Shell-viewer[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

Shell-viewer.exe
Size

166KB
MD5

355ec96486fc7b1e0490fc75bd0d9bdc
SHA1

b138ec798ee47ec5dd408598b808310871321786
SHA256

49ad02d0426a13f85accc59f3e2b44212cd8edf40acf5659382f2407a8687b16
SHA512

2b71feea6747d2cc16a46c3fe9265330cdb497bedf1f848a598479db38457f3ecbd36cb73911d09e14642e0f985db39d7d56e3225b104ba0a463c76989b5270d
SSDEEP

3072:HY0dq5szpezwbjE9Tlx6KZKV9becni+X459npO/q0Hv9x+brq1ER+gIY7DjB:H1EwU29ycnivgC/Re4

Score

10^/10

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
sample	Nirsoft

Files

Shell-viewer.exe
.exe windows x64

1f870a34fc57a52a0e4c79381ab106d3

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

Issuer

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE

Not Before

07/06/2005, 08:09

Not After

30/05/2020, 10:48

Subject

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:be
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

10/05/2010, 00:00

Not After

10/05/2015, 23:59

Subject

CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bb
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

24/08/2011, 00:00

Not After

30/05/2020, 10:48

Subject

CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

a1:a3:e7:28:0e:0a:2d:f1:2f:84:30:96:49:82:05:19
Certificate

Issuer

CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

17/09/2012, 00:00

Not After

17/09/2014, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

20:b5:61:e0:f0:85:78:fd:ee:88:46:2b:eb:8c:5c:dd:13:3e:b5:df
Signer

Actual PE Digest

20:b5:61:e0:f0:85:78:fd:ee:88:46:2b:eb:8c:5c:dd:13:3e:b5:df

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_initterm
__getmainargs
_acmdln
exit
__setusermatherr
_exit
_c_exit
_XcptFilter
__C_specific_handler
_onexit
_commode
_fmode
__set_app_type
_cexit
__dllonexit
_purecall
_strlwr
strrchr
strcmp
malloc
strtoul
free
modf
memcmp
_mbschr
_memicmp
_itoa
_ultoa
??2@YAPEAX_K@Z
??3@YAXPEAX@Z
memcpy
_stricmp
strlen
atoi
memset
strchr
_strcmpi
_strnicmp
strcpy
strcat
strncat
sprintf

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

comctl32

ord17
ImageList_AddMasked
ImageList_Create
ImageList_SetImageCount
ord6
CreateToolbarEx
ImageList_ReplaceIcon

ws2_32

WSACleanup
WSAStartup
connect
WSAAsyncGetHostByName
WSAAsyncSelect
send
closesocket
WSASetLastError
socket
bind
htons
WSAGetLastError
htonl
inet_addr

kernel32

WriteFile
GetStartupInfoA
WinExec
GetModuleHandleA
LoadLibraryExA
GetFileSize
GetFileTime
GetTimeFormatA
GetCurrentThreadId
ExpandEnvironmentStringsA
ExitProcess
GetCurrentProcessId
ReadProcessMemory
DeleteFileA
EnumResourceNamesA
WritePrivateProfileStringA
GetPrivateProfileStringA
GetPrivateProfileIntA
FindFirstFileA
lstrlenA
FreeLibrary
GetProcAddress
LoadLibraryA
CloseHandle
GetSystemDirectoryA
FileTimeToLocalFileTime
GetWindowsDirectoryA
MultiByteToWideChar
OpenProcess
Sleep
GetCurrentProcess
CompareFileTime
WaitForSingleObject
GetFileAttributesA
CreateProcessA
FileTimeToSystemTime
CreateFileA
GlobalUnlock
GlobalLock
GlobalAlloc
GetVersionExA
GetLastError
GetLocaleInfoA
GetNumberFormatA
GetTempPathA
FormatMessageA
GetModuleFileNameA
FindNextFileA
LocalFree
ReadFile
GetTempFileNameA
GetDateFormatA
lstrcpyA
FindClose

