General
Target: 1864-33-0x0000000000080000-0x0000000000111000-memory.dmp.file
Size: 559KB
MD5: 7ea83973cb032d372efdc7b6de78467d
SHA1: 3eca616cbf2ffebdf3f9ad85217b36229980eec6
SHA256: e89a12f935b5c52a834060a643fb4fedb61c13307c164f2b5cbcb29d14b1d7e0
SHA512: 4d7e7281ae3df7b142a05b2bdfd4bf67ef2f4245a678b530b0ca458626c7c1be588ce58eb58d7338f32e264a832a5c23119686de8ed09a1542f13690331b6392
SSDEEP: 12288:QTh+CfHel/TrAmFvUyTFZPsj8w6Sw98MYXwlktzW6XlORNB7MRWop:QFfHUTrAmeqvPS+8M0lE7CH
Malware Config
Signatures
Qakbot family
Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
resource 1864-33-0x0000000000080000-0x0000000000111000-memory.dmp.file
Files
1864-33-0x0000000000080000-0x0000000000111000-memory.dmp.file.exe windows:5 windows x86 arch:x86
510fcd1c61673b9a48954b01d659ae75
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
msvcrt
strncpy
_ftol2_sse
_ltoa
_except_handler3
strchr
_wtol
memcpy
memset
userenv
GetUserProfileDirectoryW
shlwapi
wvnsprintfA
wvnsprintfW
StrStrW
StrStrIW
StrStrIA
PathUnquoteSpacesW
ole32
CoInitialize
CoCreateInstance
CoUninitialize
CoSetProxyBlanket
CoInitializeSecurity
CoInitializeEx
shell32
CommandLineToArgvW
ShellExecuteW
SHGetFolderPathW
setupapi
SetupDiGetDeviceRegistryPropertyA
SetupDiGetClassDevsA
SetupDiEnumDeviceInfo
SetupDiDestroyDeviceInfoList
kernel32
SystemTimeToFileTime
GetSystemTime
Sleep
lstrcpynW
CloseHandle
SetEvent
SleepEx
OpenEventA
GetCurrentProcessId
GetLastError
lstrcmpiW
FreeLibrary
GetProcAddress
LoadLibraryA
GetModuleHandleA
WaitForSingleObject
CreateEventA
ExitProcess
GetDriveTypeW
lstrcmpA
CopyFileW
GetCommandLineW
lstrlenW
lstrlenA
lstrcmpiA
GetSystemTimeAsFileTime
HeapCreate
HeapAlloc
HeapFree
GetExitCodeProcess
TerminateProcess
ResumeThread
WideCharToMultiByte
MultiByteToWideChar
lstrcatA
lstrcatW
lstrcpyA
GetLocalTime
GetEnvironmentVariableA
GetEnvironmentVariableW
GetFileSize
VirtualAlloc
CreateMutexA
OpenMutexA
ReleaseMutex
GetCurrentProcess
GetCurrentThread
LocalAlloc
LoadResource
SizeofResource
FindResourceA
GetVolumeInformationW
GetComputerNameW
GetSystemInfo
GetVersionExA
GetModuleFileNameW
SetEnvironmentVariableA
SetEnvironmentVariableW
GetWindowsDirectoryW
GetTickCount
GetModuleFileNameA
ExpandEnvironmentStringsW
GetThreadContext
TerminateThread
CreateThread
OpenProcess
VirtualFree
DeleteFileW
GetFileAttributesA
GetFileAttributesW
LocalFree
lstrcpyW
CreateDirectoryW
user32
CharUpperBuffA
CharUpperBuffW
MessageBoxA
advapi32
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherA
SetServiceStatus
EqualSid
LookupAccountNameW
OpenProcessToken
OpenThreadToken
GetTokenInformation
LookupPrivilegeValueA
ConvertSidToStringSidW
RegLoadKeyW
RegUnLoadKeyW
RegSetValueExW
RegQueryValueExW
SetFileSecurityW
RegDeleteValueW
RegOpenKeyExW
RegQueryInfoKeyW
RegCloseKey
RegEnumValueW
LookupAccountSidW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
GetSidSubAuthorityCount
GetSidSubAuthority
CreateProcessAsUserW
netapi32
NetApiBufferFree
NetUserEnum
NetGetDCName
Sections
.text Size: 79KB - Virtual size: 79KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 33KB - Virtual size: 32KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 6KB - Virtual size: 14KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 435KB - Virtual size: 434KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