Static task: static1
Behavioral task: behavioral1 (Sample: certutil.exe, Resource: win7-20231025-en)
Behavioral task: behavioral2 (Sample: certutil.exe, Resource: win10v2004-20231020-en)
General
- Target: certutil.exe
- Size: 1.2MB
- MD5: 09a8a29baa3a451713fd3d07943b4a43
- SHA1: 867dd630be582b85d9870e0bbe8adca068b7ba43
- SHA256: e2a5fb1ca722474b76d6da5c5b1d438a1e58beca52864862555c9ab1b533e72d
- SHA512: 5d9ae3f3fcc6136eec9a524e64c3684f23d401665ed878bd009f0e58ffe2295ce230dc30fb0403a0332589e03d765d77202041d44faba808177c921b39dcb8d7
- SSDEEP: 24576:ybmY2A9/m64I/DSFYNUIMizVnDJ0hf1z8fU7lz+3jKExi:yyLAQ2DS0UINRsN4SIjli
Malware Config
Signatures
- Unsigned PE (1 IoC): Checks for missing Authenticode signature. Resource: certutil.exe
Files
- certutil.exe.exe windows:6 windows x64 b2519502397ed5514c55da61afc6fecc
Headers
- DLL Characteristics: IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_GUARD_CF, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
- File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
advapi32
CryptReleaseContext
CryptAcquireContextW
LookupAccountNameW
IsValidSid
ConvertSidToStringSidW
ImpersonateSelf
RevertToSelf
IsValidSecurityDescriptor
GetSecurityDescriptorLength
LookupAccountSidW
CryptGetProvParam
CryptGetUserKey
CryptGetKeyParam
CryptDestroyKey
GetTokenInformation
GetLengthSid
CopySid
OpenProcessToken
RegQueryValueExW
RegCloseKey
RegOpenKeyExW
RegEnumKeyExW
RegCreateKeyW
RegEnumValueW
RegSetValueExW
RegEnumKeyW
RegDeleteKeyW
RegDeleteValueW
CryptSetProvParam
CryptGenRandom
CryptCreateHash
CryptVerifySignatureW
CryptHashData
CryptDestroyHash
CryptSetKeyParam
CryptDecrypt
CryptImportKey
RegOpenKeyW
CryptGetHashParam
CryptDuplicateKey
CryptEncrypt
CryptGenKey
GetSidSubAuthorityCount
GetSidSubAuthority
GetSidIdentifierAuthority
SetNamedSecurityInfoW
AddAccessDeniedAce
AddAccessAllowedAce
AddAccessDeniedObjectAce
AddAccessAllowedObjectAce
AddAce
InitializeAcl
LsaStorePrivateData
LsaRetrievePrivateData
RegConnectRegistryW
AdjustTokenPrivileges
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSecurityDescriptorToStringSecurityDescriptorW
RegDeleteKeyExW
CryptEnumProvidersA
CryptGetDefaultProviderW
LogonUserExW
ImpersonateLoggedOnUser
CreateWellKnownSid
MakeAbsoluteSD
MakeSelfRelativeSD
LsaClose
LsaFreeMemory
LsaOpenPolicy
FreeSid
CheckTokenMembership
DuplicateToken
OpenThreadToken
RegCreateKeyExW
ConvertStringSidToSidW
AllocateAndInitializeSid
SetSecurityDescriptorDacl
SetEntriesInAclW
GetSecurityDescriptorDacl
DeleteAce
EqualSid
GetAce
GetAclInformation
SetSecurityDescriptorOwner
InitializeSecurityDescriptor
GetSecurityDescriptorControl
CryptSignHashW
CryptSetHashParam
CryptExportKey
CryptDuplicateHash
CryptContextAddRef
kernel32
GetFileAttributesExW
GetTempFileNameW
GetEnvironmentVariableW
VerifyVersionInfoW
VerSetConditionMask
LeaveCriticalSection
SetConsoleCtrlHandler
EnterCriticalSection
SetEndOfFile
WriteFile
LockResource
SizeofResource
LoadResource
FindResourceW
GetVersionExW
GetComputerNameExW
GetComputerNameW
SetFilePointer
GetFileSize
CreateFileW
ReadFile
FindClose
FindNextFileW
FindFirstFileW
Sleep
GetTickCount
LoadLibraryW
DecodePointer
