archive[.]rar | Triage

Sharing

Copy URL Twitter E-mail

General

Target

archive.rar
Size

12.7MB
MD5

55d767c4a9a082dcbf532190219ebd3b
SHA1

0487a067d170ec35bf7d92740b43779a24b0ec49
SHA256

2556c353052261015a4782e58a901e427a7acc669027b80cd33fbbf037db6b49
SHA512

250919c3bbcd369a9dce77ff1c3240862f04b622fa5af354b62a535c6820a70ec75d6e08255455382f4fac8840f0234481122226d0f3c1d06dd42aae886e4b4e
SSDEEP

393216:5ORD6IIkaTAl/b9t0v9GTmBEvmY6vVZ6fIwGa6:5vIuub9UUcEOYcHd

Score

3^/10

pyinstaller

Malware Config

Signatures

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
static1/unpack001/steam.exe	pyinstaller

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/steam.exe

Files

archive.rar
.rar
hl/Core.dll
.dll windows:4 windows x86 arch:x86

56b7ad3681dd4acc7965dc329d0eccc6

Code Sign

05:4f:46:6c:ec:cb:e9:d6:be:e8:1f:54:35:e6:4d:47
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

04/10/2018, 00:00

Not After

07/10/2021, 12:00

Subject

CN=Valve,O=Valve,L=Bellevue,ST=WA,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
Certificate

Issuer

CN=DigiCert Assured ID CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

22/10/2014, 00:00

Not After

22/10/2024, 00:00

Subject

CN=DigiCert Timestamp Responder,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1b
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

10/11/2006, 00:00

Not After

10/11/2021, 00:00

Subject

CN=DigiCert Assured ID CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageEmailProtection
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3b:34:2f:26:35:c2:4f:f8:20:cb:66:e2:60:64:6d:cf:ea:a4:02:c8
Signer

Actual PE Digest

3b:34:2f:26:35:c2:4f:f8:20:cb:66:e2:60:64:6d:cf:ea:a4:02:c8

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

DebugBreak
GetProcAddress
LoadLibraryA
FreeLibrary
GetModuleHandleA
CompareStringW
CompareStringA
GetLocaleInfoW
SetEndOfFile
RaiseException
SetConsoleCtrlHandler
CreateFileA
GetOEMCP
GetACP
UnhandledExceptionFilter
SetFilePointer
GetUserDefaultLCID
EnumSystemLocalesA
GetLocaleInfoA
IsValidCodePage
IsValidLocale
HeapFree
HeapAlloc
InterlockedDecrement
InterlockedIncrement
GetTimeZoneInformation
GetSystemTime
GetLocalTime
GetCommandLineA
GetVersion
ExitProcess
TerminateProcess
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
FatalAppExitA
GetModuleFileNameA
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
IsBadWritePtr
RtlUnwind
Sleep
WideCharToMultiByte
MultiByteToWideChar
LCMapStringA
LCMapStringW
SetStdHandle
GetLastError
GetFileType
WriteFile
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
GetCurrentThread
SetHandleCount
GetStdHandle
GetStartupInfoA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
FlushFileBuffers
ReadFile
CloseHandle
GetStringTypeA
GetStringTypeW
GetCPInfo
SetEnvironmentVariableA

wsock32

ioctlsocket
gethostbyname
WSAGetLastError
WSACleanup
WSAStartup
gethostname
socket
inet_ntoa
htons
bind
setsockopt
shutdown
closesocket
recvfrom
sendto

Exports

Exports

CreateInterface

Sections

.text
Size: 192KB - Virtual size: 189KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 44KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
hl/DemoPlayer.dll
hl/avformat-53.dll
.dll windows:4 windows x86 arch:x86

cda9a24d0ec183721b985f721181e560

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

01/05/2012, 00:00

Not After

31/12/2012, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G3,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

16/07/2036, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

47:a9:38:ed:c7:ae:ac:8d:c7:1d:cb:b4:b4:f6:11:f8
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

