Desktop[.]rar | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Desktop.rar
Size

79KB
MD5

ad712eb222777e52c8df1a38ec8e2bbf
SHA1

cddb35e622bf85c70c0ba7672452e442e77b5e48
SHA256

d256e1e5f1a2164aed4c49d793df6874c2ce0188772961b20d33299db82669f3
SHA512

1c76e4d9d1d1aa72c1e7120f7b2a1159657da49272a444763b2a1ea87e61eda4e5025ffca96d9ec813ad4a24b135d666a741fe1124e250d79f85c5cfd3d2b3fd
SSDEEP

1536:RJ01DJpHnWGnngLToc80G2kNQMXVhwZkeY7xApxuPBSolE0f6s:IxHnWsmToc872kNJzwfgxK8BSolE0fP

Score

1^/10

Malware Config

Signatures

Files

Desktop.rar
.rar
P100_Injector.exe
.exe windows x64

5bebd824a4d4c4a0ef197e472a57b46f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetFileAttributesW
GetProcAddress
LoadLibraryExW
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetModuleHandleW
RtlCaptureContext

user32

PostThreadMessageW
SetWindowsHookExW
FindWindowW
UnhookWindowsHookEx
GetWindowThreadProcessId

msvcp140

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_terminate
__C_specific_handler
__current_exception
memcpy
__current_exception_context
memset

api-ms-win-crt-runtime-l1-1-0

_register_onexit_function
terminate
_crt_atexit
_initialize_onexit_table
_register_thread_local_exe_atexit_callback
_cexit
_c_exit
__p___wargv
__p___argc
system
_exit
exit
_initterm_e
_initterm
_initialize_wide_environment
_configure_wide_argv
_set_app_type
_seh_filter_exe
_get_initial_wide_environment

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-heap-l1-1-0

_set_new_mode

Sections

.text
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 444B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
StaffBesting.dll
.dll windows x64

e8a97fa73a9da8d3ec89c6bf3837b2f0

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

25/05/2021, 00:00

Not After

31/12/2028, 23:59

Subject

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:39:dd:e1:19:bb:32:0d:fb:9f:5d:ef:e3:f7:12:45
Certificate

Issuer

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Not Before

10/11/2021, 00:00

Not After

09/11/2024, 23:59

Subject

CN=Hangil IT Co.\, Ltd,O=Hangil IT Co.\, Ltd,ST=Seoul,C=KR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

Issuer

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Not Before

22/03/2021, 00:00

Not After

21/03/2036, 23:59

Subject

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a9:70:b4:6b:4f:ff:4d:99:8e:fb:7e:c9:ab:bd:2c:05:a0:1b:d5:e8
Signer

Actual PE Digest

a9:70:b4:6b:4f:ff:4d:99:8e:fb:7e:c9:ab:bd:2c:05:a0:1b:d5:e8

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=Hangil IT Co.\, Ltd,O=Hangil IT Co.\, Ltd,ST=Seoul,C=KR

09/03/2023, 19:08
Valid: true

Chain 1

CN=Hangil IT Co.\, Ltd,O=Hangil IT Co.\, Ltd,ST=Seoul,C=KR

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetCurrentProcessId
WaitNamedPipeW
lstrlenW
GetModuleFileNameW
MultiByteToWideChar
GetCurrentProcess
GetModuleHandleA
Beep
ReadProcessMemory
CloseHandle
LeaveCriticalSection
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
QueryPerformanceCounter
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
GetLastError
CreateFileW
PeekNamedPipe
WriteFile
AllocConsole
ReadFile
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
GetModuleHandleW
GetProcAddress
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
EnterCriticalSection

user32

GetAsyncKeyState
CallNextHookEx
GetSystemMetrics
GetKeyNameTextA
SendInput
GetCursorPos
MapVirtualKeyW

advapi32

RegCreateKeyExW
RegSetValueExW
RegCloseKey

msvcp140

_Cnd_broadcast
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?id@?$ctype@_W@std@@2V0locale@2@A
?_Xlength_error@std@@YAXPEBD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?narrow@?$ctype@_W@std@@QEBAPEB_WPEB_W0DPEAD@Z
??Bid@locale@std@@QEAA_KXZ
_Mtx_unlock
_Xtime_get_ticks
_Cnd_do_broadcast_at_thread_exit
_Mtx_init_in_situ
_Mtx_lock
_Mtx_destroy_in_situ
_Cnd_timedwait
?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
_Cnd_init_in_situ
_Mtx_current_owns

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcmp
memcpy
memchr
__std_type_info_destroy_list
memmove
memset
__std_terminate
__std_exception_destroy
__std_exception_copy
__C_specific_handler
_CxxThrowException

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vfprintf
__stdio_common_vswprintf
__acrt_iob_func
__stdio_common_vsprintf_s

api-ms-win-crt-heap-l1-1-0

free
_callnewh
malloc

api-ms-win-crt-runtime-l1-1-0

_execute_onexit_table
_cexit
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_seh_filter_dll
_initterm
_invalid_parameter_noinfo_noreturn
_initterm_e
terminate
_beginthreadex
_register_onexit_function
_crt_atexit

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-string-l1-1-0

strcmp
tolower
toupper

api-ms-win-crt-convert-l1-1-0

mbstowcs

api-ms-win-crt-math-l1-1-0

cosf
atan2f
sqrtf
atanf
acosf
sinf

Exports

Exports

NextHook

Sections

.text
Size: 148KB - Virtual size: 147KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 49KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 247KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 248B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 136B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5bebd824a4d4c4a0ef197e472a57b46f

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

msvcp140

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-heap-l1-1-0

Sections

.text Size: 5KB - Virtual size: 4KB

.rdata Size: 6KB - Virtual size: 5KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 512B - Virtual size: 444B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 512B - Virtual size: 48B

e8a97fa73a9da8d3ec89c6bf3837b2f0

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16Certificate

Extended Key Usages

Key Usages

01:39:dd:e1:19:bb:32:0d:fb:9f:5d:ef:e3:f7:12:45Certificate

Extended Key Usages

Key Usages

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0aCertificate

Extended Key Usages

Key Usages

a9:70:b4:6b:4f:ff:4d:99:8e:fb:7e:c9:ab:bd:2c:05:a0:1b:d5:e8Signer

Signature Validations

Verification

09/03/2023, 19:08 Valid: true

Chain 1

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

msvcp140

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-math-l1-1-0

Exports

Exports

Sections

.text Size: 148KB - Virtual size: 147KB

.rdata Size: 49KB - Virtual size: 49KB

.data Size: 5KB - Virtual size: 247KB

.pdata Size: 4KB - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 248B

.reloc Size: 512B - Virtual size: 136B

.text
Size: 5KB - Virtual size: 4KB

.rdata
Size: 6KB - Virtual size: 5KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 512B - Virtual size: 444B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 512B - Virtual size: 48B

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

01:39:dd:e1:19:bb:32:0d:fb:9f:5d:ef:e3:f7:12:45
Certificate

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

a9:70:b4:6b:4f:ff:4d:99:8e:fb:7e:c9:ab:bd:2c:05:a0:1b:d5:e8
Signer

09/03/2023, 19:08
Valid: true

.text
Size: 148KB - Virtual size: 147KB

.rdata
Size: 49KB - Virtual size: 49KB

.data
Size: 5KB - Virtual size: 247KB

.pdata
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 248B

.reloc
Size: 512B - Virtual size: 136B