MetroLL[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

MetroLL.exe
Size

14.6MB
MD5

3a058908a3c3b2a62dad35b16f5d0455
SHA1

44d0c964806ceda43dac41b0addd2046b5f34d03
SHA256

708fc4e207a05862b1147ca455022167e51e58f83d769e61a3630d9f3d4c14ee
SHA512

181f2868008a12e561bac5994c5e468f63ceafbfc6c75e0622018c27e39e95385da568fc337e6198f5fcd1872535539f178d21f6f4adfa45d4c6010210d24878
SSDEEP

393216:Mq0wjIOZ4W6b+/f1CYh5f5f5f5f5f5f5f5f5f5f5GC:gi4i9Vh5f5f5f5f5f5f5f5f5f5f5X

Score

1^/10

Malware Config

Signatures

Files

MetroLL.exe
.exe windows:5 windows x86

f4e53da236ab7c72f3e148d7758f3142

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21-12-2012 00:00

Not After

30-12-2020 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18-10-2012 00:00

Not After

29-12-2020 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

62:a8:50:3a:ee:d0:a4:6f:c8:2b:42:ec:12:7c:cd:e4
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

13-03-2013 00:00

Not After

12-05-2015 23:59

Subject

CN=Koch Media GmbH,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Koch Media GmbH,L=München,ST=Bayern,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

66:8c:cd:0b:f7:07:35:42:26:8f:13:7c:16:f0:0a:4c:a0:ba:65:43
Signer

Actual PE Digest

66:8c:cd:0b:f7:07:35:42:26:8f:13:7c:16:f0:0a:4c:a0:ba:65:43

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
InterlockedExchangeAdd
Sleep
GetCommandLineA
ReleaseMutex
GetLastError
CreateMutexW
LoadLibraryW
CreateThread
OutputDebugStringA
WaitForMultipleObjects
IsDebuggerPresent
UnhandledExceptionFilter
IsProcessorFeaturePresent
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
DecodePointer
EncodePointer
GetStartupInfoW
HeapSetInformation
InterlockedCompareExchange
InterlockedExchange
GetCurrentThread
SetThreadPriority
InterlockedDecrement
InterlockedIncrement
GetVersion
SetThreadExecutionState
GlobalUnlock
GlobalLock
TerminateProcess
GetProcAddress
FreeLibrary
LoadLibraryA
GetModuleHandleA
WideCharToMultiByte
LocalFree
FormatMessageA
MultiByteToWideChar
GetFileAttributesW
DeleteFileW
WriteFile
CreateFileW
CreateDirectoryW
GetThreadContext
OpenThread
SetUnhandledExceptionFilter
RaiseException
CreateFileMappingA
GetFileSize
CreateFileA
ReadFile
SetFilePointer
UnmapViewOfFile
QueryPerformanceCounter
MapViewOfFile
GetCurrentThreadId
QueryPerformanceFrequency
SetPriorityClass
GetSystemInfo
GetComputerNameA
HeapFree
HeapAlloc
SwitchToThread
SetEvent
CreateEventA
WaitForSingleObject
ReleaseSemaphore
CloseHandle
CreateSemaphoreA
TryEnterCriticalSection
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
GetCurrentProcess
SetProcessWorkingSetSize
GetProcessHeap
HeapCompact

user32

LoadKeyboardLayoutA
GetKeyboardLayout
ActivateKeyboardLayout
MessageBoxA
GetAsyncKeyState
ChangeDisplaySettingsA
EnumDisplaySettingsA
GetCursorPos
SetCursorPos
DefWindowProcA
PostQuitMessage
ShowCursor
SetWindowLongA
GetWindowLongA
CreateWindowExA
AdjustWindowRect
SetRect
RegisterClassA
LoadIconA
ShowWindow
GetDoubleClickTime
SystemParametersInfoA
CloseClipboard
GetClipboardData
OpenClipboard
EndPaint
GetClientRect
BeginPaint
DestroyWindow
SetWindowPos
GetWindowRect
CreateDialogParamA
LoadBitmapA
EndDialog
DispatchMessageA
TranslateMessage
PeekMessageA
UnhookWindowsHookEx
SetWindowsHookExA
CallNextHookEx
ClientToScreen

advapi32

RegQueryValueExA
RegDeleteValueA
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
GetUserNameA
RegFlushKey
GetUserNameW
RegSetValueExA

msvcp100

?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z
?uncaught_exception@std@@YA_NXZ
?_Xlength_error@std@@YAXPBD@Z
?_Xout_of_range@std@@YAXPBD@Z
?_BADOFF@std@@3_JB
??_7?$basic_ostream@DU?$char_traits@D@std@@@std@@6B@
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
??1_Locimp@locale@std@@MAE@XZ
?_Decref@facet@locale@std@@QAEPAV123@XZ
??1_Locinfo@std@@QAE@XZ
??0_Locinfo@std@@QAE@HPBD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z
?_Raise_handler@std@@3P6AXABVexception@stdext@@@ZA
?_Init@locale@std@@CAPAV_Locimp@12@XZ
?_Makeloc@_Locimp@locale@std@@CAPAV123@ABV_Locinfo@3@HPAV123@PBV23@@Z
?_Xruntime_error@std@@YAXPBD@Z
??0_Locimp@locale@std@@AAE@_N@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z
??1_Container_base12@std@@QAE@XZ
?_Swap_all@_Container_base0@std@@QAEXAAU12@@Z

physxloader

NxGetUtilLib
NxCreatePhysicsSDK
NxReleasePhysicsSDK
NxGetPhysicsSDK
NxGetPhysicsSDKAllocator

