ReadXML[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

ReadXML.exe
Size

23.7MB
MD5

f01d7f2465878f9eb7b2cd4ff670fc3a
SHA1

8ff0f3adf300aa088787752c5a1ff339810c872a
SHA256

b32661e05a10d3f7e45a7472da19972c27fa518ab15177d9b53ebccbb829502a
SHA512

025c20a23bc531de77fd423f746404557e8f42ec4da9ad0782ecf921f9cb68f3d171146a44b0e5869cec8ef0f8f7ef614c060297adc7ae042c1c525e19d90d53
SSDEEP

196608:z3rLzsASLpXG81qchxwpc6hcOpMuZvunlWYL0/8Bkhv3niJ/502EQsD8XeLi:zQppXv4QsWlWYL0EBkh2/55A8

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ReadXML.exe

Files

ReadXML.exe
.exe windows x86

b815f687855c1cc84dfc04d28bc46e65

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

FindNextFileW
RemoveDirectoryW
GetTempPathW
GetModuleFileNameA
GetSystemTime
CloseHandle
WaitForSingleObjectEx
CreateThread
SetThreadPriority
GetThreadPriority
TerminateThread
GetExitCodeThread
SuspendThread
ResumeThread
FreeLibrary
GetProcAddress
LoadLibraryW
SetErrorMode
GetVersionExA
CreateMutexA
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
SetEvent
ResetEvent
FindFirstFileW
CreateEventA
CreateSemaphoreA
ReleaseMutex
WaitForSingleObject
GetSystemTimeAsFileTime
FindFirstFileA
FindNextFileA
LoadLibraryExA
QueryPerformanceCounter
QueryPerformanceFrequency
Sleep
GetFileInformationByHandle
SetEndOfFile
SetFilePointer
GetLastError
CreateFileW
GetFullPathNameW
GlobalAlloc
LocalFree
FormatMessageW
GetStdHandle
ReadFile
DuplicateHandle
CreatePipe
GetCurrentProcess
CreateProcessA
FindClose
GetCurrentDirectoryW
SetCurrentDirectoryW
GetLocalTime
WideCharToMultiByte
MultiByteToWideChar
ReleaseSemaphore
OutputDebugStringA
GetModuleFileNameW
VirtualQuery
GetProcessHeap
HeapFree
HeapAlloc
GetCurrentThreadId
GetCurrentProcessId
LoadLibraryExW
RaiseException
IsProcessorFeaturePresent
IsDebuggerPresent
DecodePointer
EncodePointer
GetModuleHandleW

advapi32

LookupAccountSidA
GetUserNameA
RegQueryValueExW
RegOpenKeyExA
RegConnectRegistryA
RegCloseKey
GetNamedSecurityInfoA

msvcp120d

?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
?clear@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z
?write@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@PB_W_J@Z
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PAD_J@Z
?gcount@?$basic_istream@DU?$char_traits@D@std@@@std@@QBE_JXZ
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@V?$fpos@H@2@@Z
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@_JH@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ
?read@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@PA_W_J@Z
?gcount@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QBE_JXZ
?seekg@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@V?$fpos@H@2@@Z
?seekg@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@_JH@Z
?tellg@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE?AV?$fpos@H@2@XZ
?uncaught_exception@std@@YA_NXZ
?good@ios_base@std@@QBE_NXZ
?flags@ios_base@std@@QBEHXZ
?width@ios_base@std@@QBE_JXZ
?width@ios_base@std@@QAE_J_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??0_Lockit@std@@QAE@H@Z
??1_Lockit@std@@QAE@XZ
?_Getpfirst@_Container_base12@std@@QBEPAPAU_Iterator_base12@2@XZ
??0_Container_base12@std@@QAE@ABU01@@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD0@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
?_BADOFF@std@@3_JB
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@N@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEDD@Z
??Bid@locale@std@@QAEIXZ
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
?always_noconv@codecvt_base@std@@QBE_NXZ
?in@?$codecvt@DDH@std@@QBEHAAHPBD1AAPBDPAD3AAPAD@Z
?out@?$codecvt@DDH@std@@QBEHAAHPBD1AAPBDPAD3AAPAD@Z
?unshift@?$codecvt@DDH@std@@QBEHAAHPAD1AAPAD@Z
?_Getcat@?$codecvt@DDH@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?exceptions@ios_base@std@@QAEXH@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAPAD0PAH001@Z
?seekp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@V?$fpos@H@2@@Z
?seekp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@_JH@Z
?tellp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ
?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z
?id@?$codecvt@DDH@std@@2V0locale@2@A
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@M@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAM@Z
??2@YAPAXIABU_DebugHeapTag_t@std@@PADH@Z
??3@YAXPAXABU_DebugHeapTag_t@std@@PADH@Z
?_DebugHeapTag_func@std@@YAABU_DebugHeapTag_t@1@XZ
??0_Container_base12@std@@QAE@XZ
??1_Container_base12@std@@QAE@XZ
?_Orphan_all@_Container_base12@std@@QAEXXZ
?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPBD@Z
?_Xout_of_range@std@@YAXPBD@Z
??0id@locale@std@@QAE@I@Z
?_Syserror_map@std@@YAPBDH@Z
?_Winerror_map@std@@YAPBDH@Z
?_Swap_all@_Container_base12@std@@QAEXAAU12@@Z
?eof@ios_base@std@@QBE_NXZ
?fail@ios_base@std@@QBE_NXZ
?_Debug_message@std@@YAXPB_W0I@Z
?bad@ios_base@std@@QBE_NXZ

