Spotify[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Spotify.exe
Size

29.1MB
MD5

a5ed83f0a3c793461244926a216c831f
SHA1

9ffe33531da245055fcfd57b66154838c0eb1f45
SHA256

b0c4e62e1065ecd7c943e8712feaadd28e626da067d0b0004983c60d065e5bf0
SHA512

2768fb958edabdbf6df5a08a07a6c20925689ca00ae41c880990ffe65f471fd365f6e5a3737e43d2710b68c4b51cca47776c3a25fd7a0f358b70f83cb1d1422c
SSDEEP

393216:AJp7OdTcKcMNPizIVBKPO/XW1vi1ZxduNwUUwUd:AJp7Yo4P/xuioQ

Score

1^/10

Malware Config

Signatures

Files

Spotify.exe
.exe windows:6 windows x64 arch:x64

c162cb32ed6f86acdcb9e41d7796f155

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0f:ab:67:0a:61:bf:4b:7d:af:d5:59:35:6b:5b:cc:ff
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

04/10/2023, 00:00

Not After

03/10/2024, 23:59

Subject

SERIALNUMBER=556703-7485,CN=Spotify AB,O=Spotify AB,L=Stockholm,C=SE,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#13025345

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

26:e7:72:16:41:b8:09:8d:cc:17:56:f3:c8:27:37:93:c8:62:9b:09:94:9a:5c:bc:e9:47:9f:ad:ee:ab:f9:6d
Signer

Actual PE Digest

26:e7:72:16:41:b8:09:8d:cc:17:56:f3:c8:27:37:93:c8:62:9b:09:94:9a:5c:bc:e9:47:9f:ad:ee:ab:f9:6d

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ws2_32

WSAStartup
getsockopt
shutdown
getpeername
connect
accept
__WSAFDIsSet
WSAStringToAddressW
WSARecv
getsockname
listen
getaddrinfo
freeaddrinfo
WSAIoctl
WSAAddressToStringW
WSASocketW
WSASendTo
WSASend
WSARecvFrom
WSAGetLastError
WSASetLastError
setsockopt
select
htons
ioctlsocket
closesocket
recv
recvfrom
send
sendto
WSASetEvent
WSACloseEvent
WSACreateEvent
bind
ntohs
inet_addr
gethostbyname
getprotobyname
socket
WSAWaitForMultipleEvents
WSAEnumNetworkEvents
ntohl
htonl
WSACleanup
WSAEventSelect

gdiplus

GdiplusStartup
GdipDrawImageRectRectI
GdipSetInterpolationMode
GdipBitmapUnlockBits
GdiplusShutdown
GdipCreateBitmapFromStream
GdipSetStringFormatLineAlign
GdipSetStringFormatAlign
GdipCloneStringFormat
GdipDeleteStringFormat
GdipStringFormatGetGenericDefault
GdipDrawString
GdipDeleteFont
GdipCreateFont
GdipGetGenericFontFamilySansSerif
GdipDeleteFontFamily
GdipAlloc
GdipCreateFontFamilyFromName
GdipFillEllipse
GdipSetTextRenderingHint
GdipSetSmoothingMode
GdipDeleteGraphics
GdipCreateHICONFromBitmap
GdipFree
GdipCloneBrush
GdipBitmapLockBits
GdipDeleteBrush
GdipCreateHBITMAPFromBitmap
GdipCreateBitmapFromScan0
GdipGetImageHeight
GdipGetImageWidth
GdipGetImageGraphicsContext
GdipDisposeImage
GdipCloneImage
GdipCreateSolidFill
GdipLoadImageFromStream

dbghelp

SymInitialize
SymCleanup
SymSetOptions
SymFromAddr
SymSetSearchPathW
SymGetSearchPathW
SymGetLineFromAddr64

ntdll

RtlCaptureStackBackTrace
RtlInitUnicodeString
VerSetConditionMask
RtlUnwind
RtlUnwindEx
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlPcToFileHeader

oleaut32

SetErrorInfo
GetErrorInfo
SysAllocString
SysFreeString
VariantClear
SysStringLen
SysAllocStringByteLen

userenv

DeriveAppContainerSidFromAppContainerName
CreateAppContainerProfile

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

SetThreadPriority
TlsAlloc
TlsGetValue
TlsSetValue
GetCurrentThread
GetProcessTimes
GetExitCodeThread
ExitProcess
GetCurrentThreadId
ExitThread
CreateThread
CreateRemoteThread
GetStartupInfoW
GetCurrentProcessId
TlsFree
TerminateThread
TerminateProcess
QueueUserAPC
ResumeThread
GetCurrentProcess
UpdateProcThreadAttribute
InitializeProcThreadAttributeList
DeleteProcThreadAttributeList
GetThreadId
SwitchToThread
CreateProcessW
GetExitCodeProcess

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime
GetLocalTime
GetVersionExW
GetSystemTime
GetSystemInfo
GetVersion
GetWindowsDirectoryW
GetTickCount64

api-ms-win-core-interlocked-l1-1-0

InterlockedPushEntrySList
InitializeSListHead

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringW
OutputDebugStringA

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError
RaiseException
SetLastError

