amadey | mkpub_part_a[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

mkpub_part_a.zip
Size

756KB
MD5

9a7c1989736fbff2c7b7320e33ebc4a3
SHA1

aa129c50b5cc73545044db9783dfcaae51a6177a
SHA256

ce9c6915ead719b2079c1e9092e9162e69730ba51ca1e6da1f9cfa69ec48c377
SHA512

5da884bd2c747e7e0ac9cb75398d7a9dad8be9d6de7292d7523d181dd350da57f806e46255cc3ee9b6d09fd76d9d3a96a87285daa850c83f1deaa44526d3d090
SSDEEP

12288:S7LcD2Lk58wQxPd9UDsojqQnFvuS2FtJ6kUP72pE+r5YYNJA2xV4Iej7kphGSsg:d6Lkuj5EsUuTFtJ4PiSEvJkHkRsg

Score

10^/10

amadey

Malware Config

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey family
amadey

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236.bin
unpack001/0ca5581683ce097e382c9bf177c33508110e79985b5332eadd3d806e2a8302e8.bin
unpack001/1cbc53c7993f35b97dd450f01b0e972016fdbeff1aa2c2674235dd931fdda12e.bin
unpack001/31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649.bin

Files

mkpub_part_a.zip
.zip

Password: infected
07c8ad2195949e03142d49ed59e851c2f7b9823eab51b3ec232f75ef866d01f7.bin
.exe windows:5 windows x64

Password: infected

693ffa6b44cd751ceb9044bcc8975404

Code Sign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

06:71:35:2d:c4:c1:03:b7:0a:e7:25:e9:54:48:63:74
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

04/05/2023, 00:00

Not After

06/05/2026, 23:59

Subject

CN=Electronic Arts\, Inc.,OU=EAC,O=Electronic Arts\, Inc.,L=Redwood City,ST=CALIFORNIA,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

1e:9d:c2:a5:83:fc:c7:26:b3:3f:c8:48:b3:53:22:71:15:a9:4a:e5:b1:1a:be:26:99:c8:99:eb:74:93:18:08:84:6c:a6:6f:1c:a0:3e:ec:74:ba:53:fd:e4:53:68:04:10:4d:e2:04:c1:0f:09:b3:60:1f:7a:22:5a:14:a5:b7
Signer

Actual PE Digest

1e:9d:c2:a5:83:fc:c7:26:b3:3f:c8:48:b3:53:22:71:15:a9:4a:e5:b1:1a:be:26:99:c8:99:eb:74:93:18:08:84:6c:a6:6f:1c:a0:3e:ec:74:ba:53:fd:e4:53:68:04:10:4d:e2:04:c1:0f:09:b3:60:1f:7a:22:5a:14:a5:b7

Digest Algorithm

sha512

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

qt5core

?Windows8_1@QOperatingSystemVersion@@2V1@B
?compare@QOperatingSystemVersion@@CAHAEBV1@0@Z
?current@QOperatingSystemVersion@@SA?AV1@XZ
?setFileName@QLibrary@@QEAAXAEBVQString@@@Z
?load@QLibrary@@QEAA_NXZ
??0QCoreApplication@@QEAA@AEAHPEAPEADH@Z
??1QLibrary@@UEAA@XZ
??0QLibrary@@QEAA@PEAVQObject@@@Z
??1QString@@QEAA@XZ
?qErrnoWarning@@YAXHPEBDZZ
?warning@QMessageLogger@@QEBAXPEBDZZ
??0QMessageLogger@@QEAA@PEBDH0@Z
??1QCoreApplication@@UEAA@XZ
?resolve@QLibrary@@QEAAP6AXXZPEBD@Z

advapi32

EventWriteTransfer
EventUnregister
EventRegister
RegQueryValueExW
GetTokenInformation
SetTokenInformation
SetEntriesInAclW
GetSecurityInfo
SetSecurityInfo
AccessCheck
EqualSid
FreeSid
GetAce
ImpersonateLoggedOnUser
IsValidSid
MapGenericMask
RevertToSelf
GetNamedSecurityInfoW
OpenProcessToken
CreateRestrictedToken
DuplicateToken
DuplicateTokenEx
LookupPrivilegeValueW
GetKernelObjectSecurity
GetLengthSid
GetSecurityDescriptorSacl
SetKernelObjectSecurity
ConvertSidToStringSidW
ConvertStringSidToSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
SystemFunction036
CopySid
CreateWellKnownSid
GetSidSubAuthority
InitializeSid
CreateProcessAsUserW
SetThreadToken
RegCloseKey
RegDisablePredefinedCache
RegOpenKeyExW
RegCreateKeyExW

user32

GetProcessWindowStation
SetProcessWindowStation
CreateWindowStationW
GetThreadDesktop
CreateDesktopW
CloseWindowStation
CloseDesktop
GetUserObjectInformationW

