Static task: static1
Behavioral task: behavioral1
Sample: certutil.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: certutil.exe
Resource: win10v2004-20230220-en
General
Target: certutil.exe
Size: 1.2MB
MD5: 0dda4f16ae041578b4e250ae12e06eb1
SHA1: 8edbdf22acbad7681d59cd0f433041167c3e9383
SHA256: e4666c8042c0499da4caf84ea2d3c61346f91d3df5d4cd40834c736bd9c65b35
SHA512: e5c66686c658dfe4ddb8500910a59d392e95513509a82a1e76a72ff4460dd7bca601747a68b8250b536a165343b29cf13201f1fad051c1161b4372884d91c582
SSDEEP: 24576:wl2ZFnvgwPY4Wii0yVAUKxaY1nRKziwHP8dAReFQ3K2pGrgzFqMOCKpN5Dr:Y4W0zxaYXNrsAgzclCKHR
Malware Config
Signatures
Unsigned PE (1 IoCs): Checks for missing Authenticode signature. Resource: certutil.exe
Files
certutil.exe.exe windows x86 (92eafdfbcf8b4ecd46e832973b0649d6)
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
advapi32
IsValidSecurityDescriptor
GetSecurityDescriptorLength
CryptReleaseContext
CryptAcquireContextW
LookupAccountNameW
IsValidSid
ConvertSidToStringSidW
ImpersonateSelf
RevertToSelf
LookupAccountSidW
CryptGetProvParam
CryptGetUserKey
CryptGetKeyParam
CryptDestroyKey
RegCreateKeyExW
RegSetValueExW
RegSetValueExA
RegDeleteKeyExW
RegCloseKey
GetTokenInformation
GetLengthSid
CopySid
OpenProcessToken
RegQueryValueExW
RegOpenKeyExW
RegEnumKeyExW
RegCreateKeyW
RegEnumValueW
RegEnumKeyW
RegDeleteKeyW
RegDeleteValueW
CryptSetProvParam
CryptGenRandom
CryptCreateHash
CryptVerifySignatureW
CryptHashData
CryptDestroyHash
CryptSetKeyParam
CryptDecrypt
CryptImportKey
RegDeleteTreeW
RegOpenKeyW
CryptGetHashParam
CryptDuplicateKey
CryptEncrypt
CryptGenKey
CryptContextAddRef
EventWriteTransfer
RegUnLoadKeyW
RegOpenCurrentUser
RegQueryInfoKeyW
RegLoadKeyW
GetSidSubAuthorityCount
GetSidSubAuthority
GetSidIdentifierAuthority
SetNamedSecurityInfoW
AddAccessDeniedAce
AddAccessAllowedAce
AddAccessDeniedObjectAce
AddAccessAllowedObjectAce
AddAce
InitializeAcl
LsaStorePrivateData
LsaRetrievePrivateData
RegConnectRegistryW
AdjustTokenPrivileges
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSecurityDescriptorToStringSecurityDescriptorW
CryptEnumProvidersA
CryptGetDefaultProviderW
LogonUserExW
ImpersonateLoggedOnUser
CreateWellKnownSid
MakeAbsoluteSD
MakeSelfRelativeSD
LsaClose
LsaFreeMemory
LsaOpenPolicy
FreeSid
CheckTokenMembership
DuplicateToken
OpenThreadToken
ConvertStringSidToSidW
AllocateAndInitializeSid
SetSecurityDescriptorDacl
SetEntriesInAclW
GetSecurityDescriptorDacl
DeleteAce
EqualSid
GetAce
GetAclInformation
SetSecurityDescriptorOwner
InitializeSecurityDescriptor
GetSecurityDescriptorControl
CryptSignHashW
CryptSetHashParam
CryptExportKey
CryptDuplicateHash
kernel32
FindFirstChangeNotificationW
CreateThreadpoolTimer
GetFullPathNameW
CloseThreadpoolTimer
CloseThreadpoolWait
FindCloseChangeNotification
FindNextChangeNotification
SetThreadpoolWait
SetThreadpoolTimer
MultiByteToWideChar
VerifyVersionInfoW
VerSetConditionMask
LeaveCriticalSection
SetConsoleCtrlHandler
EnterCriticalSection
SetEndOfFile
WriteFile
LockResource
SizeofResource
LoadResource
FindResourceW
GetVersionExW
GetComputerNameExW
GetComputerNameW
SetFilePointer
ReadFile
FindClose
FindNextFileW
FindFirstFileW
GetEnvironmentVariableW
GetTickCount
LoadLibraryW
DecodePointer
EncodePointer
GetFileAttributesExW
GetCurrentProcess
QueryFullProcessImageNameW
GetProcessTimes
GetLastError
GetTickCount64
PulseEvent
OpenEventW
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
LocalReAlloc
LocalFileTimeToFileTime
GetModuleHandleW
RaiseException
DeleteCriticalSection
InitializeCriticalSection
GetSystemDefaultLangID
FormatMessageW
HeapAlloc
HeapFree
GetProcessHeap
lstrcmpW
DeleteFileW
GetFileSize
CreateFileW
GetProcAddress
SetLastError
GetTempFileNameW
Sleep
CreateSemaphoreW
SetConsoleMode
GetConsoleMode
TrySubmitThreadpoolCallback
LocalFree
GetSystemTime
SystemTimeToFileTime
GetSystemTimeAsFileTime
LocalAlloc
GetFileAttributesW
FreeLibrary
CompareFileTime
CreateThread
WaitForSingleObject
GetExitCodeThread
GetFileType
GetStdHandle
CloseHandle
GetStartupInfoW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
CreateEventW
DelayLoadFailureHook
ResolveDelayLoadedAPI
FindResourceExW
GetLocaleInfoW
SearchPathW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
lstrcmpiW
CompareStringEx
LoadLibraryExA
GetProfileStringA
ResetEvent
GetFileTime
lstrlenW
VirtualFree
VirtualAlloc
GetTempPathW
GetLocalTime
K32GetProcessImageFileNameW
HeapSetInformation
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
GetSystemInfo
GetCurrentThread
CreateDirectoryW
RemoveDirectoryW
GetConsoleOutputCP
CompareStringW
FoldStringW
GetTimeFormatW
GetDateFormatW
FileTimeToLocalFileTime
LoadLibraryExW
GetSystemDirectoryW
GetCommandLineW
FileTimeToSystemTime
WriteConsoleW
GetACP
WideCharToMultiByte
OutputDebugStringA
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
TerminateProcess
ReleaseSemaphore
SetEvent
OpenProcess
CreateThreadpoolWait
msvcrt
realloc
_errno
??1type_info@@UAE@XZ
_onexit
__dllonexit
_unlock
_lock
_controlfp
_initterm
__setusermatherr
__p__fmode
_cexit
_exit
exit
__set_app_type
__wgetmainargs
?terminate@@YAXXZ
_wcmdln
_itoa_s
memcpy_s
memset
wcscpy_s
towupper
iswlower
towlower
iswupper
sscanf_s
strpbrk
strcat_s
strcpy_s
strspn
getenv
_ftol2
ftell
_wgetenv
_fileno
_setmode
wcstoul
fgetws
feof
fgetc
_wfopen
fputws
atoi
iswalpha
_wsetlocale
isxdigit
gmtime
iswxdigit
vfwprintf
iswspace
__iob_func
_amsg_exit
__p__commode
_XcptFilter
memmove
memcpy
_CxxThrowException
?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@ABQBDH@Z
??0exception@@QAE@ABQBD@Z
_callnewh
malloc
fprintf
_strlwr
??3@YAXPAX@Z
__CxxFrameHandler3
_purecall
_except_handler4_common
fwrite
swscanf
_vsnwprintf
iswdigit
wcsrchr
wcschr
wcstok
fwprintf
_wfopen_s
fclose
fflush
_fgetwchar
wcsspn
_wcsnicmp
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
qsort
wcscspn
free
??_V@YAXPAX@Z
__isascii
isdigit
_strnicmp
memcmp
_stricmp
_wtoi
_vsnprintf
_wcslwr
strncmp
strcspn
wcsstr
strstr
wcsncmp
_ultow
_wcsicmp
bsearch
fopen
fgets
strchr
fputs
fseek
ferror
_swab
certcli
ord357
ord359
ord207
ord358
ord225
ord246
ord256
ord223
ord360
ord254
ord213
ord205
ord356
CAEnumCertTypesEx
ord258
CAGetCertTypeFlagsEx
CAGetCertTypePropertyEx
CAFreeCertTypeProperty
CAGetCertTypeKeySpec
CAFindCertTypeByName
CACertTypeGetSecurity
CAGetCertTypeExtensions
CAFreeCertTypeExtensions
CAEnumCertTypesForCAEx
CAGetCertTypeProperty
CACertTypeAccessCheckEx
CAEnumNextCertType
CACloseCertType
ord373
CAEnumFirstCA
CAFindByName
CAGetCAProperty
CAFreeCAProperty
CAEnumNextCA
CACloseCA
ord362
CAGetCAFlags
CAGetCAExpiration
CAAccessCheck
ord361
CAGetCACertificate
CAGetCASecurity
CASetCAProperty
CAUpdateCAEx
CAFindByCertType
ord257
ord218
ord255
CAEnumCertTypesForCA
CACountCertTypes
CACertTypeAccessCheck
CACountCAs
ord217
ord245
ord370
CARemoveCACertificateTypeEx
CAAddCACertificateTypeEx
CAUpdateCA
ord260
ord366
ord252
ord261
ord253
ord203
ord247
ord210
CASetCASecurity
CASetCACertificate
CASetCAFlags
CACreateNewCA
CAGetCertTypeExpiration
crypt32
CryptEncodeObjectEx
CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindExtension
CryptFindOIDInfo
CryptExportPKCS8
PFXExportCertStoreEx
PFXExportCertStore
CryptFreeOIDFunctionAddress
CryptGetOIDFunctionAddress
CryptInitOIDFunctionSet
CertStrToNameW
CryptDecryptMessage
CryptEncryptMessage
CryptSignMessage
CryptFormatObject
CertAddCertificateLinkToStore
CertGetIntendedKeyUsage
CryptHashPublicKeyInfo
CryptStringToBinaryW
CryptMsgOpenToDecode
CertNameToStrW
CryptSignCertificate
CryptExportPublicKeyInfoEx
CryptSignAndEncodeCertificate
CertDuplicateStore
CryptMsgUpdate
CryptMsgOpenToEncode
CryptBinaryToStringW
CertOpenServerOcspResponse
I_CryptWalkAllLruCacheEntries
I_CryptRemoveLruEntry
I_CryptGetLruEntryData
I_CryptFindLruEntry
I_CryptReleaseLruEntry
I_CryptInsertLruEntry
I_CryptCreateLruEntry
CertCloseServerOcspResponse
I_CryptFreeLruCache
I_CryptCreateLruCache
CryptMsgEncodeAndSignCTL
CertGetNameStringA
CertSetCertificateContextPropertiesFromCTLEntry
CertCreateContext
I_CertProtectFunction
CertAddStoreToCollection
CertVerifyCertificateChainPolicy
CryptMemFree
CertVerifySubjectCertificateContext
CryptVerifyCertificateSignatureEx
CertGetEnhancedKeyUsage
CertVerifyCRLTimeValidity
CertVerifyRevocation
CertVerifyTimeValidity
CryptEnumKeyIdentifierProperties
CryptImportPublicKeyInfo
CertDuplicateCRLContext
CertDeleteCRLFromStore
CertAddCTLContextToStore
CertAddCRLContextToStore
CertEnumSystemStore
CertEnumSystemStoreLocation
CertEnumPhysicalStore
CertControlStore
CertSaveStore
CertAddSerializedElementToStore
CertAddEncodedCTLToStore
CertAddEncodedCRLToStore
CertAddEncodedCertificateToStore
CertSetCTLContextProperty
CertSetCRLContextProperty
CryptFindCertificateKeyProvInfo
CryptAcquireCertificatePrivateKey
CertEnumCertificateContextProperties
CertGetCRLContextProperty
CertEnumCRLContextProperties
CertGetCTLContextProperty
CertEnumCTLContextProperties
CertSetStoreProperty
CertComparePublicKeyInfo
CryptExportPublicKeyInfo
CertFreeCTLContext
CertCreateCTLContext
CertEnumCTLsInStore
CertDeleteCertificateFromStore
CertGetNameStringW
CryptDecodeObjectEx
CryptQueryObject
CryptMsgGetParam
CryptVerifyDetachedMessageSignature
CryptMsgGetAndVerifySigner
CryptMsgControl
PFXIsPFXBlob
PFXImportCertStore
CryptImportPKCS8
CertGetPublicKeyLength
CryptMsgClose
CertAddCertificateContextToStore
CertSetCertificateContextProperty
CryptGetKeyIdentifierProperty
CertFindAttribute
CryptHashCertificate
CryptDecodeObject
CertOpenStore
CertFindCertificateInStore
CertEnumCertificatesInStore
CryptFindLocalizedName
CryptVerifyCertificateSignature
CertCompareCertificateName
CertFreeCertificateChain
CertGetCertificateChain
CryptHashCertificate2
CryptImportPublicKeyInfoEx2
CryptRegisterOIDInfo
CertCreateCertificateContext
CryptEnumOIDInfo
CertCreateCRLContext
CertFreeCRLContext
CertEnumCRLsInStore
CertCloseStore
CertGetCertificateContextProperty
cabinet
ord20
ord22
ord21
ord23
comctl32
InitCommonControlsEx
cryptui
CryptUIDlgViewCRLW
CryptUIDlgFreeCAContext
CryptUIDlgViewCertificateW
gdi32
GetStockObject
ncrypt
NCryptFreeObject
BCryptVerifySignature
BCryptDestroyKey
NCryptOpenStorageProvider
NCryptImportKey
NCryptSetProperty
NCryptFinalizeKey
BCryptSetProperty
BCryptGetProperty
BCryptCloseAlgorithmProvider
SslEnumProtocolProviders
SslOpenProvider
SslFreeBuffer
SslFreeObject
NCryptGetProperty
BCryptFreeBuffer
BCryptOpenAlgorithmProvider
BCryptCreateHash
BCryptHashData
BCryptFinishHash
BCryptDestroyHash
BCryptDecrypt
BCryptEncrypt
BCryptExportKey
BCryptGenRandom
BCryptSignHash
NCryptCreatePersistedKey
NCryptDecrypt
NCryptDeleteKey
NCryptDeriveKey
NCryptEncrypt
NCryptExportKey
NCryptOpenKey
NCryptSecretAgreement
NCryptSignHash
NCryptVerifySignature
NCryptEnumAlgorithms
NCryptIsAlgSupported
NCryptEnumKeys
NCryptEnumStorageProviders
NCryptFreeBuffer
BCryptEnumAlgorithms
BCryptGenerateKeyPair
BCryptQueryProviderRegistration
BCryptEnumContexts
BCryptQueryContextConfiguration
BCryptEnumContextFunctions
BCryptResolveProviders
NCryptIsKeyHandle
netapi32
NetUserGetGroups
DsRoleGetPrimaryDomainInformation
DsGetDcNameW
DsRoleFreeMemory
NetApiBufferFree
DsGetSiteNameW
normaliz
IdnToUnicode
IdnToAscii
ntdll
RtlNtStatusToDosError
RtlGetPersistedStateLocation
NtQuerySystemTime
RtlTimeToSecondsSince1970
NtQuerySystemInformationEx
WinSqmIncrementDWORD
ntdsapi
DsUnBindW
DsFreeNameResultW
DsFreeDomainControllerInfoW
DsCrackNamesW
DsGetDomainControllerInfoW
DsBindW
setupapi
SetupGetStringFieldW
SetupFindNextLine
SetupGetFieldCount
SetupFindFirstLineW
SetupGetIntField
SetupCloseInfFile
SetupOpenInfFileW
SetupGetLineCountW
shell32
SHGetFolderPathW
SHGetKnownFolderPath
version
VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW
wldap32
ord203
ord36
ord26
ord27
ord191
ord41
ord65
ord210
ord13
ord145
ord14
ord73
ord206
ord16
ord12
ord18
ord155
ord127
ord79
ord142
ord224
ord140
ord113
ord135
ord147
ord208
ord167
ole32
CoTaskMemFree
CoInitialize
CoUninitialize
CoInitializeEx
CLSIDFromString
CLSIDFromProgID
StringFromCLSID
ProgIDFromCLSID
CoTaskMemAlloc
CoCreateInstanceEx
CoSetProxyBlanket
CoCreateInstance
StgOpenStorageEx
PropVariantClear
oleaut32
VariantClear
SysAllocString
SysAllocStringLen
SysAllocStringByteLen
SafeArrayCreate
SafeArrayPutElement
SafeArrayGetElement
SysStringLen
VariantInit
SafeArrayAccessData
VariantCopyInd
CreateErrorInfo
SetErrorInfo
SafeArrayGetUBound
SystemTimeToVariantTime
SysStringByteLen
SafeArrayGetLBound
SafeArrayGetDim
SafeArrayUnaccessData
VariantTimeToSystemTime
SysFreeString
SafeArrayDestroy
rpcrt4
UuidIsNil
RpcStringFreeW
UuidToStringW
NdrClientCall2
I_RpcExceptionFilter
UuidCreate
UuidFromStringW
secur32
TranslateNameW
GetComputerObjectNameW
GetUserNameExW
user32
DialogBoxParamW
SetWindowTextW
GetWindowLongW
CallWindowProcW
GetDlgItemTextW
IsDlgButtonChecked
GetDlgItemInt
RegisterClassW
CreateWindowExW
PostMessageW
GetMessageW
TranslateMessage
DispatchMessageW
ShowWindow
GetDesktopWindow
CharLowerW
SetCursor
SendMessageW
MessageBoxW
SetDlgItemTextW
GetDlgItem
EnableWindow
SendDlgItemMessageA
EndDialog
SetDlgItemInt
SetFocus
SetWindowLongW
GetWindowTextW
CheckDlgButton
UpdateWindow
LoadStringW
PostQuitMessage
DefWindowProcW
LoadIconW
LoadCursorW
shlwapi
PathFindFileNameW
Sections
.text Size: 1.1MB - Virtual size: 1.1MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 39KB - Virtual size: 48KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 19KB - Virtual size: 19KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 512B - Virtual size: 376B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 65KB - Virtual size: 65KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