EncodePointer
GetCurrentProcess
GetLastError
GetTickCount64
PulseEvent
OpenEventW
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
LocalReAlloc
GetModuleHandleW
RaiseException
DeleteCriticalSection
InitializeCriticalSection
GetSystemDefaultLangID
FormatMessageW
HeapAlloc
HeapFree
GetProcessHeap
lstrcmpW
DeleteFileW
lstrcmpiW
GetProcAddress
SetLastError
SetConsoleMode
GetConsoleMode
GetFileType
GetStdHandle
CloseHandle
GetExitCodeThread
WaitForSingleObject
CreateThread
CompareFileTime
FreeLibrary
GetStartupInfoW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
OutputDebugStringA
MultiByteToWideChar
FileTimeToSystemTime
LocalFileTimeToFileTime
FileTimeToLocalFileTime
LocalFree
GetSystemTime
SystemTimeToFileTime
GetSystemTimeAsFileTime
LocalAlloc
GetFileAttributesW
DelayLoadFailureHook
GetLocaleInfoW
FindResourceExW
SearchPathW
LoadLibraryExA
GetProfileStringA
SetEvent
ResetEvent
CreateEventW
GetFileTime
lstrlenW
GetCommandLineW
VirtualFree
VirtualAlloc
GetTempPathW
WriteConsoleW
GetACP
WideCharToMultiByte
GetLocalTime
OpenProcess
HeapSetInformation
LoadLibraryExW
GetSystemDirectoryW
CompareStringW
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
GetSystemInfo
GetCurrentThread
FoldStringW
CreateDirectoryW
RemoveDirectoryW
GetConsoleOutputCP
GetFullPathNameW
GetTimeFormatW
GetDateFormatW
msvcrt
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
wcscmp
_itoa_s
memcmp
memcpy
memset
wcscpy_s
towupper
iswlower
towlower
iswupper
sscanf
strpbrk
wcstok
memmove
wcschr
wcsrchr
iswdigit
strcat_s
strcpy_s
strspn
fwrite
ftell
_fileno
_setmode
wcstoul
fgetws
feof
fgetc
_wfopen
fputws
atoi
isdigit
vfwprintf
__iob_func
_wgetenv
_onexit
iswxdigit
_wsetlocale
iswalpha
isxdigit
__isascii
gmtime
iswspace
__CxxFrameHandler3
realloc
_errno
??1type_info@@UEAA@XZ
_commode
_fmode
_wcmdln
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
_CxxThrowException
_callnewh
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
malloc
fprintf
_strlwr
_vsnwprintf
fwprintf
_iob
_wfopen_s
fclose
_purecall
fflush
_wcsicmp
_fgetwchar
wcsspn
_wcsnicmp
wcsstr
?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
qsort
wcscspn
getenv
free
strcmp
_strnicmp
swscanf
_stricmp
_wtoi
_vsnprintf
_wcslwr
strstr
wcsncmp
_ultow
strncmp
bsearch
fopen
fgets
strchr
fputs
fseek
strcspn
ferror
_swab
certcli
CASetCASecurity
ord358
ord207
ord359
ord225
ord246
ord223
ord360
ord213
ord205
ord206
ord356
CAEnumCertTypesEx
CAFindCertTypeByName
ord258
CAGetCertTypeFlagsEx
CAGetCertTypePropertyEx
CAFreeCertTypeProperty
CAGetCertTypeKeySpec
CAGetCertTypeExpiration
CAGetCertTypeExtensions
CAFreeCertTypeExtensions
CAEnumCertTypesForCAEx
CAGetCertTypeProperty
CACertTypeAccessCheckEx
CAEnumNextCertType
CACloseCertType
ord373
CAEnumFirstCA
CAFindByName
CAGetCAProperty
CAFreeCAProperty
CAEnumNextCA
CACloseCA
ord362
CAGetCAFlags
CAGetCAExpiration
CAAccessCheck
ord361
CAGetCACertificate
CAGetCASecurity
CASetCAProperty
CAUpdateCAEx
CAFindByCertType
ord256
ord218
ord254
CAEnumCertTypesForCA
CACountCertTypes
CACertTypeAccessCheck
CACountCAs
ord217
ord245
ord370
CACreateNewCA
CASetCAFlags
CASetCACertificate
ord366
ord208
CARemoveCACertificateTypeEx
