General

Malware Config

Signatures

Files

• ww.zip

  .zip
• casarowtt
• custsat.dll

  .dll regsvr32 windows x86

  43faca19a24ebb6f045ead2184d44df3

  
  

  Headers

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LINE_NUMS_STRIPPED

  IMAGE_FILE_LOCAL_SYMS_STRIPPED

  IMAGE_FILE_32BIT_MACHINE

  Imports

  msvcrt

  ??2@YAPAXI@Z

  ceil

  free

  _except_handler3

  ??3@YAXPAX@Z

  malloc

  _adjust_fdiv

  _initterm

  realloc

  shlwapi

  SHStrDupW

  wnsprintfA

  StrCpyNW

  SHGetValueW

  SHSetValueW

  PathFindFileNameW

  wnsprintfW

  PathFileExistsW

  ole32

  CreateStreamOnHGlobal

  CreateBindCtx

  StringFromGUID2

  CoCreateGuid

  oleaut32

  SysAllocString

  SysFreeString

  kernel32

  RaiseException

  LocalAlloc

  LocalReAlloc

  GetSystemInfo

  CreateEventA

  CreateFileMappingA

  InterlockedCompareExchange

  SetUnhandledExceptionFilter

  UnhandledExceptionFilter

  TerminateProcess

  GetCurrentProcessId

  GetCurrentThreadId

  QueryPerformanceCounter

  SetLastError

  InterlockedExchange

  GetSystemDirectoryA

  GetWindowsDirectoryA

  GetModuleFileNameA

  GetModuleHandleA

  CompareStringA

  FreeLibrary

  Sleep

  FindClose

  ResetEvent

  InterlockedDecrement

  DeleteCriticalSection

  InitializeCriticalSection

  GetFileSize

  GlobalAlloc

  ReadFile

  GlobalFree

  WriteFile

  VirtualAlloc

  WaitForSingleObject

  EnterCriticalSection

  SetEvent

  LeaveCriticalSection

  InterlockedIncrement

  DisableThreadLibraryCalls

  LoadLibraryA

  IsBadWritePtr

  IsBadCodePtr

  IsBadReadPtr

  GetVersionExA

  LocalFree

  GetLastError

  GetSystemTimeAsFileTime

  CloseHandle

  SystemTimeToFileTime

  GetCurrentProcess

  CompareFileTime

  UnmapViewOfFile

  GetSystemTime

  MapViewOfFile

  GetTickCount

  Exports

  Exports

  DllCanUnloadNow

  DllGetClassObject

  DllRegisterServer

  DllUnregisterServer

  Sections

  .text

  Size: 27KB - Virtual size: 27KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .data

  Size: 512B - Virtual size: 1KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 1024B - Virtual size: 976B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 3KB - Virtual size: 2KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• dsssdvreeed55
• msvcr80.dll

  .dll windows x86

  
  

  Headers

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LINE_NUMS_STRIPPED

  IMAGE_FILE_LOCAL_SYMS_STRIPPED

  IMAGE_FILE_BYTES_REVERSED_LO

  IMAGE_FILE_32BIT_MACHINE

  IMAGE_FILE_BYTES_REVERSED_HI

  Exports

  Exports

  ??3@YAXPAX@Z

  ??_V@YAXPAX@Z

  ?terminate@@YAXXZ

  TMethodImplementationIntercept

  _XcptFilter

  __dbk_fcall_wrapper

  __dllonexit

  __getmainargs

  __p__commode

  __p__fmode

  __set_app_type

  __setusermatherr

  _acmdln

  _adjust_fdiv

  _amsg_exit

  _callnewh

  _cexit

  _configthreadlocale

  _controlfp_s

  _crt_debugger_hook

  _decode_pointer

  _encode_pointer

  _except_handler4_common

  _exit

  _initterm

  _initterm_e

  _invoke_watson

  _ismbblead

  _lock

  _mbscmp

  _onexit

  _recalloc

  _resetstkoflw

  _set_purecall_handler

  _snwprintf_s

  _stricmp

  _strlwr_s

  _swab

  _ultow_s

  _unlock

  _vsnprintf_s

  _vsnwprintf_s

  _vswprintf_c_l

  _wcsicmp

  _wcsnicmp

  _wfullpath

  _wmakepath_s

  _wsplitpath_s

  _wtoi

  _wtol

  calloc

  dbkFCallWrapperAddr

  exit

  fclose

  fgets

  fopen_s

  fprintf

  free

  isprint

  malloc

  memcpy

  memcpy_s

  memmove

  memmove_s

  memset

  sprintf_s

  strcpy_s

  strncpy_s

  strrchr

  swprintf_s

  wcscat_s

  wcschr

  wcscpy_s

  wcscspn

  wcsncat_s

  wcsncpy_s

  wcspbrk

  wcsstr

  wcstok_s

  Sections

  Size: 271KB - Virtual size: 840KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  Size: 1KB - Virtual size: 2KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  Size: 7KB - Virtual size: 15KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  Size: - Virtual size: 23KB