28/09/2012, 00:00

Not After

23/11/2015, 23:59

Subject

CN=Valve,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Valve,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

f6:d5:e7:a5:50:27:92:93:70:c3:94:34:ac:05:e9:af:0d:85:99:23
Signer

Actual PE Digest

f6:d5:e7:a5:50:27:92:93:70:c3:94:34:ac:05:e9:af:0d:85:99:23

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

kernel32

DeleteCriticalSection
EnterCriticalSection
FreeLibrary
GetLastError
GetModuleHandleA
GetProcAddress
GetSystemTimeAsFileTime
InitializeCriticalSection
InterlockedExchange
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryA
MultiByteToWideChar
Sleep
TlsGetValue
VirtualProtect
VirtualQuery
WideCharToMultiByte

msvcrt

_open
__dllonexit
__lc_codepage
__mb_cur_max
_assert
_errno
_iob
_isctype
_pctype
_stricmp
_strnicmp
_winmajor
_wopen
abort
atoi
calloc
fflush
fputc
free
fwrite
getenv
localeconv
malloc
memchr
memcpy
memmove
memset
sscanf
strchr
strcmp
strcpy
strlen
strncmp
strrchr
strspn
strstr
strtol
toupper
vfprintf
wcslen

avcodec-53

av_destruct_packet
av_dup_packet
av_fast_malloc
av_fast_realloc
av_free_packet
av_get_bits_per_sample
av_get_codec_tag_string
av_grow_packet
av_init_packet
av_log_ask_for_sample
av_new_packet
av_packet_merge_side_data
av_parser_close
av_parser_init
av_parser_parse2
av_shrink_packet
av_xiphlacing
avcodec_alloc_context3
avcodec_close
avcodec_decode_audio3
avcodec_decode_video2
avcodec_find_decoder
avcodec_get_frame_defaults
avcodec_open2
avcodec_pix_fmt_to_codec_tag
avcodec_register_all
avcodec_set_dimensions
avcodec_string
ff_find_pix_fmt
ff_mpa_freq_tab
ff_mpeg4audio_get_config
ff_mpeg4audio_sample_rates
ff_raw_pix_fmt_tags
ff_toupper4

avutil-51

av_compare_mod
av_compare_ts
av_crc
av_crc_get_table
av_d2q
av_dict_copy
av_dict_free
av_dict_get
av_dict_set
av_dynarray_add
av_find_info_tag
av_free
av_freep
av_gcd
av_get_pix_fmt_name
av_int2dbl
av_int2flt
av_log
av_malloc
av_mallocz
av_opt_find
av_opt_free
av_opt_set_defaults
av_opt_set_dict
av_parse_time
av_realloc
av_reduce
av_rescale
av_rescale_q
av_rescale_rnd
av_strdup
av_strlcat
av_strlcatf
av_strlcpy
av_strstart
ff_log2_tab

