7f61e10689d5f4e41f5784ce6db0514689feb208262b8741e751524760ef6135

Sharing

Copy URL Twitter E-mail

General

Target

7f61e10689d5f4e41f5784ce6db0514689feb208262b8741e751524760ef6135
Size

185KB
MD5

c833407f6de545f26a1f901e535717ab
SHA1

f0a55ba5fee9b3de1633a33f2f9aa9b0656c8f06
SHA256

7f61e10689d5f4e41f5784ce6db0514689feb208262b8741e751524760ef6135
SHA512

389c4895fdce416317ebb873ec72340757af9c4cbee7ead383b2f7d935cd51ae5700c52d3584af4fd16a9ee1bc16f5768be2e356f5bb16c4bfa2f18743e90a33
SSDEEP

3072:Dsa5R37QUXtgpRaJKER6Id2IH58r2peJ4rvwQiAF2/T/KIBeYIcOg/:j/7noRaJKER6Ny58NojF2b/K8/

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
sample	upx

Files

7f61e10689d5f4e41f5784ce6db0514689feb208262b8741e751524760ef6135
.exe windows x86

c54166158f8e2bce0b0a4510b15e96b7

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

5c:b2:d3:c2:21:07:bc:a3:05:4c:66:a7:95:9f:1b:5f
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

02/09/2009, 00:00

Not After

25/10/2012, 23:59

Subject

CN=Norman ASA,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Headquarter,O=Norman ASA,L=Lysaker,ST=Oslo,C=NO

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

21/05/2009, 00:00

Not After

20/05/2019, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

d3:0b:51:04:14:6d:f6:67:b6:57:74:8e:e0:8a:1f:14:18:4e:f7:76
Signer

Actual PE Digest

d3:0b:51:04:14:6d:f6:67:b6:57:74:8e:e0:8a:1f:14:18:4e:f7:76

Digest Algorithm

sha1

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Norman ASA,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Headquarter,O=Norman ASA,L=Lysaker,ST=Oslo,C=NO

08/11/2010, 14:11
Valid: false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

malloc
free
wcscmp
wcsncmp
__CxxFrameHandler
sprintf
strstr
swprintf
wcscat
exit
wcsstr
wcslen
wcscpy
mbstowcs
_wcsupr
memmove
wcsrchr
towupper
wcsncpy
fclose
fflush
mbtowc
__mb_cur_max
fopen
wcschr
_c_exit
_exit
_XcptFilter
_cexit
__initenv
__getmainargs
_initterm
__setusermatherr
__set_app_type
__dllonexit
_onexit
_controlfp

advapi32

RegDeleteKeyA
RegOpenKeyExA
RegOpenKeyW
InitiateSystemShutdownW
RegCreateKeyExW
RegSetValueExW
RegUnLoadKeyW
RegLoadKeyW
RegOpenKeyExW
RegQueryValueExW
RegisterEventSourceW
ReportEventW
DeregisterEventSource
RegOpenKeyA
RegQueryValueExA
RegCloseKey
RegisterServiceCtrlHandlerW
LookupPrivilegeValueW
PrivilegeCheck
AllocateAndInitializeSid
FreeSid
CheckTokenMembership
OpenThreadToken
OpenProcessToken
SetServiceStatus
StartServiceCtrlDispatcherW
RegDeleteKeyW

kernel32

FindClose
GetFileAttributesW
lstrlenA
InterlockedIncrement
ExitThread
GetProcAddress
FreeLibrary
TerminateThread
DeleteVolumeMountPointW
SetVolumeMountPointW
FindFirstVolumeW
FindNextVolumeW
FindVolumeClose
LoadLibraryW
ResumeThread
CreateFileA
LocalAlloc
GetComputerNameW
IsBadCodePtr
FindFirstFileW
lstrcpyA
IsBadWritePtr
GetSystemDirectoryW
GetComputerNameExW
WideCharToMultiByte
MultiByteToWideChar
LoadLibraryA
SetEndOfFile
SetFilePointerEx
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetModuleHandleA
CompareStringW
GetCurrentThreadId
InterlockedDecrement
SetLastError
HeapAlloc
GetProcessHeap
HeapFree
QueryDosDeviceW
DeviceIoControl
CloseHandle
CreateFileW
DefineDosDeviceW
GetDriveTypeW
Sleep
LocalFree
GetLastError
lstrcmpiA
SetEvent
lstrcmpW
lstrlenW
FormatMessageW
GetModuleHandleW
CreateEventW
WaitForSingleObject
LeaveCriticalSection
EnterCriticalSection
GetCurrentProcess
GetCurrentThread
CreateThread
SetErrorMode
InitializeCriticalSection
DeleteCriticalSection
IsBadStringPtrW
IsBadReadPtr
lstrcpyW
GetVolumeNameForVolumeMountPointW
GetVolumePathNameW
lstrcatW
GetVolumePathNamesForVolumeNameW
VirtualAlloc
GetVersion

user32

PostThreadMessageW
GetMessageW
TranslateMessage
DispatchMessageW
LoadIconW
LoadCursorW
RegisterClassW
CreateWindowExW
ShowWindow
DefWindowProcW
BroadcastSystemMessageW
PostMessageW
DestroyWindow
wsprintfW
LoadStringW
PostQuitMessage
CharUpperW
SetMenu
GetMenuItemInfoW
GetAncestor
IsDialogMessage
DestroyCaret
ActivateKeyboardLayout
AllowSetForegroundWindow
OpenWindowStationA
DdeGetQualityOfService
TranslateMessageEx
GetMonitorInfoA
GetInputDesktop
GetGuiResources
UserLpkPSMTextOut
GetAltTabInfoW
DialogBoxParamA
GetProcessDefaultLayout
DdeGetData
WCSToMBEx
IsWindowInDestroy
SetWindowRgn
DdeQueryConvInfo
MapVirtualKeyExW
SendIMEMessageExW
CharLowerBuffA
IsWindowVisible
GetWindowModuleFileNameA
GetKeyboardType
DdeAbandonTransaction
PackDDElParam
DrawMenuBar
IsMenu
CascadeChildWindows
SetClassLongA
IMPSetIMEA
RemoveMenu
EnumWindowStationsW
MessageBeep
LoadAcceleratorsA
DdeImpersonateClient
IsIconic
CharNextW
IMPQueryIMEA
DdeUninitialize
InternalGetWindowText
MessageBoxW
ReasonCodeNeedsBugID
ToUnicodeEx
SetSystemMenu
DdeNameService
GetComboBoxInfo
OpenDesktopA
GetIconInfo
IsWinEventHookInstalled
SetWindowLongW
GetWindowModuleFileName
DdeInitializeW
GetWindowWord
ShowWindowAsync
GetKeyState
SetRectEmpty
mouse_event
GetPropW
SetDlgItemInt
DrawFrame
RegisterHotKey
GetListBoxInfo
ExitWindowsEx
RealGetWindowClassA
SwitchToThisWindow
LockWindowStation
ChangeDisplaySettingsW

ntdll

NtFlushBuffersFile
NtDeviceIoControlFile
NtQueryVolumeInformationFile
NtQuerySystemTime
RtlAdjustPrivilege
NtQuerySystemInformation
RtlFreeUnicodeString
NtOpenFile
RtlCreateUnicodeString
NtFsControlFile
NtWriteFile
NtReadFile
NtDeleteBootEntry
NtTranslateFilePath
NtEnumerateBootEntries
NtModifyBootEntry
NtQuerySymbolicLinkObject
RtlInitUnicodeString
NtOpenSymbolicLinkObject
NtClose

ole32

CoSuspendClassObjects
CoRevertToSelf
CoImpersonateClient
CoTaskMemAlloc
CoSetProxyBlanket
CoTaskMemRealloc
CoTaskMemFree
CoUninitialize
CoRevokeClassObject
CoRegisterClassObject
CoInitializeSecurity
CoInitializeEx

rpcrt4

RpcServerUseProtseqEpW
RpcServerRegisterIf
RpcServerListen
RpcMgmtStopServerListening
RpcServerUnregisterIf
UuidFromStringW
UuidEqual
UuidCreate
RpcImpersonateClient
RpcRevertToSelf
NdrServerCall2

setupapi

SetupDiGetDeviceInterfaceDetailW
SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList
CM_Locate_DevNodeW
CM_Get_Device_IDW
CM_Get_Device_ID_Size_Ex
CM_Get_DevNode_Status_Ex
SetupDiOpenDeviceInterfaceW
SetupDiCreateDeviceInfoList
SetupDiGetDeviceRegistryPropertyW
SetupDiOpenDeviceInfoW
CM_Get_Parent_Ex
CM_Get_Device_ID_List_ExW
CM_Get_Device_ID_List_Size_ExW
SetupDiEnumDeviceInterfaces
CM_Reenumerate_DevNode_Ex

clusapi

GetNodeClusterState

osuninst

IsUninstallImageValid

winmm

mmioAdvance
timeGetDevCaps
mmGetCurrentTask
auxSetVolume
waveOutUnprepareHeader
mmioInstallIOProcW
waveOutGetDevCapsW
mxd32Message
mixerGetLineInfoW
WOWAppExit
midiInUnprepareHeader
mciSendCommandW
midiStreamProperty
NotifyCallbackData
waveInPrepareHeader
midiOutShortMsg
joyGetDevCapsW
midiInStart
mmioWrite
midiOutOpen
joyGetNumDevs
mciGetDeviceIDFromElementIDW

Sections

.text
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

UPX0
Size: 2KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

UPX1
Size: 2KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rdata
Size: 136KB - Virtual size: 339KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX2
Size: 1024B - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX3
Size: 3KB - Virtual size: 40KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX4
Size: 1KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c54166158f8e2bce0b0a4510b15e96b7

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

5c:b2:d3:c2:21:07:bc:a3:05:4c:66:a7:95:9f:1b:5fCertificate

Extended Key Usages

Key Usages

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5cCertificate

Extended Key Usages

Key Usages

d3:0b:51:04:14:6d:f6:67:b6:57:74:8e:e0:8a:1f:14:18:4e:f7:76Signer

Signature Validations

Verification

08/11/2010, 14:11 Valid: false

Headers

File Characteristics

Imports

msvcrt

advapi32

kernel32

user32

ntdll

ole32

rpcrt4

setupapi

clusapi

osuninst

winmm

Sections

.text Size: 14KB - Virtual size: 14KB

UPX0 Size: 2KB - Virtual size: 33KB

UPX1 Size: 2KB - Virtual size: 5KB

.rdata Size: 9KB - Virtual size: 8KB

.rdata Size: 136KB - Virtual size: 339KB

UPX2 Size: 1024B - Virtual size: 49KB

UPX3 Size: 3KB - Virtual size: 40KB

UPX4 Size: 1KB - Virtual size: 34KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 3KB - Virtual size: 4KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

5c:b2:d3:c2:21:07:bc:a3:05:4c:66:a7:95:9f:1b:5f
Certificate

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

d3:0b:51:04:14:6d:f6:67:b6:57:74:8e:e0:8a:1f:14:18:4e:f7:76
Signer

08/11/2010, 14:11
Valid: false

.text
Size: 14KB - Virtual size: 14KB

UPX0
Size: 2KB - Virtual size: 33KB

UPX1
Size: 2KB - Virtual size: 5KB

.rdata
Size: 9KB - Virtual size: 8KB

.rdata
Size: 136KB - Virtual size: 339KB

UPX2
Size: 1024B - Virtual size: 49KB

UPX3
Size: 3KB - Virtual size: 40KB

UPX4
Size: 1KB - Virtual size: 34KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 3KB - Virtual size: 4KB