Static task: static1
Behavioral task: behavioral1
Sample: certutil.exe
Resource: win10v2004-20231023-en
General
Target: certutil.exe
Size: 1.5MB
MD5: 291b8c8d419bf3f836d19e165742a342
SHA1: 92615acb1cf78518c1e2ce470e4894bec2038a04
SHA256: beccb40598d544b665f562c6ccb725d48c4bb120fa21b376487c2f5d4761dfbb
SHA512: 0bad01017f31257e99d630ac94599b5da466c65023a215b1c3010076ae88f4faaa6a513c990528b91beee8fa4bf71dfe8d28e3f6eae7c29cc65a1de358aa80f3
SSDEEP: 24576:UQVo/iVU1bR2HYfcvg6xm8bu0d96+maG4Zut+X1a1LOqGxwZRlz9ZW85xt+W0z:jVoqVW2HAH8qy96+lbVa1LOqGARlz9Z0
Malware Config
Signatures
Unsigned PE (1 IoC): Checks for missing Authenticode signature.
Resource: certutil.exe
Files
certutil.exe.exe windows:10 windows x64 arch:x64
323a326d7b550351b75ec637a5575902
Headers
DLL Characteristics: IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_GUARD_CF, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
advapi32
IsValidSecurityDescriptor
GetSecurityDescriptorLength
CryptReleaseContext
CryptAcquireContextW
LookupAccountNameW
IsValidSid
ConvertSidToStringSidW
ImpersonateSelf
RevertToSelf
LookupAccountSidW
CryptGetProvParam
CryptGetUserKey
CryptGetKeyParam
CryptDestroyKey
RegCreateKeyExW
RegSetValueExW
RegSetValueExA
RegDeleteKeyExW
RegCloseKey
GetTokenInformation
GetLengthSid
CopySid
OpenProcessToken
RegQueryValueExW
RegOpenKeyExW
RegEnumKeyExW
RegCreateKeyW
RegEnumValueW
RegEnumKeyW
RegDeleteKeyW
RegDeleteValueW
CryptSetProvParam
CryptGenRandom
CryptCreateHash
CryptVerifySignatureW
CryptHashData
CryptDestroyHash
CryptSetKeyParam
CryptDecrypt
CryptImportKey
RegDeleteTreeW
RegOpenKeyW
CryptGetHashParam
CryptDuplicateKey
CryptEncrypt
CryptGenKey
CryptContextAddRef
GetSidSubAuthorityCount
GetSidSubAuthority
GetSidIdentifierAuthority
SetNamedSecurityInfoW
AddAccessDeniedAce
AddAccessAllowedAce
AddAccessDeniedObjectAce
AddAccessAllowedObjectAce
AddAce
InitializeAcl
LsaStorePrivateData
LsaRetrievePrivateData
RegConnectRegistryW
AdjustTokenPrivileges
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSecurityDescriptorToStringSecurityDescriptorW
CryptEnumProvidersA
CryptGetDefaultProviderW
LogonUserExW
ImpersonateLoggedOnUser
CreateWellKnownSid
MakeAbsoluteSD
MakeSelfRelativeSD
LsaClose
LsaFreeMemory
LsaOpenPolicy
FreeSid
CheckTokenMembership
DuplicateToken
OpenThreadToken
ConvertStringSidToSidW
AllocateAndInitializeSid
SetSecurityDescriptorDacl
SetEntriesInAclW
GetSecurityDescriptorDacl
DeleteAce
EqualSid
GetAce
GetAclInformation
SetSecurityDescriptorOwner
InitializeSecurityDescriptor
GetSecurityDescriptorControl
CryptSignHashW
CryptSetHashParam
CryptExportKey
CryptDuplicateHash
kernel32
GetFullPathNameW
CloseThreadpoolTimer
CloseThreadpoolWait
FindCloseChangeNotification
FindNextChangeNotification
SetThreadpoolWait
SetThreadpoolTimer
MultiByteToWideChar
VerifyVersionInfoW
VerSetConditionMask
LeaveCriticalSection
SetConsoleCtrlHandler
EnterCriticalSection
SetEndOfFile
WriteFile
LockResource
SizeofResource
LoadResource
FindResourceW
GetVersionExW
GetComputerNameExW
GetComputerNameW
SetFilePointer
ReadFile
FindClose
FindNextFileW
FindFirstChangeNotificationW
Sleep
GetTickCount
LoadLibraryW
DecodePointer
EncodePointer
GetFileAttributesExW
GetCurrentProcess
QueryFullProcessImageNameW
GetProcessTimes
OpenProcess
GetLastError
GetTickCount64
PulseEvent
OpenEventW
GetUserDefaultUILanguage
LocalReAlloc
LocalFileTimeToFileTime
GetModuleHandleW
RaiseException
DeleteCriticalSection
