b95d66a17c70743f3b1c3ab7540aa824ce11bcbea46772cc8ff56d14129a705b

Sharing

Copy URL Twitter E-mail

General

Target

b95d66a17c70743f3b1c3ab7540aa824ce11bcbea46772cc8ff56d14129a705b
Size

6.6MB
MD5

9673732684773eeedaee4be37cd337df
SHA1

7d812a7ac5f4537c2fd695744614aef2f244b764
SHA256

b95d66a17c70743f3b1c3ab7540aa824ce11bcbea46772cc8ff56d14129a705b
SHA512

1a68be50384f3d0a69d751255f4d89ab4473b00b85f6e8557afcf966d7db0e2e6a5a7ff4c620c6929f3b35b522bca9df22261be264e0597d1d76e0a84d5753b7
SSDEEP

196608:eV/Azl5id4w06N/1dLZnea/i81x6R5nBc/t:eVWl5iyw02dLHp1YLniF

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/resources/clash-verge-service.exe
unpack001/resources/install-service.exe

Files

b95d66a17c70743f3b1c3ab7540aa824ce11bcbea46772cc8ff56d14129a705b
.zip
resources/Country.mmdb
resources/clash-verge-service.exe
.exe windows:6 windows x64

47b59f58ebc44d6f8d90a28cbea0211b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

FormatMessageW
CreateFileW
GetFullPathNameW
WriteConsoleW
WaitForSingleObject
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleHandleW
GetModuleFileNameW
GetConsoleMode
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
DuplicateHandle
RtlLookupFunctionEntry
GetEnvironmentVariableW
GetCurrentProcessId
CompareStringOrdinal
CreateNamedPipeW
CreateThread
ReadFileEx
SleepEx
WriteFileEx
GetStdHandle
GetCurrentProcess
QueryPerformanceFrequency
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetCurrentDirectoryW
RtlCaptureContext
AcquireSRWLockShared
ReleaseSRWLockShared
PostQueuedCompletionStatus
GetCurrentThread
GetProcAddress
GetModuleHandleA
Sleep
GetQueuedCompletionStatusEx
SetFileCompletionNotificationModes
CreateMutexA
CreateIoCompletionPort
LoadLibraryA
ReleaseMutex
ReleaseSRWLockExclusive
TryAcquireSRWLockExclusive
GetFinalPathNameByHandleW
SetLastError
SwitchToThread
GetProcessHeap
HeapAlloc
SetThreadStackGuarantee
AddVectoredExceptionHandler
HeapReAlloc
GetSystemInfo
TerminateProcess
ExitProcess
GetCurrentThreadId
InitializeSListHead
RtlVirtualUnwind
IsDebuggerPresent
SetHandleInformation
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetLastError
WaitForSingleObjectEx
CloseHandle
AcquireSRWLockExclusive
GetSystemDirectoryW
HeapFree
IsProcessorFeaturePresent

ws2_32

WSACleanup
WSAStartup
shutdown
closesocket
recv
send
WSAIoctl
setsockopt
accept
getsockname
ioctlsocket
listen
bind
WSAGetLastError
WSASocketW
WSASend

advapi32

SetServiceStatus
SystemFunction036
RegisterServiceCtrlHandlerExW
StartServiceCtrlDispatcherW

ntdll

NtDeviceIoControlFile
RtlNtStatusToDosError
NtCreateFile
NtCancelIoFileEx

bcrypt

BCryptGenRandom
BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider

vcruntime140

__current_exception
__current_exception_context
memcpy
memcmp
memset
__CxxFrameHandler3
memmove
__C_specific_handler

api-ms-win-crt-runtime-l1-1-0

_configure_narrow_argv
exit
_get_initial_narrow_environment
_exit
__p___argc
__p___argv
_initialize_narrow_environment
_initterm
_seh_filter_exe
_set_app_type
_initterm_e
_cexit
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_register_thread_local_exe_atexit_callback
_c_exit
terminate

