178a6cc1e56ca02a7e633cda2dcd1ee2

Sharing

Copy URL

Twitter E-mail

General

Target

178a6cc1e56ca02a7e633cda2dcd1ee2
Size

77KB
MD5

178a6cc1e56ca02a7e633cda2dcd1ee2
SHA1

21e866b93b9d6a626cb29c0e5f811b689596a69b
SHA256

84d4f6fd7eb3df2b7595b06887ba78ee8b5aba423fff9b7e8da3898a67b72314
SHA512

83224f3de56b55a0a972d9063294b758a2e6a51dbd9fa51d6c6517acded07bc96056764769347c55a73102b71aca8954b2ab6217288054fe141c185ed131aff8
SSDEEP

1536:nKCY8FQGfNdTD9c8L3hH+AfTHOBF3rKMNRAkKMKljbZ6xrS:KAFZNdFc8L3hFbg3r1NhKMKH6x+

Score

3^/10

Malware Config

Signatures

Unsigned PE 5 IoCs

Checks for missing Authenticode signature.

resource
unpack001/85812383/bin/Release/HookNTQSI.dll
unpack001/85812383/bin/Release/RemoteDll.dll
unpack001/85812383/bin/Release/TaskKeyHook.dll
unpack001/85812383/bin/Release/TrapKeys.exe
unpack001/85812383/bin/Release/remoteExe.exe

Files

178a6cc1e56ca02a7e633cda2dcd1ee2
.rar
85812383/HookNtQuerySystemInformation/HookApi.cpp
85812383/HookNtQuerySystemInformation/HookApi.dsp
85812383/HookNtQuerySystemInformation/HookApi.dsw
85812383/HookNtQuerySystemInformation/HookApi.h
85812383/HookNtQuerySystemInformation/HookApi.opt
85812383/HookNtQuerySystemInformation/HookClass.cpp
85812383/HookNtQuerySystemInformation/HookClass.h
85812383/RemoteExeSrc/Exe.clw
85812383/RemoteExeSrc/Exe.cpp
85812383/RemoteExeSrc/Exe.dsp
85812383/RemoteExeSrc/Exe.dsw
85812383/RemoteExeSrc/Exe.h
85812383/RemoteExeSrc/Exe.opt
85812383/RemoteExeSrc/Exe.rc
85812383/RemoteExeSrc/ExeDlg.cpp
85812383/RemoteExeSrc/ExeDlg.h
85812383/RemoteExeSrc/Hook.cpp
85812383/RemoteExeSrc/Hook.h
85812383/RemoteExeSrc/Resource.h
85812383/RemoteExeSrc/StdAfx.cpp
85812383/RemoteExeSrc/StdAfx.h
85812383/RemoteExeSrc/res/Exe.ico
85812383/RemoteExeSrc/res/Exe.rc2
85812383/RemotedllSrc/Dll.cpp
85812383/RemotedllSrc/Dll.dsp
85812383/RemotedllSrc/Dll.dsw
85812383/RemotedllSrc/Dll.opt
85812383/RemotedllSrc/StdAfx.cpp
85812383/RemotedllSrc/StdAfx.h
85812383/TrapKeys/Hook.cpp
85812383/TrapKeys/Hook.h
85812383/TrapKeys/NtQuery.h
85812383/TrapKeys/RES/app.ico
85812383/TrapKeys/RES/app.rc2
85812383/TrapKeys/RES/msdn.bmp
85812383/TrapKeys/StatLink.cpp
85812383/TrapKeys/StatLink.h
85812383/TrapKeys/StdAfx.cpp
85812383/TrapKeys/StdAfx.h
85812383/TrapKeys/TaskKeyHook.cpp
85812383/TrapKeys/TaskKeyHook.dep
85812383/TrapKeys/TaskKeyHook.dsp
85812383/TrapKeys/TaskKeyHook.dsw
85812383/TrapKeys/TaskKeyHook.h
85812383/TrapKeys/TaskKeyHook.mak
85812383/TrapKeys/TaskKeyHook.opt
85812383/TrapKeys/TaskKeyMgr.cpp
85812383/TrapKeys/TaskKeyMgr.h
85812383/TrapKeys/TrapKeys.clw
85812383/TrapKeys/TrapKeys.cpp
85812383/TrapKeys/TrapKeys.dep
85812383/TrapKeys/TrapKeys.dsp
85812383/TrapKeys/TrapKeys.dsw
85812383/TrapKeys/TrapKeys.mak
85812383/TrapKeys/TrapKeys.opt
.js
85812383/TrapKeys/TrapKeys.rc
85812383/TrapKeys/Wrappers.cpp
.js
85812383/TrapKeys/Wrappers.h
85812383/TrapKeys/makefile
85812383/TrapKeys/resource.h
85812383/bin/Release/HookNTQSI.dll
.dll windows:4 windows x86 arch:x86

