SangforCSClient[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

SangforCSClient.exe
Size

2.7MB
MD5

5557b81190893b71d40f300e3864ec2b
SHA1

03fa2ead06c872221dc1b1351ed2ad4120f634e7
SHA256

2cc84e67468858b96e13a7d79003144233e8efb65cbf836f9275e990e836e20a
SHA512

c54bad462a9ed921a705ba9808676c5d9e7526b04d90ac0d19a7a1b621638d2cf625908a076a43775c9c6afe185b8fddbdac0e9a73752125f8c8cba21223162a
SSDEEP

24576:5WiR31nyZSkM7kspE0/992YR+yuITLIBG:5WiNVqSkMFi0/z2YRKk

Score

1^/10

Malware Config

Signatures

Files

SangforCSClient.exe
.exe windows x86

113d5a1b656f563291c8e3722f3bda38

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

12:18:76:db:06:e8:34:da:35:c1:98:90:e6:e6:50:d0
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

17/07/2015, 00:00

Not After

14/09/2018, 23:59

Subject

CN=Sangfor Technologies Co.\,Ltd,OU=research and development department,O=Sangfor Technologies Co.\,Ltd,L=shenzhen,ST=guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

23:4d:0d:a7:54:e1:f1:0e:ae:2e:6d:26:bb:cd:1b:18
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

31/12/2015, 00:00

Not After

14/09/2018, 23:59

Subject

CN=Sangfor Technologies Co.\,Ltd,OU=research and development department,O=Sangfor Technologies Co.\,Ltd,L=shenzhen,ST=guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

5f:d6:93:fa:b0:98:e3:f4:67:7b:b8:cb:67:2c:22:9e
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

11/06/2015, 00:00

Not After

29/12/2020, 23:59

Subject

CN=GeoTrust 2048-bit Timestamping Signer 1,O=GeoTrust Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

01/01/1997, 00:00

Not After

31/12/2020, 23:59

Subject

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

91:9a:6a:7d:35:dd:49:38:d7:f2:75:f3:64:24:b5:c8:1e:34:4e:ea:cd:4b:6f:58:c4:94:63:7c:e1:19:82:b9
Signer

Actual PE Digest

91:9a:6a:7d:35:dd:49:38:d7:f2:75:f3:64:24:b5:c8:1e:34:4e:ea:cd:4b:6f:58:c4:94:63:7c:e1:19:82:b9

Digest Algorithm

sha256

PE Digest Matches

true

fa:d9:62:2f:20:7b:44:c8:69:71:47:32:aa:a9:9e:11:86:e4:01:46
Signer

Actual PE Digest

fa:d9:62:2f:20:7b:44:c8:69:71:47:32:aa:a9:9e:11:86:e4:01:46

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

winmm

timeGetTime

mfc42

ord2117
ord2860
ord6069
ord3301
ord6136
ord6134
ord4130
ord3998
ord2587
ord4406
ord3394
ord3729
ord6785
ord3708
ord4275
ord2301
ord1949
ord818
ord6442
ord613
ord6197
ord289
ord755
ord470
ord1233
ord4673
ord4274
ord6375
ord4486
ord2554
ord2512
ord5731
ord3922
ord1089
ord5199
ord5302
ord4698
ord5714
ord3738
ord561
ord815
ord1106
ord5683
ord2621
ord6438
ord1134
ord2725
ord4287
ord6380
ord668
ord1980
ord6000
ord356
ord1105
ord2859
ord6605
ord2645
ord1929
ord3797
ord6270
ord1644
ord4284
ord6928
ord6930
ord3098
ord326
ord2919
ord2077
ord1247
ord1791
ord5810
ord5481
ord2031
ord4411
ord4447
ord4863
ord4975
ord4919
ord5796
ord5478
ord1971
ord966
ord278
ord605
ord1638
ord4335
ord610
ord287
ord6139
ord5602
ord4277
ord913
ord1615
ord3500
ord922
ord923
ord2820
ord924
ord547
ord548
ord4278
ord3337
ord1871
ord700
ord3811
ord398
ord4189
ord6067
ord5655
ord529
ord804
ord781
ord796
ord4774
ord4538
ord2863
ord3654
ord2584
ord4220
ord4133
ord4297
ord2438
ord2405
ord5785
ord5710
ord4129
ord5862
ord559
ord2763
ord812
ord3571
ord283
ord5787
ord4083
ord3693
ord472
ord5788
ord1640
ord2971
ord2450
ord562
ord5789
ord816
ord323
ord640
ord1862
ord4202
ord5856
ord939
ord2614
ord940
ord6877
ord6662
ord6648
ord6779
ord6383
ord5440
ord2107
ord2841
ord6394
ord5450
ord1200
ord434
ord2141
ord5575
ord4226
ord2726
ord565
ord817
ord4622
ord5715
ord5289
ord5307
ord4699
ord4079
ord5303
ord5300
ord3346
ord2396
ord1948
ord3640
ord3370
ord4402
ord2582
ord3286
ord3302
ord6907
ord3996
ord693
ord2817
ord6880
ord5953
ord1146
ord3610
ord6453
ord3876
ord3097
ord3721
ord656
ord2864
ord6241
ord5572
ord6282
ord6283
ord795
ord4376
ord3089
ord5875
ord1641
ord2243
ord1768
ord537
ord2452
ord3619
ord2414
ord3663
ord3626
ord3573
ord4476
ord1576
ord4224
ord355
ord2515
ord3499
ord858
ord3874
ord535
ord941
ord3582
ord4398
ord2578
ord4218
ord2023
ord2411
ord2818
ord6199
ord823
ord6334
ord4160
ord3317
ord2764
ord2915
ord2379
ord5981
ord4299
ord2642
ord1168
ord2086
ord4710
ord6215
ord3092
ord4234
ord2302
ord2370
ord2289
ord825
ord567
ord3574
ord4424
ord3402
ord5290
ord4396
ord1776
ord6055
ord2575
ord324
ord540
ord860
ord641
ord609
ord616
ord800
ord3597
ord4425
ord4627
ord4080
ord3079
ord3825
ord3831
ord3830
ord2976
ord3081
ord2985
ord3262
ord3136
ord4465
ord3259
ord3147
ord2982
ord5277
ord2124
ord2446
ord5261
ord1727
ord5065
ord3749
ord6376
ord2055
ord2648
ord4441
ord4837
ord3798
ord5280
ord4353
ord6374
ord5163
ord2385
ord5241
ord4407
ord1775
ord4078
ord6052
ord2514
ord4998
ord4853
ord5265
ord4033
ord2770

