FrostLoader_[.]rar

Sharing

Copy URL Twitter E-mail

General

Target

FrostLoader_.rar
Size

540KB
MD5

d26f7d087dca362fb4369f80f0c69e45
SHA1

dbb7d0532459788ae01b536c2d6d2921d9147a08
SHA256

d567fe49ec2deba97dc309df970e0245665005995a3ac08f5a329d5f493bc5c5
SHA512

c60ddad16ea5ff441905e72a7a71206e276963d0a841a16867ca145f8b3c72747f9b9e1c7c7037d383f9236c3916f4de3f52ae2491be9ea3c30ed79bd7afe7db
SSDEEP

12288:Z35xcObRC2TWWhBi4N0cnzlwdz7bHV6e167fBjFFn8q2:nxcO1l9Xnxwdz7DV6e1en8Z

Score

3^/10

Malware Config

Signatures

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Data/en-US/EppManifest.dll.mui
unpack001/Data/en-US/MpAsDesc.dll.mui
unpack001/FrostLoader_.exe

Files

FrostLoader_.rar
.rar
Data/Game.dll
.dll windows x86

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

2d:fc:02:34:fd:23:f0:c9:f1:a8:5b:3a:7a:a8:08:43:81:ce:82:05:42:06:d2:22:90:70:85:f3:5e:d0:4c:f2
Signer

Actual PE Digest

2d:fc:02:34:fd:23:f0:c9:f1:a8:5b:3a:7a:a8:08:43:81:ce:82:05:42:06:d2:22:90:70:85:f3:5e:d0:4c:f2

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.text
Size: 512B - Virtual size: 224B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Data/MpClient.dll
.dll windows x86

ac7793185b5b7e2a6de1c29997ef56f2

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e8:5a:bb:e2:86:25:e0:d2:42:8b:55:bc:3c:80:b5:3d:ad:39:e0:e6:db:a1:d5:98:1b:9e:f1:1f:37:10:ab:7f
Signer

Actual PE Digest

e8:5a:bb:e2:86:25:e0:d2:42:8b:55:bc:3c:80:b5:3d:ad:39:e0:e6:db:a1:d5:98:1b:9e:f1:1f:37:10:ab:7f

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_initterm_e
abort
_cexit
terminate
_beginthreadex
_errno
_configure_narrow_argv
_crt_atexit
_seh_filter_dll
_invalid_parameter_noinfo_noreturn

api-ms-win-crt-string-l1-1-0

wcstok_s
towlower
_wcsupr
iswspace
towupper
toupper
_wcsnicmp
strnlen
strncmp
wcsnlen
strcpy_s
islower
_wcsicmp
iswupper
wcsncmp
__strncnt
_isctype_l
wcsncpy_s
iswdigit
iswalpha
_wcsdup
isupper

api-ms-win-crt-convert-l1-1-0

_wcstod_l
atol
wcstoul
_ui64tow_s
wcstoull
_i64tow_s
_ui64toa_s
wcstoll
_i64toa_s

api-ms-win-crt-stdio-l1-1-0

fseek
_wfsopen
fclose
_get_stream_buffer_pointers
fread
fwrite
fgetpos
_fseeki64
fsetpos
setvbuf
fflush
ungetc
fgetc
__stdio_common_vswprintf
fputc
__stdio_common_vswscanf
__stdio_common_vsnwprintf_s
__stdio_common_vswprintf_s
__stdio_common_vsprintf_s
__stdio_common_vsprintf

api-ms-win-crt-heap-l1-1-0

realloc
_calloc_base
free
_free_base
_malloc_base
_callnewh
malloc

advapi32

RegOpenKeyExW
RegSetValueExW
RegEnumKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegNotifyChangeKeyValue
RegDeleteValueW
RegEnumValueW
RegisterEventSourceW
DeregisterEventSource
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
TraceMessage
OpenServiceW
QueryServiceStatus
CloseServiceHandle
NotifyServiceStatusChangeW
OpenSCManagerW
EventWriteTransfer
QueryServiceConfigW
LookupAccountSidW
EnableTrace
ControlTraceW
StartTraceW
QueryTraceW
RegQueryValueExW
RegCloseKey
GetTokenInformation
OpenThreadToken
GetLengthSid
ChangeServiceConfigW
InitializeAcl
StartServiceW
FreeSid
OpenProcessToken
CopySid
AllocateAndInitializeSid
CheckTokenMembership
ConvertStringSidToSidW
EventUnregister
EventRegister
DuplicateTokenEx
SetEntriesInAclW
ReportEventW

