NOsbbu7KX0lhxRRQ8FXL[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

NOsbbu7KX0lhxRRQ8FXL.exe
Size

1.4MB
MD5

772dd5c983d078b226e378caa673b656
SHA1

c22a73188909cd09dd4b0abd02f55259edaf76bc
SHA256

bc8f4ea8f5ff857b15799f5147f640e594d8711884b9c6a61fae689d7f74ffc8
SHA512

667a6cee06562612e09095b561723c06b855c1307e3ad15f01daaf42d07d8069b27b3b9ba898781151593e106ad1af746152c4e4ae85c435b80cd254eddb79d0
SSDEEP

24576:TgAHvqz/pY+lfo+Ro1SaXgZgqagqCeQWxH9XZeYKDh6ri8id31PovTsvjaYk5ewK:NQBhohwZgqWQ+9XZKDh6ri8id31AvTOh

Score

1^/10

Malware Config

Signatures

Files

NOsbbu7KX0lhxRRQ8FXL.exe
.exe windows:6 windows x86 arch:x86

144b0dc7f7df42bcd8d959e63866766a

Code Sign

04:00:00:00:00:01:31:89:c6:50:04
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

02/08/2011, 10:00

Not After

29/03/2029, 10:00

Subject

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

24:54:b8:7f:1e:14:53:ad:37:fa:a1:78
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Not Before

19/02/2018, 00:00

Not After

18/03/2029, 10:00

Subject

CN=GlobalSign TSA for MS Authenticode advanced - G2

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

7a:0b:ab:6c:70:f0:a1:28:80:99:f7:7c:b3:c3:c1:aa
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

13/07/2019, 00:00

Not After

12/07/2022, 23:59

Subject

CN=Roblox Corporation,O=Roblox Corporation,L=San Mateo,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

51:0c:08:ca:db:a5:a9:f9:e5:27:aa:2b:cc:c4:8a:58:2a:51:50:a9
Signer

Actual PE Digest

51:0c:08:ca:db:a5:a9:f9:e5:27:aa:2b:cc:c4:8a:58:2a:51:50:a9

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

powrprof

CallNtPowerInformation

winhttp

WinHttpWriteData
WinHttpSetOption
WinHttpSetTimeouts
WinHttpReadData
WinHttpAddRequestHeaders
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpConnect
WinHttpCloseHandle
WinHttpCrackUrl
WinHttpOpen
WinHttpOpenRequest

