0bab3739096a3a93fbbe239bc3410f65

Sharing

Copy URL Twitter E-mail

General

Target

0bab3739096a3a93fbbe239bc3410f65
Size

389KB
MD5

0bab3739096a3a93fbbe239bc3410f65
SHA1

1d9b094241469d3b533d49235839ac40cf3adc75
SHA256

6d188c654434c5258d56f976434a63e393b5e896c0d3028f3f1185a86251559a
SHA512

80771f9d7028e9c4c377cd9882cb72ca3099d88ea41a6337cd4d0460b715ac15401679be5eb4eaaf71d4f4f88e065303279203516c8d4799ebaf4f8b87b5c32e
SSDEEP

12288:kAb62QPenO2pC0sewtpnmv6Brpba/gbuWZzB:1G2hOKC0seqn+6B9HzB

Score

3^/10

Malware Config

Signatures

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/whwnrecord/whwnenexe.dll
unpack001/whwnrecord/whwnpcmchange.dll
unpack001/whwnrecord/whwnplay.dll
unpack001/whwnrecord/whwnrecord.exe

Files

0bab3739096a3a93fbbe239bc3410f65
.rar
whwnrecord/whwnenexe.dll
.dll windows:4 windows x86 arch:x86

5233420551ea28bfecc6fdae0ac31c91

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

HeapCreate
GetModuleFileNameA
GetPrivateProfileIntA
GetCommandLineA
GetVersion
HeapAlloc
HeapFree
EnterCriticalSection
LeaveCriticalSection
InterlockedDecrement
InterlockedIncrement
GetProcAddress
GetModuleHandleA
GetLastError
CloseHandle
InitializeCriticalSection
ExitProcess
TerminateProcess
GetCurrentProcess
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
DeleteCriticalSection
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
HeapDestroy
OutputDebugStringA
VirtualFree
WriteFile
VirtualAlloc
HeapReAlloc
SetFilePointer
RaiseException
FlushFileBuffers
ReadFile
MultiByteToWideChar
LCMapStringA
LCMapStringW
SetStdHandle
CreateFileA
GetStringTypeA
GetStringTypeW
GetCPInfo
GetACP
GetOEMCP
LoadLibraryA
RtlUnwind
SetEndOfFile

Exports

Exports

wave_enmp3_vbrheader
wave_enmp3code
wave_enmp3end
wave_enmp3init
wave_enmp3init_abr
wave_enmp3init_new
wave_enmp3init_vbr

Sections

.text
Size: 148KB - Virtual size: 147KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 218KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
whwnrecord/whwnpcmchange.dll
.dll windows:4 windows x86 arch:x86

60cf4e379582866a5bbc544ef8c844b7

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord825
ord1253
ord342
ord823
ord1182
ord3663
ord1168

msvcrt

malloc
realloc
floor
free
_ftol
fprintf
_CIpow
ceil
_CIfmod
_except_handler3
?terminate@@YAXXZ
_initterm
_adjust_fdiv

