Static task: static1
Behavioral task: behavioral1 (Sample: certutil.exe; Resource: win7-20230712-en)
Behavioral task: behavioral2 (Sample: certutil.exe; Resource: win10v2004-20230703-en)
General
Target: certutil.exe
Size: 1.3MB
MD5: c0cb87999d811b0277a2f6e737050899
SHA1: d77ac2b91ee95b780376a3285c7cee1e4f22b2f6
SHA256: a9726a5ba2f97a2816156781997c14609a6cf353f319e95fa6c7d98b42e7df7d
SHA512: 99de51a96e8d08629de9cbbe86f960078e964f2ca030e337c9980f184275cf235a224a80e2fa5b89d9a9e5de860f7fc97e31bc0a9c57ca15094ac116f3bc53ca
SSDEEP: 24576:adDD7ZDEu7UDWAnfLwKGsnoU1U7UVkPouDf26+Cjnxmx/haAp+2SpZJsXOeKsdgM:TuGjL351U77PJLxchKmOeKTvU
Malware Config
Signatures
Unsigned PE (1 IoC): Checks for missing Authenticode signature. Resource: certutil.exe
Files
certutil.exe.exe (windows x86) 3d1b742d8c7d58e6330f8d4ccf34a1ce
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
advapi32
IsValidSecurityDescriptor
GetSecurityDescriptorLength
CryptReleaseContext
CryptAcquireContextW
LookupAccountNameW
IsValidSid
ConvertSidToStringSidW
ImpersonateSelf
RevertToSelf
LookupAccountSidW
CryptGetProvParam
CryptGetUserKey
CryptGetKeyParam
CryptDestroyKey
RegCreateKeyExW
RegSetValueExW
RegSetValueExA
RegDeleteKeyExW
RegCloseKey
GetTokenInformation
GetLengthSid
CopySid
OpenProcessToken
RegQueryValueExW
RegOpenKeyExW
RegEnumKeyExW
RegCreateKeyW
RegEnumValueW
RegEnumKeyW
RegDeleteKeyW
RegDeleteValueW
CryptSetProvParam
CryptGenRandom
CryptCreateHash
CryptVerifySignatureW
CryptHashData
CryptDestroyHash
CryptSetKeyParam
CryptDecrypt
CryptImportKey
RegDeleteTreeW
RegOpenKeyW
CryptGetHashParam
CryptDuplicateKey
CryptEncrypt
CryptGenKey
EventWriteTransfer
RegUnLoadKeyW
RegOpenCurrentUser
RegQueryInfoKeyW
RegLoadKeyW
RegGetValueW
GetSidSubAuthorityCount
GetSidSubAuthority
GetSidIdentifierAuthority
SetNamedSecurityInfoW
AddAccessDeniedAce
AddAccessAllowedAce
AddAccessDeniedObjectAce
AddAccessAllowedObjectAce
AddAce
InitializeAcl
LsaStorePrivateData
LsaRetrievePrivateData
RegConnectRegistryW
AdjustTokenPrivileges
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSecurityDescriptorToStringSecurityDescriptorW
CryptEnumProvidersA
CryptGetDefaultProviderW
LogonUserExW
ImpersonateLoggedOnUser
CreateWellKnownSid
MakeAbsoluteSD
MakeSelfRelativeSD
LsaClose
LsaFreeMemory
LsaOpenPolicy
FreeSid
CheckTokenMembership
DuplicateToken
OpenThreadToken
ConvertStringSidToSidW
AllocateAndInitializeSid
SetSecurityDescriptorDacl
SetEntriesInAclW
GetSecurityDescriptorDacl
DeleteAce
EqualSid
GetAce
GetAclInformation
SetSecurityDescriptorOwner
InitializeSecurityDescriptor
GetSecurityDescriptorControl
CryptSignHashW
CryptSetHashParam
CryptExportKey
CryptDuplicateHash
CryptContextAddRef
kernel32
CreateSemaphoreExW
GetModuleFileNameA
LoadLibraryExA
GetProfileStringA
ResetEvent
GetFileTime
lstrlenW
VirtualFree
VirtualAlloc
GetTempPathW
GetLocalTime
K32GetProcessImageFileNameW
HeapSetInformation
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
GetSystemInfo
GetCurrentThread
CreateDirectoryW
RemoveDirectoryW
GetConsoleOutputCP
CompareStringW
FoldStringW
GetTimeFormatW
GetDateFormatW
FileTimeToLocalFileTime
LoadLibraryExW
GetSystemDirectoryW
GetCommandLineW
FileTimeToSystemTime
WriteConsoleW
GetACP
WideCharToMultiByte
OutputDebugStringA
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetStartupInfoW
LocalFree
GetSystemTime
SystemTimeToFileTime
GetSystemTimeAsFileTime
LocalAlloc
GetFileAttributesW
FreeLibrary
CompareFileTime
CreateThread
WaitForSingleObject
GetExitCodeThread
CloseHandle
GetStdHandle
GetFileType
GetConsoleMode
SetConsoleMode
SetLastError
GetProcAddress
CreateFileW
GetFileSize
DeleteFileW
lstrcmpW
GetProcessHeap
HeapFree
HeapAlloc
FormatMessageW
GetSystemDefaultLangID
InitializeCriticalSection
DeleteCriticalSection
GetModuleHandleExW
GetModuleHandleW
LocalFileTimeToFileTime
LocalReAlloc
GetUserDefaultUILanguage
GetSystemDefaultUILanguage
OpenEventW
PulseEvent
GetTickCount64
GetLastError
OpenProcess
GetProcessTimes
QueryFullProcessImageNameW
GetCurrentProcess
GetFileAttributesExW
EncodePointer
DecodePointer
LoadLibraryW
GetTickCount
Sleep
FindFirstFileW
FindNextFileW
FindClose
ReadFile
SetFilePointer
GetComputerNameW
GetComputerNameExW
GetVersionExW
FindResourceW
LoadResource
SizeofResource
LockResource
WriteFile
SetEndOfFile
EnterCriticalSection
SetConsoleCtrlHandler
LeaveCriticalSection
VerSetConditionMask
VerifyVersionInfoW
MultiByteToWideChar
SetThreadpoolTimer
SetThreadpoolWait
FindNextChangeNotification
FindCloseChangeNotification
CloseThreadpoolWait
CloseThreadpoolTimer
GetFullPathNameW
DelayLoadFailureHook
ResolveDelayLoadedAPI
FindResourceExW
GetLocaleInfoW
SearchPathW
lstrcmpiW
IsDebuggerPresent
DebugBreak
AcquireSRWLockShared
CreateThreadpoolTimer
FindFirstChangeNotificationW
CreateThreadpoolWait
SetEvent
ReleaseSemaphore
TrySubmitThreadpoolCallback
CreateSemaphoreW
CreateEventW
InitializeCriticalSectionEx
WaitForThreadpoolTimerCallbacks
ReleaseMutex
ReleaseSRWLockExclusive
OutputDebugStringW
AcquireSRWLockExclusive
GetEnvironmentVariableW
GetTempFileNameW
WaitForSingleObjectEx
OpenSemaphoreW
ReleaseSRWLockShared
CompareStringEx
RaiseException
CreateMutexExW
msvcrt
_ultow
_wcsicmp
bsearch
fopen
fgets
strchr
fputs
fseek
ferror
_swab
_strlwr
fprintf
malloc
_callnewh
??0exception@@QAE@ABQBD@Z
??0exception@@QAE@ABQBDH@Z
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
_CxxThrowException
memcpy
memmove
_XcptFilter
__p__commode
_amsg_exit
__wgetmainargs
__set_app_type
exit
_exit
_cexit
__p__fmode
__setusermatherr
_initterm
_wcmdln
_lock
strstr
__dllonexit
_onexit
??1type_info@@UAE@XZ
_errno
realloc
?terminate@@YAXXZ
_controlfp