crypt32

CertVerifyCertificateChainPolicy

kernel32

OpenProcess
SetLastError
UnmapViewOfFile
WideCharToMultiByte
FormatMessageW
LocalFree
FreeLibrary
GetTickCount
QueryPerformanceCounter
CreateFileW
SwitchToThread
ResetEvent
DeleteFileW
FlushViewOfFile
FlushFileBuffers
GetCurrentProcess
GetLastError
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetModuleHandleW
GetProcAddress
FormatMessageA
InitializeSRWLock
TryAcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
QueryPerformanceFrequency
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
InitializeCriticalSectionAndSpinCount
InitializeSListHead
IsDebuggerPresent
RtlUnwind
InterlockedPushEntrySList
InterlockedFlushSList
RaiseException
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
EncodePointer
InitializeCriticalSectionEx
LoadLibraryExW
UnregisterWaitEx
HeapAlloc
DeleteTimerQueueTimer
GetFinalPathNameByHandleW
SetFileAttributesW
RemoveDirectoryW
FindFirstFileW
FindNextFileW
FindClose
GetFileAttributesW
GetProcessTimes
ExpandEnvironmentStringsW
GetVersionExW
CreateDirectoryW
CopyFileW
CreateThread
CreateEventW
SetEvent
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetFileAttributesExW
GetModuleHandleExW
ReleaseMutex
WaitForMultipleObjects
CreateMutexW
MultiByteToWideChar
CloseHandle
Sleep
WaitForSingleObject
WaitForSingleObjectEx
RegisterWaitForSingleObject
GetCurrentThread
HeapFree
SetEnvironmentVariableW
CompareStringEx
WriteFile
InitOnceComplete
InitOnceBeginInitialize
CreateTimerQueueTimer
GetFileSizeEx
ReadFile
FileTimeToSystemTime
VirtualQuery
MapViewOfFile
CreateFileMappingW
CreateSemaphoreW
CreateProcessW
GetStringTypeW
GetSystemInfo
GetNativeSystemInfo
LoadLibraryExA
VirtualProtect
HeapDestroy
HeapReAlloc
HeapSize
HeapValidate
HeapCreate
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolIo
CreateThreadpoolTimer
SetThreadpoolWait
DuplicateHandle
GetSystemDirectoryW
OpenFileMappingW
SetThreadpoolTimer
OpenEventW
CreateThreadpoolWait
CloseThreadpoolTimer
SetThreadpoolThreadMaximum
WaitForThreadpoolWaitCallbacks
GetModuleFileNameW
ReleaseSemaphore
CloseThreadpoolWait
VirtualLock
GetTickCount64
TryEnterCriticalSection
SetThreadpoolThreadMinimum
WaitForThreadpoolWorkCallbacks
CancelThreadpoolIo
GetLocalTime
GetEnvironmentVariableW
CompareFileTime
WaitForThreadpoolTimerCallbacks
WaitForThreadpoolIoCallbacks
LocalFileTimeToFileTime
SystemTimeToFileTime
CreateThreadpoolIo
LCMapStringEx
CreateThreadpool
LoadLibraryW
StartThreadpoolIo
DebugBreak
CloseThreadpool
CloseThreadpoolWork
GetProcessHeap
TlsFree
TlsGetValue
TlsAlloc
TlsSetValue
DecodePointer
CreateIoCompletionPort
PostQueuedCompletionStatus
GetQueuedCompletionStatus
SizeofResource
LockResource
CancelSynchronousIo
LoadResource
FindResourceW

rpcrt4

NdrClientCall2
UuidToStringW
UuidFromStringW
RpcBindingFromStringBindingW
RpcBindingSetAuthInfoExW
RpcBindingSetOption
RpcBindingFree
RpcSmDestroyClientContext
UuidCreate
RpcStringBindingComposeW
RpcStringFreeW

wintrust

CryptCATAdminAcquireContext
WTHelperGetProvSignerFromChain
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseCatalogContext
WTHelperProvDataFromStateData
WinVerifyTrust
CryptCATAdminEnumCatalogFromHash
CryptCATAdminCalcHashFromFileHandle
CryptCATAdminReleaseContext