InitializeCriticalSection
GetSystemDefaultLangID
FormatMessageW
HeapAlloc
HeapFree
GetProcessHeap
lstrcmpW
CreateThreadpoolTimer
FindFirstFileW
CreateThreadpoolWait
SetEvent
ReleaseSemaphore
TrySubmitThreadpoolCallback
CreateSemaphoreW
DeleteFileW
GetFileSize
CreateFileW
CreateEventW
GetEnvironmentVariableW
GetSystemDefaultUILanguage
GetTempFileNameW
GetProcAddress
SetLastError
SetConsoleMode
LocalFree
GetSystemTime
SystemTimeToFileTime
GetSystemTimeAsFileTime
LocalAlloc
GetFileAttributesW
FreeLibrary
CompareFileTime
CreateThread
WaitForSingleObject
GetExitCodeThread
CloseHandle
GetConsoleMode
GetFileType
GetStdHandle
GetStartupInfoW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
DelayLoadFailureHook
ResolveDelayLoadedAPI
FindResourceExW
LCIDToLocaleName
GetLocaleInfoW
GetLocaleInfoEx
SearchPathW
LoadLibraryExA
GetProfileStringA
ResetEvent
GetFileTime
lstrlenW
VirtualFree
VirtualAlloc
GetTempPathW
GetLocalTime
K32GetProcessImageFileNameW
HeapSetInformation
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
GetSystemInfo
GetCurrentThread
CreateDirectoryW
RemoveDirectoryW
GetConsoleOutputCP
CompareStringW
FoldStringW
GetTimeFormatW
GetDateFormatW
FileTimeToLocalFileTime
LoadLibraryExW
GetSystemDirectoryW
GetCommandLineW
FileTimeToSystemTime
WriteConsoleW
GetACP
WideCharToMultiByte
OutputDebugStringA
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
msvcrt
??1type_info@@UEAA@XZ
wcstok
_onexit
__dllonexit
_unlock
_lock
_commode
_fmode
realloc
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_errno
_wcmdln
_itoa_s
memcmp
memset
wcscpy_s
towupper
iswlower
towlower
iswupper
sscanf_s
strpbrk
strcat_s
strcpy_s
strspn
getenv
fwrite
ftell
_wgetenv
_fileno
strcmp
wcstoul
fgetws
feof
fgetc
_wfopen
fputws
atoi
iswalpha
_wsetlocale
isxdigit
gmtime
iswxdigit
vfwprintf
iswspace
__iob_func
_amsg_exit
_XcptFilter
memmove
memcpy
__CxxFrameHandler3
_CxxThrowException
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBQEBD@Z
_callnewh
malloc
fprintf
_strlwr
_swab
ferror
fseek
fputs
strchr
fgets
fopen
calloc
bsearch
?terminate@@YAXXZ
_setmode
??_V@YAXPEAX@Z
??3@YAXPEAX@Z
__CxxFrameHandler4
_purecall
_vsnwprintf
iswdigit
wcsrchr
wcschr
fwprintf
_wfopen_s
fclose
fflush
_fgetwchar
wcsspn
_wcsnicmp
?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
qsort
wcscspn
free
wcscmp
__isascii
isdigit
_strnicmp
swscanf
_stricmp
_wtoi
_vsnprintf
_wcslwr
strncmp
strcspn
wcsstr
strstr
wcsncmp
_ultow
_wcsicmp
certcli
CAEnumCertTypesEx
ord356
ord205
ord213
ord254
ord360
ord223
ord256
ord246
ord225
ord358
ord207
ord359
ord217
ord258
CAGetCertTypeFlagsEx
CAGetCertTypePropertyEx
CAFreeCertTypeProperty
CAGetCertTypeKeySpec
ord357
CACertTypeGetSecurity
CAGetCertTypeExtensions
CAFreeCertTypeExtensions
CAEnumCertTypesForCAEx
CAGetCertTypeProperty
CACertTypeAccessCheckEx
CAEnumNextCertType
CACloseCertType
ord373
CAEnumFirstCA
CAFindByName
CAGetCAProperty
CAFreeCAProperty
CAEnumNextCA
CACloseCA
ord362
CAGetCAFlags
CAGetCAExpiration
CAAccessCheck
ord361
CAGetCACertificate
CAGetCASecurity
CASetCAProperty
CAUpdateCAEx
CAFindByCertType
ord257
ord218
ord255
CAEnumCertTypesForCA
CACountCertTypes
CACertTypeAccessCheck
CACountCAs
CARemoveCACertificateTypeEx
CAAddCACertificateTypeEx
CAUpdateCA
ord260
ord366
ord252
ord261
ord253
ord203
ord247
ord210
CASetCASecurity
CASetCACertificate
CASetCAFlags
CACreateNewCA
CAFindCertTypeByName
ord370
ord245
CAGetCertTypeExpiration