msvcrt

strchr
_vsnprintf
strcmp
memset
strcat
strncpy
atoi
_snprintf
strlen
_mbscmp
strtok
__CxxFrameHandler
_stricmp
_strupr
_strcmpi
_wcsicmp
_callnewh
_setmbcp
_CxxThrowException
__dllonexit
_onexit
?terminate@@YAXXZ
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
??1type_info@@UAE@XZ
_controlfp
strstr
strtol
strcpy
memcpy
_beginthreadex
free
malloc
isxdigit
tolower
isupper
_except_handler3
wcsncmp
_wcsnicmp
wcslen
strncmp
_strnicmp
memcmp
strrchr
atol
wcsstr
sprintf
fwrite
fclose
fread
ftell
fseek
fopen
_mbstok
__p___argv
__p___argc
_mbsnbicmp
rand
srand
time
toupper
_mbsnbcpy
_mbsicmp
asctime
localtime
realloc
_local_unwind2
wcschr
_ftol
_snwprintf
_atoi64
_purecall
memmove
atof
fprintf
fputc
_wtoi
wcsrchr
_vsnwprintf
wcscmp
isspace
isalnum
isalpha
sscanf

kernel32

GetCurrentProcess
TerminateProcess
CreateToolhelp32Snapshot
Process32First
Process32Next
OpenProcess
LocalFree
GetVersionExA
CreateProcessA
GetCurrentProcessId
FindNextFileA
GetFileAttributesExA
UnmapViewOfFile
OpenFileMappingA
MapViewOfFile
WaitForSingleObject
DisconnectNamedPipe
InterlockedDecrement
InterlockedCompareExchange
CreateNamedPipeA
ConnectNamedPipe
InterlockedIncrement
WriteFile
ReadFile
WaitNamedPipeA
CreateFileA
SetNamedPipeHandleState
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
VerifyVersionInfoA
GetModuleHandleW
GetSystemDefaultLangID
MultiByteToWideChar
OutputDebugStringA
CreateDirectoryA
GetProcessHeap
HeapAlloc
HeapFree
lstrlenA
ResumeThread
WaitForMultipleObjects
CloseHandle
GetTickCount
LoadLibraryA
GetProcAddress
FreeLibrary
Sleep
CopyFileA
WritePrivateProfileStringA
ExpandEnvironmentStringsA
FindFirstFileA
GetLastError
FindClose
FindNextFileW
FindFirstFileW
ExpandEnvironmentStringsW
SetFilePointer
CreateFileW
FlushFileBuffers
DeleteFileW
CreateDirectoryW
GetFileAttributesW
GetVersion
GetComputerNameA
GetFullPathNameA
GetFileTime
lstrcmpA
FileTimeToSystemTime
lstrlenW
GetStartupInfoA
DeleteFileA
GetFileAttributesA
SystemTimeToFileTime
GetSystemTime
lstrcatA
lstrcpyA
QueryDosDeviceA
lstrcmpiA
GetLogicalDriveStringsA
SetEvent
CreateEventA
ReleaseMutex
OpenMutexA
GetModuleFileNameA
CreateMutexA
GetFileSize
CreateThread
OpenEventA
GetCurrentThreadId
GetModuleHandleA
Thread32Next
OpenThread
Thread32First
SetLastError
GlobalFree
SetThreadLocale
CompareFileTime
MulDiv
GetThreadContext
GetCurrentThread
SetCurrentDirectoryA
GetCurrentDirectoryA
VirtualQueryEx
Module32Next
Module32First
IsBadReadPtr
SuspendThread
FlushInstructionCache
GlobalUnlock
GlobalLock
LockResource
FreeResource
GlobalAlloc
SizeofResource
LoadResource
FindResourceA
ResetEvent
TerminateThread
GetStartupInfoW
lstrcmpiW
GetLocalTime
GetWindowsDirectoryA
GetExitCodeThread
CreateProcessW
CreateFileMappingA
GetProcessId
OutputDebugStringW
OpenMutexW
OpenEventW
OpenFileMappingW
GetModuleFileNameW
VirtualFree
VirtualAlloc
CreateMutexW
CreateEventW
VirtualQuery
VirtualProtect
SetThreadContext
WideCharToMultiByte
VerSetConditionMask
LoadLibraryW

