Three_Kingdoms[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

Three_Kingdoms.exe
Size

353.4MB
MD5

6d549720ec15da179b77ef0aee44c730
SHA1

6e253c0fd98a46a87866b0d9290887b4befee124
SHA256

66da38ced0f694a709cb6d248d264686247cd693862ae1f73293b4a5f6e41036
SHA512

c069e4bf02e8621f185a697e8e56dd94f0cf0c67ecfaf158f178635b22b1e3d0eee8ba14542da3748707af4bc80b1e0a7df79800d2951cf36beb2c641f29e718
SSDEEP

6291456:5YlbtS3XtxI4IY9sdbyqVoBmyQhBcf6YizBj8dX/dPyt3KvTfF+pe7epeQIt5rxZ:+lpMXDI4IY9sdbyqVoBmyQhBcf6YizBA

Score

1^/10

Malware Config

Signatures

Files

Three_Kingdoms.exe
.exe windows:6 windows x64

fc9eb72e0a06e5ba75d6c78ef5bdcec6

Code Sign

07
Certificate

Issuer

CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Not Before

03/05/2011, 07:00

Not After

03/05/2031, 07:00

Subject

CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

cf:b3:19:42:aa:99:f0:b8
Certificate

Issuer

CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US

Not Before

06/07/2018, 16:27

Not After

06/07/2021, 16:27

Subject

CN=The Creative Assembly Limited,O=The Creative Assembly Limited,L=Horsham,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:1a:35:72:30:15:82:63:30:d0:13:71:7e:82:41:08
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

02/05/2019, 00:00

Not After

01/08/2030, 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #1,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/05/2019, 00:00

Not After

18/01/2038, 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

34:c5:be:3c:db:c7:d2:df:38:16:d1:27:87:e9:a6:93:65:6f:14:b4
Signer

Actual PE Digest

34:c5:be:3c:db:c7:d2:df:38:16:d1:27:87:e9:a6:93:65:6f:14:b4

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

RegCloseKey
RegCreateKeyExW
RegOpenKeyExA
RegQueryValueExA
RegQueryValueExW
RegSetValueExW

comdlg32

GetSaveFileNameW
GetOpenFileNameW

gdi32

CreateDCW
CreateFontIndirectA
DeleteDC
DeleteObject
ExtEscape
GetObjectA
GetStockObject
GetTextExtentPoint32W
SelectObject
SetTextColor

icuin

??0StringSearch@icu@@QEAA@AEBVUnicodeString@1@0PEAVRuleBasedCollator@1@PEAVBreakIterator@1@AEAW4UErrorCode@@@Z
??1FormattedNumber@number@icu@@QEAA@XZ
??1LocalizedNumberFormatter@number@icu@@QEAA@XZ
??1StringSearch@icu@@UEAA@XZ
?compactShort@Notation@number@icu@@SA?AV123@XZ
?createInstance@Collator@icu@@SAPEAV12@AEAW4UErrorCode@@@Z
?first@SearchIterator@icu@@QEAAHAEAW4UErrorCode@@@Z
?formatDouble@LocalizedNumberFormatter@number@icu@@QEBA?AVFormattedNumber@23@NAEAW4UErrorCode@@@Z
?notation@?$NumberFormatterSettings@VLocalizedNumberFormatter@number@icu@@@number@icu@@QEBA?AVLocalizedNumberFormatter@23@AEBVNotation@23@@Z
?toString@FormattedNumber@number@icu@@QEBA?AVUnicodeString@3@XZ
?withLocale@NumberFormatter@number@icu@@SA?AVLocalizedNumberFormatter@23@AEBVLocale@3@@Z