b598f3fa3f0c18a543d76b693faf2d6c

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetModuleHandleA
GetSystemInfo
SetThreadPriority
CloseHandle
Module32Next
Module32First
CreateToolhelp32Snapshot
GetCurrentThread
GetProcAddress
GetCurrentProcessId
WriteProcessMemory
GetCurrentProcess
VirtualProtect
lstrcmpiA
LoadLibraryA
LoadLibraryW
LoadLibraryExA
DisableThreadLibraryCalls
VirtualQuery
LoadLibraryExW

user32

SetWindowsHookExA
CallNextHookEx
UnhookWindowsHookEx

imagehlp

ImageDirectoryEntryToData

msvcrt

__CxxFrameHandler
__dllonexit
_adjust_fdiv
malloc
_except_handler3
??3@YAXPAX@Z
??2@YAPAXI@Z
_onexit
free
_initterm

Exports

Exports

Hook
Unhook

Sections

.text
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 360B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

SHAREDAT
Size: 4KB - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 404B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
85812383/bin/Release/RemoteDll.dll
.dll windows:4 windows x86 arch:x86

49a78104afbd18e4e5e47e68c94797ba

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CreateThread
CloseHandle

user32

OpenDesktopA
EnumDesktopWindows
GetWindowTextA
SetWindowLongA
CallWindowProcA

msvcp60

?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB

msvcrt

memchr
free
_initterm
_adjust_fdiv
malloc

Sections

.text
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 714B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 76B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 170B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
85812383/bin/Release/TaskKeyHook.dll
.dll windows:4 windows x86 arch:x86

72eeca58eb13ff7bd0f9943eddf0f905

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord5731
ord3922
ord2512
ord1089
ord5199
ord2396
ord3346
ord5300
ord5302
ord2725
ord4079
ord4698
ord5307
ord5289
ord5714
ord3953
ord2982
ord3147
ord4486
ord2554
ord3136
ord3262
ord2985
ord3081
ord2976
ord3401
ord3830
ord3831
ord3825
ord3079
ord4080
ord4622
ord4424
ord3738
ord561
ord6375
ord825
ord4465
ord3259
ord815
ord269
ord826
ord1577
ord342
ord1182
ord1197
ord1570
ord1243
ord1255
ord6467
ord1116
ord1176
ord1575
ord1168
ord1253
ord600
ord1578

msvcrt

_initterm
_onexit
__CxxFrameHandler
??2@YAPAXI@Z
__dllonexit
malloc
??1type_info@@UAE@XZ
_adjust_fdiv
free

kernel32

LocalFree
LocalAlloc

user32

SetWindowsHookExA
UnhookWindowsHookEx
GetAsyncKeyState
MessageBeep
CallNextHookEx

