fa[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

fa.exe
Size

1.4MB
MD5

789b42c04b86115cf0e439f7817c2ea1
SHA1

d834c475a163412c929fc74ad4560fc84771652d
SHA256

95dd7b76dfb72f9bd582571dcb3fe1574de8baab7c9e5eb743b721c30ff9147d
SHA512

a3752c6c9e3ac6fc47579904863d901a624549835b68d52b916b18a60b50c191ae36b2beec695433bd04d9d5de3e0587765fb61488899b8f1de906459419bc6e
SSDEEP

24576:C42U38Ok1YaPyciMtcLltQlIcdGUAOinxvV6KLHM0iajZk7kVnc/:Zp8Ok1YIZiM6LltodGXO6UKLs0pdCp

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
fa.exe

Files

fa.exe
.exe windows x64

dea5f27a04bc7e1b59993040ef0b5c7b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

VirtualQuery
InitializeCriticalSectionEx
MultiByteToWideChar
GetFileAttributesA
RaiseException
DecodePointer
DeleteCriticalSection
WideCharToMultiByte
OpenProcess
CreateToolhelp32Snapshot
Module32FirstW
ReadProcessMemory
Module32NextW
LocalLock
GetSystemTimes
Process32NextW
Process32FirstW
GetSystemInfo
K32GetPerformanceInfo
GetSystemTimeAsFileTime
K32QueryWorkingSet
GetProcessTimes
GetExitCodeProcess
K32GetModuleFileNameExW
K32EnumProcessModulesEx
Sleep
LoadLibraryW
GetProcAddress
GetVersionExW
GetLogicalDriveStringsW
GetDiskFreeSpaceExW
GetComputerNameW
GlobalMemoryStatusEx
GetDriveTypeW
LocalFileTimeToFileTime
SystemTimeToFileTime
LocalAlloc
GetModuleHandleW
GetEnvironmentVariableW
GetCurrentThreadId
SuspendThread
ResumeThread
OutputDebugStringW
GetCurrentDirectoryW
GetThreadContext
GetThreadId
FreeLibrary
ExpandEnvironmentStringsA
GetTempPathA
SetEndOfFile
HeapSize
SetStdHandle
GetProcessHeap
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
GetCurrentProcessId
WriteConsoleW
GetCurrentThread
GetModuleFileNameW
GetStdHandle
GetCurrentProcess
LocalFree
CloseHandle
GetFileAttributesExW
GetLastError
FormatMessageW
CreateFileW
FindClose
DeviceIoControl
FindNextFileW
GetFullPathNameW
GetACP
IsValidCodePage
FindFirstFileExW
HeapReAlloc
GetTimeZoneInformation
ReadConsoleW
ReadFile
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
GetConsoleMode
GetConsoleOutputCP
FindFirstFileW
RtlCaptureContext
FlushFileBuffers
GetFileType
SetFilePointerEx
GetFileSizeEx
HeapAlloc
HeapFree
GetCommandLineW
GetCommandLineA
WriteFile
ExitProcess
GetModuleHandleExW
FreeLibraryAndExitThread
ExitThread
CreateThread
LoadLibraryExW
TlsFree
TlsSetValue
RtlUnwind
TlsGetValue
TlsAlloc
SetLastError
RtlUnwindEx
GetStringTypeW
GetLocaleInfoEx
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
QueryPerformanceCounter
InitializeSListHead
FormatMessageA
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableCS
SleepConditionVariableSRW
QueryPerformanceFrequency
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
TryEnterCriticalSection
GetExitCodeThread
EncodePointer
LCMapStringEx
CompareStringEx
GetCPInfo

user32

GetSystemMetrics

advapi32

OpenServiceW
RegQueryValueExW
RegEnumValueW
RegOpenKeyExW
ConvertSidToStringSidW
CloseServiceHandle
OpenSCManagerW
QueryServiceConfigW
QueryServiceConfig2W
GetUserNameW
EnumServicesStatusW
QueryServiceStatusEx
RegCloseKey
RegQueryInfoKeyW

ole32

CoInitializeEx
CoInitialize
CoUninitialize
CoCreateInstance

oleaut32

VariantInit
SysFreeString
SysAllocString
VariantTimeToSystemTime
VariantClear

pdh

PdhCloseQuery
PdhCollectQueryData
PdhAddCounterW
PdhGetFormattedCounterValue
PdhOpenQueryW
PdhRemoveCounter

iphlpapi

GetExtendedUdpTable
GetExtendedTcpTable
GetAdaptersAddresses

ws2_32

ntohs
inet_ntoa

ntdll

RtlVirtualUnwind
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlIpv6AddressToStringW

version

VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoSizeA

dbghelp

StackWalk64
SymGetSymFromAddr64
SymInitialize
SymCleanup
SymGetModuleBase64
SymGetModuleInfo64
UnDecorateSymbolName
SymGetLineFromAddr64
SymFunctionTableAccess64
SymSetOptions
SymGetOptions

wevtapi

EvtFormatMessage
EvtRender
EvtCreateRenderContext
EvtQuery
EvtOpenPublisherMetadata
EvtNext
EvtClose

netapi32

NetUserGetInfo
NetApiBufferFree
NetLocalGroupGetMembers
NetUserEnum
NetLocalGroupEnum

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 258KB - Virtual size: 258KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 25KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 41KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 252B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

dea5f27a04bc7e1b59993040ef0b5c7b

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

ole32

oleaut32

pdh

iphlpapi

ws2_32

ntdll

version

dbghelp

wevtapi

netapi32

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 258KB - Virtual size: 258KB

.data Size: 25KB - Virtual size: 33KB

.pdata Size: 41KB - Virtual size: 41KB

_RDATA Size: 512B - Virtual size: 252B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 6KB - Virtual size: 6KB

.text
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 258KB - Virtual size: 258KB

.data
Size: 25KB - Virtual size: 33KB

.pdata
Size: 41KB - Virtual size: 41KB

_RDATA
Size: 512B - Virtual size: 252B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 6KB - Virtual size: 6KB