Thunder_dl_7[.]9[.]41[.]5020_setup[.]1444900082[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

Thunder_dl_7.9.41.5020_setup.1444900082.exe
Size

32.2MB
MD5

6ae7976bc6617bf3b8fd7ac9c53a892c
SHA1

de230998d6e6f1eafed246689b8aca4ebbdea9a3
SHA256

9421ced1767e1c29a999ffd20187214d3fa70856363f60e7ac74933771c215ad
SHA512

503ef684f6e4fd08b08a557f9a7a1b2c60b4226bd38ad984394371c6717a3b46accf1650f7ad09a9989051ce110d2baa737ffc3305fe2845aef6e0c8512e57e3
SSDEEP

786432:MYcNXn6hrK71xhDqqGd0pAAU6KpSAWkHwS6EmkDgk2:VcNX6hw1xhQWAXugt6k6

Score

1^/10

Malware Config

Signatures

NSIS installer 1 IoCs

installer

resource	yara_rule
sample	nsis_installer_2

Files

Thunder_dl_7.9.41.5020_setup.1444900082.exe
.exe windows:5 windows x86

8005dd5bb1b494b2b5ab9e6f36e7369f

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

22:92:48:99:cd:fc:a0:ab:28:cf:2f:91:c8:f2:24:8b
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

16/06/2015, 00:00

Not After

25/07/2018, 23:59

Subject

CN=ShenZhen Thunder Networking Technologies Ltd.,OU=Operate,O=ShenZhen Thunder Networking Technologies Ltd.,L=Shenzhen,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

f5:a3:0e:1d:ea:f1:28:8c:0a:8b:4f:05:df:5b:b8:c6:2e:27:1d:bd
Signer

Actual PE Digest

f5:a3:0e:1d:ea:f1:28:8c:0a:8b:4f:05:df:5b:b8:c6:2e:27:1d:bd

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

wininet

InternetOpenUrlA
InternetOpenW
InternetOpenUrlW
InternetReadFile
InternetCloseHandle

ws2_32

socket
WSAStartup
WSACleanup
gethostbyname
inet_addr
htons
connect
WSAAsyncSelect
send
WSAGetLastError
closesocket
recv

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

kernel32

CreateDirectoryW
GetFileAttributesW
FindFirstFileW
UnmapViewOfFile
MapViewOfFile
OpenFileMappingW
SizeofResource
DeviceIoControl
CreateFileA
GlobalMemoryStatusEx
QueryPerformanceCounter
QueryPerformanceFrequency
SetThreadPriority
SetPriorityClass
GetThreadPriority
GetPriorityClass
GetVersionExW
GetSystemInfo
GetSystemDefaultLCID
WaitForMultipleObjects
TerminateThread
CreateThread
GetCurrentProcessId
InterlockedIncrement
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetSystemDirectoryW
SetDllDirectoryW
CreateFileMappingW
FileTimeToSystemTime
SetFilePointer
WriteFile
GetFileSize
GetPrivateProfileStringA
GetPrivateProfileStringW
GetPrivateProfileIntW
GetPrivateProfileSectionW
GetLocalTime
TerminateProcess
OpenProcess
ResetEvent
FreeLibrary
GetCurrentDirectoryW
SetCurrentDirectoryW
IsBadCodePtr
VirtualQuery
FindResourceExW
DuplicateHandle
ReleaseMutex
HeapAlloc
HeapFree
VirtualFree
GetProcessHeap
lstrcpynW
VirtualAlloc
GetFileInformationByHandle
MoveFileExW
ReadFile
CompareStringA
GetDriveTypeA
RemoveDirectoryW
GetConsoleOutputCP
WriteConsoleA
FlushFileBuffers
GetLocaleInfoW
IsValidLocale
EnumSystemLocalesA
GetUserDefaultLCID
GetStringTypeA
GetLocaleInfoA
InitializeCriticalSectionAndSpinCount
SetStdHandle
GetDateFormatA
GetTimeFormatA
GetCurrentDirectoryA
GetFullPathNameW
GetTimeZoneInformation
GetStartupInfoA
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetConsoleMode
GetConsoleCP
IsValidCodePage
GetOEMCP
GetModuleFileNameA
GetStdHandle
GetModuleHandleA
HeapCreate
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
GetStringTypeW
GetCPInfo
LCMapStringW
LCMapStringA
GetFileType
FileTimeToLocalFileTime
GetSystemTimeAsFileTime
ExitThread
RtlUnwind
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
InterlockedExchange
HeapSize
HeapReAlloc
HeapDestroy
IsProcessorFeaturePresent
LoadLibraryA
InterlockedCompareExchange
MoveFileW
SetEndOfFile
CopyFileW
FindNextFileW
GetVolumeInformationW
FindClose
ResumeThread
GetVersionExA
EnumResourceNamesW
GetFileSizeEx
lstrcpyA
GetFileAttributesA
CreateDirectoryA
lstrcatA
GetSystemDirectoryA
GetVolumeInformationA
WritePrivateProfileStringA
SetEnvironmentVariableA
CompareStringW
GetCurrentProcess
GetCurrentThread
CloseHandle
DeleteCriticalSection
InitializeCriticalSection
WritePrivateProfileStringW
DeleteFileW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
LoadLibraryW
SetFileAttributesW
CreateFileW
CreateEventW
OpenEventW
SetEvent
GetTickCount
GetACP
ExitProcess
GetDiskFreeSpaceExW
LoadResource
LockResource
GlobalHandle
GlobalFree
GetTempPathW
CreateProcessW
GlobalLock
GlobalUnlock
GetModuleFileNameW
MulDiv
lstrcmpW
GetLastError
OutputDebugStringW
DebugBreak
lstrlenA
Sleep
SetLastError
lstrlenW
GetCurrentThreadId
InterlockedDecrement
FindResourceW
GlobalAlloc
FlushInstructionCache
GetLogicalDriveStringsW
GetDriveTypeW
OpenMutexW
CreateMutexW
GetModuleHandleW
GetProcAddress
LeaveCriticalSection
EnterCriticalSection
RaiseException
WaitForSingleObject
GetExitCodeProcess
GetStartupInfoW
LocalFree
WriteConsoleW

