DataExchangeHost[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

DataExchangeHost.exe
Size

253KB
MD5

1c684d351cbee157a985f153b7136f9a
SHA1

1c1d7d43df82c51a61ce852d0b226b998b47b3eb
SHA256

55a8e3733ac2e88a2975e16a4e2968b7c81fb113e02f9d14ac9b0566d41e8d23
SHA512

9685a13b4dbb226ae522c22ca59d200cb6ac6236ce4f10a11d64049b9c00ec017efaf4d4688fe6ef2082157fd7c50b03dfb85c5dc9b63e2371b01467d6571785
SSDEEP

3072:YF5uCg6AtQGfR7iz7KeIM6mzI476RQeIDeo/QmoIZae1c20iQqs6tNaaa5aaav/A:YLNIrpy28I4LDeo/P7n0iX0yblDicL4R

Score

1^/10

Malware Config

Signatures

Files

DataExchangeHost.exe
.exe windows x64

b30b5ddd9de2b3ad7df270f23adf7d33

Code Sign

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/03/2020, 18:30

Not After

03/03/2021, 18:30

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ea:3f:50:b7:7d:de:0b:ab:0d:af:1c:b9:60:a2:67:e8:2f:61:f2:bd:1c:9d:b0:d0:b3:77:a8:29:3a:6a:9d:68
Signer

Actual PE Digest

ea:3f:50:b7:7d:de:0b:ab:0d:af:1c:b9:60:a2:67:e8:2f:61:f2:bd:1c:9d:b0:d0:b3:77:a8:29:3a:6a:9d:68

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_commode
_fmode
?terminate@@YAXXZ
_lock
_unlock
_onexit
_wcmdln
__C_specific_handler
_initterm
??1type_info@@UEAA@XZ
__dllonexit
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
_purecall
??_V@YAXPEAX@Z
__CxxFrameHandler3
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
??3@YAXPEAX@Z
free
?what@exception@@UEBAPEBDXZ
??0exception@@QEAA@AEBQEBD@Z
??0bad_cast@@QEAA@PEBD@Z
??0bad_cast@@QEAA@AEBV0@@Z
??1bad_cast@@UEAA@XZ
memmove_s
wcschr
malloc
_callnewh
??0exception@@QEAA@AEBQEBDH@Z
_CxxThrowException
memcpy
memmove
setlocale
__pctype_func
___lc_handle_func
___lc_codepage_func
calloc
___mb_cur_max_func
_errno
_ismbblead
__uncaught_exception
abort
memset
_wcsdup
__crtLCMapStringW
_wsetlocale
memcmp
memcpy_s
_vsnwprintf
_vsnprintf_s
ceilf

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
LoadResource
GetModuleFileNameA
GetModuleHandleExW
GetModuleHandleW
LockResource
FindResourceExW

api-ms-win-core-synch-l1-1-0

CreateEventW
ReleaseMutex
InitializeCriticalSectionEx
InitializeCriticalSection
ResetEvent
WaitForSingleObject
EnterCriticalSection
LeaveCriticalSection
ReleaseSRWLockExclusive
CreateEventExW
DeleteCriticalSection
CreateSemaphoreExW
CreateMutexExW
SetEvent
AcquireSRWLockExclusive
OpenSemaphoreW
WaitForSingleObjectEx
AcquireSRWLockShared
ReleaseSemaphore
ReleaseSRWLockShared

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapSetInformation
HeapFree
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

SetLastError
RaiseException
UnhandledExceptionFilter
SetErrorMode
SetUnhandledExceptionFilter
GetLastError

api-ms-win-core-processthreads-l1-1-0

GetCurrentThread
OpenThreadToken
GetCurrentThreadId
GetCurrentProcess
OpenProcessToken
GetCurrentProcessId
TerminateProcess
GetProcessId
GetStartupInfoW
SetPriorityClass

api-ms-win-core-localization-l1-2-0

FormatMessageW
GetLocaleInfoW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
IsDebuggerPresent
DebugBreak

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy
OpenProcess
SetProcessMitigationPolicy

api-ms-win-core-com-l1-1-0

CreateStreamOnHGlobal
CoGetCallContext
CoReleaseMarshalData
CoMarshalInterThreadInterfaceInStream
CoUnmarshalInterface
CoMarshalInterface
CoEnableCallCancellation
CoGetCallerTID
CoTaskMemFree
CoGetMalloc
CoDisableCallCancellation
CoResumeClassObjects
CoRegisterClassObject
CoRevokeClassObject
CoAddRefServerProcess
CoReleaseServerProcess
CoCreateFreeThreadedMarshaler
CoTaskMemRealloc
CoTaskMemAlloc
CoUninitialize
CoDecrementMTAUsage
CoFreeUnusedLibrariesEx
CoInitializeEx
CoIncrementMTAUsage
CoCreateInstance
CoInitializeSecurity
CoCancelCall

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError
GetRestrictedErrorInfo
SetRestrictedErrorInfo
RoTransformError
RoOriginateErrorW

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-winrt-l1-1-0

RoActivateInstance
RoGetActivationFactory
RoRevokeActivationFactories
RoRegisterActivationFactories

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateStringReference
WindowsStringHasEmbeddedNull
WindowsCreateString
WindowsIsStringEmpty
WindowsCompareStringOrdinal
WindowsDeleteString
WindowsGetStringLen
WindowsDuplicateString
WindowsGetStringRawBuffer