ntdll

RtlNtStatusToDosError
RtlGetVersion

api-ms-win-crt-utility-l1-1-0

rand
qsort

api-ms-win-crt-locale-l1-1-0

_free_locale
_create_locale
setlocale
_unlock_locales
_lock_locales
___lc_collate_cp_func
___lc_locale_name_func
___lc_codepage_func
___mb_cur_max_func
__pctype_func

api-ms-win-crt-math-l1-1-0

ceil

userenv

RegisterGPNotification
UnregisterGPNotification

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_lock_file

Exports

Exports

MpAddDynamicSignatureFile
MpAllocMemory
MpAmsiCloseSession
MpAmsiNotify
MpAmsiScan
MpAsrSetHipsUserExclusion
MpChangeCapability
MpCheckAccessForClipboardOperation
MpCheckAccessForClipboardOperationEx
MpCheckAccessForClipboardOperationEx2
MpCheckAccessForDragDropOperation
MpCheckAccessForDragDropOperation2
MpCheckAccessForPrintOperation
MpCheckAccessForPrintOperation2
MpCleanControl
MpCleanOpen
MpCleanPrecheckStart
MpCleanStart
MpClientUtilExportFunctions
MpClose
MpConfigClose
MpConfigDelValue
MpConfigGetValue
MpConfigGetValueAlloc
MpConfigInitialize
MpConfigIteratorClose
MpConfigIteratorEnum
MpConfigIteratorEnumV2
MpConfigIteratorOpen
MpConfigOpen
MpConfigQueryProtection
MpConfigRegisterForNotifications
MpConfigSetValue
MpConfigUninitialize
MpConfigUnregisterNotifications
MpConveyDlpBypass
MpConveySampleSubmissionResult
MpConveyUserChoiceForDlpNotification
MpConveyUserChoiceForDlpNotificationEx
MpConveyUserChoiceForSampleList
MpCreateComInstance
MpDbgAllocMemory
MpDebugExportFunctions
MpDefenderIsPrintAccessCheckNeeded
MpDefenderPrintAccessCheck
MpDefenderPrintDataProvide
MpDelegateCopyFile
MpDeleteAsrHistory
MpDetectionEnumerate
MpDetectionQuery
MpDlpDelegateEnforcement
MpDlpGetOperationEnforcmentMode
MpDlpInitializeEnforcementMode
MpDlpNotifyCloseDocumentFile
MpDlpNotifyPostOpenDocumentFile
MpDlpNotifyPostSaveAsDocument
MpDlpNotifyPostStartPrint
MpDlpNotifyPreOpenDocumentFile
MpDlpNotifyPrePrint
MpDlpNotifyPreSaveAsDocument
MpDynamicSignatureEnumerate
MpDynamicSignatureOpen
MpElevateCleanHandle
MpElevationHandleAcquire
MpElevationHandleActivate
MpElevationHandleAttach
MpElevationHandleOpen
MpErrorMessageFormat
MpFastMemoryScan
MpFastMemoryScanOpen
MpFlushLowfiCache
MpForcedReboot
MpFreeFileTrustExtraInfo
MpFreeMemory
MpFreeTSModeInfo
MpGenerateSignature
MpGenerateSignatureEx
MpGenerateThreatReport
MpGetASRPerRuleExclusions
MpGetAsrBlockedActionInfos
MpGetAsrBlockedActions
MpGetAsrBlockedProcesses
MpGetCallistoDetections
MpGetCopyAcceleratorProcessStatus
MpGetDevMode
MpGetDeviceControlSecurityPolicies
MpGetDeviceControlStatus
MpGetDlpEvents
MpGetEngineVersion
MpGetFCValue
MpGetHIPSRuleInfo
MpGetHybridMode
MpGetMAPSConnectivityStatusInfo
MpGetRunningMode
MpGetSampleChunk
MpGetSampleListRequiringConsent
MpGetTDTFeatureStatus
MpGetTDTFeatureStatusEx
MpGetTPStateInfo
MpGetTSModeInfo
MpGetTaskSchedulerStrings
MpGetThreatExecutionInfo
MpHandleClose
MpIsDeviceControlAvailable
MpIsGivenRunningModeSupported
MpIsRtpAutoEnable
MpManagerDisable
MpManagerEnable
MpManagerOpen
MpManagerStatusQuery
