php[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

php.exe
Size

58KB
MD5

d440a474cdb516e9c26ea70c99aae954
SHA1

83ef0ee0d199e56f8303f452ebc82ee3ea4c608a
SHA256

fa49fc8f4a9a769d126cebcbd740ba2765f1d9d8055e8b4f49bece2e4541773d
SHA512

845a326779321f53f55b1158cfc37160e3b06f6f91abb325ca0af5d5018b9268db863492eaa5fd838531e5ed68b638b5dab567228fbe1517d0cafd140a11e0ff
SSDEEP

768:GqSMS2v+eWN2UWHhgv9ESFEYKyOOS8UZ0chy98Jb/XZYcnLsYWkLmPcG7ZfGyK6C:GqlPvpWRnROOW3h08Jb5GrcG7dGX6

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
php.exe

Files

php.exe
.exe windows x86

6a05036153f60d0b30d697a66a83fdf3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

php5ts

php_socket_strerror
php_info_print_style
php_output_activate
php_output_deactivate
zend_llist_get_first_ex
zend_hash_index_find
_estrdup
php_output_get_contents
php_url_decode
php_handle_auth_data
php_handle_special_queries
vspprintf
ts_allocate_id
zend_execute_scripts
_zend_bailout
php_escape_html_entities_ex
virtual_getcwd
zend_hash_del_key_or_index
php_set_sock_blocking
spprintf
OnUpdateBool
php_output_start_user
php_network_getaddresses
zend_hash_apply_with_arguments
zend_llist_get_next_ex
zend_ini_boolean_displayer_cb
php_select
gettimeofday
zend_register_ini_entries
php_network_freeaddresses
php_register_variable_safe
_erealloc
virtual_chdir
virtual_realpath
php_output_discard
php_network_populate_name_from_sockaddr
php_poll2
sapi_send_headers
ap_php_snprintf
php_asctime_r
php_localtime_r
zend_unregister_ini_entries
php_ini_scanned_files
_safe_malloc
zend_read_property
zend_printf
reflection_extension_ptr
zend_eval_string_ex
gc_remove_zval_from_buffer
zend_strndup
php_module_shutdown_wrapper
zend_register_constant
php_getopt
zend_ini_deactivate
_php_stream_free
virtual_fopen
sapi_shutdown
get_zend_version
compiler_globals_id
php_output_write
php_module_shutdown
zend_is_auto_global
_zend_hash_add_or_update
zend_hash_copy
core_globals_id
php_execute_script
_zval_ptr_dtor
php_handle_aborted_connection
_efree
zend_strip
display_ini_entries
php_get_highlight_struct
php_ini_scanned_path
reflection_ptr
reflection_zend_extension_ptr
executor_globals_id
_emalloc
sapi_module
zend_hash_destroy
php_output_end_all
reflection_method_ptr
zend_exception_get_default
zend_llist_copy
zend_load_extension
zend_hash_apply
php_register_variable
php_ini_opened_path
php_lint_script
reflection_function_ptr
module_registry
zend_call_method
zend_str_tolower_dup
php_printf
zend_error
php_module_startup
_php_stream_open_wrapper_ex
tsrm_shutdown
zif_dl
php_print_info
sapi_globals_id
php_request_startup
ts_resource_ex
zend_extensions
_zend_hash_init
php_import_environment_variables
sapi_startup
zend_highlight
zend_hash_find
php_info_print_module
_php_stream_get_line
_object_init_ex
open_file_for_scanning
zend_qsort
zend_hash_sort
_estrndup
zend_llist_destroy
tsrm_startup
php_request_shutdown
reflection_class_ptr
sapi_deactivate
zend_llist_sort
_zend_hash_index_update_or_next_insert
zend_llist_apply

ws2_32

htons
ntohs
getsockname
setsockopt
recv
bind
socket
closesocket
send
listen
accept
WSAGetLastError

msvcr90

_stricmp
_setmode
_read
_close
_open
_setjmp3
memset
_strdup
_controlfp_s
_invoke_watson
_except_handler4_common
_decode_pointer
_onexit
_lock
__dllonexit
_unlock
?terminate@@YAXXZ
_crt_debugger_hook
__set_app_type
_encode_pointer
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_configthreadlocale
_initterm_e
_initterm
__initenv
_XcptFilter
_exit
_cexit
__getmainargs
_amsg_exit
_stat32
toupper
strncpy
strtol
signal
strerror
strncmp
exit
fclose
getenv
fseek
realloc
ftell
strrchr
fwrite
_fmode
_fileno
fprintf
printf
isalnum
fgetc
_errno
fflush
strchr
__iob_func
strstr
rewind
malloc
free
memmove
memcpy

kernel32

GetCurrentThreadId
Sleep
InterlockedCompareExchange
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetSystemTimeAsFileTime
GetCurrentProcessId
InterlockedExchange
GetTickCount
QueryPerformanceCounter

Exports

Exports

php_cli_get_shell_callbacks
sapi_cli_single_write

Sections

.text
Size: 35KB - Virtual size: 35KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6a05036153f60d0b30d697a66a83fdf3

Headers

DLL Characteristics

File Characteristics

Imports

php5ts

ws2_32

msvcr90

kernel32

Exports

Exports

Sections

.text Size: 35KB - Virtual size: 35KB

.rdata Size: 13KB - Virtual size: 13KB

.data Size: 1024B - Virtual size: 5KB

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 3KB - Virtual size: 3KB

.text
Size: 35KB - Virtual size: 35KB

.rdata
Size: 13KB - Virtual size: 13KB

.data
Size: 1024B - Virtual size: 5KB

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 3KB - Virtual size: 3KB