01d4f4d394e98932480d981c06516c17

Sharing

Copy URL Twitter E-mail

General

Target

01d4f4d394e98932480d981c06516c17
Size

132KB
MD5

01d4f4d394e98932480d981c06516c17
SHA1

5e043dce8f65c539c0244efc020ab19b09e06530
SHA256

73b7ccfb4f4cf8be28573e567504924d4f3338b8214e783f53c5be41346e08d2
SHA512

71b560063633cb46584e08b41948a1de59c9f9611a701144e21c8288069407e73e9702995a06d493c0d950972b72590547a0559ce373af14f4f6f07eee122c09
SSDEEP

3072:LQXW/rC0MiPjgVoqCtICI7IuBLEZUGslIhzghLN2swhsTS13hiM+eSN7:LQXWD2iPBNte7RBLEq0hRsw6TS13hiMq

Score

3^/10

Malware Config

Signatures

Unsigned PE 9 IoCs

Checks for missing Authenticode signature.

resource
unpack001/rcon/Client.exe
unpack001/rcon/QHSock.dll
unpack001/rcon/Server.exe
unpack001/rcon/Setup.exe
unpack001/rcon/c1.dll
unpack001/rcon/c2.dll
unpack001/rcon/s1.dll
unpack001/rcon/s2.dll
unpack001/rcon/sc.dll

Files

01d4f4d394e98932480d981c06516c17
.rar
rcon/Client.exe
.exe windows:4 windows x86 arch:x86

667825a77659da8263280624c3197230

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mfc42

ord4353
ord5280
ord3798
ord4837
ord4441
ord2648
ord2055
ord6376
ord3749
ord5065
ord1727
ord5261
ord2446
ord2124
ord5277
ord2982
ord3147
ord3259
ord4465
ord3136
ord3262
ord2985
ord3081
ord2976
ord3830
ord3831
ord3825
ord3079
ord4080
ord4627
ord4425
ord3597
ord800
ord641
ord860
ord540
ord324
ord825
ord2370
ord4234
ord6334
ord3092
ord6199
ord4710
ord4673
ord4274
ord6375
ord4486
ord2554
ord2512
ord5731
ord3922
ord1089
ord5199
ord2396
ord3346
ord5300
ord5302
ord2725
ord4079
ord4698
ord5307
ord5289
ord5714
ord4622
ord6374
ord3738
ord561
ord815
ord693
ord686
ord808
ord2621
ord1134
ord2582
ord4402
ord3370
ord3640
ord6055
ord1776
ord5290
ord3396
ord3731
ord1146
ord1168
ord384
ord567
ord2302
ord665
ord2862
ord2096
ord1979
ord5442
ord3318
ord5186
ord354
ord2379
ord755
ord470
ord4220
ord2584
ord3654
ord6215
ord2438
ord6270
ord2863
ord1644
ord6385
ord6007
ord3998
ord616
ord1200
ord6907
ord3286
ord4299
ord795
ord3663
ord2289
ord2411
ord2023
ord4218
ord2578
ord4398
ord3402
ord3582
ord2298
ord2363
ord2301
ord2642
ord2818
ord3721
ord5163
ord2385
ord5241
ord4407
ord1775
ord4078
ord6052
ord2514
ord4998
ord4853
ord4376
ord4424
ord5265
ord1576

msvcrt

__p__fmode
__set_app_type
_except_handler3
_controlfp
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
_onexit
__dllonexit
strrchr
_setmbcp
_strupr
__CxxFrameHandler
__p__commode

kernel32

GetModuleFileNameA
CloseHandle
CreateProcessA
GetPrivateProfileStringA
WritePrivateProfileStringA
GetModuleHandleA
GetStartupInfoA
GetSystemDirectoryA
GetLastError
CreateMutexA

user32

GetCursorPos
ModifyMenuA
GetSubMenu
LoadMenuA
SetForegroundWindow
DeleteMenu
SetTimer
KillTimer
GetSystemMetrics
GetClientRect
BringWindowToTop
DrawIcon
SendMessageA
EnableWindow
LoadIconA
IsIconic

shell32

ShellExecuteExA
ShellExecuteA

comctl32

ImageList_ReplaceIcon

c1

ord2
ord1
ord7

Sections

.text
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
rcon/QHSock.dll
.dll windows:4 windows x86 arch:x86

