version[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

version.exe
Size

1.0MB
MD5

4ea0297a836acc00113001a98abea43b
SHA1

32b6d727909e8bd07b0cd5e16f290aca658bf93c
SHA256

8eafd9ab9bf8f0a5f834f8a4eb5bffae64f39d50885a04fc598a2a5c7b852076
SHA512

ff6ad9908f2af3362b915e02be6aadf80f16046ddce40f58b8746bbfdfaa73b0a5fc841689f07be37cec68545e498e20dfca1c761113d9be79233eb6a2c0d60d
SSDEEP

24576:dIBaksjQhF+zjqNwsXwXZoxPMkZIjDhhhhjhhhhGBe:dIBzsjc+zGNwCwX/GIfhhhhjhhhhGBe

Score

N/A

Malware Config

Signatures

Files

version.exe
.exe windows x86

3d590dfb17e738fadbbea3a69d21303c

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

75:8f:5e:e8:26:3b:66:94:71:9d:84:34:eb:99:86:08
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

31/10/2007, 00:00

Not After

24/11/2010, 23:59

Subject

CN=Symantec Corporation,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Symantec Research Labs,O=Symantec Corporation,L=Santa Monica,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

f3:55:7e:52:54:ae:4f:50:84:c0:df:cd:73:54:91:4e:82:01:16:36
Signer

Actual PE Digest

f3:55:7e:52:54:ae:4f:50:84:c0:df:cd:73:54:91:4e:82:01:16:36

Digest Algorithm

sha1

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Symantec Corporation,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Symantec Research Labs,O=Symantec Corporation,L=Santa Monica,ST=California,C=US

17/08/2010, 03:33
Valid: false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

SetThreadToken
QueryServiceStatus
OpenServiceA
FreeSid
InitializeAcl
RegEnumKeyExA
AddAccessAllowedAce
AllocateAndInitializeSid
CreateProcessAsUserA
OpenThreadToken
RegSetValueExA
RegCloseKey
InitializeSecurityDescriptor
GetLengthSid
OpenSCManagerA
GetUserNameA
RegDeleteValueA
RegCreateKeyExW
RevertToSelf
SetSecurityDescriptorDacl
RegOpenKeyExA
GetTrusteeFormW
RegCreateKeyExA
RegQueryValueExA
RegDeleteKeyA
RegOpenKeyExW
RegSetValueExW
CloseServiceHandle
RegDeleteKeyW

cabview

Uninstall

duser

GetStdColorPenI

filemgmt

DllCanUnloadNow

gdi32

GetClipBox
GetDCOrgEx
ExtEscape
DeleteDC
CreateDCA

kbdda

KbdLayerDescriptor

kernel32

LoadLibraryW
lstrcpyA
GetCurrentThreadId
EnterCriticalSection
ExitProcess
InterlockedIncrement
GetEnvironmentStrings
lstrlenW
InterlockedExchange
CreateMutexA
CallNamedPipeA
GetLocaleInfoA
CloseHandle
GetFileType
GetTickCount
FreeEnvironmentStringsA
GetEnvironmentStringsW
GetStringTypeA
LoadLibraryA
GetCommandLineA
SetConsoleCtrlHandler
GetCurrentProcessId
SetStdHandle
LocalFree
DeleteCriticalSection
GetSystemInfo
GetExitCodeProcess
WideCharToMultiByte
DeviceIoControl
MultiByteToWideChar
WriteFile
OutputDebugStringA
GetStartupInfoA
GetCurrentProcess
LeaveCriticalSection
IsBadWritePtr
VirtualFree
GetModuleFileNameA
IsBadCodePtr
FormatMessageW
FlushFileBuffers
OutputDebugStringW
HeapFree
ResetEvent
CreateEventA
CreateMutexW
VirtualProtectEx
OpenEventA
IsBadReadPtr
TerminateThread
InterlockedDecrement
SetFilePointer
GetACP
HeapDestroy
GetVersionExA
GetStdHandle
Sleep
CreateProcessA
GetLastError
lstrcmpiW
QueryPerformanceCounter
RtlUnwind
CreateEventW
LCMapStringW
GetModuleHandleA
GetCPInfo
CreateThread
LoadLibraryExW
ReleaseMutex
VirtualQuery
IsProcessorFeaturePresent
VirtualAlloc
GetCurrentThread
WaitForSingleObject
HeapAlloc
CreateFileW
HeapCreate
LCMapStringA
VirtualProtect
IsDebuggerPresent
SetHandleCount
FreeEnvironmentStringsW
SetEvent
GetModuleHandleW
RaiseException
WaitForMultipleObjects
UnhandledExceptionFilter
InitializeCriticalSection
ReadFile
GetOEMCP
FreeLibrary
SetLastError
SetUnhandledExceptionFilter
HeapReAlloc
GetProcessHeap
GetProcAddress
GetModuleFileNameW
TerminateProcess
GetStringTypeW