Exports

Exports

_get_output_format
_nm__ff_log2_tab
_nm__ff_mpa_freq_tab
_nm__ff_mpeg4audio_sample_rates
_nm__ff_raw_pix_fmt_tags
av_add_index_entry
av_alloc_put_byte
av_append_packet
av_close_input_file
av_close_input_stream
av_codec_get_id
av_codec_get_tag
av_demuxer_open
av_dump_format
av_filename_number_test
av_find_best_stream
av_find_default_stream_index
av_find_input_format
av_find_stream_info
av_gen_search
av_get_frame_filename
av_get_output_timestamp
av_get_packet
av_gettime
av_guess_codec
av_guess_format
av_hex_dump
av_hex_dump_log
av_iformat_next
av_index_search_timestamp
av_interleave_packet_per_dts
av_interleaved_write_frame
av_match_ext
av_metadata_conv
av_metadata_copy
av_metadata_free
av_metadata_get
av_metadata_set2
av_new_program
av_new_stream
av_oformat_next
av_open_input_file
av_open_input_stream
av_pkt_dump
av_pkt_dump2
av_pkt_dump_log
av_pkt_dump_log2
av_probe_input_buffer
av_probe_input_format
av_probe_input_format2
av_probe_input_format3
av_protocol_next
av_read_frame
av_read_packet
av_read_pause
av_read_play
av_register_all
av_register_input_format
av_register_output_format
av_register_protocol2
av_sdp_create
av_seek_frame
av_seek_frame_binary
av_set_parameters
av_set_pts_info
av_update_cur_dts
av_url_read_fpause
av_url_read_fseek
av_url_read_pause
av_url_read_seek
av_url_split
av_write_frame
av_write_header
av_write_trailer
avf_sdp_create
avformat_alloc_context
avformat_alloc_output_context
avformat_alloc_output_context2
avformat_configuration
avformat_find_stream_info
avformat_free_context
avformat_license
avformat_open_input
avformat_seek_file
avformat_version
avformat_write_header
avio_alloc_context
avio_check
avio_close
avio_close_dyn_buf
avio_enum_protocols
avio_flush
avio_get_str
avio_get_str16be
avio_get_str16le
avio_open
avio_open_dyn_buf
avio_pause
avio_printf
avio_put_str
avio_put_str16le
avio_r8
avio_rb16
avio_rb24
avio_rb32
avio_rb64
avio_read
avio_rl16
avio_rl24
avio_rl32
avio_rl64
avio_seek
avio_seek_time
avio_set_interrupt_cb
avio_size
avio_skip
avio_w8
avio_wb16
avio_wb24
avio_wb32
avio_wb64
avio_wl16
avio_wl24
avio_wl32
avio_wl64
avio_write
brktimegm
codec_movaudio_tags
codec_movvideo_tags
dump_format
ff_add_index_entry
ff_celt_codec
ff_codec_bmp_tags
ff_codec_get_id
ff_codec_get_tag
ff_codec_guid_get_id
ff_codec_movsubtitle_tags
ff_codec_wav_guids
ff_codec_wav_tags
ff_crc04C11DB7_update
ff_data_to_hex
ff_find_stream_index
ff_free_parser_state
ff_gen_syncpoint_search
ff_get_bmp_header
ff_get_guid
ff_get_line
ff_get_v_length
ff_get_wav_header
ff_hex_to_data
ff_id3v1_genre_str
ff_id3v1_read
ff_id3v2_2_metadata_conv
ff_id3v2_34_metadata_conv
ff_id3v2_3_tags
ff_id3v2_4_metadata_conv
ff_id3v2_4_tags
ff_id3v2_match
ff_id3v2_read
ff_id3v2_tag_len
ff_id3v2_tags
ff_index_search_timestamp
ff_interleave_add_packet
ff_make_absolute_url
ff_metadata_conv
ff_metadata_conv_ctx
ff_mkv_codec_tags
ff_mkv_metadata_conv
ff_mkv_mime_tags
ff_mov_iso639_to_lang
ff_mov_lang_to_iso639
ff_mov_read_chan
ff_mov_write_chan
ff_mp4_obj_type
ff_mp4_read_dec_config_descr
ff_mp4_read_descr
ff_mp4_read_descr_len
ff_new_chapter
ff_ntp_time
ff_ogm_audio_codec
ff_ogm_old_codec
ff_ogm_text_codec
ff_ogm_video_codec
ff_parse_key_value
ff_parse_specific_params
ff_program_add_stream_index
ff_put_v
ff_read_frame_flush
ff_reduce_index
ff_restore_parser_state
ff_rm_alloc_rmstream
ff_rm_codec_tags
ff_rm_free_rmstream
ff_rm_metadata
ff_rm_parse_packet
ff_rm_read_mdpr_codecdata
ff_rm_reorder_sipr_data
ff_rm_retrieve_cache
ff_sdp_write_media
ff_sipr_subpk_size
ff_skeleton_codec
ff_store_parser_state
ff_theora_codec
ff_url_join
ff_vorbis_codec
ff_vorbis_comment
ff_vorbiscomment_length
ff_vorbiscomment_metadata_conv
ff_vorbiscomment_write
ff_wav_codec_get_id
ff_win32_open
ff_write_chained
ffio_fdopen
ffio_fill
ffio_get_checksum
ffio_init_checksum
ffio_init_context
ffio_open_dyn_packet_buf
ffio_read_partial
ffio_read_varlen
ffio_rewind_with_probe_data
ffio_set_buf_size
ffurl_alloc
ffurl_close
ffurl_connect
ffurl_get_file_handle
ffurl_open
ffurl_read
ffurl_read_complete
ffurl_register_protocol
ffurl_seek
ffurl_size
ffurl_write
find_info_tag
first_protocol
get_be16
get_be24
get_be32
get_be64
get_buffer
get_byte
get_checksum
get_le16
get_le24
get_le32
get_le64
get_partial_buffer
get_strz
init_checksum
init_put_byte
matroska_video_stereo_mode
matroska_video_stereo_plane
parse_date
pcm_read_seek
put_be16
put_be24
put_be32
put_be64
put_buffer
put_byte
put_flush_packet
put_le16
put_le24
put_le32
put_le64
put_nbyte
put_strz
put_tag
url_alloc
url_close
url_close_buf
url_close_dyn_buf
url_connect
url_exist
url_fclose
url_fdopen
url_feof
url_ferror
url_fget_max_packet_size
url_fgetc
url_fgets
url_fileno
url_filesize
url_fopen
url_fprintf
url_fseek
url_fsize
url_fskip
url_ftell
url_get_file_handle
url_get_filename
url_get_max_packet_size
url_interrupt_cb
url_open
url_open_buf
url_open_dyn_buf
url_open_dyn_packet_buf
url_open_protocol
url_read
url_read_complete
url_seek
url_set_interrupt_cb
url_setbufsize
url_write