user32

LoadBitmapA
LoadCursorA
CopyIcon
SetCursor
GetFocus
GetDlgCtrlID
ShowScrollBar
PtInRect
GetCursorPos
LoadImageA
IsIconic
DrawIcon
GetSystemMenu
GetThreadDesktop
GetUserObjectInformationA
FillRect
GetDC
ReleaseDC
SetRect
CallWindowProcA
wvsprintfA
GetAsyncKeyState
SetForegroundWindow
CreatePopupMenu
FindWindowA
LoadStringA
CopyImage
DrawStateA
HideCaret
wsprintfA
GetDesktopWindow
RegisterWindowMessageA
EnumChildWindows
PostMessageA
GetClientRect
SendMessageA
OffsetRect
SetActiveWindow
DrawFrameControl
IsWindowVisible
IsWindow
DestroyWindow
SendMessageTimeoutA
keybd_event
EnumWindows
ReleaseCapture
FrameRect
ClientToScreen
GetWindowLongA
GetSubMenu
GetMenuItemID
GetMenuItemCount
AppendMenuA
DrawEdge
DestroyIcon
DrawTextW
GetMenuItemInfoA
DrawIconEx
InflateRect
CopyRect
GetSystemMetrics
SystemParametersInfoA
GetSysColor
GetKeyboardLayout
MapVirtualKeyExA
IsCharLowerA
MapVirtualKeyA
GetKeyNameTextA
GetWindowTextA
SetFocus
SetWindowLongA
CharLowerBuffA
ShowWindow
UpdateWindow
RegisterDeviceNotificationA
UnregisterDeviceNotification
GetWindowThreadProcessId
GetMessageA
TranslateAcceleratorA
TranslateMessage
DispatchMessageA
UnregisterClassA
PostQuitMessage
DefWindowProcA
DrawFocusRect
AnimateWindow
GetWindowTextW
GetCapture
SetCapture
WindowFromPoint
EnableWindow
GetWindowRect
MessageBoxA
GetParent
InvalidateRect
RegisterClassExA
CreateWindowExA
SetWindowPos
PostThreadMessageA
SetWindowTextW
LoadIconA
KillTimer
SetTimer

gdi32

CreatePen
GetTextMetricsA
DeleteDC
GetDeviceCaps
BitBlt
PatBlt
Rectangle
GetTextColor
CreateCompatibleDC
CreateDIBitmap
CreateCompatibleBitmap
CreateBitmap
GetObjectA
CreateFontA
SelectObject
DeleteObject
GetStockObject
CreateFontIndirectA
CreateSolidBrush
GetTextExtentPoint32A

advapi32

RegQueryInfoKeyA
RegOpenKeyExA
RegQueryValueExA
RegOpenKeyA
FreeSid
SetSecurityDescriptorDacl
SetSecurityDescriptorSacl
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
InitializeSecurityDescriptor
RegCreateKeyExA
RegSetValueExA
LookupAccountNameA
GetUserNameA
OpenThreadToken
GetTokenInformation
EqualSid
RegOpenKeyExW
RegQueryValueExW
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
RegCloseKey
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
ConvertStringSecurityDescriptorToSecurityDescriptorA
GetSecurityDescriptorSacl
SetSecurityInfo
RegEnumValueA
RegCreateKeyA

shell32

SHChangeNotify
ShellExecuteA
SHGetSpecialFolderPathA
SHFileOperationA
ShellExecuteExA
Shell_NotifyIconA

comctl32

ord8
_TrackMouseEvent

ole32

CoUninitialize
CoCreateInstance
CreateStreamOnHGlobal
CLSIDFromProgID
CoInitialize

