2Take1MenuVIP[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

2Take1MenuVIP.zip
Size

5.1MB
MD5

32af2eb0bc9ba24b100d94afaf643ee2
SHA1

2a8f39ac71a57b55c70cdbab8a0d6733ecdea6fd
SHA256

9b0db60d81ae37180876f341dbd98e6ea8fcd1fa048cdaad0bfd480aa52f4b97
SHA512

2fbc3555355edd876e23804f0f1a54fee7441703ff4f84877e2f914e3a1ee993ffea4f1b19dd6bb82ffce5c137c846597d85936f1ab8fe61d643db3d5ccf493e
SSDEEP

98304:1kASZIIqg8oXd/9eheC6/0AumVOolN/xwFR7tTD50kJpEk7D45b8:Wtpqg8eojXorxwFXN0Ih7cb8

Score

3^/10

Malware Config

Signatures

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Launcher.exe
unpack001/Updater.exe
unpack001/spel64.dll

Files

2Take1MenuVIP.zip
.zip
Launcher.dat
Launcher.exe
.exe windows x64

8ba84303059bff9d986999514225e980

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

OpenThread
GetCurrentProcess
VirtualFreeEx
CreateRemoteThread
WriteProcessMemory
GetLastError
VirtualAllocEx
GetModuleFileNameA
Process32Next
Process32First
CreateToolhelp32Snapshot
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentProcessId
SetThreadContext
IsDebuggerPresent
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetModuleHandleW
CreateEventW
ResetEvent
SetEvent
InitializeCriticalSectionAndSpinCount
CreateFileA
GetFileSizeEx
WaitForSingleObjectEx
FormatMessageA
SetLastError
RtlDeleteFunctionTable
ReadProcessMemory
GetThreadContext
VirtualProtectEx
ResumeThread
SuspendThread
Thread32First
Thread32Next
GetProcessId
RtlAddFunctionTable
VirtualAlloc
VirtualFree
GetStartupInfoW
LoadLibraryA
GetProcAddress
GetModuleHandleA
GetCurrentDirectoryA
GetTickCount
QueryPerformanceCounter
TerminateProcess
CreateProcessA
Sleep
CreateThread
OpenProcess
ReleaseMutex
WaitForSingleObject
UnmapViewOfFile
CloseHandle
MapViewOfFile
CreateFileMappingA
OpenMutexA
GetCurrentThreadId
GetFileAttributesA
CreateDirectoryA
ExpandEnvironmentStringsA
VerifyVersionInfoA
GetSystemDirectoryA
QueryPerformanceFrequency
VerSetConditionMask
FreeLibrary
SleepEx
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
ReadFile
GetStdHandle
WaitForMultipleObjects
PeekNamedPipe
GetFileType
CreateMutexExA

user32

PostQuitMessage
SendMessageA
CallWindowProcA
LoadIconA
LoadCursorA
RegisterClassExA
CreateWindowExA
ShowWindow
GetMessageA
TranslateMessage
GetDC
SetWindowLongPtrA
BeginPaint
IsWindowVisible
EndPaint
SetWindowTextA
FindWindowA
MessageBoxA
SetWindowPos
GetSystemMetrics
DefWindowProcA
DispatchMessageA
GetWindowLongPtrA
GetWindowRect
FillRect
SetFocus
LoadBitmapA
UpdateWindow
InvalidateRect

gdi32

TextOutA
SetTextAlign
SetTextColor
SetBkMode
SetBkColor
CreateFontA
CreateSolidBrush
DeleteDC
DeleteObject
BitBlt
SelectObject
CreateCompatibleDC

advapi32

CryptReleaseContext
CryptEncrypt
CryptImportKey
CryptAcquireContextA
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptGetHashParam
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
CryptDestroyKey

spel64

load_library

msvcp140

??Bid@locale@std@@QEAA_KXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$collate@D@std@@2V0locale@2@A
_Strxfrm
_Strcoll
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?tolower@?$ctype@D@std@@QEBADD@Z
?_Xbad_alloc@std@@YAXXZ
?tolower@?$ctype@D@std@@QEBAPEBDPEADPEBD@Z
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
?uncaught_exception@std@@YA_NXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
??0facet@locale@std@@IEAA@_K@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??1facet@locale@std@@MEAA@XZ
??0_Lockit@std@@QEAA@H@Z
??0_Locinfo@std@@QEAA@PEBD@Z
??1_Lockit@std@@QEAA@XZ
??1_Locinfo@std@@QEAA@XZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Incref@facet@locale@std@@UEAAXXZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xlength_error@std@@YAXPEBD@Z
?id@?$ctype@D@std@@2V0locale@2@A