CAAddCACertificateTypeEx
CAUpdateCA
ord252
ord261
ord260
ord253
ord203
ord247
ord210
ord357
crypt32
CertFreeCertificateContext
CertGetCertificateContextProperty
CertDuplicateCertificateContext
CertCloseStore
CertFindExtension
CryptFindOIDInfo
CryptEncodeObjectEx
CertEnumCRLsInStore
CertFreeCRLContext
CertCreateCRLContext
CryptEnumOIDInfo
CertCreateCertificateContext
PFXExportCertStoreEx
PFXExportCertStore
CryptFreeOIDFunctionAddress
CryptGetOIDFunctionAddress
CryptInitOIDFunctionSet
CertNameToStrW
CertStrToNameW
PFXImportCertStore
CryptFormatObject
CryptDecryptMessage
CryptEncryptMessage
CryptSignMessage
CertAddCertificateLinkToStore
CertGetIntendedKeyUsage
CryptHashPublicKeyInfo
CryptSignCertificate
CryptMsgOpenToDecode
CryptStringToBinaryW
CryptSignAndEncodeCertificate
CryptImportPublicKeyInfoEx2
CertDuplicateStore
CryptMsgUpdate
CryptMsgOpenToEncode
CertCreateCTLContext
CertSetCertificateContextPropertiesFromCTLEntry
CertCreateContext
I_CertProtectFunction
CertAddStoreToCollection
CertVerifyCertificateChainPolicy
CryptMemFree
CertVerifySubjectCertificateContext
CryptVerifyCertificateSignatureEx
CertGetEnhancedKeyUsage
CertVerifyCRLTimeValidity
CertVerifyRevocation
CertVerifyTimeValidity
CryptVerifyCertificateSignature
CryptEnumKeyIdentifierProperties
CryptImportPublicKeyInfo
CertDuplicateCRLContext
CertDeleteCRLFromStore
CertAddCTLContextToStore
CertAddCRLContextToStore
CertEnumSystemStore
CertEnumSystemStoreLocation
CertEnumPhysicalStore
CertControlStore
CertSaveStore
CryptFindLocalizedName
CertAddSerializedElementToStore
CertAddEncodedCTLToStore
CertAddEncodedCRLToStore
CertAddEncodedCertificateToStore
CertFreeCTLContext
CertSetCTLContextProperty
CertSetCRLContextProperty
CryptFindCertificateKeyProvInfo
CryptAcquireCertificatePrivateKey
CertEnumCertificateContextProperties
CertGetCRLContextProperty
CertEnumCRLContextProperties
CertGetCTLContextProperty
CertEnumCTLContextProperties
CertSetStoreProperty
CertAddCertificateContextToStore
CertFreeCertificateChain
CertGetCertificateChain
CertSetCertificateContextProperty
CertComparePublicKeyInfo
CryptExportPublicKeyInfo
CryptHashCertificate2
CryptDecodeObjectEx
CertEnumCTLsInStore
CertDeleteCertificateFromStore
CertGetNameStringW
CertOpenStore
CryptQueryObject
CryptMsgClose
CryptMsgGetParam
CryptMsgGetAndVerifySigner
CryptMsgControl
CertFindCertificateInStore
CertEnumCertificatesInStore
PFXIsPFXBlob
CertGetPublicKeyLength
CryptGetKeyIdentifierProperty
CertFindAttribute
CryptHashCertificate
CertCompareCertificateName
CryptDecodeObject
CryptRegisterOIDInfo
cabinet
ord23
ord22
ord21
ord20
comctl32
InitCommonControlsEx
cryptui
CryptUIDlgFreeCAContext
CryptUIDlgViewCRLW
CryptUIDlgViewCertificateW
gdi32
GetStockObject
ncrypt
NCryptIsKeyHandle
NCryptOpenStorageProvider
NCryptImportKey
NCryptFreeObject
NCryptGetProperty
BCryptFreeBuffer
NCryptSetProperty
NCryptFinalizeKey
BCryptCloseAlgorithmProvider
BCryptCreateHash
BCryptDecrypt
BCryptDestroyHash
BCryptDestroyKey
BCryptEncrypt
BCryptExportKey
BCryptFinishHash
BCryptGenRandom
BCryptGetProperty
BCryptHashData
BCryptOpenAlgorithmProvider
BCryptSetProperty
BCryptSignHash