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceBeginInitialize
InitOnceComplete
InitOnceExecuteOnce

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-security-base-l1-1-0

DuplicateTokenEx
GetSidSubAuthority
GetTokenInformation

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventRegister
EventWriteTransfer
EventSetInformation
EventActivityIdControl

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-winrt-error-l1-1-1

RoReportFailedDelegate
RoGetMatchingRestrictedErrorInfo
IsErrorPropagationEnabled

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolQueueTask
SHTaskPoolAllowThreadReuse

api-ms-win-core-registry-l1-1-0

RegGetValueW

api-ms-win-core-file-l1-1-0

CompareFileTime

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-threadpool-legacy-l1-1-0

DeleteTimerQueueTimer
CreateTimerQueueTimer

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
SetThreadpoolTimer
CloseThreadpoolTimer

api-ms-win-core-shlwapi-legacy-l1-1-0

PathIsFileSpecW
PathFindFileNameW

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-shcore-stream-winrt-l1-1-0

CreateStreamOverRandomAccessStream

api-ms-win-shcore-stream-l1-1-0

IStream_Read
IStream_Size
IStream_Reset

api-ms-win-core-debug-l1-1-1

CheckRemoteDebuggerPresent

api-ms-win-core-heap-obsolete-l1-1-0

GlobalUnlock
GlobalLock

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

ntdll

RtlNtStatusToDosError
RtlFreeHeap
NtQueryInformationToken
ZwQueryWnfStateData
RtlAllocateHeap
RtlNtStatusToDosErrorNoTeb
RtlCompareUnicodeString
RtlInitUnicodeString

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar
GetStringTypeW

api-ms-win-core-atoms-l1-1-0

GlobalGetAtomNameW

api-ms-win-security-capability-l1-1-0

CapabilityCheck

api-ms-win-rtcore-ntuser-window-l1-1-0

ClientToScreen
GetPropW
AllowSetForegroundWindow
GetDesktopWindow
GetForegroundWindow
GetWindowLongW
GetParent
DestroyWindow
DefWindowProcW
GetWindowThreadProcessId
SendMessageW
ShowWindow
ScreenToClient
WindowFromPoint
GetWindowLongPtrW
SetForegroundWindow
SetWindowLongPtrW
CreateWindowExW
UnregisterClassW
PostMessageW
SetTimer
GetMessageW
TranslateMessage
DispatchMessageW
GetClassInfoExW
RegisterClassExW

api-ms-win-ntuser-sysparams-l1-1-0

SystemParametersInfoW
GetSystemMetrics

api-ms-win-rtcore-ntuser-private-l1-1-0

CreateWindowInBand

dwrite

DWriteCreateFactory

api-ms-win-rtcore-ntuser-clipboard-l1-1-0

GetClipboardFormatNameW

api-ms-win-appmodel-runtime-l1-1-0

GetPackageFullName

combase

ord69
ord99

twinapi

ord11
ord12

dcomp

DCompositionCreateDevice2
ord1019

user32

SendInput
ord2521
ord2557
GetTopLevelWindow
ord2550
ReleaseCapture
GetWindowDpiAwarenessContext
IsIconic
GetCapture
AttachThreadInput
GetSysColor
GetAsyncKeyState
SetProcessDefaultLayout
SetCapture

d2d1

ord7

d3d11

D3D11CreateDevice

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 169KB - Virtual size: 169KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.imrsiv
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 59KB - Virtual size: 59KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 72B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b30b5ddd9de2b3ad7df270f23adf7d33

Code Sign

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

ea:3f:50:b7:7d:de:0b:ab:0d:af:1c:b9:60:a2:67:e8:2f:61:f2:bd:1c:9d:b0:d0:b3:77:a8:29:3a:6a:9d:68Signer

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-com-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-shcore-stream-winrt-l1-1-0

api-ms-win-shcore-stream-l1-1-0

api-ms-win-core-debug-l1-1-1

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-synch-l1-2-1

ntdll

api-ms-win-core-string-l1-1-0

api-ms-win-core-atoms-l1-1-0

api-ms-win-security-capability-l1-1-0

api-ms-win-rtcore-ntuser-window-l1-1-0

api-ms-win-ntuser-sysparams-l1-1-0

api-ms-win-rtcore-ntuser-private-l1-1-0

dwrite

api-ms-win-rtcore-ntuser-clipboard-l1-1-0

api-ms-win-appmodel-runtime-l1-1-0

combase

twinapi

dcomp

user32

d2d1

d3d11

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 169KB - Virtual size: 169KB

.imrsiv Size: - Virtual size: 4B

.rdata Size: 59KB - Virtual size: 59KB

.data Size: 1024B - Virtual size: 4KB

.pdata Size: 8KB - Virtual size: 8KB

.didat Size: 512B - Virtual size: 72B

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 2KB - Virtual size: 2KB

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

ea:3f:50:b7:7d:de:0b:ab:0d:af:1c:b9:60:a2:67:e8:2f:61:f2:bd:1c:9d:b0:d0:b3:77:a8:29:3a:6a:9d:68
Signer

.text
Size: 169KB - Virtual size: 169KB

.imrsiv
Size: - Virtual size: 4B

.rdata
Size: 59KB - Virtual size: 59KB

.data
Size: 1024B - Virtual size: 4KB

.pdata
Size: 8KB - Virtual size: 8KB

.didat
Size: 512B - Virtual size: 72B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 2KB - Virtual size: 2KB