Static task: static1
Behavioral task: behavioral1 (Sample: certutil.exe, Resource: win7-20230831-en)
Behavioral task: behavioral2 (Sample: certutil.exe, Resource: win10v2004-20230915-en)
General
Target: certutil.exe
Size: 1.0MB
MD5: ac9cbd27b0ff44e734fa2bb30b2a8ad4
SHA1: f9064c2a1cfee621b8a4b42e32deef50d70b6f89
SHA256: 367a43db6a355a23011d466c9ffd2a5349e37e84ea6557541de9a7fce4a635a9
SHA512: 5d076edfce5c6b1d2383ac47400cc928df1268b1f433bf7f91e2c03bc7fe27f720fcd86a18ab4edd42e606486dd794e5cdb8e9d1d442b01ecb902e9a2b9f5024
SSDEEP: 24576:/fByy/b7NUqH7ntU0joFmkQvbIo1Q+R78KWvQ0iMUYkKFg1aiJ:HPH7O0joF99zf9FggiJ
Malware Config
Signatures
Unsigned PE (1 IoC): Checks for missing Authenticode signature.
Resource: certutil.exe
Files
certutil.exe.exe  windows:6 windows x86  e1f2a9d9d85be5e1b46c201a7dc75c7d
Headers
DLL Characteristics: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_GUARD_CF, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE
Imports
advapi32: CryptReleaseContext, CryptAcquireContextW, LookupAccountNameW, IsValidSid, ConvertSidToStringSidW, ImpersonateSelf, RevertToSelf, IsValidSecurityDescriptor, GetSecurityDescriptorLength, LookupAccountSidW, CryptGetProvParam, CryptGetUserKey, CryptGetKeyParam, CryptDestroyKey, GetTokenInformation, GetLengthSid, CopySid, OpenProcessToken, RegQueryValueExW, RegCloseKey, RegOpenKeyExW, RegEnumKeyExW, RegCreateKeyW, RegEnumValueW, RegSetValueExW, RegEnumKeyW, RegDeleteKeyW, RegDeleteValueW, CryptSetProvParam, CryptGenRandom, CryptCreateHash, CryptVerifySignatureW, CryptHashData, CryptDestroyHash, CryptSetKeyParam, CryptDecrypt, CryptImportKey, RegOpenKeyW, CryptGetHashParam, CryptDuplicateKey, CryptEncrypt, CryptGenKey, GetSidSubAuthorityCount, GetSidSubAuthority, GetSidIdentifierAuthority, SetNamedSecurityInfoW, AddAccessDeniedAce, AddAccessAllowedAce, AddAccessDeniedObjectAce, AddAccessAllowedObjectAce, AddAce, InitializeAcl, LsaStorePrivateData, LsaRetrievePrivateData, RegConnectRegistryW, AdjustTokenPrivileges, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSecurityDescriptorToStringSecurityDescriptorW, RegDeleteKeyExW, CryptEnumProvidersA, CryptGetDefaultProviderW, LogonUserExW, ImpersonateLoggedOnUser, CreateWellKnownSid, MakeAbsoluteSD, MakeSelfRelativeSD, LsaClose, LsaFreeMemory, LsaOpenPolicy, FreeSid, CheckTokenMembership, DuplicateToken, OpenThreadToken, RegCreateKeyExW, ConvertStringSidToSidW, AllocateAndInitializeSid, SetSecurityDescriptorDacl, SetEntriesInAclW, GetSecurityDescriptorDacl, DeleteAce, EqualSid, GetAce, GetAclInformation, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetSecurityDescriptorControl, CryptSignHashW, CryptSetHashParam, CryptExportKey, CryptDuplicateHash, CryptContextAddRef
kernel32: SetConsoleCtrlHandler, EnterCriticalSection, SetEndOfFile, WriteFile, LockResource, SizeofResource, LoadResource, FindResourceW, GetVersionExW, GetComputerNameExW, GetComputerNameW, SetFilePointer, GetFileSize, CreateFileW, ReadFile, FindClose, FindNextFileW, FindFirstFileW, Sleep, GetTickCount, LoadLibraryW, DecodePointer, LeaveCriticalSection, GetFileAttributesExW, GetCurrentProcess, GetLastError, GetTickCount64, VerifyVersionInfoW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, LocalReAlloc, GetModuleHandleW, RaiseException, DeleteCriticalSection, InitializeCriticalSection, GetSystemDefaultLangID, FormatMessageW, HeapAlloc, HeapFree, GetProcessHeap, lstrcmpW, DeleteFileW, lstrcmpiW, GetProcAddress, SetLastError, SetConsoleMode, EncodePointer, VerSetConditionMask, GetConsoleMode, GetFileType, GetStdHandle, CloseHandle, GetExitCodeThread, WaitForSingleObject, CreateThread, CompareFileTime, FreeLibrary, GetStartupInfoW, GetEnvironmentVariableW, GetTempFileNameW, OpenEventW, PulseEvent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, GetModuleHandleA, LocalFree, GetSystemTime, SystemTimeToFileTime, GetSystemTimeAsFileTime, LocalAlloc, GetFileAttributesW, DelayLoadFailureHook, GetLocaleInfoW, FindResourceExW, SearchPathW, LoadLibraryExA, GetProfileStringA, SetEvent, ResetEvent, CreateEventW, GetFileTime, lstrlenW, GetCommandLineW, VirtualFree, VirtualAlloc, GetTempPathW, WriteConsoleW, GetACP, WideCharToMultiByte, GetLocalTime, OpenProcess, HeapSetInformation, LoadLibraryExW, GetSystemDirectoryW, CompareStringW, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, GetSystemInfo, GetCurrentThread, FoldStringW, CreateDirectoryW, RemoveDirectoryW, GetConsoleOutputCP, GetFullPathNameW, GetTimeFormatW, GetDateFormatW, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, MultiByteToWideChar, OutputDebugStringA, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
msvcrt: _controlfp, _onexit, __dllonexit, _unlock, _itoa_s, memset, memcpy, wcscpy_s, towupper, iswlower, towlower, iswupper, sscanf, wcstok, memmove, wcschr, wcsrchr, iswdigit, strpbrk, strcat_s, strcpy_s, strspn, fwrite, ftell, _fileno, _setmode, wcstoul, fgetws, feof, fgetc, _wfopen, fputws, atoi, isdigit, __iob_func, vfwprintf, _wgetenv, _except_handler4_common, iswxdigit, _wsetlocale, iswalpha, isxdigit, __isascii, gmtime, iswspace, _lock, ?terminate@@YAXXZ, __CxxFrameHandler3, realloc, _errno, ??1type_info@@UAE@XZ, _wcmdln, _initterm, __setusermatherr, __p__fmode, _cexit, _exit, exit, __set_app_type, __wgetmainargs, _amsg_exit, __p__commode, _XcptFilter, _CxxThrowException, _callnewh, ?what@exception@@UBEPBDXZ, ??1exception@@UAE@XZ, ??0exception@@QAE@ABV0@@Z, ??0exception@@QAE@XZ, malloc, _vsnwprintf, fwprintf, _iob, _wfopen_s, fclose, _strnicmp, _purecall, fflush, _fgetwchar, wcsspn, _wcsnicmp, wcsstr, ?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z, qsort, wcscspn, getenv, free, _wcsicmp, memcmp, swscanf, _stricmp, _wtoi, _vsnprintf, _wcslwr, strstr, wcsncmp, _ultow, strncmp, bsearch, fopen, fgets, strchr, fputs, fseek, strcspn, ferror, _swab, _strlwr, fprintf
certcli: ord207, CACertTypeAccessCheck, ord358, ord359, ord225, ord246, ord223, ord360, ord213, ord205, ord206, ord356, CAEnumCertTypesEx, CAFindCertTypeByName, ord258, CAGetCertTypeFlagsEx, CAGetCertTypePropertyEx, CAFreeCertTypeProperty, CAGetCertTypeKeySpec, CAGetCertTypeExpiration, CAGetCertTypeExtensions, CAFreeCertTypeExtensions, CAEnumCertTypesForCAEx, CAGetCertTypeProperty, CACertTypeAccessCheckEx, CAEnumNextCertType, CACloseCertType, ord373, CAEnumFirstCA, CAFindByName, CAGetCAProperty, CAFreeCAProperty, CAEnumNextCA, CACloseCA, ord362, CAGetCAFlags, CAGetCAExpiration, CAAccessCheck, ord361, CAGetCACertificate, CAGetCASecurity, CASetCAProperty, CAUpdateCAEx, CAFindByCertType, ord256, ord218, ord254, CAEnumCertTypesForCA, CACountCertTypes, ord366, ord208, CARemoveCACertificateTypeEx, CAAddCACertificateTypeEx, CAUpdateCA, ord252, ord261, ord260, ord253, ord203, ord247, ord210, CASetCASecurity, CASetCACertificate, CASetCAFlags, CACreateNewCA, ord370, ord245, ord217, CACountCAs, ord357