kernel32

GetFileAttributesExW
GetFileSizeEx
SetFileTime
GetSystemTime
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
lstrcpyW
SystemTimeToFileTime
OpenEventA
WaitForSingleObjectEx
GetCurrentProcessId
ResetEvent
GetStdHandle
FindClose
FindFirstFileW
FindNextFileW
GetDiskFreeSpaceExW
RemoveDirectoryW
SetFileAttributesW
ReleaseMutex
CreateMutexW
CreateEventW
Sleep
GetCurrentProcess
TerminateProcess
GetExitCodeProcess
GetCurrentThread
CreateProcessW
OpenProcess
GetLocalTime
GetTickCount
FreeLibrary
GetModuleFileNameW
LoadLibraryW
lstrlenW
BeginUpdateResourceW
UpdateResourceA
EndUpdateResourceW
CopyFileW
GetGeoInfoW
GetUserGeoID
GetUserDefaultLCID
FreeConsole
AttachConsole
GetConsoleScreenBufferInfo
SetConsoleTextAttribute
GetSystemTimeAsFileTime
CreateSemaphoreA
ReleaseSemaphore
DuplicateHandle
GetModuleHandleA
K32EnumProcesses
K32GetProcessImageFileNameW
GetCommandLineW
IsWow64Process
QueryPerformanceCounter
QueryPerformanceFrequency
FileTimeToSystemTime
GetFileTime
LocalFileTimeToFileTime
SetFilePointer
DosDateTimeToFileTime
lstrcatW
GetShortPathNameW
SetLastError
CreateSemaphoreW
GlobalAlloc
GlobalUnlock
GlobalLock
GlobalFree
IsDebuggerPresent
FormatMessageA
GetSystemInfo
WaitForMultipleObjectsEx
SetWaitableTimer
ResumeThread
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetLogicalProcessorInformation
CreateWaitableTimerA
GetFileType
SetUnhandledExceptionFilter
LoadResource
VerifyVersionInfoW
GetExitCodeThread
GetVersion
LockFileEx
SetEndOfFile
UnlockFileEx
SetProcessShutdownParameters
SetConsoleCtrlHandler
GetProcessTimes
SuspendThread
GetProcessId
GetThreadContext
IsProcessorFeaturePresent
GetTimeZoneInformation
GetThreadLocale
GetSystemDefaultLCID
InitializeCriticalSection
VirtualQueryEx
ReadProcessMemory
SetNamedPipeHandleState
TransactNamedPipe
CreateNamedPipeW
WaitNamedPipeW
SetFilePointerEx
FindFirstFileExW
ConnectNamedPipe
DisconnectNamedPipe
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
UnregisterWaitEx
RegisterWaitForSingleObject
OutputDebugStringW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
TryEnterCriticalSection
InitOnceExecuteOnce
FindResourceExW
ExitProcess
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetFileInformationByHandle
GetDriveTypeW
GetModuleHandleExW
ExitThread
GetConsoleCP
ReadConsoleW
GetConsoleMode
GetCommandLineA
RtlUnwind
CreateTimerQueue
QueryDepthSList
InterlockedFlushSList
InterlockedPushEntrySList
InterlockedPopEntrySList
VirtualFree
VirtualProtect
VirtualAlloc
LoadLibraryExW
FreeLibraryAndExitThread
GetThreadTimes
UnregisterWait
SetThreadAffinityMask
GetProcessAffinityMask
GetNumaHighestNodeNumber
DeleteTimerQueueTimer
ChangeTimerQueueTimer
GetFileAttributesW
CreateTimerQueueTimer
GetThreadPriority
SetThreadPriority
SignalObjectAndWait
InitializeSListHead
GetStartupInfoW
UnhandledExceptionFilter
GetCPInfo
GetStringTypeW
GetLocaleInfoW
LCMapStringW
CompareStringW
SwitchToThread
EncodePointer
FindResourceA
FormatMessageW
LocalFree
GetVersionExW
GetTempPathW
WriteFile
ReadFile
GetFileSize
DeleteFileW
VerSetConditionMask
GetCurrentThreadId
WideCharToMultiByte
MultiByteToWideChar
FindResourceW
SizeofResource
FlushFileBuffers
CreateThread
LockResource
CreateFileW
CreateDirectoryW
DeleteCriticalSection
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
GetLastError
RaiseException
DecodePointer
SetEvent
CreateEventA
GetProcAddress
GetModuleHandleW
WaitForSingleObject
InitializeCriticalSectionEx
CloseHandle
IsValidLocale
EnumSystemLocalesW
SetStdHandle
GetCurrentDirectoryW
GetFullPathNameW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
WriteConsoleW
SleepEx

user32

GetMessageW
PostThreadMessageW
CharUpperW
CharNextW
LoadAcceleratorsW
ShowWindow
TranslateMessage
DispatchMessageW
TranslateAcceleratorW
AllowSetForegroundWindow
UnregisterClassW
MessageBoxW
EnumWindows
GetWindowThreadProcessId
LoadIconW
MessageBoxA
MessageBoxExW
PostMessageW
IsWindowVisible
SetForegroundWindow
GetWindowTextW
SendMessageW
DefWindowProcW
CallWindowProcW
RegisterClassW
CreateWindowExW
DestroyWindow
GetDlgItem
KillTimer
EnableWindow
GetSystemMetrics
GetWindowLongW
SetWindowLongW
LoadBitmapW
SetTimer
SetWindowTextW

gdi32

DeleteObject
CreateSolidBrush

shell32

SHGetFolderPathAndSubDirW
ShellExecuteW
CommandLineToArgvW
ShellExecuteExW
Shell_NotifyIconW

