sqlplus[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

sqlplus.exe
Size

1.3MB
MD5

5b56b902028984df1c4317ee2db2265c
SHA1

888a1947f62fdc53d3c1d817fb6574aff0a65ab6
SHA256

acdede2f1f943977722aa4c3a4867594dc90e61b55d085d6dfed86247efa5f96
SHA512

71687188e7b7ff7a296421c731669ce1011cb71ebc479150811d9a8ace8aa07f21629a9cffd5c3c3240320568f254a3270b3b1beff4f1a14095b9f66e1be4c06
SSDEEP

12288:IqcqL9TUvd2Bgm3BFpsNXWuVvYElhbEIx9qX/9yYJEebmx:qqL9Tmd2em9s9JlCI6X/Ujebm

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
sqlplus.exe

Files

sqlplus.exe
.exe windows x64

9789856ccb313ca14ca0d3d9e43e2b82

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

oci

slfpd2sb
slfpf2d
lnxnur
slfpdeq
slfpd2f
slfpd2lnx
lxCmpStr
lxsCpStr
lxoCmpStr
lxoPadStr
lxoCntChar
lxoCntByte
lxhnlangid
slfpfeq
lxmcpen
lxoCpDisp
lnxmin
lnxnucg
lnxnfng
slfpfmul
slfpfdiv
slfpfsub
slfpf2fs
slfpf2s
slfpdmul
slfpddiv
slfpdsub
slfpd2fs
slfpd2s
lnxmul
lnxdiv
slfpfsqrt
slfpdsqrt
lnxsqr
lstup
lxsCnvCase
lcvb24
slfpfadd
slfpdadd
lnxadd
slfpfgt
slfpdgt
slfpflt
slfpdlt
lxoCnvCh2Wide
lemgem
slemdsp
nigcui
lficls
lfifno
lfifpo
lxlterm
lsfcln
lpmdelete
lpmterm
lputerm
lmlterm
lxsCatStr
lxscat
lstcpn
lxsCntChar
lxoCpChar
lcv42b
lmxconp2
lmxconpar2
OCIErrorGet
lxoCnvCase
slspool
upiarc
lxoSkip
lxmdigx
upigml
upisto
lxsCnvEqui
upidbg
lsfp
vsnnum_full
upista8
lxmalpx
lxmalnx
lxsCntByte
lxmr2w
lxmdssln
lxmdspx
lxhnmod
lxhnsize
SlfFopen2
OCIDescriptorFree
OCIDescriptorAlloc
OCIDateTimeConvert
OCIDateTimeToText
lxoSchPat
lxsCnvIntToNumStr
lxhcsn
lstcprs
lfimknam
lfilini
lfiopn
SlfFclose
OraStreamInit
OraStreamOpen
OraStreamClose
OraStreamTerm
lnxgfs
ldxdts
lxoCnvNumStrToInt
lxmblax
lxsCnvNumStrToInt
lfidlb
lfird
lfiwr
lxoCpToOp
lxsRepStr
lfvini
lfvtyp
lxlinit
lxinitc
lxhLangEnv
lxhnamemap
lpminit
lpmloadpkg
lsfini
lmlinit
lpuinit
lfpinit
slzgetevar
nigsui
ldxsto
ldxmdsz
ldxmxsz
kpusvcrh
kpusvc2hst
lxoCvChar
lxmc2wx
lstrtb
lstss
slfpdisnan
OCITypeByName
OCIObjectUnpin
OCITypeTypeCode
OCITypeName
OCITypeCollElem
OCITypeCollTypeCode
OCITypeCollSize
OCITypeAttrs
OCITypeIterNew
OCITypeAttrNext
OCITypeElemName
OCITypeIterFree
OCITypeElemExtTypeCode
OCITypeElemTypeCode
OCITypeElemType
OCITypeElemLength
OCIObjectMarkDelete
OCIIterCreate
OCIIterNext
OCIIterDelete
OCIIntervalToText
OCIRefHexSize
OCIRefToHex
OCIDateToText
OCINumberToText
OCIStringSize
OCIStringPtr
OCIObjectGetAttr
OCIPStreamClose
OCIObjectFree
OCIPStreamFromXMLType2
OCIPStreamFromXMLType
OCIPStreamRead
OCINlsCharSetConvert
OCINlsCharSetIdToName
OCIJsonToTextStream
OCIServerRelease2
OCIPIsConnectstringBEQ
OCIBindByName2
OCIBindByPos2
OCIDefineByPos2
OCIStmtGetNextResult
OCITypeElemCharSetForm
OCICollGetElem
OCIClientVersion
OCILobFileGetName
OCIStmtRelease
OCINumberToInt
OCIAnyDataAccess
OCIAnyDataGetType
OCIServerRelease
OCIEnvNlsCreate
OCIEnvCreate
OCIObjectGetTypeRef
OCIObjectPin
OCIObjectNew
OCILobFreeTemporary
OCILobIsTemporary
OCILogoff
OCILogon
OCIResultSetToStmt
OCIAttrSet
OCIAttrGet
OCIBreak
OCILobRead2
OCILobGetLength2
OCITransRollback
OCITransCommit
OCIParamGet
OCIDescribeAny
OCIStmtGetBindInfo
OCIStmtFetch2
OCIDefineObject
OCIDefineByPos
OCIStmtExecute
OCIStmtSetPieceInfo
OCIStmtGetPieceInfo
OCIBindObject
OCIBindByName
OCIBindByPos
OCIStmtPrepare2
OCIPasswordChange
OCISessionBegin
OCISessionEnd
OCIServerDetach
OCIServerAttach
OCIHandleFree
OCIHandleAlloc
upih2o
OCIRawSize
OCIRawPtr
lfimkpth
lfignam
lxsCntDisp
lxmlowx
SlfFseekn
SlfFtelln
SlfFread
lstprintf
Slu8ToTextl
lsfmai
lmsaicmt
lmsacin
lmsacbn
lmsatrm
lxmcpbx
lxhschar
lpucompose
lxmnceq
lxwc2lx
lpuparse
lpuresolve
vsnnum
vsnpri
lxgratio
sqlrv8c
sqlcxt
sqlaldt
sqlnult
sqlfcn
sqlclut
lctbnam
sqlprct
sltln
lfifex
slfnp
slgfn
slsprom
SlfVfprintf
lfipthad
SlfFflush
lfiflu
lpuopen
lpuread
lpuclose
lpuerror
sqlglmt
slfpf2sb
slfpfisinf
slfpfisnan
lxoCmpNStr
OCILobLocatorIsInit
lnxsni
lnxn2cg
lnxsub
OCIPing
lxoCpStr
lxmfwtx
lxmfwdx
lxoWriChar
lxoCnvIntToNumStr
ldxstd
slfpdisinf
slfpfs2d
lnxfcng
slfpfs2f
lnxpflg
sldxgd
ldxsti
ldxini
lnxscng
lxhlinfo
slfps2de
lnxcpng
slfps2fe
lmsagbf
lxmspax
lxmctex
lxmopen
lxsCmpStr
lxscop
lcvb2w
lxsulen

