78ea1cc56cc38ca8f572faf3c0829684c63df93e71ef3091b567de1313a5c87b

Sharing

Copy URL

Twitter E-mail

General

Target

78ea1cc56cc38ca8f572faf3c0829684c63df93e71ef3091b567de1313a5c87b
Size

395KB
MD5

7964148e8c15d3aa4d12bc4be0fb81c0
SHA1

d544f296f67812e4b200434456d18ceca98e815a
SHA256

78ea1cc56cc38ca8f572faf3c0829684c63df93e71ef3091b567de1313a5c87b
SHA512

9a036599f73ea2dab099109d29fb9732c6365f7c18860d43b1197e90458439c14a3013e6ff2f61fb6647bd3988af1b1d5682f07009f682a632af40e199e5f713
SSDEEP

6144:2P+NbVklNXD42QXhtgn03k35946hYu8+cOGJ:8+Nul6R6PbhlGJ

Score

N/A

Malware Config

Signatures

Files

78ea1cc56cc38ca8f572faf3c0829684c63df93e71ef3091b567de1313a5c87b
.dll windows x86

d85f04f1ff5855384b6cd7c06edf6980

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

ControlService
SetTokenInformation
ImpersonateLoggedOnUser
CreateProcessAsUserW
StartServiceW
ConvertSidToStringSidW
QueryServiceStatus
DuplicateTokenEx
RegSetValueExW
LsaRetrievePrivateData
LookupAccountNameW
AccessCheck
GetSecurityDescriptorLength
RegCreateKeyExW
ConvertStringSecurityDescriptorToSecurityDescriptorW
QueryServiceStatusEx
SaferCreateLevel
SaferComputeTokenFromLevel
SaferCloseLevel
CommandLineFromMsiDescriptor
IsValidSecurityDescriptor
LookupAccountSidW
FreeSid
AllocateAndInitializeSid
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AddAccessAllowedAce
InitializeAcl
GetLengthSid
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
CloseServiceHandle
OpenServiceW
OpenSCManagerW
AllocateLocallyUniqueId
SetServiceStatus
RegQueryValueA
RegisterServiceCtrlHandlerExW
RegisterEventSourceW
ReportEventW
DeregisterEventSource
IsValidSid
GetSidIdentifierAuthority
GetSidSubAuthorityCount
GetSidSubAuthority
GetSecurityDescriptorDacl
GetAce
RegOpenKeyW
RegQueryValueW
CryptAcquireContextW
CryptReleaseContext
SystemFunction036
CryptGenRandom
RegNotifyChangeKeyValue
RegQueryInfoKeyW
RegEnumValueW
ImpersonateAnonymousToken
OpenThreadToken
RevertToSelf
RegOpenUserClassesRoot
SaferiCompareTokenLevels
CheckTokenMembership
CopySid
SetThreadToken
CreateWellKnownSid
LsaOpenPolicy
LsaQueryInformationPolicy
LsaClose
EqualSid
GetTokenInformation
OpenProcessToken
ChangeServiceConfigW
LsaFreeMemory

kernel32

DisableThreadLibraryCalls
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
LoadLibraryA
InterlockedCompareExchange
FreeLibrary
GetProcAddress
TlsAlloc
LocalAlloc
CreateEventA
LocalFree
Sleep
GetComputerNameA
QueryPerformanceCounter
GlobalMemoryStatus
GetDiskFreeSpaceA
InterlockedExchange
EnterCriticalSection
LeaveCriticalSection
GetComputerNameW
GetLastError
lstrcmpW
GetProcessHeap
HeapAlloc
HeapFree
GetDriveTypeW
lstrcpynW
MultiByteToWideChar
lstrlenA
GetExitCodeProcess
WaitForMultipleObjects
CreateMutexW
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
ResumeThread
OpenFileMappingW
CreateProcessW
ReadFile
ReleaseActCtx
WriteFile
WaitNamedPipeW
InitializeCriticalSectionAndSpinCount
lstrcmpiA
MapViewOfFileEx
VirtualAlloc
VirtualFree
GetSystemTimeAsFileTime
DelayLoadFailureHook
SetLastError
CloseHandle
DeviceIoControl
CreateFileW
SleepEx
InterlockedIncrement
InterlockedDecrement
CreateThread
GetSystemInfo
lstrcpyW
lstrlenW
RegisterWaitForSingleObject
CreateEventW
SetEvent
WaitForSingleObject
lstrcatW
TerminateJobObject
GetCurrentThread
InterlockedExchangeAdd
DeleteTimerQueueTimer
CreateTimerQueueTimer
DeleteCriticalSection
IsDebuggerPresent
DebugBreak
ResetEvent
TlsSetValue
TlsGetValue
GetModuleHandleW
LoadLibraryExA
ExpandEnvironmentStringsW
GetModuleFileNameW
ReleaseMutex
FindActCtxSectionGuid
FindActCtxSectionStringW
LoadLibraryW
GetSystemDirectoryW
GetSystemWow64DirectoryW
lstrcmpiW
SearchPathW
AddRefActCtx
OpenProcess
DuplicateHandle
InitializeCriticalSection
OpenEventW
LoadLibraryExW
FindClose
FindFirstFileW

