FortiVPN[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

FortiVPN.exe
Size

1.1MB
MD5

9b080d9a13c86aed6e3c981151310468
SHA1

44f28cb9e7cb05f1701f9bcd9a6db32957f53a47
SHA256

ec677c0352e727003ecf46fc7c2013d72c655e74d99832754e44dee393b1fdd2
SHA512

7607187e4e1bb66a1ffddcb6d5b910ffe595c510d57e1e8333d3dbac29f39711d86f4e72cf9f5adea59a5e4038f2688d9630dfe5e54c5d812c3148291b364838
SSDEEP

12288:CgYFQYxwN33X8xhyzLlAj9pTUrwWK7MfRwT2vGNzrcYbB2ULovFPKvOBch9YX:YKNX8xYIpTUrKEvIcYTLuPKvOBch9K

Score

1^/10

Malware Config

Signatures

Files

FortiVPN.exe
.exe windows:6 windows x64

0111a2d0e20dd30a6dee142005d1e950

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29-04-2021 00:00

Not After

28-04-2036 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:62:df:fe:c6:e9:33:2b:fa:93:b2:f1:87:86:36:42
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

07-06-2021 00:00

Not After

09-07-2024 23:59

Subject

CN=Fortinet Technologies (Canada) ULC,O=Fortinet Technologies (Canada) ULC,L=Burnaby,ST=British Columbia,C=CA

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21-09-2022 00:00

Not After

21-11-2033 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23-03-2022 00:00

Not After

22-03-2037 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-08-2022 00:00

Not After

09-11-2031 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

45:3c:78:87:50:86:da:78:7d:f5:a0:05:0b:21:6c:76:c6:95:8a:6c:91:2f:0e:ce:58:e1:9d:79:b8:6d:91:0c
Signer

Actual PE Digest

45:3c:78:87:50:86:da:78:7d:f5:a0:05:0b:21:6c:76:c6:95:8a:6c:91:2f:0e:ce:58:e1:9d:79:b8:6d:91:0c

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

utilsdll

GetUserNameBySessionIDEx
fs_get_temp_file_path
ImpersonateUserInSession
OpenGlobalEvent
ShowTrayBalloonW
cfg_is_fortivpn_running
cfg_get_vpn_compliance_settings
reg_getbinaryW
PostMessageGui
cfg_is_fortivpn_gui_running
Certificates_IsCertUsableByTunnel
reg_removesubkeyrecursiveW
Certificates_SetImpersonationFunction
reg_get_user_overridable_DWORDW
sch_stop_task_type
sch_find_running_task
sch_run_task
bBypassFsfilter
bBypassFShield
get_desired_status
SelectCurrentActiveTSSession
post_wndmsg_to_tray
post_wndmsg_to_gui
DetectPublicIP
reg_getstring_rawW
MsgPipe_Open
reg_removevalueW
VpnLockDown_GetGlobalLockedFlag
VpnLockDown_IsEnabled
DBLog_MarkTypeOfAlertRead
reg_valueexistsbykeyW
reg_setDWORDW
reg_setstringW
setThreadLocale
EnumLoggedonTSSessions
log_Alert
GlobalEventExists
Certificates_EnumTunnelCerts
Certificates_JustJSONAttributes
cfg_is_fips_error_mode
cfg_is_fips_mode_enabled
log_initialize
log_deinitialize
Log
CloseVPNSharedMemory
OpenVPNSharedMemory
IsComponentEnabled
IsComponentInstalled
MsgPipe_Close
CreateGlobalEvent
MsgPipe_PostMessage_UE
MsgPipe_UnlockPipe
MsgPipe_LockPipe
reg_createkeyW
reg_get_user_overridable_stringW
cfg_get_install_dir
reg_setstring_enc_cuW
MsgPipe_PostMessage
cfg_is_vpn_running
MsgPipe_SendRecv
??1CSslvpnAgent@@UEAA@XZ
reg_closekeyW
ps_get_process_infoW
reg_getDWORDW
reg_getstringW
reg_free
reg_getsubkeynamebyindexW
fs_disable_Wow64FsRedirection
reg_getsubkeycount
reg_openkeyW
fs_revert_Wow64FsRedirection