kernel32

EnterCriticalSection
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
GetThreadLocale
InitializeCriticalSection
LoadLibraryExA
LeaveCriticalSection
GetModuleHandleExA
GetConsoleScreenBufferInfo
GetStdHandle
ReadConsoleInputA
GetCurrentProcess
TerminateProcess
CreateProcessA
WaitForSingleObject
GetExitCodeProcess
FormatMessageA
LocalFree
CloseHandle
LoadLibraryA
GetModuleHandleA
GetProcAddress
GetEnvironmentVariableA
RtlCaptureContext

vcruntime140

memcpy
memset
longjmp
memchr
__intrinsic_setjmp
__C_specific_handler
__std_type_info_destroy_list
__current_exception
__current_exception_context

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode
__stdio_common_vsprintf
__acrt_iob_func
__stdio_common_vfprintf

api-ms-win-crt-runtime-l1-1-0

__p___argc
_seh_filter_exe
_seh_filter_dll
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_crt_atexit
_register_thread_local_exe_atexit_callback
terminate
_set_app_type
_c_exit
_configure_narrow_argv
_initialize_narrow_environment
_get_initial_narrow_environment
_initterm
_initterm_e
_cexit
_exit
abort
_crt_at_quick_exit
__p___argv
exit
perror
_errno
signal

api-ms-win-crt-string-l1-1-0

strcat_s
strncat
strlen
strcspn
tolower
strncpy
strtok_s

api-ms-win-crt-heap-l1-1-0

malloc
free
realloc
_set_new_mode

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-time-l1-1-0

_ftime64

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 128KB - Virtual size: 128KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.00cfg
Size: 512B - Virtual size: 337B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9789856ccb313ca14ca0d3d9e43e2b82

Headers

DLL Characteristics

File Characteristics

Imports

oci

kernel32

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 128KB - Virtual size: 128KB

.data Size: 5KB - Virtual size: 13KB

.pdata Size: 20KB - Virtual size: 20KB

.idata Size: 16KB - Virtual size: 16KB

.00cfg Size: 512B - Virtual size: 337B

_RDATA Size: 6KB - Virtual size: 5KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 8KB - Virtual size: 7KB

.text
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 128KB - Virtual size: 128KB

.data
Size: 5KB - Virtual size: 13KB

.pdata
Size: 20KB - Virtual size: 20KB

.idata
Size: 16KB - Virtual size: 16KB

.00cfg
Size: 512B - Virtual size: 337B

_RDATA
Size: 6KB - Virtual size: 5KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 8KB - Virtual size: 7KB