Static task: static1
Behavioral task: behavioral1
Sample: d81b4a326cedf6c2a2feeb6e30b0688874c12fb78faeb402a15842697eb0dab3.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: d81b4a326cedf6c2a2feeb6e30b0688874c12fb78faeb402a15842697eb0dab3.exe
Resource: win10v2004-20220901-en
General
Target: d81b4a326cedf6c2a2feeb6e30b0688874c12fb78faeb402a15842697eb0dab3
Size: 329KB
MD5: 129e4a7f9e6d5e417284c00617fc5d8b
SHA1: a29936be78f133df5bf8327caf3ed0802e7ca37c
SHA256: d81b4a326cedf6c2a2feeb6e30b0688874c12fb78faeb402a15842697eb0dab3
SHA512: df4de98daaa373703ba991a0058e5da51a37f80960df7fe4800b5b637ae72dadc6820ff52ea34623ef18b8e843c6cd20c64203d1e61e0e24f16e73e6926b56bb
SSDEEP: 6144:i9vKw15Y4vr6jrMKku6IWl8y2+Du2NLsWQRBKz8T/vLv:evKwftEny/uysHLzvL
Malware Config
Signatures
Files
d81b4a326cedf6c2a2feeb6e30b0688874c12fb78faeb402a15842697eb0dab3.exe windows x86
4858264641114737824d2d7c37f2837e
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
advapi32
TraceMessage
EventWrite
EventEnabled
InitiateShutdownW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
QueryTraceW
EnableTrace
ControlTraceW
StartTraceW
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
RegisterTraceGuidsW
UnregisterTraceGuids
RegDeleteValueW
EventRegister
EventUnregister
EventWriteEndScenario
EventWriteStartScenario
EventActivityIdControl
RegEnumValueW
RegQueryInfoKeyW
RegSetValueExW
RegOpenKeyW
GetTokenInformation
OpenProcessToken
ConvertStringSidToSidW
LsaFreeMemory
LsaGetUserName
RevertToSelf
ImpersonateLoggedOnUser
CloseEventLog
GetEventLogInformation
OpenEventLogW
RegisterEventSourceW
DeregisterEventSource
LsaNtStatusToWinError
RegCreateKeyExW
CheckTokenMembership
DuplicateTokenEx
ConvertSidToStringSidW
CreateProcessAsUserW
AllocateLocallyUniqueId
ReportEventW
LogonUserW
RegSetKeySecurity
RegDeleteKeyW
RegGetValueA
EqualSid
CredFree
NotifyServiceStatusChangeW
NotifyBootConfigStatus
CreateWellKnownSid
LookupAccountSidW
RegDeleteTreeW
OpenSCManagerW
RegEnumKeyExW
CloseServiceHandle
OpenServiceW
QueryServiceConfigW
QueryServiceStatus
MD5Init
MD5Update
MD5Final
CredReadByTokenHandle
kernel32
CloseHandle
SetEvent
CreateEventW
LocalReAlloc
LocalSize
MoveFileExW
Sleep
UnregisterWaitEx
InterlockedExchange
WaitForSingleObjectEx
HeapSetInformation
GetCurrentProcessId
VirtualAlloc
ExpandEnvironmentStringsW
lstrlenW
GetShortPathNameW
CompareStringW
SetEnvironmentVariableW
FreeLibrary
GetProcAddress
LoadLibraryW
GetProcessHeap
GetExitCodeProcess
UnregisterWait
OpenProcess
RegisterWaitForSingleObject
QueryInformationJobObject
DuplicateHandle
GetSystemTimeAsFileTime
InterlockedDecrement
InterlockedIncrement
GetComputerNameW
InterlockedCompareExchange
ResetEvent
TerminateJobObject
GetCommandLineW
CreateJobObjectW
VirtualFree
VirtualUnlock
SetProcessWorkingSetSize
GetProcessWorkingSetSize
VirtualLock
GetDateFormatW
GetTimeFormatW
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
ResumeThread
CompareFileTime
GetTickCount
TerminateProcess
AssignProcessToJobObject
