4385db012a67e6bff83a7b0e1cb43fe8

Sharing

Copy URL

Twitter E-mail

General

Target

4385db012a67e6bff83a7b0e1cb43fe8
Size

2.5MB
MD5

4385db012a67e6bff83a7b0e1cb43fe8
SHA1

21358adfbaac2c866ed293813fc7d12476bb8ca6
SHA256

f426ec6da6d82921eadaca18c53163451799775ce66ec6ddb85193a7bd5138b8
SHA512

232ed227c810216a9a418f1d26ee3d2a90e5afd1fe0f17a3a2ad4424708af126661959527b9e5587b5cc93927dfa034fb9f2c64789cee25c9ff80fb202a3ee72
SSDEEP

49152:nCbRquA/m2yL5zufFiV+XenmE3/zDD4t:woqLVjnm24

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
4385db012a67e6bff83a7b0e1cb43fe8

Files

4385db012a67e6bff83a7b0e1cb43fe8
.exe windows:6 windows x64 arch:x64

754a865a9eebb214e7a6f31dbffc6594

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

DeleteFileW
RemoveDirectoryW
FindClose
MoveFileW
SetFileAttributesW
FindNextFileW
CopyFileW
GetDriveTypeW
CopyFileExW
GetTempFileNameW
GetComputerNameExW
SetLastError
GetLocalTime
MultiByteToWideChar
GetFileAttributesW
MoveFileExW
FindFirstFileW
DebugBreak
GetProcessHeap
HeapFree
HeapAlloc
DeleteCriticalSection
HeapSetInformation
DecodePointer
LockResource
GetLastError
RaiseException
InitializeCriticalSectionEx
SizeofResource
LoadResource
FindResourceW
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
IsProcessorFeaturePresent
EncodePointer
OutputDebugStringW
IsDebuggerPresent
ResetEvent
SubmitThreadpoolWork
TerminateProcess
Sleep
CreateThreadpoolWork
CloseThreadpoolWork
CloseThreadpool
SetThreadpoolThreadMinimum
CloseThreadpoolCleanupGroupMembers
CreateThreadpoolCleanupGroup
SetThreadpoolThreadMaximum
CreateThreadpool
CloseThreadpoolCleanupGroup
GetFinalPathNameByHandleW
DeviceIoControl
DuplicateHandle
CreateEventW
GetExitCodeProcess
SetEvent
WaitForSingleObject
CreateProcessW
GetCurrentThreadId
EnterCriticalSection
Wow64RevertWow64FsRedirection
LeaveCriticalSection
Wow64DisableWow64FsRedirection
InitializeCriticalSection
LoadLibraryA
LoadLibraryW
WideCharToMultiByte
GetVersionExW
GetNativeSystemInfo
ExpandEnvironmentStringsW
LocalFree
CloseHandle
GetShortPathNameW
GetProcAddress
GetLongPathNameW
GetCurrentDirectoryW
GetTempPathW
CreateFileW
GetModuleFileNameW
GetSystemDirectoryW
GetCurrentThread
GetModuleHandleW
GetCurrentProcess
SearchPathW
GetEnvironmentVariableW

user32

LoadStringW

advapi32

OpenThreadToken
GetTokenInformation
DuplicateToken
ConvertSidToStringSidW
RegDeleteKeyExW
RegQueryValueExW
RegQueryInfoKeyW
RegDeleteValueW
RegEnumValueW
RegEnumKeyExW
RegSetValueExW
SetThreadToken
EventWrite
CreateProcessAsUserW
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegOpenCurrentUser
EventUnregister
EventRegister
EventActivityIdControl
CryptHashData
CryptDestroyHash
CryptCreateHash
CryptReleaseContext
CryptAcquireContextW
CryptGetHashParam
RevertToSelf
ImpersonateLoggedOnUser
OpenProcessToken

shell32

SHGetKnownFolderPath
ord165

ole32

CoCreateInstance
CoTaskMemFree
CoInitializeEx
CoCreateGuid
CLSIDFromString
StringFromGUID2
CoUninitialize