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-heap-l1-1-0

_set_new_mode
free

Sections

.text
Size: 599KB - Virtual size: 599KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 195KB - Virtual size: 195KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
resources/clash.pid
resources/geoip.dat
resources/geosite.dat
resources/install-service.exe
.exe windows:6 windows x64

f4de7888b138cd01c2137acbef7c3639

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

AddVectoredExceptionHandler
HeapFree
CloseHandle
FindClose
FindFirstFileW
SetThreadStackGuarantee
GetFileInformationByHandle
CreateFileW
GetModuleFileNameW
GetCurrentThread
GetEnvironmentVariableW
GetProcessHeap
AcquireSRWLockShared
RtlCaptureContext
GetCurrentDirectoryW
ExitProcess
AcquireSRWLockExclusive
GetFullPathNameW
FormatMessageW
GetModuleHandleW
RtlLookupFunctionEntry
ReleaseMutex
GetCurrentProcess
CreateMutexA
LoadLibraryA
SetLastError
WaitForSingleObjectEx
WriteConsoleW
WaitForSingleObject
GetConsoleMode
GetStdHandle
ReleaseSRWLockExclusive
TryAcquireSRWLockExclusive
GetProcAddress
GetLastError
GetModuleHandleA
HeapReAlloc
GetFileInformationByHandleEx
HeapAlloc
ReleaseSRWLockShared
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent

advapi32

CloseServiceHandle
StartServiceW
QueryServiceStatusEx
OpenServiceW
OpenSCManagerW
CreateServiceW
ChangeServiceConfig2W

vcruntime140

__CxxFrameHandler3
memcpy
memset
memcmp
memmove
__C_specific_handler
__current_exception
__current_exception_context

api-ms-win-crt-runtime-l1-1-0

_crt_atexit
terminate
_register_onexit_function
_initialize_onexit_table
_set_app_type
_register_thread_local_exe_atexit_callback
_c_exit
_cexit
__p___argv
__p___argc
_configure_narrow_argv
_exit
exit
_initterm_e
_initterm
_get_initial_narrow_environment
_initialize_narrow_environment
_seh_filter_exe

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-heap-l1-1-0

_set_new_mode
free

Sections

.text
Size: 120KB - Virtual size: 119KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 632B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 852B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
resources/wintun.dll
.dll windows:6 windows x64

01ce5951b7d0dcca222159a28511a055

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:20:4d:b4:00:00:00:00:00:27
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:45

Not After

15/04/2021, 19:55

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

06:63:d5:fc:a7:28:88:2f:36:ff:1b:df:5d:85:f0:ba
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

10/12/2018, 00:00

Not After

14/12/2021, 12:00

Subject

SERIALNUMBER=4227913,CN=WireGuard LLC,O=WireGuard LLC,L=Boulder,ST=Colorado,C=US,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#13044f68696f,1.3.6.1.4.1.311.60.2.1.3=#13025553

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d8:b2:c9:fd:88:91:f9:1c:30:2d:36:f9:b1:b3:95:7d:da:2e:ea:b0:e7:6f:7a:16:e7:90:01:98:4b:e8:2f:39
Signer

Actual PE Digest

d8:b2:c9:fd:88:91:f9:1c:30:2d:36:f9:b1:b3:95:7d:da:2e:ea:b0:e7:6f:7a:16:e7:90:01:98:4b:e8:2f:39

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

HeapCreate
GetCurrentProcess
LoadLibraryExA
CloseHandle
HeapDestroy
GetProcAddress
LocalFree
GetModuleHandleW
IsWow64Process
HeapFree
SetLastError
WaitForSingleObject
CreateFileW
OpenProcess
QueueUserWorkItem
CreateEventW
Sleep
GetLastError
SetEvent
HeapAlloc
GetCurrentProcessId
GetProcessTimes
RemoveDirectoryW
DeleteFileW
FormatMessageW
EnterCriticalSection
CreatePrivateNamespaceW
OpenPrivateNamespaceW
LeaveCriticalSection
InitializeCriticalSection
CreateBoundaryDescriptorW
CreateMutexW
ReleaseMutex
ClosePrivateNamespace
AddSIDToBoundaryDescriptor
DeleteCriticalSection
DeleteBoundaryDescriptor
ExpandEnvironmentStringsW
HeapReAlloc
CreateDirectoryW
SizeofResource
WriteFile
LockResource
LoadResource
FindResourceW
GetWindowsDirectoryW
VirtualFree
DeviceIoControl
VirtualAlloc
InitializeCriticalSectionAndSpinCount
ReadFile
SetHandleInformation
CreatePipe
GetExitCodeThread
CreateThread
CreateProcessW
WriteConsoleW
GetConsoleMode
GetConsoleOutputCP
FlushFileBuffers
HeapSize
RaiseException
GetSystemInfo
VirtualProtect
VirtualQuery
FreeLibrary
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
RtlUnwindEx
InterlockedFlushSList
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
EncodePointer
RtlPcToFileHeader
ExitProcess
GetModuleHandleExW
GetModuleFileNameW
GetStdHandle
GetFileType
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
LCMapStringW
GetProcessHeap
GetStringTypeW
SetFilePointerEx
SetStdHandle

ntdll

NtQuerySystemInformation
RtlNtStatusToDosError
RtlGetNtVersionNumbers
NtQueryKey
NtQuerySystemTime

Exports

Exports

WintunAllocateSendPacket
WintunCloseAdapter
WintunCreateAdapter
WintunDeleteDriver
WintunEndSession
WintunGetAdapterLUID
WintunGetReadWaitEvent
WintunGetRunningDriverVersion
WintunOpenAdapter
WintunReceivePacket
WintunReleaseReceivePacket
WintunSendPacket
WintunSetLogger
WintunStartSession

Sections

.text
Size: 137KB - Virtual size: 137KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 62KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 536B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_RDATA
Size: 512B - Virtual size: 252B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 191KB - Virtual size: 190KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

47b59f58ebc44d6f8d90a28cbea0211b

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

ws2_32

advapi32

ntdll

bcrypt

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-heap-l1-1-0

Sections

.text Size: 599KB - Virtual size: 599KB

.rdata Size: 195KB - Virtual size: 195KB

.data Size: 1024B - Virtual size: 1KB

.pdata Size: 17KB - Virtual size: 16KB

.reloc Size: 5KB - Virtual size: 5KB

f4de7888b138cd01c2137acbef7c3639

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-heap-l1-1-0

Sections

.text Size: 120KB - Virtual size: 119KB

.rdata Size: 32KB - Virtual size: 31KB

.data Size: 512B - Virtual size: 632B

.pdata Size: 4KB - Virtual size: 4KB

.reloc Size: 1024B - Virtual size: 852B

01ce5951b7d0dcca222159a28511a055

Code Sign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

61:20:4d:b4:00:00:00:00:00:27Certificate

Key Usages

06:63:d5:fc:a7:28:88:2f:36:ff:1b:df:5d:85:f0:baCertificate

Extended Key Usages

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

d8:b2:c9:fd:88:91:f9:1c:30:2d:36:f9:b1:b3:95:7d:da:2e:ea:b0:e7:6f:7a:16:e7:90:01:98:4b:e8:2f:39Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

ntdll

Exports

Exports

Sections

.text Size: 137KB - Virtual size: 137KB

.rdata Size: 62KB - Virtual size: 62KB

.data Size: 3KB - Virtual size: 7KB

.pdata Size: 7KB - Virtual size: 6KB

.didat Size: 1024B - Virtual size: 536B

_RDATA Size: 512B - Virtual size: 252B

.rsrc Size: 191KB - Virtual size: 190KB

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 599KB - Virtual size: 599KB

.rdata
Size: 195KB - Virtual size: 195KB

.data
Size: 1024B - Virtual size: 1KB

.pdata
Size: 17KB - Virtual size: 16KB

.reloc
Size: 5KB - Virtual size: 5KB

.text
Size: 120KB - Virtual size: 119KB

.rdata
Size: 32KB - Virtual size: 31KB

.data
Size: 512B - Virtual size: 632B

.pdata
Size: 4KB - Virtual size: 4KB

.reloc
Size: 1024B - Virtual size: 852B

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

61:20:4d:b4:00:00:00:00:00:27
Certificate

06:63:d5:fc:a7:28:88:2f:36:ff:1b:df:5d:85:f0:ba
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

d8:b2:c9:fd:88:91:f9:1c:30:2d:36:f9:b1:b3:95:7d:da:2e:ea:b0:e7:6f:7a:16:e7:90:01:98:4b:e8:2f:39
Signer

.text
Size: 137KB - Virtual size: 137KB

.rdata
Size: 62KB - Virtual size: 62KB

.data
Size: 3KB - Virtual size: 7KB

.pdata
Size: 7KB - Virtual size: 6KB

.didat
Size: 1024B - Virtual size: 536B

_RDATA
Size: 512B - Virtual size: 252B

.rsrc
Size: 191KB - Virtual size: 190KB

.reloc
Size: 2KB - Virtual size: 1KB