Exports

Exports

??0Cwhwnpcmchange@@QAE@XZ
??1Cwhwnpcmchange@@UAE@XZ
??_7Cwhwnpcmchange@@6B@
?FIxKaiser@Cwhwnpcmchange@@QAENNN@Z
?FNbessI0@Cwhwnpcmchange@@QAENN@Z
?FNgcd@Cwhwnpcmchange@@QAEJJJ@Z
?FNsinc@Cwhwnpcmchange@@QAENN@Z
?MAfAllocMat@Cwhwnpcmchange@@QAEPAPAMHH@Z
?MSiCeil@Cwhwnpcmchange@@QAEHHH@Z
?MSratio@Cwhwnpcmchange@@QAEXNPAJ0NJJ@Z
?RSKaiserLPF@Cwhwnpcmchange@@QAEXPAMHNNNNN@Z
?RSKalphaXD@Cwhwnpcmchange@@QAENN@Z
?RSKalphaXatt@Cwhwnpcmchange@@QAENN@Z
?RSKattenXalpha@Cwhwnpcmchange@@QAENN@Z
?RS_conv@Cwhwnpcmchange@@SAMPBM0H@Z
?RS_parFilt@Cwhwnpcmchange@@QAEXNNPAUFspec_T@@0@Z
?RS_polyphase@Cwhwnpcmchange@@QAEXPBMHHPAUFpoly_T@@@Z
?RSexpTime@Cwhwnpcmchange@@QAEXNJPAUTval_T@@@Z
?RSincTime@Cwhwnpcmchange@@QAEXPAUTval_T@@N@Z
?RSintFilt@Cwhwnpcmchange@@QAEXNNPAUFspec_T@@PAUFpoly_T@@PANPAU_iobuf@@@Z
?RSinterp@Cwhwnpcmchange@@QAEXPBMHPAMHNPBUTval_T@@PBUFpoly_T@@@Z
?RSratio@Cwhwnpcmchange@@QAEXNHPAJPANJJPAU_iobuf@@@Z
?RSrefresh@Cwhwnpcmchange@@QAEHJQAMH@Z
?UTfree@Cwhwnpcmchange@@QAEXPAX@Z
?UTmalloc@Cwhwnpcmchange@@QAEPAXH@Z
?UTrealloc@Cwhwnpcmchange@@QAEPAXPAXH@Z
?VRfShift@Cwhwnpcmchange@@QAEXPAMHH@Z
?bandfilter_data@Cwhwnpcmchange@@QAEHPAEHHH@Z
?high_data@Cwhwnpcmchange@@QAEHPAMHH@Z
?high_filter_data@Cwhwnpcmchange@@QAEHPAEHHH@Z
?highpass_data@Cwhwnpcmchange@@QAEHPAEHHH@Z
?low_data@Cwhwnpcmchange@@QAEHPAMHH@Z
?low_filter_data@Cwhwnpcmchange@@QAEHPAEHHH@Z
?lowpass_data@Cwhwnpcmchange@@QAEHPAEHHH@Z
?pcm_bitchange@Cwhwnpcmchange@@QAEHPAE0HHH@Z
?pcm_change@Cwhwnpcmchange@@QAEHPAEH0H_N@Z
?pcm_chchange@Cwhwnpcmchange@@QAEHPAE0HHHH@Z
?pcm_close@Cwhwnpcmchange@@QAEHXZ
?pcm_combine@Cwhwnpcmchange@@QAEHPAE0HH@Z
?pcm_getch@Cwhwnpcmchange@@QAEHPAE0HHHH@Z
?pcm_init@Cwhwnpcmchange@@QAEHNHHH@Z
?pcm_setbit@Cwhwnpcmchange@@QAEXH@Z
?pcm_setch@Cwhwnpcmchange@@QAEXH@Z
?set_filter@Cwhwnpcmchange@@QAEHHHHHH@Z
?set_high_filter@Cwhwnpcmchange@@QAEHHMHH@Z
?set_low_filter@Cwhwnpcmchange@@QAEHHMHH@Z

Sections

.text
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 160B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 888B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
whwnrecord/whwnplay.dll
.dll windows:4 windows x86 arch:x86

ff9a7b15504613a1974f37a80cb364c9

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord2512
ord5731
ord2554
ord3922
ord1089
ord5199
ord2396
ord3346
ord5300
ord5302
ord2725
ord4079
ord4698
ord5307
ord5289
ord5714
ord3953
ord2982
ord6375
ord4486
ord4465
ord3136
ord3262
ord2985
ord3081
ord2976
ord3830
ord3831
ord3825
ord3079
ord4080
ord4622
ord4424
ord4274
ord561
ord825
ord815
ord3259
ord3147
ord3738
ord1578
ord600
ord1116
ord1176
ord1575
ord1168
ord1577
ord1182
ord342
ord1243
ord269
ord826
ord1570
ord1197
ord6467
ord1255
ord1253

msvcrt

__CxxFrameHandler
_EH_prolog
??2@YAPAXI@Z
??1type_info@@UAE@XZ
_adjust_fdiv
malloc
_initterm
free
_onexit
__dllonexit

kernel32

LocalFree
LocalAlloc

Exports

Exports

whwn_getexedata
whwn_writeexedata
whwn_writeexefile

Sections

.text
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 492KB - Virtual size: 492KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 848B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
whwnrecord/whwnrecord.exe
.exe windows:4 windows x86 arch:x86

dc15f1daff13625f9a0c584700719ffc

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

winmm

waveOutPrepareHeader
waveOutWrite
waveOutUnprepareHeader
waveOutClose
waveOutOpen
waveInPrepareHeader
waveInStart
waveInAddBuffer
waveInStop
waveInReset
waveInUnprepareHeader
mixerGetControlDetailsA
mixerGetNumDevs
waveInOpen
mixerOpen
mixerGetID
mixerSetControlDetails
mixerGetLineInfoA
mixerGetLineControlsA
mixerClose
waveInClose

whwnpcmchange

??0Cwhwnpcmchange@@QAE@XZ
??1Cwhwnpcmchange@@UAE@XZ
?set_high_filter@Cwhwnpcmchange@@QAEHHMHH@Z
?set_low_filter@Cwhwnpcmchange@@QAEHHMHH@Z
?low_filter_data@Cwhwnpcmchange@@QAEHPAEHHH@Z
?high_filter_data@Cwhwnpcmchange@@QAEHPAEHHH@Z

mfc42

ord5678
ord1862
ord4220
ord2584
ord3654
ord2438
ord823
ord6142
ord4083
ord2863
ord5606
ord3571
ord3573
ord3693
ord4129
ord2763
ord4277
ord5683
ord2567
ord5788
ord2614
ord858
ord3619
ord2971
ord5759
ord6192
ord5756
ord6186
ord4330
ord6189
ord6021
ord6172
ord5873
ord5789
ord3701
ord500
ord5736
ord5579
ord5571
ord6061
ord5864
ord3596
ord6194
ord2405
ord1175
ord2096
ord2408
ord5860
ord1574
ord772
ord6055
ord1776
ord5794
ord807
ord2920
ord2012
ord2120
ord554
ord4163
ord1644
ord5572
ord2915
ord939
ord940
ord941
ord5787
ord4133
ord4297
ord1621
ord2764
ord4202
ord5856
ord536
ord2452
ord2753
ord1195
ord472
ord5440
ord6383
ord5450
ord6394
ord2575
ord5290
ord3402
ord4396
ord3574
ord809
ord609
ord556
ord567
ord4275
ord4424
ord5053
ord4774
ord5981
ord6270
ord283
ord613
ord6880
ord289
ord2122
ord4160
ord6358
ord1088
ord2578
ord2411
ord2023
ord4218
ord4398
ord3582
ord616
ord541
ord801
ord6143
ord2450
ord5861
ord2363
ord6111
ord6334
ord6199
ord4694
ord1099
ord2289
ord2370
ord2301
ord2642
ord2818
ord3721
ord795
ord3797
ord2754
ord6197
ord6605
ord1200
ord926
ord6170
ord4287
ord6734
ord3716
ord790
ord4123
ord2380
ord3766
ord2566
ord3920
ord1920
ord4589
ord4588
ord4899
ord4370
ord4892
ord5076
ord4341
ord4349
ord4889
ord4531
ord4545
ord4543
ord4526
ord4524
ord4963
ord4108
ord3081
ord3748
ord1725
ord5260
ord4432
ord517
ord784
ord4262
ord5766
ord6131
ord6216
ord3755
ord4723
ord4960
ord924
ord1924
ord3496
ord2587
ord4406
ord3394
ord3729
ord804
ord4267
ord6379
ord6215
ord2086
ord2862
ord4673
ord4274
ord6375
ord4486
ord2554
ord2512
ord5731
ord3922
ord1089
ord5199
ord2396
ord3346
ord5300
ord5302
ord2725
ord4079
ord4698
ord5307
ord5289
ord5714
ord4622
ord3738
ord561
ord815
ord2621
ord1134
ord1105
ord4224
ord2243
ord3499
ord355
ord2985
ord3262
ord3136
ord4465
ord3259
ord3147
ord2982
ord5277
ord2124
ord2446
ord5261
ord1727
ord5065
ord3749
ord6376
ord2055
ord2648
ord4441
ord4837
ord3798
ord5280
ord4353
ord6374
ord5163
ord2385
ord5241
ord4407
ord1775
ord4078
ord6052
ord2514
ord4998
ord4853
ord4376
ord5265
ord860
ord535
ord4710
ord686
ord384
ord2864
ord537
ord470
ord5781
ord2859
ord2713
ord1641
ord323
ord1640
ord2414
ord5785
ord2860
ord540
ord1168
ord1146
ord800
ord3874
ord5875
ord3663
ord640
ord755
ord4234
ord3626
ord3706
ord324
ord2302
ord825
ord4425
ord641
ord3597
ord3079
ord4627
ord4080
ord3830
ord3825
ord3831
ord3089
ord2976
ord4476
ord4284
ord2379
ord5240
ord1576

