syshelper[.]exe[.]7z

Sharing

Copy URL Twitter E-mail

General

Target

syshelper.exe.7z
Size

568KB
MD5

687c2789a9f657750db4f104c1f98c9d
SHA1

cdc70f4587ac5afccddd9b0968274a4fd80386a3
SHA256

96eb3e6d593912fea0d1a4320e304baec81a0f91261b61e5b48bde50d1607b61
SHA512

ab40fea920509f8977336116a372059df7981e55bd8ecfcbfe13969d84248ef821893526dcf889355e71fac567d80e4d2a57f1de14dc9965757dbbaa0467cf60
SSDEEP

12288:5YgWtZv/xH/Qpu8pJBGdrMDgeSQFu9JvU7g/5xDbL8ek:5YgW3vtQSMDvunU8/nD

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/syshelper.exe

Files

syshelper.exe.7z
.7z

Password: infected
syshelper.exe
.exe windows x64

Password: infected

891f5d4f479fa93dc89e1418a9bb735b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

SetEndOfFile
SetStdHandle
GetTimeZoneInformation
GetExitCodeProcess
WaitForSingleObject
HeapReAlloc
FlushFileBuffers
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
HeapFree
HeapAlloc
GetConsoleOutputCP
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetProcessHeap
HeapSize
WriteConsoleW
Sleep
GetComputerNameA
GetModuleFileNameA
GetSystemInfo
CreatePipe
CreateFileA
CreateFileW
ReadFile
SetFilePointer
WriteFile
CloseHandle
GetLastError
GetCurrentDirectoryW
CreateDirectoryW
DeleteFileW
FindClose
FindFirstFileW
FindNextFileW
GetFileAttributesW
GetFileAttributesExW
DeviceIoControl
LocalFree
FormatMessageW
MultiByteToWideChar
WideCharToMultiByte
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
QueryPerformanceCounter
GetTickCount
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
QueryPerformanceFrequency
GetSystemDirectoryW
FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryW
SetLastError
MoveFileExW
WaitForSingleObjectEx
GetEnvironmentVariableA
GetCurrentProcessId
GetStdHandle
GetFileType
PeekNamedPipe
WaitForMultipleObjects
SleepEx
VerSetConditionMask
GetModuleHandleA
VerifyVersionInfoW
GetFileSizeEx
FormatMessageA
GetLocaleInfoEx
FindFirstFileExW
GetFileInformationByHandle
GetFullPathNameW
SetFileInformationByHandle
GetTempPathW
AreFileApisANSI
CopyFileW
CreateHardLinkW
GetFileInformationByHandleEx
CreateSymbolicLinkW
RtlPcToFileHeader
RaiseException
InitializeSRWLock
TryAcquireSRWLockExclusive
GetCurrentThreadId
EncodePointer
DecodePointer
LCMapStringEx
CompareStringEx
GetCPInfo
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetSystemTimeAsFileTime
GetStringTypeW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
CreateEventW
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
RtlUnwindEx
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
RtlUnwind
ExitProcess
GetModuleHandleExW
DuplicateHandle
CreateProcessW
CreateThread
ExitThread
FreeLibraryAndExitThread
GetDriveTypeW
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
SetFilePointerEx
GetModuleFileNameW
GetConsoleMode
ReadConsoleW
lstrcmpiW

advapi32

CryptEncrypt
CryptAcquireContextW
CryptReleaseContext
CryptGetHashParam
CryptCreateHash
CryptImportKey
GetUserNameA
GetCurrentHwProfileW
RegGetValueA
CryptHashData
CryptDestroyKey
CryptDestroyHash

bcrypt

BCryptGenRandom

ws2_32

ioctlsocket
getpeername
sendto
recvfrom
freeaddrinfo
getaddrinfo
recv
listen
htonl
getsockname
connect
bind
accept
select
__WSAFDIsSet
inet_pton
socket
gethostname
WSAIoctl
setsockopt
WSACleanup
WSAStartup
inet_ntop
WSASetLastError
ntohs
WSAGetLastError
closesocket
WSAWaitForMultipleEvents
WSAResetEvent
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
send
getsockopt
htons

crypt32

CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CryptQueryObject
CertGetNameStringW
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryW
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 249KB - Virtual size: 249KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 70KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

891f5d4f479fa93dc89e1418a9bb735b

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

bcrypt

ws2_32

crypt32

Sections

.text Size: 1.2MB - Virtual size: 1.2MB

.rdata Size: 249KB - Virtual size: 249KB

.data Size: 12KB - Virtual size: 20KB

.pdata Size: 70KB - Virtual size: 70KB

_RDATA Size: 512B - Virtual size: 348B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 5KB - Virtual size: 5KB

.text
Size: 1.2MB - Virtual size: 1.2MB

.rdata
Size: 249KB - Virtual size: 249KB

.data
Size: 12KB - Virtual size: 20KB

.pdata
Size: 70KB - Virtual size: 70KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 5KB - Virtual size: 5KB