user32

UnregisterClassA
DestroyAcceleratorTable
SetFocus
GetWindow
GetFocus
SendMessageW
CreateAcceleratorTableW
RedrawWindow
MessageBoxW
GetDesktopWindow
SetWindowLongW
BeginPaint
PostMessageW
ShowWindow
IsWindowVisible
PostThreadMessageW
PeekMessageW
GetMessageW
TranslateMessage
DispatchMessageW
PostQuitMessage
UpdateLayeredWindow
SetRect
EqualRect
IsRectEmpty
CopyRect
GetTopWindow
EndPaint
CallWindowProcW
CharUpperW
GetActiveWindow
MsgWaitForMultipleObjects
DrawFocusRect
DrawIcon
GetWindowDC
DrawTextW
GetDlgCtrlID
SetCursor
ShowCursor
SetRectEmpty
OffsetRect
UnionRect
PtInRect
IsWindow
GetClassInfoExW
LoadCursorW
wvsprintfW
DestroyIcon
LoadImageW
GetSystemMetrics
BringWindowToTop
GetWindowLongW
MonitorFromWindow
GetMonitorInfoW
MapWindowPoints
wsprintfA
wsprintfW
SetWindowTextW
SetWindowContextHelpId
MapDialogRect
GetWindowRect
EnableWindow
GetWindowTextW
DefWindowProcW
RegisterClassExW
CreateWindowExW
GetSysColor
CharNextW
MoveWindow
SetWindowPos
GetClientRect
ClientToScreen
ScreenToClient
GetDC
ReleaseDC
InvalidateRect
InvalidateRgn
SetCapture
IsChild
GetParent
GetDlgItem
GetClassNameW
ReleaseCapture
FillRect
IsWindowEnabled
KillTimer
SetTimer
UpdateWindow
FindWindowW
LoadStringW
CreateDialogIndirectParamW
DialogBoxIndirectParamW
RegisterWindowMessageW
GetWindowTextLengthW
DestroyWindow