crypt32
CryptFindOIDInfo
CertGetCertificateContextProperty
CertFindExtension
CryptEncodeObjectEx
CertFreeCertificateContext
CertCloseStore
CertDuplicateCertificateContext
CertEnumCRLsInStore
CertFreeCRLContext
CertCreateCRLContext
CryptExportPKCS8
PFXExportCertStoreEx
PFXExportCertStore
CryptFreeOIDFunctionAddress
CryptGetOIDFunctionAddress
CryptInitOIDFunctionSet
CertStrToNameW
CryptDecryptMessage
CryptEncryptMessage
CryptSignMessage
CryptFormatObject
CertAddCertificateLinkToStore
CertGetIntendedKeyUsage
CryptHashPublicKeyInfo
CryptStringToBinaryW
CryptMsgOpenToDecode
CertNameToStrW
CryptSignCertificate
CryptExportPublicKeyInfoEx
CryptSignAndEncodeCertificate
CertDuplicateStore
CryptMsgUpdate
CryptMsgOpenToEncode
CryptBinaryToStringW
CertOpenServerOcspResponse
I_CryptWalkAllLruCacheEntries
I_CryptRemoveLruEntry
I_CryptGetLruEntryData
I_CryptFindLruEntry
I_CryptReleaseLruEntry
I_CryptInsertLruEntry
I_CryptCreateLruEntry
CertCloseServerOcspResponse
I_CryptFreeLruCache
I_CryptCreateLruCache
CryptMsgEncodeAndSignCTL
CertGetNameStringA
CertSetCertificateContextPropertiesFromCTLEntry
CertCreateContext
I_CertProtectFunction
CertAddStoreToCollection
CertVerifyCertificateChainPolicy
CryptMemFree
CertVerifySubjectCertificateContext
CryptVerifyCertificateSignatureEx
CertGetEnhancedKeyUsage
CertVerifyCRLTimeValidity
CertVerifyRevocation
CertVerifyTimeValidity
CryptEnumKeyIdentifierProperties
CryptImportPublicKeyInfo
CertDuplicateCRLContext
CertDeleteCRLFromStore
CertAddCTLContextToStore
CertAddCRLContextToStore
CertEnumSystemStore
CertEnumSystemStoreLocation
CertEnumPhysicalStore
CertControlStore
CertSaveStore
CertAddSerializedElementToStore
CertAddEncodedCTLToStore
CertAddEncodedCRLToStore
CertAddEncodedCertificateToStore
CertSetCTLContextProperty
CertSetCRLContextProperty
CryptFindCertificateKeyProvInfo
CryptAcquireCertificatePrivateKey
CertEnumCertificateContextProperties
CertGetCRLContextProperty
CertEnumCRLContextProperties
CertGetCTLContextProperty
CertEnumCTLContextProperties
CertSetStoreProperty
CertComparePublicKeyInfo
CryptExportPublicKeyInfo
CertFreeCTLContext
CertCreateCTLContext
CertEnumCTLsInStore
CertDeleteCertificateFromStore
CertGetNameStringW
CryptDecodeObjectEx
CryptQueryObject
CryptMsgGetParam
CryptVerifyDetachedMessageSignature
CryptMsgGetAndVerifySigner
CryptMsgControl
PFXIsPFXBlob
PFXImportCertStore
CryptImportPKCS8
CertGetPublicKeyLength
CryptMsgClose
CertAddCertificateContextToStore
CertSetCertificateContextProperty
CryptGetKeyIdentifierProperty
CertFindAttribute
CryptHashCertificate
CryptDecodeObject
CertOpenStore
CertFindCertificateInStore
CertEnumCertificatesInStore
CryptFindLocalizedName
CryptVerifyCertificateSignature
CertCompareCertificateName
CertFreeCertificateChain
CertGetCertificateChain
CryptHashCertificate2
CryptImportPublicKeyInfoEx2
CryptRegisterOIDInfo
CertCreateCertificateContext
CryptEnumOIDInfo
cabinet
ord20
ord21
ord22
ord23
comctl32
InitCommonControlsEx
cryptui
CryptUIDlgFreeCAContext
CryptUIDlgViewCRLW
CryptUIDlgViewCertificateW
gdi32
GetStockObject
ncrypt
NCryptFreeObject
BCryptVerifySignature
BCryptDestroyKey
NCryptOpenStorageProvider
NCryptImportKey
NCryptSetProperty
NCryptFinalizeKey
BCryptSetProperty
BCryptGetProperty
BCryptCloseAlgorithmProvider
SslEnumProtocolProviders
SslOpenProvider
SslFreeBuffer
SslFreeObject
NCryptGetProperty
BCryptFreeBuffer
BCryptOpenAlgorithmProvider
BCryptCreateHash
