67fc4714ddbcea287aeedc82ecc582214fd21cda84f9921d86ae58b17652b813

Sharing

Copy URL Twitter E-mail

General

Target

67fc4714ddbcea287aeedc82ecc582214fd21cda84f9921d86ae58b17652b813
Size

159KB
MD5

7789c37ef6fd12a6ffbd8b3774539750
SHA1

244c885987c01a7535cb0c7449630a41154b4c05
SHA256

67fc4714ddbcea287aeedc82ecc582214fd21cda84f9921d86ae58b17652b813
SHA512

1fb51dc20710b27c3a18356a289d2f6840f6b9764f88eb3b63d28ac376099a1adaa07fb93ba866354b4b075be2315dc69a73e30a10f9410d609b7059f8a75717
SSDEEP

3072:Y0PYqgp0G42LJ5msOXX73l8hr1stavLSgWRYKSxMin:nYqs5s7VGrytWu+

Score

N/A

Malware Config

Signatures

Files

67fc4714ddbcea287aeedc82ecc582214fd21cda84f9921d86ae58b17652b813
.dll windows x86

867a7766105155bc68694144012c1d13

Code Sign

0a
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

06/08/2003, 00:00

Not After

05/08/2013, 23:59

Subject

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

6c:54:c3:bd:23:b7:b9:94:98:2b:2d:a0:fa:1e:29:f7
Certificate

Issuer

CN=Thawte Code Signing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA

Not Before

14/07/2010, 00:00

Not After

02/08/2012, 23:59

Subject

CN=Beijing Funshion Online Technologies Ltd.,OU=SECURE APPLICATION DEVELOPMENT,O=Beijing Funshion Online Technologies Ltd.,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

5a:c5:14:c6:4a:fa:3a:90:a4:71:63:83:2c:32:d0:6c:f1:58:61:07
Signer

Actual PE Digest

5a:c5:14:c6:4a:fa:3a:90:a4:71:63:83:2c:32:d0:6c:f1:58:61:07

Digest Algorithm

sha1

PE Digest Matches

false

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Beijing Funshion Online Technologies Ltd.,OU=SECURE APPLICATION DEVELOPMENT,O=Beijing Funshion Online Technologies Ltd.,L=Beijing,ST=Beijing,C=CN

29/11/2011, 10:58
Valid: false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

MoveFileExA
GetLocalTime
MapViewOfFile
CreateFileMappingA
HeapFree
GetProcessHeap
HeapAlloc
UnmapViewOfFile
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalSize
LocalSize
GetStartupInfoA
CreatePipe
SetLastError
OutputDebugStringA
PeekNamedPipe
WaitForMultipleObjects
GlobalMemoryStatusEx
GetSystemInfo
ReleaseMutex
OpenEventA
SetErrorMode
CreateMutexA
SetUnhandledExceptionFilter
FreeConsole
GetTempPathA
GetComputerNameA
lstrcmpiA
GetCurrentThreadId
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
GetTickCount
ExitThread
TerminateProcess
OpenProcess
GetModuleFileNameA
MoveFileA
Beep
SetFilePointer
ReadFile
CreateFileA
GetFileSize
RemoveDirectoryA
LocalAlloc
FindFirstFileA
LocalReAlloc
FindNextFileA
LocalFree
FindClose
GetLogicalDriveStringsA
GetVolumeInformationA
GetDiskFreeSpaceExA
GetDriveTypeA
CreateProcessA
GetFileAttributesA
CreateDirectoryA
GetLastError
DeleteFileA
GetVersionExA
GetPrivateProfileStringA
lstrcmpA
WideCharToMultiByte
MultiByteToWideChar
LoadLibraryA
GetProcAddress
FreeLibrary
GetWindowsDirectoryA
lstrcatA
GetPrivateProfileSectionNamesA
lstrlenA
Sleep
CancelIo
InterlockedExchange
lstrcpyA
ResetEvent
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
CreateEventA
InitializeCriticalSection
CreateThread
ResumeThread
SetEvent
WaitForSingleObject
TerminateThread
CreateToolhelp32Snapshot
Process32First
Process32Next
DeviceIoControl
GetVersion
GetCurrentProcess
ExitProcess
WriteFile
GetSystemDirectoryA
CloseHandle
DisconnectNamedPipe

user32

SystemParametersInfoA
keybd_event
MapVirtualKeyA
SetCapture
WindowFromPoint
SetCursorPos
mouse_event
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
GetClipboardData
GetSystemMetrics
SetRect
GetDC
LoadCursorA
ReleaseDC
GetCursorPos
BlockInput
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
GetWindowThreadProcessId
IsWindowVisible
EnumWindows
IsWindow
CloseWindow
CreateWindowExA
UnhookWindowsHookEx
SetWindowsHookExA
CallNextHookEx
GetKeyNameTextA
GetActiveWindow
GetForegroundWindow
DispatchMessageA
MoveWindow
GetWindowRect
GetCursorInfo
DestroyCursor
GetWindowTextA
SendMessageA
SwapMouseButton
TranslateMessage
GetMessageA
wsprintfA
CharNextA
MessageBoxA
ExitWindowsEx
ShowWindow
GetDesktopWindow
FindWindowA
PostMessageA
OpenDesktopA
GetThreadDesktop
GetUserObjectInformationA
OpenInputDesktop
SetThreadDesktop
CloseDesktop

