Load[.]zip | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Load.zip
Size

1.2MB
MD5

48add6107d9d7f27023df514636dba42
SHA1

e0b267bb3720b63a291ba426777839e886eac785
SHA256

5a29690b42487507b0450556c55276c446da7ca41c72861e57b5685869d24cd6
SHA512

880bab6051d747a6f94262739a46764511414e43fc8ddbd6f07e246c12af53cfc7199c09b7a68f642a8654092c11a63ccc8f6c41741ca29135caf4b022358b11
SSDEEP

24576:iTODPctPOBximjSoqBjfOpabJF1Mtkr6lciKqQtBn57u6eVSQWQPZ2DqUAR:iT9mamTqBjfQabJF1FNL57uJdBPZ2ePR

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/LIBPQ.dll

Files

Load.zip
.zip

Password: infected
LIBPQ.dll
.dll windows:5 windows x86

771d1aa2684e0ad475ad0fb0801a2b40

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetFileTime
GetSystemTimeAsFileTime
GetTimeFormatA
GetDateFormatA
HeapFree
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapReAlloc
HeapAlloc
FindNextFileA
GetCommandLineA
RtlUnwind
RaiseException
VirtualProtect
VirtualAlloc
GetSystemInfo
VirtualQuery
HeapSize
GetACP
IsValidCodePage
GetTimeZoneInformation
HeapCreate
HeapDestroy
VirtualFree
GetFileSizeEx
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
GetConsoleCP
GetConsoleMode
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
InitializeCriticalSectionAndSpinCount
GetStringTypeA
GetStringTypeW
LCMapStringA
LCMapStringW
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetStdHandle
GetLocaleInfoW
CompareStringW
SetEnvironmentVariableA
GetFileAttributesA
FileTimeToLocalFileTime
GetTickCount
GetModuleHandleW
FileTimeToSystemTime
GetOEMCP
GetCPInfo
CreateFileA
GetFullPathNameA
GetVolumeInformationA
FindFirstFileA
FindClose
GetCurrentProcess
DuplicateHandle
GetFileSize
SetEndOfFile
UnlockFile
LockFile
FlushFileBuffers
SetFilePointer
WriteFile
ReadFile
InterlockedIncrement
TlsFree
DeleteCriticalSection
LocalReAlloc
TlsSetValue
TlsAlloc
InitializeCriticalSection
GlobalHandle
GlobalReAlloc
EnterCriticalSection
TlsGetValue
LeaveCriticalSection
LocalAlloc
GlobalFlags
WritePrivateProfileStringA
InterlockedDecrement
FormatMessageA
LocalFree
MulDiv
GlobalGetAtomNameA
GlobalFindAtomA
MultiByteToWideChar
lstrcmpW
GetVersionExA
GlobalAddAtomA
CloseHandle
GlobalUnlock
FreeResource
GlobalFree
GlobalDeleteAtom
GetCurrentThread
GetCurrentThreadId
ConvertDefaultLocale
EnumResourceLanguagesA
GetLocaleInfoA
CompareStringA
InterlockedExchange
GlobalLock
lstrcmpA
GlobalAlloc
GetLastError
ExitProcess
GetCurrentProcessId
GetModuleHandleA
Sleep
GetModuleFileNameA
GetThreadLocale
lstrlenA
GetProcessHeap
SetLastError
IsBadReadPtr
FreeLibrary
GetProcAddress
LoadLibraryA
FindResourceA
LoadResource
LockResource
SizeofResource
WideCharToMultiByte
CreateFileW

user32

RegisterClipboardFormatA
PostThreadMessageA
SetFocus
GetWindowTextLengthA
GetWindowTextA
GetForegroundWindow
GetTopWindow
UnhookWindowsHookEx
GetMessageTime
GetMessagePos
MapWindowPoints
SetMenu
SetForegroundWindow
UpdateWindow
GetSubMenu
GetMenuItemID
GetMenuItemCount
CreateWindowExA
GetClassInfoExA
GetClassInfoA
RegisterClassA
GetSysColor
AdjustWindowRectEx
EqualRect
PtInRect
GetDlgCtrlID
DefWindowProcA
CallWindowProcA
GetMenu
SetWindowLongA
OffsetRect
IntersectRect
CopyAcceleratorTableA
GetWindowRect
SetCursor
SetWindowsHookExA
CallNextHookEx
GetMessageA
TranslateMessage
DispatchMessageA
IsWindowVisible
GetKeyState
PeekMessageA
GetCursorPos
ValidateRect
SetMenuItemBitmaps
GetMenuCheckMarkDimensions
LoadBitmapA
GetFocus
ModifyMenuA
GetMenuState
EnableMenuItem
CheckMenuItem
ReleaseDC
GetDC
CopyRect
GetDesktopWindow
GetActiveWindow
SetActiveWindow
CreateDialogIndirectParamA
DestroyWindow
IsWindow
GetDlgItem
GetNextDlgTabItem
EndDialog
GetWindow
SetWindowContextHelpId
MapDialogRect
SetWindowPos
PostQuitMessage
PostMessageA
GetWindowLongA
GetLastActivePopup
IsWindowEnabled
MessageBoxA
ShowWindow
EnableWindow
CharNextA
EnumWindows
GetParent
GetWindowThreadProcessId
KillTimer
SetTimer
DrawIcon
GetClientRect
GetSystemMetrics
IsIconic
SendMessageA
AppendMenuA
GetSystemMenu
LoadIconA
CharUpperA
GetSysColorBrush
MessageBeep
GetNextDlgGroupItem
InvalidateRgn
InvalidateRect
SetRect
GetWindowPlacement
IsRectEmpty
ReleaseCapture
LoadCursorA
SetCapture
EndPaint
BeginPaint
GetWindowDC
ClientToScreen
GrayStringA
DrawTextExA
DrawTextA
TabbedTextOutA
DestroyMenu
MoveWindow
SetWindowTextA
IsDialogMessageA
RegisterWindowMessageA
SendDlgItemMessageA
WinHelpA
IsChild
GetCapture
GetClassLongA
GetClassNameA
RemovePropA
SystemParametersInfoA
GetPropA
SetPropA

gdi32

SaveDC
RestoreDC
SetMapMode
DeleteObject
GetViewportExtEx
GetWindowExtEx
PtVisible
RectVisible
TextOutA
Escape
SelectObject
SetViewportOrgEx
OffsetViewportOrgEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
ExtSelectClipRgn
DeleteDC
GetStockObject
GetBkColor
GetTextColor
GetRgnBox
GetMapMode
ExtTextOutA
GetDeviceCaps
GetObjectA
SetBkColor
SetTextColor
GetClipBox
CreateBitmap
SetViewportExtEx
CreateRectRgnIndirect

comdlg32

GetFileTitleA

winspool.drv

DocumentPropertiesA
ClosePrinter
OpenPrinterA

advapi32

RegSetValueExA
RegCreateKeyExA
RegQueryValueA
RegOpenKeyA
RegEnumKeyA
RegDeleteKeyA
RegOpenKeyExA
RegQueryValueExA
RegCloseKey

shlwapi

PathFindFileNameA
PathStripToRootA
PathIsUNCA
PathFindExtensionA

oledlg

ord8

ole32

CoRevokeClassObject
OleInitialize
CoFreeUnusedLibraries
OleUninitialize
CreateILockBytesOnHGlobal
StgCreateDocfileOnILockBytes
StgOpenStorageOnILockBytes
OleIsCurrentClipboard
CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
CLSIDFromProgID
OleFlushClipboard
CoRegisterMessageFilter
CoGetClassObject

oleaut32

SysAllocStringLen
VariantClear
VariantChangeType
VariantInit
SysStringLen
SysAllocStringByteLen
OleCreateFontIndirect
VariantTimeToSystemTime
SystemTimeToVariantTime
SafeArrayDestroy
SysAllocString
VariantCopy
SysFreeString

