4ab08fd126e8a00fbc268666def9d54c5ca84c79b038ed8cb62ccdd27d7fc1cc

Sharing

Copy URL

Twitter E-mail

General

Target

4ab08fd126e8a00fbc268666def9d54c5ca84c79b038ed8cb62ccdd27d7fc1cc
Size

843KB
MD5

f2bbbc4ea53a66218b010ecc59f49454
SHA1

22d4920f9d5444ebb65b77037fd972fa7cb7c153
SHA256

4ab08fd126e8a00fbc268666def9d54c5ca84c79b038ed8cb62ccdd27d7fc1cc
SHA512

2a93449febeba51ff04210ec5ef7065023d419ebf8c91877bf6620d6c9275440ad6013978e3aeec6e73bc88a0182f2d0bcc7d80845d6c2e7e1b4e5bed3f12f89
SSDEEP

24576:dVHXJDxzkW1ZpW0Y1caAFS5UKvzK8iN5D:d1XJNzk8OcaAFOU6zK8iN5D

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/logs/2023-11-16.log
unpack001/環保業務管理系統-client.exe

Files

4ab08fd126e8a00fbc268666def9d54c5ca84c79b038ed8cb62ccdd27d7fc1cc
.zip
logs/2023-11-16.log
.dll windows:6 windows x64 arch:x64

32f5158100f0259653c60fd92c188a88

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

FreeLibrary
VirtualProtect
Sleep
AddVectoredExceptionHandler
ReadFile
DisableThreadLibraryCalls
CreateFileW
GetCurrentThread
CloseHandle
HeapAlloc
GetFileSize
GetProcessHeap
RtlLookupFunctionEntry
RtlVirtualUnwind
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
RtlCaptureContext
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead

user32

GetDC

gdi32

EnumFontFamiliesExW

msvcp140

?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z

vcruntime140

__std_exception_destroy
__std_exception_copy
__telemetry_main_return_trigger
_CxxThrowException
__C_specific_handler
memmove
memcpy
__CxxFrameHandler3
__std_type_info_destroy_list
__telemetry_main_invoke_trigger
memset
memchr

api-ms-win-crt-string-l1-1-0

isalnum

api-ms-win-crt-runtime-l1-1-0

exit
_invalid_parameter_noinfo
_cexit
_execute_onexit_table
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_seh_filter_dll
_initterm_e
_errno
_crt_atexit
_initterm
_invalid_parameter_noinfo_noreturn

api-ms-win-crt-heap-l1-1-0

free
_callnewh
malloc

Exports

Exports

GetFileVersionInfoA
GetFileVersionInfoByHandle
GetFileVersionInfoExW
GetFileVersionInfoSizeA
GetFileVersionInfoSizeExW
GetFileVersionInfoSizeW
GetFileVersionInfoW
VerFindFileA
VerFindFileW
VerInstallFileA
VerInstallFileW
VerLanguageNameA
VerLanguageNameW
VerQueryValueA
VerQueryValueW

Sections

.text
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 1020B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 64B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
logs/2023-11-19.txt
logs/2023-11-20.txt
logs/error.log
logs/service.log
.exe windows:6 windows x64 arch:x64

3ae8f422581c5ba70a2f2f3772ce959d

Code Sign

61:05:f7:1e:00:00:00:00:00:32
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

13-07-2009 23:00

Not After

13-10-2010 23:10

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:03:dc:f6:00:00:00:00:00:0c
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

25-07-2008 19:12

Not After

25-07-2011 19:22

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:159C-A3F7-2570,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03-04-2007 12:53

Not After

03-04-2021 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:15:08:27:00:00:00:00:00:0c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

25-01-2006 23:22

Not After

25-01-2017 23:32

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

8d:66:b1:6f:65:df:ce:5d:f6:f5:f8:53:97:3c:21:26:f7:ad:9c:7c
Signer

Actual PE Digest

8d:66:b1:6f:65:df:ce:5d:f6:f5:f8:53:97:3c:21:26:f7:ad:9c:7c

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

LoadLibraryA
CloseHandle
Sleep
GetProcAddress
VirtualAlloc
GetLastError
WideCharToMultiByte
GetProcessHeap
SetLastError
HeapFree
HeapAlloc
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
GetModuleHandleW
SetUnhandledExceptionFilter
OutputDebugStringA
ReadProcessMemory
OpenProcess
FreeLibrary
VirtualFree
ExitProcess

msvcrt

_initterm
_stricmp
_amsg_exit
?terminate@@YAXXZ
exit
_cexit
_exit
_XcptFilter
__C_specific_handler
__getmainargs
_errno
atol
_iob
_strdup
_vsnprintf
fprintf
printf
wprintf
_strupr
strchr
malloc
free
_strlwr
strstr
strrchr
toupper
__set_app_type
_fmode
_commode
__setusermatherr

ntdll

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
NtClose
RtlNtStatusToDosError
NtOpenThread
NtQueryInformationProcess
NtQuerySystemInformation
RtlUnicodeStringToAnsiString
NtQueryInformationThread

dbghelp

SymSetOptions
EnumerateLoadedModules64
SymGetOptions

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

advapi32

CloseServiceHandle
OpenSCManagerA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken

user32

OpenDesktopA
GetWindowTextA
OpenWindowStationA
GetWindowLongA
EnumDesktopsA
SetThreadDesktop
GetWindowThreadProcessId
GetWindow
CloseDesktop
FindWindowExA
EnumWindowStationsA
GetProcessWindowStation
CloseWindowStation
GetThreadDesktop
EnumWindows
SetProcessWindowStation

ole32

CoCreateInstance
CoInitialize
CoUninitialize

oleaut32

SysFreeString

Sections

.text
Size: 27KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 2.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 792B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 468B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
環保業務管理系統-client.exe
.exe windows:4 windows x86 arch:x86

90ff0ea55b269656bb0aa667cb635d81

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetFileAttributesA
InterlockedIncrement
InterlockedDecrement
IsBadWritePtr
lstrlenW
FatalAppExitA
DebugBreak
lstrcpyW
FreeResource
FindResourceW
LoadResource
GetCurrentProcess
SizeofResource
GetConsoleWindow
GetFileAttributesW
GetModuleFileNameW
GetLongPathNameW
LockResource
CloseHandle
GetFileSize
_llseek
WriteFile
ReadFile
CreateFileW
VirtualFree
FreeLibrary
SetDllDirectoryW
WaitForSingleObject
GetDllDirectoryW
CreateRemoteThread
InitializeCriticalSection
OpenProcess
VirtualFreeEx
LoadLibraryW
ReadProcessMemory
LeaveCriticalSection
GetProcAddress
VirtualAlloc
EnterCriticalSection
VirtualAllocEx
OpenThread
GetProcessId
GetExitCodeThread
GetSystemInfo
DeleteCriticalSection
GetCurrentThreadId
GetCurrentProcessId
WriteProcessMemory
GetTickCount
SetFilePointer
GetCurrentThread
TerminateThread
Sleep
SuspendThread
ResumeThread
SystemTimeToTzSpecificLocalTime
GetSystemTimeAsFileTime
TzSpecificLocalTimeToSystemTime
GetTimeZoneInformation
GetLocalTime
GetSystemTime
AllocConsole
SetEndOfFile
FlushConsoleInputBuffer
ReadConsoleW
SetConsoleCP
SetConsoleMode
GetConsoleOutputCP
LocalFree
GetFileType
SetConsoleCtrlHandler
SetConsoleOutputCP
SetConsoleWindowInfo
SetConsoleTitleW
GetNativeSystemInfo
HeapAlloc
HeapFree
GetProcessHeap
IsBadReadPtr
SetLastError
LoadLibraryA
VirtualProtect
GetCPInfo
GetOEMCP
IsValidCodePage
GetModuleHandleW
ExitProcess
DecodePointer
GetCommandLineW
HeapSetInformation
GetStartupInfoW
EncodePointer
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
TerminateProcess
GetFullPathNameW
HeapReAlloc
GetStringTypeW
ExitThread
CreateThread
RtlUnwind
GetTimeFormatW
GetDateFormatW
DuplicateHandle
CreateProcessA
DeleteFileW
MoveFileW
SetStdHandle
InitializeCriticalSectionAndSpinCount
CreateProcessW
RaiseException
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetUserDefaultLCID
GetLocaleInfoW
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
LCMapStringW
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
HeapCreate
QueryPerformanceCounter
GetConsoleCP
GetConsoleMode
FlushFileBuffers
IsProcessorFeaturePresent
CompareStringW
CreateFileA
CreatePipe
GetExitCodeProcess
HeapSize
WriteConsoleW
GetCurrentDirectoryW
GetDriveTypeW
SetEnvironmentVariableA
SetEnvironmentVariableW
GetLastError
MultiByteToWideChar
WideCharToMultiByte
FormatMessageA
GetModuleFileNameA
GetModuleHandleA
SetErrorMode
GetStdHandle
GetACP

user32

RegisterClassA
GetClientRect
CopyImage
MapWindowPoints
IsWindowVisible
LoadIconA
WinHelpA
CallWindowProcA
EqualRect
GetActiveWindow
SetWindowPos
ShowWindow
GetSystemMenu
SetActiveWindow
IsIconic
ModifyMenuA
GetWindowThreadProcessId
GetMessageW
TranslateMessage
PeekMessageW
DispatchMessageW
SendMessageA
SetForegroundWindow
MessageBoxW
SetWindowRgn
GetWindowRect
wsprintfA
SetFocus
OffsetRect
IntersectRect
MessageBoxA
GetWindowLongA
CreateWindowExA
DefWindowProcA
IsWindow

ole32

OleRegGetUserType
CreateOleAdviseHolder
CoTaskMemAlloc
OleCreate
OleSetContainedObject
StringFromIID
CLSIDFromString
CLSIDFromProgID
CoRegisterClassObject
CoRevokeClassObject
MkParseDisplayName
CreateBindCtx
CoCreateInstance
GetRunningObjectTable
CoTaskMemFree
StringFromCLSID
OleInitialize
OleUninitialize
CoLockObjectExternal

shlwapi

StrFormatByteSizeW
SHDeleteKeyA

gdi32

SetViewportOrgEx
SetWindowOrgEx
DeleteObject
CreateRectRgnIndirect
SetViewportExtEx
SetWindowExtEx
SetMapMode

advapi32

RegQueryValueExA
RegSetValueExA
RegCreateKeyExA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegEnumKeyExA
RegOpenKeyExA

shell32

ord165

oleaut32

OleSavePictureFile
UnRegisterTypeLi
GetActiveObject
VariantInit
VariantCopyInd
VariantClear
LoadTypeLibEx
SysAllocString
SysStringLen
SysAllocStringLen
LoadRegTypeLi
LHashValOfNameSys
SafeArrayCreateVector
VariantTimeToSystemTime
SafeArrayAccessData
VariantCopy
SafeArrayDestroy
SafeArrayCreate
SystemTimeToVariantTime
SafeArrayGetDim
VariantChangeType
SafeArrayGetElement
SafeArrayUnaccessData
SafeArrayPutElement
DispGetIDsOfNames
SysFreeString

Sections

.text
Size: 585KB - Virtual size: 584KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 106KB - Virtual size: 106KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 822KB - Virtual size: 821KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

32f5158100f0259653c60fd92c188a88

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

msvcp140

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

Exports

Exports

Sections

.text Size: 11KB - Virtual size: 10KB

.rdata Size: 7KB - Virtual size: 6KB

.data Size: 512B - Virtual size: 9KB

.pdata Size: 1024B - Virtual size: 1020B

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 512B - Virtual size: 64B

3ae8f422581c5ba70a2f2f3772ce959d

Code Sign

61:05:f7:1e:00:00:00:00:00:32Certificate

Extended Key Usages

Key Usages

61:03:dc:f6:00:00:00:00:00:0cCertificate

Extended Key Usages

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

61:15:08:27:00:00:00:00:00:0cCertificate

Extended Key Usages

Key Usages

8d:66:b1:6f:65:df:ce:5d:f6:f5:f8:53:97:3c:21:26:f7:ad:9c:7cSigner

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

msvcrt

ntdll

dbghelp

version

advapi32

user32

ole32

oleaut32

Sections

.text Size: 27KB - Virtual size: 26KB

.data Size: 1KB - Virtual size: 2.9MB

.pdata Size: 1024B - Virtual size: 792B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 468B

90ff0ea55b269656bb0aa667cb635d81

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

ole32

shlwapi

gdi32

advapi32

shell32

oleaut32

Sections

.text Size: 585KB - Virtual size: 584KB

.rdata Size: 106KB - Virtual size: 106KB

.data Size: 9KB - Virtual size: 18KB

.rsrc Size: 822KB - Virtual size: 821KB

.text
Size: 11KB - Virtual size: 10KB

.rdata
Size: 7KB - Virtual size: 6KB

.data
Size: 512B - Virtual size: 9KB

.pdata
Size: 1024B - Virtual size: 1020B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 512B - Virtual size: 64B

61:05:f7:1e:00:00:00:00:00:32
Certificate

61:03:dc:f6:00:00:00:00:00:0c
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

61:15:08:27:00:00:00:00:00:0c
Certificate

8d:66:b1:6f:65:df:ce:5d:f6:f5:f8:53:97:3c:21:26:f7:ad:9c:7c
Signer

.text
Size: 27KB - Virtual size: 26KB

.data
Size: 1KB - Virtual size: 2.9MB

.pdata
Size: 1024B - Virtual size: 792B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 468B

.text
Size: 585KB - Virtual size: 584KB

.rdata
Size: 106KB - Virtual size: 106KB

.data
Size: 9KB - Virtual size: 18KB

.rsrc
Size: 822KB - Virtual size: 821KB