_except_handler4_common
_ftol2
_vsnprintf
_wtoi
_stricmp
swscanf
_strnicmp
isdigit
__isascii
??_V@YAXPAX@Z
free
wcscspn
qsort
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
_wcsnicmp
wcsspn
_fgetwchar
fflush
fclose
_wfopen_s
fwprintf
wcstok
wcschr
wcsrchr
iswdigit
_vsnwprintf
_purecall
__CxxFrameHandler3
??3@YAXPAX@Z
wcsstr
strcspn
strncmp
memcmp
wcsncmp
_unlock
_itoa_s
memcpy_s
wcsncpy_s
_wcserror
wcsnlen
memset
wcscpy_s
towupper
iswlower
towlower
iswupper
sscanf_s
strpbrk
strcat_s
strcpy_s
_wcslwr
strspn
__iob_func
iswspace
vfwprintf
getenv
fwrite
ftell
_wgetenv
_fileno
_setmode
wcstoul
fgetws
feof
fgetc
_wfopen
fputws
atoi
iswalpha
_wsetlocale
isxdigit
gmtime
iswxdigit
certcli
CAGetCAProperty
CAFindByName
CAEnumFirstCA
ord373
CACloseCertType
CAEnumNextCertType
CACertTypeAccessCheckEx
CAGetCertTypeProperty
CAEnumCertTypesForCAEx
CAFreeCertTypeExtensions
CAGetCertTypeExtensions
CACertTypeGetSecurity
CAGetCertTypeExpiration
CAGetCertTypeKeySpec
CAFreeCertTypeProperty
CAGetCertTypePropertyEx
CAEnumNextCA
ord258
CAEnumCertTypesEx
ord356
ord205
ord213
ord254
ord360
ord223
ord256
ord246
ord225
ord362
CAGetCAFlags
CAGetCAExpiration
CAAccessCheck
ord361
CAGetCACertificate
CAGetCASecurity
CASetCAProperty
CAUpdateCAEx
CAFindByCertType
ord257
ord218
ord255
CAEnumCertTypesForCA
CACountCertTypes
CACertTypeAccessCheck
CARemoveCACertificateTypeEx
CAAddCACertificateTypeEx
CAUpdateCA
CAFreeCAProperty
ord260
ord366
ord252
ord261
ord253
ord203
ord247
ord210
CASetCASecurity
CASetCACertificate
CASetCAFlags
CACountCAs
CACreateNewCA
CAFindCertTypeByName
ord370
ord245
CAGetCertTypeFlagsEx
ord358
ord207
ord217
CACloseCA
ord359
ord357
crypt32
CryptExportPKCS8
PFXExportCertStoreEx
PFXExportCertStore
CryptFreeOIDFunctionAddress
CryptGetOIDFunctionAddress
CryptInitOIDFunctionSet
CertStrToNameW
CryptDecryptMessage
CryptEncryptMessage
CryptSignMessage
CryptFormatObject
CertAddCertificateLinkToStore
CertGetIntendedKeyUsage
CryptHashPublicKeyInfo
CryptStringToBinaryW
CryptMsgOpenToDecode
CertNameToStrW
CryptSignCertificate
CryptExportPublicKeyInfoEx
CryptSignAndEncodeCertificate
CertDuplicateStore
CryptMsgUpdate
CryptMsgOpenToEncode
CryptBinaryToStringW
CertOpenServerOcspResponse
I_CryptWalkAllLruCacheEntries
I_CryptRemoveLruEntry
I_CryptGetLruEntryData
I_CryptFindLruEntry
I_CryptReleaseLruEntry
I_CryptInsertLruEntry
I_CryptCreateLruEntry
CertCloseServerOcspResponse
I_CryptFreeLruCache
I_CryptCreateLruCache
CryptMsgEncodeAndSignCTL
CertGetNameStringA
CertSetCertificateContextPropertiesFromCTLEntry
CertCreateContext
I_CertProtectFunction
CertAddStoreToCollection
CertVerifyCertificateChainPolicy
CryptMemFree
CertVerifySubjectCertificateContext
CryptVerifyCertificateSignatureEx
CertGetEnhancedKeyUsage
CertVerifyCRLTimeValidity
CertVerifyRevocation
CertVerifyTimeValidity
