20c4d7282008b80d75b15154c06bbf49

Sharing

Copy URL Twitter E-mail

General

Target

20c4d7282008b80d75b15154c06bbf49
Size

532KB
MD5

20c4d7282008b80d75b15154c06bbf49
SHA1

f9fbbd3f402636ce4b2cb4ce54a6d6fd24a1e56b
SHA256

107343b19e6fdb38842d66f7f079cf41b21dc38dd41329bd8f61db2994b5747f
SHA512

9af5565e1c19f8275fe3052c7cb86a3dcc6417556c7d740ab7400650a0c45ab4257c9c5675cdb00ea75aa6b1e8ec53acb2fa2f3c5cecfbb4b8be326f71ea6648
SSDEEP

12288:r5fZQgCnQD9Ts7P5Mcp7YJeqgxDWbdjMNwbn9y6sY:kQD9TIP5MceJcxcYw

Score

1^/10

Malware Config

Signatures

Files

20c4d7282008b80d75b15154c06bbf49
.exe windows:4 windows x86 arch:x86

cf66198838134ae35981e469302a86fe

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

71:70:bd:93:cf:3f:18:9a:e6:45:2b:51:4c:49:34:0e
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

17/01/2013, 00:00

Not After

16/02/2016, 23:59

Subject

CN=Tencent Technology(Shenzhen) Company Limited,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Tencent Technology(Shenzhen) Company Limited,L=shenzhen,ST=guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

cd:59:65:bc:ae:72:33:7f:ad:9f:af:83:a6:15:59:82:a4:54:e3:2c
Signer

Actual PE Digest

cd:59:65:bc:ae:72:33:7f:ad:9f:af:83:a6:15:59:82:a4:54:e3:2c

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

dbghelp

SymCleanup
SymGetModuleInfoW
SymLoadModule
SymInitialize
SymSetOptions

wininet

InternetCloseHandle
InternetOpenUrlA
InternetReadFile
HttpSendRequestA
HttpOpenRequestA
InternetConnectA
InternetOpenA

psapi

GetModuleFileNameExW
GetModuleFileNameExA

comctl32

ImageList_ReplaceIcon
InitCommonControlsEx
ImageList_Create

tinyxml

??1TiXmlDocument@@UAE@XZ
?Print@TiXmlDocument@@UBEXPAU_iobuf@@H@Z
?Parse@TiXmlDocument@@UAEPBDPBDPAVTiXmlParsingData@@W4TiXmlEncoding@@@Z
?ToDocument@TiXmlDocument@@UAEPAV1@XZ
?ToDocument@TiXmlDocument@@UBEPBV1@XZ
?ToElement@TiXmlNode@@UAEPAVTiXmlElement@@XZ
?ToComment@TiXmlNode@@UAEPAVTiXmlComment@@XZ
?ToComment@TiXmlNode@@UBEPBVTiXmlComment@@XZ
?GetText@TiXmlElement@@QBEPBDXZ
?NextSiblingElement@TiXmlNode@@QAEPAVTiXmlElement@@XZ
?Value@TiXmlNode@@QBEPBDXZ
?ToUnknown@TiXmlNode@@UAEPAVTiXmlUnknown@@XZ
?ToUnknown@TiXmlNode@@UBEPBVTiXmlUnknown@@XZ
?ToText@TiXmlNode@@UAEPAVTiXmlText@@XZ
??0TiXmlDocument@@QAE@XZ
?ToText@TiXmlNode@@UBEPBVTiXmlText@@XZ
?ToDeclaration@TiXmlNode@@UAEPAVTiXmlDeclaration@@XZ
?RootElement@TiXmlDocument@@QAEPAVTiXmlElement@@XZ
?ToDeclaration@TiXmlNode@@UBEPBVTiXmlDeclaration@@XZ
?Clone@TiXmlDocument@@MBEPAVTiXmlNode@@XZ
?FirstChildElement@TiXmlNode@@QAEPAVTiXmlElement@@XZ
?Accept@TiXmlDocument@@UBE_NPAVTiXmlVisitor@@@Z
?Attribute@TiXmlElement@@QBEPBDPBD@Z
?LoadFile@TiXmlDocument@@QAE_NPB_WW4TiXmlEncoding@@@Z
?ToElement@TiXmlNode@@UBEPBVTiXmlElement@@XZ