Sections

.text
Size: 135KB - Virtual size: 135KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 96B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

/4
Size: 512B - Virtual size: 368B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
hl/cstrike/cl_dlls/client.dll
.dll windows:4 windows x86 arch:x86

3a6114cd3ede40570f8b050de94ed48d

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

05:4f:46:6c:ec:cb:e9:d6:be:e8:1f:54:35:e6:4d:47
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

04/10/2018, 00:00

Not After

07/10/2021, 12:00

Subject

CN=Valve,O=Valve,L=Bellevue,ST=WA,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

4f:b8:34:d9:e6:22:3a:03:a1:14:98:e4:5d:0f:fb:4c:f7:74:26:35
Signer

Actual PE Digest

4f:b8:34:d9:e6:22:3a:03:a1:14:98:e4:5d:0f:fb:4c:f7:74:26:35

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

InterlockedExchange
WaitForSingleObject
CreateEventA
TerminateThread
CloseHandle
SetEvent
CreateThread
GetProcAddress
LoadLibraryA
FreeLibrary
GetModuleHandleA
CompareStringW
CompareStringA
GetLocaleInfoW
SetEndOfFile
SetConsoleCtrlHandler
GetOEMCP
GetACP
CreateFileA
FlushFileBuffers
SetStdHandle
UnhandledExceptionFilter
IsBadCodePtr
SetUnhandledExceptionFilter
GetUserDefaultLCID
EnumSystemLocalesA
GetLocaleInfoA
IsValidCodePage
IsValidLocale
HeapFree
HeapAlloc
RtlUnwind
HeapReAlloc
IsBadReadPtr
ExitProcess
TerminateProcess
GetCurrentProcess
GetTimeZoneInformation
GetSystemTime
GetLocalTime
InterlockedDecrement
InterlockedIncrement
GetCommandLineA
GetVersion
Sleep
GetLastError
CreateDirectoryA
WideCharToMultiByte
HeapSize
GetModuleFileNameA
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
FatalAppExitA
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
GetCurrentThread
RaiseException
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
SetFilePointer
ReadFile
WriteFile
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
GetCPInfo
SetEnvironmentVariableA

user32

GetCursorPos
SystemParametersInfoA
SetCursorPos

sdl2

SDL_GetRelativeMouseState
SDL_GameControllerName
SDL_GameControllerOpen
SDL_IsGameController
SDL_JoystickUpdate
SDL_GameControllerGetButton
SDL_GameControllerGetAxis
SDL_NumJoysticks