MpManagerStatusQueryEx
MpManagerVersionQuery
MpManagerXBGMDisable
MpManagerXBGMEnable
MpMemoryScanStart
MpNetworkCapture
MpNotificationRegister
MpOfflineScanInstall
MpOfflineScanStatusQuery
MpOpen
MpProductGenuineCheck
MpQuarantineRequest
MpQueryDefaultFolderGuardList
MpQueryEngineConfigDword
MpQueryFileTrustByHandle
MpQueryFileTrustByHandle2
MpRemapCallistoDetections
MpRemoveDynamicSignatureFile
MpReportClipboardOwner
MpRequestSnooze
MpRollbackPlatform
MpSampleQuery
MpSampleSubmit
MpScanControl
MpScanResult
MpScanStart
MpScanStartEx
MpSendBrowserHeartbeat
MpSendDeviceControlToast
MpSetBreakTheGlassStatus
MpSetTPState
MpSetUacElevationDefaultWindowHandle
MpShowDlpDetailsDialog
MpShutdownCopyAcceleratorProcess
MpSmartLockerEnable
MpTelemetryAddToAverageDWORD
MpTelemetryAddToStreamDWORD
MpTelemetryAddToStreamDWORD64
MpTelemetryAddToStreamString
MpTelemetryIncrementDWORD
MpTelemetryInitialize
MpTelemetryIsOptIn
MpTelemetryLiteralAddToAverageDWORD
MpTelemetryLiteralAddToStreamDWORD
MpTelemetryLiteralAddToStreamDWORD64
MpTelemetryLiteralAddToStreamString
MpTelemetryLiteralIncrementDWORD
MpTelemetryLiteralSetDWORD
MpTelemetryLiteralSetDWORD64
MpTelemetryLiteralSetIfMaxDWORD
MpTelemetryLiteralSetIfMinDWORD
MpTelemetryLiteralSetString
MpTelemetrySetConsent
MpTelemetrySetDWORD
MpTelemetrySetDWORD64
MpTelemetrySetIfMaxDWORD
MpTelemetrySetIfMinDWORD
MpTelemetrySetString
MpTelemetryUninitialize
MpTelemetryUpdateUserConsent
MpTelemetryUpload
MpThreatAction
MpThreatEnumerate
MpThreatHistoryRequest
MpThreatLocalizedInfoQuery
MpThreatOpen
MpThreatQuery
MpThreatRollup
MpTriggerErrorHeartbeatReport
MpTriggerHeartbeatOnUninstall
MpTriggerStatusRefreshNotification
MpUnblockEngine
MpUnblockPlatform
MpUnblockSignatures
MpUpdateBrowserActiveTab
MpUpdateControl
MpUpdateDevMode
MpUpdateEngine
MpUpdatePlatform
MpUpdateStart
MpUpdateStartEx
MpUpdateTSMode
MpUpdateTSModeEx
MpUtilsExportFunctions
MpWDEnable
MpXBGMEnable
MpXBGMFreeEvent
MpXBGMGetData
MpXBGMPutData
MpXBGMUpdateIV
MputAddToAverageDWORD64Rpc
MputAddToAverageDWORDRpc
MputIncrementDWORD64Rpc
MputIncrementDWORDRpc
MputSetBoolRpc
MputSetDWORD64Rpc
MputSetDWORDRpc
MputSetIfMaxDWORD64Rpc
MputSetIfMaxDWORDRpc
MputSetIfMinDWORD64Rpc
MputSetIfMinDWORDRpc
MputSetStringRpc
WDEnable
WDStatus

Sections

.text
Size: 796KB - Virtual size: 795KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 28KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 84B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 48KB - Virtual size: 47KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Data/en-US/EppManifest.dll.mui
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rdata
Size: 512B - Virtual size: 224B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Data/en-US/MpAsDesc.dll.mui
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rdata
Size: 512B - Virtual size: 224B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 48KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
FrostLoader_.exe
.exe windows x86

