Static task: static1
Behavioral task: behavioral1
  Sample: 49ff427410a4033e45f388c9e3e81311.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 49ff427410a4033e45f388c9e3e81311.exe
  Resource: win10v2004-20231215-en
General
Target: 49ff427410a4033e45f388c9e3e81311
Size: 334KB
MD5: 49ff427410a4033e45f388c9e3e81311
SHA1: e994788cd4ccf2057aece023cef91dcac3e5082c
SHA256: eb09e0baf2d465d84c5d80c4e22cbcb8d4223786451120840fe26fdaf56fa4eb
SHA512: ec984a46925c7a3c475e2f725fa18949ed944d8f40e00124d6c4cb5e0dc4bb06260c489df348a33c89848f620a7869c59b5a0f9046afe8fcb2e13051a22cabb9
SSDEEP: 6144:Ra7K3Xcol7EcPGcsWeXI5XuiWuPLBJGIEFVTffjQvGoSOlOtfJ:g4XcA7EKCHXOhKIYj6d58J
Malware Config
Signatures
Unsigned PE (1 IoC): Checks for missing Authenticode signature.
  resource: 49ff427410a4033e45f388c9e3e81311
Files
49ff427410a4033e45f388c9e3e81311.exe  windows:5 windows x86 arch:x86
d2740c31b95ee77d4a621135f2f8fded
Headers
DLL Characteristics: IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics: IMAGE_FILE_RELOCS_STRIPPED, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE
Imports
ntdll
NtTraceEvent
wcstombs
RtlEqualPrefixSid
RtlGetFullPathName_U
_wcslwr
RtlInitUnicodeString
wcstoul
RtlImageNtHeader
NtOpenObjectAuditAlarm
NtAccessCheckAndAuditAlarm
RtlCreateSecurityDescriptor
NtClose
wcsstr
RtlGetDaclSecurityDescriptor
NtDeleteKey
NtRestoreKey
RtlAddAccessDeniedObjectAce
RtlUnicodeStringToInteger
RtlSubAuthoritySid
strncpy
RtlFreeAnsiString
RtlCreateAcl
RtlGetGroupSecurityDescriptor
NtSetSecurityObject
NtNotifyChangeMultipleKeys
RtlSetSecurityObjectEx
RtlDestroyHandleTable
NtQueryVirtualMemory
RtlUnicodeToMultiByteN
RtlImpersonateSelf
RtlNewSecurityObjectWithMultipleInheritance
NtReplaceKey
RtlSetOwnerSecurityDescriptor
RtlCopySid
_chkstk
RtlGetOwnerSecurityDescriptor
RtlSetControlSecurityDescriptor
RtlEqualUnicodeString
NtReleaseSemaphore
RtlIsTextUnicode
RtlUpcaseUnicodeStringToOemString
RtlInitializeGenericTable
RtlAllocateHandle
NtDuplicateToken
RtlOemStringToUnicodeString
wcstol
RtlAddAccessAllowedObjectAce
memmove
RtlAnsiStringToUnicodeString
NtAllocateLocallyUniqueId
wcslen
NtAllocateVirtualMemory
RtlCreateQueryDebugBuffer
RtlReAllocateHeap
RtlCreateHeap
NtWaitForSingleObject
NtPrivilegedServiceAuditAlarm
NtOpenFile
RtlxAnsiStringToUnicodeSize
RtlSetInformationAcl
wcscat
NtAccessCheck
NtSaveKey
_vsnwprintf
_itow
RtlGetSecurityDescriptorRMControl
RtlAllocateHeap
RtlFirstFreeAce
RtlAddAccessAllowedAceEx
mbstowcs
_ftol
NtAdjustGroupsToken
RtlDeleteAce
NtSetInformationProcess
NtAccessCheckByType
RtlMultiByteToUnicodeN
NtDuplicateObject
NtSetInformationThread
NtQueryPerformanceCounter
RtlPrefixUnicodeString
_strnicmp
RtlDeleteSecurityObject
DbgPrint
RtlFlushSecureMemoryCache
NtQuerySecurityObject
wcschr
RtlLengthSid
RtlValidSecurityDescriptor
RtlSetSecurityObject
RtlAddAccessDeniedAce
RtlLeaveCriticalSection
RtlRandom
NtCreateSemaphore
RtlAbsoluteToSelfRelativeSD
RtlNtStatusToDosError
RtlValidRelativeSecurityDescriptor
NtQuerySymbolicLinkObject
RtlDeleteCriticalSection
NtSaveMergedKeys
swprintf
RtlUnwind
RtlOpenCurrentUser
RtlSelfRelativeToAbsoluteSD2
NtOpenKey
RtlStringFromGUID
NtDeleteValueKey
