th155[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

th155.exe
Size

5.0MB
MD5

2c2ddc7975c5bf8e5f52a936e31287ce
SHA1

c86121379efb4fa23f256a71df9f2683283a29fe
SHA256

a0b8c8b7b13d00d0cc961465d2b24827dd665599397b99e18cde602df24323b7
SHA512

489a0bd94e26d98c6e9b58e7edc9e6e68f34d25bad90ef760b82ee70258b80296b0058d1ad4ebacc6a5517443c173ea097664ad854d2b4385fb47426b5fd732f
SSDEEP

49152:fjGhkDvcnMCWtJmQrnoubZaxG2JVDhinab0qFveqpf1MbzGW3InVYMqaUNTCJWQL:fihkDvTm6TD2IWe3CyoA+n

Score

1^/10

Malware Config

Signatures

Files

th155.exe
.exe windows x86

1a17decd6b0c9874a7e0974a15f4b05f

Code Sign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

2a:7d:74:db:74:05:ba:6e:26:9b:6f:3c:75:7f:58:c3
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

30/11/2017, 00:00

Not After

30/11/2022, 23:59

Subject

CN=Tomohiko Nakajima,O=Tomohiko Nakajima,POSTALCODE=342-0038,STREET=2-9-13 minami,L=Yoshikawa-shi,ST=Saitama,C=JP

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0f:19:94:2f:df:7b:e1:92:2e:ea:4d:68:43:28:c3:79:b3:3e:31:91:73:b9:86:c7:31:cd:6c:a3:d9:ab:8b:1a
Signer

Actual PE Digest

0f:19:94:2f:df:7b:e1:92:2e:ea:4d:68:43:28:c3:79:b3:3e:31:91:73:b9:86:c7:31:cd:6c:a3:d9:ab:8b:1a

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=Tomohiko Nakajima,O=Tomohiko Nakajima,POSTALCODE=342-0038,STREET=2-9-13 minami,L=Yoshikawa-shi,ST=Saitama,C=JP

18/01/2018, 08:29
Valid: true

Chain 1

CN=Tomohiko Nakajima,O=Tomohiko Nakajima,POSTALCODE=342-0038,STREET=2-9-13 minami,L=Yoshikawa-shi,ST=Saitama,C=JP

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

winmm

timeBeginPeriod
timeGetTime

imm32

ImmReleaseContext
ImmGetContext
ImmSetCandidateWindow
ImmGetDefaultIMEWnd
ImmSetOpenStatus

d3dx11_43

D3DX11CreateShaderResourceViewFromMemory

d3dx9_43

D3DXVec3Transform
D3DXMatrixScaling
D3DXMatrixTranslation
D3DXMatrixRotationYawPitchRoll

kernel32

InitializeCriticalSection
DeleteCriticalSection
VirtualAlloc
VirtualQuery
VirtualFree
GetSystemInfo
GetTickCount
SetThreadPriority
GlobalLock
GlobalUnlock
GetCurrentDirectoryA
GetPrivateProfileIntA
GetPrivateProfileStringA
CreateFileW
ReadDirectoryChangesW
WaitForSingleObject
RaiseException
DecodePointer
InitializeCriticalSectionAndSpinCount
QueryPerformanceCounter
QueryPerformanceFrequency
GetLocalTime
ResetEvent
ReleaseMutex
GetCurrentThread
SetThreadAffinityMask
GetCurrentThreadId
FindClose
GetModuleHandleA
GetCurrentProcessId
LoadLibraryA
GetProcAddress
FreeLibrary
FindFirstFileA
FindNextFileA
GetFullPathNameA
DeleteFileA
CreateDirectoryA
GetConsoleScreenBufferInfo
SetConsoleTextAttribute
GetStdHandle
VirtualProtect
GetWindowsDirectoryA
SetEvent
ReleaseSemaphore
LeaveCriticalSection
EnterCriticalSection
GetFileSizeEx
ReadFile
OutputDebugStringA
GetVersionExA
GetLastError
SetCurrentDirectoryA
OpenEventA
CreateWaitableTimerA
WaitForSingleObjectEx
CreateMutexA
GetDriveTypeA
GetModuleFileNameA
GetFileType
GlobalAlloc
SleepEx
VerifyVersionInfoA
VerSetConditionMask
GetQueuedCompletionStatus
SetWaitableTimer
CreateIoCompletionPort
PostQueuedCompletionStatus
QueueUserAPC
TerminateThread
WaitForMultipleObjects
WriteConsoleW
SetStdHandle
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
IsValidCodePage
FindFirstFileExA
GetTimeZoneInformation
HeapSize
GetConsoleCP
CloseHandle
CreateFileA
GetFileAttributesA
Sleep
SetFilePointer
WriteFile
GetSystemTimeAsFileTime
CreateEventA
CreateSemaphoreA
FlushFileBuffers
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
ReadConsoleW
GetConsoleMode
GetACP
HeapReAlloc
ExitProcess
GetModuleHandleExW
ResumeThread
ExitThread
RtlUnwind
LoadLibraryW
WaitForMultipleObjectsEx
UnregisterWaitEx
QueryDepthSList
InterlockedFlushSList
InterlockedPushEntrySList
InterlockedPopEntrySList
GetFileSize
SystemTimeToFileTime
GetVersionExW
LoadLibraryExW
GetModuleFileNameW
FreeLibraryAndExitThread
GetThreadTimes
GetExitCodeProcess
LocalFree
TryEnterCriticalSection
DuplicateHandle
GetCurrentProcess
GetExitCodeThread
WideCharToMultiByte
SetLastError
CreateEventW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
EncodePointer
MultiByteToWideChar
GetCPInfo
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
FormatMessageA
GetCurrentDirectoryW
CreateDirectoryW
DeleteFileW
FindFirstFileW
FindNextFileW
GetFileAttributesW
GetFileAttributesExW
SetEndOfFile
SetFilePointerEx
DeviceIoControl
MoveFileExW
AreFileApisANSI
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetShortPathNameA
HeapFree
WaitForDebugEvent
ContinueDebugEvent
GetSystemWindowsDirectoryA
RtlCaptureStackBackTrace
OpenProcess
GetSystemDirectoryA
K32GetModuleBaseNameA
K32GetModuleInformation
HeapAlloc
GetThreadContext
CreateFileMappingA
DebugActiveProcess
ReadProcessMemory
GetProcessHeap
OpenFileMappingA
CreateProcessA
K32EnumProcessModules
MapViewOfFile
OpenThread
OutputDebugStringW
CreateTimerQueue
SignalObjectAndWait
SwitchToThread
CreateThread
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
RegisterWaitForSingleObject
UnregisterWait

