General

Malware Config

Signatures

Files

• f427b4d8a76ba24099478a24e0232203ae8ba49b7540110e8cb8a21401a0ad92

  .exe windows x86

  365a0c6663eb6d83395d4fd917effcd3

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  File Characteristics

  IMAGE_FILE_RELOCS_STRIPPED

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  Imports

  ntdll

  RtlInitUnicodeString

  RtlInitString

  kernel32

  GetCurrentProcess

  OutputDebugStringW

  IsDebuggerPresent

  DebugBreak

  FatalExit

  LoadLibraryW

  GetProcAddress

  EnterCriticalSection

  LeaveCriticalSection

  DeleteCriticalSection

  InitializeCriticalSection

  InterlockedCompareExchange

  SetLastError

  AssignProcessToJobObject

  GetSystemDirectoryW

  ResumeThread

  TerminateProcess

  WaitForMultipleObjects

  GetProcessHeap

  OpenProcess

  LocalFree

  LocalAlloc

  FreeLibrary

  CreateFileW

  IsProcessorFeaturePresent

  GetFileType

  CloseHandle

  GetLastError

  GetCurrentProcessId

  CreateJobObjectW

  InterlockedExchange

  HeapSize

  HeapReAlloc

  Sleep

  UnhandledExceptionFilter

  SetUnhandledExceptionFilter

  QueryPerformanceCounter

  GetTickCount

  GetCurrentThreadId

  GetSystemTimeAsFileTime

  HeapDestroy

  HeapAlloc

  HeapSetInformation

  GetVersionExW

  ProcessIdToSessionId

  GetVolumeInformationW

  HeapFree

  rpcrt4

  NdrServerCall2

  RpcStringFreeW

  RpcBindingFree

  I_RpcBindingInqLocalClientPID

  RpcStringBindingParseW

  RpcBindingToStringBindingW

  RpcBindingServerFromClient

  RpcServerListen

  RpcServerRegisterAuthInfoW

  RpcServerRegisterIf2

  RpcRevertToSelf

  RpcImpersonateClient

  RpcStringBindingComposeW

  RpcBindingFromStringBindingW

  RpcBindingSetAuthInfoW

  NdrClientCall2

  RpcMgmtStopServerListening

  RpcServerUseProtseqEpW

  advapi32

  InitializeSid

  LookupPrivilegeValueW

  GetTokenInformation

  AdjustTokenPrivileges

  SystemFunction036

  GetSidLengthRequired

  GetSidSubAuthority

  OpenProcessToken

  DuplicateTokenEx

  CreateProcessAsUserW

  ImpersonateLoggedOnUser

  RevertToSelf

  LsaNtStatusToWinError

  SetTokenInformation

  SetSecurityDescriptorDacl

  SetSecurityDescriptorOwner

  CopySid

  IsValidSid

  GetLengthSid

  AllocateLocallyUniqueId

  AllocateAndInitializeSid

  FreeSid

  GetSecurityDescriptorLength

  MakeSelfRelativeSD

  InitializeSecurityDescriptor

  GetSecurityDescriptorOwner

  GetSecurityDescriptorGroup

  GetSecurityDescriptorDacl

  GetSecurityDescriptorSacl

  MakeAbsoluteSD

  GetSecurityDescriptorControl

  GetAclInformation

  InitializeAcl

  AddAce

  ConvertSidToStringSidW

  GetSecurityInfo

  SetEntriesInAclW

  SetSecurityInfo

  CreateWellKnownSid

  EqualSid

  CheckTokenMembership

  ConvertStringSidToSidW

  user32

  MessageBoxW

  msvcr80

  _except_handler4_common

  _amsg_exit

  __wgetmainargs

  _cexit

  _exit

  _XcptFilter

  exit

  __winitenv

  _initterm

  _initterm_e

  _configthreadlocale

  __setusermatherr

  _adjust_fdiv

  __p__commode

  __p__fmode

  strncmp

  __set_app_type

  _crt_debugger_hook

  ?terminate@@YAXXZ

  ?_type_info_dtor_internal_method@type_info@@QAEXXZ

  _unlock

  __dllonexit

  _lock

  _onexit

  _decode_pointer

  _invoke_watson

  _controlfp_s

  ??1exception@std@@UAE@XZ

  ?what@exception@std@@UBEPBDXZ

  ??0exception@std@@QAE@ABQBD@Z

  _purecall

  memcpy

  ??0exception@std@@QAE@XZ

  ??0exception@std@@QAE@ABV01@@Z

  _encode_pointer

  ??2@YAPAXI@Z

  memmove_s

  memcpy_s

  _CxxThrowException

  _vsnwprintf

  ??3@YAXPAX@Z

  __CxxFrameHandler3

  malloc

  free

  memset

  __FrameUnwindFilter

  calloc

  _wcsnicmp

  crypt32

  CertVerifyCertificateChainPolicy

  CertGetCertificateContextProperty

  CryptDecodeObject

  CryptFindOIDInfo

  msvcp80

  ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ

  ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ

  ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z

  ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z

  userenv

  UnloadUserProfile

  DestroyEnvironmentBlock

  CreateEnvironmentBlock

  LoadUserProfileW

  secur32

  LsaGetLogonSessionData

  LsaConnectUntrusted

  LsaLookupAuthenticationPackage

  LsaFreeReturnBuffer

  LsaDeregisterLogonProcess

  LsaLogonUser

  shlwapi

  PathCombineW

  msvcm80

  ?ThrowModuleLoadException@<CrtImplementationDetails>@@YAXP$AAVString@System@@P$AAVException@3@@Z

  ?DoDllLanguageSupportValidation@<CrtImplementationDetails>@@YAXXZ

  ?RegisterModuleUninitializer@<CrtImplementationDetails>@@YAXP$AAVEventHandler@System@@@Z

  ?ThrowModuleLoadException@<CrtImplementationDetails>@@YAXP$AAVString@System@@@Z

  ?ThrowNestedModuleLoadException@<CrtImplementationDetails>@@YAXP$AAVException@System@@0@Z

  ?DoCallBackInDefaultDomain@<CrtImplementationDetails>@@YAXP6GJPAX@Z0@Z

  shell32

  SHGetFolderPathW

  dnsapi

  DnsNameCompare_W

  mscoree

  _CorExeMain

  Sections

  .text

  Size: 248KB - Virtual size: 244KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rdata

  Size: 516KB - Virtual size: 513KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 4KB - Virtual size: 3KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 72KB - Virtual size: 68KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 8KB - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

  UPX0

  Size: 144KB - Virtual size: 380KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE