l2[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

l2.exe
Size

26.2MB
MD5

131ddb28f23ec31a095f7e04cac53646
SHA1

9aea97dbac5d239c3d39c01d2488cac5d394239e
SHA256

21973e7163034e17a0291f57910d8720078317c9546f4b406f9de9ef5ffc90aa
SHA512

1b44adcdf0df4a9d3feb64fc46ea936b5f6136bb6488c2bf3da9d1cfc8c5c5c5329c7616be6ac6a34e5d07db8e489546890efde0d7b671cdc7d88a45dd7618b3
SSDEEP

786432:8bA3yvmBC3EZYMnfUaab76sKmut/ax1CKucMOR:LA3E+HapsKmC/Q1CKeOR

Score

1^/10

Malware Config

Signatures

Files

l2.exe
.exe windows x86

da84b85413ef4ad518f55f83407db384

Code Sign

76:53:fe:ac:75:46:48:93:f5:e5:d7:4a:48:3a:4e:f8
Certificate

Issuer

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Not Before

18-03-2020 00:00

Not After

18-03-2045 00:00

Subject

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

77:bd:0e:05:b7:59:0b:b6:1d:47:61:53:1e:3f:75:ed
Certificate

Issuer

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Not Before

28-07-2020 00:00

Not After

28-07-2030 00:00

Subject

CN=GlobalSign GCC R45 EV CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

15:fb:36:db:ef:d5:fc:e4:09:3b:37:3e
Certificate

Issuer

CN=GlobalSign GCC R45 EV CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Not Before

09-12-2022 13:26

Not After

10-12-2023 13:26

Subject

SERIALNUMBER=521508867,CN=Raman Karpuk,O=Raman Karpuk,L=Warszawa,ST=Województwo Mazowieckie,C=PL,1.2.840.113549.1.9.1=#0c12696e666f406163746976652d61632e636f6d,1.3.6.1.4.1.311.60.2.1.3=#1302504c,2.5.4.15=#130f427573696e65737320456e74697479

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

01:b2:8b:d4:cf:ee:ee:0d:be:d0:b3:0d:9b:f8:43:6a
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Not Before

06-04-2022 07:45

Not After

08-05-2033 07:45

Subject

CN=Globalsign TSA for CodeSign1 - R6,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Not Before

20-06-2018 00:00

Not After

10-12-2034 00:00

Subject

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Not Before

10-12-2014 00:00

Not After

10-12-2034 00:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

44:66:d6:0e:a6:20:9d:87:8c:e1:2d:dc:81:92:61:29:91:a1:da:78:cc:89:f7:18:b3:3b:f3:57:c3:a5:5b:fc
Signer

Actual PE Digest

44:66:d6:0e:a6:20:9d:87:8c:e1:2d:dc:81:92:61:29:91:a1:da:78:cc:89:f7:18:b3:3b:f3:57:c3:a5:5b:fc

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetSystemDirectoryW
GetTempPathW
SetFilePointer
GetUserDefaultLocaleName
SetEnvironmentVariableW
Wow64DisableWow64FsRedirection
GetCommandLineW
ReadFile
CreateDirectoryW
GetProcAddress
LoadLibraryA
DecodePointer
SetEndOfFile
WriteConsoleW
GetTimeZoneInformation
Wow64RevertWow64FsRedirection
GetExitCodeProcess
GetFileSizeEx
WriteFile
GetTickCount
CreateProcessW
GetTickCount64
FormatMessageW
GetModuleHandleA
ReleaseMutex
CreateMutexW
GetEnvironmentVariableW
InitializeCriticalSection
GetModuleFileNameW
TerminateProcess
GetCurrentProcess
CloseHandle
DeleteFileW
GetLastError
HeapSize
GetFileAttributesExW
FlushFileBuffers
GetFullPathNameW
GetCurrentDirectoryW
HeapReAlloc
GetStringTypeW
SetStdHandle
GetProcessHeap
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetCPInfo
GetOEMCP
CreateRemoteThread
SetCurrentDirectoryW
FreeLibrary
Sleep
CreateFileW
DeviceIoControl
CreateThread
TerminateThread
WaitForSingleObject
LeaveCriticalSection
EnterCriticalSection
GetACP
IsValidCodePage
FindFirstFileExW
GetConsoleOutputCP
HeapFree
HeapAlloc
LCMapStringW
CompareStringW
SetConsoleCtrlHandler
SetFilePointerEx
FreeLibraryAndExitThread
ExitThread
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
GetModuleHandleW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
GetSystemDirectoryA
GetNativeSystemInfo
GetSystemInfo
InitializeCriticalSectionEx
SleepEx
VerSetConditionMask
QueryPerformanceFrequency
LoadLibraryW
VerifyVersionInfoW
ExpandEnvironmentStringsA
GetStdHandle
GetFileType
PeekNamedPipe
WaitForMultipleObjects
SetLastError
FormatMessageA
MultiByteToWideChar
WideCharToMultiByte
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleExW
SwitchToFiber
DeleteFiber
CreateFiber
FindClose
FindFirstFileW
FindNextFileW
ConvertFiberToThread
ConvertThreadToFiber
GetSystemTime
SystemTimeToFileTime
RtlUnwind
RaiseException
EncodePointer
LoadLibraryExW
MoveFileExW
ExitProcess
GetDriveTypeW
GetFileInformationByHandle
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetSystemTimeAsFileTime
GetModuleHandleA
CreateEventA
GetModuleFileNameW
TerminateProcess
GetCurrentProcess
CreateToolhelp32Snapshot
Thread32First
GetCurrentProcessId
GetCurrentThreadId
OpenThread
Thread32Next
CloseHandle
SuspendThread
ResumeThread
WriteProcessMemory
GetSystemInfo
VirtualAlloc
VirtualProtect
VirtualFree
GetProcessAffinityMask
SetProcessAffinityMask
GetCurrentThread
SetThreadAffinityMask
Sleep
LoadLibraryA
FreeLibrary
GetTickCount
SystemTimeToFileTime
FileTimeToSystemTime
GlobalFree
LocalAlloc
LocalFree
GetProcAddress
ExitProcess
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
GetModuleHandleW
LoadResource
MultiByteToWideChar
FindResourceExW
FindResourceExA
WideCharToMultiByte
GetThreadLocale
GetUserDefaultLCID
GetSystemDefaultLCID
EnumResourceNamesA
EnumResourceNamesW
EnumResourceLanguagesA
EnumResourceLanguagesW
EnumResourceTypesA
EnumResourceTypesW
CreateFileW
LoadLibraryW
GetLastError
FlushFileBuffers
WriteConsoleW
SetStdHandle
IsProcessorFeaturePresent
DecodePointer
GetCommandLineA
RaiseException
HeapFree
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapAlloc
LCMapStringW
GetStringTypeW
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapCreate
HeapDestroy
QueryPerformanceCounter
HeapSize
WriteFile
RtlUnwind
SetFilePointer
GetConsoleCP
GetConsoleMode
HeapReAlloc
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
ExitProcess
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

UpdateWindow
RegisterClassExA
BeginPaint
CreateWindowExA
DefWindowProcA
LoadBitmapA
IsWindow
ShowWindow
SetWindowPos
GetDC
InvalidateRect
EndPaint
MessageBoxW
GetDesktopWindow
GetUserObjectInformationW
GetProcessWindowStation
DestroyWindow
LoadCursorA
GetWindowRect
CharUpperBuffW

gdi32

SelectObject
CreateCompatibleDC
GetDIBits
BitBlt

advapi32

CryptAcquireContextW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
AllocateAndInitializeSid
FreeSid
CheckTokenMembership
RegDeleteValueW
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegGetValueW
CreateServiceW
CloseServiceHandle
OpenSCManagerA
DeleteService
ControlService
StartServiceA
OpenServiceW
QueryServiceStatusEx
DeregisterEventSource
RegisterEventSourceW
ReportEventW
CryptDestroyKey
CryptReleaseContext
CryptEnumProvidersW

shell32

CommandLineToArgvW
ShellExecuteA
ShellExecuteExW

ws2_32

closesocket
WSAStartup
getaddrinfo
ioctlsocket
socket
inet_addr
bind
listen
accept
select
connect
WSAGetLastError
__WSAFDIsSet
recv
send
shutdown
getpeername
getsockname
getsockopt
ntohs
setsockopt
WSASetLastError
WSAIoctl
WSACleanup
recvfrom
sendto
gethostname
getnameinfo
freeaddrinfo
htons

shlwapi

PathAppendA
PathRemoveFileSpecW
StrStrIW
PathCombineW

dnsapi

DnsQuery_A
DnsFree

crypt32

CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertDuplicateCertificateContext
CertFreeCertificateContext
CertGetCertificateContextProperty