afa85db6b7595bdb6440c08817ec17b9

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

OutputDebugStringA
GetLastError
CreateThread
CloseHandle
WaitForSingleObject
Sleep
GetStringTypeA
LCMapStringW
LCMapStringA
MultiByteToWideChar
LoadLibraryA
GetProcAddress
GetOEMCP
GetACP
GetCPInfo
HeapReAlloc
VirtualAlloc
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
WriteFile
VirtualFree
HeapCreate
HeapDestroy
GetEnvironmentStringsW
GetEnvironmentStrings
WideCharToMultiByte
FreeEnvironmentStringsW
FreeEnvironmentStringsA
GetModuleFileNameA
DeleteCriticalSection
GetStartupInfoA
GetFileType
GetStdHandle
SetHandleCount
TlsGetValue
GetCommandLineA
GetVersion
HeapFree
RtlUnwind
HeapAlloc
ExitProcess
TerminateProcess
GetCurrentProcess
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
SetLastError
GetStringTypeW

user32

GetMessageA
PeekMessageA
PostThreadMessageA
MessageBoxA

ws2_32

sendto
inet_ntoa
shutdown
closesocket
WSACloseEvent
htons
htonl
socket
WSAGetLastError
setsockopt
bind
send
WSACreateEvent
WSAEventSelect
gethostname
gethostbyname
connect
recv
recvfrom
ntohl
WSAWaitForMultipleEvents
WSAEnumNetworkEvents
WSAStartup
WSACleanup
select
ioctlsocket
accept
ntohs
listen

Exports

Exports

??0CQHSock@@QAE@ABV0@@Z
??0CQHSock@@QAE@XZ
??1CQHSock@@UAE@XZ
??4CQHSock@@QAEAAV0@ABV0@@Z
??_7CQHSock@@6B@
?Accept@CQHSock@@QAEKAAV1@@Z
?ChangeNetworkSpeed@CQHSock@@QAEKK@Z
?Close@CQHSock@@QAEXXZ
?Create@CQHSock@@QAEKAAUtagNET_PARAM@@@Z
?GetAddress@CQHSock@@SAKPAD@Z
?GetHostName@CQHSock@@SAHPADK@Z
?GetLocalAddress@CQHSock@@SAKPADK@Z
?GetLocalAddress@CQHSock@@SAKXZ
?MyAccept@CQHSock@@QAEKXZ
?SendBroadcast@CQHSock@@QAEKPAXK@Z
?SendData@CQHSock@@QAEHPAXKKKG@Z
?WriteToBuffer@CQHSock@@QAEKPAXH@Z

Sections

.text
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 912B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
rcon/Server.exe
.exe windows:4 windows x86 arch:x86

eb139f9661a918af0b922e44720f7fb0

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mfc42

ord2648
ord2055
ord6376
ord3749
ord5065
ord1727
ord5261
ord2446
ord2124
ord5277
ord2982
ord3147
ord3259
ord4465
ord3136
ord3262
ord2985
ord3081
ord2976
ord3830
ord3831
ord3825
ord3079
ord4080
ord4627
ord4425
ord3597
ord641
ord567
ord324
ord656
ord2302
ord4234
ord3092
ord6199
ord4710
ord4673
ord4274
ord6375
ord4486
ord2554
ord2512
ord5731
ord4441
ord1089
ord5199
ord2396
ord3346
ord5300
ord5302
ord2725
ord4079
ord4698
ord5307
ord5289
ord5714
ord4622
ord3738
ord561
ord815
ord2621
ord1134
ord800
ord1146
ord1168
ord860
ord540
ord2370
ord4160
ord2863
ord2379
ord4220
ord2584
ord3654
ord2438
ord6270
ord1644
ord1200
ord6215
ord6334
ord3663
ord2363
ord2301
ord2289
ord2642
ord2818
ord4837
ord3798
ord5280
ord4353
ord6374
ord5163
ord2385
ord5241
ord4407
ord1775
ord4078
ord6052
ord2514
ord4998
ord4853
ord4376
ord5265
ord3610
ord4424
ord3402
ord5290
ord1776
ord6055
ord3922
ord825
ord1576