crypt32: CryptEncodeObjectEx, CryptFindOIDInfo, CertFindExtension, CertFreeCertificateContext, CertDuplicateCertificateContext, PFXExportCertStoreEx, PFXExportCertStore, CryptFreeOIDFunctionAddress, CryptGetOIDFunctionAddress, CryptInitOIDFunctionSet, CertNameToStrW, CertStrToNameW, PFXImportCertStore, CryptFormatObject, CryptDecryptMessage, CryptEncryptMessage, CryptSignMessage, CertAddCertificateLinkToStore, CertGetIntendedKeyUsage, CryptHashPublicKeyInfo, CryptSignCertificate, CryptMsgOpenToDecode, CryptStringToBinaryW, CryptSignAndEncodeCertificate, CryptImportPublicKeyInfoEx2, CertDuplicateStore, CryptMsgUpdate, CryptMsgOpenToEncode, CertCreateCTLContext, CertSetCertificateContextPropertiesFromCTLEntry, CertCreateContext, I_CertProtectFunction, CertAddStoreToCollection, CertVerifyCertificateChainPolicy, CryptMemFree, CertVerifySubjectCertificateContext, CryptVerifyCertificateSignatureEx, CertGetEnhancedKeyUsage, CertVerifyCRLTimeValidity, CertVerifyRevocation, CertVerifyTimeValidity, CryptVerifyCertificateSignature, CryptEnumKeyIdentifierProperties, CryptImportPublicKeyInfo, CertDuplicateCRLContext, CertDeleteCRLFromStore, CertAddCTLContextToStore, CertAddCRLContextToStore, CertEnumSystemStore, CertEnumSystemStoreLocation, CertEnumPhysicalStore, CertControlStore, CertSaveStore, CryptFindLocalizedName, CertAddSerializedElementToStore, CertAddEncodedCTLToStore, CertAddEncodedCRLToStore, CertAddEncodedCertificateToStore, CertFreeCTLContext, CertSetCTLContextProperty, CertSetCRLContextProperty, CryptFindCertificateKeyProvInfo, CryptAcquireCertificatePrivateKey, CertEnumCertificateContextProperties, CertGetCRLContextProperty, CertEnumCRLContextProperties, CertGetCTLContextProperty, CertEnumCTLContextProperties, CertSetStoreProperty, CertAddCertificateContextToStore, CertFreeCertificateChain, CertGetCertificateChain, CertSetCertificateContextProperty, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CryptHashCertificate2, CryptDecodeObjectEx, CertEnumCTLsInStore, CertDeleteCertificateFromStore, CertGetNameStringW, CertOpenStore, CryptQueryObject, CryptMsgClose, CryptMsgGetParam, CryptMsgGetAndVerifySigner, CryptMsgControl, CertFindCertificateInStore, CertEnumCertificatesInStore, PFXIsPFXBlob, CertGetPublicKeyLength, CryptGetKeyIdentifierProperty, CertFindAttribute, CryptHashCertificate, CertCompareCertificateName, CryptDecodeObject, CryptRegisterOIDInfo, CertCreateCertificateContext, CryptEnumOIDInfo, CertCreateCRLContext, CertFreeCRLContext, CertEnumCRLsInStore, CertCloseStore, CertGetCertificateContextProperty
cabinet: ord20, ord22, ord23, ord21
comctl32: InitCommonControlsEx
cryptui: CryptUIDlgViewCRLW, CryptUIDlgFreeCAContext, CryptUIDlgViewCertificateW
gdi32: GetStockObject