steam_api

SteamAPI_Init
SteamFriends
SteamUtils
SteamAPI_Shutdown

Exports

Exports

?AttemptToMaterialize@CBasePlayerItem@@QAEXXZ
?CorpseFallThink@CBaseMonster@@QAEXXZ
?DefaultTouch@CBasePlayerAmmo@@QAEXPAVCBaseEntity@@@Z
?DefaultTouch@CBasePlayerItem@@QAEXPAVCBaseEntity@@@Z
?DestroyItem@CBasePlayerItem@@QAEXXZ
?FallThink@CBasePlayerItem@@QAEXXZ
?Materialize@CBasePlayerAmmo@@QAEXXZ
?Materialize@CBasePlayerItem@@QAEXXZ
?PlayerDeathThink@CBasePlayer@@QAEXXZ
?SUB_CallUseToggle@CBaseEntity@@QAEXXZ
?SUB_Remove@CBaseEntity@@QAEXXZ
?Smack@CKnife@@QAEXXZ
?SwingAgain@CKnife@@QAEXXZ
CAM_Think
CL_CameraOffset
CL_CreateMove
CL_IsThirdPerson
ClientFactory
CreateInterface
Demo_ReadBuffer
F
HUD_AddEntity
HUD_ChatInputPosition
HUD_ConnectionlessPacket
HUD_CreateEntities
HUD_DirectorMessage
HUD_DrawNormalTriangles
HUD_DrawTransparentTriangles
HUD_Frame
HUD_GetHullBounds
HUD_GetPlayerTeam
HUD_GetStudioModelInterface
HUD_GetUserEntity
HUD_Init
HUD_Key_Event
HUD_PlayerMove
HUD_PlayerMoveInit
HUD_PlayerMoveTexture
HUD_PostRunCmd
HUD_ProcessPlayerState
HUD_Redraw
HUD_Reset
HUD_Shutdown
HUD_StudioEvent
HUD_TempEntUpdate
HUD_TxferLocalOverrides
HUD_TxferPredictionData
HUD_UpdateClientData
HUD_VidInit
HUD_VoiceStatus
IN_Accumulate
IN_ActivateMouse
IN_ClearStates
IN_DeactivateMouse
IN_MouseEvent
Initialize
KB_Find
V_CalcRefdef
weapon_ak47
weapon_aug
weapon_awp
weapon_c4
weapon_deagle
weapon_elite
weapon_famas
weapon_fiveseven
weapon_flashbang
weapon_g3sg1
weapon_galil
weapon_glock18
weapon_hegrenade
weapon_knife
weapon_m249
weapon_m3
weapon_m4a1
weapon_mac10
weapon_mp5navy
weapon_p228
weapon_p90
weapon_scout
weapon_sg550
weapon_sg552
weapon_smokegrenade
weapon_tmp
weapon_ump45
weapon_usp
weapon_xm1014

Sections

.text
Size: 780KB - Virtual size: 777KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 120KB - Virtual size: 117KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 68KB - Virtual size: 404KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 92KB - Virtual size: 89KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
hl/cstrike/cl_dlls/client.dylib
.dylib macos arch:x86
hl/cstrike/cl_dlls/client.so
.elf linux x86
steam.exe
.exe windows:5 windows x64 arch:x64

bae3d3e8262d7ce7e9ee69cc1b630d3a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

user32

GetWindowThreadProcessId
ShowWindow

kernel32

GetModuleFileNameW
CreateSymbolicLinkW
GetProcAddress
GetCommandLineW
GetEnvironmentVariableW
SetEnvironmentVariableW
ExpandEnvironmentStringsW
CreateDirectoryW
GetTempPathW
WaitForSingleObject
Sleep
GetExitCodeProcess
CreateProcessW
SetDllDirectoryW
FreeLibrary
LoadLibraryExW
SetConsoleCtrlHandler
FindClose
FindFirstFileExW
CloseHandle
GetCurrentProcess
GetCurrentProcessId
LocalFree
FormatMessageW
MultiByteToWideChar
WideCharToMultiByte
GetConsoleWindow
HeapSize
GetLastError
WriteConsoleW
SetEndOfFile
GetStartupInfoW
TlsSetValue
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetModuleHandleW
RtlUnwindEx
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsFree
EncodePointer
RaiseException
RtlPcToFileHeader
GetCommandLineA
CreateFileW
GetDriveTypeW
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetFullPathNameW
RemoveDirectoryW
FindNextFileW
SetStdHandle
DeleteFileW
ReadFile
GetStdHandle
WriteFile
ExitProcess
GetModuleHandleExW
HeapFree
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetConsoleOutputCP
GetFileSizeEx
HeapAlloc
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
CompareStringW
LCMapStringW
GetCurrentDirectoryW
FlushFileBuffers
HeapReAlloc
GetFileAttributesExW
GetStringTypeW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
GetTimeZoneInformation

advapi32

ConvertSidToStringSidW
GetTokenInformation
OpenProcessToken
ConvertStringSecurityDescriptorToSecurityDescriptorW

Sections

.text
Size: 167KB - Virtual size: 167KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 74KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
hs.pyc

