clop | UnsrrreKHaf[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

UnsrrreKHaf.exe
Size

1.9MB
MD5

0c81363e35f1c3bf5f47527b51fad3f7
SHA1

7b222e4df46268518746ea1c8cdc53accf3f8dff
SHA256

2bc62a2dd5c35cd3e19d845d838614c86abadbbe5837e68a5c80a9ba4912c26f
SHA512

19c773baaa878d6be71f1cc7e6369ffbec1ebb79b7655dd579e62ef3d3a27e74486fa6fbab2eb19521524e7f3cd73df8ec45b753e2ab35b6fa40fb8b0bbcbe74
SSDEEP

24576:YBmVcx2S4LeWj/kr3Zwen9UftAIQzpDJUEs8hHeneVc60COR2sWepAMHQF2UAJrm:rVcxrZD9EAIQddxVHeemXCHsW+Ueu3/

Score

10^/10

clop

Malware Config

Signatures

Clop family
clop
Detects Clop payload 1 IoCs

Processes:

resource yara_rule

sample family_clop

resource	yara_rule
sample	family_clop

Files

UnsrrreKHaf.exe
.exe windows x86

370406bef75905285b69a28ea7568c3c

Code Sign

01
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

01-01-2004 00:00

Not After

31-12-2028 23:59

Subject

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

25-05-2021 00:00

Not After

31-12-2028 23:59

Subject

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-08-2022 00:00

Not After

09-11-2031 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

Issuer

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Not Before

22-03-2021 00:00

Not After

21-03-2036 23:59

Subject

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ae:63:17:9e:39:08:e1:b9:ab:35:00:85:75:15:03:d9
Certificate

Issuer

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Not Before

25-01-2022 00:00

Not After

25-01-2023 23:59

Subject

CN=MANGO 3D,O=MANGO 3D,ST=Nouvelle-Aquitaine,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23-03-2022 00:00

Not After

22-03-2037 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21-09-2022 00:00

Not After

21-11-2033 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

5b:21:ed:8e:f7:69:a5:fa:76:68:dc:d3:e3:93:64:e4:19:d5:5a:1f
Signer

Actual PE Digest

5b:21:ed:8e:f7:69:a5:fa:76:68:dc:d3:e3:93:64:e4:19:d5:5a:1f

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=MANGO 3D,O=MANGO 3D,ST=Nouvelle-Aquitaine,C=FR

26-11-2022 18:20
Valid: true

Chain 1

CN=MANGO 3D,O=MANGO 3D,ST=Nouvelle-Aquitaine,C=FR

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_ISOLATION
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetFullPathNameA
GetLogicalDrives
LockFileEx
GetCompressedFileSizeA
AreFileApisANSI
GetVolumeInformationA
SetFileApisToOEM
SetFileApisToANSI
IsDebuggerPresent
OutputDebugStringW
DecodeSystemPointer
GetErrorMode
GetThreadErrorMode
FlsFree
IsThreadAFiber
GetNamedPipeClientComputerNameW
HeapAlloc
HeapFree
GetProcessHeap
SleepConditionVariableCS
SleepConditionVariableSRW
SetEvent
CreateMutexA
CreateMutexW
CreateEventW
OpenEventW
OpenSemaphoreW
CreateSemaphoreExW
Sleep
GetProcessTimes
GetCurrentProcess
GetCurrentProcessId
ExitProcess
TerminateProcess
SwitchToThread
GetCurrentThread
GetCurrentThreadId
ResumeThread
TlsAlloc
CreateProcessW
SetPriorityClass
ProcessIdToSessionId
FlushProcessWriteBuffers
GetThreadTimes
OpenProcess
GetCurrentProcessorNumber
GetSystemTimes
GetVersion
GetTickCount64
GetNativeSystemInfo
WriteProcessMemory
MapViewOfFileEx
GetLargePageMinimum
CreateTimerQueue
CreateThreadpoolCleanupGroup
IsProcessInJob
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
DisableThreadLibraryCalls
GetModuleFileNameA
GetModuleFileNameW
DeleteBoundaryDescriptor
GlobalReAlloc
GlobalHandle
GlobalFix
LocalLock
LocalFlags
ConvertFiberToThread
ConvertThreadToFiber
IsSystemResumeAutomatic
Wow64GetThreadContext
GlobalDeleteAtom
LoadModule
EscapeCommFunction
GetCommProperties
CreateTapePartition
GetSystemDEPPolicy
FileTimeToDosDateTime
GetMailslotInfo
lstrcmpiW
lstrcpynA
lstrcpynW
lstrlenA
lstrlenW
OpenFile
_hread
BackupRead
OpenSemaphoreA
GetDriveTypeW
FindResourceA
EnumResourceLanguagesW
GlobalAddAtomW
AddAtomW
GetProfileStringA
GetProfileStringW
GetPrivateProfileIntW
CreateDirectoryExA
UnmapViewOfFile
GetFileAttributesTransactedA
WaitNamedPipeA
GetNamedPipeServerSessionId
IsBadCodePtr
BuildCommDCBW
GetComputerNameW
CancelTimerQueueTimer
CreatePrivateNamespaceA
FileTimeToSystemTime
GetTimeZoneInformation
GetSystemPowerStatus
FindNextVolumeA
WTSGetActiveConsoleSessionId
GetActiveProcessorGroupCount
GetMaximumProcessorGroupCount
UnregisterApplicationRecoveryCallback
UnregisterApplicationRestart
CompareStringOrdinal
GetStringTypeW
GetACP
GetOEMCP
LCMapStringW
IsDBCSLeadByteEx
LCIDToLocaleName
EnumTimeFormatsW
EnumDateFormatsExW
ConvertDefaultLocale
GetThreadLocale
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
GetSystemDefaultLangID
GetUserDefaultLangID
GetSystemDefaultLCID
GetUserDefaultLCID
GetThreadUILanguage
GetStringTypeA
ReadConsoleOutputCharacterA
GetConsoleFontSize
FreeConsole
AllocConsole
GetConsoleCP
GetConsoleOutputCP
ReadConsoleInputW
GetConsoleWindow
GetConsoleAliasesLengthW
GetConsoleAliasExesLengthA
GetConsoleAliasExesLengthW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
GetModuleHandleW
LoadResource
LockResource
SizeofResource
FindResourceW
WriteConsoleW
SetFilePointerEx
SetEndOfFile
FlushFileBuffers
ReadConsoleW
GetConsoleMode
HeapReAlloc
HeapSize
SetStdHandle
FreeEnvironmentStringsW
GetCPInfo
IsValidCodePage
FindFirstChangeNotificationW
NeedCurrentDirectoryForExePathA
GetCurrentDirectoryW
ExpandEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetEnvironmentStringsW
lstrcatW
lstrcpyW
lstrcpyA
GlobalFree
GlobalUnlock
GlobalLock
CreateSemaphoreExA
GlobalAlloc
MapViewOfFile
CreateFileMappingW
VirtualFree
VirtualAlloc
GetTickCount
ExitThread
CreateThread
WaitForSingleObject
SetErrorMode
GetLastError
CloseHandle
WriteFile
SetFilePointer
SetFileAttributesW
ReadFile
FindNextFileW
FindFirstFileExW
GetFileType
GetModuleHandleExW
WideCharToMultiByte
MultiByteToWideChar
GetStdHandle
RaiseException
LoadLibraryExW
GetProcAddress
FreeLibrary
TlsFree
TlsSetValue
TlsGetValue
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
FindFirstFileW
FindClose
GetFullPathNameTransactedW
CreateFileW
SetLastError
RtlUnwind
GetStartupInfoW
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
DecodePointer

