36b715b1bf068ce955772b9d751ed05a

Sharing

Copy URL Twitter E-mail

General

Target

36b715b1bf068ce955772b9d751ed05a
Size

827KB
MD5

36b715b1bf068ce955772b9d751ed05a
SHA1

2863a5c06bfd323f79fa7b49301ade29407f5577
SHA256

872bec62c9fca39812adf7c3091c53ba71ebfc4e54bfef6a739e3851d4e5943e
SHA512

d285881daf1052d9436b74edc1cfa2ceefe680c4da8d9bf9defa0d8531d93c941ed58da92f7c6dc5ec1686c568d18b06c5d0337496ababd1d3e7b38dc2f44da2
SSDEEP

24576:6SxXdTtHXvJ9Nm6v8NzXGsjmJqZMAdlfzv6c8xC:9xf3vjNjv8dXGbQ+AdFzck

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
36b715b1bf068ce955772b9d751ed05a

Files

36b715b1bf068ce955772b9d751ed05a
.exe windows:5 windows x86 arch:x86

d0f52f5ebd18f4ff89b80a2d117d3465

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

gdi32

GetBrushAttributes
GetStretchBltMode
CloseEnhMetaFile
GetEnhMetaFilePixelFormat
ExtFloodFill
SetViewportExtEx
Ellipse
FONTOBJ_pxoGetXform
GetNearestColor
FONTOBJ_pvTrueTypeFontFile
XFORMOBJ_iGetXform
SwapBuffers
PATHOBJ_bEnumClipLines
GetTextExtentPointA
CreateHatchBrush
gdiPlaySpoolStream
GdiSetLastError
GdiPlayEMF
GdiEntry6
CreateRectRgn
GdiConvertFont
PATHOBJ_vEnumStartClipLines
EudcLoadLinkW
GetTextExtentPointW
GetDCBrushColor
GdiConvertToDevmodeW
LPtoDP

winsta

ServerLicensingGetPolicyInformationA
WinStationShutdownSystem
WinStationGetLanAdapterNameA
WinStationQueryInformationA
_WinStationUpdateUserConfig
_WinStationNotifyNewSession
_NWLogonSetAdmin
ServerLicensingLoadPolicy
_WinStationShadowTargetSetup
_WinStationCheckForApplicationName
WinStationQueryInformationW
ServerSetInternetConnectorStatus
ServerLicensingClose
WinStationEnumerate_IndexedW
_WinStationNotifyDisconnectPipe
_WinStationReInitializeSecurity
ServerLicensingGetPolicyInformationW
_WinStationNotifyLogon
_WinStationCallback
WinStationSendWindowMessage
ServerGetInternetConnectorStatus
_WinStationFUSCanRemoteUserDisconnect
_WinStationGetApplicationInfo
WinStationRenameA
_WinStationShadowTarget
WinStationConnectCallback
WinStationFreeGAPMemory
WinStationRemoveLicense
WinStationSetInformationA
WinStationShadowStop
ServerLicensingUnloadPolicy
_NWLogonQueryAdmin
WinStationNameFromLogonIdW
WinStationEnumerateA
WinStationGetProcessSid
WinStationEnumerateLicenses
WinStationRenameW

shlwapi

SHRegQueryUSValueW
SHRegCreateUSKeyA
StrRetToBSTR
UrlCompareW
StrChrIW
SHDeleteKeyA
PathIsSameRootW
PathQuoteSpacesW
StrCatBuffW
StrStrW
SHRegCloseUSKey
GetMenuPosFromID
SHIsLowMemoryMachine
SHGetValueA
StrRetToStrW
AssocQueryStringA
UrlGetPartW
PathIsNetworkPathA
UrlUnescapeW
UrlApplySchemeA
UrlCombineW
StrFormatByteSizeW
StrStrNIW
UrlGetPartA
StrSpnW
SHDeleteOrphanKeyW
PathIsRelativeW
StrFormatKBSizeA
PathBuildRootW
PathAddBackslashW
PathIsDirectoryEmptyA
PathIsSystemFolderW

wldap32

ldap_memfreeA
ber_flatten
ldap_delete_extW
ldap_unbind
ldap_count_entries
ldap_bind_s
ldap_modrdnA
ldap_ufn2dn
ldap_modrdn2W
ldap_create_sort_controlA
ldap_search_ext
ldap_modrdn2_s
ldap_extended_operation_sW
ldap_control_freeW
ldap_dn2ufn
ldap_get_values_lenW
ldap_search_sW
ldap_free_controlsW
ldap_get_valuesW
ldap_search_st
ldap_modrdn2
ldap_create_sort_controlW
ldap_addW
ldap_init
ldap_escape_filter_element
ldap_compare_ext_sA

kernel32

GetCommTimeouts
VirtualAlloc
FindFirstVolumeW
IsDBCSLeadByteEx
GetCurrentProcess
LoadLibraryA
BindIoCompletionCallback
CopyFileA
CompareStringW
GetSystemTimeAsFileTime
ExpandEnvironmentStringsA
ConvertFiberToThread
WaitNamedPipeW
GetConsoleAliasesLengthW
SetNamedPipeHandleState
WaitForSingleObjectEx
GlobalAddAtomW
GetNativeSystemInfo
GetProcessWorkingSetSize
GetUserDefaultLangID
GlobalMemoryStatusEx
DebugActiveProcessStop
Toolhelp32ReadProcessMemory
Process32FirstW
WritePrivateProfileStructA
EnumResourceLanguagesW
AddConsoleAliasA
GetCurrentProcessId
GlobalDeleteAtom
SetConsoleTitleA
CreateTimerQueue
lstrcmpW
CreateConsoleScreenBuffer
GlobalFix

rasapi32

RasGetEntryDialParamsW
RasGetAutodialAddressA
RasGetEntryPropertiesW
RasScriptGetIpAddress
RasDeleteSubEntryW
RasGetConnectionStatistics
RasFreeEapUserIdentityW
RasSetAutodialEnableW
RasSetSubEntryPropertiesA
DwRasUninitialize
RasEnumEntriesW
RasGetEapUserIdentityA
RasCreatePhonebookEntryA
RasScriptTerm
RasGetEapUserDataA
RasGetSubEntryHandleW
RasScriptInit
RasGetSubEntryPropertiesW
RasGetSubEntryHandleA
RasGetConnectStatusW
RasSetCustomAuthDataA
RasGetEntryHrasconnW
RasConnectionNotificationA
RasSetCredentialsW
RasClearLinkStatistics
RasGetCredentialsA
DwCloneEntry
RasDeleteSubEntryA
RasSetEntryPropertiesA
RasScriptReceive
RasDialW
RasValidateEntryNameW
RasSetCustomAuthDataW
RasRenameEntryW

ntdll

NtFreeUserPhysicalPages
ZwQueryIntervalProfile
ZwGetContextThread
_wcsicmp
RtlRegisterWait
NtSetInformationKey
NtAccessCheckAndAuditAlarm
RtlCreateUnicodeStringFromAsciiz
RtlLocalTimeToSystemTime
NtDuplicateToken
ZwQueryTimerResolution
RtlSetSecurityObject
NtQueryOpenSubKeys
ZwPrivilegeObjectAuditAlarm
RtlIsValidIndexHandle
RtlIpv4StringToAddressA
RtlpNtEnumerateSubKey
RtlEqualSid
NtSetLdtEntries
NtCancelIoFile
RtlCaptureContext
RtlRealSuccessor
LdrSetAppCompatDllRedirectionCallback
_strlwr
RtlLogStackBackTrace
NtFreeVirtualMemory
RtlAppendPathElement
ZwSetHighEventPair
RtlReleaseResource
ZwDeleteFile
RtlGenerate8dot3Name
RtlAddAuditAccessAce
NtFlushKey
RtlIpv6AddressToStringW
NtReadRequestData
strcmp
RtlDestroyProcessParameters

