winlister[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

winlister.exe
Size

63KB
MD5

a57b0d81081ee158d02a1b3ad4d20bb1
SHA1

102e4a3f05d2e8b9de8c3fee844e1cf43746478f
SHA256

805b4fbf4243d7426441da9aedf6e0f8be1cf31f7c412f5d31950c6f058c9ce7
SHA512

46d631bb08c6e9e5c6f1a7e61e5d8fd3a4817fbc138033b300f394729b2ffeffa7381b724a7406c665ad3607bbf6a965826d41b07b9cec2cd1ae52fc7f577633
SSDEEP

768:fUu7WleamRGpyysniU7byLzy9J3Ol/qTTyvJGTSg7vo3Mi+1blucWJx4W4KxYRBF:feXayC9JgSivHJY1BBaxsyU7ZfVbiAP

Score

10^/10

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
sample	Nirsoft

Files

winlister.exe
.exe windows:4 windows x64

2b292941503159f46536548642e259e0

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

Issuer

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE

Not Before

07/06/2005, 08:09

Not After

30/05/2020, 10:48

Subject

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bb
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

24/08/2011, 00:00

Not After

30/05/2020, 10:48

Subject

CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8
Certificate

Issuer

CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

12/09/2014, 00:00

Not After

12/09/2019, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

30/03/2016, 00:00

Not After

30/06/2019, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-256 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

7f:46:d8:f3:17:2b:84:0d:d0:d4:74:c8:78:e2:70:f9:12:57:81:b2:08:47:52:e9:56:ea:46:ca:ec:78:8c:ba
Signer

Actual PE Digest

7f:46:d8:f3:17:2b:84:0d:d0:d4:74:c8:78:e2:70:f9:12:57:81:b2:08:47:52:e9:56:ea:46:ca:ec:78:8c:ba

Digest Algorithm

sha256

PE Digest Matches

true

7b:bf:2e:42:07:38:0b:f6:60:75:a1:48:e8:ba:c0:a7:56:d5:57:b7
Signer

Actual PE Digest

7b:bf:2e:42:07:38:0b:f6:60:75:a1:48:e8:ba:c0:a7:56:d5:57:b7

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_c_exit
_exit
_cexit
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_commode
_fmode
__set_app_type
strrchr
_XcptFilter
_itoa
_strcmpi
strcmp
_snprintf
free
_memicmp
modf
_mbsicmp
__C_specific_handler
_onexit
__dllonexit
_mbschr
memcmp
strtoul
malloc
??2@YAPEAX_K@Z
??3@YAXPEAX@Z
strlen
memcpy
strcpy
memset
strncat
sprintf
strcat

comctl32

CreateToolbarEx
ImageList_ReplaceIcon
ImageList_AddMasked
ImageList_Create
ImageList_SetImageCount
ord6
ord17

version

GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoSizeA

kernel32

GetStartupInfoA
WritePrivateProfileStringA
GetPrivateProfileIntA
GetPrivateProfileStringA
Process32Next
Process32First
CreateToolhelp32Snapshot
GetCurrentProcessId
DeleteFileA
WriteFile
GetFileSize
ReadFile
GetVersionExA
GetModuleFileNameA
TerminateProcess
CloseHandle
GetWindowsDirectoryA
OpenProcess
GetProcAddress
LoadLibraryA
FreeLibrary
GetTempPathA
GlobalLock
GetTempFileNameA
LocalFree
GlobalAlloc
GetModuleHandleA
lstrcpyA
lstrlenA
WideCharToMultiByte
LoadLibraryExA
GlobalUnlock
FormatMessageA
GetLastError
CreateFileA

user32

GetSubMenu
TranslateAcceleratorA
UpdateWindow
KillTimer
LoadAcceleratorsA
GetWindowPlacement
GetMessageA
GetWindowTextA
SetMenu
GetWindowThreadProcessId
LoadMenuA
RegisterClassA
SetTimer
DispatchMessageA
DeferWindowPos
PostQuitMessage
TrackPopupMenu
BeginDeferWindowPos
EnumWindows
SetCursor
EndDialog
GetDlgItem
SetDlgItemTextA
DialogBoxParamA
SendMessageA
LoadCursorA
GetSysColorBrush
SetWindowTextA
ChildWindowFromPoint
GetWindowLongA
SetForegroundWindow
MessageBoxA
IsWindowVisible
PostMessageA
ShowWindow
SetWindowPos
GetClassLongA
SendMessageTimeoutA
LoadIconA
SetDlgItemInt
SendDlgItemMessageA
SetFocus
GetDlgItemInt
InvalidateRect
GetMenu
EmptyClipboard
EnableMenuItem
ReleaseDC
GetDC
SetClipboardData
EnableWindow
GetMenuStringA
LoadImageA
GetCursorPos
GetWindowRect
MoveWindow
ScreenToClient
GetSysColor
DefWindowProcA
GetSystemMetrics
GetClientRect
GetClassNameA
CheckMenuItem
CloseClipboard
OpenClipboard
EndDeferWindowPos
DestroyWindow
DestroyIcon
TranslateMessage
CreateWindowExA

gdi32

SetBkColor
GetDeviceCaps
CreateFontIndirectA
SetBkMode
DeleteObject
SetTextColor

comdlg32

GetSaveFileNameA

advapi32

RegDeleteKeyA

shell32

ShellExecuteExA
ExtractIconExA
ShellExecuteA

Sections

.text
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

2b292941503159f46536548642e259e0

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4bCertificate

Key Usages

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0bCertificate

Extended Key Usages

Key Usages

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bbCertificate

Extended Key Usages

Key Usages

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8Certificate

Extended Key Usages

Key Usages

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17Certificate

Extended Key Usages

Key Usages

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:afCertificate

Extended Key Usages

Key Usages

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77Certificate

Extended Key Usages

Key Usages

7f:46:d8:f3:17:2b:84:0d:d0:d4:74:c8:78:e2:70:f9:12:57:81:b2:08:47:52:e9:56:ea:46:ca:ec:78:8c:baSigner

7b:bf:2e:42:07:38:0b:f6:60:75:a1:48:e8:ba:c0:a7:56:d5:57:b7Signer

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

comctl32

version

kernel32

user32

gdi32

comdlg32

advapi32

shell32

Sections

.text Size: 28KB - Virtual size: 27KB

.rdata Size: 10KB - Virtual size: 10KB

.data Size: 1024B - Virtual size: 3KB

.pdata Size: 1KB - Virtual size: 1KB

.rsrc Size: 9KB - Virtual size: 9KB

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bb
Certificate

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8
Certificate

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17
Certificate

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77
Certificate

7f:46:d8:f3:17:2b:84:0d:d0:d4:74:c8:78:e2:70:f9:12:57:81:b2:08:47:52:e9:56:ea:46:ca:ec:78:8c:ba
Signer

7b:bf:2e:42:07:38:0b:f6:60:75:a1:48:e8:ba:c0:a7:56:d5:57:b7
Signer

.text
Size: 28KB - Virtual size: 27KB

.rdata
Size: 10KB - Virtual size: 10KB

.data
Size: 1024B - Virtual size: 3KB

.pdata
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 9KB - Virtual size: 9KB