liriav[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

liriav.zip
Size

18.2MB
MD5

9d69c212c40421c92f5847ad7a16787f
SHA1

e667a1bccebb9ce35a32f89279eff2f8011ba62f
SHA256

733c04e217f4a645f35e66fb3c7d2cdb629857a6282c62cd2b9c277a7d3da1a6
SHA512

77680cb9f6a53efeadf29b71a84bff1be55049a9b6ebffa0b52a423cd48a63f8d44df015bbdb519cb69f9835b299012156f14a81d855aaee71082abf3e04c1e5
SSDEEP

393216:quVdw0Ul4/jfPxAGtM3J9C3j9uvUY6sEj6dfNLKDhgo5:Bw0C4/V/a6ZO6sHjLKDhge

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
static1/unpack001/imgengine.dll	vmprotect

Files

liriav.zip
.zip
01nGLytdpUVYT0oM2cDbpnoLDWdcX6Lrx4cVCBXE
.exe windows x86

17e732420e3f74bbe372ba823918c7fe

Code Sign

11:21:35:2e:0b:20:23:d1:a7:51:88:6d:cb:e9:7d:37:79:5e
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

21/02/2014, 16:58

Not After

30/05/2015, 17:52

Subject

CN=Disc Soft Ltd,O=Disc Soft Ltd,L=Belize city,ST=Belize,C=BZ,1.2.840.113549.1.9.1=#0c1366696e707240646973632d736f66742e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:40:5c:1f:0e:d2:58:88:2b:e5:4d:86:86:ba:11:ea:45
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

23/08/2013, 00:00

Not After

23/09/2024, 00:00

Subject

CN=GlobalSign TSA for MS Authenticode - G1,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

b0:c3:eb:09:f6:93:8e:58:d7:06:06:9a:0a:65:4f:61:23:93:0d:da
Signer

Actual PE Digest

b0:c3:eb:09:f6:93:8e:58:d7:06:06:9a:0a:65:4f:61:23:93:0d:da

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Disc Soft Ltd,O=Disc Soft Ltd,L=Belize city,ST=Belize,C=BZ,1.2.840.113549.1.9.1=#0c1366696e707240646973632d736f66742e636f6d

26/02/2015, 09:14
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

DeviceIoControl
SetVolumeMountPointW
DeleteVolumeMountPointW
QueryDosDeviceW
GetVolumeInformationW
FindFirstVolumeW
FindNextVolumeW
FindVolumeClose
GetVolumePathNamesForVolumeNameW
CreateEventA
InitializeCriticalSection
GetTickCount
LoadLibraryW
GetFileSize
SetThreadPriority
GetPrivateProfileStringW
LocalFree
OpenProcess
GetCurrentThread
DeleteFileW
GetFileAttributesW
SetFileAttributesW
MultiByteToWideChar
FindResourceExW
FindResourceW
GetCommandLineW
GetModuleHandleW
GetModuleFileNameW
LoadLibraryExW
CreateEventW
CreateMutexW
lstrcmpiW
WideCharToMultiByte
LocalAlloc
GetComputerNameW
FormatMessageA
SizeofResource
LoadResource
Sleep
WaitForSingleObject
SetEvent
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
GetCurrentThreadId
CreateThread
RaiseException
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
GetProcAddress
FreeLibrary
LockResource
InterlockedCompareExchange
InterlockedExchange
InterlockedDecrement
InterlockedIncrement
DecodePointer
CreateFileW
CloseHandle
SetFileTime
GetFileTime
ReadFile
WriteFile
GetLastError
ResumeThread
ReleaseSemaphore
OpenEventA
WriteConsoleW
FlushFileBuffers
SetStdHandle
GetConsoleMode
GetConsoleCP
GetOEMCP
GetACP
IsValidCodePage
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCurrentProcessId
GetFileType
GetStdHandle
GetModuleHandleExW
ExitProcess
EnumSystemLocalesW
IsValidLocale
GetLocaleInfoW
LCMapStringW
GetStartupInfoW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCPInfo
ExitThread
RtlUnwind
IsProcessorFeaturePresent
EncodePointer
GetStringTypeW
OutputDebugStringW
IsDebuggerPresent
LoadLibraryExA
GetCurrentProcess
ReleaseMutex
GetSystemWindowsDirectoryW
GetOverlappedResult
ResetEvent
WaitForMultipleObjects
CancelIo
InterlockedExchangeAdd
VerSetConditionMask
FindClose
GetSystemTimeAsFileTime
GetSystemInfo
CreateDirectoryW
FindFirstFileW
FindNextFileW
VerifyVersionInfoW
GetUserDefaultLCID
WritePrivateProfileStringW
GetSystemTime
SystemTimeToFileTime
lstrlenA
GetThreadTimes
GetProcessAffinityMask
SetThreadAffinityMask
WaitForSingleObjectEx
CreateWaitableTimerW
SetWaitableTimer
CancelWaitableTimer
QueryPerformanceCounter
QueryPerformanceFrequency
VirtualAlloc
VirtualFree
SetLastError
GetFileSizeEx
SetFilePointerEx
GetModuleHandleA
GetDiskFreeSpaceW
SetFilePointer
LocalFileTimeToFileTime
GetCurrentDirectoryW
GetFileAttributesExW
FileTimeToSystemTime
AllocateUserPhysicalPages
FreeUserPhysicalPages
MapUserPhysicalPages
SetEndOfFile
InitializeSListHead
InterlockedPopEntrySList
InterlockedPushEntrySList
SleepEx

user32

CharUpperBuffW
CharLowerBuffW
DestroyWindow
CreateWindowExW
GetClassInfoExW
RegisterClassExW
DefWindowProcW
PostMessageW
SendMessageW
LoadStringW
MessageBoxW
CharNextW
CharUpperW
PostThreadMessageW
DispatchMessageW
TranslateMessage
GetMessageW

advapi32

OpenProcessToken
ImpersonateLoggedOnUser
SetThreadToken
RevertToSelf
DuplicateToken
TraceMessage
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
UnregisterTraceGuids
RegisterTraceGuidsW
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
OpenServiceW
OpenSCManagerW
DeleteService
CreateServiceW
ControlService
CloseServiceHandle
RegSetValueExW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyExW
RegCloseKey
ReportEventW
RegisterEventSourceW
DeregisterEventSource
AdjustTokenPrivileges
AllocateAndInitializeSid
FreeSid
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
LookupPrivilegeValueW
CheckTokenMembership
SetEntriesInAclW
GetTokenInformation
SetNamedSecurityInfoW
OpenThreadToken

ole32

StringFromGUID2
CoUninitialize
CoRevertToSelf
CoImpersonateClient
CoCreateGuid
StringFromCLSID
CoTaskMemFree
CoTaskMemRealloc
CoTaskMemAlloc
CoInitialize
CoCreateInstance
CoInitializeSecurity
CoReleaseServerProcess
CoAddRefServerProcess
CoResumeClassObjects
CoRevokeClassObject
CoRegisterClassObject
CoInitializeEx

oleaut32

RegisterTypeLi
SysAllocStringLen
VarBstrCmp
SysAllocString
SysFreeString
SysStringLen
VarUI4FromStr
LoadTypeLi
LoadRegTypeLi
SysAllocStringByteLen
UnRegisterTypeLi
SysStringByteLen

ws2_32

WSASetEvent
WSASend
WSASocketW
WSAWaitForMultipleEvents
WSACloseEvent
WSAResetEvent
WSARecv
WSAHtons
WSAHtonl
WSAGetOverlappedResult
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSAConnect
FreeAddrInfoW
WSAGetLastError
shutdown
setsockopt
ntohl
WSAStartup
WSACleanup
GetAddrInfoW
closesocket