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy
IsProcessorFeaturePresent
GetCurrentProcessorNumber
OpenProcess
SetProcessMitigationPolicy
GetProcessHandleCount

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleA
LoadResource
LockResource
SizeofResource
LoadLibraryExW
FreeLibrary
FreeLibraryAndExitThread
GetModuleHandleExW
GetModuleFileNameW
GetModuleHandleW
LoadLibraryExA
GetProcAddress
LoadStringW
SetDefaultDllDirectories

api-ms-win-core-synch-l1-1-0

ResetEvent
SleepEx
CreateEventA
AcquireSRWLockShared
CreateEventExW
InitializeSRWLock
EnterCriticalSection
SetWaitableTimer
TryAcquireSRWLockExclusive
AcquireSRWLockExclusive
InitializeCriticalSectionEx
InitializeCriticalSection
OpenMutexW
LeaveCriticalSection
ReleaseSRWLockShared
WaitForSingleObject
CreateMutexA
CreateEventW
CreateMutexW
DeleteCriticalSection
SetEvent
ReleaseSRWLockExclusive
InitializeCriticalSectionAndSpinCount

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-processenvironment-l1-1-0

SetStdHandle
SetCurrentDirectoryW
GetCurrentDirectoryW
FreeEnvironmentStringsW
GetStdHandle
ExpandEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
SetEnvironmentVariableW

api-ms-win-core-file-l1-1-0

GetDiskFreeSpaceExW
GetLongPathNameW
GetFileType
SetFileAttributesW
RemoveDirectoryW
LockFile
GetFileAttributesW
GetDriveTypeW
FindFirstFileW
GetVolumePathNameW
GetFileInformationByHandle
GetFileSize
SetEndOfFile
FindNextFileW
FindFirstFileExW
FindClose
UnlockFile
FlushFileBuffers
GetFullPathNameW
GetFileSizeEx
SetFilePointerEx
ReadFile
GetFileAttributesExW
CreateFileW
WriteFile
GetTempFileNameW
CreateDirectoryW
DeleteFileW

api-ms-win-core-heap-l1-1-0

HeapDestroy
HeapReAlloc
GetProcessHeap
HeapSize
GetProcessHeaps
HeapSetInformation
HeapAlloc
HeapFree

api-ms-win-core-localization-l1-2-0

LCMapStringEx
FormatMessageA
FormatMessageW
LCMapStringW
GetLocaleInfoW
GetLocaleInfoEx
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetCPInfo
GetUserDefaultLocaleName
GetOEMCP
IsValidCodePage
GetUserDefaultLangID
GetACP

api-ms-win-core-string-l1-1-0

GetStringTypeW
CompareStringEx
WideCharToMultiByte
MultiByteToWideChar
CompareStringW

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-fibers-l1-1-0

FlsSetValue
FlsGetValue
FlsAlloc
FlsFree

api-ms-win-core-datetime-l1-1-0

GetDateFormatW
GetTimeFormatW

api-ms-win-core-console-l1-1-0

ReadConsoleW
GetConsoleOutputCP
AllocConsole
WriteConsoleW
SetConsoleCtrlHandler
GetConsoleMode

api-ms-win-core-handle-l1-1-0

SetHandleInformation
CloseHandle
DuplicateHandle

api-ms-win-core-heap-l2-1-0

LocalFree
GlobalAlloc
LocalAlloc

api-ms-win-core-file-l2-1-0

CopyFileExW
MoveFileExW
ReplaceFileW
ReadDirectoryChangesW

api-ms-win-core-com-l1-1-0

StringFromCLSID
CoSetProxyBlanket
CoInitializeSecurity
CoTaskMemAlloc
CoGetApartmentType
CoGetObjectContext
CoCreateFreeThreadedMarshaler
PropVariantClear
CoTaskMemFree
CoCreateInstance
CoInitializeEx
CoUninitialize

api-ms-win-core-timezone-l1-1-0

GetTimeZoneInformation
SystemTimeToFileTime

api-ms-win-core-io-l1-1-0

CreateIoCompletionPort
CancelIoEx
PostQueuedCompletionStatus
GetQueuedCompletionStatus

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects
CreateWaitableTimerW

api-ms-win-core-io-l1-1-1

CancelIo

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryA
FindResourceW
LoadLibraryW

bcrypt

BCryptGenRandom
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider

api-ms-win-core-synch-l1-2-0

InitOnceBeginInitialize
InitOnceComplete
Sleep
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableSRW

api-ms-win-core-kernel32-legacy-l1-1-0

RegisterWaitForSingleObject
MoveFileW
UnregisterWait
CreateFileMappingA
GetSystemPowerStatus
GetComputerNameW