gdi32

DeleteObject
BitBlt
CreateDIBSection
SelectObject
CreateCompatibleBitmap
GetDIBits
CreateCompatibleDC
DeleteDC

advapi32

RegOpenKeyExA
IsValidSid
LsaClose
LsaRetrievePrivateData
LsaOpenPolicy
LsaFreeMemory
RegCloseKey
RegQueryValueA
CloseServiceHandle
DeleteService
ControlService
QueryServiceStatus
OpenServiceA
OpenSCManagerA
RegSetValueExA
RegCreateKeyA
RegQueryValueExA
RegOpenKeyA
CloseEventLog
ClearEventLogA
OpenEventLogA
RegCreateKeyExA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
FreeSid
SetSecurityDescriptorDacl
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
InitializeSecurityDescriptor
RegEnumKeyExA
RegEnumValueA
RegDeleteKeyA
RegDeleteValueA
UnlockServiceDatabase
ChangeServiceConfigA
LockServiceDatabase
StartServiceA
QueryServiceConfigA
EnumServicesStatusA
RegisterServiceCtrlHandlerA
SetServiceStatus
GetUserNameA
LookupAccountSidA
GetTokenInformation
LookupAccountNameA

shell32

SHGetSpecialFolderPathA
SHGetFileInfoA

shlwapi

SHDeleteKeyA

msvcrt

_strnicmp
_strrev
_adjust_fdiv
_strupr
_strcmpi
_initterm
calloc
_beginthreadex
wcstombs
realloc
strncat
time
srand
rand
_snprintf
wcscpy
_errno
strncmp
atoi
strncpy
strcat
strrchr
_except_handler3
free
strcmp
strcpy
malloc
strchr
memcmp
strstr
strlen
_ftol
ceil
memmove
__CxxFrameHandler
memcpy
??3@YAXPAX@Z
??2@YAPAXI@Z
memset

winmm

waveInReset
waveInStop
waveOutWrite
waveInStart
waveInAddBuffer
waveInPrepareHeader
waveInUnprepareHeader
waveInGetNumDevs
waveOutPrepareHeader
waveOutOpen
waveOutGetNumDevs
mciSendStringA
waveInClose
waveOutClose
waveOutUnprepareHeader
waveInOpen
waveOutReset

ws2_32

htons
connect
gethostbyname
WSACleanup
bind
socket
closesocket
ntohs
recv
WSAStartup
select
send
inet_ntoa
inet_addr
getsockname
WSAGetLastError
htonl
gethostname
WSASocketA
ioctlsocket
__WSAFDIsSet
recvfrom
sendto
listen
accept
getpeername
WSAIoctl
setsockopt

msvcp60

?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z

netapi32

NetLocalGroupAddMembers
NetUserAdd

imm32

ImmReleaseContext
ImmGetContext
ImmGetCompositionStringA

wininet

InternetCloseHandle
InternetOpenUrlA
InternetOpenA
InternetReadFile

avicap32

capGetDriverDescriptionA
capCreateCaptureWindowA

msvfw32

ICOpen
ICSeqCompressFrameEnd
ICSeqCompressFrame
ICSeqCompressFrameStart
ICSendMessage
ICClose
ICCompressorFree

psapi

EnumProcesses
GetModuleFileNameExA
EnumProcessModules
GetModuleBaseNameA

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationA

Exports

Exports

Hackms
ServiceMain
cnla
hackMs
tk

Sections

.text
Size: 104KB - Virtual size: 104KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 43KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

867a7766105155bc68694144012c1d13

Code Sign

0aCertificate

Extended Key Usages

Key Usages

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

6c:54:c3:bd:23:b7:b9:94:98:2b:2d:a0:fa:1e:29:f7Certificate

Extended Key Usages

5a:c5:14:c6:4a:fa:3a:90:a4:71:63:83:2c:32:d0:6c:f1:58:61:07Signer

Signature Validations

Verification

29/11/2011, 10:58 Valid: false

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

shlwapi

msvcrt

winmm

ws2_32

msvcp60

netapi32

imm32

wininet

avicap32

msvfw32

psapi

wtsapi32

Exports

Exports

Sections

.text Size: 104KB - Virtual size: 104KB

.rsrc Size: 43KB - Virtual size: 44KB

.reloc Size: 6KB - Virtual size: 5KB

0a
Certificate

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

6c:54:c3:bd:23:b7:b9:94:98:2b:2d:a0:fa:1e:29:f7
Certificate

5a:c5:14:c6:4a:fa:3a:90:a4:71:63:83:2c:32:d0:6c:f1:58:61:07
Signer

29/11/2011, 10:58
Valid: false

.text
Size: 104KB - Virtual size: 104KB

.rsrc
Size: 43KB - Virtual size: 44KB

.reloc
Size: 6KB - Virtual size: 5KB