VeeamGuestHelper[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

VeeamGuestHelper.exe
Size

1.4MB
MD5

1351e0b128f84a660e11c345946250dc
SHA1

9c49e2a609bf760f592a28fe817de7908ef4221d
SHA256

02a13f9ecbd14acfc03b924a5fc8c5239b67be8863cacbd683211b3bfb49adb0
SHA512

3a93b6231fe59b06bb9acb8f46a9cadfb0e81c5e87e43ee1db431aade6fa360b8917c5c17c2de91575fafc084cc26d2fd833203472a72b4ec436b635cfcbc7f6
SSDEEP

24576:1hczKrjNm7ijxwKYsq1yRObu66tTwTiIw1oqwmLvi/o:1hgK1m7Ixiu6cTwTu1oqwm2g

Score

1^/10

Malware Config

Signatures

Files

VeeamGuestHelper.exe
.exe windows x64

0733294eaa1a1848c4e04ad1c86ab94f

Code Sign

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

10/11/2006, 00:00

Not After

10/11/2031, 00:00

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0f:6f:90:b4:1a:f2:33:c6:4e:0a:f6:f8:b3:e5:6d:26
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

28/02/2019, 00:00

Not After

17/02/2022, 12:00

Subject

SERIALNUMBER=CHE-449.611.046,CN=Veeam Software Group GmbH,O=Veeam Software Group GmbH,L=Baar,ST=Zug,C=CH,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#13024348

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

10/11/2006, 00:00

Not After

10/11/2031, 00:00

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0f:6f:90:b4:1a:f2:33:c6:4e:0a:f6:f8:b3:e5:6d:26
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

28/02/2019, 00:00

Not After

17/02/2022, 12:00

Subject

SERIALNUMBER=CHE-449.611.046,CN=Veeam Software Group GmbH,O=Veeam Software Group GmbH,L=Baar,ST=Zug,C=CH,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#13024348

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d5:dd:1c:1d:27:72:f7:83:4c:4b:c0:c8:52:3f:7d:3a:a3:cf:d9:47:21:11:33:cd:bd:95:09:6c:0d:36:8b:7c
Signer

Actual PE Digest

d5:dd:1c:1d:27:72:f7:83:4c:4b:c0:c8:52:3f:7d:3a:a3:cf:d9:47:21:11:33:cd:bd:95:09:6c:0d:36:8b:7c

Digest Algorithm

sha256

PE Digest Matches

true

4e:0c:01:8b:b1:84:81:ef:05:d9:61:a0:d8:fc:d2:32:74:f7:4a:cd
Signer

Actual PE Digest

4e:0c:01:8b:b1:84:81:ef:05:d9:61:a0:d8:fc:d2:32:74:f7:4a:cd

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

LoadLibraryExA
OpenEventW
GetModuleHandleW
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
RaiseException
DecodePointer
LoadLibraryW
WaitForMultipleObjects
GetProcAddress
FreeLibrary
Sleep
CreateEventW
WaitForSingleObject
ResetEvent
SetEvent
CloseHandle
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
LoadResource
LockResource
SizeofResource
LocalFree
FormatMessageW
FindResourceW
MultiByteToWideChar
WideCharToMultiByte
LocalAlloc
GetEnvironmentVariableW
CreateDirectoryW
CreateFileW
DeleteFileW
FindClose
FindFirstFileW
FindNextFileW
GetFileAttributesW
ReadFile
RemoveDirectoryW
EnterCriticalSection
SetFilePointer
GetTempPathW
DuplicateHandle
GetCurrentProcess
CreateProcessW
FindResourceExW
GetModuleFileNameW
CopyFileW
MoveFileW
MoveFileExW
WriteFile
SetLastError
ReleaseMutex
CreateMutexW
OpenMutexW
GetCurrentThread
GetCurrentThreadId
GetLocalTime
GetDateFormatW
GetTimeFormatW
CreateThread
TerminateThread
ResumeThread
GetFileTime
CompareStringW
GetVersionExW
SetUnhandledExceptionFilter
FlushFileBuffers
GetFileSizeEx
SetEndOfFile
SetFilePointerEx
SetFileTime
GetOverlappedResult
GetComputerNameExW
CreateEventA
WaitForSingleObjectEx
LocalFileTimeToFileTime
FileTimeToSystemTime
SystemTimeToFileTime
GetTimeZoneInformation
GetCurrentProcessId
GetExitCodeProcess
TlsAlloc
TlsFree
GetModuleFileNameA
GetModuleHandleA
GetStringTypeW
EncodePointer
InitializeCriticalSectionAndSpinCount
SwitchToThread
TlsGetValue
TlsSetValue
GetSystemTimeAsFileTime
LCMapStringW
GetLocaleInfoW
GetCPInfo
IsDebuggerPresent
OutputDebugStringW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
QueryPerformanceCounter
InitializeSListHead
FormatMessageA
RtlPcToFileHeader
RtlUnwindEx
LoadLibraryExW
GetConsoleMode
ReadConsoleInputA
SetConsoleMode
GetSystemInfo
VirtualAlloc
VirtualProtect
VirtualQuery
ExitProcess
GetModuleHandleExW
GetStdHandle
GetCommandLineA
GetCommandLineW
GetACP
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetFileType
GetConsoleCP
ReadConsoleW
FindFirstFileExW
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
SetEnvironmentVariableW
SetStdHandle
WriteConsoleW
SetFileAttributesW
GetLastError
RtlUnwind

