syshelper[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

syshelper.exe
Size

1.5MB
MD5

4ae63a32b887d6eb6bc8b16dc7bbe3fb
SHA1

65bcf96531303eb9122eed8eb80c8caed7647ab5
SHA256

a78b0370fe3f72cdf769a4dc0ec3718c09f0aa5c550cfaa311d06c2d1f2b7301
SHA512

c7920cb90859877ba8623e9f85d5f150146a62e3e5326616aac2a2f00f784c1dee3e51cc522c68278bc392346f93d35ac48eeda6cdc8e15ff7c7ca3c9a727f38
SSDEEP

24576:cPsDFTLVjFMZzwRZAgDlSWWmq96ni3IhECZe9lJ+8Ko2BCHJYF8NK:cPs9VhMZ0jywiRCen

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
syshelper.exe

Files

syshelper.exe
.exe windows x64

891f5d4f479fa93dc89e1418a9bb735b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

SetEndOfFile
SetStdHandle
GetTimeZoneInformation
GetExitCodeProcess
WaitForSingleObject
HeapReAlloc
FlushFileBuffers
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
HeapFree
HeapAlloc
GetConsoleOutputCP
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetProcessHeap
HeapSize
WriteConsoleW
Sleep
GetComputerNameA
GetModuleFileNameA
GetSystemInfo
CreatePipe
CreateFileA
CreateFileW
ReadFile
SetFilePointer
WriteFile
CloseHandle
GetLastError
GetCurrentDirectoryW
CreateDirectoryW
DeleteFileW
FindClose
FindFirstFileW
FindNextFileW
GetFileAttributesW
GetFileAttributesExW
DeviceIoControl
LocalFree
FormatMessageW
MultiByteToWideChar
WideCharToMultiByte
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
QueryPerformanceCounter
GetTickCount
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
QueryPerformanceFrequency
GetSystemDirectoryW
FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryW
SetLastError
MoveFileExW
WaitForSingleObjectEx
GetEnvironmentVariableA
GetCurrentProcessId
GetStdHandle
GetFileType
PeekNamedPipe
WaitForMultipleObjects
SleepEx
VerSetConditionMask
GetModuleHandleA
VerifyVersionInfoW
GetFileSizeEx
FormatMessageA
GetLocaleInfoEx
FindFirstFileExW
GetFileInformationByHandle
GetFullPathNameW
SetFileInformationByHandle
GetTempPathW
AreFileApisANSI
CopyFileW
CreateHardLinkW
GetFileInformationByHandleEx
CreateSymbolicLinkW
RtlPcToFileHeader
RaiseException
InitializeSRWLock
TryAcquireSRWLockExclusive
GetCurrentThreadId
EncodePointer
DecodePointer
LCMapStringEx
CompareStringEx
GetCPInfo
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetSystemTimeAsFileTime
GetStringTypeW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
CreateEventW
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
RtlUnwindEx
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
RtlUnwind
ExitProcess
GetModuleHandleExW
DuplicateHandle
CreateProcessW
CreateThread
ExitThread
FreeLibraryAndExitThread
GetDriveTypeW
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
SetFilePointerEx
GetModuleFileNameW
GetConsoleMode
ReadConsoleW
lstrcmpiW

advapi32

CryptEncrypt
CryptAcquireContextW
CryptReleaseContext
CryptGetHashParam
CryptCreateHash
CryptImportKey
GetUserNameA
GetCurrentHwProfileW
RegGetValueA
CryptHashData
CryptDestroyKey
CryptDestroyHash

bcrypt

BCryptGenRandom

ws2_32

ioctlsocket
getpeername
sendto
recvfrom
freeaddrinfo
getaddrinfo
recv
listen
htonl
getsockname
connect
bind
accept
select
__WSAFDIsSet
inet_pton
socket
gethostname
WSAIoctl
setsockopt
WSACleanup
WSAStartup
inet_ntop
WSASetLastError
ntohs
WSAGetLastError
closesocket
WSAWaitForMultipleEvents
WSAResetEvent
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
send
getsockopt
htons

crypt32

CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CryptQueryObject
CertGetNameStringW
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryW
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 249KB - Virtual size: 249KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 70KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

891f5d4f479fa93dc89e1418a9bb735b

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

bcrypt

ws2_32

crypt32

Sections

.text Size: 1.2MB - Virtual size: 1.2MB

.rdata Size: 249KB - Virtual size: 249KB

.data Size: 12KB - Virtual size: 20KB

.pdata Size: 70KB - Virtual size: 70KB

_RDATA Size: 512B - Virtual size: 348B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 5KB - Virtual size: 5KB

.text
Size: 1.2MB - Virtual size: 1.2MB

.rdata
Size: 249KB - Virtual size: 249KB

.data
Size: 12KB - Virtual size: 20KB

.pdata
Size: 70KB - Virtual size: 70KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 5KB - Virtual size: 5KB