mssip32

CryptSIPRemoveSignedDataMsg

msvcrt

_XcptFilter
towupper
wcscat
wcsstr
free
wcslen
malloc
_wtoi
__CxxFrameHandler
wcscpy
_beginthread
_purecall
_CxxThrowException
_amsg_exit
__dllonexit
_initterm
_itow
_onexit
memcpy
?terminate@@YAXXZ
memset

ole32

CoUninitialize
CoInitializeEx
StringFromGUID2
CoInitialize
CoCreateInstance

qdv

DllCanUnloadNow

setupapi

SetupDiGetDeviceInstanceIdA
CM_Get_DevNode_Registry_PropertyA
SetupDiGetClassDevsA
SetupDiEnumDeviceInfo
CM_Get_Parent
CM_Get_Device_ID_ExA
SetupDiSetClassInstallParamsA
CM_Reenumerate_DevNode
SetupDiOpenDevRegKey
SetupDiDestroyDeviceInfoList
SetupDiGetDeviceRegistryPropertyA
SetupDiCallClassInstaller

termmgr

DllCanUnloadNow

user32

GetWindowPlacement
GetIconInfo
UnregisterDeviceNotification
UnhookWindowsHookEx
SetWindowsHookExA
IntersectRect
RegisterDeviceNotificationA
OffsetRect
IsIconic
EnumDisplayDevicesA
GetWindowRect
EnumDisplaySettingsA
GetSystemMetrics
MessageBoxW
SystemParametersInfoA
ChangeDisplaySettingsExA
EnumDisplaySettingsExA
CallNextHookEx
wsprintfW
LoadIconW

winspool.drv

EnumJobsW

Sections

.rdata
Size: 732KB - Virtual size: 772KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 106KB - Virtual size: 146KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.noninfi
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.baronet
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.coggie
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.dags
Size: 9KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.radioth
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 166KB - Virtual size: 165KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3d590dfb17e738fadbbea3a69d21303c

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

75:8f:5e:e8:26:3b:66:94:71:9d:84:34:eb:99:86:08Certificate

Extended Key Usages

Key Usages

f3:55:7e:52:54:ae:4f:50:84:c0:df:cd:73:54:91:4e:82:01:16:36Signer

Signature Validations

Verification

17/08/2010, 03:33 Valid: false

Headers

File Characteristics

Imports

advapi32

cabview

duser

filemgmt

gdi32

kbdda

kernel32

mssip32

msvcrt

ole32

qdv

setupapi

termmgr

user32

winspool.drv

Sections

.rdata Size: 732KB - Virtual size: 772KB

.text Size: 106KB - Virtual size: 146KB

.noninfi Size: 6KB - Virtual size: 6KB

.baronet Size: 10KB - Virtual size: 10KB

.coggie Size: 10KB - Virtual size: 10KB

.dags Size: 9KB - Virtual size: 48KB

.radioth Size: 10KB - Virtual size: 10KB

.rsrc Size: 166KB - Virtual size: 165KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

75:8f:5e:e8:26:3b:66:94:71:9d:84:34:eb:99:86:08
Certificate

f3:55:7e:52:54:ae:4f:50:84:c0:df:cd:73:54:91:4e:82:01:16:36
Signer

17/08/2010, 03:33
Valid: false

.rdata
Size: 732KB - Virtual size: 772KB

.text
Size: 106KB - Virtual size: 146KB

.noninfi
Size: 6KB - Virtual size: 6KB

.baronet
Size: 10KB - Virtual size: 10KB

.coggie
Size: 10KB - Virtual size: 10KB

.dags
Size: 9KB - Virtual size: 48KB

.radioth
Size: 10KB - Virtual size: 10KB

.rsrc
Size: 166KB - Virtual size: 165KB