e33373f2f5c49e0a81b02015d2a3fb10bddfcff00172144bd189a5b4e6b5ccaf

Sharing

Copy URL

Twitter E-mail

General

Target

e33373f2f5c49e0a81b02015d2a3fb10bddfcff00172144bd189a5b4e6b5ccaf
Size

777KB
MD5

8c4d6dab533c361266b2c8359983d47e
SHA1

3bb5690a0041e97f7be116dfd8f0827017a82c8d
SHA256

e33373f2f5c49e0a81b02015d2a3fb10bddfcff00172144bd189a5b4e6b5ccaf
SHA512

5296f02264c75eee45073d5ae146d8f3bdee382c95dafdae5da1eaac66875e9c3822838cb64d1eeae4546d1cd8c31dc664217b72afb56e9e88c5da551e5b40c3
SSDEEP

12288:FrHSFks+wwYbIoa/IjYStpVdmiqPwHNFyTLlj+HGgYYH0iwvv+RoUw4EI93k:dyklS3oLPwtFUgHAYUH6O4EI93k

Score

N/A

Malware Config

Signatures

Files

e33373f2f5c49e0a81b02015d2a3fb10bddfcff00172144bd189a5b4e6b5ccaf
.exe windows x86

ed4aac6d47256300412871c267cc54b1

Code Sign

6a:c5:cc:e2:d2:08:12:b6:ff:36:b2:b0:56:64:dc:77
Certificate

Issuer

CN=WoSign Class 3 Code Signing CA,O=WoSign CA Limited,C=CN

Not Before

17/08/2016, 09:03

Not After

17/09/2017, 09:03

Subject

CN=Beijing Yida Hongtian Technology Co.\, Ltd.,O=Beijing Yida Hongtian Technology Co.\, Ltd.,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageDigitalSignature

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4c
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Not Before

08/08/2009, 01:00

Not After

08/08/2024, 01:00

Subject

CN=WoSign Time Stamping Signer,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

5e:68:d6:11:71:94:63:50:56:00:68:f3:3e:c9:c5:91
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Not Before

08/08/2009, 01:00

Not After

08/08/2039, 01:00

Subject

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

46:bb:b3:40:fa:b9:c1:79:28:93:8c:93:da:10:86:79
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Not Before

08/08/2009, 01:00

Not After

08/08/2024, 01:00

Subject

CN=WoSign Class 3 Code Signing CA,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:39:65:c4:72:e0:dc:2b:d9:65:00:00:00:00:00:39
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

29/04/2015, 17:12

Not After

29/04/2025, 17:12

Subject

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d7:bb:d1:c0:b3:b4:6a:50:35:b4:5d:d9:50:d3:2f:9b:d0:fd:fd:de
Signer

Actual PE Digest

d7:bb:d1:c0:b3:b4:6a:50:35:b4:5d:d9:50:d3:2f:9b:d0:fd:fd:de

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Beijing Yida Hongtian Technology Co.\, Ltd.,O=Beijing Yida Hongtian Technology Co.\, Ltd.,L=Beijing,ST=Beijing,C=CN