msvcrt

_onexit
__dllonexit
_adjust_fdiv
malloc
_initterm
free
wcschr
_resetstkoflw
_except_handler3
memmove
_wtoi
_purecall
ceil
_ftol
wcslen
wcscpy
_ultow
strncmp
wcstol
_stricmp
swprintf
_vsnwprintf
_wcsicmp
wcsncpy
towupper
wcscat

ntdll

RtlAllocateHeap
RtlFreeHeap
RtlImageNtHeader
RtlNtStatusToDosError
NtOpenFile
RtlInitString
RtlDeleteCriticalSection
RtlEqualSid
NtCompareTokens
NtQueryInformationToken
DbgPrint
NtQuerySystemInformation
NtOpenSection
NtFsControlFile
NtCreateFile
RtlAdjustPrivilege
NtSetInformationProcess
NtDuplicateToken
NtAllocateLocallyUniqueId
RtlInitUnicodeString
RtlEqualUnicodeString
NtSetUuidSeed
RtlSetSaclSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlSetGroupSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlCreateSecurityDescriptor
RtlAddAce
RtlCreateAcl
RtlGetNtProductType
RtlInitializeCriticalSection
RtlLengthRequiredSid
RtlInitializeSid
RtlSubAuthoritySid
RtlAllocateAndInitializeSid
NtClose
NtOpenKey
RtlLengthSid
RtlCopySid

rpcrt4

RpcServerRegisterIf2
RpcMgmtSetServerStackSize
UuidCreate
RpcServerListen
RpcMgmtIsServerListening
I_RpcAllocate
I_RpcFree
RpcServerUseProtseqEpExW
RpcBindingFree
RpcBindingSetAuthInfoW
RpcBindingSetAuthInfoExW
NdrAsyncServerCall
NdrAsyncClientCall
MesEncodeFixedBufferHandleCreate
MesHandleFree
MesDecodeBufferHandleCreate
NdrMesTypeAlignSize2
NdrMesTypeEncode2
NdrMesTypeDecode2
RpcRevertToSelfEx
RpcImpersonateClient
RpcRaiseException
I_RpcBindingInqTransportType
RpcAsyncCompleteCall
RpcBindingSetOption
I_RpcBindingInqWireIdForSnego
RpcServerUnregisterIf
I_RpcServerInqLocalConnAddress
I_RpcServerCheckClientRestriction
TowerExplode
I_RpcSystemFunction001
RpcServerRegisterIfEx
I_RpcServerRegisterForwardFunction
I_RpcServerSetAddressChangeFn
I_RpcExceptionFilter
NdrClientCall2
NdrServerCall2
RpcStringBindingComposeW
RpcMgmtEnableIdleCleanup
I_RpcBindingInqLocalClientPID
RpcRevertToSelf
RpcBindingReset
RpcAsyncCancelCall
RpcBindingFromStringBindingW
RpcBindingSetObject
RpcAsyncInitializeHandle
RpcBindingCopy
RpcServerInqBindings
RpcBindingVectorFree
RpcStringFreeW
RpcBindingToStringBindingW
RpcStringBindingParseW
RpcServerRegisterAuthInfoW

secur32

FreeContextBuffer
LsaLogonUser
LsaLookupAuthenticationPackage
LsaRegisterLogonProcess
LsaFreeReturnBuffer
EnumerateSecurityPackagesW

user32

wsprintfW
LoadStringW
CharUpperW

ws2_32

closesocket
WSAIoctl
WSAGetLastError
inet_ntoa
gethostname
gethostbyname
socket
bind
WSASetServiceW
htons
getsockname

Exports

Exports

CoGetComCatalog
GetRPCSSInfo
ServiceMain
WhichService

Sections

.text
Size: 251KB - Virtual size: 250KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 131KB - Virtual size: 131KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d85f04f1ff5855384b6cd7c06edf6980

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

msvcrt

ntdll

rpcrt4

secur32

user32

ws2_32

Exports

Exports

Sections

.text Size: 251KB - Virtual size: 250KB

.data Size: 131KB - Virtual size: 131KB

.rsrc Size: 1024B - Virtual size: 1016B

.reloc Size: 11KB - Virtual size: 10KB

.text
Size: 251KB - Virtual size: 250KB

.data
Size: 131KB - Virtual size: 131KB

.rsrc
Size: 1024B - Virtual size: 1016B

.reloc
Size: 11KB - Virtual size: 10KB