ncrypt: NCryptIsKeyHandle, NCryptOpenStorageProvider, NCryptImportKey, NCryptFreeObject, NCryptGetProperty, BCryptFreeBuffer, NCryptSetProperty, NCryptFinalizeKey, BCryptCloseAlgorithmProvider, BCryptCreateHash, BCryptDecrypt, BCryptDestroyHash, BCryptDestroyKey, BCryptEncrypt, BCryptExportKey, BCryptFinishHash, BCryptGenRandom, BCryptGetProperty, BCryptHashData, BCryptOpenAlgorithmProvider, BCryptSetProperty, BCryptSignHash, BCryptVerifySignature, NCryptCreatePersistedKey, NCryptDecrypt, NCryptDeleteKey, NCryptDeriveKey, NCryptEncrypt, NCryptExportKey, NCryptOpenKey, NCryptSecretAgreement, NCryptSignHash, NCryptVerifySignature, NCryptEnumAlgorithms, NCryptIsAlgSupported, NCryptEnumKeys, NCryptEnumStorageProviders, NCryptFreeBuffer, BCryptEnumAlgorithms, BCryptQueryProviderRegistration, BCryptEnumContexts, BCryptQueryContextConfiguration, BCryptEnumContextFunctions, BCryptResolveProviders
netapi32: DsGetSiteNameW, DsGetDcNameW, NetApiBufferFree, NetUserGetGroups, DsRoleGetPrimaryDomainInformation, DsRoleFreeMemory
normaliz: IdnToUnicode
ntdll: WinSqmIncrementDWORD, NtQuerySystemTime, RtlTimeToSecondsSince1970
ntdsapi: DsFreeDomainControllerInfoW, DsGetDomainControllerInfoW, DsFreeNameResultW, DsUnBindW, DsCrackNamesW, DsBindW
setupapi: SetupGetStringFieldW, SetupFindNextLine, SetupGetFieldCount, SetupFindFirstLineW, SetupGetLineCountW, SetupOpenInfFileW, SetupCloseInfFile, SetupGetIntField
shell32: SHGetFolderPathW, SHGetKnownFolderPath
version: VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
wldap32: ord18, ord113, ord140, ord224, ord142, ord79, ord127, ord167, ord147, ord206, ord135, ord203, ord36, ord26, ord27, ord191, ord41, ord65, ord155, ord210, ord13, ord145, ord14, ord73, ord208, ord12, ord16
ole32: CoUninitialize, CoCreateInstance, CLSIDFromString, CLSIDFromProgID, StringFromCLSID, ProgIDFromCLSID, CoInitialize, CoTaskMemFree, CoInitializeEx, CoTaskMemAlloc, CoCreateInstanceEx, CoSetProxyBlanket, StgOpenStorageEx, PropVariantClear
oleaut32: SysFreeString, SysStringByteLen, VariantClear, SysAllocStringLen, SafeArrayCreate, SafeArrayPutElement, SafeArrayDestroy, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayGetUBound, SafeArrayAccessData, SafeArrayGetElement, SafeArrayUnaccessData, SysAllocStringByteLen, SysStringLen, VariantTimeToSystemTime, SystemTimeToVariantTime, VariantCopyInd, CreateErrorInfo, VariantInit, SetErrorInfo, SysAllocString
rpcrt4: I_RpcExceptionFilter, NdrClientCall2, UuidCreate
secur32: GetComputerObjectNameW, TranslateNameW, GetUserNameExW
user32: GetDlgItemInt, IsDlgButtonChecked, GetDlgItemTextW, EnableWindow, GetDlgItem, EndDialog, LoadCursorW, MessageBoxW, SendMessageW, SetCursor, CharLowerW, GetDesktopWindow, SetDlgItemInt, CheckDlgButton, SetDlgItemTextW, ShowWindow, DialogBoxParamW, SetWindowTextW, GetWindowLongW, CallWindowProcW, GetWindowTextW, SetFocus, SetWindowLongW, UpdateWindow, LoadStringW, DispatchMessageW, PostQuitMessage, DefWindowProcW, LoadIconW, RegisterClassW, CreateWindowExW, PostMessageW, GetMessageW, TranslateMessage, SendDlgItemMessageA
Sections
.text   Size: 927KB  Virtual size: 926KB  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data   Size: 31KB   Virtual size: 41KB   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  Size: 18KB   Virtual size: 17KB   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat  Size: 512B   Virtual size: 188B   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   Size: 4KB    Virtual size: 3KB    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  Size: 53KB   Virtual size: 53KB   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