wldap32

ord147
ord301
ord133
ord79
ord142
ord167
ord145
ord219
ord46
ord14
ord216
ord208
ord41
ord118
ord26
ord27
ord127

bcrypt

BCryptGenRandom

version

GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoSizeA

Exports

Exports

�!40��x)��G�k�Q)��5Y[ "�I>��ۉL^�U��;�}��<�18� 6��X�A��C�¬¡|�%T�ZY�� u��[��l�p�#�rЌV/��;�cc�j�~� ñ γҔx 4G�j�� *��]/h��~��O�$�?��,��ǥ�A��P-v�<V]��k0��T�4�d��Q8��-�r�w�7�܇ƅ�-�WJM5��/tFF�X��h�� `��#��}ے5yu-Q�>��&�-�Z�d��g(��>��ج��y�I�Oo��Nω� &�wa[٩qd��p�~,R��:$��-U�;��u� `��T\��c�;��Xg��4i_��Y��濈��*X�8��/�A��7V�E��c��~$y�/ӭ��?g��N;�8��]o�4��yUV#aJ=L�$��%/"BX�U^&� �X2գhQ�{��=��\]�i(\X�2��>Ft��1��$��Ϣ�p�l��[*��I�+X!��u��$��%�� ,oXR�d��W08@�t��R�64�;d�y��#��0� A.�PB��V�@v�g�s��Z��X�.��ӧ�!��?��􍞡�Xۮ<CG�٤ڃ-5B��R��D;驷P�$8�>)�e�(��uv��b.��8��!R��2��E �*�r���?�n�q��e�&�U��-�J'��p��1�� 5�˂�0Z�i*��e��"��n�ƥ/�B�\35�U2��g�=Ɵ�lO�� j�Z��ߞ�S;�&�qpRX+�-��>��󢞣8�cR�=� ��g^L1W��g[ܪNn��)A��B�? ��oPWC�wx��Ћ.�7� ��\.�$��9 ?�~��FD��ܑ+J�=𳑕��Y�+��$�F��YxWI�@��Z'z kYǹ�h��\iU++i�&L�4��-Jm~_��H/��6�n�fUխ��K�o��>�c��E��J�\"w�}\8c�sTs��M��v�M,x��TڪP��g��Λ�x"��︑��e��o�گ �X��WE�G��AJݶ�Cs0�.�i�DL��Z#~`M9g�O�c�w��<�ⴍ��i�b�T��dK<bۇ��3��Q�y�%5J�ed_p;�ꆁ}}3�JƵ%"|'0��'צ��]�b��Y� ��Z��1bCK_�-�8��v�O�F�*Fa�>�"�o��RkM� �p�I#��F�ĀX��ϙVQ��4�� "G]�~�e�~�:�Z�%{ؐbs��d�|?��$�H�u��sP��kY�T�+�ρ�0R��c�2 ��|+�g�F厗ab�'}�1��Z�m!x�uc�WX�I�95��>�f��l��}b��8i��|On�1FN��>:Jh��<[ꐋ��(Vg�� w��ଣR�k+��WY� {�`�'r焌��o��`��|=�\��=��R��o�{酴��b+5>l��!˸t;�/�ճ��Xp��\/w�:��2��y�G�zC&(KD�!A��+?�.u"<ri"0z�))�33��F�O��KK�k}'�;GjM� �'��C��]�ԉ��/׻�ge�VOҬ��\�xߎ��UA��։utu袞5��eV�f��N�ۥ?_��'~�� ʝ{�+p��[��<�\�$v��{�D8 �Դ��0��C�ӫ�6R��<nD2�>fe�y0�C��g��+��(��[��^�Z��qD��N5�n � 19A66�?�ܩ�*PD�`Z[��{��xu� ә�_Kθ[�ea,�Rl<C��"�Ye��`yM�ޓ5L��Z��I��s��%�ޏ��ɳ�$<ƋǛM��Bwo�n�� hU�/��d�ߒ�4�~��:��h�K�I��=R�p^��M�9V�Ug2��K�P�J� p#u2��/?Ӹ�!�]�2��P�_1��Y�+��'��rIu$�jK2��ıRb9��_�V�Q�a%�Φo�/-��{��Z��#�xu�Rի@��k��S�,\�x��U�xQ6�A��sU��MƧ�o]��{<7U�6rS<Ec�%��.=#N��n��|E�f��ԩ*�w�h�� *��ȟo.$'=� ��/�"c�%�W�ЌҖ��o��I�0( ��}i!��v�q�\��sK�(�xY�0�%wH$ n��7�T�ș��]��p ��`�e��1��i<��E��y h�֚Z�Y�� "L8��f��cwJ&YZ��v8Y��Øp�~7�H��x;O�G�F��J��%��RY�j1��p)��ؼ��'V�$�L�Q0�6�Ƭ��3[l�Q �2 D6��=jcX��ff��%%��4��A�N�6� ��T��nR� 8��O�1Ca��!��H��it(�K9R�kT�m�ܰ)�p9�5�ݜ�U��z489�L�G M�7�=|[/�+�M��rL��V�T��12��\��Y�w�iW�*c`�:�u�m��Ʃ��_|��?Ti�;��sKI��C�N�0s^AQa�"��2�%��6�s��e�_��;Ft�a�?%h��!�>/c6(��Էc��z��A��=�y�� NܦLv ��TmZ��A��4uњ�Q�5/!z!"�:��䝙�"�+k��A��Lw��V�Z��>8�ן~gq��qQ6��%��F$]�p�Ф��<ZB��G�44��I��Fo�M�)��_7�_�&�~m��G��$d��ߑ�5#ت�L'6��>��է?{ ��4��?jм�:|��r�Ϳ�(��8xٲO�כ��

