fa01ddb1e7e36dbfafb3878a35a622827e1625bc36ef1d1a06ef5e870cee623d

Sharing

Copy URL Twitter E-mail

General

Target

fa01ddb1e7e36dbfafb3878a35a622827e1625bc36ef1d1a06ef5e870cee623d
Size

690KB
MD5

1b64e373a37048bcac5d91c52c468d3f
SHA1

74f6d253c78fbfa008689fdc4ca12d75f93d1089
SHA256

fa01ddb1e7e36dbfafb3878a35a622827e1625bc36ef1d1a06ef5e870cee623d
SHA512

4aff9a623433d3c6897f6ee64aac7618a3a084056b8847ea916a315bb6fd0fe3c313cc604b0a4150cf690d137bef11039322b0ffd1a7326630abfae02abbec88
SSDEEP

12288:RpSlU/2Qaisi0oFxRrPOIIv9etHUWxnEZV9mVW5MoGGiz8jL9Av027Qjl:RAttPi0oF/OIIEtHUJ9mWZi4jL9AvH7+

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
fa01ddb1e7e36dbfafb3878a35a622827e1625bc36ef1d1a06ef5e870cee623d

Files

fa01ddb1e7e36dbfafb3878a35a622827e1625bc36ef1d1a06ef5e870cee623d
.exe windows x86

6a82850cad28453461b216340968dc10

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

uactmon

ord8
ord121
ord120
ord122
ord7
ord30
ord50
ord21
ord20
ord2
ord1
ord112
ord111
ord110
ord3
ord84
ord42
ord40
ord71
ord70
ord83
ord82
ord81
ord43
ord4
ord5

usysdiag

vif_assist_get
vif_get
vif_iokit_get
vif_sysutils_get

behavior

ord1
ord5
ord6
ord2

jansson

json_string
json_deep_copy
json_delete
json_object_get
json_array_get
json_array
json_unpack
json_object_set_new
json_integer
json_array_append_new
json_array_size
json_pack
json_pack_ex
json_object
json_object_iter_value
json_object_key_to_iter
json_object_iter_next
json_object_iter
json_object_iter_key
json_object_size
json_false
json_true
json_integer_value
json_string_value

libxsse

ord30
ord10

libcobra

libcobra_release
libcobra_scan

scenter

ord10
ord12
ord1
ord6
ord2
ord5
ord11

kernel32

UnhandledExceptionFilter
OutputDebugStringW
WaitForSingleObjectEx
GetStartupInfoW
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeSListHead
EncodePointer
GetCPInfo
SetLastError
TlsAlloc
IsDebuggerPresent
IsProcessorFeaturePresent
TlsGetValue
TlsSetValue
GetFileAttributesA
InterlockedExchange
EnterCriticalSection
GetLongPathNameW
GetCurrentProcess
InterlockedDecrement
LeaveCriticalSection
InitializeCriticalSection
OpenProcess
MultiByteToWideChar
Sleep
CloseHandle
GetWindowsDirectoryW
LocalFree
DeleteCriticalSection
WideCharToMultiByte
InterlockedIncrement
GetTickCount
GetModuleHandleA
GetProcAddress
GetVersion
CreateFileW
GetFileAttributesW
CreateDirectoryW
GetLastError
FindFirstFileW
DeleteFileW
FindNextFileW
FindClose
GetModuleFileNameW
GetModuleHandleW
GetLocalTime
TlsFree
GetPrivateProfileStringW
LoadLibraryA
GetVersionExW
GetNativeSystemInfo
HeapDestroy
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
LocalAlloc
OpenMutexW
CreateMutexW
OpenFileMappingA
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
WaitForSingleObject
ReleaseMutex
CreateEventW
SetEvent
WaitForMultipleObjects
ResumeThread
CreateThread
SizeofResource
InitializeCriticalSectionAndSpinCount
LockResource
RaiseException
FindResourceExW
LoadResource
FindResourceW
DecodePointer
DeviceIoControl
GetDriveTypeW
QueryDosDeviceW
TerminateThread
GetLogicalDrives
SetErrorMode
GetVolumeInformationW
GetDiskFreeSpaceExW
GetEnvironmentVariableW
CreateMutexA
GetCurrentThreadId
GetCurrentProcessId
ExitProcess
SetCurrentDirectoryW
SetUnhandledExceptionFilter
GetTempFileNameW
ProcessIdToSessionId
CreateProcessW
WriteFile
SetFilePointer
GetFileSize
CreateFileMappingW
MapViewOfFileEx
GetFileSizeEx
RemoveDirectoryW
ResetEvent
GetModuleFileNameA
SetFileAttributesW
SetThreadExecutionState
SetProcessWorkingSetSize
GetSystemDirectoryW
GetDriveTypeA
SetFileAttributesA
DeleteFileA
CreateToolhelp32Snapshot
Process32FirstW
TerminateProcess
Process32NextW
Module32FirstW
Module32NextW
SetEnvironmentVariableW
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
FreeLibrary
LoadLibraryExW
RtlUnwind
GetFileType
SetFilePointerEx
GetConsoleMode
ReadConsoleW
GetConsoleCP
GetModuleHandleExW
GetStdHandle
GetACP
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
SetStdHandle
SetEndOfFile
WriteConsoleW
GetTimeZoneInformation
FindFirstFileExW
IsValidCodePage
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
ReadFile
FlushFileBuffers