SearchPathW
CreateProcessW
DeleteTimerQueueTimer
CreateTimerQueueTimer
OpenEventW
GetProcessId
GetModuleHandleW
ReadFile
CreateFileW
SetErrorMode
CreateThread
WaitForMultipleObjects
SetInformationJobObject
GetSystemDirectoryW
LoadLibraryA
GetModuleFileNameW
LocalAlloc
LocalFree
SetLastError
FormatMessageW
FindResourceExW
LoadResource
WaitForSingleObject
LockResource
GetCurrentProcess
SetPriorityClass
GetCurrentThread
SetThreadPriority
HeapSize
HeapFree
HeapAlloc
GetLastError
HeapCreate
HeapDestroy
MultiByteToWideChar
GetSystemInfo
lstrcmpW
SleepEx
GetFileAttributesW
SetTimerQueueTimer
CreateRemoteThread
GetThreadUILanguage
GetVersionExW
GetTickCount64
WideCharToMultiByte
DebugBreak
UnhandledExceptionFilter
GetCurrentThreadId
QueryPerformanceCounter
GetModuleHandleA
SetUnhandledExceptionFilter
GetStartupInfoA
DelayLoadFailureHook
CreateProcessInternalW
BaseInitAppcompatCacheSupport
user32
CreateDesktopW
SystemParametersInfoW
GetKeyState
GetLastInputInfo
SwitchDesktopWithFade
LoadLocalFonts
RegisterLogonProcess
CreateWindowStationW
SetProcessWindowStation
CloseWindowStation
SetUserObjectSecurity
SwitchDesktop
SetThreadDesktop
SetForegroundWindow
SetWindowPos
GetDesktopWindow
CancelShutdown
GetWindowLongW
GetWindowRect
LoadStringW
SendMessageW
GetDlgItem
LoadImageW
EndDialog
GetDlgItemTextW
DialogBoxParamW
ShowWindow
RealGetWindowClassW
FindWindowW
UpdatePerUserSystemParameters
SetWindowStationUser
UnlockWindowStation
LockWindowStation
GetSystemMetrics
GetAsyncKeyState
LoadCursorW
CopyIcon
SetSystemCursor
DestroyCursor
ExitWindowsEx
MessageBoxW
OpenInputDesktop
GetUserObjectInformationW
GetParent
EnumWindows
CloseDesktop
msvcrt
wcsncmp
iswalnum
iswalpha
_snwscanf_s
_wcsupr
strncmp
wcsnlen
??_U@YAPAXI@Z
??_V@YAXPAX@Z
swscanf
_controlfp
?terminate@@YAXXZ
_except_handler4_common
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_amsg_exit
_initterm
_acmdln
exit
_ismbblead
_XcptFilter
_exit
_cexit
__getmainargs
_wtoi
_ultow
??3@YAXPAX@Z
wcstok
iswspace
wcschr
_wcsicmp
memmove
_vsnwprintf
memset
memcpy
??2@YAPAXI@Z
_wcslwr
wcscpy_s
wcscat_s
_wcsnicmp
swprintf_s
_ultow_s
wcstoul
printf
wcsstr
__isascii
isupper
_tolower
ntdll
RtlCopySid
RtlExpandEnvironmentStrings_U
TpAllocWait
TpAllocWork
TpPostWork
TpSetWait
TpWaitForWait
TpReleaseWait
TpWaitForWork
TpReleaseWork
TpSimpleTryPost
NtAllocateLocallyUniqueId
RtlOpenCurrentUser
RtlFreeSid
NtSetSecurityObject
RtlSetSaclSecurityDescriptor
RtlAddMandatoryAce
RtlCreateAcl
RtlCreateSecurityDescriptor
RtlAllocateAndInitializeSid
RtlTimeToSecondsSince1980
RtlRemovePrivileges
TpSetTimer
TpAllocTimer
NtOpenDirectoryObject
NtInitiatePowerAction
NtShutdownSystem
RtlNtStatusToDosError
NtClose
NtQueryInformationToken
NtOpenProcessToken
WinSqmStartSession
WinSqmEndSession
RtlGetNtProductType
RtlInitString
RtlDestroyEnvironment
RtlLengthSid
TpWaitForTimer
RtlGetDaclSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlAddAce
NtAdjustPrivilegesToken
NtDuplicateToken