Exports

Exports

PQbackendPID
PQbinaryTuples
PQcancel
PQclear
PQclientEncoding
PQcmdStatus
PQcmdTuples
PQconndefaults
PQconnectPoll
PQconnectStart
PQconnectStartParams
PQconnectdb
PQconnectdbParams
PQconnectionNeedsPassword
PQconnectionUsedPassword
PQconninfo
PQconninfoFree
PQconninfoParse
PQconsumeInput
PQcopyResult
PQdb
PQdescribePortal
PQdescribePrepared
PQdisplayTuples
PQdsplen
PQencryptPassword
PQencryptPasswordConn
PQendcopy
PQenv2encoding
PQerrorMessage
PQescapeBytea
PQescapeByteaConn
PQescapeIdentifier
PQescapeLiteral
PQescapeString
PQescapeStringConn
PQexec
PQexecParams
PQexecPrepared
PQfformat
PQfinish
PQfireResultCreateEvents
PQflush
PQfmod
PQfn
PQfname
PQfnumber
PQfreeCancel
PQfreeNotify
PQfreemem
PQfsize
PQftable
PQftablecol
PQftype
PQgetCancel
PQgetCopyData
PQgetResult
PQgetisnull
PQgetlength
PQgetline
PQgetlineAsync
PQgetssl
PQgetvalue
PQhost
PQinitOpenSSL
PQinitSSL
PQinstanceData
PQisBusy
PQisnonblocking
PQisthreadsafe
PQlibVersion
PQmakeEmptyPGresult
PQmblen
PQnfields
PQnotifies
PQnparams
PQntuples
PQoidStatus
PQoidValue
PQoptions
PQparameterStatus
PQparamtype
PQpass
PQping
PQpingParams
PQport
PQprepare
PQprint
PQprintTuples
PQprotocolVersion
PQputCopyData
PQputCopyEnd
PQputline
PQputnbytes
PQregisterEventProc
PQregisterThreadLock
PQrequestCancel
PQresStatus
PQreset
PQresetPoll
PQresetStart
PQresultAlloc
PQresultErrorField
PQresultErrorMessage
PQresultInstanceData
PQresultSetInstanceData
PQresultStatus
PQresultVerboseErrorMessage
PQsendDescribePortal
PQsendDescribePrepared
PQsendPrepare
PQsendQuery
PQsendQueryParams
PQsendQueryPrepared
PQserverVersion
PQsetClientEncoding
PQsetErrorContextVisibility
PQsetErrorVerbosity
PQsetInstanceData
PQsetNoticeProcessor
PQsetNoticeReceiver
PQsetResultAttrs
PQsetSingleRowMode
PQsetdbLogin
PQsetnonblocking
PQsetvalue
PQsocket
PQsslAttribute
PQsslAttributeNames
PQsslInUse
PQsslStruct
PQstatus
PQtrace
PQtransactionStatus
PQtty
PQunescapeBytea
PQuntrace
PQuser
appendBinaryPQExpBuffer
appendPQExpBuffer
appendPQExpBufferChar
appendPQExpBufferStr
createPQExpBuffer
destroyPQExpBuffer
enlargePQExpBuffer
initPQExpBuffer
lo_close
lo_creat
lo_create
lo_export
lo_import
lo_import_with_oid
lo_lseek
lo_lseek64
lo_open
lo_read
lo_tell
lo_tell64
lo_truncate
lo_truncate64
lo_unlink
lo_write
pg_char_to_encoding
pg_encoding_to_char
pg_utf_mblen
pg_valid_server_encoding
pg_valid_server_encoding_id
pgresStatus
pqsignal
printfPQExpBuffer
resetPQExpBuffer
termPQExpBuffer