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcpy
__current_exception_context
_CxxThrowException
memcmp
memmove
memset
__current_exception
__std_terminate
__C_specific_handler
strstr
strrchr
_purecall
strchr
__std_exception_destroy
__std_exception_copy
memchr
__RTDynamicCast

api-ms-win-crt-heap-l1-1-0

malloc
_callnewh
realloc
free
calloc
_set_new_mode

api-ms-win-crt-runtime-l1-1-0

_initterm
_get_narrow_winmain_command_line
exit
_set_app_type
_seh_filter_exe
terminate
strerror
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_c_exit
_register_thread_local_exe_atexit_callback
_beginthreadex
__sys_nerr
_initterm_e
_invalid_parameter_noinfo
_errno
_getpid
_invalid_parameter_noinfo_noreturn
_exit

api-ms-win-crt-time-l1-1-0

clock
_gmtime64
_time64
strftime
_localtime64_s

api-ms-win-crt-string-l1-1-0

strcpy_s
tolower
_stricmp
strcat_s
_strdup
strncmp
strncpy
strpbrk
isupper
strspn
strcspn
strcmp

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf_s
fgets
fopen_s
_set_fmode
fseek
fputs
ftell
__acrt_iob_func
fopen
__stdio_common_vsscanf
__p__commode
rewind
__stdio_common_vsprintf
_read
_write
fread
fclose
fwrite
_open
_lseeki64
_get_stream_buffer_pointers
_close
fputc
ungetc
fgetc
fgetpos
_fseeki64
fsetpos
setvbuf
fflush

api-ms-win-crt-convert-l1-1-0

strtoul
strtoll
strtol
atoi

api-ms-win-crt-filesystem-l1-1-0

_stat64
_unlock_file
_fstat64
_lock_file
_unlink
remove
_access
rename

api-ms-win-crt-utility-l1-1-0

rand_s
srand
rand
qsort

api-ms-win-crt-environment-l1-1-0

_dupenv_s
getenv

api-ms-win-crt-multibyte-l1-1-0

_mbspbrk
_mbsncmp
_mbschr
_mbsnbcpy

api-ms-win-crt-math-l1-1-0

ceilf
__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

crypt32

CertFindCertificateInStore
CertCloseStore
CertFreeCertificateContext
CertOpenStore
CertGetCertificateChain
CertFreeCertificateChainEngine
CertAddCertificateContextToStore
CryptQueryObject
CertFreeCertificateChain
CertGetNameStringA
CertCreateCertificateChainEngine
CertEnumCertificatesInStore
CryptStringToBinaryA

ws2_32

socket
WSAStartup
ntohl
gethostname
htonl
WSACleanup
getaddrinfo
freeaddrinfo
accept
listen
recvfrom
sendto
__WSAFDIsSet
select
bind
WSAIoctl
closesocket
WSASetLastError
getpeername
getsockname
ioctlsocket
ntohs
connect
getsockopt
htons
setsockopt
send
WSAGetLastError
recv

wldap32

ord32
ord211
ord26
ord30
ord301
ord50
ord143
ord60
ord217
ord41
ord33
ord79
ord200
ord27
ord35
ord45
ord46
ord22

Sections

.text
Size: 490KB - Virtual size: 489KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 126KB - Virtual size: 126KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 669KB - Virtual size: 669KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.vlizer
Size: 3.0MB - Virtual size: 8.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Updater.exe
.exe windows x64