gdi32

SelectClipRgn
SetBkMode
GetClipBox
IntersectClipRect
CreateFontIndirectW
CombineRgn
GetTextMetricsW
SetViewportOrgEx
GetTextExtentPoint32W
GetStockObject
GetObjectW
CreateSolidBrush
GetDeviceCaps
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
DeleteObject
DeleteDC
SetTextColor
CreateRectRgnIndirect
MoveToEx
CreatePen
LineTo
SetBkColor
ExtTextOutW
ExtSelectClipRgn
GetWindowOrgEx
OffsetWindowOrgEx
SetWindowOrgEx
ExcludeClipRect
SetDIBitsToDevice
StretchDIBits
CreateDIBSection
CreateRectRgn
BitBlt

advapi32

InitializeAcl
AddAce
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegSetValueExW
RegCloseKey
ConvertStringSidToSidW
GetLengthSid
SetTokenInformation
CreateProcessAsUserW
OpenThreadToken
OpenProcessToken
DuplicateTokenEx
IsValidSid
RegCreateKeyExW
GetNamedSecurityInfoW
GetAclInformation
GetAce
GetSidLengthRequired
InitializeSid
GetSidSubAuthority
EqualSid
CopySid
SetNamedSecurityInfoW

shell32

SHGetSpecialFolderPathA
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetSpecialFolderPathW
SHCreateDirectoryExW
ord680
ShellExecuteExW
SHGetFileInfoW
ShellExecuteW
CommandLineToArgvW
SHGetFolderPathW
Shell_NotifyIconW

ole32

CoInitializeSecurity
CoUninitialize
CoSetProxyBlanket
CoInitialize
OleUninitialize
OleInitialize
CreateStreamOnHGlobal
CoRevokeClassObject
CoRegisterClassObject
CoTaskMemFree
CoTaskMemAlloc
CoCreateInstance
CLSIDFromString
CLSIDFromProgID
CoGetClassObject
OleLockRunning
StringFromGUID2
CoInitializeEx

oleaut32

SysAllocStringLen
SysAllocString
VariantInit
VariantClear
SysStringLen
LoadRegTypeLi
LoadTypeLi
UnRegisterTypeLi
RegisterTypeLi
SysFreeString
OleCreateFontIndirect

shlwapi

PathFindFileNameW
StrCmpW
PathAppendW
PathCombineW
PathRemoveBlanksW
StrCpyNW
PathIsRootW
PathIsDirectoryW
StrCmpNW
SHSetValueW
StrStrW
PathFindExtensionW
PathGetDriveNumberW
StrCmpIW
PathFileExistsW
SHGetValueW

comctl32

_TrackMouseEvent

msimg32

AlphaBlend

userenv

UnloadUserProfile

iphlpapi

GetAdaptersInfo

imm32

ImmDisableIME

gdiplus

GdipGetImageHeight
GdipGetImageWidth
GdipDisposeImage
GdipAlloc
GdipCloneImage
GdipLoadImageFromStream
GdipDeleteGraphics
GdipCreateFromHDC
GdipDrawImageRectI
GdipFree
GdiplusStartup

Sections

.text
Size: 726KB - Virtual size: 725KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 120KB - Virtual size: 120KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 31.3MB - Virtual size: 31.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8005dd5bb1b494b2b5ab9e6f36e7369f

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

22:92:48:99:cd:fc:a0:ab:28:cf:2f:91:c8:f2:24:8bCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

f5:a3:0e:1d:ea:f1:28:8c:0a:8b:4f:05:df:5b:b8:c6:2e:27:1d:bdSigner

Headers

DLL Characteristics

File Characteristics

Imports

wininet

ws2_32

version

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

shlwapi

comctl32

msimg32

userenv

iphlpapi

imm32

gdiplus

Sections

.text Size: 726KB - Virtual size: 725KB

.rdata Size: 120KB - Virtual size: 120KB

.data Size: 20KB - Virtual size: 76KB

.rsrc Size: 31.3MB - Virtual size: 31.3MB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

22:92:48:99:cd:fc:a0:ab:28:cf:2f:91:c8:f2:24:8b
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

f5:a3:0e:1d:ea:f1:28:8c:0a:8b:4f:05:df:5b:b8:c6:2e:27:1d:bd
Signer

.text
Size: 726KB - Virtual size: 725KB

.rdata
Size: 120KB - Virtual size: 120KB

.data
Size: 20KB - Virtual size: 76KB

.rsrc
Size: 31.3MB - Virtual size: 31.3MB