nanomsg

nn_socket
nn_connect
nn_errno
nn_recv
nn_send
nn_close
nn_setsockopt
nn_freemsg

wtsapi32

WTSRegisterSessionNotification
WTSUnRegisterSessionNotification

libcrypto-1_1-x64

RAND_bytes

libcfg

cfg_hash_stringW

sslvpnlib

?AfterConnected@CSslvpnBase@@QEAAXXZ
?GetUsername@CSslvpnBase@@QEAAXAEAV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@@Z
?SetRemoteInfo@CSslvpnBase@@QEAAXPEB_W@Z
?SetSAMLFormData@CSslvpnBase@@QEAAXPEB_W@Z
?SetVPNType@CSslvpnBase@@QEAAXW4VPNType@fortivpn@@@Z
?SetDualStack@CSslvpnBase@@QEAAXK@Z
?IsCookieError@CSslvpnBase@@QEAAHXZ
?IsCredentialError@CSslvpnBase@@QEAAHXZ
?IsConnectionWithoutReauth@CSslvpnBase@@QEAAHXZ
?SortRedundantConnection@CSslvpnBase@@QEAAHPEB_W@Z
?SetDisconnectEvent@CSslvpnBase@@QEAAXXZ
??0CFortiTraySslvpn@@QEAA@XZ
??1CFortiTraySslvpn@@UEAA@XZ
?IsShadowMode@CFortiTraySslvpn@@UEAAHAEAK@Z
?GetRSANewPin@CFortiTraySslvpn@@EEAAHV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@AEAV23@0@Z
?GetNewPin@CFortiTraySslvpn@@EEAAHV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@AEAV23@0HPEAH@Z
?GetTokenCode@CFortiTraySslvpn@@EEAAHV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@AEAV23@0@Z
?GetProxyAuthenticationInformation@CFortiTraySslvpn@@EEAAHAEAV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@0AEBV23@AEAHV23@@Z
?UpdateConnectingStatus@CFortiTraySslvpn@@EEAAXK@Z
?CancelGetTokenCode@CFortiTraySslvpn@@EEAAXXZ
??1CSslvpnInfoXml@@UEAA@XZ
?BaseInit@CSslvpnBase@@QEAAXXZ
?SetConnectionWithoutReauth@CSslvpnBase@@QEAAXH@Z
?GetSessionTimeout@CSslvpnBase@@QEAAKXZ
?DisconnectFortiSslvpn@CSslvpnBase@@QEAAHAEAH@Z
?UpdateFortiSslvpnStatus@CSslvpnBase@@QEAAHXZ
?OnReconnectWithoutAuthentication@CSslvpnBase@@QEAAHXZ
?OnConnect@CSslvpnBase@@QEAAHV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@0000HH@Z
?SetConnectionRequestSource@CFortiTraySslvpn@@QEAAXW4VPNInitiatorType@fortivpn@@@Z
?LaunchUpdateStatusThread@CFortiTraySslvpn@@QEAAXXZ
?InitFortiSslvpn@CSslvpnBase@@QEAAHAEAH@Z

