36969e94a3f5cd7ea0e29fe72733205c

Sharing

Copy URL Twitter E-mail

General

Target

36969e94a3f5cd7ea0e29fe72733205c
Size

1.7MB
MD5

36969e94a3f5cd7ea0e29fe72733205c
SHA1

6f73fe35c3cfbf445ae444ea98f07c63a4138e95
SHA256

06d368adb5856035417804fe77b3c9dd98c7c6f446feb4c65c2f7ca2d38f1c02
SHA512

04ca1c7da1b2e3ae54af666eaf21a7d62a05a624b55e57089c63472e317fc7864434aecdcb62ee4fc7e0e39a9b956bea4ab76877e65f7b827340586cc64ac6bb
SSDEEP

49152:UPz96mfBRYXLwZqYrsOyq4gqkfnQ57vv719T6wgiClJJXjTLAz:sfBRYbi5sJVonQ5jv719T6zi0vX7Az

Score

3^/10

Malware Config

Signatures

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/SCopArch.dll
unpack001/SmdVB01.dll
unpack001/SmdVF01.dll
unpack001/strapnt.sys

Files

36969e94a3f5cd7ea0e29fe72733205c
.zip
SCopArch.dll
.dll windows:4 windows x86 arch:x86

27f24455b0c9986abe23905a01c99f6d

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

kernel32

CloseHandle
CreateFileA
CreateFileW
DeleteFileA
ExitProcess
FreeEnvironmentStringsA
FreeLibrary
GetACP
GetCPInfo
GetCurrentThreadId
GetEnvironmentStrings
GetFileAttributesA
GetFileAttributesW
GetFileType
GetLastError
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetStringTypeW
GetVersion
GetVersionExA
GlobalMemoryStatus
HeapAlloc
HeapFree
LoadLibraryA
RaiseException
ReadFile
RtlUnwind
SetConsoleCtrlHandler
SetFileAttributesA
SetFilePointer
SetHandleCount
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
VirtualAlloc
VirtualFree
WriteFile

user32

EnumThreadWindows
MessageBoxA
wsprintfA

unrar

ord4
ord2
ord7
ord5

Exports

Exports

@@Cab@Finalize
@@Cab@Initialize
@@Rar@Finalize
@@Rar@Initialize
ArchiveCompress
ArchiveDecompress
ArchiveDelete
CheckArchiveType
___CPPdebugHook

Sections

.text
Size: 36KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.edata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
SmdHL01.dll
SmdVB01.dll
.dll windows:4 windows x86 arch:x86

c6f8c3764d69a654166447e7c4c1c611

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

RegCloseKey
RegOpenKeyExA
RegQueryValueExA

kernel32

CloseHandle
CompareStringA
CreateEventA
CreateFileA
DeleteCriticalSection
DeviceIoControl
EnterCriticalSection
EnumCalendarInfoA
ExitProcess
FindClose
FindFirstFileA
FreeEnvironmentStringsA
FreeLibrary
GetACP
GetCPInfo
GetCommandLineA
GetCurrentThreadId
GetDiskFreeSpaceA
GetEnvironmentStrings
GetFileSize
GetFileType
GetLastError
GetLocalTime
GetLocaleInfoA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetStringTypeExA
GetStringTypeW
GetThreadLocale
GetVersion
GetVersionExA
HeapAlloc
HeapFree
InitializeCriticalSection
InterlockedDecrement
InterlockedIncrement
LCMapStringA
LeaveCriticalSection
LoadLibraryA
LoadLibraryExA
LocalAlloc
LocalFree
MultiByteToWideChar
RaiseException
ReadFile
ResetEvent
RtlUnwind
SetConsoleCtrlHandler
SetEndOfFile
SetEvent
SetFilePointer
SetHandleCount
SetLastError
Sleep
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
VirtualAlloc
VirtualFree
VirtualQuery
WaitForSingleObject
WideCharToMultiByte
WriteFile
lstrcpynA
lstrlenA