06/03/2017, 14:50
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetModuleFileNameA
OutputDebugStringA
FindResourceW
FindResourceExW
CreateFileA
MultiByteToWideChar
WideCharToMultiByte
LocalFree
FormatMessageA
GetProcAddress
VirtualAlloc
VirtualFree
VirtualProtect
VirtualAllocEx
VirtualFreeEx
VirtualProtectEx
GetProcessTimes
OpenProcess
GetCurrentProcessId
TerminateProcess
CreateRemoteThread
GetProcessId
OpenThread
ReadProcessMemory
WriteProcessMemory
GetThreadContext
SetThreadContext
SuspendThread
ResumeThread
FileTimeToLocalFileTime
FileTimeToSystemTime
MapViewOfFile
UnmapViewOfFile
lstrcmpiA
lstrcpyA
CreateFileMappingA
OpenFileMappingA
LoadLibraryA
GetModuleHandleA
CreateProcessA
OutputDebugStringW
CreateToolhelp32Snapshot
Process32First
Process32Next
Thread32First
Thread32Next
Module32First
Module32Next
VerSetConditionMask
InterlockedIncrement
InterlockedDecrement
FreeLibrary
GlobalReAlloc
LocalAlloc
CreateThread
SetEvent
ReleaseMutex
WaitForSingleObject
WaitForMultipleObjects
Sleep
DeviceIoControl
WinExec
MulDiv
GetNativeSystemInfo
CreateMutexA
CreateEventA
CreateWaitableTimerA
SetWaitableTimer
LoadLibraryExA
GetModuleHandleW
FindResourceA
GetPrivateProfileStringA
GetVersionExA
VerifyVersionInfoA
IsDBCSLeadByte
GetTickCount
lstrlenA
SetEnvironmentVariableA
CreateFileW
ReadConsoleW
FlushFileBuffers
WriteConsoleW
SetStdHandle
LoadLibraryW
SetFilePointerEx
GetConsoleMode
GetConsoleCP
UnregisterWaitEx
QueryDepthSList
InterlockedFlushSList
ReleaseSemaphore
DuplicateHandle
GetVersionExW
FreeLibraryAndExitThread
GetThreadTimes
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetFileType
GetTimeZoneInformation
GetOEMCP
GetACP
IsValidCodePage
GetCurrentThread
GetModuleFileNameW
WriteFile
GetStdHandle
GetModuleHandleExW
ExitProcess
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
CreateSemaphoreW
GetStartupInfoW
CreateEventW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCPInfo
UnregisterWait
RegisterWaitForSingleObject
SetThreadAffinityMask
GetProcessAffinityMask
GetNumaHighestNodeNumber
DeleteTimerQueueTimer
ChangeTimerQueueTimer
CreateTimerQueueTimer
GetLogicalProcessorInformation
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
GetThreadPriority
SetThreadPriority
SwitchToThread
SignalObjectAndWait
WaitForSingleObjectEx
CreateTimerQueue
GetCommandLineA
LoadLibraryExW
ExitThread
VirtualQuery
GetSystemInfo
lstrcatA
lstrcpynA
lstrcmpA
CloseHandle
ReadFile
GetFileSize
SizeofResource
LoadResource
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
EnterCriticalSection
LeaveCriticalSection
SetLastError
GetLastError
DecodePointer
GetCurrentThreadId
RaiseException
GetCurrentProcess
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
FlushInstructionCache
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
LockResource
InterlockedExchange
MapViewOfFileEx
RtlUnwind
GetStringTypeW
EncodePointer
GetSystemTimeAsFileTime
IsProcessorFeaturePresent
InterlockedPushEntrySList
InterlockedPopEntrySList
InitializeSListHead
IsDebuggerPresent

user32

wsprintfA
SendMessageA
PostMessageA
CallWindowProcA
UnregisterClassA
GetClassInfoExA
CreateWindowExA
GetClientRect
MessageBoxA
SetWindowLongA
EnumChildWindows
GetClassNameA
LoadCursorA
wsprintfW
IsWindow
CharLowerBuffA
EnumWindows
RegisterClassExA
GetWindowThreadProcessId
SetWindowPos
EndDialog
GetWindowRect
MapWindowPoints
GetWindowLongA
GetParent
GetWindow
MonitorFromWindow
GetMonitorInfoA
RegisterWindowMessageA
GetMessageA
TranslateMessage
DispatchMessageA
PeekMessageA
DefWindowProcA
IsChild
DestroyWindow
ShowWindow
MoveWindow
CreateDialogParamA
GetDlgItem
CharNextA
SetFocus
GetActiveWindow
GetFocus
SetCapture
ReleaseCapture
CreateAcceleratorTableA
DestroyAcceleratorTable
GetSystemMetrics
GetDC
ReleaseDC
IsDialogMessageA
LoadImageA
SetCursorPos
MessageBeep
EnableWindow
KillTimer
SetTimer
MsgWaitForMultipleObjects
mouse_event
SetDlgItemTextA
DialogBoxParamA
PostQuitMessage
FindWindowA
GetDesktopWindow
FillRect
GetSysColor
ScreenToClient
ClientToScreen
GetWindowTextLengthA
GetWindowTextA
SetWindowTextA
RedrawWindow
InvalidateRgn
InvalidateRect
EndPaint
BeginPaint

gdi32

GetDeviceCaps
CreateSolidBrush
CreateCompatibleBitmap
BitBlt
GetObjectA
CreateDIBSection
SelectObject
DeleteObject
DeleteDC
CreateCompatibleDC
GetStockObject