Sections

.text
Size: 372KB - Virtual size: 371KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 77KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 40KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
ML7R9U7.exe
.exe windows:6 windows x86

aa7e970761dfd4835cd6d5edbf55dc4c

Code Sign

04:44:c0
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

22-10-2008 12:07

Not After

31-12-2029 12:07

Subject

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

6e:a1:d4:94:5f:0e:69:e9:d6:f1:48:2c:58:6a:71:af
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

17-04-2018 08:20

Not After

18-05-2027 08:20

Subject

CN=WoTrus Code Signing CA,O=WoTrus CA Limited,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

08:b0:4e:9f:13:6a:6d:e0:a5:dd:1e:3f:05:da:c7:10
Certificate

Issuer

CN=WoTrus Code Signing CA,O=WoTrus CA Limited,C=CN

Not Before

19-11-2020 14:10

Not After

19-11-2021 14:10

Subject

CN=北京慧影智虹科技有限公司,O=北京慧影智虹科技有限公司,L=北京市,ST=北京市,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-01-2021 00:00

Not After

06-01-2031 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07-01-2016 12:00

Not After

07-01-2031 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

6a:1f:8c:bd:41:89:c6:1e:b5:c7:f9:02:33:1c:16:41:a6:26:ba:5b:32:98:b1:ee:65:63:7f:21:30:cc:e2:85
Signer

Actual PE Digest

6a:1f:8c:bd:41:89:c6:1e:b5:c7:f9:02:33:1c:16:41:a6:26:ba:5b:32:98:b1:ee:65:63:7f:21:30:cc:e2:85

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

zlib1

gzdopen
gzopen
inflateInit_
deflateInit_
gzerror
gzclose
gzeof
gzgetc
gzgets
gzwrite
gzread
inflateEnd
inflate
deflateEnd
deflate

libintl3

ord40
ord27
ord51
ord35

libpq

ord35
ord37
ord38
ord39
ord46
ord47
ord95
ord94
ord55
ord74
ord126
ord64
ord130
ord34
ord45
ord77
ord76
ord70
ord90
ord91
ord75
ord68
ord120
ord121
ord122
ord21
ord33
ord48
ord105
ord85
ord72
ord104
ord103
ord24
ord20
ord138
ord140
ord97
ord96
ord14
ord9
ord4
ord156
ord67
ord69
ord92
ord115
ord123
ord56
ord54
ord53
ord15
ord113
ord11
ord10
ord8
ord7

ws2_32

getsockname
connect
listen
bind
accept
__WSAFDIsSet
recv
select
send
socket
WSAStartup
WSACleanup
WSAGetLastError
closesocket

kernel32

TerminateProcess
UnhandledExceptionFilter
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
SetUnhandledExceptionFilter
GetModuleHandleW
SleepEx
GetProcAddress
GetModuleHandleExA
FreeLibrary
SetEnvironmentVariableA
GetShortPathNameA
FindNextFileA
FindFirstFileA
FindClose
SetConsoleMode
GetConsoleMode
WideCharToMultiByte
MultiByteToWideChar
MoveFileExA
FormatMessageA
DeviceIoControl
RemoveDirectoryA
GetFileAttributesExA
GetFileAttributesA
CreateFileA
CreateDirectoryA
LocalFree
LocalAlloc
CreateProcessA
GetCurrentProcess
WaitForSingleObject
CreatePipe
GetLastError
DuplicateHandle
ReadFile
GetCurrentDirectoryA
SetConsoleCtrlHandler
TlsSetValue
TlsGetValue
TlsAlloc
TerminateThread
GetCurrentThreadId
WaitForMultipleObjects
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
CloseHandle

advapi32

AddAccessAllowedAceEx
GetAce
GetAclInformation
GetLengthSid
GetTokenInformation
InitializeAcl
SetTokenInformation
AddAce

vcruntime140

memcpy
memmove
strrchr
__std_type_info_destroy_list
strchr
_except_handler4_common
strstr
memset

api-ms-win-crt-heap-l1-1-0

_set_new_mode
realloc
malloc
free

api-ms-win-crt-convert-l1-1-0

strtol
strtoul
atoi

api-ms-win-crt-string-l1-1-0

strcspn
tolower
toupper
strnlen
isalpha
strncpy
isupper
_strdup
isdigit
strspn
isspace
strncmp
islower