icuuc

??0Locale@icu@@QEAA@PEBD000@Z
??0UnicodeString@icu@@QEAA@PEB_S@Z
??1Locale@icu@@UEAA@XZ
??1UnicodeString@icu@@UEAA@XZ
??_7UnicodeString@icu@@6B@
?getBuffer@UnicodeString@icu@@QEBAPEB_SXZ
?getDefault@Locale@icu@@SAAEBV12@XZ
?getEnglish@Locale@icu@@SAAEBV12@XZ
?getFrench@Locale@icu@@SAAEBV12@XZ
?getGerman@Locale@icu@@SAAEBV12@XZ
?getKorean@Locale@icu@@SAAEBV12@XZ
?getSimplifiedChinese@Locale@icu@@SAAEBV12@XZ
?getTraditionalChinese@Locale@icu@@SAAEBV12@XZ
?length@UnicodeString@icu@@QEBAHXZ
?setDefault@Locale@icu@@SAXAEBV12@AEAW4UErrorCode@@@Z

kernel32

CloseHandle
CompareStringW
CopyFileW
CreateDirectoryW
CreateEventW
CreateFileA
CreateFileW
CreateMutexW
CreatePipe
CreateProcessW
CreateSemaphoreA
CreateSemaphoreW
CreateThread
DeleteCriticalSection
DeleteFileW
DeviceIoControl
DuplicateHandle
EncodePointer
EnterCriticalSection
ExitProcess
ExpandEnvironmentStringsA
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FormatMessageA
FreeLibrary
GetACP
GetCPInfo
GetCommandLineW
GetComputerNameA
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDateFormatW
GetEnvironmentVariableA
GetFileAttributesA
GetFileAttributesW
GetFileSize
GetFileSizeEx
GetFileType
GetFullPathNameA
GetFullPathNameW
GetLastError
GetLocalTime
GetLocaleInfoA
GetLocaleInfoW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExA
GetModuleHandleExW
GetModuleHandleW
GetNumaHighestNodeNumber
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessHeaps
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemDirectoryW
GetSystemFileCacheSize
GetSystemInfo
GetSystemPowerStatus
GetSystemTime
GetThreadContext
GetTickCount
GetTimeFormatW
GetVersionExW
GlobalAlloc
GlobalLock
GlobalMemoryStatus
GlobalMemoryStatusEx
GlobalUnlock
HeapAlloc
HeapFree
HeapLock
HeapUnlock
HeapValidate
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InterlockedFlushSList
InterlockedPopEntrySList
InterlockedPushEntrySList
IsDebuggerPresent
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadLibraryExW
LoadLibraryW
LocalAlloc
LocalFree
MultiByteToWideChar
OpenProcess
OutputDebugStringA
OutputDebugStringW
PeekNamedPipe
QueryDepthSList
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseException
ReadFile
RegisterWaitForSingleObject
ReleaseSemaphore
ResetEvent
ResumeThread
SetEvent
SetFileInformationByHandle
SetFilePointerEx
SetLastError
SetThreadAffinityMask
SetThreadPriority
Sleep
SleepEx
SuspendThread
TerminateProcess
TerminateThread
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnmapViewOfFile
VerSetConditionMask
VerifyVersionInfoW
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForMultipleObjectsEx
WaitForSingleObject
WaitForSingleObjectEx
WideCharToMultiByte
WriteFile
lstrcatW
lstrcmpA
lstrcmpiA
lstrcpyW
lstrlenA
lstrlenW

ole32

CoCreateInstance
CoInitialize
CoInitializeEx
CoTaskMemAlloc
CoTaskMemFree
CoUninitialize
CoCreateGuid

oleaut32

SysAllocString
SysFreeString

optanedt_x64

OptanePinFiles

rpcrt4

UuidFromStringA
UuidToStringA
RpcStringFreeA

setupapi

SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInterfaces
SetupDiGetClassDevsW
SetupDiGetDeviceInstanceIdW
SetupDiGetDeviceInterfaceDetailW

shell32

SHGetKnownFolderPath
ShellExecuteA
ShellExecuteW
CommandLineToArgvW

emp

EMP

steam_api64

SteamAPI_GetHSteamPipe
SteamAPI_GetHSteamUser
SteamAPI_Init
SteamAPI_RegisterCallResult
SteamAPI_RegisterCallback
SteamAPI_UnregisterCallResult
SteamAPI_UnregisterCallback
SteamGameServer_GetHSteamPipe
SteamGameServer_GetHSteamUser
SteamInternal_ContextInit
SteamInternal_CreateInterface
SteamInternal_GameServer_Init

