_addr
WSAGetLastError
WSASetLastError
WSAStartup
WSACleanup
inet_ntoa
listen
ntohs
recv
recvfrom
select
send
bind
setsockopt
shutdown
socket
closesocket
connect
getpeername
gethostbyname
gethostname
getsockname
getsockopt
htonl
htons
WSAIoctl
WSARecv
WSASend
WSASocketA
freeaddrinfo
getaddrinfo
Sections
.xdata Size: 31MB - Virtual size: 31MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 18MB - Virtual size: 18MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.arch Size: 5MB - Virtual size: 11MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 2MB - Virtual size: 2MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.link Size: 512B - Virtual size: 16KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.srdata Size: 39KB - Virtual size: 40KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
.edata Size: 151MB - Virtual size: 151MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.text1 Size: 23KB - Virtual size: 24KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.xcode Size: 3KB - Virtual size: 8KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 11KB - Virtual size: 12KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.vmp0 Size: 3MB - Virtual size: 3MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.cdx0 Size: 424KB - Virtual size: 424KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.cdx Size: 4MB - Virtual size: 4MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.cdx1 Size: 3MB - Virtual size: 3MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 424KB - Virtual size: 424KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