205b5a26282a28fd3b95bae3e604cb79

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SizeofResource
FindResourceW
LoadLibraryA
LockResource
FreeConsole
SetConsoleCtrlHandler
WriteConsoleW
LoadResource
GetProcAddress
GetModuleHandleW
GetModuleHandleA
VirtualProtect
VirtualAlloc
Sleep
CreateThread
CreateMutexA
GetLastError
WaitForSingleObject
lstrlenW
SetFileApisToOEM
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
GetCurrentProcess
TerminateProcess
RtlUnwind
SetLastError
EncodePointer
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
RaiseException
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetFileType
GetStringTypeW
CompareStringW
LCMapStringW
GetProcessHeap
HeapSize
HeapReAlloc
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
SetFilePointerEx
CreateFileW
CloseHandle
DecodePointer

gdi32

SetTextColor
SetBkMode
SelectObject
GetStockObject
DeleteObject
CreateFontIndirectA
GetObjectA

comdlg32

GetOpenFileNameA
GetSaveFileNameA

advapi32

RegDeleteKeyA

Sections

.text
Size: 62KB - Virtual size: 62KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 176KB - Virtual size: 176KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
How to use.txt
Lang.ini

Sharing

General

Malware Config

Signatures

Files

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3cCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

2d:fc:02:34:fd:23:f0:c9:f1:a8:5b:3a:7a:a8:08:43:81:ce:82:05:42:06:d2:22:90:70:85:f3:5e:d0:4c:f2Signer

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 512B - Virtual size: 224B

.rsrc Size: 1.0MB - Virtual size: 1.0MB

ac7793185b5b7e2a6de1c29997ef56f2

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3bCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

e8:5a:bb:e2:86:25:e0:d2:42:8b:55:bc:3c:80:b5:3d:ad:39:e0:e6:db:a1:d5:98:1b:9e:f1:1f:37:10:ab:7fSigner

Headers

DLL Characteristics

File Characteristics

Imports

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

advapi32

crypt32

kernel32

rpcrt4

wintrust

ntdll

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

userenv

api-ms-win-crt-filesystem-l1-1-0

Exports

Exports

Sections

.text Size: 796KB - Virtual size: 795KB

.data Size: 28KB - Virtual size: 30KB

.idata Size: 9KB - Virtual size: 9KB

.didat Size: 512B - Virtual size: 84B

.rsrc Size: 3KB - Virtual size: 2KB

.reloc Size: 48KB - Virtual size: 47KB

Headers

DLL Characteristics

File Characteristics

Sections

.rdata Size: 512B - Virtual size: 224B

.rsrc Size: 1KB - Virtual size: 4KB

Headers

DLL Characteristics

File Characteristics

Sections

.rdata Size: 512B - Virtual size: 224B

.rsrc Size: 48KB - Virtual size: 52KB

205b5a26282a28fd3b95bae3e604cb79

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

gdi32

comdlg32

advapi32

Sections

.text Size: 62KB - Virtual size: 62KB

.rdata Size: 25KB - Virtual size: 25KB

.data Size: 2KB - Virtual size: 4KB

.rsrc Size: 176KB - Virtual size: 176KB

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

2d:fc:02:34:fd:23:f0:c9:f1:a8:5b:3a:7a:a8:08:43:81:ce:82:05:42:06:d2:22:90:70:85:f3:5e:d0:4c:f2
Signer

.text
Size: 512B - Virtual size: 224B

.rsrc
Size: 1.0MB - Virtual size: 1.0MB

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

e8:5a:bb:e2:86:25:e0:d2:42:8b:55:bc:3c:80:b5:3d:ad:39:e0:e6:db:a1:d5:98:1b:9e:f1:1f:37:10:ab:7f
Signer

.text
Size: 796KB - Virtual size: 795KB

.data
Size: 28KB - Virtual size: 30KB

.idata
Size: 9KB - Virtual size: 9KB

.didat
Size: 512B - Virtual size: 84B

.rsrc
Size: 3KB - Virtual size: 2KB

.reloc
Size: 48KB - Virtual size: 47KB

.rdata
Size: 512B - Virtual size: 224B

.rsrc
Size: 1KB - Virtual size: 4KB

.rdata
Size: 512B - Virtual size: 224B

.rsrc
Size: 48KB - Virtual size: 52KB

.text
Size: 62KB - Virtual size: 62KB

.rdata
Size: 25KB - Virtual size: 25KB

.data
Size: 2KB - Virtual size: 4KB

.rsrc
Size: 176KB - Virtual size: 176KB