297613fdd4cbd3a61ba7b4c3fc3da97b0e5eec9f740e6ec8f93cf16c82119d28

Sharing

Copy URL Twitter E-mail

General

Target

297613fdd4cbd3a61ba7b4c3fc3da97b0e5eec9f740e6ec8f93cf16c82119d28
Size

3.4MB
MD5

d098add0a62bf050384da587bf7e4770
SHA1

2ae3cd45c4f78bcecc380615a1952a0dd6e1de5b
SHA256

297613fdd4cbd3a61ba7b4c3fc3da97b0e5eec9f740e6ec8f93cf16c82119d28
SHA512

aa47866eaf546f74f9f4d3d7d48f5f619ea461473d7cd8332d1e6b27c430e0fa1d44111220a389808b8b1ce77f049be1ed8977247707cc1b301b80f6faa7e855
SSDEEP

49152:yQ6XwF2Ps+f5gU4TNZs6kSTUcZA8ZFPA6AHEegbGknb5TS2Gvcj5VArRb:B6gcPXl4TNZTkSgYA8ZbRee/TScjLAVb

Score

1^/10

Malware Config

Signatures

NSIS installer 2 IoCs

installer

resource	yara_rule
static1/unpack001/Dokan.exe	nsis_installer_1
static1/unpack001/Dokan.exe	nsis_installer_2

Files

297613fdd4cbd3a61ba7b4c3fc3da97b0e5eec9f740e6ec8f93cf16c82119d28
.zip
Boot Sector FAT.tpl
Boot Sector FAT32.tpl
Boot Sector NTFS.tpl
Chinese.dat
.dll windows x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 512B - Virtual size: 160B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 1KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1024B - Virtual size: 702B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 424B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Chinese.txt
Conditional Coloring.cfg
Dokan.exe
.exe windows x86

e160ef8e55bb9d162da4e266afd9eef3

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

03:01
Certificate

Issuer

OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US

Not Before

16/11/2006, 01:54

Not After

16/11/2026, 01:54

Subject

SERIALNUMBER=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

8f:56:90:01:d5:0f:c4:57
Certificate

Issuer

SERIALNUMBER=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Not Before

30/01/2015, 09:32

Not After

30/01/2016, 09:32

Subject

CN=ISLOG,O=ISLOG,L=Strasbourg,ST=Alsace,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

33:00:00:00:37:b9:08:f8:71:ee:b5:e9:94:00:00:00:00:00:37
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

27/08/2013, 17:38

Not After

27/08/2023, 17:48

Subject

OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

64:26:68:01:77:1b:3c:bd:da:ee:1a:b6:4b:b8:03:b9:e0:73:d3:b8
Signer

Actual PE Digest

64:26:68:01:77:1b:3c:bd:da:ee:1a:b6:4b:b8:03:b9:e0:73:d3:b8

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=ISLOG,O=ISLOG,L=Strasbourg,ST=Alsace,C=FR

21/08/2015, 15:27
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetTickCount
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
SearchPathA
GetShortPathNameA
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
SetEnvironmentVariableA
GetWindowsDirectoryA
GetTempPathA
Sleep
CloseHandle
LoadLibraryA
lstrlenA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
CreateFileA
GetTempFileNameA
ReadFile
lstrcpyA
lstrcatA
GetSystemDirectoryA
GetVersion
GetProcAddress
GlobalAlloc
CompareFileTime
SetFileTime
ExpandEnvironmentStringsA
lstrcmpiA
lstrcmpA
WaitForSingleObject
GlobalFree
GetExitCodeProcess
GetModuleHandleA
SetErrorMode
GetCommandLineA
LoadLibraryExA
FindFirstFileA
FindNextFileA
DeleteFileA
SetFilePointer
WriteFile
FindClose
WritePrivateProfileStringA
MultiByteToWideChar
MulDiv
GetPrivateProfileStringA
FreeLibrary