user32

AdjustWindowRect
BeginPaint
CallWindowProcA
CallWindowProcW
CheckRadioButton
ClientToScreen
CloseClipboard
CreateWindowExA
CreateWindowExW
DefWindowProcW
DestroyWindow
DialogBoxIndirectParamW
DialogBoxParamW
DispatchMessageA
DrawTextW
EmptyClipboard
EnableWindow
EndDialog
EndPaint
EnumDisplayDevicesW
FlashWindowEx
GetAsyncKeyState
GetCapture
GetClipboardData
GetCursorPos
GetDC
GetDesktopWindow
GetDlgCtrlID
GetDlgItem
GetFocus
GetForegroundWindow
GetKeyboardState
GetMessageA
GetMonitorInfoW
GetSystemMetrics
GetWindowLongA
GetWindowLongPtrA
GetWindowPlacement
GetWindowRect
GetWindowTextA
GetWindowTextLengthA
GetWindowTextLengthW
GetWindowTextW
GetWindowThreadProcessId
InvalidateRect
IsDlgButtonChecked
IsWindow
IsWindowVisible
KillTimer
LoadCursorA
LoadCursorW
LoadIconA
LoadIconW
LoadStringW
MessageBoxA
MessageBoxW
MonitorFromRect
MoveWindow
OpenClipboard
PeekMessageW
PostQuitMessage
PtInRect
RegisterClassExW
RegisterClassW
RegisterDeviceNotificationW
ReleaseCapture
ReleaseDC
SendDlgItemMessageA
SendMessageA
SetCapture
SetClipboardData
SetCursor
SetKeyboardState
SetTimer
SetWindowLongA
SetWindowLongPtrA
SetWindowLongPtrW
SetWindowPlacement
SetWindowPos
SetWindowTextA
SetWindowTextW
ShowWindow
SystemParametersInfoW
TranslateMessage
UpdateWindow
wsprintfW

wininet

HttpOpenRequestA
HttpSendRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetQueryOptionA
InternetReadFile
InternetSetOptionA

winmm

mixerClose
mixerGetControlDetailsW
mixerGetDevCapsW
mixerGetLineControlsW
mixerGetLineInfoW
mixerOpen
mixerSetControlDetails
timeGetTime
waveInGetNumDevs

wldap32

ord143
ord200
ord211
ord22
ord26
ord27
ord30
ord301
ord32
ord33
ord35
ord41
ord46
ord50
ord60
ord79

ws2_32

accept
ioctlsocket
WSAGetLastError
WSASetLastError
WSAStartup
WSACleanup
listen
ntohs
recv
recvfrom
select
send
bind
sendto
setsockopt
socket
closesocket
connect
getpeername
gethostname
getsockname
getsockopt
htons
freeaddrinfo
getaddrinfo

Exports

Exports

??R?$CB_BASE_DESTROY@UPIMPL@?$CB_BASE@ULEADERBOARD_FIND_RESULT@COPA@@@COPA@@@COPA@@QEAAXPEAUPIMPL@?$CB_BASE@ULEADERBOARD_FIND_RESULT@COPA@@@1@@Z
??R?$CB_BASE_DESTROY@UPIMPL@?$CB_BASE@ULEADERBOARD_SCORES_DOWNLOADED@COPA@@@COPA@@@COPA@@QEAAXPEAUPIMPL@?$CB_BASE@ULEADERBOARD_SCORES_DOWNLOADED@COPA@@@1@@Z
??R?$CB_BASE_DESTROY@UPIMPL@?$CB_BASE@ULEADERBOARD_SCORE_UPLOADED@COPA@@@COPA@@@COPA@@QEAAXPEAUPIMPL@?$CB_BASE@ULEADERBOARD_SCORE_UPLOADED@COPA@@@1@@Z
AmdPowerXpressRequestHighPerformance
NvOptimusEnablement
curl_easy_cleanup
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_init
curl_easy_pause
curl_easy_perform
curl_easy_recv
curl_easy_reset
curl_easy_send
curl_easy_setopt
curl_easy_strerror
curl_easy_unescape
curl_escape
curl_formadd
curl_formfree
curl_formget
curl_free
curl_getdate
curl_getenv
curl_global_cleanup
curl_global_init
curl_global_init_mem
curl_maprintf
curl_mfprintf
curl_mprintf
curl_msnprintf
curl_msprintf
curl_multi_add_handle
curl_multi_assign
curl_multi_cleanup
curl_multi_fdset
curl_multi_info_read
curl_multi_init
curl_multi_perform
curl_multi_remove_handle
curl_multi_setopt
curl_multi_socket
curl_multi_socket_action
curl_multi_socket_all
curl_multi_strerror
curl_multi_timeout
curl_mvaprintf
curl_mvfprintf
curl_mvprintf
curl_mvsnprintf
curl_mvsprintf
curl_share_cleanup
curl_share_init
curl_share_setopt
curl_share_strerror
curl_slist_append
curl_slist_free_all
curl_strequal
curl_strnequal
curl_unescape
g_pAKPluginList
make_fiber
switch_to_fiber

