Static task
static1
Behavioral task
behavioral1
Sample
dcb318455c0fbfdef63c94bce376c249e31e17a85acd820d147273a030389cd2.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
dcb318455c0fbfdef63c94bce376c249e31e17a85acd820d147273a030389cd2.exe
Resource
win10v2004-20231020-en
General
-
Target
dcb318455c0fbfdef63c94bce376c249e31e17a85acd820d147273a030389cd2
-
Size
683KB
-
MD5
01ef947aed7b2952530b58b10d4ac909
-
SHA1
216b4a608a9cda76db4d9dbe01a99d3ecf253ef1
-
SHA256
dcb318455c0fbfdef63c94bce376c249e31e17a85acd820d147273a030389cd2
-
SHA512
a7e466d2b48bf4eeccde4522fb65255b04bf406d0928ffbf27d24ef0c1ccfd8aca1d560f7c331402d14bf2a11a0c0cada403c4e6b5983ef236f341652507f565
-
SSDEEP
12288:erUX1P7+57jWSDFU+5E+1RndR9C68PgP0WgiuCXdjTLn5:erUX1P7+je+n1JE3PE0WgiuCtjPn5
Malware Config
Signatures
-
Unsigned PE (1 IoC)
Checks for a missing Authenticode signature.
resource dcb318455c0fbfdef63c94bce376c249e31e17a85acd820d147273a030389cd2
Files
-
dcb318455c0fbfdef63c94bce376c249e31e17a85acd820d147273a030389cd2.exe windows:5 windows x86 arch:x86
ccc924c72d4acb651780f1db3a95b2e5
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
rpcrt4
UuidCreate
xmlkit
?GetChildrenCount@CXmlKit@@QAEHPBD@Z
?GetChildText@CXmlKit@@QAEHPBDPAD@Z
??0CXmlKit@@QAE@XZ
??1CXmlKit@@UAE@XZ
?Parse@CXmlKit@@QAEHPBD@Z
?Seek@CXmlKit@@QAEHPBD@Z
?Next@CXmlKit@@QAEHXZ
?GetChildText@CXmlKit@@QAEPBDPBD@Z
?GetChildrenCount@CXmlKit@@QAEHXZ
?Child@CXmlKit@@QAEHPBD@Z
?GetAttribute@CXmlKit@@QAEPBDPBD@Z
?Root@CXmlKit@@QAEXXZ
?GetChildInt@CXmlKit@@QAEHPBD@Z
?Next@CXmlKit@@QAEHPBD@Z
?SetChildText@CXmlKit@@QAEHPBD0@Z
?SaveFile@CXmlKit@@QAEHPBD@Z
?GetXml@CXmlKit@@QAEPBDH@Z
?Remove@CXmlKit@@QAEHXZ
?LoadFile@CXmlKit@@QAEHPBD@Z
?Parse@CXmlKit@@QAEHXZ
?Seek@CXmlKit@@QAEHPBD0@Z
?Parent@CXmlKit@@QAEHXZ
?GetText@CXmlKit@@QAEPBDXZ
?GetChildInt@CXmlKit@@QAEHPBDAAH@Z
?GetChildInt@CXmlKit@@QAEHPBDAAK@Z
?AddChild@CXmlKit@@QAEHHPBD@Z
?AddAttribute@CXmlKit@@QAEHPBD0@Z
?AddChild@CXmlKit@@QAEHHPBDH@Z
?AddChild@CXmlKit@@QAEHHPBD0@Z
?Child@CXmlKit@@QAEHXZ
zwsharem
ord13
ord19
ord22
ord15
ord23
ord16
ord20
ord12
ord11
ord21
ord10
ord9
ord7
ord4
ord3
ord24
zwsharedatam
ord3
ord4
wlxme
?Send@wlxme@@YGHIPBDH0PADH@Z
zwexchsharem
ord4
ord3
vcmonitorm
ord8
ord4
ord3
ord12
vcmonitorc
ord3
ord5
ord4
wlproxyapi
?I_AM_CLIENT@CInvoker@wlproxy@@QAEHHPBD@Z
??1CInvoker@wlproxy@@QAE@XZ
?Initialize@CInvoker@wlproxy@@QAEHPBD@Z
?StopGet@CRequest@wlproxy@@QAEXXZ
?StartGet@CRequest@wlproxy@@QAEHPBDP6GH0H00J@ZJ@Z
?Get@CRequest@wlproxy@@QAEHPBDP6GH0H00J@ZJAAPAD@Z
?CreateRequest@CInvoker@wlproxy@@QAEHPBD0AAPAVCRequest@2@@Z
?GetSession@CRequest@wlproxy@@QAEHAAPAD@Z
??0CInvoker@wlproxy@@QAE@XZ
?DestroyRequest@CInvoker@wlproxy@@QAEHPAVCRequest@2@@Z
?Terminate@CInvoker@wlproxy@@QAEHXZ
mfc140
ord11550
ord10234
ord11604
ord8784
ord2549
ord4045
ord8785
ord2438
ord985
ord1461
ord13884
ord2459
ord10330
ord7618
ord1468
ord7961
ord2200
ord13830
ord4580
ord6831
ord12869
ord12162
ord12194
ord10383
ord8180
ord12190
ord12182
ord5894
ord3844
ord6323
ord14582
