sqlservr[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

sqlservr.exe
Size

383KB
MD5

bd5f839017cff68b2f1fe8e98760b8c8
SHA1

72059370cec15e4d78fb51c9fb712712608e838b
SHA256

4ec388d2b99b0d1237bcec16aa6f9ecf37af9282b951b9c15c8ec2d256f36edf
SHA512

8f7d96d15959f3ef2f60ac7b8d4e4595d6cb6bbfed9b08ae74137f7fd4d40615ef10c4a703468b38e68b8f7caf5a863a04b4fafe54b7913422b09ab528c7f45e
SSDEEP

6144:7xClD/6mA25XsVooiPddi/JAHNbQ4MWzOYOSokIEi7:tCpCmA25XsVovHqAVD63

Score

1^/10

Malware Config

Signatures

Files

sqlservr.exe
.exe windows x64

d0399b1e19588e1cfe01971a1925a948

Code Sign

33:00:00:00:c5:96:40:60:4b:f4:de:ae:2e:00:00:00:00:00:c5
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07/09/2016, 17:58

Not After

07/09/2018, 17:58

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:C0F4-3086-DEF8,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:40:96:a9:ee:70:56:fe:cc:07:00:01:00:00:01:40
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/08/2016, 20:17

Not After

02/11/2017, 20:17

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:64:47:84:94:86:db:41:19:38:00:00:00:00:00:64
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

28/10/2015, 20:31

Not After

28/01/2017, 20:31

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

73:80:03:68:0d:8e:dc:1d:b4:0d:3e:e7:4c:4e:d1:ad:cc:85:7e:74:34:ea:cc:49:9f:97:5e:b4:02:52:a9:d6
Signer

Actual PE Digest

73:80:03:68:0d:8e:dc:1d:b4:0d:3e:e7:4c:4e:d1:ad:cc:85:7e:74:34:ea:cc:49:9f:97:5e:b4:02:52:a9:d6

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

16/03/2023, 15:36
Valid: false

2f:3e:8e:60:4b:6d:19:6f:98:35:f8:d2:5c:76:74:66:d7:0d:ce:a8
Signer

Actual PE Digest

2f:3e:8e:60:4b:6d:19:6f:98:35:f8:d2:5c:76:74:66:d7:0d:ce:a8

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

29/10/2016, 12:19
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

netapi32

NetApiBufferFree
NetWkstaGetInfo

pdh

PdhCollectQueryData
PdhCloseQuery
PdhAddCounterW
PdhOpenQueryW
PdhGetFormattedCounterValue

kernel32

Sleep
CreateEventA
LeaveCriticalSection
SetThreadPriority
GetLastError
EnterCriticalSection
CreateFileMappingW
SetConsoleCtrlHandler
OpenFileMappingW
SetThreadAffinityMask
LCMapStringW
HeapFree
GetProcessHeap
InitializeCriticalSection
GetProcAddress
FreeLibrary
SetEnvironmentVariableW
SetPriorityClass
GetCurrentThread
GetPriorityClass
GlobalMemoryStatusEx
IsProcessorFeaturePresent
GetModuleHandleW
SetProcessPriorityBoost
GetModuleHandleA
CreateEventW
CreateThread
GetComputerNameW
GetTickCount
GetSystemTimeAsFileTime
SetEvent
WaitForSingleObject
SetErrorMode
MapViewOfFile
GetThreadTimes
CloseHandle
CreateToolhelp32Snapshot
WideCharToMultiByte
Process32NextW
OpenThread
Process32FirstW
Thread32Next
Thread32First
OpenProcess
K32GetProcessMemoryInfo
UnhandledExceptionFilter
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
TlsGetValue
ReleaseMutex
SetHandleInformation
CreateMutexW
VirtualFree
LoadLibraryExA
GetModuleFileNameW
DecodePointer
EncodePointer
Module32NextW
QueryInformationJobObject
IsProcessInJob
GetLocalTime
QueryPerformanceCounter
lstrlenW
HeapReAlloc
GetEnvironmentVariableW
ExpandEnvironmentStringsW
DebugBreak
SetLastError
MultiByteToWideChar
CompareStringW
GetFileAttributesW
HeapDestroy
GetPrivateProfileStringW
GetExitCodeProcess
CreateProcessW
GetStartupInfoW
GetCurrentProcessId
GetThreadPriority
GetCurrentThreadId
ReadProcessMemory
VirtualQuery
GetSystemInfo
LoadLibraryW
HeapAlloc
HeapCreate
RaiseException

advapi32

RegCloseKey
RegQueryValueExW
RegSetValueExA
RegQueryValueExA
RegOpenKeyW
RegEnumValueW
SetServiceStatus
SetServiceBits
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherW
RegOpenKeyExW