msdart

?IsMillnm@CMdVersionInfo@@SAHXZ
??1CSmallSpinLock@@QAE@XZ
?_TryWriteLock@CReaderWriterLock3@@AAE_NJ@Z
?sm_dblDfltSpinAdjFctr@CFakeLock@@1NA
?ConvertExclusiveToShared@CLKRLinearHashTable@@QBEXXZ
?_LockSpin@CSmallSpinLock@@AAEXXZ
?SetSpinCount@CSpinLock@@QAE_NG@Z
?Last@CDoubleList@@QBEQAVCListEntry@@XZ
?GetDefaultSpinAdjustmentFactor@CReaderWriterLock@@SGNXZ
?IsEmpty@CLockedSingleList@@QBE_NXZ
?IsWin98orLater@CMdVersionInfo@@SAHXZ
?ConvertSharedToExclusive@CCritSec@@QAEXXZ
?IsWriteLocked@CReaderWriterLock2@@QBE_NXZ
??1CLockedDoubleList@@QAE@XZ
?_RemoveThisFromGlobalList@CLKRLinearHashTable@@AAEXXZ
?GetDefaultSpinCount@CReaderWriterLock@@SGGXZ
?_Unlock@CSpinLock@@AAEXXZ
?ReadUnlock@CCritSec@@QAEXXZ
?CheckTable@CLKRHashTable@@QBEHXZ
?_TryReadLock@CReaderWriterLock@@AAE_NXZ
?_SubTable@CLKRHashTable@@ABEPAVCLKRLinearHashTable@@K@Z
??4CLockedDoubleList@@QAEAAV0@ABV0@@Z
??0CSingleList@@QAE@XZ
??1CSingleList@@QAE@XZ
?sm_pfnTryEnterCriticalSection@CCriticalSection@@0P6GHPAU_RTL_CRITICAL_SECTION@@@ZA
?TryReadLock@CReaderWriterLock3@@QAE_NXZ
?ConvertSharedToExclusive@CSmallSpinLock@@QAEXXZ
?ReadLock@CCritSec@@QAEXXZ
?GetDefaultSpinCount@CFakeLock@@SGGXZ
?GetDefaultSpinCount@CSpinLock@@SGGXZ
?Push@CLockedSingleList@@QAEXQAVCSingleListEntry@@@Z
?FindRecord@CLKRLinearHashTable@@QBE?AW4LK_RETCODE@@PBX@Z
?_SegIndex@CLKRLinearHashTable@@ABEKK@Z
?SetBucketLockSpinCount@CLKRHashTable@@QAEXG@Z
?_PredTrue@CLKRLinearHashTable@@CG?AW4LK_PREDICATE@@PBXPAX@Z
??4CReaderWriterLock2@@QAEAAV0@ABV0@@Z
?_H0@CLKRLinearHashTable@@CGKKK@Z
?IsReadLocked@CReaderWriterLock3@@QBE_NXZ
?_IsLocked@CSpinLock@@ABE_NXZ
?Pop@CLockedSingleList@@QAEQAVCSingleListEntry@@XZ
?sm_dblDfltSpinAdjFctr@CSpinLock@@1NA
?_TryReadLock@CReaderWriterLock2@@AAE_NXZ
??4CDoubleList@@QAEAAV0@ABV0@@Z
??4CReaderWriterLock3@@QAEAAV0@ABV0@@Z
?ReadLock@CSpinLock@@QAEXXZ

hid

HidD_GetManufacturerString
HidP_GetSpecificValueCaps
HidP_SetUsageValue
HidD_FreePreparsedData
HidP_SetUsages
HidD_GetPhysicalDescriptor
HidP_GetCaps
HidD_SetFeature
HidD_GetFeature
HidD_GetNumInputBuffers
HidP_GetValueCaps
HidP_GetUsageValue
HidP_InitializeReportForID
HidP_MaxDataListLength
HidP_GetExtendedAttributes
HidD_FlushQueue
HidP_SetData
HidP_GetData
HidD_SetConfiguration
HidD_GetAttributes
HidD_GetConfiguration
HidP_GetUsageValueArray
HidP_MaxUsageListLength
HidP_TranslateUsagesToI8042ScanCodes
HidD_GetMsGenreDescriptor
HidD_Hello
HidP_UsageListDifference
HidP_GetLinkCollectionNodes
HidD_GetHidGuid
HidD_SetOutputReport

pstorec

DllUnregisterServer
DllCanUnloadNow
DllGetClassObject
PStoreCreateInstance
DllRegisterServer
PStoreEnumProviders

Sections

.text
Size: 78KB - Virtual size: 78KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 136KB - Virtual size: 136KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 604KB - Virtual size: 1.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 296B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d0f52f5ebd18f4ff89b80a2d117d3465

Headers

DLL Characteristics

File Characteristics

Imports

gdi32

winsta

shlwapi

wldap32

kernel32

rasapi32

ntdll

msdart

hid

pstorec

Sections

.text Size: 78KB - Virtual size: 78KB

.rdata Size: 136KB - Virtual size: 136KB

.data Size: 604KB - Virtual size: 1.9MB

.rsrc Size: 6KB - Virtual size: 6KB

.reloc Size: 512B - Virtual size: 296B

.text
Size: 78KB - Virtual size: 78KB

.rdata
Size: 136KB - Virtual size: 136KB

.data
Size: 604KB - Virtual size: 1.9MB

.rsrc
Size: 6KB - Virtual size: 6KB

.reloc
Size: 512B - Virtual size: 296B