kernel32

GetACP
GetVersionExA
GetThreadLocale
InterlockedCompareExchange
HeapReAlloc
HeapSize
GetLocaleInfoA
InterlockedExchange
GetStartupInfoW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapDestroy
DeviceIoControl
SetFileAttributesW
GetSystemTimeAsFileTime
GetProcessTimes
QueryPerformanceCounter
EnterCriticalSection
LeaveCriticalSection
GetCommandLineW
InitializeCriticalSection
MoveFileW
VirtualQuery
VirtualFree
VirtualAlloc
GetModuleHandleW
HeapAlloc
GetProcessHeap
VirtualProtect
CloseHandle
HeapFree
GetTickCount
SetCurrentDirectoryW
OpenThread
SizeofResource
FreeLibrary
ReadProcessMemory
LockResource
WriteProcessMemory
LoadResource
FindResourceExW
CreateThread
FindResourceW
OpenProcess
GetLastError
WideCharToMultiByte
lstrlenW
lstrcatW
DeleteFileW
CopyFileW
VirtualQueryEx
LoadLibraryW
FindFirstFileW
CreateFileA
GetExitCodeProcess
FindNextFileW
TerminateProcess
FindClose
SetEvent
lstrcpyW
WaitForSingleObject
CreateProcessW
Sleep
GlobalAlloc
GlobalLock
GlobalUnlock
MultiByteToWideChar
IsDBCSLeadByte
InterlockedIncrement
InterlockedDecrement
GlobalFree
FileTimeToSystemTime
GetTimeZoneInformation
SystemTimeToTzSpecificLocalTime
ResumeThread
FreeResource
CreateEventW
GetFileAttributesW
CreateFileW
GetProcAddress
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
WriteFile
DeleteCriticalSection
RaiseException
GetVersionExW
ReadFile
SetFilePointer
GetFileSize
GetModuleFileNameW
GetPrivateProfileSectionW
GetPrivateProfileIntW
GetTempPathW
WritePrivateProfileStringW
CreateDirectoryW
GetSystemDefaultLCID
GetThreadSelectorEntry
GetCurrentProcessId
GetCurrentThreadId
GetCurrentProcess

user32

GetClassInfoExW
DefWindowProcW
IsWindow
DestroyMenu
TrackPopupMenu
GetWindowThreadProcessId
CreatePopupMenu
GetGuiResources
ReleaseDC
EnableMenuItem
CloseClipboard
GetMenuItemID
SetClipboardData
GetMenuItemCount
EmptyClipboard
OpenClipboard
RegisterClipboardFormatW
RegisterClassExW
GetWindowTextW
SendDlgItemMessageW
GetWindowTextLengthW
SetTimer
InvalidateRect
MapDialogRect
GetWindowRect
MapWindowPoints
CallWindowProcW
DrawTextW
GetDC
SetWindowLongW
EndPaint
ClientToScreen
KillTimer
BeginPaint
GetSysColorBrush
DialogBoxParamW
SetDlgItemTextW
GetWindow
GetKeyState
GetDesktopWindow
PostMessageW
EndDialog
DrawIconEx
GetDlgItem
GetClientRect
ShowWindow
LoadImageW
SetWindowPos
SetWindowTextW
SendMessageW
LoadIconW
CreateWindowExW
DestroyWindow
UnregisterClassA
EnableWindow
GetSystemMenu

gdi32

SelectObject
GetStockObject
SetTextColor
DeleteObject
CreateFontW
SetBkMode

advapi32

RegQueryValueExW
RegCloseKey
RegDeleteValueW
RegOpenKeyExW
RegCreateKeyExW
RegSetValueExW

shell32

ord155
SHBindToParent
SHGetDesktopFolder
SHGetFileInfoW
ShellExecuteW
SHGetSpecialFolderPathW
ShellExecuteExW

ole32

CreateStreamOnHGlobal
DoDragDrop
OleUninitialize
OleInitialize

oleaut32

SysFreeString
SysAllocStringByteLen
SysStringByteLen
SysAllocString
SysStringLen

gdiplus

GdipDeleteGraphics
GdipGetPropertyItem
GdipGetPropertyItemSize
GdipImageGetFrameCount
GdipAlloc
GdipFree
GdiplusShutdown
GdiplusStartup
GdipDrawImageRectI
GdipGetImageHeight
GdipGetImageWidth
GdipImageGetFrameDimensionsList
GdipCreateFromHDC
GdipDisposeImage
GdipCloneImage
GdipImageSelectActiveFrame
GdipLoadImageFromStreamICM
GdipImageGetFrameDimensionsCount

shlwapi

PathFileExistsW

msvcp80

??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
?npos@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@2IB
?substr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE?AV12@II@Z
??$?M_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@0@Z
?rfind@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEI_WI@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
?reserve@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDI@Z
??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z
?resize@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXI@Z
??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAA_WI@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ID@Z
??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?clear@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@_W@Z
?reserve@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXI@Z
?clear@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXXZ
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z

msvcr80

_invalid_parameter_noinfo
memcpy
memset
malloc
vsprintf_s
_vscprintf
swscanf
wcsncmp
vswprintf_s
__wargv
__argc
_vscwprintf
_mbscmp
free
wcschr
srand
wcslen
memcpy_s
_purecall
memmove_s
??3@YAXPAX@Z
strlen
_time32
_mbsstr
_snprintf
_mbslwr_s
??0exception@std@@QAE@XZ
??_V@YAXPAX@Z
??2@YAPAXI@Z
??0exception@std@@QAE@ABQBD@Z
wcscmp
??0exception@std@@QAE@ABV01@@Z
wcsrchr
_wcslwr_s
??1exception@std@@UAE@XZ
?what@exception@std@@UBEPBDXZ
iswspace
_wcsicmp
memcmp
strcmp
strtoul
fprintf
wcscpy
wcscat
_wfopen
fseek
ftell
_lock
fwrite
_encode_pointer
__dllonexit
_unlock
fclose
_beginthreadex
wcsstr
towlower
isspace
_onexit
strncpy_s
tolower
sprintf_s
isalnum
_wtoi
wcsncpy
_time64
memmove
iswalnum
iswalpha
iswdigit
fread
wcscat_s
wcscpy_s
_gmtime32
_snwprintf
_decode_pointer
?terminate@@YAXXZ
_amsg_exit
__wgetmainargs
_cexit
_exit
_XcptFilter
exit
_wcmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler4_common
_crt_debugger_hook
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_invoke_watson
_controlfp_s
_mbsicmp
_mbschr
strncmp
strchr
__CxxFrameHandler3
strrchr
atoi
_CxxThrowException

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationW

crypt32

CertGetNameStringW

wintrust

WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
WTHelperGetProvCertFromChain
WinVerifyTrust

iphlpapi

GetAdaptersAddresses
GetAdaptersInfo

netapi32

Netbios

Sections

.text
Size: 144KB - Virtual size: 141KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 64KB - Virtual size: 63KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 64KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Hq;
Size: 244KB - Virtual size: 244KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

cf66198838134ae35981e469302a86fe

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fdCertificate

Extended Key Usages

Key Usages

71:70:bd:93:cf:3f:18:9a:e6:45:2b:51:4c:49:34:0eCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

cd:59:65:bc:ae:72:33:7f:ad:9f:af:83:a6:15:59:82:a4:54:e3:2cSigner

Headers

DLL Characteristics

File Characteristics

Imports

version

dbghelp

wininet

psapi

comctl32

tinyxml

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

gdiplus

shlwapi

msvcp80

msvcr80

wtsapi32

crypt32

wintrust

iphlpapi

netapi32

Sections

.text Size: 144KB - Virtual size: 141KB

.rdata Size: 64KB - Virtual size: 63KB

.data Size: 4KB - Virtual size: 4KB

.rsrc Size: 64KB - Virtual size: 62KB

Hq; Size: 244KB - Virtual size: 244KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

71:70:bd:93:cf:3f:18:9a:e6:45:2b:51:4c:49:34:0e
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

cd:59:65:bc:ae:72:33:7f:ad:9f:af:83:a6:15:59:82:a4:54:e3:2c
Signer

.text
Size: 144KB - Virtual size: 141KB

.rdata
Size: 64KB - Virtual size: 63KB

.data
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 64KB - Virtual size: 62KB

Hq;
Size: 244KB - Virtual size: 244KB