General
-
Target
mwl.bin
-
Size
194KB
-
MD5
fa2f5bf8014321fc151f88977589655d
-
SHA1
6985e425cedebe1502219075e288b0783a0e6b11
-
SHA256
e24f667de7932ff1466bcb73dfc431165ec47f4df84cdbb0a536189465b9b68b
-
SHA512
24159724a4a7359a909f4519ebb94177464c4d85d70a7be71a97d2952b475a5838674c79a8b7d37b71aa41f8476704677c655595d02d6e237195bf1b05017dd3
-
SSDEEP
3072:Uv5ChRQUknU7TfNMXgSrayXVE9y4qQDHg2EPkoTrEsjHZvQ3hl43vpMvxGWqB2cC:dh6zU7T1DylEtDAvPJTrF5vQ37IM
Malware Config
Extracted
rhadamanthys
http://31.41.244.157/blob/goat.error
Signatures
-
Rhadamanthys family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource mwl.bin
Files
-
mwl.bin.exe windows x86
64c1eadffab91dbab47828ec42ef51fa
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
winmm
PlaySoundW
timeGetTime
ole32
CreateStreamOnHGlobal
CoTaskMemFree
CoInitializeEx
CoUninitialize
CoTaskMemAlloc
msimg32
GradientFill
AlphaBlend
user32
IsDialogMessageW
CreateDialogParamW
DispatchMessageW
TranslateMessage
PeekMessageW
ShowWindow
shell32
DragFinish
DragAcceptFiles
DragQueryFileW
gdi32
CreateCompatibleBitmap
CreateCompatibleDC
BitBlt
DeleteDC
CreateBitmap
CreatePen
DeleteObject
CreateRectRgn
winspool.drv
ClosePrinter
OpenPrinterA
DocumentPropertiesA
kernel32
Sleep
EnterCriticalSection
GetStringTypeW
MultiByteToWideChar
LCMapStringW
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
DeleteCriticalSection
LoadLibraryW
RtlUnwind
HeapSize
LeaveCriticalSection
GetStartupInfoW
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
HeapAlloc
HeapReAlloc
HeapFree
GetTickCount
CreateIoCompletionPort
CloseHandle
GetLastError
GetQueuedCompletionStatus
InterlockedIncrement
lstrlenA
IsBadStringPtrA
IsBadReadPtr
GetProcessHeap
IsBadCodePtr
GetModuleHandleA
VirtualQuery
GetSystemInfo
HeapDestroy
HeapCreate
GetCommandLineA
HeapSetInformation
IsProcessorFeaturePresent
GetCPInfo
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
DecodePointer
TlsFree
GetModuleHandleW
SetLastError
GetCurrentThreadId
GetProcAddress
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
TerminateProcess
GetCurrentProcess
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameW
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
Sections
.text Size: 43KB - Virtual size: 42KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 142KB - Virtual size: 141KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 4KB - Virtual size: 7KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 4KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