91533cd0901a926548d904883f897c08

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetTickCount
QueryPerformanceCounter
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
SleepEx
FreeLibrary
VerSetConditionMask
GetProcAddress
FormatMessageA
LoadLibraryA
UnhandledExceptionFilter
GetModuleHandleA
VerifyVersionInfoA
CreateDirectoryA
GetFileAttributesA
GetLastError
GetCurrentThreadId
SetLastError
ExpandEnvironmentStringsA
ReadFile
GetStdHandle
WaitForMultipleObjects
PeekNamedPipe
GetFileType
WaitForSingleObjectEx
GetFileSizeEx
CreateFileA
RtlCaptureContext
RtlLookupFunctionEntry
QueryPerformanceFrequency
RtlVirtualUnwind
GetModuleHandleW
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeSListHead
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetModuleFileNameW
CloseHandle
CreateProcessA
Sleep
GetSystemDirectoryA
SetConsoleTitleA

ole32

CoCreateInstance
CoInitialize
CoUninitialize

msvcp140

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?id@?$ctype@D@std@@2V0locale@2@A
??Bid@locale@std@@QEAA_KXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?uncaught_exception@std@@YA_NXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_exception_copy
__std_terminate
memcpy
__C_specific_handler
memmove
memchr
strrchr
__std_exception_destroy
__current_exception
strchr
memcmp
strstr
memset
_CxxThrowException
_local_unwind
__current_exception_context

api-ms-win-crt-runtime-l1-1-0

_seh_filter_exe
_register_thread_local_exe_atexit_callback
_crt_atexit
_register_onexit_function
_exit
_initialize_narrow_environment
_set_app_type
__p___argc
terminate
_beginthreadex
exit
__p___argv
_getpid
__sys_nerr
_get_initial_narrow_environment
_initterm
strerror
_configure_narrow_argv
_initterm_e
_initialize_onexit_table
_invalid_parameter_noinfo_noreturn
_c_exit
_cexit
_errno

api-ms-win-crt-heap-l1-1-0

malloc
calloc
realloc
_set_new_mode
_callnewh
free

api-ms-win-crt-stdio-l1-1-0

fgetc
fwrite
fgetpos
_fseeki64
fsetpos
setvbuf
fflush
fputc
_get_stream_buffer_pointers
fclose
fopen_s
fseek
ftell
rewind
__acrt_iob_func
__stdio_common_vfprintf_s
__stdio_common_vfwprintf_s
__stdio_common_vsprintf_s
ungetc
_close
_open
_write
_read
__p__commode
_set_fmode
_lseeki64
fgets
__stdio_common_vsscanf
fputs
fopen
__stdio_common_vsprintf
fread

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
remove
_unlink
_fstat64
_lock_file
_access
_stat64

api-ms-win-crt-time-l1-1-0

_localtime64_s
_time64
_gmtime64
strftime

api-ms-win-crt-convert-l1-1-0

strtol
atoi
strtoul
strtoll

api-ms-win-crt-string-l1-1-0

strncmp
tolower
_strdup
_stricmp
isupper
strpbrk
strspn
strcspn
strcmp
strncpy

api-ms-win-crt-environment-l1-1-0

_dupenv_s
getenv

api-ms-win-crt-multibyte-l1-1-0

_mbschr
_mbsnbcpy
_mbsncmp
_mbspbrk

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

crypt32

CertFreeCertificateContext
CertEnumCertificatesInStore
CertCloseStore
CertFindCertificateInStore
CertOpenStore
CertGetCertificateChain
CertFreeCertificateChainEngine
CertAddCertificateContextToStore
CryptQueryObject
CertFreeCertificateChain
CertGetNameStringA
CertCreateCertificateChainEngine
CryptStringToBinaryA

ws2_32

recvfrom
sendto
freeaddrinfo
ioctlsocket
__WSAFDIsSet
select
bind
WSAIoctl
closesocket
getaddrinfo
WSASetLastError
htonl
getpeername
gethostname
ntohl
send
accept
setsockopt
getsockname
recv
socket
WSAStartup
WSACleanup
listen
htons
ntohs
getsockopt
connect
WSAGetLastError

wldap32

ord79
ord143
ord200
ord27
ord26
ord41
ord46
ord50
ord301
ord211
ord30
ord217
ord35
ord33
ord32
ord45
ord60
ord22

advapi32

CryptDestroyKey
CryptEncrypt
CryptImportKey
CryptAcquireContextA
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptGetHashParam
CryptReleaseContext