user32

CreateWindowExA
EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
GetDC
SystemParametersInfoA
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
ReleaseDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
GetClassInfoA
DialogBoxParamA
CharNextA
ExitWindowsEx
DestroyWindow
CreateDialogParamA
SetTimer
GetDlgItem
wsprintfA
SetForegroundWindow
ShowWindow
IsWindow
LoadImageA
SetWindowLongA
SetClipboardData
EmptyClipboard
OpenClipboard
EndPaint
PostQuitMessage
FindWindowExA
SendMessageTimeoutA
SetWindowTextA

gdi32

SelectObject
SetBkMode
CreateFontIndirectA
SetTextColor
DeleteObject
GetDeviceCaps
CreateBrushIndirect
SetBkColor

shell32

SHGetSpecialFolderLocation
SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA

advapi32

RegCloseKey
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumValueA
RegCreateKeyExA
RegSetValueExA
RegQueryValueExA
RegEnumKeyA

comctl32

ImageList_Create
ImageList_AddMasked
ImageList_Destroy
ord17

ole32

CoCreateInstance
CoTaskMemFree
OleInitialize
OleUninitialize

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 149KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 36KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Ext Directory Entry.tpl
Ext Group Descriptor.tpl
Ext Inode.tpl
Ext Superblock.tpl
FAT Directory Entry.tpl
FAT LFN Entry.tpl
File Type Signatures Search.txt
GUID Partition Table.tpl
HFS+ Volume Header.tpl
History.dat
Master Boot Record.tpl
NTFS FILE Record.tpl
Recently Opened.dat
Russian.txt
Sample script.whs
Text file conversion UNIX - Windows.whs
Text file conversion Windows - UNIX.whs
WinHex.cfg
indexcha.txt
language.dat
setup.exe
.exe windows x86

Code Sign

1b:e7:15
Certificate

Issuer

OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US

Not Before

01/01/2014, 07:00

Not After

30/05/2031, 07:00

Subject

CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

07
Certificate

Issuer

CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Not Before

03/05/2011, 07:00

Not After

03/05/2031, 07:00

Subject

CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

8c:34:b7:ef:c9:d9:dc:22
Certificate

Issuer

CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Not Before

06/01/2018, 10:58

Not After

12/12/2019, 01:54

Subject

CN=X-Ways Software Technology AG,O=X-Ways Software Technology AG,L=Bünde,ST=Nordrhein-Westfalen,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

58:8c:d4:04:82:67:1d:b5:b0:35:57:1d:0c:6b:f2:ab:ed:63:0d:8e:e4:1d:9f:f4:1c:58:fb:a9:66:8e:7e:2a
Signer

Actual PE Digest

58:8c:d4:04:82:67:1d:b5:b0:35:57:1d:0c:6b:f2:ab:ed:63:0d:8e:e4:1d:9f:f4:1c:58:fb:a9:66:8e:7e:2a

Digest Algorithm

sha256

PE Digest Matches

false

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=X-Ways Software Technology AG,O=X-Ways Software Technology AG,L=Bünde,ST=Nordrhein-Westfalen,C=DE

06/01/2018, 13:10
Valid: true

Chain 1

CN=X-Ways Software Technology AG,O=X-Ways Software Technology AG,L=Bünde,ST=Nordrhein-Westfalen,C=DE

CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Chain 2

CN=X-Ways Software Technology AG,O=X-Ways Software Technology AG,L=Bünde,ST=Nordrhein-Westfalen,C=DE

CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 1024B - Virtual size: 920B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 2KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 8B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
timezone.dat
user.txt
winhex-d.chm
.chm
winhex.chm
.chm
winhex.exe
.exe windows x86

Code Sign

1b:e7:15
Certificate

Issuer

OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US

Not Before

01/01/2014, 07:00

Not After

30/05/2031, 07:00

Subject

CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

07
Certificate

Issuer

CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Not Before

03/05/2011, 07:00

Not After

03/05/2031, 07:00

Subject

CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

47:e2:da:75:30:31:8f:a5
Certificate

Issuer

CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Not Before

14/01/2018, 17:35

Not After

12/12/2019, 01:54

Subject

CN=X-Ways Software Technology AG,O=X-Ways Software Technology AG,L=Bünde,ST=Nordrhein-Westfalen,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

b6:cc:0f:4e:85:39:1f:65:4c:ca:f9:61:65:3c:28:66:48:b2:da:97:44:b7:bc:67:bb:14:94:33:cb:27:6d:06
Signer