user32

ExitWindowsEx

advapi32

SetThreadToken
OpenThreadToken
AddAce
AdjustTokenPrivileges
CopySid
CreateWellKnownSid
GetAce
GetAclInformation
GetLengthSid
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorLength
GetSecurityDescriptorOwner
GetSecurityDescriptorSacl
GetSidLengthRequired
GetSidSubAuthority
GetTokenInformation
ImpersonateSelf
InitializeAcl
InitializeSecurityDescriptor
InitializeSid
IsValidSid
MakeSelfRelativeSD
RevertToSelf
SetSecurityDescriptorDacl
ConvertStringSidToSidW
ConvertSidToStringSidW
RegisterServiceCtrlHandlerW
StartServiceCtrlDispatcherW
LookupPrivilegeValueW
LookupAccountSidW
EqualSid
OpenProcessToken
RegSetValueExA
RegQueryValueExA
RegQueryInfoKeyW
RegQueryInfoKeyA
RegOpenKeyExA
RegEnumValueW
RegEnumKeyW
RegEnumKeyA
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
StartServiceW
QueryServiceStatus
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
EnumServicesStatusExW
DeleteService
CreateServiceW
ControlService
CloseServiceHandle
ChangeServiceConfig2W
ChangeServiceConfigW
RegSetValueExW
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
SetServiceStatus
SetNamedSecurityInfoW
GetNamedSecurityInfoW
SetEntriesInAclW

ole32

CoCreateInstance
CoInitializeEx
CoInitializeSecurity
CoUninitialize
CoCreateGuid
OleRun

shlwapi

PathRemoveFileSpecW
PathIsRelativeW

psapi

GetModuleFileNameExW

userenv

UnloadUserProfile

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

secur32

GetUserNameExW

dbghelp

SymLoadModule64
SymGetSymFromAddr64
SymUnDName64
ImageNtHeader
SymSetSearchPath
SymGetSearchPath
SymInitialize
SymGetLineFromAddr64
StackWalk64
SymSetOptions
SymGetOptions
SymCleanup
SymEnumerateModules64
EnumerateLoadedModules64
SymFunctionTableAccess64
SymGetModuleInfo64
SymGetModuleBase64
UnDecorateSymbolName

rpcrt4

RpcBindingFree
RpcBindingCopy
UuidToStringW
RpcStringFreeW
RpcBindingVectorFree
RpcServerListen
RpcServerUseProtseqW
RpcServerUseProtseqEpW
RpcMgmtStopServerListening
RpcBindingFromStringBindingW
RpcRevertToSelf
RpcBindingSetAuthInfoW
RpcBindingSetAuthInfoExW
RpcServerRegisterAuthInfoW
RpcBindingServerFromClient
RpcMgmtEpEltInqDone
RpcStringFreeA
UuidToStringA
UuidFromStringA
UuidFromStringW
RpcImpersonateClient
RpcBindingToStringBindingW

ntdsapi

DsMakeSpnW

shell32

SHGetFolderPathW

oleaut32

GetErrorInfo
SysAllocStringLen
SysStringByteLen
SysAllocStringByteLen
SetErrorInfo
SysAllocString
SysFreeString
SystemTimeToVariantTime
VariantTimeToSystemTime
VarDateFromStr
VarBstrFromDate
VariantInit
VariantClear
CreateErrorInfo

Sections

.text
Size: 896KB - Virtual size: 896KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 407KB - Virtual size: 406KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0733294eaa1a1848c4e04ad1c86ab94f

Code Sign

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77Certificate

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

0f:6f:90:b4:1a:f2:33:c6:4e:0a:f6:f8:b3:e5:6d:26Certificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77Certificate

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

0f:6f:90:b4:1a:f2:33:c6:4e:0a:f6:f8:b3:e5:6d:26Certificate

Extended Key Usages

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

d5:dd:1c:1d:27:72:f7:83:4c:4b:c0:c8:52:3f:7d:3a:a3:cf:d9:47:21:11:33:cd:bd:95:09:6c:0d:36:8b:7cSigner

4e:0c:01:8b:b1:84:81:ef:05:d9:61:a0:d8:fc:d2:32:74:f7:4a:cdSigner

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

ole32

shlwapi

psapi

userenv

version

secur32

dbghelp

rpcrt4

ntdsapi

shell32

oleaut32

Sections

.text Size: 896KB - Virtual size: 896KB

.rdata Size: 407KB - Virtual size: 406KB

.data Size: 20KB - Virtual size: 31KB

.pdata Size: 80KB - Virtual size: 79KB

.rsrc Size: 10KB - Virtual size: 9KB

.reloc Size: 5KB - Virtual size: 5KB

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

0f:6f:90:b4:1a:f2:33:c6:4e:0a:f6:f8:b3:e5:6d:26
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

0f:6f:90:b4:1a:f2:33:c6:4e:0a:f6:f8:b3:e5:6d:26
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

d5:dd:1c:1d:27:72:f7:83:4c:4b:c0:c8:52:3f:7d:3a:a3:cf:d9:47:21:11:33:cd:bd:95:09:6c:0d:36:8b:7c
Signer

4e:0c:01:8b:b1:84:81:ef:05:d9:61:a0:d8:fc:d2:32:74:f7:4a:cd
Signer

.text
Size: 896KB - Virtual size: 896KB

.rdata
Size: 407KB - Virtual size: 406KB

.data
Size: 20KB - Virtual size: 31KB

.pdata
Size: 80KB - Virtual size: 79KB

.rsrc
Size: 10KB - Virtual size: 9KB

.reloc
Size: 5KB - Virtual size: 5KB