General

Malware Config

Signatures

Files

• HFlashPlayer-windows-0.1.1.zip

  .zip
• HFlashPlayer.exe

  .exe windows x86

  f34d5f2d4577ed6d9ceec516c1f5a744

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_NO_SEH

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LARGE_ADDRESS_AWARE

  Imports

  mscoree

  _CorExeMain

  Sections

  .text

  Size: 19KB - Virtual size: 19KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 12KB - Virtual size: 12KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 512B - Virtual size: 12B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• flashplayer.exe

  .exe windows x86

  992bef1fea0f17c89054a29fd57a25d7

  
  

  Code Sign

  06:f0:47:88:03:10:55:d3:1d:ef:fe:fc:d0:26:d6:c5

  Certificate

  Issuer

  CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

  Not Before

  15-03-2017 00:00

  Not After

  20-03-2019 12:00

  Subject

  SERIALNUMBER=2748129,CN=Adobe Systems Incorporated,OU=Flash Player,O=Adobe Systems Incorporated,POSTALCODE=95110,STREET=345 Park Avenue,L=San Jose,ST=California,C=US,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c

  Certificate

  Issuer

  CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

  Not Before

  18-04-2012 12:00

  Not After

  18-04-2027 12:00

  Subject

  CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12

  Certificate

  Issuer

  CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

  Not Before

  12-01-2016 00:00

  Not After

  11-01-2031 23:59

  Subject

  CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  54:58:f2:aa:d7:41:d6:44:bc:84:a9:7b:a0:96:52:e6

  Certificate

  Issuer

  CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

  Not Before

  02-01-2017 00:00

  Not After

  01-04-2028 23:59

  Subject

  CN=Symantec SHA256 TimeStamping Signer - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  dd:d5:ea:c2:2d:90:a3:68:0d:d2:84:c7:6b:2d:b7:f6:e9:d1:87:b0:75:6e:93:07:d9:3a:fd:ec:c0:c4:0b:0d

  Signer

  Actual PE Digest

  dd:d5:ea:c2:2d:90:a3:68:0d:d2:84:c7:6b:2d:b7:f6:e9:d1:87:b0:75:6e:93:07:d9:3a:fd:ec:c0:c4:0b:0d

  Digest Algorithm

  sha256

  PE Digest Matches

  true

  Signature Validations

  Trusted

  true

  Verification

  Signing Certificate

  SERIALNUMBER=2748129,CN=Adobe Systems Incorporated,OU=Flash Player,O=Adobe Systems Incorporated,POSTALCODE=95110,STREET=345 Park Avenue,L=San Jose,ST=California,C=US,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

  29-04-2018 06:15

  Valid: true

  Chain 1

  SERIALNUMBER=2748129,CN=Adobe Systems Incorporated,OU=Flash Player,O=Adobe Systems Incorporated,POSTALCODE=95110,STREET=345 Park Avenue,L=San Jose,ST=California,C=US,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

  CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

  CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  Imports

  kernel32

  ReadFile

  SetFilePointer

  GetFileSize

  CreateFileW

  GetModuleFileNameA

  GetCommandLineW

  SetEndOfFile

  WriteFile

  CreateFileA

  GetFileAttributesA

  GetStartupInfoW

  GetCommandLineA

  ExitProcess

  RemoveDirectoryW

  CopyFileW

  GetModuleFileNameW

  GetCPInfo

  GetACP

  IsDBCSLeadByte

  HeapSize

  DeviceIoControl

  CreateProcessA

  GetTempPathA

  FindNextFileW

  GetSystemWow64DirectoryW

  ExpandEnvironmentStringsA

  WideCharToMultiByte

  MultiByteToWideChar

  lstrlenW

  GetLongPathNameW

  CreateProcessW

  GetTempFileNameA

  CreateDirectoryA

  DeleteFileA

  GetFileAttributesW

  CreateMutexA

  SetFilePointerEx

  GetFileSizeEx

  GetFileAttributesExW

  GetFileInformationByHandle

  GetVolumeInformationW

  GetCurrentDirectoryW

  SetCurrentDirectoryW

  GetFullPathNameW

  ExpandEnvironmentStringsW

  OutputDebugStringA

  MoveFileExW

  LoadLibraryA

  GetSystemDirectoryA

  FreeLibrary

  GetVersionExW

  GetCurrentProcess

  VirtualQuery

  ExitThread

  GetUserDefaultLangID

  GetUserDefaultUILanguage

  VerifyVersionInfoW

  VerSetConditionMask

  GlobalFree

  CreateThread

  LockResource

  LoadResource

  FindResourceExA

  FindResourceExW

  GlobalAlloc

  GlobalUnlock

  GlobalLock

  QueryPerformanceCounter

  QueryPerformanceFrequency

  GlobalSize

  QueueUserAPC

  OpenThread

  SleepEx

  SetUnhandledExceptionFilter

  GetCurrentProcessId

  GetProcessTimes

  RaiseException

  FlushInstructionCache

  SetLastError

  TerminateThread

  CreateEventW

  SetEvent

  ResetEvent

  WaitForMultipleObjects

  CreateWaitableTimerW

  GetTickCount

  SetThreadPriority

  GetTimeZoneInformation

  GetSystemTime

  SystemTimeToFileTime

  DebugBreak

  GetModuleHandleW

  LCMapStringW

  GetExitCodeThread

  DuplicateHandle

  GetCurrentThread

  MapViewOfFile

  UnmapViewOfFile

  ReleaseMutex

  CreateFileMappingA

  CompareFileTime

  ReleaseSemaphore

  CreateSemaphoreW

  SetThreadAffinityMask

  CreateEventA

  CreateWaitableTimerA

  SetWaitableTimer

  CancelWaitableTimer

  InterlockedExchangeAdd

  GetVersionExA

  GetVersion

  VirtualAlloc

  VirtualFree

  FlushFileBuffers

  GlobalMemoryStatusEx

  IsDebuggerPresent

  SetSystemTime

  FileTimeToSystemTime

  TlsAlloc

  TlsFree

  ResumeThread

  CreateTimerQueueTimer

  DeleteTimerQueueTimer

  CreateSemaphoreA

  HeapAlloc

  HeapFree

  HeapUnlock

  HeapWalk

  HeapLock

  HeapCreate

  HeapDestroy

  VirtualProtect

  GetNumberFormatW

  GetCurrencyFormatW

  CompareStringW

  GetDateFormatW

  GetTimeFormatW

  GetUserDefaultLCID

  EnumSystemLocalesW

  GetProcessHeap

  GetProcessAffinityMask

  IsProcessorFeaturePresent

  GetStartupInfoA

  RtlUnwind

  UnhandledExceptionFilter

  TerminateProcess

  GetSystemTimeAsFileTime

  HeapReAlloc

  GetStdHandle

  FreeEnvironmentStringsA

  GetEnvironmentStrings

  FreeEnvironmentStringsW

  GetEnvironmentStringsW

  SetHandleCount

  GetFileType

  GetOEMCP

  IsValidCodePage

  LCMapStringA

  GetConsoleCP

  GetConsoleMode

  SetConsoleCtrlHandler

  InitializeCriticalSectionAndSpinCount

  SetStdHandle

  GetLocaleInfoA

  GetStringTypeA

  GetStringTypeW

  WriteConsoleA

  GetConsoleOutputCP

  WriteConsoleW

  CompareStringA

  SetEnvironmentVariableA

  LocalAlloc

  GlobalMemoryStatus

  FlushConsoleInputBuffer

  GetProcAddress

  WaitForSingleObject

  GetExitCodeProcess

  CloseHandle

  FindFirstFileW

  FindClose

  GetSystemDirectoryW

  LoadLibraryW

  GetModuleHandleA

  GetTempPathW

  GetTempFileNameW

  GetLastError

  DeleteFileW

  CreateDirectoryW

  GetSystemInfo

  SwitchToThread

  TlsGetValue

  TlsSetValue

  GetCurrentThreadId

  LeaveCriticalSection

  ReadConsoleInputA

  SetConsoleMode

  FindFirstFileA

  EnterCriticalSection

  TryEnterCriticalSection

  DeleteCriticalSection

  InitializeCriticalSection

  InterlockedDecrement

  InterlockedIncrement

  InterlockedExchange

  InterlockedCompareExchange

  GetLocaleInfoW

  Sleep

  FileTimeToLocalFileTime

  GetDriveTypeA

  GetFullPathNameA

  PeekNamedPipe

  GetCurrentDirectoryA

  advapi32

  CryptEncrypt

  CryptDestroyKey

  CryptImportKey

  CryptSetKeyParam

  CryptGetHashParam

  CryptHashData

  CryptDestroyHash

  CryptAcquireContextA

  CryptCreateHash

  RegisterEventSourceA

  ReportEventA

  DeregisterEventSource

  RegOpenKeyA

  CryptAcquireContextW

  CryptGenRandom

  CryptReleaseContext

  RegOpenKeyExA

  RegQueryValueExW

  RegSetValueExW

  RegCreateKeyExW

  RegSetValueExA

  RegQueryValueExA

  RegCloseKey

  RegCreateKeyExA

  RegOpenKeyExW

  CryptDecrypt

  Exports

  Exports

  IAEModule_AEModule_PutKernel

  IAEModule_IAEKernel_LoadModule

  IAEModule_IAEKernel_UnloadModule

  _WinMainSandboxed@20

  Sections

  .text

  Size: 10.1MB - Virtual size: 10.1MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rodata

  Size: 4KB - Virtual size: 4KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 2.1MB - Virtual size: 2.1MB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 864KB - Virtual size: 1.8MB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 1.8MB - Virtual size: 1.8MB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 490KB - Virtual size: 490KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• unregister.reg