Exports

Exports

?AreTaskKeysDisabled@@YAHXZ
?DisableTaskKeys@@YAHHH@Z

Sections

.text
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.mydata
Size: 4KB - Virtual size: 265B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 628B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
85812383/bin/Release/TrapKeys.exe
.exe windows:4 windows x86 arch:x86

fc9274bb255f4129ee49d3672b9d6835

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

taskkeyhook

?AreTaskKeysDisabled@@YAHXZ
?DisableTaskKeys@@YAHHH@Z

shlwapi

PathAppendA
PathRemoveFileSpecA

mfc42

ord3259
ord4465
ord3136
ord3262
ord2985
ord3081
ord3147
ord2976
ord3830
ord3831
ord3825
ord3079
ord4080
ord4627
ord4424
ord795
ord860
ord5875
ord3797
ord4160
ord3089
ord3874
ord825
ord3619
ord3626
ord3663
ord2414
ord1641
ord2860
ord5241
ord3402
ord3721
ord567
ord540
ord2124
ord6375
ord4486
ord2554
ord2512
ord5731
ord5277
ord2982
ord5199
ord2396
ord3346
ord5300
ord5302
ord4079
ord4698
ord5307
ord5289
ord5714
ord3401
ord4622
ord3738
ord926
ord2514
ord1200
ord5265
ord4376
ord4853
ord4998
ord6052
ord1775
ord5280
ord4425
ord3597
ord641
ord324
ord4234
ord4710
ord6241
ord6335
ord1168
ord1146
ord4202
ord2764
ord537
ord538
ord858
ord800
ord535
ord2446
ord5261
ord1727
ord5065
ord3749
ord6376
ord2055
ord2648
ord4441
ord4837
ord3798
ord5290
ord4353
ord6374
ord5163
ord2385
ord4407
ord1776
ord4078
ord6055
ord4275
ord1929
ord3922
ord1089
ord815
ord561
ord1576

msvcrt

_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
_controlfp
_exit
_XcptFilter
_setmbcp
__CxxFrameHandler
memset
__dllonexit
_onexit
exit

kernel32

VirtualAllocEx
CreateRemoteThread
WaitForSingleObject
ReadProcessMemory
CreateToolhelp32Snapshot
Process32First
Process32Next
GetCurrentProcess
CloseHandle
GetLastError
LoadLibraryExA
FormatMessageA
LocalFree
FreeLibrary
lstrcpynA
GetProcAddress
GetModuleHandleA
OpenProcess
GetCurrentProcessId
LoadLibraryA
VerifyVersionInfoA
VerSetConditionMask
GetModuleFileNameA
GetStartupInfoA
WriteProcessMemory

user32

EnableWindow
InvalidateRect
MessageBoxA
wsprintfA
IsWindowEnabled
LoadIconA
FindWindowA
SendMessageA
LoadCursorA
SetCursor
MessageBeep
IsWindow

gdi32

CreateFontIndirectA
GetObjectA
GetStockObject

advapi32

RegDeleteValueA
RegQueryValueExA
RegOpenKeyA
RegCreateKeyA
RegSetValueExA
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueA

shell32

ShellExecuteA

Sections

.text
Size: 20KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
85812383/bin/Release/remoteExe.exe
.exe windows:4 windows x86 arch:x86

478500edb5f958d36499737d92bfd9e7

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mfc42

ord3147
ord3259
ord4465
ord3136
ord3262
ord2985
ord2982
ord3081
ord2976
ord3830
ord3831
ord3825
ord3079
ord4080
ord4622
ord5289
ord5714
ord561
ord825
ord815
ord641
ord2514
ord2621
ord5265
ord4376
ord4853
ord4998
ord6052
ord4078
ord1775
ord4407
ord5241
ord3738
ord4424
ord5307
ord4353
ord5280
ord3798
ord4837
ord4441
ord2648
ord2055
ord6376
ord3749
ord5065
ord1727
ord5261
ord4673
ord2124
ord5277
ord4627
ord4425
ord3597
ord1146
ord1168
ord324
ord4234
ord4710
ord2379
ord755
ord470
ord537
ord800
ord2764
ord4202
ord926
ord2554
ord4486
ord6375
ord4274
ord4698
ord4079
ord2725
ord5302
ord5300
ord3346
ord2396
ord5199
ord1089
ord3922
ord5731
ord2512
ord6374
ord2385
ord5163
ord2446
ord1576

msvcrt

_setmbcp
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_controlfp
_exit
__CxxFrameHandler
__dllonexit
_onexit