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf
_commit
feof
puts
_write
_tempnam
_fileno
fputs
_get_osfhandle
getc
fputc
_close
_getcwd
_setmode
_dup
fclose
_ftelli64
_fseeki64
ferror
__stdio_common_vsscanf
fflush
_set_fmode
__acrt_iob_func
_open
fwrite
fread
fopen
fgets
fgetc
__p__commode
_pclose

api-ms-win-crt-runtime-l1-1-0

_exit
_initterm_e
_beginthreadex
_endthreadex
_initterm
_get_initial_narrow_environment
__p___argc
_configure_narrow_argv
__p___argv
_set_app_type
abort
_seh_filter_exe
strerror
_errno
_cexit
_initialize_onexit_table
_register_onexit_function
exit
_execute_onexit_table
_c_exit
terminate
_register_thread_local_exe_atexit_callback
_initialize_narrow_environment
_seh_filter_dll
_crt_atexit
_controlfp_s
_crt_at_quick_exit

api-ms-win-crt-time-l1-1-0

_time64
strftime
_mktime64
_localtime64

api-ms-win-crt-environment-l1-1-0

_putenv
getenv

api-ms-win-crt-math-l1-1-0

__setusermatherr
_fdopen
_dclass

api-ms-win-crt-filesystem-l1-1-0

_umask
_mkdir
_unlink
_stat64i32

api-ms-win-crt-locale-l1-1-0

setlocale
_configthreadlocale

Sections

.text
Size: 200KB - Virtual size: 200KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 124KB - Virtual size: 124KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 36B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
info.txt
libiconv2.dll
.dll .ps1 windows:4 windows x86
libintl3.dll
.dll windows:4 windows x86

11d4cea984db7aee4eb18d2031242a3e

Code Sign

04:44:c0
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

22-10-2008 12:07

Not After

31-12-2029 12:07

Subject

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

6e:a1:d4:94:5f:0e:69:e9:d6:f1:48:2c:58:6a:71:af
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

17-04-2018 08:20

Not After

18-05-2027 08:20

Subject

CN=WoTrus Code Signing CA,O=WoTrus CA Limited,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

08:b0:4e:9f:13:6a:6d:e0:a5:dd:1e:3f:05:da:c7:10
Certificate

Issuer

CN=WoTrus Code Signing CA,O=WoTrus CA Limited,C=CN

Not Before

19-11-2020 14:10

Not After

19-11-2021 14:10

Subject

CN=北京慧影智虹科技有限公司,O=北京慧影智虹科技有限公司,L=北京市,ST=北京市,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-01-2021 00:00

Not After

06-01-2031 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07-01-2016 12:00

Not After

07-01-2031 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

9b:22:61:3d:4c:48:82:7e:fe:51:59:e6:8c:75:cf:db:e3:48:a5:b9:47:c5:04:f8:b9:93:b6:98:b1:02:99:4a
Signer

Actual PE Digest

9b:22:61:3d:4c:48:82:7e:fe:51:59:e6:8c:75:cf:db:e3:48:a5:b9:47:c5:04:f8:b9:93:b6:98:b1:02:99:4a