msvcr100

_unlink
modf
floor
_itow
__libm_sse2_acosf
__libm_sse2_log
__libm_sse2_sin
__libm_sse2_cos
__libm_sse2_tanf
__libm_sse2_powf
_CIpow
__libm_sse2_sinf
__libm_sse2_cosf
memset
__libm_sse2_atan2
memcpy
realloc
_fpclass
fflush
fprintf_s
fclose
fopen
ceil
atof
wcsncpy
strncmp
_itoa
_itoa_s
_localtime64
tolower
isprint
swprintf_s
atoi
malloc
free
wcsncpy_s
wcsstr
memchr
__libm_sse2_expf
_mkdir
_findclose
_findfirst64i32
_purecall
strrchr
_vsnprintf_s_l
_vsnprintf
_stricmp
sscanf
_time64
_filelength
vsprintf
_control87
_controlfp
strcpy_s
strcat_s
strchr
strncpy_s
_beginthread
_heapmin
_chdir
wctob
qsort
ldexp
fseek
_errno
calloc
cos
sin
memcmp
memmove
_tell
_write
_close
_read
_lseek
_open
__libm_sse2_logf
sprintf_s
printf
_msize
_expand
isspace
isdigit
btowc
fopen_s
fwrite
sprintf
strncpy
__iob_func
fprintf
__libm_sse2_tan
abort
perror
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_chdrive
strstr
wcscat_s
wcscpy_s
strtol
strtoul
strtod
_ltoa
__libm_sse2_exp
__libm_sse2_atan
__libm_sse2_pow
__libm_sse2_atanf
_CIsinh
__libm_sse2_log10f
_CIfmod
_except_handler3
_CxxThrowException
__libm_sse2_acos
_crt_debugger_hook
_controlfp_s
_invoke_watson
_except_handler4_common
?terminate@@YAXXZ
__CxxFrameHandler3
_vsnprintf_s
_onexit
_lock
__dllonexit
_unlock
__set_app_type
_fmode
_commode
__setusermatherr
_configthreadlocale
_initterm_e
_initterm
_acmdln
exit
_ismbblead
_XcptFilter
_exit
_cexit
__getmainargs
_amsg_exit
ftell
fread
_fseeki64

ws2_32

WSAStartup
ntohl
ioctlsocket
inet_ntoa
inet_addr
select
WSARecvFrom
ntohs
setsockopt
WSASetLastError
htons
htonl
WSASendTo
gethostbyname
closesocket
__WSAFDIsSet
socket
bind
WSACleanup
WSAGetLastError

winmm

timeBeginPeriod
timeGetTime

d3dx9_43

D3DXMatrixInverse
D3DXMatrixTranspose
D3DXPlaneTransform
D3DXCreateEffect
D3DXCreateEffectCompiler
D3DXDisassembleEffect
D3DXCreateEffectPool
D3DXCreateCubeTexture
D3DXCreateTexture
D3DXCreateVolumeTexture
D3DXGetDeclVertexSize

steam_api

SteamAPI_SetMiniDumpComment
SteamAPI_Init
SteamAPI_WriteMiniDump
SteamUtils
SteamFriends
SteamAPI_RunCallbacks
SteamUserStats
SteamAPI_Shutdown
SteamUser
SteamAPI_RegisterCallResult
SteamApps
SteamAPI_RegisterCallback
SteamAPI_UnregisterCallback
SteamAPI_UnregisterCallResult
SteamClient
SteamRemoteStorage

gdi32

DeleteDC
GetStockObject
DeleteObject
SelectObject
CreateCompatibleDC
GetObjectA
BitBlt

shell32

SHGetSpecialFolderPathW

ole32

CoTaskMemAlloc
CoInitializeEx
CoTaskMemFree
CoCreateInstance

dinput8

DirectInput8Create

xinput1_3

ord3
ord2

Exports

Exports

??0_Mutex@std@@QAE@W4_Uninitialized@1@@Z
??4_Init_locks@std@@QAEAAV01@ABV01@@Z

Sections

.text
Size: 7.5MB - Virtual size: 7.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 84KB - Virtual size: 287KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4.4MB - Virtual size: 4.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 866KB - Virtual size: 866KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.bind
Size: 415KB - Virtual size: 415KB

IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f4e53da236ab7c72f3e148d7758f3142

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

62:a8:50:3a:ee:d0:a4:6f:c8:2b:42:ec:12:7c:cd:e4Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

66:8c:cd:0b:f7:07:35:42:26:8f:13:7c:16:f0:0a:4c:a0:ba:65:43Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

msvcp100

physxloader

msvcr100

ws2_32

winmm

d3dx9_43

steam_api

gdi32

shell32

ole32

dinput8

xinput1_3

Exports

Exports

Sections

.text Size: 7.5MB - Virtual size: 7.5MB

.rdata Size: 1.4MB - Virtual size: 1.4MB

.data Size: 84KB - Virtual size: 287KB

.rsrc Size: 4.4MB - Virtual size: 4.4MB

.reloc Size: 866KB - Virtual size: 866KB

.bind Size: 415KB - Virtual size: 415KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

62:a8:50:3a:ee:d0:a4:6f:c8:2b:42:ec:12:7c:cd:e4
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

66:8c:cd:0b:f7:07:35:42:26:8f:13:7c:16:f0:0a:4c:a0:ba:65:43
Signer

.text
Size: 7.5MB - Virtual size: 7.5MB

.rdata
Size: 1.4MB - Virtual size: 1.4MB

.data
Size: 84KB - Virtual size: 287KB

.rsrc
Size: 4.4MB - Virtual size: 4.4MB

.reloc
Size: 866KB - Virtual size: 866KB

.bind
Size: 415KB - Virtual size: 415KB