kernel32

GetLastError
CloseHandle
GetCurrentProcess
Process32Next
Process32First
CreateToolhelp32Snapshot
CreateRemoteThread
WriteProcessMemory
VirtualAllocEx
GetProcAddress
GetModuleHandleA
OpenProcess
ReadProcessMemory
GetStartupInfoA
FormatMessageA

user32

IsIconic
GetSystemMetrics
GetClientRect
EnableWindow
DrawIcon
MessageBoxA
LoadIconA
SendMessageA

advapi32

AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken

Sections

.text
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 868B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
85812383/下载说明.htm
.html .js polyglot

Sharing

General

Malware Config

Signatures

Files

b598f3fa3f0c18a543d76b693faf2d6c

Headers

File Characteristics

Imports

kernel32

user32

imagehlp

msvcrt

Exports

Exports

Sections

.text Size: 4KB - Virtual size: 2KB

.rdata Size: 4KB - Virtual size: 1KB

.data Size: 4KB - Virtual size: 360B

SHAREDAT Size: 4KB - Virtual size: 8B

.reloc Size: 4KB - Virtual size: 404B

49a78104afbd18e4e5e47e68c94797ba

Headers

File Characteristics

Imports

kernel32

user32

msvcp60

msvcrt

Sections

.text Size: 4KB - Virtual size: 1KB

.rdata Size: 4KB - Virtual size: 714B

.data Size: 4KB - Virtual size: 76B

.reloc Size: 4KB - Virtual size: 170B

72eeca58eb13ff7bd0f9943eddf0f905

Headers

File Characteristics

Imports

mfc42

msvcrt

kernel32

user32

Exports

Exports

Sections

.text Size: 12KB - Virtual size: 10KB

.rdata Size: 4KB - Virtual size: 1KB

.data Size: 4KB - Virtual size: 6KB

.idata Size: 4KB - Virtual size: 1KB

.mydata Size: 4KB - Virtual size: 265B

.reloc Size: 4KB - Virtual size: 628B

fc9274bb255f4129ee49d3672b9d6835

Headers

File Characteristics

Imports

taskkeyhook

shlwapi

mfc42

msvcrt

kernel32

user32

gdi32

advapi32

shell32

Sections

.text Size: 20KB - Virtual size: 16KB

.rdata Size: 8KB - Virtual size: 6KB

.data Size: 4KB - Virtual size: 2KB

.rsrc Size: 20KB - Virtual size: 19KB

478500edb5f958d36499737d92bfd9e7

Headers

File Characteristics

Imports

mfc42

msvcrt

kernel32

user32

advapi32

Sections

.text Size: 8KB - Virtual size: 4KB

.text
Size: 4KB - Virtual size: 2KB

.rdata
Size: 4KB - Virtual size: 1KB

.data
Size: 4KB - Virtual size: 360B

SHAREDAT
Size: 4KB - Virtual size: 8B

.reloc
Size: 4KB - Virtual size: 404B

.text
Size: 4KB - Virtual size: 1KB

.rdata
Size: 4KB - Virtual size: 714B

.data
Size: 4KB - Virtual size: 76B

.reloc
Size: 4KB - Virtual size: 170B

.text
Size: 12KB - Virtual size: 10KB

.rdata
Size: 4KB - Virtual size: 1KB

.data
Size: 4KB - Virtual size: 6KB

.idata
Size: 4KB - Virtual size: 1KB

.mydata
Size: 4KB - Virtual size: 265B

.reloc
Size: 4KB - Virtual size: 628B

.text
Size: 20KB - Virtual size: 16KB

.rdata
Size: 8KB - Virtual size: 6KB

.data
Size: 4KB - Virtual size: 2KB

.rsrc
Size: 20KB - Virtual size: 19KB

.text
Size: 8KB - Virtual size: 4KB

.rdata
Size: 4KB - Virtual size: 2KB

.data
Size: 4KB - Virtual size: 868B

.rsrc
Size: 4KB - Virtual size: 2KB