msvcrt

__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
_setmbcp
_stricmp
__CxxFrameHandler
strrchr
__p___argv
__p___argc
sprintf
_except_handler3
?terminate@@YAXXZ
__dllonexit
_onexit
_exit
__getmainargs
_acmdln
exit
_XcptFilter
_controlfp

kernel32

GetStartupInfoA
GetModuleHandleA
CreateThread
WaitForSingleObject
CloseHandle
OutputDebugStringA
GetModuleFileNameA
WritePrivateProfileStringA
GetPrivateProfileStringA
GetPrivateProfileIntA

user32

GetSystemMenu
AppendMenuA
SendMessageA
PostMessageA
SetForegroundWindow
GetCursorPos
EnableWindow
LoadIconA
LoadMenuA
ModifyMenuA
GetSubMenu

advapi32

RegOpenKeyExA
RegCreateKeyA
RegSetValueExA
StartServiceCtrlDispatcherA
RegisterServiceCtrlHandlerA
SetServiceStatus
OpenServiceA
DeleteService
OpenSCManagerA
CreateServiceA
RegCloseKey
RegDeleteValueA
CloseServiceHandle

shell32

Shell_NotifyIconA

s2

ord3
ord1
ord2

qhsock

?GetLocalAddress@CQHSock@@SAKPADK@Z
??1CQHSock@@UAE@XZ

Exports

Exports

??0CQHSock@@QAE@ABV0@@Z
??4CQHSock@@QAEAAV0@ABV0@@Z
??_7CQHSock@@6B@

Sections

.text
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 932B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
rcon/Setup.exe
.exe windows:4 windows x86 arch:x86

65a4ba275c6a83fe0e5636434ca17e7a

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mfc42

ord6376
ord3749
ord5065
ord1727
ord5261
ord2446
ord2124
ord5277
ord2982
ord3147
ord3259
ord4465
ord3136
ord3262
ord2985
ord3081
ord2976
ord3830
ord3831
ord3825
ord3079
ord4080
ord4627
ord4425
ord3597
ord800
ord641
ord860
ord540
ord324
ord825
ord2365
ord2370
ord2301
ord4234
ord6334
ord2642
ord3092
ord6199
ord4710
ord4853
ord2055
ord4673
ord4274
ord6375
ord4486
ord2554
ord2512
ord5731
ord3922
ord1089
ord5199
ord2396
ord3346
ord5300
ord5302
ord2725
ord4079
ord4698
ord5307
ord5289
ord5714
ord4622
ord4424
ord3738
ord561
ord815
ord795
ord2621
ord6055
ord1776
ord5290
ord3402
ord3721
ord1146
ord1168
ord567
ord2302
ord2379
ord755
ord470
ord1200
ord2648
ord4441
ord4837
ord3798
ord5280
ord4353
ord6374
ord5163
ord2385
ord5241
ord4407
ord1775
ord4078
ord6052
ord2514
ord4998
ord4376
ord2818
ord5265
ord1576

msvcrt

_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
_setmbcp
__CxxFrameHandler
strrchr
sprintf
__dllonexit
_controlfp
_onexit
_exit
__getmainargs
_acmdln
exit
_XcptFilter

kernel32

GetStartupInfoA
GetModuleHandleA
GetLastError
FindFirstFileA
WritePrivateProfileStringA
GetModuleFileNameA
GetPrivateProfileIntA
GetPrivateProfileStringA

user32

IsIconic
GetClientRect
DrawIcon
SendMessageA
LoadIconA
EnableWindow
GetSystemMetrics

advapi32

CloseServiceHandle
QueryServiceStatus
ControlService
StartServiceA
OpenServiceA
DeleteService
OpenSCManagerA
CreateServiceA
ChangeServiceConfig2A

Sections

.text
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 956B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
rcon/c1.dll
.dll windows:4 windows x86 arch:x86

