Toad[.]zip | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Toad.zip
Size

973KB
MD5

d0f563d0eb3a026d2ba0d57fded6ffab
SHA1

8bd437aebcd9638da871face3244f4343aa98275
SHA256

83aba56c1157b451632006e4fe6cb9fc44f09ada643dfb2dcbb18fcb678e5d4d
SHA512

2d193ebaba8ffb4690208427d7dbcd6ab601a96dab3c6f8fe999f91625fd168f8ce9c5614c181fad1de612a92d3ae213ea3cb1f53a99f407edb0e43b55606069
SSDEEP

24576:tsrA8A7oTTdijMqcN6BxYi3PMfuTITdTT6BMyZwearbZ1jTfXp:X8A7ovYjMqcPmbTydn4QbzTfp

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Toad/toad.exe

Files

Toad.zip
.zip
Toad/caca.toad
Toad/imgui.ini
Toad/toad.exe
.exe windows:6 windows x64 arch:x64

46d40c4ebe21b2336e0b278bb82f556d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

d3d9

Direct3DCreate9

winmm

waveOutGetDevCapsW
waveOutSetVolume
waveOutGetNumDevs
waveOutClose
waveOutPrepareHeader
waveOutWrite
waveOutReset
waveOutOpen
PlaySoundA

kernel32

GetModuleHandleA
SetLastError
FormatMessageA
LocalFree
EnterCriticalSection
LeaveCriticalSection
SleepEx
GetSystemDirectoryA
VerifyVersionInfoA
GetTickCount
MoveFileExA
WaitForSingleObjectEx
GetEnvironmentVariableA
GetStdHandle
GetFileType
PeekNamedPipe
WaitForMultipleObjects
GetFileSizeEx
DeleteCriticalSection
InitializeCriticalSectionEx
GetLastError
AreFileApisANSI
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
InitOnceBeginInitialize
InitOnceComplete
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
CreateEventW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GlobalFree
VerifyVersionInfoW
LoadLibraryA
FreeLibrary
QueryPerformanceFrequency
QueryPerformanceCounter
VerSetConditionMask
GetModuleFileNameW
GetCurrentThread
LoadLibraryW
GetProcAddress
MultiByteToWideChar
SetPriorityClass
IsDebuggerPresent
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
Sleep
GetCurrentProcess
Beep
SetThreadPriority
GlobalLock
GlobalUnlock
GlobalAlloc
GetConsoleWindow
GetModuleHandleW
WideCharToMultiByte
CloseHandle
ReadFile
GetFileSize
CreateFileA
FindNextFileW
FindFirstFileExW
FindClose
InitializeSListHead
OutputDebugStringW

user32

EnumDisplayMonitors
TranslateMessage
DispatchMessageW
MonitorFromWindow
DefWindowProcW
PostQuitMessage
UnregisterClassW
RegisterClassExW
CreateWindowExW
DestroyWindow
LoadCursorW
GetMonitorInfoW
PeekMessageW
SetWindowLongW
GetWindowLongW
WindowFromPoint
ScreenToClient
ClientToScreen
SetCursor
AdjustWindowRectEx
GetClientRect
SetWindowTextW
ReleaseDC
GetDC
SetForegroundWindow
ReleaseCapture
SetCapture
GetCapture
GetKeyState
SetFocus
BringWindowToTop
IsIconic
SetLayeredWindowAttributes
IsChild
CallNextHookEx
UnhookWindowsHookEx
SetWindowsHookExW
GetMessageW
GetWindowThreadProcessId
EnumWindows
GetWindowTextLengthW
GetWindowTextW
IsWindowVisible
SetCursorPos
GetForegroundWindow
mouse_event
EmptyClipboard
GetClipboardData
SetClipboardData
CloseClipboard
OpenClipboard
GetCursorPos
GetAsyncKeyState
PostMessageW
GetCursorInfo
FindWindowA
GetDesktopWindow
GetWindowRect
UpdateWindow
GetActiveWindow
SetWindowPos
ShowWindow

gdi32

GetDeviceCaps

advapi32

CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGenRandom
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA

shell32

ShellExecuteW
ShellExecuteA

msvcp140

?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
_Xtime_get_ticks
_Query_perf_counter
_Query_perf_frequency
_Thrd_join
_Thrd_sleep
_Thrd_id
?_Throw_Cpp_error@std@@YAXH@Z
?_Random_device@std@@YAIXZ
?_Syserror_map@std@@YAPEBDH@Z
?_Winerror_map@std@@YAHH@Z
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
??Bid@locale@std@@QEAA_KXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
_Cnd_do_broadcast_at_thread_exit
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xbad_function_call@std@@YAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
??Bios_base@std@@QEBA_NXZ
_Thrd_detach
?_Throw_C_error@std@@YAXH@Z
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
?_Incref@facet@locale@std@@UEAAXXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z
?_Locimp_Addfac@_Locimp@locale@std@@CAXPEAV123@PEAVfacet@23@_K@Z
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z
??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z
??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z

imm32

ImmSetCompositionWindow
ImmAssociateContextEx
ImmReleaseContext
ImmSetCandidateWindow
ImmGetContext

normaliz

IdnToAscii

wldap32

ord35
ord33
ord217
ord143
ord200
ord30
ord79
ord32
ord27
ord26
ord22
ord301
ord50
ord45
ord60
ord211
ord46
ord41

crypt32

CertFreeCertificateChain
CertGetNameStringA
CertGetCertificateChain
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore

ws2_32

freeaddrinfo
recvfrom
sendto
gethostname
ntohl
bind
select
connect
__WSAFDIsSet
ioctlsocket
getpeername
getsockname
getsockopt
htons
ntohs
send
listen
htonl
setsockopt
accept
socket
recv
WSACleanup
closesocket
getaddrinfo
WSAStartup
WSAIoctl
WSASetLastError
WSAGetLastError

vcruntime140

__current_exception_context
__current_exception
__C_specific_handler
strrchr
strchr
memchr
memset
memmove
memcpy
memcmp
_CxxThrowException
strstr
__std_terminate
__std_exception_copy
__std_exception_destroy

vcruntime140_1

__CxxFrameHandler4

api-ms-win-crt-runtime-l1-1-0

terminate
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_getpid
_cexit
_seh_filter_exe
_set_app_type
__sys_nerr
_get_initial_narrow_environment
_initterm
_initterm_e
_exit
_crt_atexit
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
strerror
exit
_errno
system
abort
_invalid_parameter_noinfo_noreturn
_wassert
_beginthreadex
_configure_narrow_argv

api-ms-win-crt-string-l1-1-0

strncpy
strcmp
strncmp
tolower
strpbrk
_strdup
isupper
strspn
strcspn

api-ms-win-crt-heap-l1-1-0

malloc
free
_callnewh
realloc
_set_new_mode
calloc

api-ms-win-crt-convert-l1-1-0

strtoll
strtod
atof
strtoull
atoi
strtoul
strtol

api-ms-win-crt-time-l1-1-0

_time64
_gmtime64_s
_localtime64_s
_mktime64
_mkgmtime64
_gmtime64

api-ms-win-crt-math-l1-1-0

log
logf
atan2f
__setusermatherr
_dsign
log10
floor
log2f
ceilf
acosf
sinf
cosf
sqrtf
fmodf
ceil
pow
powf
_dclass

api-ms-win-crt-stdio-l1-1-0

_open
_write
_read
__p__commode
__stdio_common_vsprintf
_set_fmode
_get_stream_buffer_pointers
_wfopen
fseek
ungetc
setvbuf
ftell
__acrt_iob_func
__stdio_common_vsscanf
_lseeki64
feof
fputs
fwrite
fopen
_fseeki64
fsetpos
fgets
fread
fputc
fgetpos
fgetc
fflush
fclose
_close

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file
_stat64
_access
_unlink
_fstat64

api-ms-win-crt-locale-l1-1-0

localeconv
_configthreadlocale
___lc_codepage_func

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-utility-l1-1-0

qsort

Sections

.text
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 637KB - Virtual size: 637KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 42KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

46d40c4ebe21b2336e0b278bb82f556d

Headers

DLL Characteristics

File Characteristics

Imports

d3d9

winmm

kernel32

user32

gdi32

advapi32

shell32

msvcp140

imm32

normaliz

wldap32

crypt32

ws2_32

vcruntime140

vcruntime140_1

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-utility-l1-1-0

Sections

.text Size: 1.0MB - Virtual size: 1.0MB

.rdata Size: 637KB - Virtual size: 637KB

.data Size: 14KB - Virtual size: 22KB

.pdata Size: 42KB - Virtual size: 42KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 2KB - Virtual size: 2KB

.text
Size: 1.0MB - Virtual size: 1.0MB

.rdata
Size: 637KB - Virtual size: 637KB

.data
Size: 14KB - Virtual size: 22KB

.pdata
Size: 42KB - Virtual size: 42KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 2KB - Virtual size: 2KB