f42ba08206b4afad74f79e01ffc63b64ee1443ef1b85edea7c4300968486761b

Sharing

Copy URL Twitter E-mail

General

Target

f42ba08206b4afad74f79e01ffc63b64ee1443ef1b85edea7c4300968486761b
Size

929KB
MD5

e9640458c0743ef9173fa07f912e55d7
SHA1

0df4342a59cea38ea10548c7928711eb8019a661
SHA256

f42ba08206b4afad74f79e01ffc63b64ee1443ef1b85edea7c4300968486761b
SHA512

b953f98920de079e144613472b9b0a69340f0221d5f3853c0d6481c0d358d103f679f8d7e3d20f57c2c161be5a20fb1697e5112b844f8586d9cbf991f2c200a7
SSDEEP

12288:MLe8l0uxsB4dTlaFHvqophaTGHkIeMUoqojZESy:MLe8eYm1vFefoqojK

Score

9^/10

oss_ak

Malware Config

Signatures

detect oss ak 1 IoCs

oss ak information detected.

oss_ak

resource	yara_rule
sample	detect_ak_stuff

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
f42ba08206b4afad74f79e01ffc63b64ee1443ef1b85edea7c4300968486761b

Files

f42ba08206b4afad74f79e01ffc63b64ee1443ef1b85edea7c4300968486761b
.exe windows:4 windows x86

f1bbb090ff99ba6a70e0e1f144577ca9

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

comn

CreateObjectEmail
CreateObjectUDP
SetCheckAfterIfSuccess
GetObjectVol
GetObjectGpt
GetObjectLog
GetObjectLang
GetObjectSys

encrypt

CreateEncryptObject
HexToStr
StrToHex

uilogic

TerminateSpawnProcess
CreateUiLogic

rpcrt4

RpcServerUseProtseqEpW
RpcServerListen
NdrServerCall2
UuidCreate
RpcServerRegisterIf

amnet

?InitAdapter@Amnet@@YAX_N@Z
?Socket@Amnet@@YAHH@Z
?GetAdapterAt@Amnet@@YA_NIAAUTAdapter@1@@Z
?GetHostName@Amnet@@YAXPAD@Z
?GetAdapterCount@Amnet@@YAHXZ
?Uninstall@Amnet@@YAXXZ
?Connect@Amnet@@YA_NHPADI0I@Z
?StartupTcpEngine@Amnet@@YA_NPAVIAttemperEngineSink@1@@Z
?StoppedTcpEngine@Amnet@@YA_NK@Z
?Install@Amnet@@YA_NXZ
?Disconnect@Amnet@@YA_NH_N@Z
?Send@Amnet@@YA_NHPADI_N@Z

nthelp

?ReadFile@Help32@@YAKPA_WKPAXK@Z
?FileIsExist@Help32@@YAHPA_W@Z
?ReadFileShare@Help32@@YAKPA_WKPAXK@Z
?Wchartochar@Help32@@YAXPB_WPADH@Z
?Chartowchar@Help32@@YAXPBDPA_WH@Z
?CheckWindowsUserAndPasswordIsValid@Help32@@YAHPA_W0@Z
?Encrypto@Help32@@YAXPAEK@Z
?Decrypto@Help32@@YAXPAEK@Z
?IsEmpty@Help32@@YAHPA_W@Z
?Encrypto@Help32@@YAHPAE0H@Z
?GetModuleFilePath@Help32@@YAXPA_W@Z
?CopyString@Help32@@YAXPA_W0@Z
?WriteFile@Help32@@YAKPA_WKPAXK@Z
?IsEmpty@Help32@@YAHPAD@Z