msvcp140

?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Execute_once@std@@YAHAEAUonce_flag@1@P6AHPEAX1PEAPEAX@Z1@Z
?_Winerror_message@std@@YAKKPEADK@Z
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
_Strxfrm
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Xbad_function_call@std@@YAXXZ
?_Throw_C_error@std@@YAXH@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?id@?$ctype@D@std@@2V0locale@2@A
?id@?$collate@D@std@@2V0locale@2@A
_Mtx_destroy_in_situ
_Mtx_lock
_Mtx_init_in_situ
_Strcoll
_Mtx_unlock
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?tolower@?$ctype@D@std@@QEBAPEBDPEADPEBD@Z
?tolower@?$ctype@D@std@@QEBADD@Z
??1facet@locale@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UEAAXXZ
??Bid@locale@std@@QEAA_KXZ
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
_Cnd_destroy_in_situ
_Cnd_signal
?_Throw_Cpp_error@std@@YAXH@Z
_Cnd_do_broadcast_at_thread_exit
_Cnd_destroy
_Cnd_wait
_Mtx_init
_Thrd_start
_Thrd_id
_Mtx_destroy
_Cnd_init
_Thrd_join
_Mtx_current_owns
_Cnd_init_in_situ
_Cnd_timedwait
_Xtime_get_ticks
_Cnd_broadcast
_Query_perf_frequency
?_Random_device@std@@YAIXZ
_Query_perf_counter
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z
??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ
??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z
?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z
?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z
?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
_Thrd_detach
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Xinvalid_argument@std@@YAXPEBD@Z

dbghelp

MiniDumpWriteDump
MakeSureDirectoryPathExists

iphlpapi

NotifyRouteChange
NotifyAddrChange
CancelIPChangeNotify

ws2_32

freeaddrinfo
WSACleanup
inet_pton
WSAStartup
getaddrinfo

mfc140u

ord14211
ord7651
ord2967
ord4352
ord14217
ord286
ord13864
ord8161
ord5240
ord13767
ord1503
ord3579
ord6285
ord4730
ord3713
ord3697
ord1033
ord296
ord4656
ord7922
ord5227
ord7450
ord7461
ord7460
ord5062
ord5229
ord5083
ord5339
ord9041
ord5552
ord5363
ord5080
ord14221
ord6848
ord446
ord3071
ord3307
ord3308
ord3951
ord10163
ord11085
ord10704
ord8731
ord1089
ord11854
ord8901
ord2697
ord13397
ord6000
ord11813
ord7233
ord11850
ord9384
ord5582
ord4360
ord4828
ord4767
ord4752
ord4814
ord4859
ord4782
ord4837
ord4853
ord4794
ord4800
ord4806
ord4788
ord4843
ord4776
ord1755
ord1734
ord1748
ord1722
ord1700
ord11940
ord11944
ord13513
ord3173
ord8947
ord10691
ord6729
ord8656
ord14209
ord11625
ord3718
ord11771
ord8830
ord11415
ord11414
ord5451
ord9979
ord9975
ord9977
ord9978
ord9976
ord14360
ord7913
ord9946
ord3209
ord3212
ord3172
ord3278
ord3279
ord3812
ord11806
ord2629
ord5723
ord13354
ord13761
ord11406
ord6631

kernel32

AreFileApisANSI
RemoveDirectoryW
GetFullPathNameW
GetFileInformationByHandle
GetFileAttributesExW
FindFirstFileExW
FindClose
DeleteFileW
CreateDirectoryW
GetComputerNameW
CreateProcessW
ProcessIdToSessionId
CreateEventA
CancelWaitableTimer
CreateWaitableTimerW
SetWaitableTimer
SetConsoleCtrlHandler
WaitForMultipleObjects
InitializeCriticalSectionEx
GetTickCount64
FlushFileBuffers
ConnectNamedPipe
GetModuleHandleW
OutputDebugStringW
OpenProcess
DisconnectNamedPipe
WaitForMultipleObjectsEx
CreateNamedPipeW
GetModuleFileNameW
GetCommandLineW
OpenMutexW
GetOverlappedResult
WriteFile
SetNamedPipeHandleState
TlsFree
LocalFree
UnhandledExceptionFilter
GetLastError
MultiByteToWideChar
OpenEventW
ResetEvent
ReleaseMutex
CreateMutexW
CreateFileW
ReadFile
SetUnhandledExceptionFilter
GetTickCount
QueryPerformanceCounter
GetSystemTimeAsFileTime
WideCharToMultiByte
GetCurrentProcessId
DeleteCriticalSection
GetProcAddress
GetLocalTime
CreateThread
CloseHandle
DeleteFileA
QueryPerformanceFrequency
SetEvent
CreateFileA
Sleep
CreateEventW
GetModuleHandleA
GetCurrentThreadId
WaitForSingleObject
ExpandEnvironmentStringsA
InitializeCriticalSection
LeaveCriticalSection
OutputDebugStringA
GetStdHandle
GetCurrentProcess
EnterCriticalSection
SetConsoleTextAttribute
SetLastError
GetConsoleScreenBufferInfo
GetModuleFileNameA
WaitForSingleObjectEx
MoveFileExW
RtlCaptureContext
RtlLookupFunctionEntry
FormatMessageA
RtlVirtualUnwind
TerminateProcess
IsProcessorFeaturePresent
InitializeSListHead
IsDebuggerPresent
TlsAlloc
InitializeCriticalSectionAndSpinCount