Actual PE Digest

b6:cc:0f:4e:85:39:1f:65:4c:ca:f9:61:65:3c:28:66:48:b2:da:97:44:b7:bc:67:bb:14:94:33:cb:27:6d:06

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=X-Ways Software Technology AG,O=X-Ways Software Technology AG,L=Bünde,ST=Nordrhein-Westfalen,C=DE

08/04/2019, 07:49
Valid: true

Chain 1

CN=X-Ways Software Technology AG,O=X-Ways Software Technology AG,L=Bünde,ST=Nordrhein-Westfalen,C=DE

CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Chain 2

CN=X-Ways Software Technology AG,O=X-Ways Software Technology AG,L=Bünde,ST=Nordrhein-Westfalen,C=DE

CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 43KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 112KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 380B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 509KB - Virtual size: 509KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
zlib1.dll
.dll windows x86

66a201125fb55b79ced6d0ecd1985e10

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

DeleteCriticalSection
EnterCriticalSection
GetModuleHandleA
GetProcAddress
InitializeCriticalSection
InterlockedExchange
IsDBCSLeadByteEx
LeaveCriticalSection
MultiByteToWideChar
Sleep
VirtualProtect
VirtualQuery
WideCharToMultiByte

msvcrt

_close
_lseek
_open
_read
_write
__dllonexit
__lc_codepage
__mb_cur_max
_errno
_iob
abort
fflush
fputc
free
fwrite
getenv
localeconv
malloc
memchr
memcpy
sprintf
strcat
strcpy
strerror
strlen
vfprintf
wcslen

Exports

Exports

adler32
adler32_combine
compress
compress2
compressBound
crc32
crc32_combine
deflate
deflateBound
deflateCopy
deflateEnd
deflateInit2_
deflateInit_
deflateParams
deflatePrime
deflateReset
deflateSetDictionary
deflateSetHeader
deflateTune
get_crc_table
gzbuffer
gzclearerr
gzclose
gzclose_r
gzclose_w
gzdirect
gzdopen
gzeof
gzerror
gzflush
gzgetc
gzgets
gzoffset
gzopen
gzprintf
gzputc
gzputs
gzread
gzrewind
gzseek
gzsetparams
gztell
gzungetc
gzwrite
inflate
inflateBack
inflateBackEnd
inflateBackInit_
inflateCopy
inflateEnd
inflateGetHeader
inflateInit2_
inflateInit_
inflateMark
inflatePrime
inflateReset
inflateReset2
inflateSetDictionary
inflateSync
inflateSyncPoint
inflateUndermine
uncompress
zError
zlibCompileFlags
zlibVersion

Sections

.text
Size: 71KB - Virtual size: 71KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 92B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.eh_fram
Size: 512B - Virtual size: 220B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 900B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Headers

File Characteristics

Sections

CODE Size: 4KB - Virtual size: 3KB

DATA Size: 512B - Virtual size: 160B

BSS Size: - Virtual size: 1KB

.idata Size: 1024B - Virtual size: 702B

.reloc Size: 512B - Virtual size: 424B

.rsrc Size: 14KB - Virtual size: 14KB

e160ef8e55bb9d162da4e266afd9eef3

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

03:01Certificate

Key Usages

8f:56:90:01:d5:0f:c4:57Certificate

Extended Key Usages

Key Usages

33:00:00:00:37:b9:08:f8:71:ee:b5:e9:94:00:00:00:00:00:37Certificate

Extended Key Usages

Key Usages

64:26:68:01:77:1b:3c:bd:da:ee:1a:b6:4b:b8:03:b9:e0:73:d3:b8Signer

Signature Validations

Verification

21/08/2015, 15:27 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 23KB - Virtual size: 23KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 149KB