Sharing

General

Malware Config

Signatures

Files

56b7ad3681dd4acc7965dc329d0eccc6

Code Sign

05:4f:46:6c:ec:cb:e9:d6:be:e8:1f:54:35:e6:4d:47Certificate

Extended Key Usages

Key Usages

03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66Certificate

Extended Key Usages

Key Usages

06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1bCertificate

Extended Key Usages

Key Usages

3b:34:2f:26:35:c2:4f:f8:20:cb:66:e2:60:64:6d:cf:ea:a4:02:c8Signer

Headers

File Characteristics

Imports

kernel32

wsock32

Exports

Exports

Sections

.text Size: 192KB - Virtual size: 189KB

.rdata Size: 16KB - Virtual size: 12KB

.data Size: 44KB - Virtual size: 76KB

.reloc Size: 12KB - Virtual size: 9KB

cda9a24d0ec183721b985f721181e560

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:edCertificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4aCertificate

Key Usages

47:a9:38:ed:c7:ae:ac:8d:c7:1d:cb:b4:b4:f6:11:f8Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

f6:d5:e7:a5:50:27:92:93:70:c3:94:34:ac:05:e9:af:0d:85:99:23Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

msvcrt

avcodec-53

avutil-51

Exports

Exports

Sections

.text Size: 135KB - Virtual size: 135KB

.data Size: 26KB - Virtual size: 26KB

.rdata Size: 512B - Virtual size: 96B

/4 Size: 512B - Virtual size: 368B

.bss Size: - Virtual size: 2KB

.edata Size: 8KB - Virtual size: 7KB

.idata Size: 4KB - Virtual size: 3KB

.CRT Size: 512B - Virtual size: 24B

.tls Size: 512B - Virtual size: 32B

.reloc Size: 3KB - Virtual size: 3KB

3a6114cd3ede40570f8b050de94ed48d

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

05:4f:46:6c:ec:cb:e9:d6:be:e8:1f:54:35:e6:4d:47Certificate

Extended Key Usages

Key Usages

4f:b8:34:d9:e6:22:3a:03:a1:14:98:e4:5d:0f:fb:4c:f7:74:26:35Signer

Headers

05:4f:46:6c:ec:cb:e9:d6:be:e8:1f:54:35:e6:4d:47
Certificate

03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
Certificate

06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1b
Certificate

3b:34:2f:26:35:c2:4f:f8:20:cb:66:e2:60:64:6d:cf:ea:a4:02:c8
Signer

.text
Size: 192KB - Virtual size: 189KB

.rdata
Size: 16KB - Virtual size: 12KB

.data
Size: 44KB - Virtual size: 76KB

.reloc
Size: 12KB - Virtual size: 9KB

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Certificate

47:a9:38:ed:c7:ae:ac:8d:c7:1d:cb:b4:b4:f6:11:f8
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

f6:d5:e7:a5:50:27:92:93:70:c3:94:34:ac:05:e9:af:0d:85:99:23
Signer

.text
Size: 135KB - Virtual size: 135KB

.data
Size: 26KB - Virtual size: 26KB

.rdata
Size: 512B - Virtual size: 96B

/4
Size: 512B - Virtual size: 368B

.bss
Size: - Virtual size: 2KB

.edata
Size: 8KB - Virtual size: 7KB

.idata
Size: 4KB - Virtual size: 3KB

.CRT
Size: 512B - Virtual size: 24B

.tls
Size: 512B - Virtual size: 32B

.reloc
Size: 3KB - Virtual size: 3KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

05:4f:46:6c:ec:cb:e9:d6:be:e8:1f:54:35:e6:4d:47
Certificate

4f:b8:34:d9:e6:22:3a:03:a1:14:98:e4:5d:0f:fb:4c:f7:74:26:35
Signer

.text
Size: 780KB - Virtual size: 777KB

.rdata
Size: 120KB - Virtual size: 117KB

.data
Size: 68KB - Virtual size: 404KB

.reloc
Size: 92KB - Virtual size: 89KB

.text
Size: 167KB - Virtual size: 167KB

.rdata
Size: 74KB - Virtual size: 74KB

.data
Size: 3KB - Virtual size: 12KB

.pdata
Size: 9KB - Virtual size: 8KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 2KB - Virtual size: 1KB