advapi32

RegCloseKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
RegSetValueExA
RegQueryValueExA
RegQueryInfoKeyW
RegOpenKeyExA
RegEnumValueA
RegEnumKeyExA
RegEnumKeyA
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenProcessToken

ole32

OleUninitialize
OleLockRunning
CoTaskMemRealloc
OleInitialize
StringFromGUID2
CLSIDFromProgID
CLSIDFromString
CoGetClassObject
CoInitialize
CreateStreamOnHGlobal
CoCreateInstance
CoTaskMemAlloc
CoTaskMemFree

oleaut32

SysStringLen
SysStringByteLen
SysAllocStringByteLen
VariantInit
VariantClear
SysFreeString
VariantCopy
SystemTimeToVariantTime
VariantTimeToSystemTime
SysAllocStringLen
VarBstrFromDate
VarUI4FromStr
LoadTypeLi
LoadRegTypeLi
DispCallFunc
OleCreateFontIndirect
SysAllocString
VarBstrCmp
VariantChangeType

libeay32

ord484
ord490
ord492
ord491
ord119
ord493
ord485

shlwapi

PathRemoveFileSpecA
StrStrIA
StrCpyNW
PathFindFileNameA
StrToIntA
StrToInt64ExA
PathRemoveExtensionA
wvnsprintfA

gdiplus

GdipDrawLineI

wininet

InternetOpenA
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetQueryDataAvailable
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetGetLastResponseInfoA
InternetSetOptionA
InternetReadFile

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

psapi

GetModuleFileNameExA
EnumProcessModules
EnumProcesses

imagehlp

ImageUnload
ImageLoad

ws2_32

htons
inet_addr
closesocket
inet_ntoa
recv
send
socket
gethostbyname
connect
WSAStartup

winmm

waveOutSetVolume
mixerSetControlDetails
mixerGetLineControlsA
mixerGetLineInfoA
mixerClose
mixerOpen

Sections

.text
Size: 595KB - Virtual size: 595KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 117KB - Virtual size: 117KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 18KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ed4aac6d47256300412871c267cc54b1

Code Sign

6a:c5:cc:e2:d2:08:12:b6:ff:36:b2:b0:56:64:dc:77Certificate

Extended Key Usages

Key Usages

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4cCertificate

Extended Key Usages

Key Usages

5e:68:d6:11:71:94:63:50:56:00:68:f3:3e:c9:c5:91Certificate

Key Usages

46:bb:b3:40:fa:b9:c1:79:28:93:8c:93:da:10:86:79Certificate

Extended Key Usages

Key Usages

33:00:00:00:39:65:c4:72:e0:dc:2b:d9:65:00:00:00:00:00:39Certificate

Extended Key Usages

Key Usages

d7:bb:d1:c0:b3:b4:6a:50:35:b4:5d:d9:50:d3:2f:9b:d0:fd:fd:deSigner

Signature Validations

Verification

06/03/2017, 14:50 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

ole32

oleaut32

libeay32

shlwapi

gdiplus

wininet

version

psapi

imagehlp

ws2_32

winmm

Sections

.text Size: 595KB - Virtual size: 595KB

.rdata Size: 117KB - Virtual size: 117KB

.data Size: 18KB - Virtual size: 34KB

.rsrc Size: 6KB - Virtual size: 6KB

.reloc Size: 30KB - Virtual size: 30KB

6a:c5:cc:e2:d2:08:12:b6:ff:36:b2:b0:56:64:dc:77
Certificate

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4c
Certificate

5e:68:d6:11:71:94:63:50:56:00:68:f3:3e:c9:c5:91
Certificate

46:bb:b3:40:fa:b9:c1:79:28:93:8c:93:da:10:86:79
Certificate

33:00:00:00:39:65:c4:72:e0:dc:2b:d9:65:00:00:00:00:00:39
Certificate

d7:bb:d1:c0:b3:b4:6a:50:35:b4:5d:d9:50:d3:2f:9b:d0:fd:fd:de
Signer

06/03/2017, 14:50
Valid: false

.text
Size: 595KB - Virtual size: 595KB

.rdata
Size: 117KB - Virtual size: 117KB

.data
Size: 18KB - Virtual size: 34KB

.rsrc
Size: 6KB - Virtual size: 6KB

.reloc
Size: 30KB - Virtual size: 30KB