RtlQueryRegistryValues
RtlNewSecurityObjectEx
RtlFreeSid
RtlIntegerToUnicodeString
NtPrivilegeCheck
_snwprintf
RtlInsertElementGenericTable
RtlFormatCurrentUserKeyPath
RtlAddAccessAllowedAce
_wcsicmp
RtlDestroyQueryDebugBuffer
NtQueryKey
_alloca_probe
NtOpenProcess
RtlAppendUnicodeToString
wcscmp
RtlGUIDFromString
RtlxUnicodeStringToAnsiSize
NtTerminateProcess
NtPrivilegeObjectAuditAlarm
RtlInitString
NtEnumerateKey
NtCreateDirectoryObject
NtFreeVirtualMemory
RtlIsValidIndexHandle
NtQueryInformationToken
NtAccessCheckByTypeResultListAndAuditAlarm
RtlConvertSidToUnicodeString
RtlFreeUnicodeString
RtlEqualSid
RtlAreAnyAccessesGranted
NtQueryInformationProcess
_stricmp
RtlInitUnicodeStringEx
wcsrchr
NtOpenProcessToken
NtEnumerateValueKey
RtlQueryInformationAcl
RtlIsGenericTableEmpty
RtlConvertToAutoInheritSecurityObject
NtSetValueKey
RtlMapGenericMask
NtSetEvent
RtlUpcaseUnicodeChar
RtlGetNtProductType
RtlSetDaclSecurityDescriptor
NtUnloadKey
wcsncmp
RtlLookupElementGenericTable
NtFsControlFile
strstr
RtlDetermineDosPathNameType_U
NtAccessCheckByTypeResultListAndAuditAlarmByHandle
RtlCreateUnicodeString
RtlDosPathNameToNtPathName_U
RtlEnumerateGenericTableWithoutSplaying
RtlFreeHeap
NtFlushKey
NtQueryValueKey
NtDeleteObjectAuditAlarm
RtlGetControlSecurityDescriptor
NtSetInformationObject
atol
RtlAddAccessDeniedAceEx
RtlGetAce
RtlInitializeSid
NtQueryMultipleValueKey
NtNotifyChangeKey
RtlCompareUnicodeString
RtlCopyLuid
RtlSubAuthorityCountSid
RtlInitializeCriticalSection
RtlUnicodeStringToAnsiString
NtSetInformationFile
NtOpenSymbolicLinkObject
NtLoadKey
wcscpy
NtQueryInformationThread
NtAccessCheckByTypeResultList
RtlTimeToSecondsSince1970
NtImpersonateAnonymousToken
NtAdjustPrivilegesToken
RtlCompareMemory
NtWriteFile
NtWaitForMultipleObjects
RtlInitializeHandleTable
RtlAllocateAndInitializeSid
RtlValidSid
RtlUnicodeToMultiByteSize
NtCreateEvent
RtlAdjustPrivilege
RtlCopyUnicodeString
RtlLengthSecurityDescriptor
RtlQueryProcessDebugInformation
RtlLengthRequiredSid
_wcsnicmp
RtlNewSecurityObject
RtlExpandEnvironmentStrings_U
RtlGetSaclSecurityDescriptor
NtPowerInformation
_ultow
RtlCreateUnicodeStringFromAsciiz
NtFlushBuffersFile
RtlSelfRelativeToAbsoluteSD
NtFilterToken
RtlAddAuditAccessObjectAce
NtQuerySystemTime
RtlInitAnsiString
NlsMbCodePageTag
RtlNumberGenericTableElements
NtClearEvent
wcsncpy
sprintf
NtSetInformationToken
RtlAddAce
NtAccessCheckByTypeAndAuditAlarm
NtQuerySystemInformation
RtlSetGroupSecurityDescriptor
RtlDeleteElementGenericTable
NtCreateKey
RtlMakeSelfRelativeSD
RtlQuerySecurityObject
NtQueryInformationFile
RtlAreAllAccessesGranted
NtCloseObjectAuditAlarm
RtlSetSecurityDescriptorRMControl
RtlIdentifierAuthoritySid
RtlFreeHandle
RtlEnterCriticalSection
NtSaveKeyEx
tolower
NtOpenThreadToken
NtCompareTokens
NtDeviceIoControlFile
RtlDestroyHeap
strchr
NtQueryVolumeInformationFile
RtlSetSaclSecurityDescriptor
RtlAppendUnicodeStringToString
RtlAddAuditAccessAceEx
NtReadFile
iswctype
RtlAddAuditAccessAce
RtlGetVersion
RtlDuplicateUnicodeString
RtlValidAcl
NtCreateFile
kernel32
CreateFileW
GetSystemDirectoryW
LocalAlloc
GetSystemInfo
InterlockedDecrement
_lclose
MoveFileW
