58b07247d992fbeb11195ba6d341a56906a48c31f3bc9abfd04dd878f8fd7531

Sharing

Copy URL Twitter E-mail

General

Target

58b07247d992fbeb11195ba6d341a56906a48c31f3bc9abfd04dd878f8fd7531
Size

1.1MB
MD5

f06a0ebfed1e26bcb3cc958ea7d79609
SHA1

7442c25a1cb1311d4edcff8032fc1a92c6c3e585
SHA256

58b07247d992fbeb11195ba6d341a56906a48c31f3bc9abfd04dd878f8fd7531
SHA512

1dc291dbdbd32b2df32b9c0de071c31dffc0d5bfa0f03aadef16e664c42901b4d08b9745ee3ee71b34abce7a9c000740c5e412cf6e6999f15887ce13e519961d
SSDEEP

24576:oaGKTXxr+aGKTXEeFOZ4l/B6IYCxQBd3r1VZ+9+NHw5fpYxk0rGHRFS2ph8K:oXqXxr+XqXda46Qgxa9so8ktzZpOK

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/ClientDaemon.exe

Files

58b07247d992fbeb11195ba6d341a56906a48c31f3bc9abfd04dd878f8fd7531
.zip
ClientDaemon.exe
.exe windows:5 windows x86 arch:x86

29b5fefb7ac137853f516c95a716de08

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

nw_elf

GetInstallDetailsPayload
SignalChromeElf

user32

CloseDesktop
CloseWindowStation
CreateDesktopW
CreateWindowExW
CreateWindowStationW
DefWindowProcW
DestroyWindow
DispatchMessageW
GetMessageW
GetProcessWindowStation
GetThreadDesktop
GetUserObjectInformationW
GetWindowLongW
PeekMessageW
PostMessageW
PostThreadMessageW
RegisterClassW
SetProcessDPIAware
SetProcessWindowStation
SetWindowLongW
TranslateMessage
UnregisterClassW
wsprintfW

kernel32

AcquireSRWLockExclusive
AssignProcessToJobObject
ChangeTimerQueueTimer
CloseHandle
CompareStringW
ConnectNamedPipe
CreateDirectoryW
CreateEventW
CreateFileMappingW
CreateFileW
CreateIoCompletionPort
CreateJobObjectW
CreateMutexW
CreateNamedPipeW
CreateProcessW
CreateRemoteThread
CreateSemaphoreW
CreateThread
CreateTimerQueue
CreateTimerQueueTimer
DebugBreak
DecodePointer
DeleteCriticalSection
DeleteFileW
DeleteTimerQueueTimer
DisconnectNamedPipe
DuplicateHandle
EncodePointer
EnterCriticalSection
EnumSystemLocalesEx
EnumSystemLocalesW
ExitProcess
ExpandEnvironmentStringsW
FileTimeToSystemTime
FindClose
FindFirstFileExW
FindNextFileW
FlushFileBuffers
FlushViewOfFile
FormatMessageA
FormatMessageW
FreeEnvironmentStringsW
FreeLibrary
FreeLibraryAndExitThread
GetACP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetConsoleCP
GetConsoleMode
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDriveTypeW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetExitCodeProcess
GetFileAttributesExW
GetFileAttributesW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFileSizeEx
GetFileType
GetFullPathNameW
GetLastError
GetLocalTime
GetLocaleInfoW
GetLogicalProcessorInformation
GetLongPathNameW
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExW
GetModuleHandleW
GetNativeSystemInfo
GetNumaHighestNodeNumber
GetOEMCP
GetProcAddress
GetProcessAffinityMask
GetProcessHandleCount
GetProcessHeaps
GetProcessId
GetProcessTimes
GetQueuedCompletionStatus
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemDefaultLCID
GetSystemDirectoryW
GetSystemInfo
GetSystemTimeAsFileTime
GetTempPathW
GetThreadContext
GetThreadId
GetThreadLocale
GetThreadPriority
GetThreadTimes
GetTickCount
GetTimeZoneInformation
GetUserDefaultLCID
GetUserDefaultLangID
GetUserDefaultLocaleName
GetVersion
GetVersionExW
GetWindowsDirectoryW
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSetInformation
HeapSize
InitOnceExecuteOnce
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeSListHead
InterlockedFlushSList
InterlockedPopEntrySList
InterlockedPushEntrySList
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
IsValidLocale
IsWow64Process
LCMapStringW
LeaveCriticalSection
LoadLibraryExA
LoadLibraryExW
LoadLibraryW
LocalFree
LockFileEx
MapViewOfFile
MoveFileW
MultiByteToWideChar
OpenProcess
OutputDebugStringA
OutputDebugStringW
PeekNamedPipe
PostQueuedCompletionStatus
ProcessIdToSessionId
QueryDepthSList
QueryDosDeviceW
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseException
ReadConsoleW
ReadFile
ReadProcessMemory
RegisterWaitForSingleObject
ReleaseSRWLockExclusive
ReleaseSemaphore
RemoveDirectoryW
ReplaceFileW
ResetEvent
ResumeThread
RtlCaptureStackBackTrace
RtlUnwind
SearchPathW
SetConsoleCtrlHandler
SetCurrentDirectoryW
SetEndOfFile
SetEnvironmentVariableW
SetEvent
SetFileAttributesW
SetFilePointer
SetFilePointerEx
SetFileTime
SetHandleInformation
SetInformationJobObject
SetLastError
SetNamedPipeHandleState
SetProcessShutdownParameters
SetStdHandle
SetThreadAffinityMask
SetThreadPriority
SetUnhandledExceptionFilter
SignalObjectAndWait
Sleep
SleepEx
SuspendThread
SwitchToThread
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime
TerminateJobObject
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TransactNamedPipe
TryAcquireSRWLockExclusive
TryEnterCriticalSection
TzSpecificLocalTimeToSystemTime
UnhandledExceptionFilter
UnlockFileEx
UnmapViewOfFile
UnregisterWait
UnregisterWaitEx
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtect
VirtualProtectEx
VirtualQuery
VirtualQueryEx
WaitForSingleObject
WaitForSingleObjectEx
WaitNamedPipeW
WideCharToMultiByte
WriteConsoleW
WriteFile
WriteProcessMemory
lstrlenW