api-ms-win-core-toolhelp-l1-1-0

CreateToolhelp32Snapshot
Process32FirstW
Process32NextW

api-ms-win-core-psapi-l1-1-0

K32GetProcessMemoryInfo
K32GetModuleInformation

mswsock

AcceptEx
GetAcceptExSockaddrs

api-ms-win-ntuser-sysparams-l1-1-0

GetSystemMetrics
SystemParametersInfoW

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo
GetNativeSystemInfo

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW

api-ms-win-core-heap-obsolete-l1-1-0

GlobalLock
GlobalUnlock
GlobalSize

winhttp

WinHttpGetProxyForUrl
WinHttpSendRequest
WinHttpQueryDataAvailable
WinHttpSetOption
WinHttpConnect
WinHttpCloseHandle
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpSetTimeouts
WinHttpReadData
WinHttpOpen
WinHttpGetIEProxyConfigForCurrentUser
WinHttpOpenRequest
WinHttpSetCredentials
WinHttpSetStatusCallback
WinHttpAddRequestHeaders

api-ms-win-core-file-l1-2-2

GetTempPathA

api-ms-win-core-memory-l1-1-0

ReadProcessMemory
VirtualProtect
WriteProcessMemory
VirtualQuery
VirtualProtectEx
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
VirtualFreeEx
VirtualAllocEx
VirtualFree

api-ms-win-core-synch-ansi-l1-1-0

OpenMutexA

api-ms-win-core-kernel32-legacy-l1-1-2

OpenFileMappingA

api-ms-win-core-console-l1-2-0

AttachConsole

api-ms-win-core-console-l3-2-0

GetCurrentConsoleFont

api-ms-win-core-job-l2-1-0

SetInformationJobObject
AssignProcessToJobObject
CreateJobObjectW

api-ms-win-core-localization-l1-2-1

EnumSystemLocalesEx

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx

api-ms-win-core-processthreads-l1-1-2

SetThreadInformation

api-ms-win-core-wow64-l1-1-0

IsWow64Process

api-ms-win-core-processtopology-obsolete-l1-1-0

SetThreadAffinityMask

api-ms-win-mm-time-l1-1-0

timeGetTime

api-ms-win-core-namedpipe-l1-1-0

CreateNamedPipeW

kernel32

GetFileTime
DeviceIoControl
CreateDirectoryExW
WriteConsoleA
GetConsoleScreenBufferInfo
SetConsoleTextAttribute
CreateSemaphoreA
WaitForMultipleObjectsEx
K32GetModuleFileNameExW
AreFileApisANSI
SetThreadDescription
OpenEventA
GlobalFree
PowerClearRequest
TerminateJobObject
ReleaseSemaphore
GetEnvironmentVariableW
WaitForSingleObjectEx
QueryInformationJobObject
K32EnumProcessModules
PowerSetRequest
PowerCreateRequest
RegisterApplicationRestart
QueryDosDeviceW

dsound

ord11
ord2

avrt

AvSetMmThreadCharacteristicsW
AvRevertMmThreadCharacteristics
AvSetMmThreadPriority

wintrust

WTHelperGetProvCertFromChain
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
WinVerifyTrust

crypt32

CertGetNameStringA

iphlpapi

GetAdaptersAddresses

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolWork
SubmitThreadpoolWork
CreateThreadpoolWork
FreeLibraryWhenCallbackReturns
TrySubmitThreadpoolCallback

Exports

Exports

GetHandleVerifier
IsSandboxedProcess

Sections

.text
Size: 16.8MB - Virtual size: 16.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3.9MB - Virtual size: 3.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7.4MB - Virtual size: 7.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 871KB - Virtual size: 871KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 67KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c162cb32ed6f86acdcb9e41d7796f155

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

0f:ab:67:0a:61:bf:4b:7d:af:d5:59:35:6b:5b:cc:ffCertificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

26:e7:72:16:41:b8:09:8d:cc:17:56:f3:c8:27:37:93:c8:62:9b:09:94:9a:5c:bc:e9:47:9f:ad:ee:ab:f9:6dSigner

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

gdiplus

dbghelp

ntdll

oleaut32

userenv

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-fibers-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-io-l1-1-1

api-ms-win-core-libraryloader-l1-2-1

bcrypt

api-ms-win-core-synch-l1-2-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-toolhelp-l1-1-0

api-ms-win-core-psapi-l1-1-0

mswsock

api-ms-win-ntuser-sysparams-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-heap-obsolete-l1-1-0

winhttp

api-ms-win-core-file-l1-2-2

api-ms-win-core-memory-l1-1-0

api-ms-win-core-synch-ansi-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-2

api-ms-win-core-console-l1-2-0

api-ms-win-core-console-l3-2-0

api-ms-win-core-job-l2-1-0

api-ms-win-core-localization-l1-2-1

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

0f:ab:67:0a:61:bf:4b:7d:af:d5:59:35:6b:5b:cc:ff
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

26:e7:72:16:41:b8:09:8d:cc:17:56:f3:c8:27:37:93:c8:62:9b:09:94:9a:5c:bc:e9:47:9f:ad:ee:ab:f9:6d
Signer

.text
Size: 16.8MB - Virtual size: 16.8MB

.rdata
Size: 3.9MB - Virtual size: 3.9MB

.data
Size: 7.4MB - Virtual size: 7.6MB

.pdata
Size: 871KB - Virtual size: 871KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 67KB - Virtual size: 67KB