imgengine

ord5
ord2
ord8
ord9
ord3
ord7
ord10

sptdintf

ord6

shlwapi

PathFileExistsW

newdev

UpdateDriverForPlugAndPlayDevicesW

shell32

SHGetFolderPathW
ord680

winmm

timeEndPeriod
timeBeginPeriod

setupapi

CM_Get_DevNode_Registry_PropertyW
CM_Get_Device_IDW
CM_Get_Child
SetupDiSetSelectedDevice
SetupDiSetClassInstallParamsW
SetupDiSetDeviceInstallParamsW
CM_Get_DevNode_Status
CM_Get_Sibling
CM_Query_And_Remove_SubTreeW
CMP_WaitNoPendingInstallEvents
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceDetailW
SetupDiCreateDeviceInfoW
SetupDiGetINFClassW
CM_Request_Device_EjectW
SetupDiCreateDeviceInfoList
SetupDiOpenDeviceInfoW
SetupDiGetDeviceInstallParamsW
SetupDiSetDeviceRegistryPropertyW
SetupDiGetDeviceRegistryPropertyW
SetupDiCallClassInstaller
SetupDiGetClassDevsW
SetupDiDestroyDriverInfoList
SetupDiSetSelectedDriverW
SetupDiEnumDriverInfoW
SetupDiBuildDriverInfoList
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo

rpcrt4

UuidCreate

Exports

Exports

??0CSPTDDeviceInfo@@IAE@XZ
??0CSPTDDeviceInfo@@QAE@ABV0@@Z
??0CSPTDDevices@@QAE@ABV0@@Z
??4CSPTDDeviceInfo@@QAEAAV0@ABV0@@Z
??4CSPTDDevices@@QAEAAV0@ABV0@@Z
??4VDriveEngine@@QAEAAV0@ABV0@@Z
??_7CSPTDDeviceInfo@@6B@
??_7CSPTDDevices@@6B@
?GetATAPIDevicesCount@CSPTDDevices@@QAEHXZ
?GetDevNotify@CSPTDDeviceInfo@@QAEPAXXZ
?GetDevicesCount@CSPTDDevices@@QAEHXZ
?OnDeviceChanged@CSPTDDevices@@UAEXAAV?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@@Z

Sections

.text
Size: 727KB - Virtual size: 726KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 150KB - Virtual size: 150KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 39KB - Virtual size: 56KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 33KB - Virtual size: 32KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
imgengine.dll
.dll windows x86

2dacd33696ad29ebd11ccd70cff0c6e9

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

comctl32

FlatSB_SetScrollInfo

shell32

Shell_NotifyIconW

user32

CopyImage
GetUserObjectInformationW
GetProcessWindowStation
GetUserObjectInformationW

