Update[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Update.exe
Size

373KB
MD5

d0a3adcbe30a1cdb0f3f368fc5135443
SHA1

a61db78ea87d862296f3caec2717bfc9497bb3a1
SHA256

98f4717fabdd7a03872192a490aebec049a29cebfaacbb2f0757d7c12865afba
SHA512

f2b67d6e37f5671a00b2c26f7968bcb3fa529c4335702e6155b940eba397394603ef736998892fcd208d9804d59a2a1cc04d8e4e7eb3a11bf9f12d2eae6a7302
SSDEEP

6144:HOEvWLNQjbkeyx1OjXoHVGYlI5nf5WxGd1Srg+F6qahw+7sAZ6:HOmW6j3y31FlIJ5c9FoPZ6

Score

1^/10

Malware Config

Signatures

Files

Update.exe
.exe windows x86

6bb8407dd9d11e11c95fef4f0314489a

Code Sign

7b:bb:c1:76:ca:4c:d0:88:46:42:6b:78:fa:2b:68:f1
Certificate

Issuer

CN=php中文网

Not Before

21/07/2017, 05:29

Not After

31/12/2039, 23:59

Subject

CN=php中文网

Extended Key Usages

ExtKeyUsageCodeSigning

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4c
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Not Before

08/08/2009, 01:00

Not After

08/08/2024, 01:00

Subject

CN=WoSign Time Stamping Signer,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

Signer

Actual PE Digest

Digest Algorithm

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mfc120u

ord3252
ord3253
ord3881
ord4104
ord8008
ord13724
ord8005
ord6258
ord13721
ord12804
ord6868
ord5437
ord8654
ord8657
ord13996
ord7702
ord5323
ord13328
ord8698
ord13990
ord14092
ord8226
ord4433
ord13403
ord13402
ord4349
ord2525
ord2535
ord12214
ord3259
ord1360
ord3558
ord3557
ord10011
ord3246
ord3580
ord4109
ord11972
ord11948
ord14124
ord3280
ord3279
ord8044
ord2163
ord8365
ord819
ord1348
ord7357
ord324
ord1049
ord4562
ord4560
ord4563
ord4839
ord362
ord1065
ord13404
ord5787
ord500
ord1139
ord971
ord13118
ord12514
ord1445
ord6462
ord4434
ord8636
ord10793
ord2214
ord280
ord1684
ord11837
ord2243
ord4047
ord12818
ord7825
ord1992
ord11858
ord11857
ord14326
ord12402
ord7884
ord14526
ord6251
ord14528
ord6253
ord14527
ord6252
ord992
ord6758
ord3809
ord5821
ord12114
ord8099
ord12126
ord12094
ord2230
ord2303
ord5667
ord5864
ord10131
ord6398
ord2348
ord1509
ord1507
ord4672
ord1141
ord503
ord2173
ord10919
ord3654
ord1386
ord887
ord13153
ord2341
ord2262
ord7382
ord12006
ord832
ord13612
ord2718
ord9091
ord12047
ord1108
ord8921
ord10896
ord11271
ord10353
ord4442
ord4049
ord458
ord3361
ord3362
ord3122
ord6434
ord1471
ord9020
ord2708
ord14094
ord13991
ord13997
ord8658
ord6763
ord6713
ord3839
ord2480
ord6469
ord4772
ord12792
ord1520
ord1518
ord1042
ord290
ord286
ord296
ord1658
ord2347
ord2343
ord266
ord265
ord1506
ord9007
ord1063
ord4176
ord3103
ord6393
ord6032
ord7543
ord6123
ord13616
ord3263
ord3260
ord10136
ord8092
ord2719
ord10166
ord10168
ord10167
ord10165
ord10169
ord5557
ord11600
ord11601
ord11964
ord3795
ord3790
ord11811
ord14447
ord8846
ord12095
ord6875
ord10883
ord9137
ord3224
ord13738
ord12134
ord12132
ord1711
ord1723
ord1731
ord1727
ord1736
ord4879
ord4920
ord4887
ord4899
ord4895
ord4891
ord4928
ord4916
ord4883
ord4932
ord4905
ord4867
ord4874
ord4909
ord4459
ord5693
ord9574
ord4451
ord3013
ord14449
ord7807
ord14455
ord6774
ord8227
ord11592
ord12899
ord2823
ord8699
ord13563
ord5838
ord2640
ord11999
ord3898
ord3329
ord3330
ord3223
ord12043
ord2265
ord8352
ord7542
ord1467
ord8268
ord12122
ord10314
ord12799
ord12736
ord4546
ord7881
ord8206
ord5262
ord2444
ord12413
ord12412
ord14448
ord7806
ord14454
ord6121
ord9279
ord4843
ord999
ord8655
ord5157
ord5454
ord5664
ord9231
ord5430
ord5160
ord5316
ord5137
ord7609
ord7610
ord7600
ord5314
ord8101
ord9090
ord4838
ord2204
ord3581
ord1508
ord2367

msvcr120

__crtSetUnhandledExceptionFilter
_invoke_watson
_controlfp_s
__dllonexit
_calloc_crt
_unlock
??1type_info@@UAE@XZ
_commode
_fmode
_wcmdln
_initterm
_initterm_e
__setusermatherr
_configthreadlocale
_cexit
_except_handler4_common
exit
__CxxFrameHandler3
__set_app_type
__wgetmainargs
_amsg_exit
__crtGetShowWindowMode
_XcptFilter
wcsrchr
atol
_snprintf
wcslen
strstr
memmove
malloc
?terminate@@YAXXZ
_except1
__crtTerminateProcess
__crtUnhandledException
_crt_debugger_hook
_exit
_onexit
labs
memcpy_s
_CxxThrowException
_recalloc
free
calloc
_snwprintf
strlen
memset
memcpy
memcmp
_purecall
_lock

kernel32

FreeResource
LockResource
DecodePointer
LoadLibraryW
OutputDebugStringW
GetProcAddress
FreeLibrary
CompareStringW
GetModuleFileNameW
GetPrivateProfileIntW
GetPrivateProfileStringW
MoveFileWithProgressW
MoveFileW
DeleteFileW
WideCharToMultiByte
lstrlenA
lstrcpynW
GetTickCount
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
InterlockedExchange
MultiByteToWideChar
EncodePointer
IsDebuggerPresent
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
lstrlenW
lstrcmpW
GetLastError
WritePrivateProfileStringW
FindResourceW
SizeofResource
LoadResource

user32

RedrawWindow
GetWindowRect
SendMessageW
IsIconic
GetSystemMetrics
DrawIcon
LoadIconW
GetDesktopWindow
DefWindowProcW
BringWindowToTop
SetActiveWindow
SetForegroundWindow
FindWindowW
SetWindowRgn
MoveWindow
GetDlgCtrlID
BeginPaint
EndPaint
AdjustWindowRectEx
ClientToScreen
GetWindow
UpdateLayeredWindow
IsRectEmpty
EnumChildWindows
IsZoomed
SetRect
SetTimer
GetParent
PostMessageW
GetClientRect
InvalidateRect
LoadCursorW
EnableWindow

gdi32

DeleteObject
SelectObject
CreateDIBSection
GetObjectW
CreateFontW
DeleteDC
GetTextMetricsA
CombineRgn
CreateRectRgn
GetCurrentObject
CreateCompatibleDC
GetTextExtentPointA
CreateRoundRectRgn
BitBlt

shell32

ShellExecuteW
SHCreateDirectoryExW

comctl32

_TrackMouseEvent
ord17

ole32

CreateStreamOnHGlobal

oleaut32

VariantInit
SysAllocString

wininet

InternetCanonicalizeUrlW
InternetCrackUrlW

gdiplus

GdipSetImageAttributesColorMatrix
GdipDisposeImageAttributes
GdipCreateImageAttributes
GdipLoadImageFromFileICM
GdipLoadImageFromFile
GdiplusStartup
GdiplusShutdown
GdipDrawImageRectRectI
GdipReleaseDC
GdipDeleteGraphics
GdipCreateFromHDC
GdipGetImageHeight
GdipGetImageWidth
GdipDisposeImage
GdipCloneImage
GdipLoadImageFromStreamICM
GdipLoadImageFromStream
GdipFree
GdipAlloc
GdipDrawImageRectRect

msvcp120

?_Syserror_map@std@@YAPBDH@Z
??0id@locale@std@@QAE@I@Z
?_Xout_of_range@std@@YAXPBD@Z
?_Xlength_error@std@@YAXPBD@Z
?_Xbad_alloc@std@@YAXXZ
?_Winerror_map@std@@YAPBDH@Z

ws2_32

closesocket
connect
htons
inet_addr
recv
send
socket
gethostbyname
WSASetLastError
WSAGetLastError
WSAAsyncSelect
WSAStartup
WSACleanup

Sections

.text
Size: 94KB - Virtual size: 94KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 229KB - Virtual size: 229KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6bb8407dd9d11e11c95fef4f0314489a

Code Sign

7b:bb:c1:76:ca:4c:d0:88:46:42:6b:78:fa:2b:68:f1Certificate

Extended Key Usages

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4cCertificate

Extended Key Usages

Key Usages

Signer

Headers

DLL Characteristics

File Characteristics

Imports

mfc120u

msvcr120

kernel32

user32

gdi32

shell32

comctl32

ole32

oleaut32

wininet

gdiplus

msvcp120

ws2_32

Sections

.text Size: 94KB - Virtual size: 94KB

.rdata Size: 31KB - Virtual size: 31KB

.data Size: 6KB - Virtual size: 7KB

.rsrc Size: 229KB - Virtual size: 229KB

.reloc Size: 7KB - Virtual size: 7KB

7b:bb:c1:76:ca:4c:d0:88:46:42:6b:78:fa:2b:68:f1
Certificate

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4c
Certificate

.text
Size: 94KB - Virtual size: 94KB

.rdata
Size: 31KB - Virtual size: 31KB

.data
Size: 6KB - Virtual size: 7KB

.rsrc
Size: 229KB - Virtual size: 229KB

.reloc
Size: 7KB - Virtual size: 7KB