Sample
yara64.exe
Resource
win10v2004-20230220-en
General
-
Target
yara64.exe
-
Size
2.3MB
-
MD5
8f06345ada1da438a91ca3afcb4a04cc
-
SHA1
a6da4b63137a83b5b86b26af0eac3b205299423e
-
SHA256
fe05de7f5916f589e1ba86a75282b3ccfbce1f543febabbe802a25e66dcd6b4a
-
SHA512
ab4de06c05b44cb077685e81d7ab0584f0849f06751dccaf5fde3f0714a54d634c13b9f8e3d8e2f8fd4e57037b63b4af5696766e347947252699672632a5652b
-
SSDEEP
49152:ROjPW3JTKuk2o7IU6itIpbeYGmq8I4w3qlTCO2ZXzOh5PQ2mdZJiPOHwDf:y0+Kpb1RI48qWJJJH
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Flags a PE file that carries no Authenticode signature.
resource yara64.exe
Files
-
yara64.exe.exe windows x64
9ace0f62c9d3d5c347e279a54c80e661
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
kernel32
HeapReAlloc
HeapFree
QueryPerformanceCounter
QueryPerformanceFrequency
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetCurrentProcess
OpenProcess
GetSystemInfo
VirtualQueryEx
ReadProcessMemory
GetStdHandle
GetEnvironmentVariableW
GetFileType
WriteFile
GetModuleHandleW
GetProcAddress
MultiByteToWideChar
SetLastError
GetCurrentProcessId
SwitchToThread
HeapAlloc
InitializeCriticalSectionAndSpinCount
GetModuleHandleExW
RtlVirtualUnwind
DeleteFiber
GetSystemTimeAsFileTime
ConvertFiberToThread
FreeLibrary
LoadLibraryA
LoadLibraryW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
IsDebuggerPresent
InitializeSListHead
IsProcessorFeaturePresent
TerminateProcess
HeapDestroy
HeapCreate
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
GetFileSizeEx
CreateFileA
GetFileSize
GetFileAttributesW
CreateFileW
FindClose
VirtualAlloc
FindNextFileW
FindFirstFileW
ReadFile
CreateSemaphoreW
DeleteCriticalSection
CreateThread
CloseHandle
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlLookupFunctionEntry
RtlCaptureContext
GetLastError
WaitForSingleObject
InitializeCriticalSection
LeaveCriticalSection
ReleaseSemaphore
EnterCriticalSection
GetModuleHandleA
WideCharToMultiByte
user32
GetUserObjectInformationW
MessageBoxW
GetProcessWindowStation
advapi32
CryptExportKey
AdjustTokenPrivileges
LookupPrivilegeValueW
DeregisterEventSource
RegisterEventSourceW
ReportEventW
CryptAcquireContextW
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
OpenProcessToken
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptReleaseContext
bcrypt
BCryptGenRandom
vcruntime140
memset
strchr
wcsstr
memcpy
memcmp
strstr
longjmp
wcschr
memmove
__intrinsic_setjmp
__C_specific_handler
strrchr
memchr
api-ms-win-crt-runtime-l1-1-0
raise
_errno
_exit
terminate
exit
_crt_atexit
_wassert
_register_onexit_function
signal
_seh_filter_exe
_set_app_type
_configure_wide_argv
_initialize_wide_environment
_get_initial_wide_environment
_initterm
_initterm_e
_initialize_onexit_table
__p___argc
__p___wargv
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
strerror_s
abort
api-ms-win-crt-stdio-l1-1-0
_set_fmode
fputs
fread
fflush
_setmode
_fileno
_read
fopen
fgets
feof
fwrite
fseek
ftell
__stdio_common_vsprintf
_close
_filelength
_wfopen
__stdio_common_vfprintf
fclose
__stdio_common_vsscanf
getc
__stdio_common_vswprintf
ferror
__stdio_common_vfwprintf
clearerr
__acrt_iob_func
_sopen_s
__p__commode
api-ms-win-crt-convert-l1-1-0
strtol
atof
strtoll
wcstol
wcstoll
strtod
atoi
strtoul
_strtoi64
api-ms-win-crt-heap-l1-1-0
realloc
calloc
free
_set_new_mode
malloc
api-ms-win-crt-filesystem-l1-1-0
_stat64i32
_waccess_s
api-ms-win-crt-string-l1-1-0
strcmp
isdigit
_wcsdup
strspn
isspace
_strdup
wcstok_s
isxdigit
strncpy
strncmp
_strnicmp
_stricmp
strcspn
strnlen
isprint
tolower
api-ms-win-crt-time-l1-1-0
_gmtime64_s
_time64
_mkgmtime64
api-ms-win-crt-utility-l1-1-0
srand
qsort
rand
api-ms-win-crt-math-l1-1-0
_dclass
pow
__setusermatherr
_isnan
log2
api-ms-win-crt-locale-l1-1-0
localeconv
_configthreadlocale
api-ms-win-crt-environment-l1-1-0
getenv
ws2_32
WSASetLastError
send
closesocket
WSACleanup
WSAGetLastError
recv
crypt32
CertGetCertificateContextProperty
CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertOpenStore
CertCloseStore
Sections
.text Size: 1.6MB - Virtual size: 1.6MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 549KB - Virtual size: 549KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 77KB - Virtual size: 92KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 64KB - Virtual size: 63KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.gfids Size: 512B - Virtual size: 28B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 512B - Virtual size: 480B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 20KB - Virtual size: 19KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