258c1c6bd0260978dde4244e8cf58ad9

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord4622
ord4424
ord3738
ord561
ord815
ord641
ord665
ord354
ord693
ord616
ord686
ord1200
ord4224
ord1979
ord6215
ord6199
ord2086
ord2864
ord6467
ord3953
ord5442
ord3318
ord5186
ord2411
ord2023
ord4218
ord2578
ord4398
ord3402
ord3582
ord2582
ord6055
ord1776
ord4402
ord5290
ord3370
ord3640
ord5265
ord4376
ord4853
ord4998
ord2514
ord6052
ord4078
ord1775
ord4407
ord5241
ord2385
ord5163
ord6374
ord4353
ord5280
ord3798
ord4837
ord4441
ord2648
ord2055
ord6376
ord3749
ord5065
ord1727
ord5261
ord2446
ord2124
ord5277
ord5300
ord4425
ord3597
ord4080
ord567
ord324
ord2302
ord4234
ord2642
ord2862
ord2096
ord3996
ord3092
ord1146
ord1168
ord4710
ord6907
ord3302
ord3998
ord823
ord4220
ord2584
ord3654
ord2438
ord6270
ord2863
ord1644
ord6007
ord2652
ord1669
ord3286
ord3663
ord3876
ord2379
ord4299
ord3610
ord656
ord4275
ord3721
ord795
ord755
ord6157
ord5873
ord2754
ord6172
ord470
ord6385
ord800
ord2515
ord355
ord1116
ord1176
ord1575
ord1577
ord1182
ord342
ord1243
ord1197
ord1570
ord1253
ord1255
ord1578
ord600
ord826
ord269
ord3346
ord2396
ord5199
ord1089
ord3922
ord5731
ord2512
ord3079
ord3825
ord3831
ord3830
ord2976
ord3081
ord2985
ord3262
ord3136
ord4465
ord3259
ord3147
ord2982
ord5714
ord5289
ord5307
ord4698
ord4079
ord2725
ord384
ord5302
ord2554
ord4486
ord6375
ord4274
ord4627
ord825

msvcrt

_stricmp
__CxxFrameHandler
strchr
sprintf
strrchr
_ftol
printf
_CIpow
_EH_prolog
_except_handler3
?terminate@@YAXXZ
__dllonexit
??1type_info@@UAE@XZ
malloc
_initterm
free
_onexit
_adjust_fdiv

kernel32

LocalFree
EnterCriticalSection
LeaveCriticalSection
WaitForSingleObject
DeleteCriticalSection
FindFirstFileA
FindNextFileA
FindClose
InitializeCriticalSection
GetDriveTypeA
Sleep
CreateDirectoryA
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
OutputDebugStringA
CreateThread
CloseHandle
LocalAlloc

user32

SetClipboardData
CloseClipboard
EmptyClipboard
OpenClipboard
PostMessageA
PostThreadMessageA
GetDC
FillRect
ReleaseDC
InvalidateRect
KillTimer
SetTimer
PeekMessageA
SendMessageA
LoadIconA
SetForegroundWindow
GetCursorPos
EnableMenuItem
ModifyMenuA
GetSubMenu
LoadMenuA
GetClientRect
GetDesktopWindow
EnableWindow
GetParent
DrawTextA

gdi32

DeleteDC
GetDIBits
SetTextColor
DeleteObject
SelectObject
CreateCompatibleBitmap
CreateCompatibleDC
CreateSolidBrush
TextOutA
StretchDIBits

shell32

ShellExecuteExA
SHGetSpecialFolderPathA

comctl32

ImageList_ReplaceIcon

qhsock

?SendData@CQHSock@@QAEHPAXKKKG@Z
?Close@CQHSock@@QAEXXZ
?Create@CQHSock@@QAEKAAUtagNET_PARAM@@@Z
?GetAddress@CQHSock@@SAKPAD@Z
??0CQHSock@@QAE@XZ
??1CQHSock@@UAE@XZ

c2

ord7
ord6
ord4
ord1
ord3
ord5
ord2

winmm

waveOutOpen
waveOutClose
waveOutReset
waveOutUnprepareHeader
waveOutPrepareHeader
waveOutWrite

Exports

Exports

??0CQHSock@@QAE@ABV0@@Z
??4CQHSock@@QAEAAV0@ABV0@@Z
??_7CQHSock@@6B@
C1_ConnectOpen
C1_FileTransferOpen
C1_MultiView
C1_SetControl
C1_SetFullScreen
C1_SetZoom
C1_ShowToolbar