CryptEnumKeyIdentifierProperties
CryptImportPublicKeyInfo
CertDuplicateCRLContext
CertDeleteCRLFromStore
CertAddCTLContextToStore
CertAddCRLContextToStore
CertEnumSystemStore
CertEnumSystemStoreLocation
CertEnumPhysicalStore
CertControlStore
CertSaveStore
CertAddSerializedElementToStore
CertAddEncodedCTLToStore
CertAddEncodedCRLToStore
CertAddEncodedCertificateToStore
CertSetCTLContextProperty
CertSetCRLContextProperty
CryptFindCertificateKeyProvInfo
CryptAcquireCertificatePrivateKey
CertEnumCertificateContextProperties
CertGetCRLContextProperty
CertEnumCRLContextProperties
CertGetCTLContextProperty
CertEnumCTLContextProperties
CertSetStoreProperty
CertComparePublicKeyInfo
CryptExportPublicKeyInfo
CertFreeCTLContext
CertCreateCTLContext
CertEnumCTLsInStore
CertDeleteCertificateFromStore
CertGetNameStringW
CryptDecodeObjectEx
CryptQueryObject
CryptMsgGetParam
CryptVerifyDetachedMessageSignature
CryptMsgGetAndVerifySigner
CryptMsgControl
PFXIsPFXBlob
PFXImportCertStore
CryptImportPKCS8
CertGetPublicKeyLength
CryptMsgClose
CertAddCertificateContextToStore
CertSetCertificateContextProperty
CryptGetKeyIdentifierProperty
CertFindAttribute
CryptHashCertificate
CryptDecodeObject
CertOpenStore
CertFindCertificateInStore
CertEnumCertificatesInStore
CryptFindLocalizedName
CryptVerifyCertificateSignature
CertCompareCertificateName
CertFreeCertificateChain
CertGetCertificateChain
CryptHashCertificate2
CryptImportPublicKeyInfoEx2
CryptRegisterOIDInfo
CertCreateCertificateContext
CryptEnumOIDInfo
CertCreateCRLContext
CertFreeCRLContext
CertEnumCRLsInStore
CertCloseStore
CertGetCertificateContextProperty
CryptFindOIDInfo
CryptEncodeObjectEx
CertFreeCertificateContext
CertFindExtension
CertDuplicateCertificateContext
cabinet
ord23
ord22
ord21
ord20
comctl32
InitCommonControlsEx
cryptui
CryptUIDlgViewCertificateW
CryptUIDlgFreeCAContext
CryptUIDlgViewCRLW
gdi32
GetStockObject
ncrypt
NCryptSecretAgreement
NCryptIsKeyHandle
BCryptVerifySignature
BCryptDestroyKey
NCryptOpenStorageProvider
NCryptImportKey
NCryptSetProperty
NCryptFinalizeKey
BCryptSetProperty
BCryptGetProperty
BCryptCloseAlgorithmProvider
SslEnumProtocolProviders
SslOpenProvider
SslFreeBuffer
SslFreeObject
NCryptGetProperty
BCryptFreeBuffer
BCryptOpenAlgorithmProvider
BCryptCreateHash
BCryptHashData
BCryptFinishHash
BCryptDestroyHash
BCryptDecrypt
BCryptEncrypt
BCryptExportKey
BCryptResolveProviders
BCryptEnumContextFunctions
BCryptQueryContextConfiguration
BCryptEnumContexts
BCryptQueryProviderRegistration
BCryptGenerateKeyPair
BCryptEnumAlgorithms
NCryptFreeBuffer
NCryptEnumStorageProviders
NCryptEnumKeys
NCryptIsAlgSupported
NCryptEnumAlgorithms
NCryptVerifySignature
NCryptSignHash
NCryptFreeObject
NCryptOpenKey
NCryptExportKey
NCryptEncrypt
NCryptDeriveKey
NCryptDeleteKey
NCryptDecrypt
NCryptCreatePersistedKey
