66183972891ab1e271d8f5bb9b1678c682a71c486ee63c6d39daa764b646d3d3

Sharing

Copy URL

Twitter E-mail

General

Target

66183972891ab1e271d8f5bb9b1678c682a71c486ee63c6d39daa764b646d3d3
Size

834KB
MD5

c4d3e3db5c63d96b0885ca295206b86f
SHA1

6f2a96758d0f94194e2089bd23ae5c2faed24a88
SHA256

66183972891ab1e271d8f5bb9b1678c682a71c486ee63c6d39daa764b646d3d3
SHA512

68e243c3b71f9b8c6049d78f98f2da20189d39562573bbbc12b43ec860a461cda53529cdd68cd17574cf25bbf15dda81cad6ed4d3bf180c4ff3f9b39e1789297
SSDEEP

24576:gXrgAxttkeeNhas/VvNaU1FUnOrGDQ26i:gXrg8OeeNhnMU1sOaD5h

Score

N/A

Malware Config

Signatures

Files

66183972891ab1e271d8f5bb9b1678c682a71c486ee63c6d39daa764b646d3d3
.zip
201408282238374348/0829.exe
.exe windows x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.nsp0
Size: - Virtual size: 1.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.nsp1
Size: 779KB - Virtual size: 780KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.nsp2
Size: - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
201408282238374348/װԶǹ/BackInDKB.inf
201408282238374348/װԶǹ/BackInDKB.sys
.exe windows x86

08450bf8a3feabf942fc0d09997cdefd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

memset
KeSetEvent
IoDeleteSymbolicLink
RtlInitUnicodeString
IofCompleteRequest
IofCallDriver
IoStartPacket
IoCreateDevice
KeWaitForSingleObject
KeInitializeEvent
IoDetachDevice
PoCallDriver
PoStartNextPowerIrp
IoCreateSymbolicLink
KeTickCount
IoAttachDeviceToDeviceStack
memmove
IoDeleteDevice

hal

KfLowerIrql
KfRaiseIrql

Sections

.text
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 239B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 20B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1024B - Virtual size: 914B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 214B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
201408282238374348/װԶǹ/BackInDMU.inf
201408282238374348/װԶǹ/BackInDMU.sys
.exe windows x86

fecb9a2ffaff2a61c997a4276c35402e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

memset
KeSetEvent
IoDeleteSymbolicLink
RtlInitUnicodeString
IofCompleteRequest
IofCallDriver
IoStartPacket
IoCreateDevice
KeInitializeEvent
IoDetachDevice
PoCallDriver
PoStartNextPowerIrp
IoCreateSymbolicLink
KeTickCount
IoAttachDeviceToDeviceStack
KeWaitForSingleObject
IoDeleteDevice

hal

KfLowerIrql
KfRaiseIrql

Sections

.text
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 227B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 20B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1024B - Virtual size: 900B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
201408282238374348/װԶǹ/BackInDll.dll
.dll windows x86

e10e8f042e340eeb093a471889906260

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetModuleFileNameW
CloseHandle
CreateFileW
GetLastError
DeviceIoControl
Sleep
GetCommandLineA
GetVersion
ExitProcess
TerminateProcess
GetCurrentProcess
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
GetModuleHandleA
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
HeapFree
WriteFile
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapAlloc
GetCPInfo
GetACP
GetOEMCP
VirtualAlloc
HeapReAlloc
GetProcAddress
LoadLibraryA
SetFilePointer
InterlockedDecrement
InterlockedIncrement
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
RtlUnwind
LCMapStringA
LCMapStringW
SetStdHandle
FlushFileBuffers

advapi32

DeleteService
ControlService
OpenSCManagerW
CreateServiceW
CloseServiceHandle
OpenServiceW
StartServiceW

user32

keybd_event
MapVirtualKeyW
GetKeyState
PostMessageW
GetSystemMetrics
GetCursorPos
mouse_event
MessageBoxW
SendMessageW

shlwapi

StrCpyW

Exports

Exports

AppKbVkSendKeyAndStatus2String
AppKbWinMakeCodeAndStatus22String
BackInKbGetHandle
BackInKbSetDelayTime
BackInKbSetHandle
BackInMouSetDelayTime
BackInMuGetHandle
BackInMuSetHandle
DriverDeviceClose
DriverDeviceOpen
End
Init
KeyDown
KeyPress
KeyUp
KmdDriverRemove
KmdDriverSetup
LeftClick
LeftDoubleClick
LeftDown
LeftUp
MiddleClick
MouseWheel
MoveR
MoveR_Ex
MoveTo
MoveTo_Ex
RightClick
RightDown
RightUp
SetKbMakeType
SetMuMakeType
VKSendAkeysAsync_KB
VKSendAkeysSeq_KB
VKSendAkeysSingle_KB
VKSendAkeysSync_KB
VKSendKeyAction_MU
VKSendKeyEx_KB
VKSendKeyEx_MU
VKSendMsVirtualKeyAsync_KB
VKSendMsVirtualKeySingle_KB
VKSendMsVirtualKeySync_KB
VKSendWinMakeCodeAsync_KB
VKSendWinMakeCodeSingle_KB
VKSendWinMakeCodeSync_KB

Sections

.text
Size: 32KB - Virtual size: 30KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
201408282238374348/װԶǹ/devcon.exe
.exe windows x86

4a8b1b3af5ed6b972156a2972693a918

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

21-05-2009 00:00

Not After

20-05-2019 23:59

Subject

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23-05-2006 17:01

Not After

23-05-2016 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1e:ac:c4:41:30:9d:41:27:c9:bc:0a:13:92:7d:67:90
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

23-08-2010 00:00

Not After

23-08-2011 23:59

Subject

CN=Siliten Electronics Co.\,Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Siliten Electronics Co.\,Ltd,L=DongGuan,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

4d:32:a9:b6:bc:ff:ee:65:9b:b0:12:c5:5f:79:50:25:94:1b:f0:55
Signer

Actual PE Digest

4d:32:a9:b6:bc:ff:ee:65:9b:b0:12:c5:5f:79:50:25:94:1b:f0:55

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Siliten Electronics Co.\,Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Siliten Electronics Co.\,Ltd,L=DongGuan,ST=Guangdong,C=CN

25-08-2010 09:05
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetProcAddress
LoadLibraryW
GetFileAttributesW
GetFullPathNameW
TerminateProcess
GetModuleHandleA
FreeLibrary
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
lstrcpynW
FileTimeToSystemTime
GetDateFormatW
lstrcpyW
lstrlenW
GetLastError
GetCurrentProcess
CloseHandle
LocalFree
FormatMessageW
QueryPerformanceCounter

msvcrt

fputws
fputs
_iob
??3@YAXPAX@Z
??2@YAPAXI@Z
wcschr
towlower
towupper
iswalpha
_wcsnicmp
_wcsicmp
_controlfp
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__wgetmainargs
__winitenv
exit
_cexit
_XcptFilter
_exit
_c_exit
wcscmp
wprintf
wcsrchr

advapi32

OpenProcessToken
LookupPrivilegeValueW
RegQueryValueExW
RegCloseKey
RegDeleteValueW
RegSetValueExW
CloseServiceHandle
OpenServiceW
OpenSCManagerW
AdjustTokenPrivileges

setupapi

SetupDiClassGuidsFromNameExW
CM_Free_Log_Conf_Handle
CM_Get_Next_Res_Des_Ex
CM_Free_Res_Des_Handle
CM_Get_Res_Des_Data_Size_Ex
CM_Connect_MachineW
CM_Locate_DevNode_ExW
CM_Reenumerate_DevNode_Ex
CM_Disconnect_Machine
SetupDiGetINFClassW
SetupDiCreateDeviceInfoList
SetupDiCreateDeviceInfoW
SetupDiSetDeviceRegistryPropertyW
SetupDiSetClassInstallParamsW
SetupDiBuildClassInfoListExW
SetupDiClassNameFromGuidExW
SetupDiGetClassDescriptionExW
SetupDiOpenClassRegKeyExW
SetupDiGetDriverInstallParamsW
SetupDiSetSelectedDriverW
SetupOpenFileQueue
SetupDiCallClassInstaller
SetupScanFileQueueW
SetupCloseFileQueue
SetupDiGetDeviceInstallParamsW
SetupDiSetDeviceInstallParamsW
SetupDiBuildDriverInfoList
SetupDiEnumDriverInfoW
SetupDiOpenDevRegKey
SetupDiGetDriverInfoDetailW
SetupDiDestroyDriverInfoList
SetupDiGetDeviceRegistryPropertyW
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
CM_Get_Device_ID_ExW
SetupDiGetDeviceInfoListDetailW
SetupDiOpenDeviceInfoW
SetupDiGetClassDevsExW
SetupDiCreateDeviceInfoListExW
CM_Get_Res_Des_Data_Ex
CM_Get_DevNode_Status_Ex
CM_Get_First_Log_Conf_Ex

user32

ExitWindowsEx
CharNextW
LoadStringW
CharPrevW

Sections

.text
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 472B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 33KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
201408282238374348/װԶǹ/һװԶǹ.bat
˵.htm
.html .js

Sharing

General

Malware Config

Signatures

Files

Headers

File Characteristics

Sections

.nsp0 Size: - Virtual size: 1.7MB

.nsp1 Size: 779KB - Virtual size: 780KB

.nsp2 Size: - Virtual size: 5KB

08450bf8a3feabf942fc0d09997cdefd

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

hal

Sections

.text Size: 2KB - Virtual size: 1KB

.rdata Size: 512B - Virtual size: 239B

.data Size: 512B - Virtual size: 20B

INIT Size: 1024B - Virtual size: 914B

.rsrc Size: 1024B - Virtual size: 896B

.reloc Size: 512B - Virtual size: 214B

fecb9a2ffaff2a61c997a4276c35402e

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

hal

Sections

.text Size: 2KB - Virtual size: 1KB

.rdata Size: 512B - Virtual size: 227B

.data Size: 512B - Virtual size: 20B

INIT Size: 1024B - Virtual size: 900B

.rsrc Size: 1024B - Virtual size: 896B

.reloc Size: 512B - Virtual size: 208B

e10e8f042e340eeb093a471889906260

Headers

File Characteristics

Imports

kernel32

advapi32

user32

shlwapi

Exports

Exports

Sections

.text Size: 32KB - Virtual size: 30KB

.rdata Size: 12KB - Virtual size: 10KB

.data Size: 16KB - Virtual size: 19KB

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 8KB - Virtual size: 4KB

4a8b1b3af5ed6b972156a2972693a918

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5cCertificate

Extended Key Usages

Key Usages

61:0c:12:06:00:00:00:00:00:1bCertificate

Key Usages

1e:ac:c4:41:30:9d:41:27:c9:bc:0a:13:92:7d:67:90Certificate

Extended Key Usages

Key Usages

4d:32:a9:b6:bc:ff:ee:65:9b:b0:12:c5:5f:79:50:25:94:1b:f0:55Signer

Signature Validations

Verification

25-08-2010 09:05 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

.nsp0
Size: - Virtual size: 1.7MB

.nsp1
Size: 779KB - Virtual size: 780KB

.nsp2
Size: - Virtual size: 5KB

.text
Size: 2KB - Virtual size: 1KB

.rdata
Size: 512B - Virtual size: 239B

.data
Size: 512B - Virtual size: 20B

INIT
Size: 1024B - Virtual size: 914B

.rsrc
Size: 1024B - Virtual size: 896B

.reloc
Size: 512B - Virtual size: 214B

.text
Size: 2KB - Virtual size: 1KB

.rdata
Size: 512B - Virtual size: 227B

.data
Size: 512B - Virtual size: 20B

INIT
Size: 1024B - Virtual size: 900B

.rsrc
Size: 1024B - Virtual size: 896B

.reloc
Size: 512B - Virtual size: 208B

.text
Size: 32KB - Virtual size: 30KB

.rdata
Size: 12KB - Virtual size: 10KB

.data
Size: 16KB - Virtual size: 19KB

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 8KB - Virtual size: 4KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

1e:ac:c4:41:30:9d:41:27:c9:bc:0a:13:92:7d:67:90
Certificate

4d:32:a9:b6:bc:ff:ee:65:9b:b0:12:c5:5f:79:50:25:94:1b:f0:55
Signer

25-08-2010 09:05
Valid: false

.text
Size: 20KB - Virtual size: 19KB

.data
Size: 512B - Virtual size: 472B

.rsrc
Size: 33KB - Virtual size: 32KB