msvcrt

_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
_mbsstr
_setmbcp
__CxxFrameHandler
free
malloc
wcscpy
wcslen
_ftol
memmove
_mbscmp
_mbsnbcpy
sprintf
_controlfp
fclose
fopen
exit
fflush
fwrite
fseek
calloc
rand
fread
fprintf
_iob
_onexit
clock
__dllonexit
_acmdln
_exit
_XcptFilter
__getmainargs

kernel32

HeapAlloc
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteFileA
Sleep
GetTempPathA
GetProcAddress
WinExec
lstrcpyA
lstrcatA
LoadLibraryA
FreeLibrary
GetWindowsDirectoryA
SizeofResource
GlobalAlloc
MulDiv
GlobalUnlock
lstrcmpiA
GlobalLock
LoadResource
LockResource
FindResourceA
lstrlenW
lstrlenA
GetCPInfo
GetVersionExA
DeleteCriticalSection
GetVersion
MoveFileA
CreateThread
HeapFree
QueryPerformanceFrequency
GetModuleHandleA
QueryPerformanceCounter
GetProcessHeap
ExitProcess
GetStartupInfoA

user32

WindowFromPoint
ClientToScreen
PostMessageA
DrawFocusRect
OffsetRect
InflateRect
GetActiveWindow
GetParent
SetCursor
DrawStateA
CreateIconIndirect
GetIconInfo
LoadImageA
GetDlgItem
KillTimer
GetClientRect
MessageBeep
FrameRect
SetTimer
ScreenToClient
GetMessagePos
IsWindow
CopyIcon
LoadCursorA
UpdateWindow
RedrawWindow
GetFocus
SetCapture
ReleaseCapture
DestroyWindow
IsMenu
CreateWindowExA
RegisterClassExA
DefWindowProcA
SetWindowPos
GetSystemMenu
PtInRect
SetForegroundWindow
GetWindowLongA
DestroyCursor
GetSubMenu
GrayStringA
TabbedTextOutA
LoadBitmapA
GetSysColorBrush
GetMenuStringA
CreateMenu
CreatePopupMenu
GetMenuItemID
GetMenuState
ModifyMenuA
GetMenuItemCount
AppendMenuA
GetDesktopWindow
GetDC
DrawTextA
ReleaseDC
DestroyIcon
SystemParametersInfoA
GetSysColor
CopyRect
FillRect
DrawEdge
SetRect
GetMenuItemInfoA
EnableWindow
GetWindowDC
GetWindowRect
GetSystemMetrics
SendMessageA
LoadIconA
CopyImage
DrawIconEx
InvalidateRect
GetNextDlgTabItem
BringWindowToTop
SetWindowLongA
ShowWindow