user32

IsWindow
DispatchMessageW
PeekMessageW
LoadStringW
TranslateMessage
EnableWindow
SetForegroundWindow
UnregisterClassW
GetWindowTextW
GetDesktopWindow
GetDlgItem
EnumThreadWindows
SendMessageW
PostThreadMessageW
MsgWaitForMultipleObjects
CloseWindowStation
SetThreadDesktop
GetThreadDesktop
CloseDesktop
SetProcessWindowStation
OpenInputDesktop
GetUserObjectInformationW
OpenDesktopW
GetProcessWindowStation
OpenWindowStationW
GetMessageW
DefWindowProcW
DestroyWindow
CreateWindowExW
RegisterClassW
PostQuitMessage
PostMessageW
GetWindowThreadProcessId
SetTimer
AttachThreadInput
GetForegroundWindow
KillTimer
SetWindowLongPtrW
GetWindowLongPtrW
DialogBoxParamW
GetWindowRect
SetWindowPos
MessageBoxW
EndDialog
GetSystemMetrics
SetWindowTextW
ShowWindow
SwitchToThisWindow
SetDlgItemTextW
GetDlgItemTextW
MoveWindow
SetFocus
GetParent

advapi32

RegOpenKeyA
RegQueryValueExA
RegGetValueW
RegOpenKeyExW
RegQueryValueExW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
RegOpenCurrentUser
RevertToSelf
GetTokenInformation
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenProcessToken
RegCloseKey

shell32

SHGetKnownFolderPath

shlwapi

StrStrIW
SHEnumKeyExW

ole32

CoTaskMemFree
CoCreateInstance
CoUninitialize
CoInitialize
CoInitializeEx

vcruntime140

__std_exception_copy
__std_exception_destroy
wcsrchr
strrchr
memcpy
strstr
strchr
__std_terminate
_purecall
__CxxFrameHandler3
memmove
__RTDynamicCast
__C_specific_handler
_CxxThrowException
memcmp
memset

api-ms-win-crt-stdio-l1-1-0

_wfopen_s
__stdio_common_vfwprintf
setvbuf
__stdio_common_vswprintf
_fsopen
fflush
__stdio_common_vsnprintf_s
__stdio_common_vsprintf_s
__stdio_common_vfprintf
fseek
fclose
__acrt_iob_func
ftell
_set_fmode
__p__commode
_ftelli64
fwrite
__stdio_common_vsnwprintf_s

api-ms-win-crt-string-l1-1-0

wcsncmp
wcsncpy_s
isalpha
wcsncpy
strncmp
_wcsicmp
isspace
_stricmp
isdigit
strncpy_s
strncat_s

api-ms-win-crt-time-l1-1-0

_time64
_localtime64_s

api-ms-win-crt-runtime-l1-1-0

_initterm
_get_initial_narrow_environment
_initterm_e
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_exit
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
__p___argv
_c_exit
_invalid_parameter_noinfo_noreturn
_invalid_parameter_noinfo
_register_thread_local_exe_atexit_callback
terminate
_errno
_register_onexit_function
exit
__p___argc