ord6324
ord14583
ord6322
ord14581
ord7964
ord12474
ord14380
ord11928
ord11927
ord2027
ord7905
ord12888
ord4082
ord4143
ord9353
ord14507
ord7886
ord14509
ord12485
ord12484
ord2484
ord5336
ord8285
ord12806
ord8347
ord8429
ord3688
ord3686
ord14291
ord6505
ord5826
ord8031
ord8026
ord8426
ord1178
ord6563
ord5960
ord9089
ord4216
ord14322
ord4656
ord3839
ord5096
ord5059
ord6785
ord6533
ord12963
ord14040
ord12960
ord14029
ord8838
ord14032
ord13619
ord13036
ord12808
ord12894
ord12521
ord12501
ord13699
ord13202
ord6502
ord898
ord1403
ord6774
ord3231
ord3351
ord14044
ord5192
ord12706
ord12074
ord8997
ord10963
ord11343
ord3396
ord3395
ord3159
ord6193
ord13677
ord2758
ord12115
ord9167
ord13475
ord14149
ord3166
ord4476
ord9422
ord9332
ord7459
ord10421
ord4084
ord7970
ord1443
ord6806
ord9092
ord3250
ord4227
ord1109
ord460
ord7076
ord13908
ord2251
ord2210
ord3924
ord6581
ord4218
ord8705
ord8732
ord8326
ord8770
ord13027
ord4468
ord14461
ord2022
ord5697
ord1529
ord10687
ord983
ord1064
ord6464
ord9083
ord3140
ord8322
ord12826
ord1696
ord5898
ord305
ord3005
ord300
ord3856
ord13011
ord3949
ord9478
ord1526
ord12503
ord5095
ord5010
ord2383
ord2387
ord358
ord1470
ord995
ord4865
ord3825
ord1131
ord6523
ord9096
ord14048
ord14054
ord7783
ord5858
ord5398
ord12969
ord8776
ord4870
ord2520
ord6540
ord3874
ord316
ord2298
ord6463
ord1068
ord1000
ord6471
ord9166
ord10207
ord8182
ord5388
ord7677
ord7688
ord7687
ord6104
ord5210
ord5390
ord5231
ord5769
ord5504
ord9305
ord5739
ord5528
ord5228
ord3258
ord3363
ord3364
ord3933
ord12067
ord2680
ord5911
ord13628
ord11663
ord6848
ord14508
ord7887
ord14510
ord3050
ord4485
ord9647
ord4493
ord4972
ord4911
ord4896
ord4958
ord5003
ord4926
ord4981
ord4997
ord4938
ord4944
ord4950
ord4932
ord4987
ord4920
ord1772
ord1751
ord1765
ord1739
ord1717
ord12201
ord12205
ord13798
ord3259
ord9213
ord10950
ord6947
ord12163
ord8922
ord14502
ord11881
ord3830
ord12032
ord9085
ord11672
ord11671
ord5631
ord10240
ord10236
ord10238
ord10239
ord10237
ord14699
ord2759
ord8173
ord2407
ord5677
ord8780
ord9463
ord5011
ord3174
ord3295
ord3298
ord13681
ord6195
ord3142
ord8703
ord2988
ord3864
ord12111
ord13230
ord13966
ord3946
ord2518
ord1106
ord450
ord13234
ord4807
ord1044
ord310
ord4866
ord13028
ord4640
ord1389
ord890
ord7619
ord1507
ord2241
ord266
ord265
ord1509
ord11624
ord11839
ord11128
ord10932
ord11115
ord11623
ord9455
ord9454
ord9218
ord11112
ord11552
ord10802
ord10264
ord11680
ord10201
ord10301
ord11679
ord11191
ord10228
ord9442
ord9993
ord11827
ord10355
ord11471
ord6911
ord7751
ord10001
ord10000
ord11094
ord8968
ord11070
ord9483
ord11692
ord8869
ord8877
ord10453
ord11065
ord9480
ord9944
ord9940
ord1458
ord9468
ord11225
ord9646
ord6847
ord4351
ord1166
ord533
ord7120
ord8713
ord9192
ord12116
ord10804
ord8841
ord4562
ord10986
ord9373
ord8735
ord7461
ord1111
ord462
ord7078
ord2477
ord13584
ord2992
ord2986
ord4315
ord2678
ord11222
ord8266
ord14421
ord2748
ord3808
ord3689
ord458
ord5742
ord6194
ord13679
ord5937
ord10202
ord4869
ord12047
ord3297
ord12122