BCryptVerifySignature
NCryptCreatePersistedKey
NCryptDecrypt
NCryptDeleteKey
NCryptDeriveKey
NCryptEncrypt
NCryptExportKey
NCryptOpenKey
NCryptSecretAgreement
NCryptSignHash
NCryptVerifySignature
NCryptEnumAlgorithms
NCryptIsAlgSupported
NCryptEnumKeys
NCryptEnumStorageProviders
NCryptFreeBuffer
BCryptEnumAlgorithms
BCryptQueryProviderRegistration
BCryptEnumContexts
BCryptQueryContextConfiguration
BCryptEnumContextFunctions
BCryptResolveProviders
netapi32
DsGetSiteNameW
DsGetDcNameW
NetApiBufferFree
NetUserGetGroups
DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory
normaliz
IdnToUnicode
ntdll
WinSqmIncrementDWORD
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
NtQuerySystemTime
RtlTimeToSecondsSince1970
ntdsapi
DsFreeDomainControllerInfoW
DsFreeNameResultW
DsUnBindW
DsCrackNamesW
DsBindW
DsGetDomainControllerInfoW
setupapi
SetupFindNextLine
SetupGetStringFieldW
SetupCloseInfFile
SetupGetFieldCount
SetupFindFirstLineW
SetupGetLineCountW
SetupOpenInfFileW
SetupGetIntField
shell32
SHGetFolderPathW
SHGetKnownFolderPath
version
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
wldap32
ord16
ord12
ord18
ord113
ord140
ord224
ord142
ord79
ord127
ord167
ord147
ord206
ord135
ord203
ord36
ord26
ord27
ord191
ord41
ord65
ord155
ord210
ord13
ord145
ord14
ord73
ord208
ole32
CoInitializeEx
CoCreateInstance
CLSIDFromString
CLSIDFromProgID
StringFromCLSID
ProgIDFromCLSID
CoInitialize
CoTaskMemFree
CoUninitialize
CoTaskMemAlloc
CoCreateInstanceEx
CoSetProxyBlanket
StgOpenStorageEx
PropVariantClear
oleaut32
VariantInit
VariantClear
SysFreeString
SysStringByteLen
SysAllocString
SysAllocStringLen
SafeArrayCreate
SafeArrayPutElement
SafeArrayDestroy
SafeArrayGetDim
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayGetElement
SafeArrayUnaccessData
SysAllocStringByteLen
SysStringLen
VariantTimeToSystemTime
SystemTimeToVariantTime
VariantCopyInd
CreateErrorInfo
SetErrorInfo
rpcrt4
NdrClientCall3
UuidCreate
I_RpcExceptionFilter
secur32
GetUserNameExW
GetComputerObjectNameW
TranslateNameW
user32
CheckDlgButton
SetDlgItemInt
EndDialog
SetCursor
CharLowerW
GetDesktopWindow
SendDlgItemMessageA
EnableWindow
GetDlgItem
GetWindowLongPtrW
CallWindowProcW
GetWindowTextW
ShowWindow
SetFocus
SetWindowLongPtrW
SetDlgItemTextW
GetDlgItemInt
IsDlgButtonChecked
GetDlgItemTextW
DialogBoxParamW
SetWindowTextW
TranslateMessage
GetMessageW
LoadStringW
DispatchMessageW
PostQuitMessage
DefWindowProcW
LoadIconW
RegisterClassW
CreateWindowExW
PostMessageW
LoadCursorW
MessageBoxW
UpdateWindow
SendMessageW
Sections
Name    Size   Virtual size  Characteristics
.text   1.1MB  1.1MB         IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data   50KB   62KB          IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  25KB   25KB          IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata  23KB   23KB          IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat  512B   376B          IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   4KB    3KB           IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  8KB    8KB           IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