Sections

.text
Size: 48KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 268KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
rcon/c2.dll
.dll windows:4 windows x86 arch:x86

c86838dc828cd1c8c94c7ff68b9bbef3

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord5300
ord5302
ord4079
ord4698
ord5307
ord5289
ord5714
ord2982
ord3147
ord3259
ord4465
ord3136
ord3262
ord2985
ord3081
ord2976
ord3830
ord3831
ord3825
ord3079
ord4080
ord4622
ord4424
ord3738
ord561
ord825
ord815
ord6199
ord6215
ord2086
ord2864
ord823
ord6467
ord3953
ord2725
ord6055
ord1776
ord5290
ord3402
ord3721
ord5265
ord4376
ord4853
ord4998
ord2514
ord6052
ord4078
ord1775
ord4407
ord5241
ord2385
ord5163
ord6374
ord4353
ord5280
ord3346
ord4837
ord2554
ord2648
ord2055
ord6376
ord3749
ord5065
ord1727
ord5261
ord2446
ord2124
ord5277
ord4627
ord4425
ord3597
ord795
ord641
ord540
ord567
ord324
ord800
ord2302
ord4234
ord860
ord1146
ord1168
ord4710
ord1768
ord6197
ord4284
ord1200
ord6128
ord755
ord6157
ord470
ord2379
ord4694
ord6129
ord5768
ord3754
ord5148
ord4809
ord941
ord2358
ord3092
ord1176
ord1575
ord1577
ord1182
ord342
ord1243
ord1197
ord1570
ord1253
ord1255
ord2396
ord5199
ord1089
ord3922
ord5731
ord3798
ord2512
ord1578
ord600
ord826
ord269
ord4486
ord6375
ord4441
ord4274
ord1116

msvcrt

_EH_prolog
__dllonexit
_onexit
free
_initterm
malloc
_adjust_fdiv
??1type_info@@UAE@XZ
__CxxFrameHandler

kernel32

LocalFree
GlobalLock
GlobalUnlock
GetCurrentThreadId
OutputDebugStringA
LocalAlloc

user32

GetParent
SetTimer
UnhookWindowsHookEx
EnableWindow
PostMessageA
GetDesktopWindow
GetForegroundWindow
SendMessageA
CallNextHookEx
KillTimer
AnimateWindow
InvalidateRect
GetSystemMetrics
GetWindowRect
GetClientRect
OpenClipboard
GetClipboardData
CloseClipboard
SetWindowsHookExA
LoadIconA

gdi32

SetDIBitsToDevice
PatBlt
StretchDIBits

Exports

Exports

C2_Create
C2_SetControl
C2_SetData
C2_SetFullScreen
C2_SetWindowText
C2_SetZoom
C2_ShowToolbar

Sections

.text
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
rcon/readme.txt
rcon/s1.dll
.dll windows:4 windows x86 arch:x86

e0914f609b19873defe993756df22a7b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord2512
ord5731
ord3922
ord1089
ord5199
ord2396
ord3346
ord5300
ord5302
ord2725
ord4079
ord4698
ord5307
ord5289
ord5714
ord3953
ord2982
ord3147
ord3259
ord4465
ord3136
ord3262
ord2985
ord2554
ord2976
ord3830
ord3831
ord3825
ord3079
ord4080
ord4622
ord4424
ord3738
ord561
ord825
ord815
ord823
ord1116
ord1176
ord1575
ord1168
ord1577
ord1182
ord342
ord1243
ord1197
ord1570
ord4486
ord6375
ord3081
ord4274
ord1253
ord1255
ord6467
ord1578
ord600
ord826
ord269

msvcrt

__CxxFrameHandler
_EH_prolog
__dllonexit
_onexit
free
_initterm
malloc
_adjust_fdiv
??1type_info@@UAE@XZ

kernel32

LocalFree
OutputDebugStringA
LocalAlloc

user32

GetSystemMetrics
mouse_event
SetCursorPos
keybd_event

sc

ord1
ord5
ord6
ord4
ord3
ord2

Exports

Exports

S1_GetScreenData
S1_NewStart
S1_SetControlData
S1_Start
S1_Stop

Sections

.text
Size: 20KB - Virtual size: 18KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 920B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 876B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
rcon/s2.dll
.dll windows:4 windows x86 arch:x86