msvcr120d

strtod
strtol
strtoul
free
malloc
_ecvt_s
memset
strcmp
strchr
strstr
??0exception@std@@QAE@XZ
??0exception@std@@QAE@ABQBDH@Z
??0exception@std@@QAE@ABV01@@Z
??1exception@std@@UAE@XZ
fmod
ceil
floor
fclose
ferror
fopen
fread
_fseeki64
_ftelli64
fwrite
sprintf
_wfopen
_finite
_isnan
_wassert
?what@exception@std@@UBEPBDXZ
acos
asin
atan2
cos
sin
memcmp
_strtoui64
__iob_func
fprintf_s
_CrtDbgReport
_getpid
calloc
realloc
strcpy_s
wcscpy_s
wcslen
_malloc_dbg
_calloc_dbg
_realloc_dbg
_free_dbg
vsprintf_s
isspace
toupper
tolower
strcat_s
_stricmp
strpbrk
strrchr
strtok_s
sscanf
modf
qsort
_HUGE
atoi
atan
tan
getenv_s
_dupenv_s
_wfullpath
_wsplitpath_s
_tempnam
_wremove
strncmp
wcscat_s
wcschr
wcsncpy_s
_wcsicmp
_wgetcwd
_strtoi64
_wmkdir
_waccess
_waccess_s
_wstat64i32
_getcwd
_chdrive
strcspn
bsearch
_snprintf
rand
srand
printf
remove
_time64
isdigit
pow
_invalid_parameter
_CrtDbgReportW
exp
log
strftime
_localtime64
fflush
fopen_s
fprintf
fseek
ftell
_filbuf
clearerr
feof
_fileno
fputs
fscanf
_lock_file
_unlock_file
_ungetc_nolock
_wrename
_wstat64
_wutime64
_chsize_s
setlocale
mbstowcs_s
wcscmp
wcsncmp
wcsrchr
wcstok_s
strcpy
vfprintf
strcat
strncpy
_close
_read
_write
_fpclass
log10
labs
isalnum
_logb
isupper
memchr
??_V@YAXPAX@Z
??8type_info@@QBE_NABV0@@Z
isalpha
_fdopen
setvbuf
abort
getenv
strncat
_gmtime64_s
fgets
_strnicmp
rewind
abs
_vacopy
strcoll
wcscoll
atol
wcstombs_s
_errno
putc
__daylight
__timezone
_tzset
_getdcwd
_getdrive
islower
_vsnprintf
_ctime64
_strdup
strtok
iswalpha
iswalnum
iswascii
rename
tmpnam_s
fputc
isxdigit
ispunct
isprint
isgraph
iscntrl
iswupper
iswlower
iswdigit
iswxdigit
iswspace
iswpunct
iswprint
iswgraph
iswcntrl
towupper
towlower
___mb_cur_max_func
mbtowc
mbstowcs
wctomb
wcstombs
_vsnwprintf
__RTDynamicCast
strerror
_fstat64
_lseeki64
_open
_get_osfhandle
freopen
exit
_wrmdir
_wunlink
ungetc
_commit
_fstat64i32
_fmode
_gmtime64
_mktime64
_access
_open_osfhandle
_wstat32
memcpy_s
??0exception@std@@QAE@ABQBD@Z
fgetc
fgetpos
fsetpos
??0bad_cast@std@@QAE@PBD@Z
??0bad_cast@std@@QAE@ABV01@@Z
??1bad_cast@std@@UAE@XZ
_lock
_unlock
__dllonexit
_onexit
_CRT_RTC_INITW
??1type_info@@UAE@XZ
_except1
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
_XcptFilter
_amsg_exit
__getmainargs
__set_app_type
_CrtSetCheckCount
_exit
_cexit
_configthreadlocale
__setusermatherr
_initterm_e
_initterm
__initenv
_commode
_vsnprintf_s
?terminate@@YAXXZ
_except_handler4_common
__crtSetUnhandledExceptionFilter
_invoke_watson
_controlfp_s
_wmakepath_s
atof
__CxxFrameHandler3
_CxxThrowException
memmove
strlen
memcpy
_hypot
sqrt
fabs
??3@YAXPAX@Z
??2@YAPAXI@Z
_purecall
_wchdir
strncpy_s
_unlink
_isatty
_timezone
_putenv

Sections

.textbss
Size: - Virtual size: 7.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 14.6MB - Virtual size: 14.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5.2MB - Virtual size: 5.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 815KB - Virtual size: 815KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b815f687855c1cc84dfc04d28bc46e65

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

msvcp120d

msvcr120d

Sections

.textbss Size: - Virtual size: 7.1MB

.text Size: 14.6MB - Virtual size: 14.6MB

.rdata Size: 3.1MB - Virtual size: 3.1MB

.data Size: 5.2MB - Virtual size: 5.3MB

.idata Size: 17KB - Virtual size: 17KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 815KB - Virtual size: 815KB

.textbss
Size: - Virtual size: 7.1MB

.text
Size: 14.6MB - Virtual size: 14.6MB

.rdata
Size: 3.1MB - Virtual size: 3.1MB

.data
Size: 5.2MB - Virtual size: 5.3MB

.idata
Size: 17KB - Virtual size: 17KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 815KB - Virtual size: 815KB