4276df63c182fa92ca4cd2cf0de34b41

Sharing

Copy URL Twitter E-mail

General

Target

4276df63c182fa92ca4cd2cf0de34b41
Size

123KB
MD5

4276df63c182fa92ca4cd2cf0de34b41
SHA1

7be16a0baa9fe545e24faa447a5eed54f39d735d
SHA256

47e2795727878bd799d966e53d192509020da1b63d96c88d0b0b060f74e286b6
SHA512

8dc485f1bf229907679ab88c97c3c30f1f73369b2d464cf388c660f0cbf9938ebf1d32ea5c179807487195eb7b86850f7eb30931d041bd7f5a5a5f0b2fae475e
SSDEEP

3072:+EnFpbaesipHmV31L+VNkpLaORer/mdGp5HUnHS:++XbRsipmVcwpuOM6E5Huy

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/360safee.exe
unpack001/iexplore.exe

Files

4276df63c182fa92ca4cd2cf0de34b41
.rar
1.vbs
.vbs
360safee.exe
.exe windows:4 windows x86 arch:x86

22036ea6bc43d69448132c93dca60efa

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

_CIcos
_adj_fptan
__vbaFreeVar
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
_adj_fdiv_m16i
_adj_fdivr_m16i
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
__vbaVarTstEq
DllFunctionCall
_adj_fpatan
EVENT_SINK_Release
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
_adj_fprem
_adj_fdivr_m64
__vbaFPException
ord717
_CIlog
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord100
__vbaI4Var
__vbaStrToAnsi
__vbaVarCopy
_CIatan
__vbaStrMove
ord619
_allmul
__vbaLenVarB
_CItan
_CIexp
__vbaFreeStr
__vbaFreeObj

Sections

.text
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
QQ`.exe
.exe windows:4 windows x86 arch:x86

020cb2add5cdf3806de794648de8d665

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7b:92:ae:b3:83:26:5c:7c:64:53:bd:92:a0:40:a0:20
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/02/2009, 00:00

Not After

15/02/2010, 23:59

Subject

CN=Tencent Technology(Shenzhen) Company Limited,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Tencent,O=Tencent Technology(Shenzhen) Company Limited,L=Shenzhen,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

d4:47:97:58:18:63:51:d4:c4:d9:01:ec:98:69:65:d9:44:81:b3:4d
Signer

Actual PE Digest

d4:47:97:58:18:63:51:d4:c4:d9:01:ec:98:69:65:d9:44:81:b3:4d

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

comctl32

InitCommonControlsEx

common

?DelIdleCallback@Window@Util@@YAJPAVVTXMsgLoopIdleCallback@@@Z
??ICTXBSTR@@QAEPAPA_WXZ
?GetMemoryUsage@Sys@Util@@YAXAAK0@Z
?GetLength@CTXStringW@@QBEHXZ
?SetIdleCallback@TXTimer@@YAHPAUITXIdleCallback@@I@Z
?AddIdleCallback@Window@Util@@YAJPAVVTXMsgLoopIdleCallback@@@Z
??4CTXStringW@@QAEAAV0@PB_W@Z
?DoFormat@CFmtString@@QAEPB_WPB_W@Z
?Append@CTXStringW@@QAEXPB_W@Z
??H@YA?AVCTXStringW@@ABV0@0@Z
??0CTXStringW@@QAE@ABV0@@Z
?IsEmpty@CTXStringW@@QBE_NXZ
??H@YA?AVCTXStringW@@PB_WABV0@@Z
ord25
?Stop@TXBugMonitor@@YAHXZ
?RecordTransEnd@Perf@Util@@YAJ_JPB_WH11H@Z
?OnExitCoreCenter@Misc@Util@@YAXXZ
?GetPlatformCore@Core@Util@@YAHPAPAUITXCore@@@Z
??8@YA_NABVCTXStringW@@PB_W@Z
?SetTimeout@TXTimer@@YAHIPAUITXTimerCallback@@I@Z
?MinimzeMemory@Sys@Util@@YAXXZ
?InitPlatformFileSystem@Boot@Util@@YAHXZ
?InitPlatformI18NConfig@Boot@Util@@YAHXZ
?AddFmtString@TXStringBundle@@YAXABVCFmtString@@@Z
?InitBugReport@TXBugReport@@YAXPB_W000GGKHHKKP6G?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAUtagBugReportInfo@1@PBD20PAX@Z@Z
?GetSession@TXLog@@YAKXZ
?GetLCID@NLS@@YAKXZ
?ValidateBugReport@TXBugReport@@YAXXZ
?CreateObjectFromDllFile@Com@Util@@YGJPB_WABU_GUID@@1PAPAXPAUIUnknown@@@Z
?InitNetwork@Network@Util@@YAHXZ
?InitPlatform@CoreCenter@Util@@YAHPA_W@Z
?InitPlatformCoreConfig@Boot@Util@@YAHXZ
?InitPlatformGFConfig@Boot@Util@@YAHXZ
??0CTXStringW@@QAE@PB_W@Z
?NotifyIdle@TXTimer@@YAXXZ
??1CTXStringW@@QAE@XZ
??0CTXBSTR@@QAE@XZ
??YCTXStringW@@QAEAAV0@PB_W@Z
??1CTXBSTR@@QAE@XZ
??4CTXStringW@@QAEAAV0@ABV0@@Z
?NotifyIdle@Window@Util@@YAJXZ
ord37
??0CTXBSTR@@QAE@PB_W@Z
??0CTXBSTR@@QAE@ABVCTXStringW@@@Z
??YCTXStringW@@QAEAAV0@ABV0@@Z
??BCTXBSTR@@QBEPA_WXZ
?ReverseFind@CTXStringW@@QBEH_W@Z
?LoadStringW@TXStringBundle@@YAPB_WPB_W@Z
?Left@CTXStringW@@QBE?AV1@H@Z
?ReleaseBuffer@CTXStringW@@QAEXH@Z
??H@YA?AVCTXStringW@@ABV0@PB_W@Z
?GetBSTR@CTXStringW@@QBEPA_WXZ
?Format@CTXStringW@@QAAXPB_WZZ
??0CTXStringW@@QAE@PA_W@Z
?GetParentDir@FS@Util@@YA?AVCTXStringW@@V3@@Z
??BCTXStringW@@QBEPB_WXZ
?CheckVistaAndStartSelfMediumLevel@Sys@Util@@YAHXZ
?TrimLeft@CTXStringW@@QAEAAV1@XZ
?GetBuffer@CTXStringW@@QAEPA_WH@Z
?Find@CTXStringW@@QBEHPB_WH@Z
??0CTXStringW@@QAE@XZ
?OnUninitCom@Misc@Util@@YAXXZ
?Find@CTXStringW@@QBEH_WH@Z
?OnExitWinMain@Misc@Util@@YAXXZ