Digest Algorithm

sha256

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

libiconv2

libiconv
libiconv_close
libiconv_open
libiconv_set_relocation_prefix

advapi32

RegCloseKey
RegOpenKeyExA
RegQueryValueExA

kernel32

AddAtomA
AreFileApisANSI
CloseHandle
CreateDirectoryA
CreateFileA
DeviceIoControl
FindAtomA
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetACP
GetAtomNameA
GetCurrentDirectoryA
GetDiskFreeSpaceA
GetDriveTypeA
GetFileAttributesA
GetFileInformationByHandle
GetFileSize
GetFileType
GetFullPathNameA
GetLastError
GetLogicalDriveStringsA
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetShortPathNameA
GetSystemInfo
GetSystemTimeAsFileTime
GetThreadLocale
GetTimeZoneInformation
GetVersion
GetVersionExA
GetVolumeInformationA
HeapAlloc
HeapFree
LoadLibraryA
MultiByteToWideChar
PeekNamedPipe
SearchPathA
SetErrorMode
UnlockFile
lstrcmpiA
lstrcpyA

msvcrt

_chmod
_close
_getpid
_open
_read
_strdup
_stricmp
__dllonexit
__mb_cur_max
_assert
_close
_errno
_fdopen
_filelengthi64
_flsbuf
_get_osfhandle
_getcwd
_iob
_isctype
_open
_pctype
_snprintf
_snwprintf
_stricmp
_vsnprintf
_vsnwprintf
abort
calloc
ctime
fclose
fflush
fgets
fopen
fprintf
fputwc
free
fwrite
getenv
isalpha
malloc
memcpy
printf
realloc
setlocale
sprintf
sscanf
strcat
strchr
strcmp
strcpy
strcspn
strlen
strncmp
strncpy
strpbrk
strrchr
strspn
strstr
strtoul
tolower
toupper
vfprintf
vfwprintf
vsprintf
wcschr

ole32

CoCreateInstance
CoUninitialize
OleInitialize

Exports

Exports

DllGetVersion
_nl_expand_alias
_nl_explode_name
_nl_find_domain
_nl_find_language
_nl_find_msg
_nl_free_domain_conv
_nl_init_domain_conv
_nl_language_preferences_default
_nl_load_domain
_nl_locale_name
_nl_locale_name_default
_nl_locale_name_posix
_nl_log_untranslated
_nl_make_l10nflist
_nl_msg_cat_cntr
_nl_normalize_codeset
bind_textdomain_codeset
bindtextdomain
dcgettext
dcngettext
dgettext
dngettext
gettext
libintl_asprintf
libintl_bind_textdomain_codeset
libintl_bindtextdomain
libintl_dcgettext
libintl_dcigettext
libintl_dcngettext
libintl_dgettext
libintl_dngettext
libintl_fprintf
libintl_fwprintf
libintl_gettext
libintl_gettext_extract_plural
libintl_gettext_free_exp
libintl_gettext_germanic_plural
libintl_gettextparse
libintl_ngettext
libintl_nl_current_default_domain
libintl_nl_default_default_domain
libintl_nl_default_dirname
libintl_nl_domain_bindings
libintl_printf
libintl_relocate
libintl_set_relocation_prefix
libintl_snprintf
libintl_sprintf
libintl_swprintf
libintl_textdomain
libintl_vasnprintf
libintl_vasnwprintf
libintl_vasprintf
libintl_vfprintf
libintl_vfwprintf
libintl_vprintf
libintl_vsnprintf
libintl_vsprintf
libintl_vswprintf
libintl_vwprintf
libintl_wprintf
locale_charset
ngettext
st_flags
textdomain

Sections

.text
Size: 86KB - Virtual size: 85KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 192B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
zlib1.dll
.dll windows:4 windows x86

cec7e91effade93cc9df7812b7b4a801

Code Sign

04:44:c0
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

22-10-2008 12:07

Not After

31-12-2029 12:07

Subject

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

6e:a1:d4:94:5f:0e:69:e9:d6:f1:48:2c:58:6a:71:af
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

17-04-2018 08:20

Not After

18-05-2027 08:20

Subject

CN=WoTrus Code Signing CA,O=WoTrus CA Limited,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