user32

GetMessagePos
DefWindowProcW
InSendMessage
CloseClipboard
CharUpperW
CharUpperBuffW
IsCharAlphaNumericW
GetFocus
ToAscii
DeleteMenu
UpdateWindow
wsprintfW
ChangeClipboardChain
DestroyIcon
FindWindowA
EnumChildWindows
GetDesktopWindow
IsRectEmpty
MessageBoxW
GetPropW
ReleaseDC
GetForegroundWindow

gdi32

LPtoDP
RestoreDC
PtVisible
InvertRgn
GetSystemPaletteUse
GetSystemPaletteEntries
GetMetaFileW
Ellipse
DeleteDC
CreatePatternBrush
CreatePen
Arc
AddFontResourceW
UnrealizeObject

advapi32

RegQueryInfoKeyW
CreateProcessAsUserW
OpenProcessToken
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
CryptAcquireContextW
RegLoadMUIStringA
CryptEncrypt
RegEnumKeyExA
RegDisablePredefinedCacheEx
LookupAccountSidW
RevertToSelf
GetTokenInformation
DuplicateTokenEx

shell32

SHGetSpecialFolderPathW

ole32

CoCreateInstance
CoSetProxyBlanket
CoInitializeEx
CoUninitialize
CoInitializeSecurity

oleaut32

VariantClear
SysAllocString
VariantInit

mpr

WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW

shlwapi

StrStrW
PathFindFileNameW

crypt32

CryptImportPublicKeyInfo
CryptDecodeObjectEx
CryptStringToBinaryA

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

wtsapi32

WTSEnumerateSessionsW
WTSQuerySessionInformationW
WTSQueryUserToken
WTSFreeMemory

rstrtmgr

RmGetList
RmStartSession
RmRestart
RmShutdown
RmEndSession
RmRegisterResources

Sections

.text
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 172B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 170KB - Virtual size: 169KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 171KB - Virtual size: 170KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

370406bef75905285b69a28ea7568c3c

Code Sign

01Certificate

Key Usages

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16Certificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0aCertificate

Extended Key Usages

Key Usages

ae:63:17:9e:39:08:e1:b9:ab:35:00:85:75:15:03:d9Certificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5aCertificate

Extended Key Usages

Key Usages

5b:21:ed:8e:f7:69:a5:fa:76:68:dc:d3:e3:93:64:e4:19:d5:5a:1fSigner

Signature Validations

Verification

26-11-2022 18:20 Valid: true

Chain 1

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

mpr

shlwapi

crypt32

userenv

wtsapi32

rstrtmgr

Sections

.text Size: 1.5MB - Virtual size: 1.5MB

.rdata Size: 31KB - Virtual size: 31KB

.data Size: 3KB - Virtual size: 13KB

.gfids Size: 512B - Virtual size: 172B

.rsrc Size: 170KB - Virtual size: 169KB

.reloc Size: 171KB - Virtual size: 170KB

01
Certificate

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

ae:63:17:9e:39:08:e1:b9:ab:35:00:85:75:15:03:d9
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

5b:21:ed:8e:f7:69:a5:fa:76:68:dc:d3:e3:93:64:e4:19:d5:5a:1f
Signer

26-11-2022 18:20
Valid: true

.text
Size: 1.5MB - Virtual size: 1.5MB

.rdata
Size: 31KB - Virtual size: 31KB

.data
Size: 3KB - Virtual size: 13KB

.gfids
Size: 512B - Virtual size: 172B

.rsrc
Size: 170KB - Virtual size: 169KB

.reloc
Size: 171KB - Virtual size: 170KB