ole32

CoCreateInstance
CoUninitialize
CoCreateGuid
CoInitialize
CreateStreamOnHGlobal

oleaut32

SysStringLen
VariantInit
VariantClear

advapi32

CryptReleaseContext
RegDeleteKeyExW
RegDeleteKeyW
OpenProcessToken
RegQueryValueExW
RegOpenKeyExW
RegDeleteValueW
RegSetValueExW
RegCreateKeyExW
RegCloseKey
RegEnumValueW
RegFlushKey
RegOpenKeyExA
RegQueryInfoKeyW
RegQueryValueExA
CryptGetHashParam
CryptCreateHash
CryptHashData
CryptDestroyHash
BuildSecurityDescriptorW
BuildExplicitAccessWithNameW
ConvertStringSecurityDescriptorToSecurityDescriptorW
ImpersonateNamedPipeClient
RevertToSelf
SystemFunction036
GetTokenInformation
CryptAcquireContextW
RegEnumKeyExW

shlwapi

StrCpyW
StrRChrW
PathAddBackslashW
HashData
SHDeleteKeyW
PathFileExistsW
StrCmpNW
PathRemoveExtensionW
SHCopyKeyW
StrDupW

iphlpapi

GetAdaptersInfo

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

sensapi

IsNetworkAlive

winmm

timeSetEvent
timeGetDevCaps
timeBeginPeriod
timeGetTime

wininet

InternetOpenW
InternetCloseHandle
InternetConnectW
InternetReadFile
HttpQueryInfoW
HttpQueryInfoA
HttpEndRequestW
HttpSendRequestExW
HttpSendRequestW
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestW
InternetSetOptionW
InternetQueryOptionW
InternetQueryDataAvailable
InternetWriteFile

ws2_32

inet_ntoa
getaddrinfo
freeaddrinfo
closesocket
connect
htons
send
sendto
socket
WSAStartup
WSACleanup
WSAGetLastError

comctl32

_TrackMouseEvent
InitCommonControlsEx

gdiplus

GdipCreateBitmapFromStream
GdipFree
GdiplusStartup
GdiplusShutdown
GdipCloneImage
GdipDisposeImage
GdipCreateHBITMAPFromBitmap
GdipAlloc

Sections

.text
Size: 983KB - Virtual size: 982KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 274KB - Virtual size: 273KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 23KB - Virtual size: 430KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

CPADinfo
Size: 512B - Virtual size: 40B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 87KB - Virtual size: 86KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 49KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

144b0dc7f7df42bcd8d959e63866766a

Code Sign

04:00:00:00:00:01:31:89:c6:50:04Certificate

Key Usages

24:54:b8:7f:1e:14:53:ad:37:fa:a1:78Certificate

Extended Key Usages

Key Usages

7a:0b:ab:6c:70:f0:a1:28:80:99:f7:7c:b3:c3:c1:aaCertificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

51:0c:08:ca:db:a5:a9:f9:e5:27:aa:2b:cc:c4:8a:58:2a:51:50:a9Signer

Headers

DLL Characteristics

File Characteristics

Imports

powrprof

winhttp

kernel32

user32

gdi32

shell32

ole32

oleaut32

advapi32

shlwapi

iphlpapi

version

sensapi

winmm

wininet

ws2_32

comctl32

gdiplus

Sections

.text Size: 983KB - Virtual size: 982KB

.rdata Size: 274KB - Virtual size: 273KB

.data Size: 23KB - Virtual size: 430KB

CPADinfo Size: 512B - Virtual size: 40B

.rsrc Size: 87KB - Virtual size: 86KB

.reloc Size: 49KB - Virtual size: 48KB

04:00:00:00:00:01:31:89:c6:50:04
Certificate

24:54:b8:7f:1e:14:53:ad:37:fa:a1:78
Certificate

7a:0b:ab:6c:70:f0:a1:28:80:99:f7:7c:b3:c3:c1:aa
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

51:0c:08:ca:db:a5:a9:f9:e5:27:aa:2b:cc:c4:8a:58:2a:51:50:a9
Signer

.text
Size: 983KB - Virtual size: 982KB

.rdata
Size: 274KB - Virtual size: 273KB

.data
Size: 23KB - Virtual size: 430KB

CPADinfo
Size: 512B - Virtual size: 40B

.rsrc
Size: 87KB - Virtual size: 86KB

.reloc
Size: 49KB - Virtual size: 48KB