ole32

CoInitializeEx
CoInitializeSecurity

sqlos

IsHardwareSupported

sqlmin

ord289
ord290
ord291
ord1535
ord623
ord1477
ord1476
ord1093
ord1119
ord1118
ord1635
ord735
GetSqlServerGlobals
ord1764
ord1762
ord1296
ord1410
ord529
ord411
ord316
ord1870
ord555
ord1888
ord1252
ord1246
ord1234
ord1228
ord1556
ord1758
ord1912
ord1910
ord1913
ord1909
ord1914
ord1915
ord1347
ord1911
ord699
ord976
ord1537
ord1128
ord1881
ord1464
ord1352
ord1171
ord807
ord1261
ord1539
ord703
ord1706
ord547
ord1639
ord227
ord1638
ord1701
ord1240
GetXdbServerGlobals
ord794
ord1188
ord1250
ord705
ord1640
ord1916
ord1243
ord536
ord1653
ord1668
ord861
ord1832
ord1239
ord1360
ord844
ord1361
ord725
ord869
ord1928
ord978
ord1266
ord774
ord1707
ord1763
ord1016
ord608
ord1656
ord1073
ord1721
ord1131
ord1866
ord1865
ord960
ord1864
ord773
ord606
ord637
ord1292
ord288

sqllang

ord1237
ord1510
ord1509
ord1502
ord1501
ord1188
ord1503
ord309
ord993
ord483
ord1235
ord274
ord1470
ord311
ord1222
ord1446
ord1012
ord926
ord945
ord214
ord1453
ord1454
ord1455
ord372
ord1385
ord1468
ord1348
ord1388
ord1387
ord499
ord1236
ord915
ord916
ord954
ord1461
ord736
ord1189
ord1499
ord245
ord244
ord1386
ord1009
ord376
ord403
ord967
ord1329
ord962
ord589
ord266
ord937
ord936
ord454
ord1039
ord361
ord1239
ord927
ord412
ord1013
ord1306
ord1310
ord903
ord1305
ord1327
ord1240
ord907
ord333
ord222
ord657
ord331
ord1375
ord620
ord968
ord871
ord1349
ord1353
ord1494
ord1352
ord1051
ord621
ord1495
ord963
ord965
ord946
ord1238
ord980
ord415
ord1497
ord1471
ord547
ord1496
ord1469
ord728

sqltses

ord268
ord484
ord360
ord373
ord306
ord466
ord688
ord541
ord540
ord543

sqldk

ord1112
ord825
ord415
ord1128
ord1075
ord808
ord1051
ord1049
ord1048
ord1042
ord1039
ord813
ord1030
ord8
ord1020
ord1145
ord1011
ord561
ord345
ord642
ord513
ord634
ord991
ord775
ord948
ord268
ord524
ord398
ord120
ord67
ord549
ord290
ord404
ord926
ord220
ord1037
ord852
ord275
ord446
ord414
ord782
ord950
ord699
ord702
ord855
ord110
ord52
ord910
ord12
ord519
ord740
ord492
ord851
ord1021
ord790
ord1012
ord701
ord854
ord776
ord645
ord685
ord11
ord68
ord121
ord75
ord94
ord877
ord388
ord441
ord898
ord253
ord482
ord494
ord583
ord711
ord916
ord888
ord875
ord71
ord899
ord973
ord968
ord457
ord895
ord179
ord172
ord878
ord238
ord619
ord700
ord601
ord223
ord499
ord614
ord650
ord15
ord607
ord435
ord1046
ord643
ord911
ord529
ord486
ord487
ord528
ord511
ord537
ord913
ord914
ord461
ord462
ord456
ord563
ord799
ord1007
ord1045
ord308
ord656
ord221
ord780
ord1044
ord493
ord698
ord708
ord296
ord477
ord252
ord254
ord960
ord705
ord506
ord349
ord704
ord992
ord993
ord57
ord792
ord1129
ord1101
ord1122
ord1073
ord1053
ord1139
ord1118
ord865
ord806
ord1071
ord828
ord824
ord1086
ord1066
ord1065
ord1143
ord1116
ord835
ord807
ord1059
ord820
ord811
ord1115
ord797
ord1136
ord1097
ord1102
ord1092
ord836
ord1107
ord829
ord1098
ord1091
ord584
ord1055
ord1111
ord815
ord1064
ord823
ord1070
ord1078
ord1061
ord1079
ord822
ord803
ord662
ord1137
ord1093
ord837
ord805
ord798
ord1110
ord843
ord1083
ord814
ord1108
ord1089
ord842
ord848
ord1119
ord1090
ord1130
ord832
ord1072
ord817
ord1109
ord846
ord818
ord834
ord1103
ord1054
ord809
ord1138
ord1120
ord1094
ord821
ord1074

opends60

ord114

qds

?Init@CFeatureSwitchesQds@@SAXXZ
InitXeForQds
?ExportCurrentInstance@CFeatureSwitchesQds@@SAPEBV1@XZ

msvcp120

?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
?_Syserror_map@std@@YAPEBDH@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Winerror_map@std@@YAPEBDH@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ

msvcr120

_amsg_exit
_XcptFilter
?terminate@@YAXXZ
_onexit
__C_specific_handler
__dllonexit
_calloc_crt
_unlock
_lock
_wtof
_errno
iswcntrl
iswspace
_swscanf_s_l
_wmakepath_s
_wtoi64
_wtol
_wtoi
_wcslwr_l
__iob_func
fflush
vwprintf
_vsnwprintf
_wcstol_l
_strtol_l
free
malloc
wcsstr
wcsncpy_s
_snwprintf_l
_wcsicmp_l
wcsrchr
_statusfp
_clearfp
_fpreset
_controlfp
wcschr
_wcsupr_l
_wprintf_l
wcscpy_s
_vsnprintf_l
wcsncmp
_wsplitpath_s
_kbhit
_getwche
_cputs
_beginthreadex
_endthreadex
_resetstkoflw
_endthread
_flushall
_getwch
_vsnwprintf_l
memmove
__wgetmainargs
__set_app_type
exit
_exit
_cexit
_configthreadlocale
__setusermatherr
_initterm_e
_initterm
__winitenv
_fmode
_commode
?_type_info_dtor_internal_method@type_info@@QEAAXXZ
__crtSetUnhandledExceptionFilter
_CxxThrowException
__CxxFrameHandler3
memcpy
memset

Exports

Exports

?SQLExit@@YAXK@Z
DmpGetClientExport
DmpRemoteDumpRequest
GetIMallocForMsxmlSQL
GetIUMSForMsxml
TlsGetValueForMsxmlSQL
TlsSetValueForMsxmlSQL
______SQL______Process______Available

Sections

.text
Size: 131KB - Virtual size: 131KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 64KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 160KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

AssertDa
Size: 512B - Virtual size: 475B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d0399b1e19588e1cfe01971a1925a948

Code Sign

33:00:00:00:c5:96:40:60:4b:f4:de:ae:2e:00:00:00:00:00:c5Certificate

Extended Key Usages

33:00:00:01:40:96:a9:ee:70:56:fe:cc:07:00:01:00:00:01:40Certificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

33:00:00:00:64:47:84:94:86:db:41:19:38:00:00:00:00:00:64Certificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

73:80:03:68:0d:8e:dc:1d:b4:0d:3e:e7:4c:4e:d1:ad:cc:85:7e:74:34:ea:cc:49:9f:97:5e:b4:02:52:a9:d6Signer

Signature Validations

Verification

16/03/2023, 15:36 Valid: false

2f:3e:8e:60:4b:6d:19:6f:98:35:f8:d2:5c:76:74:66:d7:0d:ce:a8Signer

Signature Validations

Verification

29/10/2016, 12:19 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

netapi32

pdh

kernel32

advapi32

ole32

sqlos

sqlmin

sqllang

sqltses

sqldk

opends60

qds

msvcp120

msvcr120

Exports

Exports

Sections

.text Size: 131KB - Virtual size: 131KB

.rdata Size: 64KB - Virtual size: 64KB

.data Size: 160KB - Virtual size: 191KB

.pdata Size: 6KB - Virtual size: 6KB

AssertDa Size: 512B - Virtual size: 475B

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 1KB - Virtual size: 1KB

33:00:00:00:c5:96:40:60:4b:f4:de:ae:2e:00:00:00:00:00:c5
Certificate

33:00:00:01:40:96:a9:ee:70:56:fe:cc:07:00:01:00:00:01:40
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:00:64:47:84:94:86:db:41:19:38:00:00:00:00:00:64
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

73:80:03:68:0d:8e:dc:1d:b4:0d:3e:e7:4c:4e:d1:ad:cc:85:7e:74:34:ea:cc:49:9f:97:5e:b4:02:52:a9:d6
Signer

16/03/2023, 15:36
Valid: false

2f:3e:8e:60:4b:6d:19:6f:98:35:f8:d2:5c:76:74:66:d7:0d:ce:a8
Signer

29/10/2016, 12:19
Valid: false

.text
Size: 131KB - Virtual size: 131KB

.rdata
Size: 64KB - Virtual size: 64KB

.data
Size: 160KB - Virtual size: 191KB

.pdata
Size: 6KB - Virtual size: 6KB

AssertDa
Size: 512B - Virtual size: 475B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 1KB - Virtual size: 1KB