user32

GetMonitorInfoA
MessageBoxA
SetWindowTextA
GetAsyncKeyState
EnumDisplaySettingsA
SetClipboardData
ReleaseDC
CallNextHookEx
MonitorFromWindow
GetDC
SendMessageA
SetCursor
GetCursorPos
ShowCursor
UpdateWindow
RegisterClassExA
PostQuitMessage
LoadIconA
EmptyClipboard
IsHungAppWindow
GetWindowRect
GetClientRect
CharPrevA
CharNextA
GetWindowThreadProcessId
GetWindow
IsWindowVisible
IsWindow
GetTopWindow
ClipCursor
CloseClipboard
GetClipboardData
OpenClipboard
GetWindowInfo
AdjustWindowRectEx
GetMessageA
DispatchMessageA
LoadCursorA
ScreenToClient
GetActiveWindow
ShowWindow
SetTimer
GetWindowLongA
DefWindowProcA
CreateWindowExA
TranslateMessage
PeekMessageA
EnumWindows
GetWindowTextA
FindWindowExA
UnhookWindowsHookEx
wsprintfA
GetClassNameA
FillRect
PostMessageA
SetWindowsHookExA
KillTimer

gdi32

SelectObject
CreateDIBSection
AddFontMemResourceEx
BitBlt
GetStockObject
GetDeviceCaps
CreateCompatibleDC

advapi32

LookupPrivilegeValueA
ImpersonateSelf
AddAccessDeniedAce
OpenProcessToken
GetUserNameA
GetTokenInformation
OpenThreadToken
AddAccessAllowedAce
GetLengthSid
SetSecurityInfo
InitializeAcl
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
AdjustTokenPrivileges
FreeSid
AllocateAndInitializeSid

shell32

ShellExecuteA
SHFileOperationA

ole32

CoSetProxyBlanket
CoCreateInstance
CoUninitialize
CoInitialize

oleaut32

SysFreeString
SysAllocString

wintrust

WinVerifyTrust

version

VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA

dbghelp

SymFunctionTableAccess
StackWalk
SymGetModuleBase
SymInitialize
SymFromAddr
SymGetSymFromAddr

dinput8

DirectInput8Create

xinput9_1_0

XInputGetState
XInputGetCapabilities

d3d11

D3D11CreateDeviceAndSwapChain

dsound

ord11

ws2_32

freeaddrinfo
WSASend
WSASendTo
WSARecvFrom
getaddrinfo
bind
htons
ntohs
htonl
ntohl
WSAGetLastError
WSAStringToAddressW
setsockopt
select
ioctlsocket
WSASetLastError
WSAStartup
WSACleanup
closesocket
WSASocketW

Sections

.text
Size: 3.5MB - Virtual size: 3.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 259KB - Virtual size: 286KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_RDATA
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 186KB - Virtual size: 186KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1a17decd6b0c9874a7e0974a15f4b05f

Code Sign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0bCertificate

Extended Key Usages

Key Usages

2a:7d:74:db:74:05:ba:6e:26:9b:6f:3c:75:7f:58:c3Certificate

Extended Key Usages

Key Usages

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:afCertificate

Extended Key Usages

Key Usages

0f:19:94:2f:df:7b:e1:92:2e:ea:4d:68:43:28:c3:79:b3:3e:31:91:73:b9:86:c7:31:cd:6c:a3:d9:ab:8b:1aSigner

Signature Validations

Verification

18/01/2018, 08:29 Valid: true

Chain 1

Headers

DLL Characteristics

File Characteristics

Imports

winmm

imm32

d3dx11_43

d3dx9_43

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

wintrust

version

dbghelp

dinput8

xinput9_1_0

d3d11

dsound

ws2_32

Sections

.text Size: 3.5MB - Virtual size: 3.5MB

.rdata Size: 1.1MB - Virtual size: 1.1MB

.data Size: 259KB - Virtual size: 286KB

.gfids Size: 4KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 9B

_RDATA Size: 1KB - Virtual size: 1KB

.rsrc Size: 9KB - Virtual size: 8KB

.reloc Size: 186KB - Virtual size: 186KB

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

2a:7d:74:db:74:05:ba:6e:26:9b:6f:3c:75:7f:58:c3
Certificate

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

0f:19:94:2f:df:7b:e1:92:2e:ea:4d:68:43:28:c3:79:b3:3e:31:91:73:b9:86:c7:31:cd:6c:a3:d9:ab:8b:1a
Signer

18/01/2018, 08:29
Valid: true

.text
Size: 3.5MB - Virtual size: 3.5MB

.rdata
Size: 1.1MB - Virtual size: 1.1MB

.data
Size: 259KB - Virtual size: 286KB

.gfids
Size: 4KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 9B

_RDATA
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 9KB - Virtual size: 8KB

.reloc
Size: 186KB - Virtual size: 186KB