user32

GetWindowRect
EnumWindowStationsA
IsWindowVisible
GetSystemMetrics
UnregisterDeviceNotification
CloseWindowStation
EnumDesktopsA
CloseDesktop
OpenWindowStationA
OpenDesktopA
EnumDesktopWindows
GetParent
GetWindowThreadProcessId

advapi32

AllocateAndInitializeSid
SetSecurityDescriptorDacl
RegQueryValueExA
RegCreateKeyExA
RegSetKeySecurity
RegSetValueExW
RegSetValueExA
InitializeSecurityDescriptor
RegOpenKeyExA
RegDeleteValueA
RegQueryValueExW
RegCloseKey
OpenProcessToken
ConvertSidToStringSidW
GetTokenInformation
SetEntriesInAclW
FreeSid
OpenServiceW
ChangeServiceConfigW
QueryServiceConfigW
StartServiceW
DeleteService
OpenSCManagerW
CloseServiceHandle
CreateServiceW
DuplicateToken
SetServiceStatus
RegisterServiceCtrlHandlerExW
RegOpenKeyExW
LookupPrivilegeValueW
AdjustTokenPrivileges
StartServiceCtrlDispatcherW
RegDeleteValueW
RegCreateKeyExW
GetLengthSid
InitializeAcl
AddAccessAllowedAce
RegEnumKeyW
QueryServiceStatusEx
RegNotifyChangeKeyValue
DuplicateTokenEx
SetTokenInformation
CreateProcessAsUserW

shell32

ShellExecuteW
SHGetFolderPathW
SHGetSpecialFolderPathA
SHGetSpecialFolderPathW

ole32

CoCreateInstance
CoInitializeEx

topsecdb

ord3
ord8
ord1
ord11
ord10
ord13
ord9

shlwapi

SHDeleteKeyW
PathFileExistsA
PathFileExistsW

topseccomm

CreateLPCServer

iphlpapi

SetTcpEntry

ws2_32

__WSAFDIsSet
send
select
htons
WSAStartup
WSACleanup
ioctlsocket
setsockopt
socket
inet_addr
bind
getsockname
listen
closesocket
accept
connect
recv

setupapi

SetupDiGetClassDevsW
SetupDiEnumDeviceInterfaces
CM_Get_DevNode_Registry_PropertyW
CM_Get_Parent
SetupDiGetDeviceInterfaceDetailW
CM_Get_DevNode_Status
SetupDiDestroyDeviceInfoList
CM_Request_Device_EjectW
SetupDiOpenDeviceInterfaceW

dbghelp

MiniDumpWriteDump

repaireng

?EnableSystemUpdate@LeakRepairEng@@YAJJ@Z
?ListInstalledPatchs@LeakRepairEng@@YAPAUjson_t@@XZ
?CreateTask@LeakRepairEng@@YAPAVITask@1@PBD0PAUjson_t@@PAVIDownloader@1@@Z
?CreateDownloader@LeakRepairEng@@YAPAVIDownloader@1@XZ

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

wtsapi32

WTSQueryUserToken

psapi

EnumDeviceDrivers
GetDeviceDriverBaseNameA

crypt32

CryptMsgClose
CertCloseStore
CertFreeCertificateContext
CertGetNameStringW
CertFindCertificateInStore
CryptMsgGetParam
CryptQueryObject

Sections

.text
Size: 483KB - Virtual size: 483KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 116KB - Virtual size: 116KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 1024B - Virtual size: 540B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 40KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 35KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6a82850cad28453461b216340968dc10

Headers

DLL Characteristics

File Characteristics

Imports

uactmon

usysdiag

behavior

jansson

libxsse

libcobra

scenter

kernel32

user32

advapi32

shell32

ole32

topsecdb

shlwapi

topseccomm

iphlpapi

ws2_32

setupapi

dbghelp

repaireng

userenv

wtsapi32

psapi

crypt32

Sections

.text Size: 483KB - Virtual size: 483KB

.rdata Size: 116KB - Virtual size: 116KB

.data Size: 12KB - Virtual size: 43KB

.tls Size: 512B - Virtual size: 9B

.gfids Size: 1024B - Virtual size: 540B

.rsrc Size: 40KB - Virtual size: 40KB

.reloc Size: 35KB - Virtual size: 38KB

.text
Size: 483KB - Virtual size: 483KB

.rdata
Size: 116KB - Virtual size: 116KB

.data
Size: 12KB - Virtual size: 43KB

.tls
Size: 512B - Virtual size: 9B

.gfids
Size: 1024B - Virtual size: 540B

.rsrc
Size: 40KB - Virtual size: 40KB

.reloc
Size: 35KB - Virtual size: 38KB