653e49b19b2d831c2dbd46e321b3bdc61512d030e1ee17362f7f4d8fc1b4c8fa

Sharing

Copy URL

Twitter E-mail

General

Target

653e49b19b2d831c2dbd46e321b3bdc61512d030e1ee17362f7f4d8fc1b4c8fa
Size

1.4MB
MD5

61431d9748aa7aac16322e0671308ec4
SHA1

46ee6a48ed20e6098e62c628b11e7f6c7f0cb6f0
SHA256

653e49b19b2d831c2dbd46e321b3bdc61512d030e1ee17362f7f4d8fc1b4c8fa
SHA512

b8910b9d2e19ca66316178121246156a23bc9e09edb9072295e4c76d5b4fea90bc3848f3f9eea09038242627393f91d9da229fd3f24988dd2a0d48a0e543f98c
SSDEEP

24576:YsZKWyqPkNey+DZPaHonmlbBW8sRPEbyJlTaN8D1o:YCMc1DZPAFBURPcyJpaNIK

Score

9^/10

oss_ak

Malware Config

Signatures

detect oss ak 1 IoCs

oss ak information detected.

oss_ak

resource	yara_rule
sample	detect_ak_stuff

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
653e49b19b2d831c2dbd46e321b3bdc61512d030e1ee17362f7f4d8fc1b4c8fa

Files

653e49b19b2d831c2dbd46e321b3bdc61512d030e1ee17362f7f4d8fc1b4c8fa
.exe windows x86

fc05ba15e91a7b1e0c402c4cf8e76a42

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

comn

CreateObjectEmail
CreateObjectUDP
SetCheckAfterIfSuccess
GetObjectVol
GetObjectGpt
GetObjectLog
GetObjectLang
GetObjectSys

encrypt

CreateEncryptObject
HexToStr
StrToHex

uilogic

TerminateSpawnProcess
CreateUiLogic

rpcrt4

RpcServerUseProtseqEpW
RpcServerListen
NdrServerCall2
UuidCreate
RpcServerRegisterIf

amnet

?InitAdapter@Amnet@@YAX_N@Z
?Socket@Amnet@@YAHH@Z
?GetAdapterAt@Amnet@@YA_NIAAUTAdapter@1@@Z
?GetHostName@Amnet@@YAXPAD@Z
?GetAdapterCount@Amnet@@YAHXZ
?Uninstall@Amnet@@YAXXZ
?Connect@Amnet@@YA_NHPADI0I@Z
?StartupTcpEngine@Amnet@@YA_NPAVIAttemperEngineSink@1@@Z
?StoppedTcpEngine@Amnet@@YA_NK@Z
?Install@Amnet@@YA_NXZ
?Disconnect@Amnet@@YA_NH_N@Z
?Send@Amnet@@YA_NHPADI_N@Z

nthelp

?ReadFile@Help32@@YAKPA_WKPAXK@Z
?FileIsExist@Help32@@YAHPA_W@Z
?ReadFileShare@Help32@@YAKPA_WKPAXK@Z
?Wchartochar@Help32@@YAXPB_WPADH@Z
?Chartowchar@Help32@@YAXPBDPA_WH@Z
?CheckWindowsUserAndPasswordIsValid@Help32@@YAHPA_W0@Z
?Encrypto@Help32@@YAXPAEK@Z
?Decrypto@Help32@@YAXPAEK@Z
?IsEmpty@Help32@@YAHPA_W@Z
?Encrypto@Help32@@YAHPAE0H@Z
?GetModuleFilePath@Help32@@YAXPA_W@Z
?CopyString@Help32@@YAXPA_W0@Z
?WriteFile@Help32@@YAKPA_WKPAXK@Z
?IsEmpty@Help32@@YAHPAD@Z