Sections

.sdata
Size: 41.9MB - Virtual size: 41.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.edata
Size: 5.9MB - Virtual size: 5.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xpdata
Size: 388KB - Virtual size: 7.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 67KB - Virtual size: 68KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ

.sbss
Size: 301.8MB - Virtual size: 301.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.code
Size: 512B - Virtual size: 501B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.xtext
Size: 512B - Virtual size: 20B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.xtls
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.arch
Size: 512B - Virtual size: 97B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.link
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rdata
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

fc9eb72e0a06e5ba75d6c78ef5bdcec6

Code Sign

07Certificate

Key Usages

cf:b3:19:42:aa:99:f0:b8Certificate

Extended Key Usages

Key Usages

3d:1a:35:72:30:15:82:63:30:d0:13:71:7e:82:41:08Certificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

34:c5:be:3c:db:c7:d2:df:38:16:d1:27:87:e9:a6:93:65:6f:14:b4Signer

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

comdlg32

gdi32

icuin

icuuc

kernel32

ole32

oleaut32

optanedt_x64

rpcrt4

setupapi

shell32

emp

steam_api64

user32

wininet

winmm

wldap32

ws2_32

Exports

Exports

Sections

.sdata Size: 41.9MB - Virtual size: 41.9MB

.edata Size: 5.9MB - Virtual size: 5.9MB

.xpdata Size: 388KB - Virtual size: 7.8MB

.pdata Size: 2.3MB - Virtual size: 2.3MB

.tls Size: 67KB - Virtual size: 68KB

.data Size: 3KB - Virtual size: 4KB

.sbss Size: 301.8MB - Virtual size: 301.8MB

.code Size: 512B - Virtual size: 501B

.xtext Size: 512B - Virtual size: 20B

.reloc Size: 28KB - Virtual size: 28KB

.xtls Size: 4KB - Virtual size: 3KB

.arch Size: 512B - Virtual size: 97B

.link Size: 16KB - Virtual size: 15KB

.rdata Size: 1.0MB - Virtual size: 1.0MB

07
Certificate

cf:b3:19:42:aa:99:f0:b8
Certificate

3d:1a:35:72:30:15:82:63:30:d0:13:71:7e:82:41:08
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

34:c5:be:3c:db:c7:d2:df:38:16:d1:27:87:e9:a6:93:65:6f:14:b4
Signer

.sdata
Size: 41.9MB - Virtual size: 41.9MB

.edata
Size: 5.9MB - Virtual size: 5.9MB

.xpdata
Size: 388KB - Virtual size: 7.8MB

.pdata
Size: 2.3MB - Virtual size: 2.3MB

.tls
Size: 67KB - Virtual size: 68KB

.data
Size: 3KB - Virtual size: 4KB

.sbss
Size: 301.8MB - Virtual size: 301.8MB

.code
Size: 512B - Virtual size: 501B

.xtext
Size: 512B - Virtual size: 20B

.reloc
Size: 28KB - Virtual size: 28KB

.xtls
Size: 4KB - Virtual size: 3KB

.arch
Size: 512B - Virtual size: 97B

.link
Size: 16KB - Virtual size: 15KB

.rdata
Size: 1.0MB - Virtual size: 1.0MB