api-ms-win-crt-filesystem-l1-1-0

_stat64i32

api-ms-win-crt-heap-l1-1-0

malloc
_callnewh
realloc
_set_new_mode
free
calloc

api-ms-win-crt-utility-l1-1-0

rand

api-ms-win-crt-convert-l1-1-0

strtoul
_wtol

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
_configthreadlocale
setlocale

api-ms-win-crt-math-l1-1-0

__setusermatherr

Exports

Exports

??0CSslvpnAgent@@QEAA@AEBV0@@Z
??0CSslvpnInfoXml@@QEAA@AEBV0@@Z
??4COptionOp@@QEAAAEAV0@AEBV0@@Z
??4CSslvpnAgent@@QEAAAEAV0@AEBV0@@Z
??4CSslvpnInfoXml@@QEAAAEAV0@AEBV0@@Z
??_7CSslvpnAgent@@6B@
??_7CSslvpnInfoXml@@6B@
?GetSessionTimeout@CSslvpnInfoXml@@QEAAKXZ
?IsEnabled@CSslvpnInfoXml@@QEBA_NXZ
?IsProxyAuthDlgCancelClicked@CFortiTraySslvpn@@UEAAHXZ
?IsTunnelConnectWithoutReauthentication@CSslvpnInfoXml@@QEBA_NXZ
?SetProxyAuthDlgCancelClicked@CFortiTraySslvpn@@UEAAXH@Z
?SetTunnelConnectWithoutReauthentication@CSslvpnInfoXml@@QEAAXH@Z
?__autoclassinit2@CFortiTraySslvpn@@QEAAX_K@Z
?__autoclassinit2@CSslvpnAgent@@QEAAX_K@Z

Sections

.text
Size: 625KB - Virtual size: 625KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 239KB - Virtual size: 238KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 18KB - Virtual size: 221KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 211KB - Virtual size: 211KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0111a2d0e20dd30a6dee142005d1e950

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

08:62:df:fe:c6:e9:33:2b:fa:93:b2:f1:87:86:36:42Certificate

Extended Key Usages

Key Usages

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5aCertificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

45:3c:78:87:50:86:da:78:7d:f5:a0:05:0b:21:6c:76:c6:95:8a:6c:91:2f:0e:ce:58:e1:9d:79:b8:6d:91:0cSigner

Headers

DLL Characteristics

File Characteristics

Imports

utilsdll

nanomsg

wtsapi32

libcrypto-1_1-x64

libcfg

sslvpnlib

msvcp140

dbghelp

iphlpapi

ws2_32

mfc140u

kernel32

user32

advapi32

shell32

shlwapi

ole32

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

Exports

Exports

Sections

.text Size: 625KB - Virtual size: 625KB

.rdata Size: 239KB - Virtual size: 238KB

.data Size: 18KB - Virtual size: 221KB

.pdata Size: 26KB - Virtual size: 26KB

.rsrc Size: 211KB - Virtual size: 211KB

.reloc Size: 4KB - Virtual size: 3KB

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

08:62:df:fe:c6:e9:33:2b:fa:93:b2:f1:87:86:36:42
Certificate

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

45:3c:78:87:50:86:da:78:7d:f5:a0:05:0b:21:6c:76:c6:95:8a:6c:91:2f:0e:ce:58:e1:9d:79:b8:6d:91:0c
Signer

.text
Size: 625KB - Virtual size: 625KB

.rdata
Size: 239KB - Virtual size: 238KB

.data
Size: 18KB - Virtual size: 221KB

.pdata
Size: 26KB - Virtual size: 26KB

.rsrc
Size: 211KB - Virtual size: 211KB

.reloc
Size: 4KB - Virtual size: 3KB