ntlog

?OpenLog@NTLOG@@YAHIPA_W@Z
?WriteLog@NTLOG@@YAHHIPB_WZZ

awssns

getInter

brlog

GetBrLogMgr

kernel32

MapViewOfFile
HeapFree
UnmapViewOfFile
GetLastError
CreateEventW
Sleep
GetCurrentProcess
ReadFile
ReleaseMutex
CreateFileW
SetProcessPriorityBoost
InitializeCriticalSection
ResetEvent
OpenFileMappingW
CreateDirectoryW
CreateMutexW
OpenEventW
WriteFile
WaitForSingleObject
GetTickCount
GetFileSizeEx
LeaveCriticalSection
DeleteFileW
DeleteCriticalSection
MultiByteToWideChar
EnterCriticalSection
SetEvent
SetPriorityClass
GetProcAddress
LoadLibraryW
GetModuleFileNameW
GetCurrentThreadId
GetPrivateProfileStringA
GetModuleFileNameA
GetCurrentProcessId
SetUnhandledExceptionFilter
CreateFileA
GetFileSize
SetFilePointer
CreateToolhelp32Snapshot
OpenProcess
GetVersionExW
GetLocalTime
DeleteFileA
CreateProcessW
Process32FirstW
PeekNamedPipe
FindFirstFileA
GetFileAttributesA
Process32NextW
FindNextFileA
GetPrivateProfileIntW
WideCharToMultiByte
GetComputerNameW
GetProcessHeap
HeapAlloc
FindClose
GetFileAttributesW
WritePrivateProfileStringW
GetPrivateProfileStringW
FindNextFileW
FindFirstFileW
DeviceIoControl
GetStartupInfoW
WTSGetActiveConsoleSessionId
GetExitCodeProcess
SetFileAttributesW
InterlockedExchange
GetPrivateProfileStructW
OpenMutexW
DefineDosDeviceA
GetModuleHandleW
GetSystemDirectoryA
LoadLibraryA
GetSystemInfo
SetFirmwareEnvironmentVariableW
GetFirmwareEnvironmentVariableW
FreeLibrary
GetSystemDirectoryW
SetFilePointerEx
SetLastError
IsBadWritePtr
GetWindowsDirectoryW
IsBadReadPtr
CreatePipe
FlushFileBuffers
MoveFileW
lstrlenW
GetVersionExA
GetSystemTimeAsFileTime
QueryPerformanceCounter
IsDebuggerPresent
UnhandledExceptionFilter
InterlockedCompareExchange
WritePrivateProfileStringA
CreateFileMappingW
lstrcpyW
OutputDebugStringA
CloseHandle
CreateDirectoryA
TerminateProcess
WriteConsoleA
OutputDebugStringW
WriteConsoleW

user32

DispatchMessageW
KillTimer
PostQuitMessage
DestroyWindow
LoadCursorW
CreateWindowExW
UpdateWindow
TranslateAcceleratorW
BeginPaint
RegisterClassExW
TranslateMessage
LoadAcceleratorsW
DialogBoxParamW
LoadIconW
DefWindowProcW
EndPaint
ShowWindow
GetMessageW
CloseWindow
EndDialog
wsprintfW
SendMessageW
FindWindowW
MessageBoxW
GetSystemMetrics
LoadStringW

advapi32

AllocateAndInitializeSid
FreeSid
InitializeAcl
AddAccessAllowedAce
RegFlushKey
RegSetValueExA
RegQueryValueExW
RegCloseKey
RegEnumValueW
RegQueryValueExA
RegEnumValueA
RegOpenKeyExA
LookupPrivilegeValueW
RegQueryInfoKeyW
RegEnumKeyW
RegOpenKeyW
GetUserNameW
AdjustTokenPrivileges
RegOpenKeyA
RegSetValueExW
GetLengthSid
RegDeleteValueW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
CreateProcessAsUserW
DuplicateTokenEx
OpenProcessToken
GetTokenInformation

shell32

SHGetFolderPathW
SHGetFolderPathA

ole32

CLSIDFromString

msvcp80

?compare@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEHPB_W@Z
?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAA_WI@Z
?clear@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXXZ
?assign@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@PB_WI@Z
??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
?compare@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEHPBD@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z
?find_last_of@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIPB_WI@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
?clear@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
?find_last_of@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEI_WI@Z
?find_last_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?_Myptr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEPADXZ
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE?AV?$_String_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE?AV?$_String_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
?npos@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@2IB
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
?resize@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXI@Z
?empty@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE_NXZ
?find@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIPB_WI@Z
?find@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEI_WI@Z
?substr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE?AV12@II@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z
?length@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIXZ
?c_str@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEPB_WXZ
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
?swap@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXAAV12@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
??$?8DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?swap@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXAAV12@@Z
?size@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIXZ
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
?find_first_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z
?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ

shlwapi

PathFileExistsW

ws2_32

closesocket
send
inet_addr
WSACleanup
WSAGetLastError
listen
WSAStartup
gethostbyname
inet_ntoa
recv
bind
accept
htons
connect
socket

msvcr80

__wgetmainargs
_strnicmp
_itoa
strchr
isspace
strncmp
isalpha
tolower
isalnum
memmove
fseek
ftell
fputc
ferror
_vsnprintf_s
_fsopen
fread
vsprintf
_vscwprintf
_vscprintf
toupper
srand
strftime
_localtime64
rand
_vsnprintf
strtol
_controlfp_s
_invoke_watson
?_type_info_dtor_internal_method@type_info@@QAEXXZ
?terminate@@YAXXZ
_except_handler4_common
_crt_debugger_hook
__set_app_type
__p__fmode
__p__commode
strrchr
_swprintf
strncpy_s
sprintf
wcscpy
strncat_s
memset
wcscat
_beginthreadex
memcpy
memcmp
wcstombs
??3@YAXPAX@Z
wcslen
swscanf_s
wcsncpy
?what@exception@std@@UBEPBDXZ
memmove_s
??1exception@std@@UAE@XZ
strcpy
??0exception@std@@QAE@XZ
malloc
??0exception@std@@QAE@ABQBD@Z
??2@YAPAXI@Z
_invalid_parameter_noinfo
??_V@YAXPAX@Z
??0exception@std@@QAE@ABV01@@Z
strlen
_time64
wcscpy_s
sscanf_s
wcscat_s
wcsncmp
wcsrchr
strcat
pow
_beginthread
strncat
_vswprintf
strstr
wcschr
mbstowcs
sprintf_s
_wtoi
printf
swprintf_s
_wcsnicmp
strcpy_s
strcmp
_wcsicmp
_localtime64_s
atoi
strcat_s
_mktime64
_ctime64_s
free
_vswprintf_c_l
wcsstr
vswprintf_s
wcscmp
_itow
system
_purecall
strncpy
fclose
_wsystem
_wfopen_s
fprintf
fwprintf
_stricmp
_vsnwprintf
mbstowcs_s
_snprintf_s
calloc
_unlock
__dllonexit
_encode_pointer
_lock
_onexit
_decode_pointer
__CxxFrameHandler3
_amsg_exit
_CxxThrowException
_cexit
_exit
_XcptFilter
exit
_wcmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv

wtsapi32

WTSFreeMemory
WTSQueryUserToken
WTSEnumerateSessionsW

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winhttp

WinHttpCrackUrl
WinHttpSetTimeouts
WinHttpCloseHandle
WinHttpOpenRequest
WinHttpReadData
WinHttpSendRequest
WinHttpQueryDataAvailable
WinHttpAddRequestHeaders
WinHttpReceiveResponse
WinHttpOpen
WinHttpConnect

enumfolder

CreateEnumRemoteFolder

Exports

Exports

??4_Init_locks@std@@QAEAAV01@ABV01@@Z
?Guid2String@@YAPADAAU_GUID@@PAD@Z

Sections

.text
Size: 404KB - Virtual size: 400KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 128KB - Virtual size: 124KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 16.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 892KB - Virtual size: 896KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

fc05ba15e91a7b1e0c402c4cf8e76a42

Headers

File Characteristics

Imports

comn

encrypt

uilogic

rpcrt4

amnet

nthelp

ntlog

awssns

brlog

kernel32

user32

advapi32

shell32

ole32

msvcp80

shlwapi

ws2_32

msvcr80

wtsapi32

userenv

version

winhttp

enumfolder

Exports

Exports

Sections

.text Size: 404KB - Virtual size: 400KB

.rdata Size: 128KB - Virtual size: 124KB

.data Size: 4KB - Virtual size: 16.1MB

.rsrc Size: 892KB - Virtual size: 896KB

.text
Size: 404KB - Virtual size: 400KB

.rdata
Size: 128KB - Virtual size: 124KB

.data
Size: 4KB - Virtual size: 16.1MB

.rsrc
Size: 892KB - Virtual size: 896KB