Static task: static1
Behavioral task: behavioral1 (sample carboniteservice.exe, resource win7-20230831-en)
Behavioral task: behavioral2 (sample carboniteservice.exe, resource win10v2004-20230915-en)
General
Target: carboniteservice.exe
Size: 8.6MB
MD5: e69dc35b9b016b2c2d7b74712fbfe763
SHA1: 4fb2f6cc1f9fae38d1a255c160bc8a120000e123
SHA256: 66df2a212905d2906f7fb52e2b50796e1338cd0462e837d93fa8913b9d8eee05
SHA512: 3b48d78b84e88bcb90dd62c60a9baa4e568ae7260229a57aa092876bb57b2a587f05da3e75add468deceb7bf1c09fa0b4101d7badeebcafe3d7349cbbd8157f9
SSDEEP: 98304:Vs7aHJvdB3XcjmWJVvuB6AL6P9l7hn/QWWQMW48E4abjzeZ:VjzujmWJVfAmlNQWWQl4d
Malware Config
Signatures
Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
resource: carboniteservice.exe
Files
carboniteservice.exe.exe  windows x64  fa74d7b3cf293e52110fa35e82953925
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
gdiplus
GdipGetImageEncoders
GdipGetImageEncodersSize
GdipCreateBitmapFromHICON
GdipSaveImageToStream
GdipDisposeImage
GdipCloneImage
GdiplusShutdown
GdiplusStartup
GdipFree
GdipAlloc
winhttp
WinHttpOpen
WinHttpCloseHandle
WinHttpConnect
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpCrackUrl
WinHttpOpenRequest
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpSetOption
wtsapi32
WTSQuerySessionInformationW
WTSFreeMemory
WTSEnumerateSessionsW
version
GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW
secur32
GetUserNameExW
rstrtmgr
RmGetList
RmRegisterResources
RmEndSession
RmStartSession
mpr
WNetGetUniversalNameW
msi
ord70
ord45
vssapi
ord6
?CreateVssBackupComponents@@YAJPEAPEAVIVssBackupComponents@@@Z
pdh
PdhOpenQueryW
PdhCollectQueryData
PdhCloseQuery
PdhGetFormattedCounterValue
PdhAddCounterW
PdhRemoveCounter
iphlpapi
GetAdaptersAddresses
kernel32
LoadLibraryExW
LoadResource
SizeofResource
FindResourceW
lstrcmpiW
lstrcpyW
MultiByteToWideChar
SetLastError
SetThreadPriority
FindResourceExW
LockResource
MoveFileExW
FileTimeToLocalFileTime
OutputDebugStringA
ResetEvent
FileTimeToSystemTime
GetDateFormatW
GetLocaleInfoW
GetCurrentThread
WideCharToMultiByte
FindFirstFileW
FindNextFileW
ExitProcess
GetDriveTypeW
GetFileAttributesW
GetFileAttributesExW
GetLogicalDriveStringsW
OpenProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
CompareFileTime
GetEnvironmentVariableW
TlsGetValue
TlsSetValue
FindClose
GetLongPathNameW
TlsAlloc
TlsFree
GetTimeZoneInformation
CreateFileW
DeviceIoControl
LocalFree
VerSetConditionMask
CreateProcessW
VerifyVersionInfoW
WTSGetActiveConsoleSessionId
ExpandEnvironmentStringsW
ReadFile
GetSystemTime
GetSystemTimeAsFileTime
GetSystemDirectoryW
GetWindowsDirectoryW
GlobalUnlock
GlobalLock
SystemTimeToFileTime
GetTimeFormatW
GetFileSizeEx
SetEndOfFile
SetFilePointerEx
VirtualAlloc
VirtualFree
LoadLibraryW
ReadDirectoryChangesW
GetProcessTimes
GetVolumeNameForVolumeMountPointW
GetSystemInfo
GetModuleHandleA
GetComputerNameW
GetThreadTimes
GetSystemTimes
SetFileTime
FormatMessageW
FlushFileBuffers
GetVersionExW
BackupRead
BackupSeek
BackupWrite
SetWaitableTimer
CancelWaitableTimer
CreateWaitableTimerW
GetTempPathW
TerminateProcess
GetExitCodeProcess
QueryFullProcessImageNameW
LocalAlloc
SetEvent
WriteFile
MoveFileW
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
CancelIo
RtlCaptureContext
OutputDebugStringW
InitializeCriticalSection
TryEnterCriticalSection
ReleaseSemaphore
GetProcAddress
WaitForSingleObjectEx
CreateMutexW
CreateSemaphoreW
PulseEvent
FormatMessageA
TerminateThread
GetExitCodeThread
SetFileAttributesW
SetCurrentDirectoryW
CreateDirectoryW
FindFirstVolumeW
FindNextVolumeW
FindVolumeClose
GetDiskFreeSpaceExW
GetFullPathNameW
GetVolumeInformationW
RemoveDirectoryW
GetVolumePathNamesForVolumeNameW
CopyFileW
FindFirstFileExW
CreateFileA
GetFileTime
LocalFileTimeToFileTime
SetFilePointer
FileTimeToDosDateTime
DosDateTimeToFileTime
HeapCreate
CreateFileMappingW
MapViewOfFile
FlushViewOfFile
UnmapViewOfFile
QueueUserWorkItem
GetStdHandle
DuplicateHandle
GetFileType
QueryPerformanceCounter
GlobalMemoryStatus
FlushConsoleInputBuffer
LoadLibraryA
GetFinalPathNameByHandleW
GetFileInformationByHandle
SwitchToThread
InitOnceComplete
InitOnceBeginInitialize
QueryPerformanceFrequency
SleepConditionVariableSRW
SleepConditionVariableCS
WakeAllConditionVariable
WakeConditionVariable
InitializeConditionVariable
GetStringTypeW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InitializeSRWLock
GetModuleHandleW
GetModuleFileNameW
FreeLibrary
GetNativeSystemInfo
GetTickCount
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
EnterCriticalSection
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
GetCurrentThreadId
CreateThread
GetCurrentProcessId
GetCurrentProcess
Sleep
CreateEventW
HeapAlloc
HeapDestroy
RemoveVectoredExceptionHandler
AddVectoredExceptionHandler
GetLastError
RaiseException
CloseHandle
ExitThread
DecodePointer
DebugBreak
GetNumberOfConsoleInputEvents
SetConsoleMode
SetStdHandle
ReadConsoleW
GetOEMCP
GetACP
IsValidCodePage
GetConsoleMode
GetConsoleOutputCP
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
LCMapStringW
CompareStringW
IsDebuggerPresent
GetConsoleCP
SetConsoleCtrlHandler
WriteConsoleW
VirtualQuery
VirtualProtect
GetModuleHandleExW
FreeLibraryAndExitThread
ResumeThread
GetFileSize
DeleteFileW
GetCurrentDirectoryW
GetCommandLineW
ReleaseMutex
WaitForSingleObject
ReadConsoleInputW
PeekConsoleInputA
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetFileInformationByHandle
AreFileApisANSI
CreateDirectoryExW
CreateHardLinkW
GetFileInformationByHandleEx
CreateSymbolicLinkW
RtlUnwind
GetLocaleInfoEx
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
InitOnceExecuteOnce
CreateEventExW
CreateSemaphoreExW
FlushProcessWriteBuffers
GetCurrentProcessorNumber
GetTickCount64
FreeLibraryWhenCallbackReturns
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolWork
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolWait
SetThreadpoolWait
CloseThreadpoolWait
EncodePointer
LCMapStringEx
CompareStringEx
GetCPInfo
InitializeCriticalSectionAndSpinCount
RtlLookupFunctionEntry
RtlVirtualUnwind
PeekNamedPipe
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetStartupInfoW
InitializeSListHead
RtlPcToFileHeader
RtlUnwindEx
InterlockedPushEntrySList
InterlockedFlushSList
GetTempFileNameW
SystemTimeToTzSpecificLocalTime
user32
GetDesktopWindow
IsWindowVisible
LoadImageW
LoadStringW
GetMessageW
TranslateMessage
DispatchMessageW
GetUserObjectInformationW
PostThreadMessageW
FindWindowW
RegisterClassW
UnregisterClassW
CreateWindowExW
DestroyWindow
CharUpperW
CharNextW
MessageBoxW
GetWindowLongPtrW
GetDC
ReleaseDC
DefWindowProcW
GetProcessWindowStation
PeekMessageW
SetWindowLongPtrW
GetSystemMetrics
DestroyIcon
gdi32
CreateCompatibleBitmap
GetDIBits
GetObjectW
DeleteObject
GetDeviceCaps
shell32
SHGetFolderPathW
ExtractIconExW
SHGetFileInfoW
ord155
SHGetSpecialFolderLocation
SHChangeNotify
ShellExecuteW
SHFileOperationW
ExtractIconW
ole32
CoSetProxyBlanket
CoCreateGuid
CoRevertToSelf
CoImpersonateClient
CoInitialize
CoTaskMemFree
CoTaskMemRealloc
CoTaskMemAlloc
CreateStreamOnHGlobal
CoCreateInstance
CoInitializeSecurity
CoReleaseServerProcess
CoAddRefServerProcess
CoDisconnectObject
CoRevokeClassObject
CoRegisterClassObject
CoInitializeEx
CoUninitialize
GetHGlobalFromStream
CoQueryProxyBlanket
StringFromGUID2
CoResumeClassObjects
oleaut32
SysAllocStringLen
UnRegisterTypeLi
RegisterTypeLi
LoadRegTypeLi
LoadTypeLi
SysAllocStringByteLen
SysStringLen
SysFreeString
SysAllocString
SafeArrayDestroy
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayCreateVector
VariantInit
CreateErrorInfo
VariantClear
VariantChangeType
SysStringByteLen
SystemTimeToVariantTime
GetErrorInfo
VariantTimeToSystemTime
VarUI4FromStr
SetErrorInfo
advapi32
OpenThreadToken
GetUserNameW
RevertToSelf
ImpersonateLoggedOnUser
GetTokenInformation
DuplicateToken
LogonUserW
LookupAccountSidW
FreeSid
AllocateAndInitializeSid
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
QueryServiceStatus
OpenServiceW
OpenSCManagerW
DeleteService
CreateServiceW
ControlService
CloseServiceHandle
ChangeServiceConfig2W
ChangeServiceConfigW
RegSetValueExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyExW
RegCloseKey
LookupPrivilegeValueW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
AdjustTokenPrivileges
OpenProcessToken
RegEnumKeyW
RegOpenKeyW
RegQueryValueExW
RegEnumValueW
RegLoadKeyW
RegUnLoadKeyW
LsaFreeMemory
LsaClose
LsaOpenPolicy
LsaEnumerateAccountRights
LsaNtStatusToWinError
ConvertStringSidToSidW
EncryptFileW
OpenEncryptedFileRawW
ReadEncryptedFileRaw
WriteEncryptedFileRaw
CloseEncryptedFileRaw
SetFileSecurityW
GetNamedSecurityInfoW
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSecurityDescriptorToStringSecurityDescriptorW
CheckTokenMembership
CopySid
GetLengthSid
IsValidSid
PrivilegeCheck
AccessCheck
CreateWellKnownSid
MapGenericMask
GetSecurityInfo
LsaQueryInformationPolicy
ConvertSidToStringSidW
RegConnectRegistryW
RegFlushKey
RegGetKeySecurity
RegNotifyChangeKeyValue
RegOpenKeyTransactedW
RegSetKeySecurity
CryptAcquireContextW
CryptReleaseContext
CryptGenRandom
SetThreadToken
ws2_32
listen
WSACleanup
closesocket
WSAIoctl
WSARecv
WSASend
WSASocketW
getaddrinfo
freeaddrinfo
connect
ioctlsocket
getpeername
shutdown
WSASetLastError
gethostbyname
gethostbyaddr
socket
sendto
WSAStartup
accept
bind
send
select
recvfrom
recv
ntohs
inet_ntoa
WSAGetLastError
inet_addr
setsockopt
htons
htonl
getsockname
netapi32
NetWkstaGetInfo
NetShareGetInfo
NetUserGetInfo
NetUserEnum
NetApiBufferFree
NetUserGetLocalGroups
NetLocalGroupAddMembers
NetUserChangePassword
NetUserDel
NetUserAdd
shlwapi
UrlEscapeW
PathRemoveFileSpecW
StrCpyNW
StrCmpW
UrlEscapeA
rpcrt4
UuidToStringW
UuidFromStringW
UuidCreateSequential
UuidEqual
RpcStringFreeW
wininet
InternetGetConnectedState
InternetAutodial
userenv
LoadUserProfileW
DeleteProfileW
UnloadUserProfile
dbghelp
MiniDumpWriteDump
UnDecorateSymbolName
SymGetSymFromAddr64
SymUnDName64
SymInitialize
SymGetLineFromAddr64
SymGetModuleBase64
SymGetModuleInfo64
SymFunctionTableAccess64
SymCleanup
SymGetOptions
SymSetOptions
StackWalk64
crypt32
CertCloseStore
CertOpenSystemStoreW
CertEnumCertificatesInStore
Sections
.text   Size: 6.2MB  Virtual size: 6.2MB  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
.rdata  Size: 1.6MB  Virtual size: 1.6MB  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
.data   Size: 357KB  Virtual size: 479KB  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
.pdata  Size: 271KB  Virtual size: 270KB  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
_RDATA  Size: 512B   Virtual size: 244B   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
.rsrc   Size: 54KB   Virtual size: 53KB   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
.reloc  Size: 36KB   Virtual size: 35KB   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ
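Added example, not part of the sandbox report and not code from the Carbonite product: a small PE32+ header parser that recovers the three facts the report lists above and under Signatures and Headers (whether an Attribute Certificate Table exists, which is all the "Unsigned PE" check looks at; the DllCharacteristics and File Characteristics flags; and per-section flags), then turns them into findings. The PE it parses is constructed inline for the demo (headers only, with the same flag values as this sample) and is not carboniteservice.exe; the function and finding names are assumptions of this example, not Triage's.

```python
"""PE32+ header triage: certificate table, characteristics, section flags."""
import struct

DLL_CHARACTERISTICS = {
    0x0020: "IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA",
    0x0040: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
    0x0080: "IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY",
    0x0100: "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
    0x4000: "IMAGE_DLLCHARACTERISTICS_GUARD_CF",
    0x8000: "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE",
}
FILE_CHARACTERISTICS = {
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0020: "IMAGE_FILE_LARGE_ADDRESS_AWARE",
    0x2000: "IMAGE_FILE_DLL",
}
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Attribute Certificate Table (Authenticode)


def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe64(data):
    """Parse just enough of a PE32+ image to answer the triage questions."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (magic 0x20b) is handled here")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    cert_off = cert_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike the other directories, this entry holds a raw file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from(
            "<II", data, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    base = opt + opt_size  # section headers follow the optional header, 40 bytes each
    for i in range(nsec):
        off = base + 40 * i
        name, vsize, _vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "flags": flag_names(chars, SECTION_FLAGS)})
    return {"machine": machine,
            "file_characteristics": flag_names(file_chars, FILE_CHARACTERISTICS),
            "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
            "authenticode": cert_size > 0 and cert_off + cert_size <= len(data),
            "sections": sections}


def triage(info):
    """Turn parsed header facts into findings (names are this example's own)."""
    findings = []
    if not info["authenticode"]:
        findings.append("Unsigned PE: no Attribute Certificate Table")
    dc = info["dll_characteristics"]
    if "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE" not in dc:
        findings.append("ASLR opt-out: DYNAMIC_BASE not set")
    if "IMAGE_DLLCHARACTERISTICS_NX_COMPAT" not in dc:
        findings.append("DEP opt-out: NX_COMPAT not set")
    for s in info["sections"]:
        if "IMAGE_SCN_MEM_WRITE" in s["flags"] and "IMAGE_SCN_MEM_EXECUTE" in s["flags"]:
            findings.append(f"W+X section: {s['name']}")
    return findings


def build_sample_pe64(signed, dll_chars=0x8160, sections=((b".text", 0x60000020),)):
    """Constructed minimal PE32+ for the demo (headers only, not a runnable EXE).
    Defaults mirror this report: x64, EXECUTABLE|LARGE_ADDRESS_AWARE, HIGH_ENTROPY_VA|
    DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE, one R+X code section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    opt_size = 240
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)
    hdr_len = len(dos) + 4 + len(coff) + opt_size + 40 * len(sections)
    cert = b""
    if signed:
        # An 8-byte WIN_CERTIFICATE header with an empty body stands in for a real PKCS#7 blob.
        cert = struct.pack("<IHH", 8, 0x0200, 0x0002)
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, hdr_len, len(cert))
    sec_hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1), 0x200, 0, 0, 0, 0, 0, c)
        for i, (n, c) in enumerate(sections))
    return dos + b"PE\0\0" + coff + bytes(opt) + sec_hdrs + cert


if __name__ == "__main__":
    info = parse_pe64(build_sample_pe64(signed=False))
    print(info["dll_characteristics"], info["file_characteristics"])
    print(triage(info))  # only the "Unsigned PE" finding fires for this profile
```

To run it against a real file use parse_pe64(open(path, "rb").read()); it rejects 32-bit PE32 images because this sample is x64 and the optional-header offsets differ. Presence of a certificate table is all the sandbox check (and this one) establishes; whether that signature verifies against a trusted chain is a separate step (signtool verify /pa, or Get-AuthenticodeSignature in PowerShell), so a file can carry a certificate table and still be untrusted.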