version

GetFileVersionInfoSizeW

oleaut32

SafeArrayPutElement

advapi32

InitializeAcl

netapi32

NetWkstaGetInfo

msvcrt

memcpy

winhttp

WinHttpGetIEProxyConfigForCurrentUser

kernel32

GetVersion
GetVersionExW
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

wsock32

gethostbyaddr

ole32

CreateBindCtx

gdi32

Arc

wtsapi32

WTSSendMessageW

Exports

Exports

BindImage
BindImageEx
CheckSumMappedFile
EnumerateLoadedModules
EnumerateLoadedModules64
EnumerateLoadedModulesEx
EnumerateLoadedModulesExW
EnumerateLoadedModulesW64
FindDebugInfoFile
FindDebugInfoFileEx
FindExecutableImage
FindExecutableImageEx
FindFileInPath
FindFileInSearchPath
GetImageConfigInformation
GetImageUnusedHeaderBytes
GetTimestampForLoadedLibrary
ImageAddCertificate
ImageDirectoryEntryToData
ImageDirectoryEntryToDataEx
ImageEnumerateCertificates
ImageGetCertificateData
ImageGetCertificateHeader
ImageGetDigestStream
ImageLoad
ImageNtHeader
ImageRemoveCertificate
ImageRvaToSection
ImageRvaToVa
ImageUnload
ImagehlpApiVersion
ImagehlpApiVersionEx
MakeSureDirectoryPathExists
MapAndLoad
MapDebugInformation
MapFileAndCheckSumA
MapFileAndCheckSumW
ReBaseImage
ReBaseQHddvKE4
RemovePrivateCvSymbolic
RemovePrivateCvSymbolicEx
RemoveRelocations
SearchTreeForFile
SetImageConfigInformation
SplitSymbols
StackWalk
StackWalk64
SymCleanup
SymEnumSym
SymEnumSymbols
SymEnumSymbolsForAddr
SymEnumTypes
SymEnumTypesByName
SymEnumTypesByNameW
SymEnumTypesW
SymEnumerateModules
SymEnumerateModules64
SymEnumerateSymbols
SymEnumerateSymbols64
SymEnumerateSymbolsW
SymEnumerateSymbolsW64
SymFindFileInPath
SymFindFileInPathW
SymFromAddr
SymFromName
SymFunctionTableAccess
SymFunctionTableAccess64
SymGetLineFromAddr
SymGetLineFromAddr64
SymGetLineFromName
SymGetLineFromName64
SymGetLineNext
SymGetLineNext64
SymGetLinePrev
SymGetLinePrev64
SymGetModuleBase
SymGetModuleBase64
SymGetModuleInfo
SymGetModuleInfo64
SymGetModuleInfoW
SymGetModuleInfoW64
SymGetOptions
SymGetSearchPath
SymGetSourceFileFromTokenW
SymGetSourceFileTokenW
SymGetSourceVarFromTokenW
SymGetSymFromAddr
SymGetSymFromAddr64
SymGetSymFromName
SymGetSymFromName64
SymGetSymNext
SymGetSymNext64
SymGetSymPrev
SymGetSymPrev64
SymGetSymbolFile
SymGetSymbolFileW
SymGetTypeFromName
SymGetTypeFromNameW
SymGetTypeInfo
SymGetTypeInfoEx
SymInitialize
SymLoadModule
SymLoadModule64
SymMatchFileName
SymMatchFileNameW
SymMatchString
SymMatchStringA
SymMatchStringW
SymRegisterCallback
SymRegisterCallback64
SymRegisterFunctionEntryCallback
SymRegisterFunctionEntryCallback64
SymSetContext
SymSetOptions
SymSetScopeFromAddr
SymSetScopeFromIndex
SymSetSearchPath
SymSrvGetFileIndexString
SymSrvGetFileIndexStringW
SymSrvGetFileIndexes
SymSrvGetFileIndexesW
SymUnDName
SymUnDName64
SymUnloadModule
SymUnloadModule64
TMethodImplementationIntercept
TMethodImplementationIntercept
TouchFileTimes
UnDecorateSymbolName
UnMapAndLoad
UnmapDebugInformation
UpdateDebugInfoFile
UpdateDebugInfoFileEx
__dbk_fcall_wrapper
dbkFCallWrapperAddr

Sections

.text
Size: - Virtual size: 2.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 30KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didata
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 69B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.vmp0
Size: - Virtual size: 6.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 9.6MB - Virtual size: 9.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 600B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
sptdintf.dll
.dll windows x86

0c0e25218d1b9d2451a916055dd8d7a8

Code Sign

11:21:35:2e:0b:20:23:d1:a7:51:88:6d:cb:e9:7d:37:79:5e
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

21/02/2014, 16:58

Not After

30/05/2015, 17:52

Subject

CN=Disc Soft Ltd,O=Disc Soft Ltd,L=Belize city,ST=Belize,C=BZ,1.2.840.113549.1.9.1=#0c1366696e707240646973632d736f66742e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:40:5c:1f:0e:d2:58:88:2b:e5:4d:86:86:ba:11:ea:45
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

23/08/2013, 00:00

Not After

23/09/2024, 00:00

Subject

CN=GlobalSign TSA for MS Authenticode - G1,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

c8:b2:f3:e1:e1:f4:fe:89:e8:98:10:ee:72:82:28:43:40:71:7d:02
Signer

Actual PE Digest

c8:b2:f3:e1:e1:f4:fe:89:e8:98:10:ee:72:82:28:43:40:71:7d:02

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Disc Soft Ltd,O=Disc Soft Ltd,L=Belize city,ST=Belize,C=BZ,1.2.840.113549.1.9.1=#0c1366696e707240646973632d736f66742e636f6d

25/01/2015, 18:20
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

HeapFree
GetProcessHeap
GetLastError
GetProcAddress
GetModuleHandleA
HeapAlloc

Exports

Exports

A0DB34FC6FE35D429A28ADDE5467D4D7

Sections

.text
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.stext
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 326B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 660B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