LocalReAlloc
MultiByteToWideChar
WritePrivateProfileStringW
WaitNamedPipeW
SetUnhandledExceptionFilter
lstrcpyA
GetModuleHandleExW
ResumeThread
GetSystemWindowsDirectoryW
OpenEventW
GetLastError
InterlockedExchangeAdd
ReadFile
GetVersionExA
SetLastError
LocalFree
GetFileSize
GetFileAttributesW
OutputDebugStringW
SetThreadPriority
GetCurrentThreadId
CreateFileMappingA
CreateEventW
SleepEx
LoadLibraryW
SetErrorMode
GetComputerNameA
CompareFileTime
CancelIo
GetFileSizeEx
UnhandledExceptionFilter
InitializeCriticalSection
GetLongPathNameW
LoadLibraryA
GetCurrentProcess
lstrlenW
FindClose
RaiseException
FindFirstFileW
OpenProcess
UnmapViewOfFile
GetCurrentThread
FormatMessageW
CreateMutexW
ExpandEnvironmentStringsW
FindResourceExW
lstrlenA
GetPrivateProfileStringW
GlobalMemoryStatus
GetComputerNameW
lstrcmpiW
GetFullPathNameW
SetNamedPipeHandleState
GetVolumeInformationW
DelayLoadFailureHook
CreateFileA
GetFileTime
lstrcpyW
CloseHandle
DeleteCriticalSection
ResetEvent
SetFilePointer
HeapFree
GetDiskFreeSpaceExW
HeapAlloc
WideCharToMultiByte
VirtualAlloc
lstrcpynW
Sleep
FindFirstFileExW
FreeLibrary
WriteFile
GetCommandLineW
EnterCriticalSection
MapViewOfFile
ExpandEnvironmentStringsA
GetProcessHeap
lstrcatW
LoadLibraryExW
GetCurrentProcessId
VirtualFree
GetLogicalDriveStringsW
GetProfileIntA
ExitThread
GetWindowsDirectoryW
GetModuleFileNameW
GetSystemTimeAsFileTime
EnumUILanguagesW
GetModuleHandleA
SetEvent
GetLocalTime
GetComputerNameExW
CreateThread
WaitForMultipleObjectsEx
ReleaseMutex
GetProcAddress
GetTimeZoneInformation
ReadProcessMemory
GetModuleHandleW
GetTickCount
GetOverlappedResult
CreateEventA
InterlockedExchange
LoadResource
GetProfileStringA
FindNextFileW
WaitForSingleObject
OpenFile
CreateProcessInternalW
GetSystemTime
GetFullPathNameA
LeaveCriticalSection
CopyFileW
DeleteFileW
GetDriveTypeW
InterlockedCompareExchange
CreateProcessInternalA
FindResourceA
GetUserDefaultUILanguage
SearchPathW
GetPrivateProfileIntW
InterlockedIncrement
AreFileApisANSI
DeviceIoControl
GetFileAttributesExW
OpenMutexW
TerminateProcess
SizeofResource
lstrcmpW
GetDiskFreeSpaceW
DuplicateHandle
GetPriorityClass
IsBadWritePtr
QueryPerformanceCounter
CreateFileMappingW
rpcrt4
RpcEpResolveBinding
RpcBindingSetAuthInfoA
RpcBindingSetAuthInfoExW
RpcBindingFree
I_RpcExceptionFilter
I_RpcMapWin32Status
RpcRevertToSelf
RpcSsDestroyClientContext
RpcStringFreeW
I_RpcBindingIsClientLocal
UuidCreate
RpcBindingSetAuthInfoExA
RpcBindingSetAuthInfoW
NdrClientCall2
RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcRaiseException
UuidFromStringW
RpcImpersonateClient
RpcBindingToStringBindingW
UuidToStringW
RpcStringBindingParseW
NDRCContextBinding
Sections
.text   Size: 261KB  Virtual size: 261KB  Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   Size: 15KB   Virtual size: 14KB   Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   Size: 3KB    Virtual size: 7.1MB  Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata  Size: 52KB   Virtual size: 52KB   Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    Size: 512B   Virtual size: 4KB    Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE