Behavioral task
behavioral1
Sample
3647bace25f94430a534aba8aba08a731571ab2ab22f95ac209096e2c32ef81c.exe
Resource
win7-20230220-en
General
-
Target
58d02ed4bc010363facf162ac2976905.bin
-
Size
51KB
-
MD5
d8b77d90ce14c8970687cdb5ceef6244
-
SHA1
95603a85d79441ad07d29f074e82cde855d04b91
-
SHA256
56ebf05567c76a58d9556cf1f535ea7dd8d9fc3870ae47215739d9678ab6a872
-
SHA512
90401b19ae77b523b1127bdf5b0c6a2bab57354802dd3e3e57096ff8d98e09f3bfca5c2d451fc059cd79bb096fbe2fac3a51383c761ce823fd1241d0322310c5
-
SSDEEP
1536:uEflG7P3NI1bxRi0LikysrhjNY00Ygzrg:N9+Ej3jysrhjKVYgz0
Malware Config
Extracted
netwire
majika.gotdns.ch:1120
nik.pointto.us:1120
nikouh.pointto.us:1120
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
naza
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
true
-
mutex
CVkJEjPx
-
offline_keylogger
true
-
password
vodka
-
registry_autorun
false
-
use_mutex
true
Signatures
Files
-
58d02ed4bc010363facf162ac2976905.bin.zip
Password: infected
-
3647bace25f94430a534aba8aba08a731571ab2ab22f95ac209096e2c32ef81c.exe.exe windows x86
Password: infected
4e6ba17721530f6e9a509b1380c99995
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
Imports
advapi32
CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptReleaseContext
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
crypt32
CryptUnprotectData
gdi32
BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
DeleteObject
GetDIBits
SelectObject
kernel32
CloseHandle
CreateDirectoryA
CreateFileA
CreateMutexA
CreatePipe
CreateProcessA
CreateToolhelp32Snapshot
DeleteFileA
EnterCriticalSection
ExitProcess
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetComputerNameA
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceExA
GetDriveTypeA
GetFileAttributesA
GetFileAttributesExA
GetLastError
GetLocalTime
GetLogicalDriveStringsA
GetModuleFileNameA
GetProcAddress
GetProcessTimes
GetStartupInfoA
GetSystemInfo
GetSystemTime
GetTickCount
GetVersionExA
GetVolumeInformationA
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
LocalFree
MoveFileA
OpenProcess
PeekNamedPipe
Process32First
Process32Next
ReadFile
ReleaseMutex
ResumeThread
SetErrorMode
SetFileAttributesA
SetFilePointer
Sleep
TerminateProcess
WideCharToMultiByte
WriteFile
msvcrt
_beginthreadex
_filelengthi64
_vscprintf
_vsnprintf
calloc
fclose
fflush
fgetpos
fgets
fopen
fread
free
fsetpos
fwrite
getenv
malloc
memcpy
memset
printf
realloc
sprintf
strcat
strchr
strcmp
strcpy
strlen
netapi32
NetApiBufferFree
NetWkstaGetInfo
shell32
SHFileOperationA
user32
CreateWindowExA
DefWindowProcA
DispatchMessageA
EnumWindows
GetDC
GetDesktopWindow
GetForegroundWindow
GetKeyNameTextA
GetKeyState
GetKeyboardState
GetMessageA
GetSystemMetrics
GetWindowTextA
IsWindowVisible
MapVirtualKeyA
PostQuitMessage
RegisterClassExA
ReleaseDC
SendMessageA
SetCursorPos
SetWindowTextA
ShowWindow
ToAscii
TranslateMessage
keybd_event
mouse_event
ws2_32
WSACleanup
WSAGetLastError
WSAIoctl
WSAStartup
__WSAFDIsSet
closesocket
connect
gethostbyname
gethostname
htons
inet_ntoa
ioctlsocket
ntohs
recv
select
send
setsockopt
shutdown
socket
Sections
.text Size: 113KB - Virtual size: 112KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 9KB - Virtual size: 9KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.bss Size: - Virtual size: 25KB
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.edata Size: 512B - Virtual size: 49B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.idata Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