olepro32

ord251

oleaut32

SysFreeString
SetErrorInfo
VariantClear
SysAllocString
VariantInit
CreateErrorInfo
VariantChangeType
GetErrorInfo

msvcp60

??1Init@ios_base@std@@QAE@XZ
??0_Winit@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
?nothrow@std@@3Unothrow_t@1@B
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ
?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
?at@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
?compare@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEHABV12@@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z
?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
??1_Lockit@std@@QAE@XZ
??0_Lockit@std@@QAE@XZ
??0Init@ios_base@std@@QAE@XZ

wininet

HttpQueryInfoA
HttpSendRequestA
InternetSetCookieA
InternetSetOptionA
InternetQueryOptionA
InternetGetCookieExA
HttpOpenRequestA
InternetReadFile
InternetCloseHandle
InternetOpenA
InternetConnectA

crypt32

CertCloseStore
CertFreeCertificateContext
CertGetCertificateContextProperty
CertFindCertificateInStore
CertOpenSystemStoreW
CertAddCTLContextToStore
CryptFindCertificateKeyProvInfo
CertGetNameStringA
CertGetCRLContextProperty
CertEnumCertificatesInStore
CertOpenSystemStoreA
CertNameToStrA
PFXImportCertStore

pdh

PdhAddCounterA
PdhGetFormattedCounterValue
PdhOpenQueryA
PdhCollectQueryData
PdhCloseQuery

psapi

EnumProcesses
GetProcessImageFileNameA
GetModuleFileNameExA
EnumProcessModules

dbghelp

SymGetSymFromAddr
UnDecorateSymbolName
SymUnDName
SymGetModuleInfo
SymGetLineFromAddr
SymLoadModule
SymFunctionTableAccess
StackWalk
SymInitialize
SymGetOptions
SymGetModuleBase
ImageDirectoryEntryToDataEx
SymSetOptions

ws2_32

send
shutdown
gethostname
WSASend
WSARecv
WSASetLastError
WSAAsyncSelect
connect
accept
WSACleanup
WSAStartup
ntohl
htonl
htons
getsockname
closesocket
bind
inet_addr
socket
recv
recvfrom
select
ntohs
inet_ntoa
listen
WSAGetLastError

wtsapi32

WTSFreeMemory
WTSEnumerateProcessesW

shlwapi

StrStrIA
StrChrIA

msi

ord216
ord172

Sections

.text
Size: 616KB - Virtual size: 613KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 144KB - Virtual size: 141KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 85KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

113d5a1b656f563291c8e3722f3bda38

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

12:18:76:db:06:e8:34:da:35:c1:98:90:e6:e6:50:d0Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

23:4d:0d:a7:54:e1:f1:0e:ae:2e:6d:26:bb:cd:1b:18Certificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

5f:d6:93:fa:b0:98:e3:f4:67:7b:b8:cb:67:2c:22:9eCertificate

Extended Key Usages

Key Usages

Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

91:9a:6a:7d:35:dd:49:38:d7:f2:75:f3:64:24:b5:c8:1e:34:4e:ea:cd:4b:6f:58:c4:94:63:7c:e1:19:82:b9Signer

fa:d9:62:2f:20:7b:44:c8:69:71:47:32:aa:a9:9e:11:86:e4:01:46Signer

Headers

File Characteristics

Imports

version

winmm

mfc42

msvcrt

kernel32

user32

gdi32

advapi32

shell32

comctl32

ole32

olepro32

oleaut32

msvcp60

wininet

crypt32

pdh

psapi

dbghelp

ws2_32

wtsapi32

shlwapi

msi

Sections

.text Size: 616KB - Virtual size: 613KB

.rdata Size: 144KB - Virtual size: 141KB

.data Size: 8KB - Virtual size: 85KB

.rsrc Size: 1.9MB - Virtual size: 1.9MB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

12:18:76:db:06:e8:34:da:35:c1:98:90:e6:e6:50:d0
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

23:4d:0d:a7:54:e1:f1:0e:ae:2e:6d:26:bb:cd:1b:18
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

5f:d6:93:fa:b0:98:e3:f4:67:7b:b8:cb:67:2c:22:9e
Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

91:9a:6a:7d:35:dd:49:38:d7:f2:75:f3:64:24:b5:c8:1e:34:4e:ea:cd:4b:6f:58:c4:94:63:7c:e1:19:82:b9
Signer

fa:d9:62:2f:20:7b:44:c8:69:71:47:32:aa:a9:9e:11:86:e4:01:46
Signer

.text
Size: 616KB - Virtual size: 613KB

.rdata
Size: 144KB - Virtual size: 141KB

.data
Size: 8KB - Virtual size: 85KB

.rsrc
Size: 1.9MB - Virtual size: 1.9MB