gdi32

GetObjectA
FillRgn
CreateEllipticRgnIndirect
SetPixelV
SetBkMode
SetROP2
MoveToEx
LineTo
CreateICA
GetDIBits
ExtCreateRegion
StretchBlt
BitBlt
CombineRgn
CreateRectRgn
RoundRect
CreateCompatibleBitmap
CreateCompatibleDC
GetDeviceCaps
GetBkMode
CreatePen
CreateSolidBrush
CreateFontIndirectA
GetTextExtentPoint32W
GetTextExtentPoint32A
Ellipse
DeleteDC
DeleteObject
SelectObject
CreateDIBSection
PtVisible
RectVisible
SetPixel
GetPixel
TextOutA
ExtTextOutA
PatBlt
Escape
Rectangle
GetStockObject
SetTextColor
SetBkColor
CreateBitmap
SetViewportOrgEx
GetViewportOrgEx
FloodFill

advapi32

RegCloseKey
RegQueryValueExA
RegOpenKeyExA
RegQueryValueA

shell32

ShellExecuteExA
Shell_NotifyIconA
ShellExecuteA

comctl32

ImageList_AddMasked
_TrackMouseEvent
ImageList_Draw
ImageList_ReplaceIcon
ImageList_GetImageCount
ImageList_GetIcon

ole32

CreateStreamOnHGlobal

olepro32

ord251

Sections

.text
Size: 288KB - Virtual size: 284KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 82KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 224KB - Virtual size: 221KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
whwnrecord/使用说明.txt
whwnrecord/新云软件.url
.url

Sharing

General

Malware Config

Signatures

Files

5233420551ea28bfecc6fdae0ac31c91

Headers

File Characteristics

Imports

kernel32

Exports

Exports

Sections

.text Size: 148KB - Virtual size: 147KB

.rdata Size: 20KB - Virtual size: 19KB

.data Size: 12KB - Virtual size: 218KB

.reloc Size: 12KB - Virtual size: 8KB

60cf4e379582866a5bbc544ef8c844b7

Headers

File Characteristics

Imports

mfc42

msvcrt

Exports

Exports

Sections

.text Size: 16KB - Virtual size: 13KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 4KB - Virtual size: 160B

.rsrc Size: 4KB - Virtual size: 888B

.reloc Size: 4KB - Virtual size: 504B

ff9a7b15504613a1974f37a80cb364c9

Headers

File Characteristics

Imports

mfc42

msvcrt

kernel32

Exports

Exports

Sections

.text Size: 4KB - Virtual size: 1KB

.rdata Size: 4KB - Virtual size: 1KB

.data Size: 492KB - Virtual size: 492KB

.rsrc Size: 4KB - Virtual size: 848B

.reloc Size: 4KB - Virtual size: 1KB

dc15f1daff13625f9a0c584700719ffc

Headers

File Characteristics

Imports

winmm

whwnpcmchange

mfc42

msvcrt

kernel32

user32

gdi32

advapi32

shell32

comctl32

ole32

olepro32

Sections

.text Size: 288KB - Virtual size: 284KB

.rdata Size: 32KB - Virtual size: 28KB

.data Size: 12KB - Virtual size: 82KB

.rsrc Size: 224KB - Virtual size: 221KB

.text
Size: 148KB - Virtual size: 147KB

.rdata
Size: 20KB - Virtual size: 19KB

.data
Size: 12KB - Virtual size: 218KB

.reloc
Size: 12KB - Virtual size: 8KB

.text
Size: 16KB - Virtual size: 13KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 4KB - Virtual size: 160B

.rsrc
Size: 4KB - Virtual size: 888B

.reloc
Size: 4KB - Virtual size: 504B

.text
Size: 4KB - Virtual size: 1KB

.rdata
Size: 4KB - Virtual size: 1KB

.data
Size: 492KB - Virtual size: 492KB

.rsrc
Size: 4KB - Virtual size: 848B

.reloc
Size: 4KB - Virtual size: 1KB

.text
Size: 288KB - Virtual size: 284KB

.rdata
Size: 32KB - Virtual size: 28KB

.data
Size: 12KB - Virtual size: 82KB

.rsrc
Size: 224KB - Virtual size: 221KB