ord5008
ord5009
ord6460
ord2524
ord7651
ord2291
ord5507
ord9183
ord1067
ord363
ord7040
ord6566
ord8464
ord12632
ord1651
ord1180
ord551
ord7474
ord2252
ord5013
ord7407
ord2381
ord7413
ord6768
ord993
kernel32
GetPrivateProfileStringA
CreateToolhelp32Snapshot
Process32First
OpenProcess
TerminateProcess
Process32Next
LoadLibraryA
FreeLibrary
GetVersionExA
WaitForSingleObject
CreateMutexA
GetSystemDirectoryA
SetFileTime
GetDriveTypeA
SetVolumeLabelA
LocalUnlock
MoveFileA
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
GetModuleHandleW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
SetEvent
ResetEvent
WaitForSingleObjectEx
GetProcAddress
OutputDebugStringA
GetDiskFreeSpaceExA
LocalFree
CreateEventW
IsDebuggerPresent
GetStartupInfoW
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
LocalLock
LocalAlloc
GetTickCount
OutputDebugStringW
MultiByteToWideChar
InterlockedExchange
GetLastError
InitializeCriticalSectionAndSpinCount
GetCurrentProcess
CreateProcessA
Sleep
GetCurrentProcessId
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
GetNativeSystemInfo
CloseHandle
GetWindowsDirectoryA
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
RemoveDirectoryA
SetFileAttributesA
CreateDirectoryA
GetFileAttributesA
GetTempPathA
GetModuleFileNameA
WideCharToMultiByte
user32
SetWindowPos
GetPropA
GetDesktopWindow
ReplyMessage
InSendMessage
PtInRect
ScreenToClient
GetAsyncKeyState
InvalidateRgn
OffsetRect
DrawIcon
IsIconic
SetPropA
GetWindowLongA
GetSystemMetrics
GetMenuItemID
PostMessageA
TrackPopupMenu
SetForegroundWindow
SetMenuDefaultItem
GetSubMenu
LoadMenuW
RegisterWindowMessageA
SetWindowLongA
CallWindowProcA
UpdateWindow
GrayStringA
DrawTextExA
TabbedTextOutA
DrawTextA
SystemParametersInfoA
LoadIconA
DrawStateA
InflateRect
GetMenuState
AppendMenuA
LoadIconW
DestroyIcon
GetMenuItemInfoA
GetMenuItemCount
ReleaseCapture
ClientToScreen
GetFocus
DrawEdge
WindowFromPoint
GetCursorPos
GetCapture
KillTimer
SetTimer
SetWindowRgn
InvalidateRect
IsWindow
EqualRect
IntersectRect
SetRect
LoadImageA
IsRectEmpty
FillRect
SetRectEmpty
GetSystemMenu
GetDC
GetParent
GetWindowRect
GetWindow
EnableWindow
CopyRect
DrawFrameControl
GetSysColor
GetClientRect
SendMessageA
PostQuitMessage
GetForegroundWindow
CreatePopupMenu
ReleaseDC
gdi32
CombineRgn
OffsetRgn
GetPixel
CreateRectRgn
CreateFontIndirectA
CreateRectRgnIndirect
Escape
ExtTextOutA
TextOutA
RectVisible
PtVisible
GetTextExtentPoint32A
GetStockObject
CreatePen
CreateCompatibleBitmap
SetDIBColorTable
SelectObject
GetDIBColorTable
StretchBlt
DeleteObject
CreateDIBSection
BitBlt
CreateCompatibleDC
DeleteDC
GetObjectA
GetDeviceCaps
GetTextMetricsA
GetBkColor
GetTextColor
CreateSolidBrush
msimg32
TransparentBlt
advapi32
RegCloseKey
RegQueryValueExA
RegSetValueExA
RegCreateKeyExA
RegOpenKeyExA
shell32
ShellExecuteA
Shell_NotifyIconA
comctl32
InitCommonControlsEx
_TrackMouseEvent
ole32
CoInitialize
CoUninitialize
CoCreateGuid
oleaut32
VariantClear
msvcp140
?_Xbad_alloc@std@@YAXXZ
??1_Locinfo@std@@QAE@XZ
??0_Locinfo@std@@QAE@HPBD@Z
??4?$_Yarn@D@std@@QAEAAV01@PBD@Z
?_New_Locimp@_Locimp@locale@std@@CAPAV123@_N@Z
?_Xruntime_error@std@@YAXPBD@Z
?_Makeloc@_Locimp@locale@std@@CAPAV123@ABV_Locinfo@3@HPAV123@PBV23@@Z
?_Init@locale@std@@CAPAV_Locimp@12@_N@Z
??Bid@locale@std@@QAEIXZ
?tolower@?$ctype@D@std@@QBEDD@Z
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?id@?$ctype@D@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
??0_Lockit@std@@QAE@H@Z
??1_Lockit@std@@QAE@XZ
?_Xout_of_range@std@@YAXPBD@Z
?_Xlength_error@std@@YAXPBD@Z
iphlpapi
GetAdaptersInfo
gdiplus
GdiplusShutdown
GdiplusStartup
GdipBitmapUnlockBits
GdipBitmapLockBits
GdipCreateBitmapFromScan0
GdipCreateBitmapFromFile
GdipGetImagePalette
GdipGetImagePaletteSize
GdipGetImagePixelFormat
GdipGetImageHeight
GdipGetImageWidth
GdipCloneImage
GdipDrawImageI
GdipDeleteGraphics
GdipGetImageGraphicsContext
GdipDisposeImage
GdipAlloc
GdipFree
vcruntime140
strchr
memcpy
_except_handler4_common
__vcrt_InitializeCriticalSectionEx
__CxxFrameHandler3
memset
__std_exception_copy
__std_exception_destroy
_purecall
memchr
memmove
strrchr
strstr
_CxxThrowException
__std_terminate
api-ms-win-crt-utility-l1-1-0
srand
rand
api-ms-win-crt-stdio-l1-1-0
__stdio_common_vsprintf
__stdio_common_vsscanf
fopen
fclose
ftell
fread
fwrite
fflush
__acrt_iob_func
__stdio_common_vfprintf
_read
_write
_close
_telli64
_lseeki64
__stdio_common_vsprintf_s
__stdio_common_vsnprintf_s
_set_fmode
_get_osfhandle
__p__commode
_commit
fseek
_sopen_s
_chsize_s
api-ms-win-crt-filesystem-l1-1-0
_mkdir
_stat64i32
_splitpath_s
api-ms-win-crt-string-l1-1-0
isdigit
strncmp
_strupr_s
strncpy
_stricmp
strtok
api-ms-win-crt-time-l1-1-0
_mktime64
strftime
_localtime64
_time64
_ftime64
_gmtime64_s
api-ms-win-crt-runtime-l1-1-0
exit
_initterm_e
_c_exit
_register_thread_local_exe_atexit_callback
_controlfp_s
_beginthread
_exit
_initterm
_resetstkoflw
_errno
_invalid_parameter_noinfo
_get_narrow_winmain_command_line
_set_app_type
_seh_filter_exe
terminate
_invalid_parameter_noinfo_noreturn
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
api-ms-win-crt-convert-l1-1-0
atoi
_atoi64
_itoa_s
api-ms-win-crt-heap-l1-1-0
calloc
free
malloc
_recalloc
realloc
_set_new_mode
api-ms-win-crt-multibyte-l1-1-0
_mbsnbcpy
_mbsicoll
_mbscoll
api-ms-win-crt-math-l1-1-0
__setusermatherr
_except1
api-ms-win-crt-locale-l1-1-0
_setmbcp
_configthreadlocale
Sections
.text Size: 286KB - Virtual size: 285KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 92KB - Virtual size: 91KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 5KB - Virtual size: 10KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.gfids Size: 512B - Virtual size: 64B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.tls Size: 512B - Virtual size: 9B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 270KB - Virtual size: 269KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 27KB - Virtual size: 27KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