17e732420e3f74bbe372ba823918c7fe

Code Sign

11:21:35:2e:0b:20:23:d1:a7:51:88:6d:cb:e9:7d:37:79:5eCertificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:2f:4e:e1:35:5cCertificate

Extended Key Usages

Key Usages

11:21:40:5c:1f:0e:d2:58:88:2b:e5:4d:86:86:ba:11:ea:45Certificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:2f:4e:e1:52:d7Certificate

Key Usages

b0:c3:eb:09:f6:93:8e:58:d7:06:06:9a:0a:65:4f:61:23:93:0d:daSigner

Signature Validations

Verification

26/02/2015, 09:14 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

ole32

oleaut32

ws2_32

imgengine

sptdintf

shlwapi

newdev

shell32

winmm

setupapi

rpcrt4

Exports

Exports

Sections

.text Size: 727KB - Virtual size: 726KB

.rdata Size: 150KB - Virtual size: 150KB

.data Size: 39KB - Virtual size: 56KB

.tls Size: 512B - Virtual size: 2B

.vmp0 Size: 33KB - Virtual size: 32KB

.rsrc Size: 51KB - Virtual size: 51KB

2dacd33696ad29ebd11ccd70cff0c6e9

Headers

File Characteristics

Imports

comctl32

shell32

user32

version

oleaut32

advapi32

netapi32

msvcrt

winhttp

kernel32

wsock32

ole32

gdi32

wtsapi32

Exports

Exports

Sections

.text Size: - Virtual size: 2.8MB

.itext Size: - Virtual size: 7KB

.data Size: - Virtual size: 39KB

.bss Size: - Virtual size: 30KB

.idata Size: - Virtual size: 14KB

.didata Size: - Virtual size: 3KB

.edata Size: - Virtual size: 3KB

.rdata Size: - Virtual size: 69B

.vmp0 Size: - Virtual size: 6.4MB

.vmp1 Size: 9.6MB - Virtual size: 9.6MB

11:21:35:2e:0b:20:23:d1:a7:51:88:6d:cb:e9:7d:37:79:5e
Certificate

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

11:21:40:5c:1f:0e:d2:58:88:2b:e5:4d:86:86:ba:11:ea:45
Certificate

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

b0:c3:eb:09:f6:93:8e:58:d7:06:06:9a:0a:65:4f:61:23:93:0d:da
Signer

26/02/2015, 09:14
Valid: false

.text
Size: 727KB - Virtual size: 726KB

.rdata
Size: 150KB - Virtual size: 150KB

.data
Size: 39KB - Virtual size: 56KB

.tls
Size: 512B - Virtual size: 2B

.vmp0
Size: 33KB - Virtual size: 32KB

.rsrc
Size: 51KB - Virtual size: 51KB

.text
Size: - Virtual size: 2.8MB

.itext
Size: - Virtual size: 7KB

.data
Size: - Virtual size: 39KB

.bss
Size: - Virtual size: 30KB

.idata
Size: - Virtual size: 14KB

.didata
Size: - Virtual size: 3KB

.edata
Size: - Virtual size: 3KB

.rdata
Size: - Virtual size: 69B

.vmp0
Size: - Virtual size: 6.4MB

.vmp1
Size: 9.6MB - Virtual size: 9.6MB

.reloc
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 600B

11:21:35:2e:0b:20:23:d1:a7:51:88:6d:cb:e9:7d:37:79:5e
Certificate

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

11:21:40:5c:1f:0e:d2:58:88:2b:e5:4d:86:86:ba:11:ea:45
Certificate

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

c8:b2:f3:e1:e1:f4:fe:89:e8:98:10:ee:72:82:28:43:40:71:7d:02
Signer

25/01/2015, 18:20
Valid: false

.text
Size: 4KB - Virtual size: 4KB

.stext
Size: 1KB - Virtual size: 1KB

.rdata
Size: 512B - Virtual size: 326B

.data
Size: - Virtual size: 52B

.vmp0
Size: 38KB - Virtual size: 37KB

.reloc
Size: 1024B - Virtual size: 660B

.rsrc
Size: 5KB - Virtual size: 5KB