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  Size: 512B - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  Size: 512B - Virtual size: 490B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  Size: 1024B - Virtual size: 1KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  Size: 512B - Virtual size: 68B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  Size: 49KB - Virtual size: 80KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

  Size: 3KB - Virtual size: 11KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  Size: 762KB - Virtual size: 3.2MB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .edata

  Size: 2KB - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .idata

  Size: 512B - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 1024B - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .themida

  Size: - Virtual size: 4.1MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .boot

  Size: 2.5MB - Virtual size: 2.5MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

• windows.exe

  .exe windows x86

  bc22ecaaac25583530b5f5715be4e5b1

  
  

  Code Sign

  2e:ab:11:dc:50:ff:5c:9d:cb:c0

  Certificate

  Issuer

  CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

  Not Before

  22-08-2007 22:31

  Not After

  25-08-2012 07:00

  Subject

  CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  61:06:27:81:00:00:00:00:00:08

  Certificate

  Issuer

  CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Not Before

  22-10-2008 21:24

  Not After

  22-01-2010 21:34

  Subject

  CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2

  Certificate

  Issuer

  CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

  Not Before

  16-09-2006 01:04

  Not After

  15-09-2019 07:00

  Subject

  CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  61:05:a2:30:00:00:00:00:00:08

  Certificate

  Issuer

  CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Not Before

  25-07-2008 19:01

  Not After

  25-07-2013 19:11

  Subject

  CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:85D3-305C-5BCF,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageContentCommitment

  77:a5:98:38:1d:66:c3:de:36:80:84:ae:13:14:24:2c:1c:11:d9:c6

  Signer

  Actual PE Digest

  77:a5:98:38:1d:66:c3:de:36:80:84:ae:13:14:24:2c:1c:11:d9:c6

  Digest Algorithm

  sha1

  PE Digest Matches

  true

  Signature Validations

  Trusted

  false

  Verification

  Signing Certificate

  CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  04-06-2009 03:09

  Valid: false

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_RELOCS_STRIPPED

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  Imports

  kernel32

  SetFileAttributesW

  CreateFileW

  GetFileSize

  GetFileAttributesW

  MapViewOfFile

  UnmapViewOfFile

  CloseHandle

  ExpandEnvironmentStringsW

  LeaveCriticalSection

  CreateFileMappingA

  DeleteCriticalSection

  HeapSize

  HeapReAlloc

  HeapDestroy

  FindFirstFileW

  FindNextFileW

  FindClose

  GetUserDefaultLCID

  GetSystemDefaultLCID

  InterlockedIncrement

  InterlockedDecrement

  GetFileAttributesExW

  CopyFileW

  GetModuleHandleW

  FindAtomW

  DeleteAtom

  AddAtomW

  CreateEventA

  CreateMutexA

  DuplicateHandle

  OpenProcess

  LoadLibraryA

  CreateProcessA

  WaitForSingleObject

  SetEvent

  ReleaseMutex

  GetUserDefaultUILanguage

  GetFileAttributesA

  CreateFileMappingW

  EnterCriticalSection

  GlobalAlloc

  GlobalUnlock

  GlobalLock

  FindResourceExA

  OutputDebugStringW

  VirtualFree

  VirtualAlloc

  lstrcpynW

  SystemTimeToFileTime

  GetSystemTime

  CreateProcessW

  LocalFree

  FormatMessageW

  LoadLibraryExW

  WriteFile

  GetStdHandle

  GetEnvironmentVariableA

  LoadLibraryW

  CreateDirectoryW

  MoveFileW

  GetThreadLocale

  GetLocaleInfoA

  GetACP

  IsDebuggerPresent

  UnhandledExceptionFilter

  GetCurrentProcess

  TerminateProcess

  GetSystemTimeAsFileTime

  GetCurrentProcessId

  GetCurrentThreadId

  GetTickCount

  QueryPerformanceCounter

  GetStartupInfoA

  InterlockedCompareExchange

  Sleep

  GetLastError

  InitializeCriticalSection

  LoadLibraryExA

  lstrcmpiA

  IsDBCSLeadByte

  FreeLibrary

  GetProcAddress

  GetModuleHandleA

  GetVersionExA

  RaiseException

  WideCharToMultiByte

  lstrlenW

  MultiByteToWideChar

  FindResourceA

  LoadResource

  LockResource

  SizeofResource

  HeapFree

  GetProcessHeap

  HeapAlloc

  SetCurrentDirectoryW

  GetCurrentDirectoryW

  lstrlenA

  GetModuleFileNameW

  SetUnhandledExceptionFilter

  InterlockedExchange

  GetModuleFileNameA

  GlobalFree

  gdi32

  DeleteObject

  msvcr80

  ?terminate@@YAXXZ

  malloc

  _callnewh

  ??3@YAXPAX@Z

  _stricmp

  strcpy_s

  fopen_s

  fgets

  fclose

  _wcsicmp

  wcsncpy_s

  _mbscmp

  _wtol

  swprintf_s

  _vsnprintf_s

  _vswprintf_c_l

  strrchr

  isprint

  _ultow_s

  _strlwr_s

  calloc

  _wmakepath_s

  _set_purecall_handler

  _wtoi

  wcspbrk

  _wfullpath

  memmove

  wcschr

  wcscat_s

  _vsnwprintf_s

  memset

  memmove_s

  _snwprintf_s

  _wcsnicmp

  fprintf

  memcpy_s

  free

  wcsstr

  sprintf_s

  strncpy_s

  _recalloc

  _resetstkoflw

  ??_V@YAXPAX@Z

  wcscpy_s

  wcsncat_s

  _wsplitpath_s

  _swab

  wcscspn

  wcstok_s

  _amsg_exit

  __getmainargs

  _cexit

  _exit

  _XcptFilter

  _ismbblead

  exit

  _acmdln

  _initterm

  _initterm_e

  _configthreadlocale

  __setusermatherr

  _adjust_fdiv

  __p__commode

  __p__fmode

  _encode_pointer

  __set_app_type

  _unlock

  __dllonexit

  _crt_debugger_hook

  _controlfp_s

  _invoke_watson

  _except_handler4_common

  memcpy

  _decode_pointer

  _onexit

  _lock

  user32

  LoadImageA

  LoadIconA

  SetForegroundWindow

  LoadBitmapA

  MessageBoxW

  CharNextW

  UnregisterClassA

  CharNextA

  GetSystemMetrics

  LoadStringW

  advapi32

  CryptHashData

  CryptCreateHash

  CryptImportKey

  CryptAcquireContextA

  CryptReleaseContext

  CryptDestroyKey

  RegDeleteValueW

  CryptDestroyHash

  RegQueryValueExA

  RegEnumValueW

  RegQueryInfoKeyW

  RegSetValueExW

  RegFlushKey

  RegEnumKeyExW

  RegCreateKeyExW

  RegDeleteValueA

  RegOpenKeyExA

  RegEnumKeyExA

  RegQueryInfoKeyA

  RegDeleteKeyA

  RegSetValueExA

  RegCreateKeyExA

  RegOpenKeyExW

  RegQueryValueExW

  RegCloseKey

  RegDeleteKeyW

  CryptVerifySignatureA

  shell32

  SHCreateDirectoryExW

  SHFileOperationW

  SHGetFolderPathW

  ole32

  OleInitialize

  StringFromGUID2

  CoCreateInstance

  CoTaskMemAlloc

  CoInitializeSecurity

  OleUninitialize

  CoTaskMemRealloc

  CoTaskMemFree

  StringFromCLSID

  IIDFromString

  CoReleaseMarshalData

  CreateStreamOnHGlobal

  CoMarshalInterface

  CoDisconnectObject

  oleaut32

  GetErrorInfo

  SysAllocStringLen

  SysFreeString

  VarBstrCat

  SysStringLen

  VarUI4FromStr

  SysStringByteLen

  SysAllocStringByteLen

  VariantClear

  GetActiveObject

  SysAllocString

  VariantInit

  shlwapi

  SHDeleteKeyW

  PathAddBackslashW

  SHCopyKeyW

  PathFileExistsW

  PathIsDirectoryW

  PathIsRelativeW

  PathUnquoteSpacesW

  PathRemoveBlanksW

  PathRemoveFileSpecW

  mscoree

  CorBindToRuntimeEx

  LockClrVersion

  custsat

  ord5

  ord4

  Sections

  .text

  Size: 93KB - Virtual size: 93KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .data

  Size: 2KB - Virtual size: 11KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 111KB - Virtual size: 110KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