Toolbar[.]exe | Triage

Resubmissions

20/04/2023, 13:14

230420-qgp73saa79 1

05/04/2023, 12:05

230405-n9axraee59 1

Sharing

Copy URL Twitter E-mail

General

Target

Toolbar.exe
Size

3.3MB
MD5

813eb60a3f2e3587deaf57e8693d9b7c
SHA1

b761f6a793deed25ed47ffa20fdb18c0f38b95e3
SHA256

0fd523732aef47be98d3b588a5993f64a4e7e14cb4c94d46be477a0813d7fac6
SHA512

0f108aed4fb9b464e9606e25040acad0800c657e3ceae8e985a133a997cd9cf65ae781fe6343f2fea4dc3bf0c3f74fcf24347b326eee6c415ff3e3db629725ef
SSDEEP

49152:JUROVbT7fkbVCs/2cex8CfdVY36EfrTzcZweOCPySER2UXUJ9dMGNnAwbr/CHo9Y:JBVDfjDYKEgZD6SRUERMGNAl7hHk2

Score

1^/10

Malware Config

Signatures

Files

Toolbar.exe
.exe windows x86

3cbdd98c6525d44f6005a58fa0889697

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

28:6f:8a:30:e2:ea:c6:96:5b:93:6f:82:6a:05:30:5d
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

17/06/2008, 00:00

Not After

17/06/2011, 23:59

Subject

CN=Ask.com,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Distribution,O=Ask.com,L=Oakland,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

38:0a:36:0f:28:3e:e8:d6:7d:ef:b7:5c:36:84:e5:ed:ec:e0:ff:bd
Signer

Actual PE Digest

38:0a:36:0f:28:3e:e8:d6:7d:ef:b7:5c:36:84:e5:ed:ec:e0:ff:bd

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Ask.com,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Distribution,O=Ask.com,L=Oakland,ST=California,C=US

17/05/2011, 20:32
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

shlwapi

PathFileExistsW
StrStrIW
StrCmpNIW
SHDeleteValueW

msi

ord159
ord92
ord8
ord205
ord113
ord163
ord160
ord20
ord32
ord118
ord125
ord70

kernel32

SetEndOfFile
GetLocaleInfoW
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
GetCommandLineW
FileTimeToDosDateTime
GetTempFileNameW
lstrlenA
FindResourceW
LoadResource
WaitForSingleObject
GetTickCount
WriteFile
WideCharToMultiByte
SizeofResource
GetExitCodeProcess
CreateFileW
MultiByteToWideChar
lstrlenW
GetTempPathW
FindFirstFileA
FindClose
GetLocalTime
lstrcmpiW
lstrcatW
CloseHandle
FileTimeToLocalFileTime
GetProcessHeap
LocalFree
lstrcpyW
CreateFileA
SetFilePointer
ReadFile
GetLastError
GetVersionExW
CreateDirectoryW
GetPrivateProfileStringW
GetFileTime
InterlockedDecrement
GetSystemDefaultLangID
FreeLibrary
GetCurrentProcess
GetModuleHandleW
LoadLibraryW
GetProcAddress
GetSystemInfo
SetStdHandle
LoadLibraryA
InitializeCriticalSectionAndSpinCount
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
HeapCreate
VirtualFree
DeleteFileW
TlsAlloc
TlsGetValue
IsValidCodePage
GetOEMCP
GetModuleHandleA
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
HeapSize
GetACP
GetStringTypeW
LCMapStringA
LCMapStringW
RtlUnwind
GetCurrentProcessId
QueryPerformanceCounter
RaiseException
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameW
GetStringTypeA
FlushFileBuffers
GetConsoleMode
GetConsoleCP
GetStartupInfoA
GetFileType
SetHandleCount
GetModuleFileNameA
GetStdHandle
ExitProcess
HeapReAlloc
VirtualAlloc
GetStartupInfoW
GetCPInfo
GetSystemTimeAsFileTime
InterlockedIncrement
InterlockedCompareExchange
InterlockedExchange
Sleep
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapFree
HeapAlloc
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent

user32

GetSystemMetrics

advapi32

RegEnumKeyExW
RegDeleteKeyW
RegDeleteValueW
RegSetValueExW
RegCloseKey
RegOpenKeyExW
RegEnumValueW
RegQueryInfoKeyW
RegQueryValueExW

shell32

ShellExecuteExW
CommandLineToArgvW
SHGetFolderPathW

ole32

CoCreateInstance
OleInitialize
OleUninitialize
CoUninitialize
CoInitialize

oleaut32

SysAllocString
VariantInit
SysFreeString

wininet

InternetSetOptionW
HttpSendRequestW
HttpSendRequestExW
InternetCanonicalizeUrlW
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestW
HttpQueryInfoW
InternetConnectW
InternetCrackUrlW
InternetOpenW
HttpEndRequestW
InternetCloseHandle
InternetReadFile

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

rpcrt4

UuidToStringW
RpcStringFreeW
UuidCreate

Sections

.text
Size: 201KB - Virtual size: 201KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 60KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3.0MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

3cbdd98c6525d44f6005a58fa0889697

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

28:6f:8a:30:e2:ea:c6:96:5b:93:6f:82:6a:05:30:5dCertificate

Extended Key Usages

Key Usages

38:0a:36:0f:28:3e:e8:d6:7d:ef:b7:5c:36:84:e5:ed:ec:e0:ff:bdSigner

Signature Validations

Verification

17/05/2011, 20:32 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

shlwapi

msi

kernel32

user32

advapi32

shell32

ole32

oleaut32

wininet

version

rpcrt4

Sections

.text Size: 201KB - Virtual size: 201KB

.rdata Size: 60KB - Virtual size: 60KB

.data Size: 7KB - Virtual size: 14KB

.rsrc Size: 3.0MB - Virtual size: 3.0MB

.reloc Size: 21KB - Virtual size: 20KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

28:6f:8a:30:e2:ea:c6:96:5b:93:6f:82:6a:05:30:5d
Certificate

38:0a:36:0f:28:3e:e8:d6:7d:ef:b7:5c:36:84:e5:ed:ec:e0:ff:bd
Signer

17/05/2011, 20:32
Valid: false

.text
Size: 201KB - Virtual size: 201KB

.rdata
Size: 60KB - Virtual size: 60KB

.data
Size: 7KB - Virtual size: 14KB

.rsrc
Size: 3.0MB - Virtual size: 3.0MB

.reloc
Size: 21KB - Virtual size: 20KB