php[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

php.exe
Size

123KB
MD5

8db8ff7802efe20753a50e3653703740
SHA1

05ceaf802e222f254c8e09bae6753b81f638d260
SHA256

d09c3c5bdeac44d08a4be559111a6790a34b0b636d3f4749949c43e6e21c544b
SHA512

f73af38eff7d60be7c227fe2cc9ce8f846451b1d8764c550286e9dfac305e0c45b683d7a504a302d5f22f91cbed75ac969943919c850b19f3d0d852bc1cb5d5d
SSDEEP

3072:mG9kH+yvsBmF+PNSILfyuY1NkfgnVDh4YtJOHz4F:m6kHZ4YEf2JhnJOHz+

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
php.exe

Files

php.exe
.exe windows x64

5e821d6d40a8405ab17924b0b85a85c3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

php7

zend_register_ini_entries
_zend_hash_add@@24
php_format_date
php_escape_html_entities_ex
gettimeofday
php_win32_ioutil_chdir_w
_zend_hash_index_update@@24
zend_vspprintf
_zend_handle_numeric_str_ex@@24
add_assoc_stringl_ex
php_select
_zend_hash_update@@24
_estrndup@@16
php_poll2
zend_strndup@@16
zend_llist_get_next_ex
php_raw_url_decode
_safe_malloc@@24
__zend_realloc
_estrdup@@8
smart_str_realloc@@16
_array_init
php_handle_auth_data
php_set_sock_blocking
zend_hash_index_del@@16
zend_ini_boolean_displayer_cb
php_network_populate_name_from_sockaddr
php_register_variable_safe
smart_str_erealloc@@16
php_network_freeaddresses
zend_llist_apply_with_argument
php_sys_stat_ex
php_network_getaddresses
zend_execute_scripts
zend_hash_apply_with_arguments
zend_hash_index_find@@16
zend_llist_get_first_ex
OnUpdateBool
_zend_hash_str_add@@32
php_error_docref0
zend_parse_parameters
zend_hash_copy@@24
php_module_shutdown_wrapper
php_printf
zend_highlight
open_file_for_scanning
php_win32_ioutil_normalize_path_w
zend_printf
zend_ce_exception
_emalloc@@8
_efree@@8
php_output_write
reflection_class_ptr
zend_read_property
php_info_print_module
php_lint_script
zend_llist_apply
php_import_environment_variables
php_get_highlight_struct
php_execute_script
reflection_extension_ptr
php_win32_cp_conv_w_to_cur
zend_unregister_ini_entries
php_win32_cp_get_orig
php_win32_cp_conv_utf8_to_w
_zend_hash_init@@32
php_win32_code_to_errno
php_handle_aborted_connection
zif_dl
display_ini_entries
php_win32_cp_conv_cur_to_w
reflection_ptr
zend_sort
php_ini_scanned_path
php_print_info
php_request_startup
zend_hash_str_find@@24
sapi_deactivate
php_win32_cp_cli_do_restore
php_getopt
_zend_hash_str_update@@32
_php_stream_get_line
get_zend_version
tsrm_realpath
zend_extensions
executor_globals
zend_error
zend_llist_destroy
zend_spprintf
module_registry
php_win32_cp_get_by_id
zend_eval_string_ex
php_socket_error_str
_zval_ptr_dtor
php_win32_ioutil_getcwd_w
zend_hash_apply@@16
zend_strip
zend_call_method
php_request_shutdown
php_ini_opened_path
_php_stream_free
_php_stream_open_wrapper_ex
php_win32_console_is_own
zend_ini_deactivate
sapi_globals
_object_init_ex
__zend_malloc
zend_str_tolower_dup@@16
php_ini_scanned_files
php_win32_cp_cli_do_setup
zend_hash_destroy@@8
zend_register_constant
core_globals
php_win32_cp_use_unicode
php_win32_console_fileno_set_vt100
compiler_globals
php_output_end_all
zend_llist_copy
reflection_method_ptr
zend_load_extension
php_module_shutdown
php_win32_cp_conv_ascii_to_w
sapi_startup
php_module_startup
zend_is_auto_global_str
reflection_zend_extension_ptr
zend_llist_sort
sapi_send_headers
php_win32_cp_conv_to_w
php_register_variable
php_socket_strerror
reflection_function_ptr
zend_hash_sort_ex@@32
sapi_module
ap_php_snprintf
sapi_shutdown

ws2_32

WSAGetLastError
setsockopt
htons
closesocket
listen
recv
accept
ntohs
socket
send
getsockname
bind

shell32

CommandLineToArgvW

kernel32

UnhandledExceptionFilter
GetModuleHandleW
SetConsoleCtrlHandler
SetLastError
GetCommandLineW
GetACP
LocalFree
GetLastError
GetConsoleTitleW
SetConsoleTitleW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
InitializeSListHead
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
IsDebuggerPresent

vcruntime140

memcpy
memmove
strstr
strchr
strrchr
__C_specific_handler
memset
__intrinsic_setjmp

api-ms-win-crt-runtime-l1-1-0

_crt_atexit
_register_onexit_function
_initialize_onexit_table
strerror
terminate
_set_errno
_errno
_register_thread_local_exe_atexit_callback
_c_exit
_cexit
__p___argv
exit
_get_errno
__p___argc
_seh_filter_exe
_set_app_type
signal
_configure_narrow_argv
_initialize_narrow_environment
_get_initial_narrow_environment
_initterm
_initterm_e
_exit

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf
ftell
ferror
fopen
__acrt_iob_func
fflush
fclose
__p__commode
clearerr
_read
fseek
fgetc
__stdio_common_vfprintf
_setmode
_write
_fseeki64
_set_fmode
fread
_close
fgets
_open
_fileno
rewind
fwrite
_wfopen
__p__fmode
_ftelli64
_lseek
feof

api-ms-win-crt-heap-l1-1-0

malloc
_set_new_mode
realloc
free

api-ms-win-crt-string-l1-1-0

_strdup
wcsncmp
toupper
strncpy
strncmp
isalnum
_stricmp
strcmp

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-time-l1-1-0

_ctime64_s
_ftime64

api-ms-win-crt-utility-l1-1-0

bsearch

api-ms-win-crt-convert-l1-1-0

strtol

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Exports

Exports

OPENSSL_Applink
php_cli_get_shell_callbacks
sapi_cli_single_write

Sections

.text
Size: 43KB - Virtual size: 43KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 50KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 17KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5e821d6d40a8405ab17924b0b85a85c3

Headers

DLL Characteristics

File Characteristics

Imports

php7

ws2_32

shell32

kernel32

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Exports

Exports

Sections

.text Size: 43KB - Virtual size: 43KB

.rdata Size: 50KB - Virtual size: 49KB

.data Size: 17KB - Virtual size: 27KB

.pdata Size: 2KB - Virtual size: 1KB

.rsrc Size: 4KB - Virtual size: 4KB

.reloc Size: 4KB - Virtual size: 4KB

.text
Size: 43KB - Virtual size: 43KB

.rdata
Size: 50KB - Virtual size: 49KB

.data
Size: 17KB - Virtual size: 27KB

.pdata
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 4KB - Virtual size: 4KB

.reloc
Size: 4KB - Virtual size: 4KB