08:b0:4e:9f:13:6a:6d:e0:a5:dd:1e:3f:05:da:c7:10
Certificate

Issuer

CN=WoTrus Code Signing CA,O=WoTrus CA Limited,C=CN

Not Before

19-11-2020 14:10

Not After

19-11-2021 14:10

Subject

CN=北京慧影智虹科技有限公司,O=北京慧影智虹科技有限公司,L=北京市,ST=北京市,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-01-2021 00:00

Not After

06-01-2031 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07-01-2016 12:00

Not After

07-01-2031 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e5:db:36:43:72:4d:be:e3:b7:50:1d:53:61:67:6c:0e:e9:a5:4d:6a:2c:ee:04:91:bc:65:bf:ba:ea:65:ff:99
Signer

Actual PE Digest

e5:db:36:43:72:4d:be:e3:b7:50:1d:53:61:67:6c:0e:e9:a5:4d:6a:2c:ee:04:91:bc:65:bf:ba:ea:65:ff:99

Digest Algorithm

sha256

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

kernel32

DeleteCriticalSection
EnterCriticalSection
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetModuleHandleA
GetProcAddress
GetSystemTimeAsFileTime
GetTickCount
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryW
QueryPerformanceCounter
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsGetValue
UnhandledExceptionFilter
VirtualProtect
VirtualQuery

msvcrt

_close
_open
_read
_write
__dllonexit
_amsg_exit
_errno
_initterm
_iob
_lock
_lseeki64
_onexit
_unlock
_vsnprintf
_wopen
abort
calloc
free
fwrite
malloc
memchr
memcpy
memset
sprintf
strcat
strcpy
strerror
strlen
strncmp
vfprintf
wcstombs

Exports

Exports

adler32
adler32_combine
adler32_combine64
compress
compress2
compressBound
crc32
crc32_combine
crc32_combine64
deflate
deflateBound
deflateCopy
deflateEnd
deflateInit2_
deflateInit_
deflateParams
deflatePending
deflatePrime
deflateReset
deflateResetKeep
deflateSetDictionary
deflateSetHeader
deflateTune
get_crc_table
gzbuffer
gzclearerr
gzclose
gzclose_r
gzclose_w
gzdirect
gzdopen
gzeof
gzerror
gzflush
gzgetc
gzgetc_
gzgets
gzoffset
gzoffset64
gzopen
gzopen64
gzopen_w
gzprintf
gzputc
gzputs
gzread
gzrewind
gzseek
gzseek64
gzsetparams
gztell
gztell64
gzungetc
gzwrite
inflate
inflateBack
inflateBackEnd
inflateBackInit_
inflateCopy
inflateEnd
inflateGetHeader
inflateInit2_
inflateInit_
inflateMark
inflatePrime
inflateReset
inflateReset2
inflateResetKeep
inflateSetDictionary
inflateSync
inflateSyncPoint
inflateUndermine
uncompress
zError
zlibCompileFlags
zlibVersion

Sections

.text
Size: 58KB - Virtual size: 57KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 968B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 900B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

771d1aa2684e0ad475ad0fb0801a2b40

Headers

File Characteristics

Imports

kernel32

user32

gdi32

comdlg32

winspool.drv

advapi32

shlwapi

oledlg

ole32

oleaut32

Exports

Exports

Sections

.text Size: 372KB - Virtual size: 371KB

.rdata Size: 77KB - Virtual size: 76KB

.data Size: 12KB - Virtual size: 28KB

.rsrc Size: 14KB - Virtual size: 13KB

.reloc Size: 40KB - Virtual size: 39KB

aa7e970761dfd4835cd6d5edbf55dc4c

Code Sign

04:44:c0Certificate

Key Usages

6e:a1:d4:94:5f:0e:69:e9:d6:f1:48:2c:58:6a:71:afCertificate

Extended Key Usages

Key Usages

08:b0:4e:9f:13:6a:6d:e0:a5:dd:1e:3f:05:da:c7:10Certificate

Extended Key Usages

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

6a:1f:8c:bd:41:89:c6:1e:b5:c7:f9:02:33:1c:16:41:a6:26:ba:5b:32:98:b1:ee:65:63:7f:21:30:cc:e2:85Signer