user32

CharNextA
EnumThreadWindows
GetKeyboardType
GetSystemMetrics
LoadStringA
MessageBoxA
wsprintfA

oleaut32

SafeArrayCreate
SafeArrayGetElement
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayPtrOfIndex
SafeArrayPutElement
SafeArrayRedim
SysAllocStringLen
SysFreeString
SysReAllocStringLen
VarBoolFromStr
VarBstrFromBool
VarBstrFromCy
VarBstrFromDate
VarCyFromStr
VarDateFromStr
VarI4FromStr
VarNeg
VarNot
VarR8FromStr
VariantChangeTypeEx
VariantClear
VariantCopy
VariantCopyInd
VariantInit

Exports

Exports

@@Bootvacc@Finalize
@@Bootvacc@Initialize
GetSmdVBVersion
ScanBoot
___CPPdebugHook

Sections

.text
Size: 131KB - Virtual size: 132KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 18KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.edata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
SmdVF01.dat
SmdVF01.dll
.dll windows:4 windows x86 arch:x86

bdc48da20daa2af467d390959ce1487b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

AdjustTokenPrivileges
AllocateAndInitializeSid
FreeSid
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegFlushKey
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
SetEntriesInAclA
SetNamedSecurityInfoA

kernel32

CloseHandle
CompareStringA
CopyFileA
CreateDirectoryA
CreateEventA
CreateFileA
DeleteCriticalSection
DeleteFileA
EnterCriticalSection
EnumCalendarInfoA
ExitProcess
FileTimeToDosDateTime
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FormatMessageA
FreeEnvironmentStringsA
FreeLibrary
GetACP
GetCPInfo
GetCommandLineA
GetCurrentDirectoryA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDateFormatA
GetDiskFreeSpaceA
GetDriveTypeA
GetEnvironmentStrings
GetFileAttributesA
GetFileSize
GetFileType
GetFullPathNameA
GetLastError
GetLocalTime
GetLocaleInfoA
GetLogicalDrives
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetPrivateProfileStringA
GetProcAddress
GetProcessHeap
GetShortPathNameA
GetStartupInfoA
GetStdHandle
GetStringTypeExA
GetStringTypeW
GetSystemDirectoryA
GetTempFileNameA
GetTempPathA
GetThreadLocale
GetTimeZoneInformation
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalAlloc
GlobalFree
GlobalHandle
GlobalLock
GlobalReAlloc
GlobalUnlock
HeapAlloc
HeapFree
InitializeCriticalSection
InterlockedDecrement
InterlockedIncrement
LCMapStringA
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadLibraryExA
LocalAlloc
LocalFree
MoveFileA
MoveFileExA
MultiByteToWideChar
OpenProcess
RaiseException
ReadFile
RemoveDirectoryA
ResetEvent
RtlUnwind
SetConsoleCtrlHandler
SetEndOfFile
SetEvent
SetFileAttributesA
SetFilePointer
SetHandleCount
SetLastError
Sleep
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
VirtualAlloc
VirtualFree
VirtualQuery
WaitForSingleObject
WideCharToMultiByte
WriteFile
WritePrivateProfileStringA
lstrcpyA
lstrcpynA
lstrlenA

user32

CharNextA
CharUpperBuffA
EnumThreadWindows
GetKeyboardType
GetSystemMetrics
LoadStringA
MessageBoxA
wsprintfA

ole32

CoInitialize
CoUninitialize
StgOpenStorage

oleaut32

SafeArrayCreate
SafeArrayGetElement
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayPtrOfIndex
SafeArrayPutElement
SafeArrayRedim
SysAllocStringLen
SysFreeString
SysReAllocStringLen
VarBoolFromStr
VarBstrFromBool
VarBstrFromCy
VarBstrFromDate
VarCyFromStr
VarDateFromStr
VarI4FromStr
VarNeg
VarNot
VarR8FromStr
VariantChangeTypeEx
VariantClear
VariantCopy
VariantCopyInd
VariantInit