ntlog

?OpenLog@NTLOG@@YAHIPA_W@Z
?WriteLog@NTLOG@@YAHHIPB_WZZ

awssns

getInter

brlog

GetBrLogMgr

kernel32

MapViewOfFile
HeapFree
UnmapViewOfFile
GetLastError
CreateEventW
Sleep
TerminateProcess
CreateDirectoryW
OpenEventW
CreateMutexW
WriteFile
GetFileSizeEx
DeleteFileW
GetTickCount
WaitForSingleObject
LeaveCriticalSection
DeleteCriticalSection
MultiByteToWideChar
EnterCriticalSection
SetEvent
SetPriorityClass
ReadFile
ReleaseMutex
CreateFileW
SetProcessPriorityBoost
InitializeCriticalSection
ResetEvent
OpenFileMappingW
GetProcAddress
LoadLibraryW
GetModuleFileNameW
GetCurrentThreadId
SetUnhandledExceptionFilter
GetPrivateProfileStringA
GetModuleFileNameA
GetCurrentProcessId
CreateFileA
GetFileSize
SetFilePointer
OpenProcess
GetVersionExW
DeleteFileA
GetLocalTime
CreateProcessW
Process32FirstW
GetFileAttributesA
FindFirstFileA
Process32NextW
FindNextFileA
GetPrivateProfileIntW
GetComputerNameW
WideCharToMultiByte
GetProcessHeap
CreateFileMappingW
CreateToolhelp32Snapshot
GetFileAttributesW
WritePrivateProfileStringW
GetPrivateProfileStringW
GetStartupInfoW
DeviceIoControl
GetExitCodeProcess
WTSGetActiveConsoleSessionId
FindFirstFileW
InterlockedExchange
SetFileAttributesW
FindNextFileW
GetPrivateProfileStructW
OpenMutexW
FreeLibrary
GetSystemDirectoryW
DefineDosDeviceA
GetModuleHandleW
GetSystemDirectoryA
LoadLibraryA
GetSystemInfo
SetFirmwareEnvironmentVariableW
GetFirmwareEnvironmentVariableW
IsBadReadPtr
SetFilePointerEx
SetLastError
IsBadWritePtr
GetWindowsDirectoryW
PeekNamedPipe
CreatePipe
GetVersionExA
MoveFileW
FlushFileBuffers
lstrlenW
GetSystemTimeAsFileTime
QueryPerformanceCounter
IsDebuggerPresent
UnhandledExceptionFilter
InterlockedCompareExchange
CreateDirectoryA
HeapAlloc
lstrcpyW
WriteConsoleW
GetCurrentProcess
FindClose
CloseHandle
OutputDebugStringA
WriteConsoleA
OutputDebugStringW

user32

KillTimer
PostQuitMessage
DestroyWindow
CreateWindowExW
UpdateWindow
LoadCursorW
LoadStringW
TranslateAcceleratorW
DefWindowProcW
RegisterClassExW
TranslateMessage
DialogBoxParamW
LoadAcceleratorsW
LoadIconW
EndPaint
ShowWindow
CloseWindow
GetMessageW
EndDialog
DispatchMessageW
wsprintfW
SendMessageW
FindWindowW
MessageBoxW
GetSystemMetrics
BeginPaint

advapi32

AllocateAndInitializeSid
FreeSid
InitializeAcl
AddAccessAllowedAce
RegSetValueExW
RegDeleteValueW
RegQueryValueExW
RegQueryValueExA
RegEnumValueA
RegOpenKeyExA
LookupPrivilegeValueW
RegQueryInfoKeyW
RegEnumKeyW
RegOpenKeyW
RegCloseKey
RegEnumValueW
GetUserNameW
AdjustTokenPrivileges
RegFlushKey
RegSetValueExA
GetLengthSid
RegOpenKeyA
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
DuplicateTokenEx
OpenProcessToken
GetTokenInformation
CreateProcessAsUserW

shell32

SHGetFolderPathW
SHGetFolderPathA

ole32

CLSIDFromString

msvcp80

?compare@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEHPB_W@Z
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAA_WI@Z
?clear@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXXZ
?assign@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@PB_WI@Z
?compare@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEHPBD@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z
??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
?clear@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
?find_last_of@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEI_WI@Z
?find_last_of@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIPB_WI@Z
?find_last_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE?AV?$_String_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE?AV?$_String_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
?npos@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@2IB
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
?resize@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXI@Z
?empty@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE_NXZ
?find@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIPB_WI@Z
?find@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEI_WI@Z
?substr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE?AV12@II@Z
??$?8DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
?length@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIXZ
?c_str@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEPB_WXZ
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
?swap@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXAAV12@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?swap@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXAAV12@@Z
?size@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIXZ
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
?find_first_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z
?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z

shlwapi

PathFileExistsW

ws2_32

inet_addr
WSAStartup
WSACleanup
recv
gethostbyname
WSAGetLastError
send
closesocket
inet_ntoa
accept
bind
listen
htons
connect
socket

msvcr80

_cexit
_itoa
_strnicmp
tolower
isalnum
strchr
isspace
strncmp
isalpha
memmove
fread
fseek
ftell
fputc
ferror
_vsnprintf_s
_fsopen
srand
vsprintf
_vscwprintf
_vscprintf
toupper
rand
strftime
_localtime64
strtol
_vsnprintf
_controlfp_s
_invoke_watson
?_type_info_dtor_internal_method@type_info@@QAEXXZ
?terminate@@YAXXZ
_except_handler4_common
_crt_debugger_hook
__set_app_type
__p__fmode
__p__commode
strrchr
strncpy_s
_swprintf
wcscpy
memset
sprintf
strncat_s
_beginthreadex
wcscat
memcpy
swscanf_s
wcsncpy
?what@exception@std@@UBEPBDXZ
memmove_s
strcpy
??2@YAPAXI@Z
??1exception@std@@UAE@XZ
??0exception@std@@QAE@XZ
malloc
??_V@YAXPAX@Z
??0exception@std@@QAE@ABQBD@Z
_invalid_parameter_noinfo
_time64
strlen
??0exception@std@@QAE@ABV01@@Z
wcscpy_s
wcscat_s
sscanf_s
wcstombs
??3@YAXPAX@Z
memcmp
wcslen
wcsncmp
wcsrchr
strcat
pow
strncat
_vswprintf
strstr
wcschr
mbstowcs
sprintf_s
_wtoi
swprintf_s
_wcsnicmp
_wcsicmp
strcpy_s
strcmp
atoi
_mktime64
_ctime64_s
_beginthread
free
_vswprintf_c_l
wcsstr
vswprintf_s
wcscmp
_itow
printf
system
_purecall
strncpy
fprintf
fwprintf
_stricmp
_vsnwprintf
mbstowcs_s
strcat_s
_snprintf_s
fclose
_wsystem
_wfopen_s
calloc
_unlock
__dllonexit
_encode_pointer
_lock
_onexit
_decode_pointer
__CxxFrameHandler3
_amsg_exit
__wgetmainargs
_CxxThrowException
_exit
_XcptFilter
exit
_wcmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv

wtsapi32

WTSFreeMemory
WTSQueryUserToken
WTSEnumerateSessionsW

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winhttp

WinHttpConnect
WinHttpOpenRequest
WinHttpCrackUrl
WinHttpReceiveResponse
WinHttpQueryDataAvailable
WinHttpOpen
WinHttpAddRequestHeaders
WinHttpSetTimeouts
WinHttpCloseHandle
WinHttpSendRequest
WinHttpReadData

enumfolder

CreateEnumRemoteFolder

Exports

Exports

??4_Init_locks@std@@QAEAAV01@ABV01@@Z
?Guid2String@@YAPADAAU_GUID@@PAD@Z

Sections

.text
Size: 392KB - Virtual size: 391KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 116KB - Virtual size: 112KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 4KB - Virtual size: 16.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 392KB - Virtual size: 392KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

f1bbb090ff99ba6a70e0e1f144577ca9

Headers

File Characteristics

Imports

comn

encrypt

uilogic

rpcrt4

amnet

nthelp

ntlog

awssns

brlog

kernel32

user32

advapi32

shell32

ole32

msvcp80

shlwapi

ws2_32

msvcr80

wtsapi32

userenv

version

winhttp

enumfolder

Exports

Exports

Sections

.text Size: 392KB - Virtual size: 391KB

.rdata Size: 116KB - Virtual size: 112KB

.data Size: 4KB - Virtual size: 16.1MB

.rsrc Size: 392KB - Virtual size: 392KB

.text
Size: 392KB - Virtual size: 391KB

.rdata
Size: 116KB - Virtual size: 112KB

.data
Size: 4KB - Virtual size: 16.1MB

.rsrc
Size: 392KB - Virtual size: 392KB