4ac5555f334f4018829949bf8b2a51fd

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord4424
ord3738
ord561
ord815
ord354
ord665
ord1979
ord3318
ord5186
ord823
ord5442
ord1176
ord1575
ord4622
ord1577
ord1182
ord342
ord1243
ord1197
ord1570
ord1253
ord1255
ord6467
ord1578
ord600
ord826
ord269
ord4080
ord3079
ord3825
ord3831
ord3830
ord2976
ord3081
ord2985
ord3262
ord3136
ord4465
ord3259
ord3147
ord2982
ord3953
ord5714
ord5289
ord5307
ord4698
ord4079
ord2725
ord5302
ord5300
ord3346
ord825
ord2396
ord5199
ord1089
ord3922
ord5731
ord2512
ord2554
ord4486
ord6375
ord4274
ord1168
ord1116

msvcrt

free
_onexit
__dllonexit
?terminate@@YAXXZ
_except_handler3
_EH_prolog
_CIpow
printf
_CIacos
_ftol
strchr
sprintf
__CxxFrameHandler
malloc
_adjust_fdiv
??1type_info@@UAE@XZ
_initterm

kernel32

CreateDirectoryA
GlobalAlloc
GlobalFree
CreateThread
InitializeCriticalSection
MoveFileA
DeleteCriticalSection
OutputDebugStringA
GetCurrentThreadId
GlobalLock
GlobalUnlock
Sleep
GetCurrentProcess
CloseHandle
FindFirstFileA
FindNextFileA
FindClose
EnterCriticalSection
LeaveCriticalSection
LocalFree
LocalAlloc
GetDriveTypeA
WaitForSingleObject

user32

GetDC
GetSystemMetrics
ReleaseDC
GetMessageA
mouse_event
keybd_event
GetThreadDesktop
GetUserObjectInformationA
ExitWindowsEx
CloseClipboard
GetClipboardData
OpenClipboard
SetThreadDesktop
CloseDesktop
PostThreadMessageA
EmptyClipboard
SetClipboardData
SetCursorPos
GetProcessWindowStation
OpenWindowStationA
SetProcessWindowStation
OpenDesktopA
PostMessageA
CloseWindowStation
PeekMessageA
OpenInputDesktop

gdi32

BitBlt
CreateCompatibleDC
GetDIBits
DeleteDC
CreateCompatibleBitmap
SelectObject
DeleteObject

advapi32

LookupPrivilegeValueA
OpenProcessToken
AdjustTokenPrivileges

shell32

SHFileOperationA
SHGetSpecialFolderPathA

s1

ord1
ord3
ord2
ord5

qhsock

?Create@CQHSock@@QAEKAAUtagNET_PARAM@@@Z
?Accept@CQHSock@@QAEKAAV1@@Z
?SendData@CQHSock@@QAEHPAXKKKG@Z
?Close@CQHSock@@QAEXXZ
??0CQHSock@@QAE@XZ
??1CQHSock@@UAE@XZ

winmm

waveInOpen
waveInPrepareHeader
waveInStart
waveInUnprepareHeader
waveInReset
waveInClose
waveInAddBuffer

Exports

Exports

??0CQHSock@@QAE@ABV0@@Z
??4CQHSock@@QAEAAV0@ABV0@@Z
??_7CQHSock@@6B@
S2_Init
S2_SetPassword
S2_Uninit

Sections

.text
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 920B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
rcon/sc.dll
.dll windows:4 windows x86 arch:x86

e0734db71824c0013737c5b1044e427f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord3346
ord5300
ord5302
ord2725
ord4079
ord4698
ord5307
ord5289
ord5714
ord3953
ord2982
ord3147
ord3259
ord4465
ord3136
ord3262
ord2985
ord3081
ord2976
ord3830
ord2396
ord3825
ord3922
ord4080
ord4622
ord4424
ord3738
ord561
ord815
ord823
ord1116
ord1176
ord1575
ord1168
ord1577
ord1182
ord342
ord1243
ord1197
ord1570
ord5199
ord3831
ord1089
ord1253
ord1255
ord6467
ord1578
ord5731
ord2512
ord2554
ord4486
ord6375
ord4274
ord3079
ord825
ord269
ord826
ord600

msvcrt

malloc
_EH_prolog
__dllonexit
_onexit
??1type_info@@UAE@XZ
_adjust_fdiv
__CxxFrameHandler
_initterm
free

kernel32

LocalFree
LocalAlloc

user32

GetDC
GetSystemMetrics
ReleaseDC

gdi32

CreateCompatibleBitmap
SelectObject
BitBlt
GetDIBits
DeleteDC
DeleteObject
CreateCompatibleDC

