winutils[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

winutils.exe
Size

110KB
MD5

6f6bf7900ea06a13bcd896eb5453435b
SHA1

a96587a3243508d43fb0273700b7751d29df39fa
SHA256

e7a33bbd1d9c0cd0711ccd0b65b1d4d38f7a73f18725ebac0d7d31820fed6a6d
SHA512

612ae7ed4fc2c4c1334e29713f80ac485772b977464d0a405feed84d514808918274a42dd85a1aa478b2251abab6dcf353c84fd5e071d9eee7844c2015f586db
SSDEEP

3072:pWjA1KwsR/nUoISOJcWq9PnVsi9Skz2v1MFX:pywQSSOJceA

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
winutils.exe

Files

winutils.exe
.exe windows:5 windows x64

013608ea8b9f408c7a818a9326acaf7f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetCurrentDirectoryW
QueryInformationJobObject
GetExitCodeProcess
GetProcessTimes
WaitForSingleObject
CreateJobObjectW
SetEnvironmentVariableW
SetInformationJobObject
CreateHardLinkW
FindNextFileW
FindFirstFileW
GetSystemInfo
GetSystemTimes
CreateSymbolicLinkW
DeviceIoControl
LocalFree
DeleteFileW
CloseHandle
DuplicateHandle
CreatePipe
OpenJobObjectW
FindClose
lstrlenW
GetFileAttributesW
GetSystemTimeAsFileTime
QueryPerformanceCounter
Sleep
EncodePointer
UnhandledExceptionFilter
RtlVirtualUnwind
GetFileInformationByHandle
RtlLookupFunctionEntry
RtlCaptureContext
DecodePointer
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
RemoveDirectoryW
CreateEventW
LocalAlloc
RegisterWaitForSingleObject
GetLastError
CreateFileW
GetModuleFileNameW
TerminateProcess
FormatMessageW
AssignProcessToJobObject
OpenProcess
CompareStringEx
SetEvent
SetHandleInformation
SetUnhandledExceptionFilter
ExitProcess
FileTimeToSystemTime
ResumeThread
TerminateJobObject
OutputDebugStringW
IsDebuggerPresent
CreateDirectoryW
GetCurrentProcess
MoveFileExW
CreateProcessW
CopyFileExW
UnregisterWait

advapi32

GetSecurityDescriptorDacl
AdjustTokenPrivileges
AddAccessDeniedAceEx
GetLengthSid
LsaNtStatusToWinError
IsValidSid
AllocateLocallyUniqueId
MakeAbsoluteSD
LsaClose
SetFileSecurityW
LookupAccountSidW
LookupPrivilegeValueW
SetNamedSecurityInfoW
SetSecurityDescriptorDacl
LookupAccountNameW
BuildSecurityDescriptorW
GetSecurityDescriptorControl
GetTokenInformation
OpenProcessToken
ConvertSecurityDescriptorToStringSecurityDescriptorW
AddAce
SetSecurityInfo
InitializeAcl
GetSecurityInfo
CreateProcessAsUserW
AddAccessAllowedAceEx
GetUserNameW
CreateWellKnownSid
ConvertSidToStringSidW
ReportEventW
RegisterServiceCtrlHandlerW
SetServiceStatus
GetNamedSecurityInfoW
GetAce
DeregisterEventSource
EqualSid
GetAclInformation
StartServiceCtrlDispatcherW
RegisterEventSourceW

msvcr100

_CxxThrowException
?_type_info_dtor_internal_method@type_info@@QEAAXXZ
_onexit
_lock
__dllonexit
_unlock
?terminate@@YAXXZ
__crt_debugger_hook
__set_app_type
_fmode
_commode
__setusermatherr
_configthreadlocale
_initterm_e
_initterm
__winitenv
exit
_cexit
_exit
_XcptFilter
__C_specific_handler
__wgetmainargs
_amsg_exit
??2@YAPEAX_K@Z
memcpy_s
??3@YAXPEAX@Z
_wsplitpath_s
swprintf_s
iswctype
calloc
wcsspn
fclose
wcscat_s
_wfopen_s
wprintf
wcstol
_errno
fwprintf_s
malloc
free
wcschr
_vsnwprintf
__iob_func
wcsnlen
fwprintf
fprintf_s
__CxxFrameHandler3

rpcrt4

RpcServerRegisterIfEx
NdrServerCall2
RpcMgmtStopServerListening
RpcServerListen
RpcServerUseProtseqIfW
RpcFreeAuthorizationContext
RpcGetAuthorizationContextForClient

authz

AuthzAccessCheck
AuthzFreeResourceManager
AuthzFreeContext
AuthzInitializeContextFromToken
AuthzInitializeContextFromSid
AuthzInitializeResourceManager

psapi

GetProcessMemoryInfo
GetPerformanceInfo

powrprof

CallNtPowerInformation

pdh

PdhCloseQuery
PdhGetRawCounterArrayW
PdhAddCounterW
PdhOpenQueryW
PdhCollectQueryData

netapi32

NetApiBufferFree
NetUserGetLocalGroups

secur32

LsaFreeReturnBuffer
LsaLogonUser
LsaLookupAuthenticationPackage
LsaRegisterLogonProcess

userenv

UnloadUserProfile
LoadUserProfileW
DestroyEnvironmentBlock
CreateEnvironmentBlock

ole32

OleRun
CoInitialize
CoUninitialize
CoCreateInstance

oleaut32

GetErrorInfo
SysFreeString
SysStringByteLen
VariantChangeType
SysAllocString
SysStringLen
VariantInit
SysAllocStringByteLen
VariantCopy
VariantClear

Sections

.text
Size: 65KB - Virtual size: 65KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 832B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 454B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

013608ea8b9f408c7a818a9326acaf7f

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

msvcr100

rpcrt4

authz

psapi

powrprof

pdh

netapi32

secur32

userenv

ole32

oleaut32

Sections

.text Size: 65KB - Virtual size: 65KB

.rdata Size: 12KB - Virtual size: 12KB

.data Size: 26KB - Virtual size: 28KB

.pdata Size: 3KB - Virtual size: 2KB

.rsrc Size: 1024B - Virtual size: 832B

.reloc Size: 512B - Virtual size: 454B

.text
Size: 65KB - Virtual size: 65KB

.rdata
Size: 12KB - Virtual size: 12KB

.data
Size: 26KB - Virtual size: 28KB

.pdata
Size: 3KB - Virtual size: 2KB

.rsrc
Size: 1024B - Virtual size: 832B

.reloc
Size: 512B - Virtual size: 454B