hermeticwiper | 1ce5ac704afcd510b8ff04e11d9aac294b846ea5b3f6e0b9464a58111982f798

Sharing

Copy URL

Twitter E-mail

General

Target

1ce5ac704afcd510b8ff04e11d9aac294b846ea5b3f6e0b9464a58111982f798
Size

46KB
MD5

d16317bbe5b34584c40dde2ff3dfe7ba
SHA1

d09473e1b77208b83adcfcdbf0bc8d9e3e0e9c33
SHA256

1ce5ac704afcd510b8ff04e11d9aac294b846ea5b3f6e0b9464a58111982f798
SHA512

8026169cd22b6a5d14fcf05b4e4a542ef16d416eb68905340027f4cece1c60510de94fe6202b587a959637240417bf0c722fe5f0d9e4ab08f930503547305bb3
SSDEEP

768:CbzwtZOjgf2hw+OZedvjfV/rgGVFyjM1QrEb0yWVyG3dYWSdlAqVby1jkOpuynbG:C0Ykuhw+OEVjfVrgnSgyWVJdZSdZby1S

Score

10^/10

wiper hermeticwiper

Malware Config

Signatures

Detect HermeticWiper 1 IoCs

Detect HermeticWiper Payload.

wiper

Processes:

resource	yara_rule
static1/unpack001/1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591	family_hermeticwiper

Hermeticwiper family
hermeticwiper

Files

1ce5ac704afcd510b8ff04e11d9aac294b846ea5b3f6e0b9464a58111982f798
.7z

Password: infected
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
.exe windows x86

fe4a2284122da348258c83ef437fbd7b

Code Sign

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

13-04-2021 00:00

Not After

14-04-2022 23:59

Subject

SERIALNUMBER=HE 419469,CN=Hermetica Digital Ltd,O=Hermetica Digital Ltd,L=Nicosia,C=CY,1.3.6.1.4.1.311.60.2.1.3=#13024359,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18-04-2012 12:00

Not After

18-04-2027 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

23:b5:b2:b7:f6:44:0d:92:ef:ac:4a:28:5d:66:3b:2a:f5:8d:f6:88
Signer

Actual PE Digest

23:b5:b2:b7:f6:44:0d:92:ef:ac:4a:28:5d:66:3b:2a:f5:8d:f6:88

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

SERIALNUMBER=HE 419469,CN=Hermetica Digital Ltd,O=Hermetica Digital Ltd,L=Nicosia,C=CY,1.3.6.1.4.1.311.60.2.1.3=#13024359,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

11-05-2023 10:05
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

shlwapi

StrStrW
StrRChrW
StrChrW
StrToIntW
PathAddExtensionW
PathFindExtensionW
PathFileExistsW
StrCatBuffW
PathAddBackslashW
PathAppendW
StrStrIW
StrCmpNW
wnsprintfW
StrStrA

lz32

LZClose
LZCopy
LZOpenFileW

msvcrt

towupper
wcsncpy
memcpy
_except_handler3
memset

kernel32

HeapAlloc
GetProcessHeap
DeviceIoControl
GetLastError
HeapReAlloc
HeapFree
lstrcmpA
GetSystemTimeAsFileTime
CreateFileW
CloseHandle
SetFilePointerEx
ReadFile
GetDiskFreeSpaceW
lstrlenW
WriteFile
FlushFileBuffers
CreateThread
WaitForMultipleObjects
GetModuleHandleW
GetProcAddress
GetCurrentProcess
VerSetConditionMask
VerifyVersionInfoW
FindResourceW
LoadResource
LockResource
SizeofResource
GetSystemDirectoryW
DeleteFileW
WaitForSingleObject
SetThreadPriority
FindFirstFileW
FindNextFileW
FindClose
GetLogicalDriveStringsW
SetLastError
GetCommandLineW
GetModuleFileNameW
GetFileAttributesW
CreateEventW
SetEvent
ExitProcess
GetCurrentProcessId
GetFileInformationByHandle
Sleep

user32

wsprintfW
CharLowerW

advapi32

InitiateSystemShutdownExW
ControlService
CloseServiceHandle
DeleteService
StartServiceW
ChangeServiceConfigW
QueryServiceStatus
CreateServiceW
OpenServiceW
OpenSCManagerW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegDeleteKeyW
CryptReleaseContext
CryptGenRandom
CryptAcquireContextW
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyW
RegCloseKey
RegSetValueExW

shell32

CommandLineToArgvW

Sections

.text
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 900B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 87KB - Virtual size: 86KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 920B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

fe4a2284122da348258c83ef437fbd7b

Code Sign

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ecCertificate

Extended Key Usages

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

23:b5:b2:b7:f6:44:0d:92:ef:ac:4a:28:5d:66:3b:2a:f5:8d:f6:88Signer

Signature Validations

Verification

11-05-2023 10:05 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

shlwapi

lz32

msvcrt

kernel32

user32

advapi32

shell32

Sections

.text Size: 16KB - Virtual size: 15KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 512B - Virtual size: 900B

.rsrc Size: 87KB - Virtual size: 86KB

.reloc Size: 1024B - Virtual size: 920B

0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

23:b5:b2:b7:f6:44:0d:92:ef:ac:4a:28:5d:66:3b:2a:f5:8d:f6:88
Signer

11-05-2023 10:05
Valid: false

.text
Size: 16KB - Virtual size: 15KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 512B - Virtual size: 900B

.rsrc
Size: 87KB - Virtual size: 86KB

.reloc
Size: 1024B - Virtual size: 920B