Sections

.text
Size: 372KB - Virtual size: 372KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 95KB - Virtual size: 95KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 363KB - Virtual size: 363KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.vlizer
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
spel64.dll
.dll windows x64

2e7b0100a9237666ee729368d7009231

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

WriteProcessMemory
VirtualFree
VirtualAlloc
GetProcessId
Thread32Next
Thread32First
SuspendThread
ResumeThread
CreateToolhelp32Snapshot
Sleep
LoadLibraryA
CloseHandle
GetThreadContext
GetProcAddress
VirtualAllocEx
ReadProcessMemory
VirtualFreeEx
SetThreadContext
OpenThread
GetCurrentProcess
CreateRemoteThread
WaitForSingleObject
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
DisableThreadLibraryCalls
InitializeSListHead
IsDebuggerPresent
RtlCaptureContext

msvcp140

?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcpy
memset
memmove
__std_exception_destroy
__std_exception_copy
__std_terminate
__C_specific_handler
__std_type_info_destroy_list
_CxxThrowException

api-ms-win-crt-stdio-l1-1-0

fclose
fflush
fputc
fwrite
_get_stream_buffer_pointers
_fseeki64
fread
fsetpos
ungetc
setvbuf
fgetpos
fgetc

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file

api-ms-win-crt-runtime-l1-1-0

_crt_atexit
_register_onexit_function
_cexit
_initialize_onexit_table
_invalid_parameter_noinfo_noreturn
_initialize_narrow_environment
_seh_filter_dll
_execute_onexit_table
_initterm_e
_initterm
_configure_narrow_argv

api-ms-win-crt-heap-l1-1-0

_callnewh
free
malloc

Exports

Exports

free_library
free_library_ex
hijack_first_thread
hijack_thread
load_library
load_library_ex

Sections

.text
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8ba84303059bff9d986999514225e980

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

spel64

msvcp140

version

vcruntime140_1

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-multibyte-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

crypt32

ws2_32

wldap32

Sections

.text Size: 490KB - Virtual size: 489KB

.rdata Size: 126KB - Virtual size: 126KB

.data Size: 4KB - Virtual size: 7KB

.pdata Size: 21KB - Virtual size: 20KB

.rsrc Size: 669KB - Virtual size: 669KB

.reloc Size: - Virtual size: 1KB

.vlizer Size: 3.0MB - Virtual size: 8.1MB

91533cd0901a926548d904883f897c08

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

ole32

msvcp140

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-multibyte-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

crypt32

ws2_32

wldap32

advapi32

Sections

.text Size: 372KB - Virtual size: 372KB

.rdata Size: 95KB - Virtual size: 95KB

.data Size: 2KB - Virtual size: 4KB

.pdata Size: 15KB - Virtual size: 14KB

.rsrc Size: 363KB - Virtual size: 363KB

.reloc Size: - Virtual size: 1KB

.vlizer Size: 2.0MB - Virtual size: 2.0MB

2e7b0100a9237666ee729368d7009231

Headers

DLL Characteristics

File Characteristics

.text
Size: 490KB - Virtual size: 489KB

.rdata
Size: 126KB - Virtual size: 126KB

.data
Size: 4KB - Virtual size: 7KB

.pdata
Size: 21KB - Virtual size: 20KB

.rsrc
Size: 669KB - Virtual size: 669KB

.reloc
Size: - Virtual size: 1KB

.vlizer
Size: 3.0MB - Virtual size: 8.1MB

.text
Size: 372KB - Virtual size: 372KB

.rdata
Size: 95KB - Virtual size: 95KB

.data
Size: 2KB - Virtual size: 4KB

.pdata
Size: 15KB - Virtual size: 14KB

.rsrc
Size: 363KB - Virtual size: 363KB

.reloc
Size: - Virtual size: 1KB

.vlizer
Size: 2.0MB - Virtual size: 2.0MB

.text
Size: 14KB - Virtual size: 13KB

.rdata
Size: 10KB - Virtual size: 10KB

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 120B