BCryptSignHash
BCryptGenRandom
netapi32
NetApiBufferFree
NetUserGetGroups
DsGetDcNameW
DsGetSiteNameW
DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory
normaliz
IdnToAscii
IdnToUnicode
ntdll
WinSqmIncrementDWORD
RtlNtStatusToDosError
RtlGetPersistedStateLocation
NtQuerySystemTime
RtlTimeToSecondsSince1970
NtQuerySystemInformationEx
ntdsapi
DsBindW
DsFreeDomainControllerInfoW
DsGetDomainControllerInfoW
DsFreeNameResultW
DsCrackNamesW
DsUnBindW
setupapi
SetupGetIntField
SetupFindNextLine
SetupGetFieldCount
SetupGetStringFieldW
SetupFindFirstLineW
SetupGetLineCountW
SetupOpenInfFileW
SetupCloseInfFile
shell32
SHGetKnownFolderPath
SHGetFolderPathW
version
GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW
wldap32
ord208
ord16
ord73
ord12
ord18
ord14
ord145
ord13
ord113
ord140
ord224
ord142
ord79
ord127
ord167
ord147
ord155
ord206
ord135
ord203
ord36
ord26
ord27
ord191
ord41
ord65
ord210
ole32
CoCreateInstance
CoTaskMemFree
CoInitialize
CoUninitialize
CoInitializeEx
CLSIDFromString
CLSIDFromProgID
StringFromCLSID
ProgIDFromCLSID
CoTaskMemAlloc
CoCreateInstanceEx
CoSetProxyBlanket
StgOpenStorageEx
PropVariantClear
oleaut32
VariantCopyInd
SystemTimeToVariantTime
SafeArrayUnaccessData
SafeArrayGetElement
SafeArrayAccessData
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayGetDim
SetErrorInfo
SysFreeString
CreateErrorInfo
VariantTimeToSystemTime
SysStringLen
SafeArrayDestroy
SafeArrayPutElement
VariantClear
SafeArrayCreate
SysAllocStringByteLen
SysAllocStringLen
SysAllocString
VariantInit
SysStringByteLen
rpcrt4
NdrClientCall2
UuidCreate
UuidIsNil
UuidFromStringW
RpcStringFreeW
UuidToStringW
I_RpcExceptionFilter
secur32
GetUserNameExW
TranslateNameW
GetComputerObjectNameW
user32
LoadIconW
DefWindowProcW
PostQuitMessage
LoadStringW
UpdateWindow
SetWindowLongW
SetFocus
ShowWindow
GetWindowTextW
CallWindowProcW
GetWindowLongW
SetWindowTextW
PostMessageW
GetMessageW
GetDlgItemTextW
IsDlgButtonChecked
GetDlgItemInt
EndDialog
SetDlgItemInt
CheckDlgButton
SendDlgItemMessageA
EnableWindow
GetDlgItem
SetDlgItemTextW
LoadCursorW
MessageBoxW
SendMessageW
SetCursor
CharLowerW
GetDesktopWindow
RegisterClassW
TranslateMessage
DispatchMessageW
DialogBoxParamW
CreateWindowExW
shlwapi
PathFindFileNameW
Sections
.text   Size: 1.1MB - Virtual size: 1.1MB   Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data   Size: 39KB - Virtual size: 49KB     Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  Size: 20KB - Virtual size: 19KB     Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat  Size: 512B - Virtual size: 376B     Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   Size: 4KB - Virtual size: 4KB       Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  Size: 67KB - Virtual size: 66KB     Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