Headers

DLL Characteristics

File Characteristics

Imports

zlib1

libintl3

libpq

ws2_32

kernel32

advapi32

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 200KB - Virtual size: 200KB

.rdata Size: 124KB - Virtual size: 124KB

.data Size: 1KB - Virtual size: 2KB

.gfids Size: 512B - Virtual size: 36B

.rsrc Size: 24KB - Virtual size: 23KB

11d4cea984db7aee4eb18d2031242a3e

Code Sign

04:44:c0Certificate

Key Usages

6e:a1:d4:94:5f:0e:69:e9:d6:f1:48:2c:58:6a:71:afCertificate

Extended Key Usages

Key Usages

08:b0:4e:9f:13:6a:6d:e0:a5:dd:1e:3f:05:da:c7:10Certificate

.text
Size: 372KB - Virtual size: 371KB

.rdata
Size: 77KB - Virtual size: 76KB

.data
Size: 12KB - Virtual size: 28KB

.rsrc
Size: 14KB - Virtual size: 13KB

.reloc
Size: 40KB - Virtual size: 39KB

04:44:c0
Certificate

6e:a1:d4:94:5f:0e:69:e9:d6:f1:48:2c:58:6a:71:af
Certificate

08:b0:4e:9f:13:6a:6d:e0:a5:dd:1e:3f:05:da:c7:10
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

6a:1f:8c:bd:41:89:c6:1e:b5:c7:f9:02:33:1c:16:41:a6:26:ba:5b:32:98:b1:ee:65:63:7f:21:30:cc:e2:85
Signer

.text
Size: 200KB - Virtual size: 200KB

.rdata
Size: 124KB - Virtual size: 124KB

.data
Size: 1KB - Virtual size: 2KB

.gfids
Size: 512B - Virtual size: 36B

.rsrc
Size: 24KB - Virtual size: 23KB

04:44:c0
Certificate

6e:a1:d4:94:5f:0e:69:e9:d6:f1:48:2c:58:6a:71:af
Certificate

08:b0:4e:9f:13:6a:6d:e0:a5:dd:1e:3f:05:da:c7:10
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

9b:22:61:3d:4c:48:82:7e:fe:51:59:e6:8c:75:cf:db:e3:48:a5:b9:47:c5:04:f8:b9:93:b6:98:b1:02:99:4a
Signer

.text
Size: 86KB - Virtual size: 85KB

.data
Size: 512B - Virtual size: 192B

.bss
Size: - Virtual size: 1KB

.edata
Size: 2KB - Virtual size: 1KB

.idata
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 4KB - Virtual size: 3KB

04:44:c0
Certificate

6e:a1:d4:94:5f:0e:69:e9:d6:f1:48:2c:58:6a:71:af
Certificate

08:b0:4e:9f:13:6a:6d:e0:a5:dd:1e:3f:05:da:c7:10
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

e5:db:36:43:72:4d:be:e3:b7:50:1d:53:61:67:6c:0e:e9:a5:4d:6a:2c:ee:04:91:bc:65:bf:ba:ea:65:ff:99
Signer

.text
Size: 58KB - Virtual size: 57KB

.data
Size: 512B - Virtual size: 88B

.rdata
Size: 18KB - Virtual size: 17KB

.bss
Size: - Virtual size: 968B

.edata
Size: 2KB - Virtual size: 1KB

.idata
Size: 1KB - Virtual size: 1KB

.CRT
Size: 512B - Virtual size: 44B

.tls
Size: 512B - Virtual size: 32B

.rsrc
Size: 1024B - Virtual size: 900B

.reloc
Size: 1KB - Virtual size: 1KB