appvpolicy

ord3

appvmanifest

ord3

msvcp120

?_Incref@facet@locale@std@@UEAAXXZ
?_Orphan_all@_Container_base0@std@@QEAAXXZ
?_Swap_all@_Container_base0@std@@QEAAXAEAU12@@Z
?_Xbad_function_call@std@@YAXXZ
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?id@?$ctype@_W@std@@2V0locale@2@A
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?id@?$collate@_W@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??_7facet@locale@std@@6B@
_Wcscoll
_Wcsxfrm
??_7_Facet_base@std@@6B@
?_Winerror_map@std@@YAPEBDH@Z
?_Syserror_map@std@@YAPEBDH@Z
?_BADOFF@std@@3_JB
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?_Xbad_alloc@std@@YAXXZ
?wcerr@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?_Xout_of_range@std@@YAXPEBD@Z
??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAGXZ
?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z
?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z
?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAPEAV12@PEA_W_J@Z
?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z
??1?$basic_istream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?setg@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXPEA_W00@Z
?setp@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXPEA_W0@Z
?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAPEA_WXZ
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAI@Z
??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAH@Z
??0?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
?_Getlconv@_Locinfo@std@@QEBAPEBUlconv@@XZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
_Mbrtowc
?classic@locale@std@@SAAEBV12@XZ
?id@?$numpunct@_W@std@@2V0locale@2@A
??1_Container_base12@std@@QEAA@XZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_N@Z
?widen@?$ctype@_W@std@@QEBA_WD@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@I@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
??0_Locinfo@std@@QEAA@PEBD@Z
??1_Locinfo@std@@QEAA@XZ
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
??1_Facet_base@std@@UEAA@XZ
??Bid@locale@std@@QEAA_KXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
?is@?$ctype@_W@std@@QEBA_NF_W@Z
?tolower@?$ctype@_W@std@@QEBA_W_W@Z
?tolower@?$ctype@_W@std@@QEBAPEB_WPEA_WPEB_W@Z
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Xlength_error@std@@YAXPEBD@Z
?uncaught_exception@std@@YA_NXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?exceptions@ios_base@std@@QEAAXH@Z

msvcr120

??3@YAXPEAX@Z
_stricmp
memmove
free
_purecall
_wtoi
towupper
swprintf_s
swscanf_s
_ultow_s
??8type_info@@QEBA_NAEBV0@@Z
__CxxFrameHandler3
strrchr
??2@YAPEAX_K@Z
_wcsicmp
?what@exception@std@@UEBAPEBDXZ
??1exception@std@@UEAA@XZ
memcpy
??0exception@std@@QEAA@AEBQEBDH@Z
??0exception@std@@QEAA@AEBV01@@Z
wcscpy_s
_wcsnicmp
_wcslwr_s
_wcsupr_s
iswalpha
iswspace
iswdigit
iswctype
?terminate@@YAXXZ
??1bad_cast@std@@UEAA@XZ
??0bad_cast@std@@QEAA@PEBD@Z
??0bad_cast@std@@QEAA@AEBV01@@Z
strchr
wcsncmp
wcschr
realloc
_wsplitpath_s
ldiv
memcpy_s
_wmakepath_s
??_V@YAXPEAX@Z
rand
srand
_time64
??0exception@std@@QEAA@XZ
memset
_lock
_unlock
_calloc_crt
__dllonexit
__C_specific_handler
_onexit
_XcptFilter
_amsg_exit
__wgetmainargs
_CxxThrowException
__RTDynamicCast
memcmp
__crtSetUnhandledExceptionFilter
?_type_info_dtor_internal_method@type_info@@QEAAXXZ
__crtCapturePreviousContext
__crtTerminateProcess
__crtUnhandledException
__crt_debugger_hook
_commode
_fmode
__winitenv
_initterm
_initterm_e
__setusermatherr
_configthreadlocale
_cexit
_exit
exit
__set_app_type

shlwapi

PathFileExistsW
PathFindExtensionW
PathCanonicalizeW
PathIsUNCW
SHCreateStreamOnFileEx

userenv

ExpandEnvironmentStringsForUserW
UnloadUserProfile
CreateEnvironmentBlock
DestroyEnvironmentBlock

ntdll

NtQueryKey

rpcrt4

RpcBindingFromStringBindingW
UuidCreate
NdrClientCall2
RpcMgmtIsServerListening
RpcStringFreeW
RpcBindingFree
RpcMgmtSetCancelTimeout
RpcBindingSetAuthInfoExW
RpcCancelThread
RpcStringBindingComposeW

msi

ord96
ord173
ord160
ord217
ord32
ord118
ord8
ord159
ord49

oleaut32

SysAllocString
VariantClear
VariantChangeType
VariantCopy
VariantInit
SysFreeString

Sections

.text
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 729KB - Virtual size: 728KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 49KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 61KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 408KB - Virtual size: 748KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

754a865a9eebb214e7a6f31dbffc6594

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

appvpolicy

appvmanifest

msvcp120

msvcr120

shlwapi

userenv

ntdll

rpcrt4

msi

oleaut32

Sections

.text Size: 1.3MB - Virtual size: 1.3MB

.rdata Size: 729KB - Virtual size: 728KB

.data Size: 49KB - Virtual size: 55KB

.pdata Size: 61KB - Virtual size: 60KB

.rsrc Size: 9KB - Virtual size: 8KB

.reloc Size: 408KB - Virtual size: 748KB

.text
Size: 1.3MB - Virtual size: 1.3MB

.rdata
Size: 729KB - Virtual size: 728KB

.data
Size: 49KB - Virtual size: 55KB

.pdata
Size: 61KB - Virtual size: 60KB

.rsrc
Size: 9KB - Virtual size: 8KB

.reloc
Size: 408KB - Virtual size: 748KB