SangforUD[.]EXE[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

SangforUD.EXE.exe
Size

1.5MB
MD5

c1d8eade0b92d90b440c626272ae4035
SHA1

495ead9515f93188e07d24b0f14cb0a95929279a
SHA256

387304b50852736281a29d00ed2d8cdb3368d171215f1099b41c404e7e099193
SHA512

d948357a22ce55159877e0d98b37d1ba26bf7f45a0d877680ae5c6e7b7f50cdb8c75367c2e81178022b90b3c3244211655c462e4f26a22f76762ab023dda234a
SSDEEP

49152:B4zmomfUOdwsac0AWJ/8aklJWsMGcxZI:p9xC/8TcS

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
SangforUD.EXE.exe

Files

SangforUD.EXE.exe
.exe windows:6 windows x64 arch:x64

23060cb6d34364f3fe92b1b513c08815

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntdll

RtlVirtualUnwind
NtQuerySystemInformation
RtlGetVersion
NtQueryInformationProcess
RtlCaptureContext
RtlLookupFunctionEntry
NtCreateFile
NtDeviceIoControlFile
RtlNtStatusToDosError
NtCancelIoFileEx

kernel32

HeapFree
GetProcessHeap
SetUnhandledExceptionFilter
HeapReAlloc
SwitchToThread
InitializeSListHead
GetCurrentThreadId
GetTickCount64
HeapAlloc
TryAcquireSRWLockExclusive
ReleaseSRWLockExclusive
SetHandleInformation
AcquireSRWLockExclusive
GetStdHandle
GetConsoleMode
WaitForSingleObject
WriteConsoleW
SetLastError
SetThreadStackGuarantee
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
GetCurrentProcess
ReleaseMutex
GetEnvironmentVariableW
GetModuleHandleW
FormatMessageW
GetModuleFileNameW
CreateFileW
GetQueuedCompletionStatusEx
DeviceIoControl
GetFullPathNameW
GetFinalPathNameByHandleW
CreateDirectoryW
AddVectoredExceptionHandler
GetProcessId
CreateIoCompletionPort
SetFileCompletionNotificationModes
ReadFileEx
SleepEx
CompareStringOrdinal
GetSystemDirectoryW
GetFileAttributesW
GetWindowsDirectoryW
CreateProcessW
DuplicateHandle
GetCurrentProcessId
CreateNamedPipeW
CreateThread
GetCurrentThread
WriteFileEx
WaitForMultipleObjects
GetOverlappedResult
GetExitCodeProcess
CreateEventW
CancelIo
ReadFile
QueryPerformanceFrequency
QueryPerformanceCounter
GetSystemTimeAsFileTime
AcquireSRWLockShared
ReleaseSRWLockShared
OpenProcess
ReadProcessMemory
GetProcessTimes
GetSystemInfo
WakeConditionVariable
SleepConditionVariableSRW
GetSystemTimes
GetProcessIoCounters
GetLastError
LocalFree
VirtualQueryEx
DeleteFileW
FreeEnvironmentStringsW
PostQueuedCompletionStatus
GetEnvironmentStringsW
WakeAllConditionVariable
CloseHandle
GetProcAddress
GetFileInformationByHandle
CopyFileExW
IsDebuggerPresent
UnhandledExceptionFilter
Sleep
GetModuleHandleA
GetCurrentDirectoryW
lstrlenW
IsProcessorFeaturePresent

crypt32

CertFreeCertificateContext
CertOpenStore
CertDuplicateCertificateContext
CertDuplicateCertificateChain
CertDuplicateStore
CertGetCertificateChain
CertFreeCertificateChain
CertVerifyCertificateChainPolicy
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertCloseStore

iphlpapi

GetAdaptersAddresses
GetTcpTable

shell32

SHGetKnownFolderPath
CommandLineToArgvW

ole32

CoTaskMemFree
CoUninitialize

pdh

PdhRemoveCounter
PdhCloseQuery

ws2_32

ioctlsocket
WSASocketW
connect
shutdown
WSASend
bind
setsockopt
closesocket
getaddrinfo
freeaddrinfo
WSACleanup
WSAIoctl
getsockname
WSAGetLastError
getpeername
recv
send
getsockopt
WSAStartup

bcrypt

BCryptGenRandom

secur32

DecryptMessage
InitializeSecurityContextW
FreeContextBuffer
DeleteSecurityContext
FreeCredentialsHandle
EncryptMessage
AcceptSecurityContext
QueryContextAttributesW
AcquireCredentialsHandleA
ApplyControlToken

advapi32

GetTokenInformation
OpenProcessToken
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
LookupAccountSidW

powrprof

CallNtPowerInformation

psapi

GetModuleFileNameExW
EnumProcessModulesEx

vcruntime140

memcmp
memset
memcpy
memmove
__CxxFrameHandler3
__C_specific_handler

api-ms-win-crt-string-l1-1-0

wcslen

api-ms-win-crt-runtime-l1-1-0

_initterm_e
exit
_exit
__p___argc
__p___argv
_seh_filter_exe
_cexit
_initialize_narrow_environment
_configure_narrow_argv
_initterm
_initialize_onexit_table
_register_onexit_function
_crt_atexit
terminate
_set_app_type
_get_initial_narrow_environment
_c_exit
_register_thread_local_exe_atexit_callback

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__p__commode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-heap-l1-1-0

free
_set_new_mode

Sections

.text
Size: 913KB - Virtual size: 912KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 596KB - Virtual size: 595KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 952B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 379B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 856B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

23060cb6d34364f3fe92b1b513c08815

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

kernel32

crypt32

iphlpapi

shell32

ole32

pdh

ws2_32

bcrypt

secur32

advapi32

powrprof

psapi

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-heap-l1-1-0

Sections

.text Size: 913KB - Virtual size: 912KB

.rdata Size: 596KB - Virtual size: 595KB

.data Size: 512B - Virtual size: 952B

.pdata Size: 32KB - Virtual size: 31KB

.tls Size: 512B - Virtual size: 379B

.gfids Size: 512B - Virtual size: 32B

.rsrc Size: 1024B - Virtual size: 856B

.reloc Size: 7KB - Virtual size: 6KB

.text
Size: 913KB - Virtual size: 912KB

.rdata
Size: 596KB - Virtual size: 595KB

.data
Size: 512B - Virtual size: 952B

.pdata
Size: 32KB - Virtual size: 31KB

.tls
Size: 512B - Virtual size: 379B

.gfids
Size: 512B - Virtual size: 32B

.rsrc
Size: 1024B - Virtual size: 856B

.reloc
Size: 7KB - Virtual size: 6KB