kernel32

InitializeSListHead
GetStartupInfoW
IsProcessorFeaturePresent
UnhandledExceptionFilter
RtlLookupFunctionEntry
RtlCaptureContext
WaitForSingleObjectEx
CloseHandle
GetLastError
GetCurrentProcessId
OpenProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetLastError
LocalFree
GetModuleHandleW
GetProcAddress
DuplicateHandle
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
SetEvent
ResetEvent
WaitForSingleObject
CreateEventW
GetCurrentProcess
CreateThread
GetCurrentThreadId
TerminateJobObject
SetInformationJobObject
RegisterWaitForSingleObject
UnregisterWait
SetHandleInformation
GetCurrentThread
GetProcessHandleCount
GetCurrentProcessorNumber
VirtualFree
GetModuleHandleA
SetThreadAffinityMask
GetProcessHeaps
VirtualAllocEx
VirtualProtectEx
WriteProcessMemory
LoadLibraryW
CreateJobObjectW
AssignProcessToJobObject
CreateNamedPipeW
DebugBreak
lstrlenW
HeapSetInformation
ReleaseSRWLockExclusive
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
WideCharToMultiByte
SearchPathW
GetCurrentDirectoryW
GetThreadId
CreateRemoteThread
CreateProcessW
ProcessIdToSessionId
GetFileType
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SignalObjectAndWait
CreateMutexW
TerminateProcess
FreeLibrary
HeapDestroy
GetTickCount
GetUserDefaultLangID
GetUserDefaultLCID
GetUserDefaultLocaleName
EnumSystemLocalesEx
UnregisterWaitEx
CreateFileW
GetFileAttributesW
GetLongPathNameW
QueryDosDeviceW
ReadProcessMemory
VirtualFreeEx
GetThreadPriority
InitializeCriticalSectionAndSpinCount
RtlVirtualUnwind
InitOnceExecuteOnce
InitializeProcThreadAttributeList
DeleteProcThreadAttributeList
UpdateProcThreadAttribute
GetVersionExW
GetNativeSystemInfo
GetProductInfo
IsWow64Process
WriteFile
OutputDebugStringA
GetLocalTime
GetModuleFileNameW
FormatMessageA
AcquireSRWLockExclusive
TryAcquireSRWLockExclusive
VirtualQuery
QueryPerformanceCounter
QueryPerformanceFrequency
GetSystemTimeAsFileTime
QueryThreadCycleTime
SetThreadPriority
ExpandEnvironmentStringsW
GetCommandLineW
LoadLibraryExW
TlsGetValue
GetProcessTimes
RaiseException
SetCurrentDirectoryW
IsDebuggerPresent
SwitchToThread
K32QueryWorkingSetEx
RtlCaptureStackBackTrace
SetUnhandledExceptionFilter
TlsAlloc
TlsSetValue
TlsFree
Sleep

ole32

CoTaskMemFree

qt5webenginecore

?staticSandboxInterfaceInfo@QtWebEngineCore@@YAPEAUSandboxInterfaceInfo@sandbox@@PEAU23@@Z
?processMain@QtWebEngineCore@@YAHHPEAPEBD@Z

msvcp140

?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?tellp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@G@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?width@ios_base@std@@QEAA_J_J@Z
?width@ios_base@std@@QEBA_JXZ
?flags@ios_base@std@@QEBAHXZ
?good@ios_base@std@@QEBA_NXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z

vcruntime140

memcmp
__std_exception_destroy
_CxxThrowException
memmove
memchr
__std_exception_copy
__C_specific_handler
_purecall
__CxxFrameHandler3
memset
__std_terminate
strchr
strstr
memcpy

api-ms-win-crt-heap-l1-1-0

free
_set_new_mode
realloc
malloc
_callnewh

api-ms-win-crt-runtime-l1-1-0

_set_app_type
_cexit
_get_narrow_winmain_command_line
_initterm
_invalid_parameter_noinfo_noreturn
_initterm_e
_errno
_seh_filter_exe
exit
_c_exit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_register_thread_local_exe_atexit_callback
_exit
_initialize_narrow_environment
_configure_narrow_argv
abort
terminate

api-ms-win-crt-string-l1-1-0

wcscmp
_wcsdup
_wcsicmp
isxdigit
_wcsnicmp

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode
fwrite
fflush
__acrt_iob_func
__stdio_common_vsnprintf_s
__stdio_common_vsprintf
__stdio_common_vswprintf
__stdio_common_vsnwprintf_s
__stdio_common_vsscanf

api-ms-win-crt-math-l1-1-0

round
exp
log
ceil
_dtest
floor
__setusermatherr

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

shell32

CommandLineToArgvW

winmm

timeGetTime

Exports

Exports

GetHandleVerifier
IsSandboxedProcess
TargetConfigureOPMProtectedOutput
TargetConfigureOPMProtectedOutput64
TargetCreateNamedPipeW
TargetCreateNamedPipeW64
TargetCreateOPMProtectedOutputs
TargetCreateOPMProtectedOutputs64
TargetCreateProcessA
TargetCreateProcessA64
TargetCreateProcessW
TargetCreateProcessW64
TargetCreateThread
TargetCreateThread64
TargetDestroyOPMProtectedOutput
TargetDestroyOPMProtectedOutput64
TargetEnumDisplayDevicesA
TargetEnumDisplayDevicesA64
TargetEnumDisplayMonitors
TargetEnumDisplayMonitors64
TargetGdiDllInitialize
TargetGdiDllInitialize64
TargetGetCertificate
TargetGetCertificate64
TargetGetCertificateByHandle
TargetGetCertificateByHandle64
TargetGetCertificateSize
TargetGetCertificateSize64
TargetGetCertificateSizeByHandle
TargetGetCertificateSizeByHandle64
TargetGetMonitorInfoA
TargetGetMonitorInfoA64
TargetGetMonitorInfoW
TargetGetMonitorInfoW64
TargetGetOPMInformation
TargetGetOPMInformation64
TargetGetOPMRandomNumber
TargetGetOPMRandomNumber64
TargetGetStockObject
TargetGetStockObject64
TargetGetSuggestedOPMProtectedOutputArraySize
TargetGetSuggestedOPMProtectedOutputArraySize64
TargetNtCreateEvent
TargetNtCreateEvent64
TargetNtCreateFile
TargetNtCreateFile64
TargetNtCreateKey
TargetNtCreateKey64
TargetNtCreateSection
TargetNtCreateSection64
TargetNtMapViewOfSection
TargetNtMapViewOfSection64
TargetNtOpenEvent
TargetNtOpenEvent64
TargetNtOpenFile
TargetNtOpenFile64
TargetNtOpenKey
TargetNtOpenKey64
TargetNtOpenKeyEx
TargetNtOpenKeyEx64
TargetNtOpenProcess
TargetNtOpenProcess64
TargetNtOpenProcessToken
TargetNtOpenProcessToken64
TargetNtOpenProcessTokenEx
TargetNtOpenProcessTokenEx64
TargetNtOpenThread
TargetNtOpenThread64
TargetNtOpenThreadToken
TargetNtOpenThreadToken64
TargetNtOpenThreadTokenEx
TargetNtOpenThreadTokenEx64
TargetNtQueryAttributesFile
TargetNtQueryAttributesFile64
TargetNtQueryFullAttributesFile
TargetNtQueryFullAttributesFile64
TargetNtSetInformationFile
TargetNtSetInformationFile64
TargetNtSetInformationThread
TargetNtSetInformationThread64
TargetNtUnmapViewOfSection
TargetNtUnmapViewOfSection64
TargetRegisterClassW
TargetRegisterClassW64
TargetSetOPMSigningKeyAndSequenceNumbers
TargetSetOPMSigningKeyAndSequenceNumbers64
g_handles_to_close
g_interceptions
g_nt
g_originals
g_shared_IPC_size
g_shared_delayed_integrity_level
g_shared_delayed_mitigations
g_shared_policy_size
g_shared_section

Sections

.text
Size: 470KB - Virtual size: 469KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 85KB - Virtual size: 84KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236.bin
.exe windows:6 windows x86

Password: infected

3865972614d44e518713c9a6183fed14

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateFileA
CloseHandle
GetSystemInfo
CreateThread
GetThreadContext
GetProcAddress
VirtualAllocEx
RemoveDirectoryA
GetFileAttributesA
CreateProcessA
CreateDirectoryA
SetThreadContext
WriteConsoleW
ReadConsoleW
SetEndOfFile
HeapReAlloc
HeapSize
GetLastError
CopyFileA
GetTempPathA
Sleep
GetModuleHandleA
SetCurrentDirectoryA
ResumeThread
GetComputerNameExW
GetVersionExW
CreateMutexA
VirtualAlloc
WriteFile
VirtualFree
WriteProcessMemory
GetModuleFileNameA
ReadProcessMemory
ReadFile
SetFilePointerEx
GetTimeZoneInformation
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetStringTypeW
GetProcessHeap
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
WideCharToMultiByte
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
FindClose
SetStdHandle
GetFullPathNameW
GetCurrentDirectoryW
DeleteFileW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
GetModuleHandleW
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
GetCurrentProcess
TerminateProcess
RaiseException
SetLastError
RtlUnwind
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
ExitProcess
GetModuleHandleExW
CreateFileW
GetDriveTypeW
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetModuleFileNameW
GetStdHandle
GetCommandLineA
GetCommandLineW
HeapFree
HeapAlloc
MultiByteToWideChar
CompareStringW
LCMapStringW
DecodePointer