RtlUnhandledExceptionFilter
NtQueryInformationProcess
TpReleaseTimer
NtSetInformationProcess
NtReplyPort
NtCompleteConnectPort
NtReplyWaitReceivePort
NtAcceptConnectPort
NtCreatePort
NtCreateEvent
DbgPrint
RtlFreeHeap
RtlAllocateHeap
NtOpenFile
RtlGUIDFromString
RtlStringFromGUID
NtOpenKey
NtEnumerateKey
NtQueryKey
NtQueryAttributesFile
NtUnloadKey
NtLoadKey
RtlSetOwnerSecurityDescriptor
RtlLengthSecurityDescriptor
RtlAddAccessAllowedAceEx
NtCreateKey
NtDeleteValueKey
NtQueryValueKey
NtSetValueKey
NtDeleteKey
LdrGetProcedureAddress
RtlInitAnsiString
LdrGetDllHandle
NtResetEvent
NtWaitForSingleObject
NtDeviceIoControlFile
RtlGetVersion
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
NtAllocateUuids
NtQuerySystemInformation
NtSystemDebugControl
RtlDuplicateUnicodeString
NtFilterToken
RtlEqualSid
RtlInitializeCriticalSection
RtlEnterCriticalSection
RtlLeaveCriticalSection
DbgBreakPoint
NtCreateToken
NtSetInformationToken
RtlCreateEnvironment
RtlInitUnicodeString
RtlQueryEnvironmentVariable_U
RtlSetEnvironmentVariable
RtlInitUnicodeStringEx
RtlCompareUnicodeString
NtOpenThreadToken
RtlpVerifyAndCommitUILanguageSettings
RtlDeleteCriticalSection
RtlFreeUnicodeString
RtlAdjustPrivilege
secur32
LsaCallAuthenticationPackage
LsaFreeReturnBuffer
SeciAllocateAndSetIPAddress
SeciAllocateAndSetCallFlags
LsaLogonUser
SeciFreeCallContext
LsaRegisterLogonProcess
LsaLookupAuthenticationPackage
LsaGetLogonSessionData
ChangeAccountPasswordW
GetUserNameExW
winsta
WinStationGetUserCredentials
WinStationDisconnect
WinStationFreeUserCredentials
WinStationIsSessionPermitted
WinStationQueryInformationW
WinStationFreeMemory
WinStationReportUIResult
WinStationNegotiateSession
_WinStationWaitForConnect
rpcrt4
RpcServerUnsubscribeForNotification
RpcServerSubscribeForNotification
I_RpcBindingIsClientLocal
RpcServerUnregisterIf
RpcBindingVectorFree
RpcEpUnregister
RpcServerListen
RpcEpRegisterW
RpcServerRegisterIfEx
RpcServerUseProtseqW
NdrServerCall2
NdrAsyncServerCall
RpcRaiseException
RpcServerInqCallAttributesW
RpcServerTestCancel
NdrAsyncClientCall
RpcAsyncInitializeHandle
RpcAsyncCancelCall
RpcMgmtIsServerListening
RpcStringFreeW
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcBindingSetAuthInfoExW
UuidFromStringW
NdrClientCall2
RpcBindingCreateW
RpcBindingBind
RpcBindingUnbind
RpcBindingFree
I_RpcExceptionFilter
RpcAsyncAbortCall
RpcAsyncCompleteCall
I_RpcMapWin32Status
I_RpcBindingInqLocalClientPID
RpcImpersonateClient
RpcRevertToSelf
RpcServerUseProtseqEpW
RpcServerInqBindings
psapi
EnumProcessModules
GetModuleBaseNameW
userenv
GetUserProfileDirectoryW
GetAllUsersProfileDirectoryW
ord204
ord205
Sections
.text Size: 261KB - Virtual size: 261KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 8KB - Virtual size: 11KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 41KB - Virtual size: 40KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 17KB - Virtual size: 16KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