1fe0b3a22672e1d56ff8a4be3d2bb248ef2f519f181a8c4bef93371938670238

Sharing

Copy URL Twitter E-mail

General

Target

1fe0b3a22672e1d56ff8a4be3d2bb248ef2f519f181a8c4bef93371938670238
Size

108KB
MD5

e36c2ebc44e750d564f4884603cbc370
SHA1

70bf3a246793adcd710c217ae2ed8de95c1e9842
SHA256

1fe0b3a22672e1d56ff8a4be3d2bb248ef2f519f181a8c4bef93371938670238
SHA512

cde3686da3f432c022bffb785eca36c72da246f2e06b0cb7d8ee220dce86f7c768a8306a6cabd5df448da6dd29d5d9c50a03618a493c2984cba88756cb208986
SSDEEP

3072:jwVJX/S+uq3FcbDyeNo9Y3nprg3zsIQ3jx0S5:jSX/Vuf3Nq9snKJ8xV

Score

N/A

Malware Config

Signatures

Files

1fe0b3a22672e1d56ff8a4be3d2bb248ef2f519f181a8c4bef93371938670238
.rar
amd64_microsoft-windows-s..-kerberos.resources_31bf3856ad364e35_10.0.22621.1_en-us_e04872f710e81412/kerberos.dll.mui
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.rdata
Size: 512B - Virtual size: 224B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 34KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.22621.1_none_b0671115bbefda1e/desktop.ini
amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.22621.1_none_54b9a21445fd9765/desktop.ini
amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.22621.1_none_a293a6a8f07d19a1/desktop.ini
amd64_microsoft-windows-s..ity-netlogon-netapi_31bf3856ad364e35_10.0.22621.1_none_34cbb69449b81ca0/logoncli.dll
.dll windows x64

3faa6dafb78cd99349068711b5abf4a3

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e4:48:db:4e:31:fb:4a:1c:b9:28:7b:25:3b:92:d8:be:a8:22:34:48:eb:36:b5:c2:3f:54:2c:7a:45:de:34:f1
Signer

Actual PE Digest

e4:48:db:4e:31:fb:4a:1c:b9:28:7b:25:3b:92:d8:be:a8:22:34:48:eb:36:b5:c2:3f:54:2c:7a:45:de:34:f1

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23/09/2022, 10:46
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm

api-ms-win-crt-private-l1-1-0

_o__configure_narrow_argv
_o__execute_onexit_table
_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__seh_filter_dll
_o__stricmp
_o__strnicmp
memmove
_o__ultow_s
_o__wcsicmp
_o_qsort
_o_strcpy_s
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
_o_wcstoul
_o__cexit
_o___std_type_info_destroy_list
wcsrchr
__C_specific_handler
memcmp
wcsstr
_o___stdio_common_vswprintf
wcschr
_o___stdio_common_vsprintf
memcpy

api-ms-win-crt-string-l1-1-0

memset

rpcrt4

RpcExceptionFilter
RpcEpResolveBinding
UuidCreate
UuidEqual
UuidToStringA
RpcStringFreeA
I_RpcBindingCreateNP
RpcStringBindingComposeW
RpcBindingFromStringBindingW
NdrClientCall3
RpcBindingFree
RpcBindingSetAuthInfoW
RpcStringFreeW
I_RpcExceptionFilter
UuidToStringW
I_RpcMapWin32Status
RpcBindingSetAuthInfoExW

api-ms-win-core-registry-l1-1-0

RegQueryValueExA
RegQueryValueExW
RegOpenKeyExA
RegGetValueW
RegCloseKey
RegOpenKeyExW

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-errorhandling-l1-1-0

GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle

api-ms-win-core-synch-l1-1-0

AcquireSRWLockShared
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
DeleteCriticalSection
EnterCriticalSection
ReleaseSRWLockShared
InitializeCriticalSection
LeaveCriticalSection

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameW
DisableThreadLibraryCalls

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcessId
TerminateProcess
GetCurrentProcess

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetComputerNameExW
GetTickCount

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent

api-ms-win-core-file-l1-1-0

WriteFile
CreateFileW
ReadFile

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-synch-l1-2-0

InitOnceExecuteOnce
Sleep

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-kernel32-legacy-l1-1-0

SetMailslotInfo
CreateMailslotA

ntdll

RtlxUnicodeStringToOemSize
RtlUpcaseUnicodeStringToOemString
RtlOemStringToUnicodeString
RtlInitString
RtlInsertElementGenericTableAvl
RtlxUnicodeStringToAnsiSize
NtOpenEvent
RtlInitUnicodeString
RtlLookupElementGenericTableAvl
RtlNumberGenericTableElementsAvl
RtlNtStatusToDosError
RtlDeleteElementGenericTableAvl
RtlInitializeGenericTableAvl
RtlUnicodeStringToAnsiString
RtlCopySid
RtlSubAuthorityCountSid
RtlValidSid
RtlGetNtProductType
EtwEventRegister
EtwEventWrite
EtwEventUnregister
RtlLengthSid
RtlEqualUnicodeString
NtWaitForSingleObject
NtQuerySystemTime
EtwTraceMessage
RtlUniform
RtlAnsiStringToUnicodeString
RtlxAnsiStringToUnicodeSize
RtlInitUnicodeStringEx
RtlInitAnsiString
RtlCompareMemoryUlong
RtlCompareUnicodeString
RtlAllocateHeap
RtlFreeHeap
RtlEqualSid
RtlSubAuthoritySid
RtlLengthRequiredSid
NtCreateEvent
NtClose

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

AuthzrExtAccessCheck
AuthzrExtFreeContext
AuthzrExtFreeResourceManager
AuthzrExtGetInformationFromContext
AuthzrExtInitializeCompoundContext
AuthzrExtInitializeContextFromSid
AuthzrExtInitializeRemoteResourceManager
AuthzrExtModifyClaims
DsAddressToSiteNamesA
DsAddressToSiteNamesExA
DsAddressToSiteNamesExW
DsAddressToSiteNamesW
DsDeregisterDnsHostRecordsA
DsDeregisterDnsHostRecordsW
DsEnumerateDomainTrustsA
DsEnumerateDomainTrustsW
DsGetDcCloseW
DsGetDcNameA
DsGetDcNameW
DsGetDcNameWithAccountA
DsGetDcNameWithAccountW
DsGetDcNextA
DsGetDcNextW
DsGetDcOpenA
DsGetDcOpenW
DsGetDcSiteCoverageA
DsGetDcSiteCoverageW
DsGetForestTrustInformationW
DsGetSiteNameA
DsGetSiteNameW
DsMergeForestTrustInformationW
DsValidateSubnetNameA
DsValidateSubnetNameW
I_DsUpdateReadOnlyServerDnsRecords
I_NetAccountDeltas
I_NetAccountSync
I_NetChainSetClientAttributes
I_NetChainSetClientAttributes2
I_NetDatabaseDeltas
I_NetDatabaseRedo
I_NetDatabaseSync
I_NetDatabaseSync2
I_NetExtendMachinePasswordExpirationTimeout
I_NetGetDCList
I_NetGetForestTrustInformation
I_NetLogonControl
I_NetLogonControl2
I_NetLogonGetCapabilities
I_NetLogonGetDomainInfo
I_NetLogonSamLogoff
I_NetLogonSamLogon
I_NetLogonSamLogonEx
I_NetLogonSamLogonWithFlags
I_NetLogonSendToSam
I_NetLogonUasLogoff
I_NetLogonUasLogon
I_NetQuerySecureChannelDCInfo
I_NetServerAuthenticate
I_NetServerAuthenticate2
I_NetServerAuthenticate3
I_NetServerAuthenticateKerberos
I_NetServerGetTrustInfo
I_NetServerPasswordGet
I_NetServerPasswordSet
I_NetServerPasswordSet2
I_NetServerReqChallenge
I_NetServerTrustPasswordsGet
I_NetlogonComputeClientDigest
I_NetlogonComputeClientSignature
I_NetlogonComputeServerDigest
I_NetlogonComputeServerSignature
I_NetlogonGetTrustRid
I_RpcExtInitializeExtensionPoint
NetAddServiceAccount
NetEnumerateServiceAccounts
NetEnumerateTrustedDomains
NetGetAnyDCName
NetGetDCName
NetIsServiceAccount
NetLogonGetTimeServiceParentDomain
NetLogonSetServiceBits
NetQueryServiceAccount
NetRemoveServiceAccount
NlBindingAddServerToCache
NlBindingRemoveServerFromCache
NlBindingSetAuthInfo
NlSetDsIsCloningPDC

Sections

.text
Size: 128KB - Virtual size: 124KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 108KB - Virtual size: 104KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 456B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.22621.1_none_b6adc9e6026286de/desktop.ini

Sharing

General

Malware Config

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

.rdata Size: 512B - Virtual size: 224B

.rsrc Size: 34KB - Virtual size: 36KB

3faa6dafb78cd99349068711b5abf4a3

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3cCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

e4:48:db:4e:31:fb:4a:1c:b9:28:7b:25:3b:92:d8:be:a8:22:34:48:eb:36:b5:c2:3f:54:2c:7a:45:de:34:f1Signer

Signature Validations

Verification

23/09/2022, 10:46 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-crt-string-l1-1-0

rpcrt4

api-ms-win-core-registry-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

ntdll

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 128KB - Virtual size: 124KB

.rdata Size: 108KB - Virtual size: 104KB

.data Size: 4KB - Virtual size: 5KB

.pdata Size: 8KB - Virtual size: 6KB

.didat Size: 4KB - Virtual size: 456B

.rsrc Size: 4KB - Virtual size: 2KB

.reloc Size: 4KB - Virtual size: 2KB

.rdata
Size: 512B - Virtual size: 224B

.rsrc
Size: 34KB - Virtual size: 36KB

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

e4:48:db:4e:31:fb:4a:1c:b9:28:7b:25:3b:92:d8:be:a8:22:34:48:eb:36:b5:c2:3f:54:2c:7a:45:de:34:f1
Signer

23/09/2022, 10:46
Valid: false

.text
Size: 128KB - Virtual size: 124KB

.rdata
Size: 108KB - Virtual size: 104KB

.data
Size: 4KB - Virtual size: 5KB

.pdata
Size: 8KB - Virtual size: 6KB

.didat
Size: 4KB - Virtual size: 456B

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 4KB - Virtual size: 2KB