dzip32

ord1

dunzip32

ord1

Exports

Exports

@@Archvacc@Finalize
@@Archvacc@Initialize
@@Emailvacc@Finalize
@@Emailvacc@Initialize
@@Encodevacc@Finalize
@@Encodevacc@Initialize
@@Filevacc@Finalize
@@Filevacc@Initialize
@@Miscfunctions@Finalize
@@Miscfunctions@Initialize
@@Oedbx@Finalize
@@Oedbx@Initialize
@@Olevacc@Finalize
@@Olevacc@Initialize
@@Scriptvacc@Finalize
@@Scriptvacc@Initialize
@@Siglogic@Finalize
@@Siglogic@Initialize
@@Zipvacc@Finalize
@@Zipvacc@Initialize
DoInitVirusAction
GetSmdVFVersion
ScanMail
ScanScript
SetAppVersion
SetFileFlags
SetFlags
TFile
___CPPdebugHook

Sections

.text
Size: 620KB - Virtual size: 624KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 363KB - Virtual size: 384KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.edata
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 51KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
strap.vxd
strapnt.sys
.sys windows:6 windows x86 arch:x86

14c5cec31dc4117d3dc968f1a58327d3

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

ExQueueWorkItem
IofCallDriver
IofCompleteRequest
_wcsnset
ZwClose
ObfDereferenceObject
IoAttachDeviceByPointer
IoCreateDevice
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
ZwCreateFile
RtlInitUnicodeString
IoDeleteDevice
IoDetachDevice
ZwWriteFile
ZwOpenFile
PsCreateSystemThread
KeWaitForSingleObject
KeSetEvent
IoDeleteSymbolicLink
ProbeForWrite
memcpy
MmMapLockedPages
IoCreateSymbolicLink
ZwReadFile
strncmp
_stricmp
ExFreePoolWithTag
RtlQueryRegistryValues
ExAllocatePoolWithTag
RtlAppendUnicodeStringToString
RtlCopyUnicodeString
swprintf
RtlFreeAnsiString
_strnicmp
RtlUnicodeStringToAnsiString
wcsrchr
wcsncmp
PsTerminateSystemThread
KeCancelTimer
KeWaitForMultipleObjects
KeSetTimerEx
KeInitializeTimerEx
strstr
_strupr
wcsstr
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
IoUnregisterPlugPlayNotification
wcsncat
_wcsnicmp
wcschr
towupper
ExAllocatePool
RtlVolumeDeviceToDosName
ObfReferenceObject
IoGetDeviceObjectPointer
IoRegisterPlugPlayNotification
IoFileObjectType
KeTickCount
KeBugCheckEx
wcsncpy
memset
KeGetCurrentThread
DbgPrint
ZwQueryInformationFile
KeInitializeEvent
ExFreePool
MmUnmapLockedPages
MmBuildMdlForNonPagedPool
MmCreateMdl
KeServiceDescriptorTable
RtlUnwind

hal

KfReleaseSpinLock
ExAcquireFastMutex
ExReleaseFastMutex
KeGetCurrentIrql
KfAcquireSpinLock

Sections

.text
Size: 78KB - Virtual size: 78KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1000B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
strapvista.sys
.sys windows:6 windows x86 arch:x86

d4aa57616a6a137655f85bb95a50f2f3

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

01/05/2012, 00:00

Not After

31/12/2012, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G3,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1b:81:e7:96:2f:15:1f:d0:c7:1e:19:06:87:3b:af:51
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

25/04/2012, 00:00

Not After

25/04/2013, 23:59

Subject

CN=AvSoft Technologies,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=AvSoft,O=AvSoft Technologies,L=New Delhi,ST=Delhi,C=IN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

