Behavioral task: behavioral1
Sample: d7dbf2031815f4634fde38b0bd6250b54aac2ee2c980824c4877814892b13ed0.dll
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: d7dbf2031815f4634fde38b0bd6250b54aac2ee2c980824c4877814892b13ed0.dll
Resource: win10v2004-20220812-en
General
Target: 1d069a0f0d32a98624597c8d2ddfcbff.bin
Size: 22KB
MD5: df4dcef7b97e96e34194a876fdbacd08
SHA1: 96b807b819b89de2aeaff03ffe0a3335bf9ab5b4
SHA256: 903f4707ba16657d140628d8fe1b6cd34bc283592b056da6820111c3014402f0
SHA512: a2db849afe9d362da99ed092cf1545280b352720d57f3ebe370dd54cab29e7428b43390b9c2b0827d8fc9825ebde5d22d1855c721e2ab7cf13d5f8a8cdb477fb
SSDEEP: 384:JbGhGOXbbNkv0w8i50qvgMJ+1DPoIsVO3NcuoiH166AwOngxMhU7UbaTenegk/8n:UXWMW50SNJmocNcszGbKiegfn
Malware Config
Signatures
DoubleBack x64 payload (1 IoCs)
Processes:
resource: static1/unpack001/d7dbf2031815f4634fde38b0bd6250b54aac2ee2c980824c4877814892b13ed0.exe, yara_rule: family_doubleback_x64
Doubleback family
Files
1d069a0f0d32a98624597c8d2ddfcbff.bin.zip (Password: infected)
d7dbf2031815f4634fde38b0bd6250b54aac2ee2c980824c4877814892b13ed0.exe.dll, windows x64 (Password: infected)
64fb42731fb3b42c8520455306b157a2
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
kernel32
Process32First
CreateToolhelp32Snapshot
Process32Next
UnmapViewOfFile
DeleteFileW
CreateFileMappingW
MapViewOfFile
FlushFileBuffers
GetProcAddress
Process32NextW
Process32FirstW
WideCharToMultiByte
GetSystemTime
GlobalSize
GlobalUnlock
lstrcmpW
CreatePipe
RtlAddFunctionTable
RtlDeleteFunctionTable
GetLastError
GetComputerNameW
GetVolumeInformationW
CreateMutexW
OpenMutexW
SetHandleInformation
GetComputerNameA
ProcessIdToSessionId
GetModuleHandleA
WaitForSingleObject
CreateProcessW
Sleep
QueryFullProcessImageNameA
lstrcpyW
GetModuleHandleW
lstrlenW
VirtualFree
MultiByteToWideChar
RtlZeroMemory
GetFileSize
ReadFile
GetCurrentProcessId
CloseHandle
CreateFileW
OutputDebugStringA
WriteFile
lstrcpyA
lstrlenA
VirtualAlloc
GlobalLock
user32
OemToCharBuffA
ReleaseDC
EnumWindows
SendMessageA
GetDC
GetWindowThreadProcessId
GetSystemMetrics
wsprintfW
gdi32
CreateCompatibleDC
DeleteObject
SelectObject
CreateCompatibleBitmap
BitBlt
advapi32
RegOpenKeyExW
RegDeleteKeyW
RegDeleteTreeW
RegDeleteValueW
RegEnumValueW
CryptAcquireContextA
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptGetHashParam
CryptReleaseContext
RegCreateKeyExW
RegEnumKeyExW
RegQueryValueExW
RegCloseKey
RegSetValueExW
RegSetValueExA
RegDeleteValueA
GetTokenInformation
RegEnumKeyExA
LookupAccountSidW
RegOpenKeyExA
OpenProcessToken
GetSidSubAuthority
GetSidSubAuthorityCount
RegQueryValueExA
shell32
SHGetSpecialFolderPathW
SHGetFolderPathW
ole32
StringFromGUID2
CreateStreamOnHGlobal
GetHGlobalFromStream
CoUninitialize
CoInitialize
ntdll
NtGetContextThread
NtTerminateThread
NtAllocateVirtualMemory
NtSetContextThread
NtWriteVirtualMemory
NtResumeThread
RtlImageDirectoryEntryToData
ZwReadFile
NtTerminateProcess
NtClose
RtlCreateUserThread
NtMapViewOfSection
NtReadVirtualMemory
NtCreateSection
NtQueryVirtualMemory
LdrLoadDll
LdrGetDllHandle
LdrGetProcedureAddress
NtFreeVirtualMemory
wininet
InternetCloseHandle
HttpOpenRequestA
InternetCrackUrlA
InternetSetOptionA
HttpAddRequestHeadersA
InternetReadFile
InternetConnectA
HttpSendRequestA
InternetOpenA
HttpQueryInfoA
urlmon
ObtainUserAgentString
gdiplus
GdiplusStartup
GdipDisposeImage
GdipGetImageEncodersSize
GdiplusShutdown
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdipSaveImageToStream
Sections
.text Size: 35KB - Virtual size: 35KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 6KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: - Virtual size: 176B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 1024B - Virtual size: 792B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