advapi32

RegCloseKey
RegQueryValueExA
GetSidSubAuthorityCount
GetSidSubAuthority
GetUserNameA
LookupAccountNameA
RegSetValueExA
RegOpenKeyExA
GetSidIdentifierAuthority

shell32

ShellExecuteA
ord680
SHGetFolderPathA

wininet

HttpOpenRequestA
InternetReadFile
InternetConnectA
HttpSendRequestA
InternetCloseHandle
InternetOpenA
InternetOpenW
InternetOpenUrlA

Sections

.text
Size: 169KB - Virtual size: 168KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
0ca5581683ce097e382c9bf177c33508110e79985b5332eadd3d806e2a8302e8.bin
.dll windows:4 windows x86

Password: infected

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

mscoree

_CorDllMain

Sections

.text
Size: 72KB - Virtual size: 72KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 888B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
1cbc53c7993f35b97dd450f01b0e972016fdbeff1aa2c2674235dd931fdda12e.bin
.dll windows:4 windows x86

Password: infected

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

mscoree

_CorDllMain

Sections

.text
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 968B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
31793ff8cdff66c5eb829ff1637d12b7afebd5fc95794946baccb6e96bf54649.bin
.exe windows:1 windows x86

Password: infected

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 611KB - Virtual size: 611KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 5KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 8B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 67KB - Virtual size: 66KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

693ffa6b44cd751ceb9044bcc8975404

Code Sign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

06:71:35:2d:c4:c1:03:b7:0a:e7:25:e9:54:48:63:74Certificate

Extended Key Usages

Key Usages

1e:9d:c2:a5:83:fc:c7:26:b3:3f:c8:48:b3:53:22:71:15:a9:4a:e5:b1:1a:be:26:99:c8:99:eb:74:93:18:08:84:6c:a6:6f:1c:a0:3e:ec:74:ba:53:fd:e4:53:68:04:10:4d:e2:04:c1:0f:09:b3:60:1f:7a:22:5a:14:a5:b7Signer

Headers

DLL Characteristics

File Characteristics

Imports

qt5core

advapi32

user32

kernel32

ole32

qt5webenginecore

msvcp140

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-locale-l1-1-0

shell32

winmm

Exports

Exports

Sections

.text Size: 470KB - Virtual size: 469KB

.rdata Size: 85KB - Virtual size: 84KB

.data Size: 5KB - Virtual size: 19KB

.pdata Size: 24KB - Virtual size: 24KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 2KB - Virtual size: 2KB

Password: infected

3865972614d44e518713c9a6183fed14

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

shell32

wininet

Sections

.text Size: 169KB - Virtual size: 168KB

.rdata Size: 34KB - Virtual size: 33KB

.data Size: 6KB - Virtual size: 9KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 8KB - Virtual size: 8KB

Password: infected

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 72KB - Virtual size: 72KB

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

06:71:35:2d:c4:c1:03:b7:0a:e7:25:e9:54:48:63:74
Certificate

1e:9d:c2:a5:83:fc:c7:26:b3:3f:c8:48:b3:53:22:71:15:a9:4a:e5:b1:1a:be:26:99:c8:99:eb:74:93:18:08:84:6c:a6:6f:1c:a0:3e:ec:74:ba:53:fd:e4:53:68:04:10:4d:e2:04:c1:0f:09:b3:60:1f:7a:22:5a:14:a5:b7
Signer

.text
Size: 470KB - Virtual size: 469KB

.rdata
Size: 85KB - Virtual size: 84KB

.data
Size: 5KB - Virtual size: 19KB

.pdata
Size: 24KB - Virtual size: 24KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 2KB - Virtual size: 2KB

.text
Size: 169KB - Virtual size: 168KB

.rdata
Size: 34KB - Virtual size: 33KB

.data
Size: 6KB - Virtual size: 9KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 8KB - Virtual size: 8KB

.text
Size: 72KB - Virtual size: 72KB

.rsrc
Size: 1024B - Virtual size: 888B

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 26KB - Virtual size: 26KB

.rsrc
Size: 1024B - Virtual size: 968B

.reloc
Size: 512B - Virtual size: 12B

CODE
Size: 611KB - Virtual size: 611KB

DATA
Size: 4KB - Virtual size: 4KB

BSS
Size: - Virtual size: 5KB

.idata
Size: 10KB - Virtual size: 9KB

.tls
Size: - Virtual size: 8B

.rdata
Size: 512B - Virtual size: 24B

.reloc
Size: - Virtual size: 34KB

.rsrc
Size: 67KB - Virtual size: 66KB