user32

GetMenuItemCount
SetForegroundWindow
AttachThreadInput
EnumWindows
RegisterWindowMessageA
PostQuitMessage
TrackPopupMenu
IsDialogMessageA
TranslateMessage
DispatchMessageA
DeferWindowPos
BeginDeferWindowPos
EndDeferWindowPos
GetMessageA
SetWindowPos
GetSysColorBrush
ShowWindow
ChildWindowFromPoint
GetMenuItemInfoA
LoadCursorA
GetDlgItemInt
EndDialog
GetDlgItem
CreateWindowExA
SetDlgItemInt
SetDlgItemTextA
GetDlgItemTextA
SetWindowTextA
SendDlgItemMessageA
PostMessageA
SetMenu
LoadAcceleratorsA
DefWindowProcA
TranslateAcceleratorA
MessageBoxA
GetWindowPlacement
SendMessageA
RegisterClassA
UpdateWindow
GetWindowRect
GetSystemMetrics
SetWindowPlacement
DestroyIcon
FindWindowA
LoadImageA
LoadIconA
GetWindowThreadProcessId
GetWindowLongA
SetWindowLongA
SetFocus
InvalidateRect
LoadStringA
GetClassNameA
CloseClipboard
GetMenuStringA
GetClientRect
SetClipboardData
EnableWindow
GetCursorPos
MapWindowPoints
GetSysColor
GetMenu
MoveWindow
OpenClipboard
EmptyClipboard
CheckMenuItem
GetDC
EnableMenuItem
ReleaseDC
GetParent
SetCursor
GetSubMenu
GetWindowTextA
LoadMenuA
ModifyMenuA
DialogBoxParamA
GetDlgCtrlID
DestroyMenu
CreateDialogParamA
EnumChildWindows
DestroyWindow

gdi32

GetTextExtentPoint32A
SetBkColor
GetStockObject
GetDeviceCaps
SetTextColor
CreateFontIndirectA
SetBkMode
DeleteObject

comdlg32

GetSaveFileNameA
FindTextA

advapi32

RegLoadKeyA
RegCloseKey
RegDeleteKeyA
RegDeleteValueA
RegCreateKeyA
RegConnectRegistryA
CryptAcquireContextA
CryptCreateHash
RegEnumKeyExA
RegQueryValueExA
RegSetValueExA
RegEnumValueA
RegQueryInfoKeyA
RegOpenKeyExA
RegCreateKeyExA
CryptReleaseContext
CryptGetHashParam
CryptHashData
CryptDestroyHash
RegUnLoadKeyA

shell32

ExtractIconExA
ShellExecuteA
ShellExecuteExA
Shell_NotifyIconA

ole32

OleInitialize
OleUninitialize
DoDragDrop

Sections

.text
Size: 108KB - Virtual size: 108KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1f870a34fc57a52a0e4c79381ab106d3

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4bCertificate

Key Usages

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:beCertificate

Extended Key Usages

Key Usages

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bbCertificate

Extended Key Usages

Key Usages

a1:a3:e7:28:0e:0a:2d:f1:2f:84:30:96:49:82:05:19Certificate

Extended Key Usages

Key Usages

20:b5:61:e0:f0:85:78:fd:ee:88:46:2b:eb:8c:5c:dd:13:3e:b5:dfSigner

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

version

comctl32

ws2_32

kernel32

user32

gdi32

comdlg32

advapi32

shell32

ole32

Sections

.text Size: 108KB - Virtual size: 108KB

.rdata Size: 24KB - Virtual size: 24KB

.data Size: 1KB - Virtual size: 5KB

.pdata Size: 6KB - Virtual size: 5KB

.rsrc Size: 18KB - Virtual size: 18KB

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:be
Certificate

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bb
Certificate

a1:a3:e7:28:0e:0a:2d:f1:2f:84:30:96:49:82:05:19
Certificate

20:b5:61:e0:f0:85:78:fd:ee:88:46:2b:eb:8c:5c:dd:13:3e:b5:df
Signer

.text
Size: 108KB - Virtual size: 108KB

.rdata
Size: 24KB - Virtual size: 24KB

.data
Size: 1KB - Virtual size: 5KB

.pdata
Size: 6KB - Virtual size: 5KB

.rsrc
Size: 18KB - Virtual size: 18KB