Yellow[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Yellow.exe
Size

3.9MB
MD5

66ebb16d0a73a1ebe1daf07779147d27
SHA1

63873b6c38c16f5de55081161994f2518b5ed77f
SHA256

b730fa8b5829701fe6c828ced7b79d3c882ef872b77d94d37ba511d0a3ae6a8d
SHA512

73915c935e0294f0f494b9c0fd53ea924045adae400beb6dd84ae5ae51d07e068b1b3ac4ab2f3dedf0d15fc22281b022f864180442487598c6efac7f20862b10
SSDEEP

49152:63U+I/TdjRg3RikxsOj4A58ZuBBAcfnEQdjxpUFbMXu/2FTSpQNq9f3llnAcw97u:B/Dg3MkEQdjUBYC7DAZBIBN

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Yellow.exe

Files

Yellow.exe
.exe windows x64

b0f138b3518b7d35d190f478825445ea

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetFileInformationByHandle
GetModuleHandleA
GetCurrentThread
GetStdHandle
GetConsoleMode
WaitForSingleObject
WriteConsoleW
WaitForSingleObjectEx
CreateMutexA
ReleaseMutex
GetEnvironmentVariableW
RtlLookupFunctionEntry
GetModuleHandleW
FormatMessageW
GetTempPathW
GetModuleFileNameW
CreateFileW
UnhandledExceptionFilter
GetFullPathNameW
GlobalAlloc
FindNextFileW
CreateDirectoryW
FindFirstFileW
FindClose
MultiByteToWideChar
WideCharToMultiByte
GlobalSize
GlobalLock
GetEnvironmentStringsW
FreeEnvironmentStringsW
CompareStringOrdinal
GetSystemDirectoryW
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
DuplicateHandle
GetCurrentProcessId
CreateNamedPipeW
CreateThread
ReadFileEx
SleepEx
WriteFileEx
Sleep
ExitProcess
QueryPerformanceCounter
QueryPerformanceFrequency
GetSystemTimeAsFileTime
GetCurrentDirectoryW
RtlCaptureContext
AcquireSRWLockShared
ReleaseSRWLockShared
CopyFileExW
SleepConditionVariableSRW
SetHandleInformation
WakeConditionVariable
PostQueuedCompletionStatus
ReleaseSRWLockExclusive
SetFileCompletionNotificationModes
CreateIoCompletionPort
TryAcquireSRWLockExclusive
GetFinalPathNameByHandleW
SetLastError
GetQueuedCompletionStatusEx
SwitchToThread
GlobalUnlock
GlobalFree
GetProcessHeap
HeapAlloc
SetThreadStackGuarantee
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
SystemTimeToFileTime
GetTimeZoneInformation
RtlVirtualUnwind
FlushFileBuffers
GetTickCount
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
FreeLibrary
GetFileSize
LockFileEx
LocalFree
UnlockFile
HeapDestroy
HeapCompact
LoadLibraryW
DeleteFileW
DeleteFileA
CreateFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapSize
HeapValidate
UnmapViewOfFile
CreateMutexW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
WriteFile
HeapCreate
ReadFile
AreFileApisANSI
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
GetCurrentThreadId
AddVectoredExceptionHandler
GetCurrentProcess
GetProcAddress
LoadLibraryA
WakeAllConditionVariable
HeapReAlloc
GetSystemInfo
SetUnhandledExceptionFilter
TerminateProcess
SetFilePointerEx
GetLastError
IsProcessorFeaturePresent
InitializeSListHead
IsDebuggerPresent
CloseHandle
AcquireSRWLockExclusive
GetFileInformationByHandleEx
HeapFree

ws2_32

setsockopt
connect
WSASend
getaddrinfo
freeaddrinfo
WSAStartup
WSACleanup
getsockopt
WSAIoctl
recv
send
shutdown
getsockname
getpeername
WSASocketW
WSAGetLastError
accept
listen
bind
ioctlsocket
socket
closesocket

crypt32

CertOpenStore
CryptUnprotectData
CertDuplicateStore
CertVerifyCertificateChainPolicy
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateContext
CertDuplicateCertificateChain
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CertCloseStore
CertDuplicateCertificateContext

advapi32

AllocateAndInitializeSid
CheckTokenMembership
FreeSid
RegCreateKeyExA
RegSetValueExA
RegQueryValueExW
RegOpenKeyExW
SystemFunction036
RegCloseKey

bcrypt

BCryptGenRandom

user32

EmptyClipboard
CloseClipboard
SetClipboardData
OpenClipboard
EnumDisplaySettingsExW
EnumDisplayMonitors
GetMonitorInfoW
GetClipboardData

ntdll

NtCreateFile
NtCancelIoFileEx
NtDeviceIoControlFile
RtlNtStatusToDosError

secur32

DeleteSecurityContext
EncryptMessage
QueryContextAttributesW
FreeCredentialsHandle
AcceptSecurityContext
FreeContextBuffer
InitializeSecurityContextW
AcquireCredentialsHandleA
DecryptMessage
ApplyControlToken

oleaut32

SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayGetUBound
SafeArrayGetLBound
SysAllocStringLen
VariantClear
SysFreeString
SafeArrayDestroy

gdi32

DeleteDC
GetDeviceCaps
CreateDCW
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
SetStretchBltMode
StretchBlt
GetDIBits
GetObjectW
DeleteObject

ole32

CoSetProxyBlanket
CoCreateInstance
CoInitializeSecurity
CoInitializeEx

vcruntime140

strrchr
__CxxFrameHandler3
memcmp
memset
memcpy
__C_specific_handler
__current_exception
__current_exception_context
memmove

api-ms-win-crt-string-l1-1-0

strlen
strcmp
strncmp
strcspn

api-ms-win-crt-utility-l1-1-0

_rotl64
qsort

api-ms-win-crt-heap-l1-1-0

realloc
_msize
_set_new_mode
malloc
free

api-ms-win-crt-time-l1-1-0

_localtime64_s

api-ms-win-crt-math-l1-1-0

_dclass
__setusermatherr
log

api-ms-win-crt-runtime-l1-1-0

_endthreadex
_beginthreadex
__p___argc
__p___argv
_cexit
_exit
_c_exit
_register_thread_local_exe_atexit_callback
exit
_initterm_e
terminate
_configure_narrow_argv
_initialize_narrow_environment
_get_initial_narrow_environment
_set_app_type
_crt_atexit
_initterm
_register_onexit_function
_initialize_onexit_table
_seh_filter_exe

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 2.7MB - Virtual size: 2.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 64KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b0f138b3518b7d35d190f478825445ea

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

ws2_32

crypt32

advapi32

bcrypt

user32

ntdll

secur32

oleaut32

gdi32

ole32

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 2.7MB - Virtual size: 2.7MB

.rdata Size: 1.1MB - Virtual size: 1.1MB

.data Size: 24KB - Virtual size: 27KB

.pdata Size: 64KB - Virtual size: 64KB

.reloc Size: 26KB - Virtual size: 26KB

.text
Size: 2.7MB - Virtual size: 2.7MB

.rdata
Size: 1.1MB - Virtual size: 1.1MB

.data
Size: 24KB - Virtual size: 27KB

.pdata
Size: 64KB - Virtual size: 64KB

.reloc
Size: 26KB - Virtual size: 26KB