kernelutil

?GetBuildVer@Version@@YAKXZ
?GetVersionExW@Version@@YAXAAUtagVersionInfo@1@@Z
?GetProgramBinDir@Sys@Util@@YA?AVCTXStringW@@V3@@Z
?GetUserDataSaveSetting@Sys@Util@@YA?AVCTXStringW@@AAKAAV3@@Z
?GetProgramRootDir@Sys@Util@@YA?AVCTXStringW@@XZ
?GetMajorVer@Version@@YAEXZ
?GetMinorVer@Version@@YAEXZ
?GetGlobalSysDir@Sys@Util@@YA?AVCTXStringW@@XZ
?Init@Version@@YAHXZ

gf

?SetCustomObjectFactory@GF@Util@@YAXP6AHABU_GUID@@0PAPAX@Z@Z

apputil

?SetEnablePreload@Misc@Util@@YAXH@Z
?GetEnablePreload@Misc@Util@@YAHXZ
?SetPerfReportDataForWord@PerfDataReportUtil@@YAXPA_WKH@Z
?SetPerfReportDataForBool@PerfDataReportUtil@@YAXPA_WH@Z

kernel32

CreateMutexW
GetCurrentProcessId
DeleteCriticalSection
LoadLibraryW
CreateEventW
GetProcAddress
SetThreadPriority
FreeLibrary
GetCurrentProcess
InterlockedDecrement
QueryPerformanceCounter
CreateProcessW
GetVersionExW
Sleep
GetTickCount
OpenEventW
WaitForSingleObject
SetEvent
CloseHandle
GetProcessTimes
GetSystemTimeAsFileTime
DeleteFileA
lstrcpynA
WriteProcessMemory
LoadLibraryA
GetModuleFileNameA
GetDriveTypeW
GetModuleFileNameW
InterlockedIncrement
GetCurrentThreadId
SetEnvironmentVariableW
GetEnvironmentVariableW
GlobalMemoryStatus
QueryPerformanceFrequency
GetSystemInfo
InitializeCriticalSection
GetModuleHandleW
CreateThread
OpenMutexW
InterlockedExchange
InterlockedCompareExchange
GetStartupInfoW
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCurrentThread
lstrlenW

user32

WaitMessage
PostThreadMessageW
MessageBoxW
PeekMessageW
TranslateMessage
DispatchMessageW

advapi32

RegQueryValueExW
RegCloseKey
RegSetValueExW
RegOpenKeyExW
RegCreateKeyExW

ole32

OleUninitialize
OleInitialize
CLSIDFromProgID
CoInitialize
CoCreateInstance
CoUninitialize

atl80

ord32
ord64
ord30

msvcp80

??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??$?M_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@0@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z

