ygfdt[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

ygfdt.exe
Size

231KB
MD5

17e40315660830aa625483bbf608730c
SHA1

c8f5825499315eaf4b5046ff79ac9553e71ad1c0
SHA256

f11009988b813821857c8d2db0f88e1d45b20762f62a3cf432339f352b12cefe
SHA512

0a3468dcff23ccb2458a8241388b7092d0711a4ebb491d5d8141cc352db8008fc6afc9af1e668104ac657fb4b3651ebcfdf1575557ff918d0f0905cd88c59e85
SSDEEP

3072:SjLkDn5/8z/slvgqGn+jALebLNyZAQ6Yvk5j2vo0C5wX4HkJ:SkDn98zkeWALevNyQxlT0fX4H0

Score

1^/10

Malware Config

Signatures

Files

ygfdt.exe
.exe windows x86

c2e6bbcf8c043d17c74c1e20d80c9247

Code Sign

33:00:00:00:f3:67:3d:83:61:98:0f:1c:a6:00:00:00:00:00:f3
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/08/2018, 20:19

Not After

23/11/2019, 20:19

Subject

CN=Microsoft Time-Stamp Service,OU=Microsoft America Operations+OU=Thales TSS ESN:F6FF-2DA7-BB75,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:b1:dd:ed:ba:54:e9:65:b8:5f:00:01:00:00:01:b1
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/07/2018, 20:11

Not After

26/07/2019, 20:11

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d7:45:8d:65:15:ca:65:93:0d:44:38:28:58:e0:02:5b:99:e6:58:7f
Signer

Actual PE Digest

d7:45:8d:65:15:ca:65:93:0d:44:38:28:58:e0:02:5b:99:e6:58:7f

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

24/10/2018, 03:03
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

RegOpenKeyExW
RegDeleteValueW
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegQueryValueExW
CryptGenRandom
CryptAcquireContextW
CheckTokenMembership
FreeSid
AllocateAndInitializeSid
RegQueryValueExA
GetTokenInformation
OpenProcessToken
RegEnumValueW
RegEnumKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
CryptReleaseContext

kernel32

FlushFileBuffers
CreateFileA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
CloseHandle
GetVersionExW
GetStringTypeW
GetStringTypeA
LCMapStringW
LCMapStringA
GetLocaleInfoA
GetConsoleMode
GetConsoleCP
RtlUnwind
InitializeCriticalSection
LoadLibraryA
HeapReAlloc
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
GetCurrentProcessId
QueryPerformanceCounter
VirtualFree
HeapCreate
HeapDestroy
GetFileType
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetCurrentProcess
GetModuleHandleW
FreeLibrary
InterlockedDecrement
InterlockedIncrement
GetProcAddress
InterlockedCompareExchange
LoadLibraryW
LocalFree
GetCommandLineW
GetLastError
GetModuleFileNameW
CreateProcessW
GetTickCount
HeapAlloc
GetProcessHeap
HeapFree
DuplicateHandle
DeleteCriticalSection
EnterCriticalSection
TryEnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
CreateThread
WaitForMultipleObjectsEx
WideCharToMultiByte
MultiByteToWideChar
GetUserDefaultUILanguage
GetLocaleInfoW
CreateEventW
SetEvent
WaitForMultipleObjects
WriteFile
CreateFileW
GetFileSize
ReadFile
SetFilePointer
RemoveDirectoryW
DeleteFileW
GetEnvironmentVariableW
FreeResource
FindResourceExW
FindResourceW
LoadResource
GlobalLock
GlobalAlloc
SizeofResource
GlobalUnlock
RaiseException
InterlockedExchange
GlobalFree
LockResource
GetSystemDefaultLCID
GetSystemTimeAsFileTime
DosDateTimeToFileTime
SetEndOfFile
GetFileAttributesExW
CreateDirectoryW
GetCommandLineA
GetVersionExA
GetStartupInfoA
VirtualProtect
VirtualAlloc
GetModuleHandleA
GetSystemInfo
VirtualQuery
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
Sleep
HeapSize
ExitProcess
GetStdHandle
GetModuleFileNameA
LocalAlloc

gdi32

GetObjectW
CreateFontIndirectW
DeleteObject
DeleteDC
CreateCompatibleDC
CreateDIBSection
CreateSolidBrush
SelectObject
SetStretchBltMode
StretchBlt
GetStockObject
SetDIBColorTable

msimg32

GradientFill

shlwapi

SHDeleteKeyW
PathAppendW
SHGetValueW
PathRemoveFileSpecW
PathCombineW
PathFileExistsW

shell32

SHFileOperationW
CommandLineToArgvW
ShellExecuteW
ShellExecuteExW
SHGetFolderPathW

comctl32

ord17
PropertySheetW
InitCommonControlsEx

user32

DialogBoxParamW
GetWindowLongW
EndDialog
HideCaret
ReleaseDC
LoadIconW
GetDlgItem
EnableWindow
PostQuitMessage
SetWindowTextW
GetWindowRect
MapWindowPoints
InvalidateRect
GetDC
ShowWindow
BeginPaint
EndPaint
IsDlgButtonChecked
IsWindowEnabled
GetMonitorInfoW
SetWindowPos
PostMessageW
LoadStringW
GetParent
FillRect
GetSysColor
MonitorFromWindow
SystemParametersInfoW
MsgWaitForMultipleObjects
DestroyWindow
SetWindowLongW
SendMessageW

ole32

CoInitializeEx
CreateStreamOnHGlobal
CoCreateInstance
CoTaskMemAlloc
CoTaskMemFree
CoUninitialize
CoInitialize

oleaut32

SysAllocString
SysAllocStringLen
VariantClear
VarBstrCmp
SysFreeString
VariantInit

Sections

.text
Size: 203KB - Virtual size: 202KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c2e6bbcf8c043d17c74c1e20d80c9247

Code Sign

33:00:00:00:f3:67:3d:83:61:98:0f:1c:a6:00:00:00:00:00:f3Certificate

Extended Key Usages

33:00:00:01:b1:dd:ed:ba:54:e9:65:b8:5f:00:01:00:00:01:b1Certificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

d7:45:8d:65:15:ca:65:93:0d:44:38:28:58:e0:02:5b:99:e6:58:7fSigner

Signature Validations

Verification

24/10/2018, 03:03 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

gdi32

msimg32

shlwapi

shell32

comctl32

user32

ole32

oleaut32

Sections

.text Size: 203KB - Virtual size: 202KB

.data Size: 5KB - Virtual size: 13KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 14KB - Virtual size: 13KB

33:00:00:00:f3:67:3d:83:61:98:0f:1c:a6:00:00:00:00:00:f3
Certificate

33:00:00:01:b1:dd:ed:ba:54:e9:65:b8:5f:00:01:00:00:01:b1
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

d7:45:8d:65:15:ca:65:93:0d:44:38:28:58:e0:02:5b:99:e6:58:7f
Signer

24/10/2018, 03:03
Valid: false

.text
Size: 203KB - Virtual size: 202KB

.data
Size: 5KB - Virtual size: 13KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 14KB - Virtual size: 13KB