4c:c7:57:db:3a:f9:8a:e5:89:c6:e7:b7:88:28:96:9b:50:b5:41:cc
Signer

Actual PE Digest

4c:c7:57:db:3a:f9:8a:e5:89:c6:e7:b7:88:28:96:9b:50:b5:41:cc

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

IoVolumeDeviceToDosName
KeAreAllApcsDisabled
RtlAppendUnicodeStringToString
RtlCopyUnicodeString
wcsncmp
ExFreePoolWithTag
RtlCompareMemory
ExAllocatePoolWithTag
ZwClose
ObReferenceObjectByHandle
PsCreateSystemThread
ObfDereferenceObject
KeWaitForSingleObject
KeSetEvent
RtlFreeAnsiString
_strnicmp
RtlUnicodeStringToAnsiString
strncpy
wcsrchr
_stricmp
memcpy
KeCancelTimer
KeWaitForMultipleObjects
KeSetTimerEx
KeInitializeTimerEx
ZwQueryInformationFile
ZwOpenFile
strncmp
RtlQueryRegistryValues
ZwReadFile
strstr
_strupr
_wcsicmp
wcsncpy
_wcsnicmp
KeTickCount
KeBugCheckEx
RtlUnwind
memset
KeGetCurrentThread
KeInitializeEvent
IofCompleteRequest
RtlInitUnicodeString
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
PsTerminateSystemThread
DbgPrint

hal

ExReleaseFastMutex
KeGetCurrentIrql
ExAcquireFastMutex

fltmgr.sys

FltClose
FltCancelFileOpen
FltRegisterFilter
FltStartFiltering
FltUnregisterFilter
FltCreateFile

Sections

.text
Size: 132KB - Virtual size: 131KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
strapvista64.sys
.sys windows:6 windows x64 arch:x64

b3ee4649d48f0368e1bbd0a046f24e1e

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

01/05/2012, 00:00

Not After

31/12/2012, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G3,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1b:81:e7:96:2f:15:1f:d0:c7:1e:19:06:87:3b:af:51
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

25/04/2012, 00:00

Not After

25/04/2013, 23:59

Subject

CN=AvSoft Technologies,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=AvSoft,O=AvSoft Technologies,L=New Delhi,ST=Delhi,C=IN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

e6:ee:13:4c:26:12:ae:2f:b6:5f:cf:eb:e6:c1:11:31:40:15:ed:9e
Signer

Actual PE Digest

e6:ee:13:4c:26:12:ae:2f:b6:5f:cf:eb:e6:c1:11:31:40:15:ed:9e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

RtlCopyUnicodeString
ObfDereferenceObject
IoCreateDevice
IoVolumeDeviceToDosName
wcsncmp
PsCreateSystemThread
ExAllocatePoolWithTag
DbgPrint
KeAreAllApcsDisabled
IoDeleteSymbolicLink
ZwClose
ExFreePoolWithTag
ExReleaseFastMutex
RtlAppendUnicodeStringToString
IofCompleteRequest
ExAcquireFastMutex
ObReferenceObjectByHandle
RtlFreeAnsiString
ZwOpenFile
KeInitializeTimerEx
KeCancelTimer
KeInitializeEvent
KeWaitForMultipleObjects
_stricmp
_strnicmp
RtlUnicodeStringToAnsiString
KeSetTimerEx
strncpy
wcsrchr
PsTerminateSystemThread
strncmp
RtlQueryRegistryValues
ZwReadFile
strstr
_strupr
_wcsicmp
_wcsnicmp
wcsncpy
KeBugCheckEx
IoCreateSymbolicLink
KeSetEvent
IoDeleteDevice
RtlCompareMemory
RtlInitUnicodeString
ZwQueryInformationFile
KeWaitForSingleObject
__C_specific_handler

fltmgr.sys

FltCreateFile
FltStartFiltering
FltRegisterFilter
FltUnregisterFilter
FltCancelFileOpen
FltClose

Sections

.text
Size: 151KB - Virtual size: 150KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 84B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

27f24455b0c9986abe23905a01c99f6d

Headers

File Characteristics

Imports

kernel32

user32

unrar

Exports

Exports

Sections

.text Size: 36KB - Virtual size: 40KB

.data Size: 9KB - Virtual size: 12KB

.tls Size: 512B - Virtual size: 4KB

.idata Size: 1KB - Virtual size: 4KB

.edata Size: 512B - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 4KB

.reloc Size: 2KB - Virtual size: 4KB

c6f8c3764d69a654166447e7c4c1c611

Headers

File Characteristics

Imports

advapi32

kernel32

user32

oleaut32

Exports

Exports

Sections

.text Size: 131KB - Virtual size: 132KB

.data Size: 18KB - Virtual size: 36KB

.tls Size: 512B - Virtual size: 4KB

.idata Size: 2KB - Virtual size: 4KB

.edata Size: 512B - Virtual size: 4KB

.rsrc Size: 4KB - Virtual size: 4KB

.reloc Size: 9KB - Virtual size: 12KB

bdc48da20daa2af467d390959ce1487b

Headers

File Characteristics

Imports

advapi32

kernel32

user32

ole32

oleaut32

dzip32

dunzip32

Exports

Exports

Sections

.text Size: 620KB - Virtual size: 624KB

.data Size: 363KB - Virtual size: 384KB

.tls Size: 512B - Virtual size: 4KB

.idata Size: 4KB - Virtual size: 4KB

.edata Size: 1024B - Virtual size: 4KB

.rsrc Size: 6KB - Virtual size: 8KB

.reloc Size: 51KB - Virtual size: 52KB

14c5cec31dc4117d3dc968f1a58327d3

Headers

File Characteristics

Imports

ntoskrnl.exe

hal

Sections

.text Size: 78KB - Virtual size: 78KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 3KB - Virtual size: 3KB

INIT Size: 2KB - Virtual size: 2KB

.rsrc Size: 1024B - Virtual size: 1000B

.reloc Size: 3KB - Virtual size: 3KB

d4aa57616a6a137655f85bb95a50f2f3

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:edCertificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

.text
Size: 36KB - Virtual size: 40KB

.data
Size: 9KB - Virtual size: 12KB

.tls
Size: 512B - Virtual size: 4KB

.idata
Size: 1KB - Virtual size: 4KB

.edata
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

.reloc
Size: 2KB - Virtual size: 4KB

.text
Size: 131KB - Virtual size: 132KB

.data
Size: 18KB - Virtual size: 36KB

.tls
Size: 512B - Virtual size: 4KB

.idata
Size: 2KB - Virtual size: 4KB

.edata
Size: 512B - Virtual size: 4KB

.rsrc
Size: 4KB - Virtual size: 4KB

.reloc
Size: 9KB - Virtual size: 12KB

.text
Size: 620KB - Virtual size: 624KB

.data
Size: 363KB - Virtual size: 384KB

.tls
Size: 512B - Virtual size: 4KB

.idata
Size: 4KB - Virtual size: 4KB

.edata
Size: 1024B - Virtual size: 4KB

.rsrc
Size: 6KB - Virtual size: 8KB

.reloc
Size: 51KB - Virtual size: 52KB

.text
Size: 78KB - Virtual size: 78KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 3KB - Virtual size: 3KB

INIT
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 1024B - Virtual size: 1000B

.reloc
Size: 3KB - Virtual size: 3KB

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

1b:81:e7:96:2f:15:1f:d0:c7:1e:19:06:87:3b:af:51
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

4c:c7:57:db:3a:f9:8a:e5:89:c6:e7:b7:88:28:96:9b:50:b5:41:cc
Signer

.text
Size: 132KB - Virtual size: 131KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 1KB - Virtual size: 2KB

INIT
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 1024B - Virtual size: 896B

.reloc
Size: 4KB - Virtual size: 4KB

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

1b:81:e7:96:2f:15:1f:d0:c7:1e:19:06:87:3b:af:51
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

e6:ee:13:4c:26:12:ae:2f:b6:5f:cf:eb:e6:c1:11:31:40:15:ed:9e
Signer

.text
Size: 151KB - Virtual size: 150KB

.rdata
Size: 3KB - Virtual size: 2KB

.data
Size: 1KB - Virtual size: 3KB

.pdata
Size: 2KB - Virtual size: 1KB

INIT
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 1024B - Virtual size: 896B

.reloc
Size: 512B - Virtual size: 84B