.ndata Size: - Virtual size: 36KB

.rsrc Size: 4KB - Virtual size: 4KB

Code Sign

1b:e7:15Certificate

Key Usages

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0bCertificate

Extended Key Usages

Key Usages

07Certificate

Key Usages

8c:34:b7:ef:c9:d9:dc:22Certificate

Extended Key Usages

Key Usages

58:8c:d4:04:82:67:1d:b5:b0:35:57:1d:0c:6b:f2:ab:ed:63:0d:8e:e4:1d:9f:f4:1c:58:fb:a9:66:8e:7e:2aSigner

Signature Validations

Verification

06/01/2018, 13:10 Valid: true

Chain 1

Chain 2

Headers

File Characteristics

Sections

CODE Size: 21KB - Virtual size: 21KB

DATA Size: 1024B - Virtual size: 920B

BSS Size: - Virtual size: 2KB

.idata Size: 3KB - Virtual size: 2KB

.tls Size: - Virtual size: 8B

.rdata Size: 512B - Virtual size: 24B

.reloc Size: 2KB - Virtual size: 2KB

.rsrc Size: 2KB - Virtual size: 2KB

CODE
Size: 4KB - Virtual size: 3KB

DATA
Size: 512B - Virtual size: 160B

BSS
Size: - Virtual size: 1KB

.idata
Size: 1024B - Virtual size: 702B

.reloc
Size: 512B - Virtual size: 424B

.rsrc
Size: 14KB - Virtual size: 14KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

03:01
Certificate

8f:56:90:01:d5:0f:c4:57
Certificate

33:00:00:00:37:b9:08:f8:71:ee:b5:e9:94:00:00:00:00:00:37
Certificate

64:26:68:01:77:1b:3c:bd:da:ee:1a:b6:4b:b8:03:b9:e0:73:d3:b8
Signer

21/08/2015, 15:27
Valid: false

.text
Size: 23KB - Virtual size: 23KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 149KB

.ndata
Size: - Virtual size: 36KB

.rsrc
Size: 4KB - Virtual size: 4KB

1b:e7:15
Certificate

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

07
Certificate

8c:34:b7:ef:c9:d9:dc:22
Certificate

58:8c:d4:04:82:67:1d:b5:b0:35:57:1d:0c:6b:f2:ab:ed:63:0d:8e:e4:1d:9f:f4:1c:58:fb:a9:66:8e:7e:2a
Signer

06/01/2018, 13:10
Valid: true

CODE
Size: 21KB - Virtual size: 21KB

DATA
Size: 1024B - Virtual size: 920B

BSS
Size: - Virtual size: 2KB

.idata
Size: 3KB - Virtual size: 2KB

.tls
Size: - Virtual size: 8B

.rdata
Size: 512B - Virtual size: 24B

.reloc
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 2KB - Virtual size: 2KB

1b:e7:15
Certificate

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

07
Certificate

47:e2:da:75:30:31:8f:a5
Certificate

b6:cc:0f:4e:85:39:1f:65:4c:ca:f9:61:65:3c:28:66:48:b2:da:97:44:b7:bc:67:bb:14:94:33:cb:27:6d:06
Signer

08/04/2019, 07:49
Valid: true

CODE
Size: 1.9MB - Virtual size: 1.9MB

DATA
Size: 43KB - Virtual size: 42KB

BSS
Size: - Virtual size: 112KB

.idata
Size: 12KB - Virtual size: 12KB

.tls
Size: - Virtual size: 380B

.rdata
Size: 512B - Virtual size: 24B

.reloc
Size: - Virtual size: 96KB

.rsrc
Size: 509KB - Virtual size: 509KB

.text
Size: 71KB - Virtual size: 71KB

.data
Size: 512B - Virtual size: 92B

.rdata
Size: 19KB - Virtual size: 18KB

.eh_fram
Size: 512B - Virtual size: 220B

.bss
Size: - Virtual size: 2KB

.edata
Size: 1KB - Virtual size: 1KB

.idata
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 900B

.reloc
Size: 1KB - Virtual size: 1KB