msvcr80

_initterm_e
_configthreadlocale
_wcmdln
__setusermatherr
_adjust_fdiv
__p__commode
exit
_XcptFilter
_exit
_cexit
__wgetmainargs
_amsg_exit
?terminate@@YAXXZ
__p__fmode
__set_app_type
_except_handler4_common
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_crt_debugger_hook
_invoke_watson
_controlfp_s
__CxxFrameHandler3
_initterm
??3@YAXPAX@Z
??2@YAPAXI@Z
??_V@YAXPAX@Z
_invalid_parameter_noinfo
??0exception@std@@QAE@ABV01@@Z
??1exception@std@@UAE@XZ
__argc
__wargv
wcsncmp
_time64
??0exception@std@@QAE@XZ
_wtoi
_CxxThrowException
memset
__CxxFrameHandler
_snprintf
memcpy
strlen
_mbsrchr
_unlock
__dllonexit
_encode_pointer
_lock
_onexit
_decode_pointer

Sections

.text
Size: 36KB - Virtual size: 32KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 68KB - Virtual size: 65KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
iexplore.exe
.exe windows:5 windows x86 arch:x86

b06090332cc8fb8aeb9b846fdd7ff33c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

_except_handler3

kernel32

UnhandledExceptionFilter
GetCommandLineA
lstrlenW
MultiByteToWideChar
CreateEventA
GetCurrentThreadId
lstrcatA
lstrlenA
lstrcmpiA
lstrcpyA
GetModuleFileNameA
FreeLibrary
GetProcAddress
LoadLibraryA
GetVersionExA
UnmapViewOfFile
CloseHandle
ReleaseMutex
SetEvent
WaitForSingleObject
CreateProcessA
lstrcpynA
GetCurrentProcessId
DuplicateHandle
GetCurrentProcess
CreateMutexA
MapViewOfFile
CreateFileMappingA
WaitForMultipleObjects
GetModuleFileNameW
OpenProcess
GetLastError
SetUnhandledExceptionFilter
LocalFree
LocalAlloc
GetModuleHandleA
ExitThread
GetStartupInfoA
SetErrorMode
TerminateProcess
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime

user32

GetShellWindow
GetClassNameA
SendMessageA
PeekMessageA
MsgWaitForMultipleObjects
DestroyWindow
TranslateMessage
DispatchMessageA
LoadStringA
DefWindowProcA
RegisterClassA
CreateMenu
CreateWindowExA
ShowWindow
GetForegroundWindow
wsprintfA

shlwapi

SHGetValueA
ord243
ord276
ord437
ord376
ord80
ord185
SHRegGetBoolUSValueA
PathRemoveFileSpecA
PathAppendA
PathQuoteSpacesA
StrCpyNW
wnsprintfA
PathFindFileNameA
StrStrIA
ord241

shdocvw

ord101
ord158

Exports

Exports

DllGetLCID

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 156B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 82KB - Virtual size: 81KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

22036ea6bc43d69448132c93dca60efa

Headers

File Characteristics

Imports

msvbvm60

Sections

.text Size: 8KB - Virtual size: 6KB

.data Size: 4KB - Virtual size: 2KB

.rsrc Size: 4KB - Virtual size: 2KB

020cb2add5cdf3806de794648de8d665

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

7b:92:ae:b3:83:26:5c:7c:64:53:bd:92:a0:40:a0:20Certificate

Extended Key Usages

Key Usages

d4:47:97:58:18:63:51:d4:c4:d9:01:ec:98:69:65:d9:44:81:b3:4dSigner

Headers

File Characteristics

Imports

comctl32

common

kernelutil

gf

apputil

kernel32

user32

advapi32

ole32

atl80

msvcp80

msvcr80

Sections

.text Size: 36KB - Virtual size: 32KB

.rdata Size: 20KB - Virtual size: 17KB

.data Size: 8KB - Virtual size: 10KB

.rsrc Size: 68KB - Virtual size: 65KB

b06090332cc8fb8aeb9b846fdd7ff33c

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

kernel32

user32

shlwapi

shdocvw

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 7KB

.data Size: 512B - Virtual size: 156B

.rsrc Size: 82KB - Virtual size: 81KB

.text
Size: 8KB - Virtual size: 6KB

.data
Size: 4KB - Virtual size: 2KB

.rsrc
Size: 4KB - Virtual size: 2KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

7b:92:ae:b3:83:26:5c:7c:64:53:bd:92:a0:40:a0:20
Certificate

d4:47:97:58:18:63:51:d4:c4:d9:01:ec:98:69:65:d9:44:81:b3:4d
Signer

.text
Size: 36KB - Virtual size: 32KB

.rdata
Size: 20KB - Virtual size: 17KB

.data
Size: 8KB - Virtual size: 10KB

.rsrc
Size: 68KB - Virtual size: 65KB

.text
Size: 7KB - Virtual size: 7KB

.data
Size: 512B - Virtual size: 156B

.rsrc
Size: 82KB - Virtual size: 81KB