Exports

Exports

SC_GetChangeInfo
SC_GetColorTable
SC_GetFullScreen
SC_IsColor555
SC_Start
SC_Stop

Sections

.text
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 952B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 646B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
rcon/server.dat
rcon/新云软件.url
.url

Sharing

General

Malware Config

Signatures

Files

667825a77659da8263280624c3197230

Headers

File Characteristics

Imports

mfc42

msvcrt

kernel32

user32

shell32

comctl32

c1

Sections

.text Size: 16KB - Virtual size: 15KB

.rdata Size: 8KB - Virtual size: 7KB

.data Size: 4KB - Virtual size: 1KB

.rsrc Size: 8KB - Virtual size: 7KB

afa85db6b7595bdb6440c08817ec17b9

Headers

File Characteristics

Imports

kernel32

user32

ws2_32

Exports

Exports

Sections

.text Size: 20KB - Virtual size: 17KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 4KB - Virtual size: 3KB

.rsrc Size: 4KB - Virtual size: 912B

.reloc Size: 4KB - Virtual size: 1KB

eb139f9661a918af0b922e44720f7fb0

Headers

File Characteristics

Imports

mfc42

msvcrt

kernel32

user32

advapi32

shell32

s2

qhsock

Exports

Exports

Sections

.text Size: 12KB - Virtual size: 8KB

.rdata Size: 8KB - Virtual size: 5KB

.data Size: 4KB - Virtual size: 932B

.rsrc Size: 8KB - Virtual size: 4KB

65a4ba275c6a83fe0e5636434ca17e7a

Headers

File Characteristics

Imports

mfc42

msvcrt

kernel32

user32

advapi32

Sections

.text Size: 8KB - Virtual size: 5KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 4KB - Virtual size: 956B

.rsrc Size: 4KB - Virtual size: 2KB

258c1c6bd0260978dde4244e8cf58ad9

Headers

File Characteristics

Imports

mfc42

msvcrt

kernel32

user32

gdi32

shell32

comctl32

.text
Size: 16KB - Virtual size: 15KB

.rdata
Size: 8KB - Virtual size: 7KB

.data
Size: 4KB - Virtual size: 1KB

.rsrc
Size: 8KB - Virtual size: 7KB

.text
Size: 20KB - Virtual size: 17KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 4KB - Virtual size: 912B

.reloc
Size: 4KB - Virtual size: 1KB

.text
Size: 12KB - Virtual size: 8KB

.rdata
Size: 8KB - Virtual size: 5KB

.data
Size: 4KB - Virtual size: 932B

.rsrc
Size: 8KB - Virtual size: 4KB

.text
Size: 8KB - Virtual size: 5KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 4KB - Virtual size: 956B

.rsrc
Size: 4KB - Virtual size: 2KB

.text
Size: 48KB - Virtual size: 47KB

.rdata
Size: 20KB - Virtual size: 18KB

.data
Size: 20KB - Virtual size: 268KB

.rsrc
Size: 8KB - Virtual size: 6KB

.reloc
Size: 8KB - Virtual size: 5KB

.text
Size: 24KB - Virtual size: 20KB

.rdata
Size: 16KB - Virtual size: 15KB

.data
Size: 4KB - Virtual size: 5KB

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 4KB - Virtual size: 1KB

.text
Size: 20KB - Virtual size: 18KB

.rdata
Size: 16KB - Virtual size: 12KB

.data
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 4KB - Virtual size: 920B

.reloc
Size: 4KB - Virtual size: 876B

.text
Size: 44KB - Virtual size: 43KB

.rdata
Size: 16KB - Virtual size: 15KB

.data
Size: 20KB - Virtual size: 48KB

.rsrc
Size: 4KB - Virtual size: 920B

.reloc
Size: 4KB - Virtual size: 2KB