Sections

.text
Size: 1.8MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 479KB - Virtual size: 479KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 18KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.aaz0
Size: 21.3MB - Virtual size: 21.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.aaz1
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.aaz2
Size: 2.2MB - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 351KB - Virtual size: 350KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

da84b85413ef4ad518f55f83407db384

Code Sign

76:53:fe:ac:75:46:48:93:f5:e5:d7:4a:48:3a:4e:f8Certificate

Key Usages

77:bd:0e:05:b7:59:0b:b6:1d:47:61:53:1e:3f:75:edCertificate

Extended Key Usages

Key Usages

15:fb:36:db:ef:d5:fc:e4:09:3b:37:3eCertificate

Extended Key Usages

Key Usages

01:b2:8b:d4:cf:ee:ee:0d:be:d0:b3:0d:9b:f8:43:6aCertificate

Extended Key Usages

Key Usages

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74Certificate

Key Usages

45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51Certificate

Key Usages

44:66:d6:0e:a6:20:9d:87:8c:e1:2d:dc:81:92:61:29:91:a1:da:78:cc:89:f7:18:b3:3b:f3:57:c3:a5:5b:fcSigner

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

shell32

ws2_32

shlwapi

dnsapi

crypt32

wldap32

bcrypt

version

Exports

Exports

Sections

.text Size: 1.8MB - Virtual size: 1.8MB

.rdata Size: 479KB - Virtual size: 479KB

.data Size: 18KB - Virtual size: 34KB

.aaz0 Size: 21.3MB - Virtual size: 21.3MB

.aaz1 Size: 2KB - Virtual size: 1KB

.aaz2 Size: 2.2MB - Virtual size: 2.2MB

.rsrc Size: 351KB - Virtual size: 350KB

76:53:fe:ac:75:46:48:93:f5:e5:d7:4a:48:3a:4e:f8
Certificate

77:bd:0e:05:b7:59:0b:b6:1d:47:61:53:1e:3f:75:ed
Certificate

15:fb:36:db:ef:d5:fc:e4:09:3b:37:3e
Certificate

01:b2:8b:d4:cf:ee:ee:0d:be:d0:b3:0d:9b:f8:43:6a
Certificate

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51
Certificate

44:66:d6:0e:a6:20:9d:87:8c:e1:2d:dc:81:92:61:29:91:a1:da:78:cc:89:f7:18:b3:3b:f3:57:c3:a5:5b:fc
Signer

.text
Size: 1.8MB - Virtual size: 1.8MB

.rdata
Size: 479KB - Virtual size: 479KB

.data
Size: 18KB - Virtual size: 34KB

.aaz0
Size: 21.3MB - Virtual size: 21.3MB

.aaz1
Size: 2KB - Virtual size: 1KB

.aaz2
Size: 2.2MB - Virtual size: 2.2MB

.rsrc
Size: 351KB - Virtual size: 350KB