BCryptHashData
BCryptFinishHash
BCryptDestroyHash
BCryptDecrypt
BCryptEncrypt
BCryptExportKey
BCryptGenRandom
BCryptSignHash
NCryptCreatePersistedKey
NCryptDecrypt
NCryptDeleteKey
NCryptDeriveKey
NCryptEncrypt
NCryptExportKey
NCryptOpenKey
NCryptSecretAgreement
NCryptSignHash
NCryptVerifySignature
NCryptEnumAlgorithms
NCryptIsAlgSupported
NCryptEnumKeys
NCryptEnumStorageProviders
NCryptFreeBuffer
BCryptEnumAlgorithms
BCryptGenerateKeyPair
BCryptQueryProviderRegistration
BCryptEnumContexts
BCryptQueryContextConfiguration
BCryptEnumContextFunctions
BCryptResolveProviders
NCryptIsKeyHandle
netapi32
DsGetDcNameW
NetApiBufferFree
NetUserGetGroups
DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory
DsGetSiteNameW
normaliz
IdnToUnicode
IdnToAscii
ntdll
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
NtQuerySystemTime
RtlTimeToSecondsSince1970
NtQuerySystemInformationEx
WinSqmIncrementDWORD
ntdsapi
DsFreeNameResultW
DsCrackNamesW
DsFreeDomainControllerInfoW
DsBindW
DsUnBindW
DsGetDomainControllerInfoW
setupapi
SetupFindNextLine
SetupGetFieldCount
SetupGetStringFieldW
SetupOpenInfFileW
SetupFindFirstLineW
SetupGetLineCountW
SetupCloseInfFile
SetupGetIntField
shell32
SHGetFolderPathW
SHGetKnownFolderPath
version
GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW
wldap32
ord16
ord208
ord14
ord145
ord13
ord210
ord65
ord12
ord18
ord27
ord73
ord113
ord140
ord224
ord142
ord79
ord127
ord167
ord147
ord155
ord206
ord135
ord203
ord36
ord26
ord41
ord191
ole32
CoTaskMemFree
CoInitialize
CoUninitialize
CoInitializeEx
CLSIDFromString
CLSIDFromProgID
StringFromCLSID
ProgIDFromCLSID
CoTaskMemAlloc
CoCreateInstanceEx
CoSetProxyBlanket
CoCreateInstance
StgOpenStorageEx
PropVariantClear
oleaut32
SetErrorInfo
CreateErrorInfo
VariantCopyInd
SystemTimeToVariantTime
VariantTimeToSystemTime
SysStringLen
SafeArrayDestroy
SafeArrayPutElement
SafeArrayCreate
SysAllocStringByteLen
SysAllocStringLen
SysAllocString
VariantClear
VariantInit
SysStringByteLen
SafeArrayUnaccessData
SysFreeString
SafeArrayGetDim
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
SafeArrayGetElement
rpcrt4
NdrClientCall3
I_RpcExceptionFilter
UuidCreate
secur32
TranslateNameW
GetUserNameExW
GetComputerObjectNameW
user32
GetDlgItemTextW
GetDesktopWindow
DialogBoxParamW
SetWindowTextW
GetWindowLongPtrW
CharLowerW
SetCursor
SetFocus
GetWindowTextW
ShowWindow
LoadStringW
UpdateWindow
SetWindowLongPtrW
IsDlgButtonChecked
GetDlgItemInt
LoadCursorW
SetDlgItemTextW
CallWindowProcW
SendMessageW
GetDlgItem
EnableWindow
EndDialog
DispatchMessageW
TranslateMessage
GetMessageW
PostMessageW
CreateWindowExW
RegisterClassW
LoadIconW
DefWindowProcW
PostQuitMessage
SetDlgItemInt
CheckDlgButton
MessageBoxW
SendDlgItemMessageA
shlwapi
PathFindFileNameW
Sections
.text Size: 1.0MB - Virtual size: 1.0MB (IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ)
.rdata Size: 300KB - Virtual size: 298KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ)
.data Size: 64KB - Virtual size: 73KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE)
.pdata Size: 36KB - Virtual size: 32KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ)
.didat Size: 4KB - Virtual size: 776B (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE)
.rsrc Size: 8KB - Virtual size: 4KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ)
.reloc Size: 12KB - Virtual size: 8KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ)