SouthPark_TFBW[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

SouthPark_TFBW.exe
Size

221.0MB
MD5

15ea6ed6b5eecad1c7fe2724e23cae04
SHA1

5b62f959871c49a71e4e5d238b651d6ecfef0be4
SHA256

62f9387ad9055b005683d934271e5b7d511d2e202bb44a2d877a911568119f68
SHA512

410c53744c911b49aefd33c9501bf6117e84a4b77cb87491165ecb08993d408b2188314afab9be912ed85de122918736dbd2206b0a710e9dd5b85809d00879fd
SSDEEP

3145728:esFV8bN4rySg2X8/srGyadBvkYrB8TKVR9DkEDJ24bc19TaB1nw:H8Wy0XrOvkkBzDsK

Score

10^/10

coreentity

Malware Config

Signatures

CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
coreentity

Processes:

resource yara_rule

sample coreentity

resource	yara_rule
sample	coreentity

Files

SouthPark_TFBW.exe
.exe windows x64

d79766625eb453066680ca095db392f2

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

CloseServiceHandle
CryptAcquireContextA
CryptAcquireContextW
CryptGenRandom
CryptReleaseContext
DeregisterEventSource
GetUserNameA
OpenSCManagerA
OpenServiceA
QueryServiceConfigA
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegQueryValueExW
RegisterEventSourceA
ReportEventA

bink2w64

BinkClose
BinkGetFrameBuffersInfo
BinkGetKeyFrame
BinkGoto
BinkOpen
BinkOpenDirectSound
BinkOpenXAudio2
BinkPause
BinkRegisterFrameBuffers
BinkSetFileOffset
BinkSetFrameRate
BinkSetMemory
BinkSetSoundSystem
BinkSetSoundTrack
BinkSetVolume
BinkSetWillLoop

gdi32

CreateDCA
CreateSolidBrush
DeleteDC
DeleteObject
ExtEscape
CreateBitmap

kernel32

AcquireSRWLockExclusive
AcquireSRWLockShared
AddVectoredExceptionHandler
AllocConsole
AttachConsole
CloseHandle
CopyFileA
CreateDirectoryA
CreateDirectoryW
CreateEventA
CreateEventExA
CreateEventW
CreateFileA
CreateFileW
CreateIoCompletionPort
CreateMutexA
CreateProcessA
CreateSemaphoreExW
CreateThread
DeleteCriticalSection
DeleteFileA
EncodePointer
EnterCriticalSection
ExitProcess
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileExA
FindFirstFileW
FindNextFileA
FormatMessageA
FormatMessageW
FreeLibrary
GetACP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetComputerNameA
GetComputerNameExA
GetConsoleMode
GetCurrentDirectoryA
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDateFormatA
GetEnvironmentVariableA
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesA
GetFileAttributesExA
GetFileAttributesW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFileSize
GetLastError
GetLocalTime
GetLocaleInfoA
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExA
GetModuleHandleW
GetOEMCP
GetOverlappedResult
GetProcAddress
GetProcessAffinityMask
GetProcessHeap
GetQueuedCompletionStatus
GetStdHandle
GetStringTypeW
GetSystemDirectoryA
GetSystemDirectoryW
GetSystemTime
GetSystemTimeAsFileTime
GetSystemWindowsDirectoryA
GetTempPathA
GetThreadContext
GetTickCount
GetTickCount64
GetTimeFormatA
GetUserDefaultLCID
GetUserPreferredUILanguages
GetVersionExA
GlobalAlloc
GlobalLock
GlobalMemoryStatus
GlobalMemoryStatusEx
GlobalSize
GlobalUnlock
HeapAlloc
HeapFree
InitOnceExecuteOnce
InitializeCriticalSection
InitializeCriticalSectionEx
InitializeSListHead
InitializeSRWLock
InterlockedPopEntrySList
InterlockedPushEntrySList
IsBadStringPtrA
IsDebuggerPresent
LCMapStringEx
LeaveCriticalSection
LoadLibraryA
LoadLibraryExW
LoadLibraryW
LocalAlloc
LocalFree
LockFileEx
MultiByteToWideChar
OpenMutexA
OpenProcess
OpenThread
OutputDebugStringA
PeekNamedPipe
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseException
ReadFile
ReadProcessMemory
ReleaseMutex
ReleaseSRWLockExclusive
ReleaseSRWLockShared
RemoveVectoredExceptionHandler
ResetEvent
ResumeThread
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetConsoleCtrlHandler
SetConsoleMode
SetConsoleTitleA
SetCurrentDirectoryA
SetEndOfFile
SetErrorMode
SetEvent
SetFileAttributesA
SetFilePointerEx
SetHandleInformation
SetLastError
SetProcessAffinityMask
SetThreadAffinityMask
SetThreadPriority
SetUnhandledExceptionFilter
Sleep
SuspendThread
SystemTimeToFileTime
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnlockFileEx
UnmapViewOfFile
VerSetConditionMask
VerifyVersionInfoA
VirtualAlloc
VirtualFree
VirtualProtect
WaitForMultipleObjects
WaitForSingleObject
WaitForSingleObjectEx
WideCharToMultiByte
WriteConsoleW
WriteFile
lstrcatW
lstrcmpW
lstrcpyW
lstrlenA
lstrlenW

ole32

CoCreateInstance
CoInitializeEx
CoTaskMemAlloc
CoTaskMemFree
CoUninitialize
DoDragDrop
OleInitialize
RegisterDragDrop
ReleaseStgMedium
RevokeDragDrop

oleaut32

VariantClear
SysFreeString

shell32

CommandLineToArgvW
SHGetFolderPathA
SHGetFolderPathW
ShellExecuteA
ShellExecuteExA

user32

AdjustWindowRect
AdjustWindowRectEx
CallWindowProcW
ChangeDisplaySettingsA
ClipCursor
CloseClipboard
CreateIconIndirect
CreateWindowExW
DestroyCursor
DestroyWindow
DispatchMessageW
EmptyClipboard
EnableWindow
EnumDisplayDevicesA
EnumDisplaySettingsA
GetActiveWindow
GetAncestor
GetCaretBlinkTime
GetClipboardData
GetDoubleClickTime
GetForegroundWindow
GetKeyNameTextW
GetMonitorInfoA
GetWindowLongA
GetWindowLongPtrA
GetWindowRect
GetWindowTextA
GetWindowThreadProcessId
IsWindowUnicode
LoadCursorA
MapVirtualKeyA
MessageBoxA
MsgWaitForMultipleObjects
OpenClipboard
PeekMessageA
PeekMessageW
RegisterClassExW
RegisterClipboardFormatA
RegisterDeviceNotificationA
RegisterDeviceNotificationW
RegisterRawInputDevices
SendMessageA
SendMessageW
SetClipboardData
SetCursor
SetWindowLongPtrA
SetWindowLongPtrW
SetWindowPos
SetWindowTextW
SetWindowsHookExA
ShowCursor
ShowWindow
SystemParametersInfoA
TranslateMessage
UnhookWindowsHookEx
UnregisterClassW

winmm

timeEndPeriod
timeGetDevCaps
timeGetTime
waveInClose
waveInStop
timeBeginPeriod

ws2_32

accept
ioctlsocket
inet_addr
WSAGetLastError
WSASetLastError
WSAStartup
WSACleanup
inet_ntoa
listen
ntohs
recv
recvfrom
select
send
bind
setsockopt
shutdown
socket
closesocket
connect
getpeername
gethostbyname
gethostname
getsockname
getsockopt
htonl
htons
WSAIoctl
WSARecv
WSASend
WSASocketA
freeaddrinfo
getaddrinfo

Sections

.xdata
Size: 31.4MB - Virtual size: 31.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 18.6MB - Virtual size: 18.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.arch
Size: 5.5MB - Virtual size: 11.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.link
Size: 512B - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.srdata
Size: 39KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ

.edata
Size: 151.7MB - Virtual size: 151.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text1
Size: 23KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.xcode
Size: 3KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 11KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.cdx0
Size: 424KB - Virtual size: 424KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.cdx
Size: 4.0MB - Virtual size: 4.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.cdx1
Size: 3.4MB - Virtual size: 3.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 424KB - Virtual size: 424KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d79766625eb453066680ca095db392f2

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

bink2w64

gdi32

kernel32

ole32

oleaut32

shell32

user32

winmm

ws2_32

Sections

.xdata Size: 31.4MB - Virtual size: 31.4MB

.data Size: 18.6MB - Virtual size: 18.6MB

.arch Size: 5.5MB - Virtual size: 11.2MB

.pdata Size: 2.3MB - Virtual size: 2.3MB

.link Size: 512B - Virtual size: 16KB

.srdata Size: 39KB - Virtual size: 40KB

.edata Size: 151.7MB - Virtual size: 151.7MB

.text1 Size: 23KB - Virtual size: 24KB

.xcode Size: 3KB - Virtual size: 8KB

.rsrc Size: 11KB - Virtual size: 12KB

.vmp0 Size: 3.1MB - Virtual size: 3.1MB

.cdx0 Size: 424KB - Virtual size: 424KB

.cdx Size: 4.0MB - Virtual size: 4.0MB

.cdx1 Size: 3.4MB - Virtual size: 3.4MB

.rsrc Size: 424KB - Virtual size: 424KB

.xdata
Size: 31.4MB - Virtual size: 31.4MB

.data
Size: 18.6MB - Virtual size: 18.6MB

.arch
Size: 5.5MB - Virtual size: 11.2MB

.pdata
Size: 2.3MB - Virtual size: 2.3MB

.link
Size: 512B - Virtual size: 16KB

.srdata
Size: 39KB - Virtual size: 40KB

.edata
Size: 151.7MB - Virtual size: 151.7MB

.text1
Size: 23KB - Virtual size: 24KB

.xcode
Size: 3KB - Virtual size: 8KB

.rsrc
Size: 11KB - Virtual size: 12KB

.vmp0
Size: 3.1MB - Virtual size: 3.1MB

.cdx0
Size: 424KB - Virtual size: 424KB

.cdx
Size: 4.0MB - Virtual size: 4.0MB

.cdx1
Size: 3.4MB - Virtual size: 3.4MB

.rsrc
Size: 424KB - Virtual size: 424KB