hermeticwiper | 6bdb7716047c883698f4e4e14a6e47fe79d6e8c610b9f8400c8b01d3c071b065

Sharing

Copy URL

Twitter E-mail

General

Target

6bdb7716047c883698f4e4e14a6e47fe79d6e8c610b9f8400c8b01d3c071b065
Size

46KB
MD5

050e72a56eca357ea9043a009d583278
SHA1

4c9b7fee625832faf6fc60f1a15f132d9fa7ba4f
SHA256

6bdb7716047c883698f4e4e14a6e47fe79d6e8c610b9f8400c8b01d3c071b065
SHA512

c2ff5a0ae510e9649eafeb9329d5a5d316294ac8f0ddf2868d914788000ed60b353ad2cd3fbb79afa527a219f678989594c3c2d5590d74de42b4b59ff21a3681
SSDEEP

768:2vzux++dur3WAaLx+R/m8085hdYOd979sLTx8JKxnal/yVC+dgjpGnUPXlbVv:2ixbMaL0w+DjzKg5iCknOR

Score

10^/10

wiper hermeticwiper

Malware Config

Signatures

Detect HermeticWiper 1 IoCs

Detect HermeticWiper Payload.

wiper

resource	yara_rule
static1/unpack001/1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591	family_hermeticwiper

Hermeticwiper family
hermeticwiper

Files

6bdb7716047c883698f4e4e14a6e47fe79d6e8c610b9f8400c8b01d3c071b065
.7z

Password: infected
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
.exe windows x86

fe4a2284122da348258c83ef437fbd7b

Code Sign

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

13-04-2021 00:00

Not After

14-04-2022 23:59

Subject

SERIALNUMBER=HE 419469,CN=Hermetica Digital Ltd,O=Hermetica Digital Ltd,L=Nicosia,C=CY,1.3.6.1.4.1.311.60.2.1.3=#13024359,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18-04-2012 12:00

Not After

18-04-2027 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

23:b5:b2:b7:f6:44:0d:92:ef:ac:4a:28:5d:66:3b:2a:f5:8d:f6:88
Signer

Actual PE Digest

23:b5:b2:b7:f6:44:0d:92:ef:ac:4a:28:5d:66:3b:2a:f5:8d:f6:88

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

SERIALNUMBER=HE 419469,CN=Hermetica Digital Ltd,O=Hermetica Digital Ltd,L=Nicosia,C=CY,1.3.6.1.4.1.311.60.2.1.3=#13024359,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

03-05-2023 12:02
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

shlwapi

StrStrW
StrRChrW
StrChrW
StrToIntW
PathAddExtensionW
PathFindExtensionW
PathFileExistsW
StrCatBuffW
PathAddBackslashW
PathAppendW
StrStrIW
StrCmpNW
wnsprintfW
StrStrA

lz32

LZClose
LZCopy
LZOpenFileW

msvcrt

towupper
wcsncpy
memcpy
_except_handler3
memset

kernel32

HeapAlloc
GetProcessHeap
DeviceIoControl
GetLastError
HeapReAlloc
HeapFree
lstrcmpA
GetSystemTimeAsFileTime
CreateFileW
CloseHandle
SetFilePointerEx
ReadFile
GetDiskFreeSpaceW
lstrlenW
WriteFile
FlushFileBuffers
CreateThread
WaitForMultipleObjects
GetModuleHandleW
GetProcAddress
GetCurrentProcess
VerSetConditionMask
VerifyVersionInfoW
FindResourceW
LoadResource
LockResource
SizeofResource
GetSystemDirectoryW
DeleteFileW
WaitForSingleObject
SetThreadPriority
FindFirstFileW
FindNextFileW
FindClose
GetLogicalDriveStringsW
SetLastError
GetCommandLineW
GetModuleFileNameW
GetFileAttributesW
CreateEventW
SetEvent
ExitProcess
GetCurrentProcessId
GetFileInformationByHandle
Sleep

user32

wsprintfW
CharLowerW

advapi32

InitiateSystemShutdownExW
ControlService
CloseServiceHandle
DeleteService
StartServiceW
ChangeServiceConfigW
QueryServiceStatus
CreateServiceW
OpenServiceW
OpenSCManagerW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegDeleteKeyW
CryptReleaseContext
CryptGenRandom
CryptAcquireContextW
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyW
RegCloseKey
RegSetValueExW

shell32

CommandLineToArgvW

Sections

.text
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 900B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 87KB - Virtual size: 86KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 920B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

fe4a2284122da348258c83ef437fbd7b

Code Sign

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ecCertificate

Extended Key Usages

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

23:b5:b2:b7:f6:44:0d:92:ef:ac:4a:28:5d:66:3b:2a:f5:8d:f6:88Signer

Signature Validations

Verification

03-05-2023 12:02 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

shlwapi

lz32

msvcrt

kernel32

user32

advapi32

shell32

Sections

.text Size: 16KB - Virtual size: 15KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 512B - Virtual size: 900B

.rsrc Size: 87KB - Virtual size: 86KB

.reloc Size: 1024B - Virtual size: 920B

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

23:b5:b2:b7:f6:44:0d:92:ef:ac:4a:28:5d:66:3b:2a:f5:8d:f6:88
Signer

03-05-2023 12:02
Valid: false

.text
Size: 16KB - Virtual size: 15KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 512B - Virtual size: 900B

.rsrc
Size: 87KB - Virtual size: 86KB

.reloc
Size: 1024B - Virtual size: 920B