shell32

CommandLineToArgvW
SHGetFolderPathW
SHGetKnownFolderPath

advapi32

AccessCheck
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertStringSidToSidW
CopySid
CreateProcessAsUserW
CreateRestrictedToken
CreateWellKnownSid
DuplicateToken
DuplicateTokenEx
EqualSid
FreeSid
GetAce
GetKernelObjectSecurity
GetLengthSid
GetNamedSecurityInfoW
GetSecurityDescriptorSacl
GetSecurityInfo
GetSidSubAuthority
GetTokenInformation
ImpersonateLoggedOnUser
ImpersonateNamedPipeClient
InitializeSid
IsValidSid
LookupPrivilegeValueW
MapGenericMask
OpenProcessToken
RegCloseKey
RegCreateKeyExW
RegDeleteValueW
RegDisablePredefinedCache
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
RevertToSelf
SetEntriesInAclW
SetKernelObjectSecurity
SetSecurityInfo
SetThreadToken
SetTokenInformation
SystemFunction036

winmm

timeGetTime

shlwapi

PathMatchSpecW

psapi

GetPerformanceInfo
GetProcessMemoryInfo
QueryWorkingSetEx

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

Exports

Exports

GetHandleVerifier
IsSandboxedProcess

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 318KB - Virtual size: 317KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.00cfg
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 25B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

CPADinfo
Size: 512B - Virtual size: 40B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

prot
Size: 512B - Virtual size: 184B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 470KB - Virtual size: 470KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 44KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
cb.txt
cd.txt
nw_elf.dll
.dll windows:6 windows x86 arch:x86

a9b8a364cd485776159b27e103027b89

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

24/05/2016, 00:00

Not After

24/06/2027, 00:00

Subject

CN=GlobalSign TSA for MS Authenticode - G2,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

26:85:4b:da:75:75:3c:37:82:1d:f6:d2:bb:a1:f5:11
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

30/11/2016, 00:00

Not After

29/01/2020, 23:59

Subject

CN=GNWay (Beijing) Co. Ltd,OU=R&D,O=GNWay (Beijing) Co. Ltd,L=beijing,ST=beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

55:4f:a8:ad:88:35:55:d5:ba:f9:fb:91:33:35:48:31:a9:8d:2a:dc
Signer

Actual PE Digest

55:4f:a8:ad:88:35:55:d5:ba:f9:fb:91:33:35:48:31:a9:8d:2a:dc

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

FindClose
CreateFileA
GetFileSize
VirtualAlloc
CloseHandle
ReadFile
CreateFileW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RaiseException
InterlockedFlushSList
RtlUnwind
GetLastError
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
EncodePointer
GetModuleFileNameW
GetModuleHandleExW
ExitProcess
HeapAlloc
HeapValidate
GetSystemInfo
LCMapStringW
GetStdHandle
GetFileType
WriteFile
OutputDebugStringW
WriteConsoleW
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
HeapFree
HeapReAlloc
HeapSize
HeapQueryInformation
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
SetStdHandle
GetFileSizeEx
SetFilePointerEx
GetStringTypeW
DecodePointer

Exports

Exports

AddDllToBlacklist
CrashForException_ExportThunk
DrainLog
DumpHungProcessWithPtype_ExportThunk
DumpProcessWithoutCrash
ElfGetReporterClient
GetCrashReports_ExportThunk
GetCrashpadDatabasePath_ExportThunk
GetHandleVerifier
GetInstallDetailsPayload
GetUserDataDirectoryThunk
InjectDumpForHungInput_ExportThunk
IsBlacklistInitialized
RegisterLogNotification
RequestSingleCrashUpload_ExportThunk
SetMetricsClientId
SetUploadConsent_ExportThunk
SignalChromeElf
SignalInitializeCrashReporting
SuccessfullyBlocked

Sections

.text
Size: 204KB - Virtual size: 204KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 63KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

29b5fefb7ac137853f516c95a716de08

Headers

DLL Characteristics

File Characteristics

Imports

nw_elf

user32

kernel32

shell32

advapi32

winmm

shlwapi

psapi

version

Exports

Exports

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 318KB - Virtual size: 317KB

.data Size: 8KB - Virtual size: 30KB

.00cfg Size: 512B - Virtual size: 4B

.tls Size: 512B - Virtual size: 25B

CPADinfo Size: 512B - Virtual size: 40B

prot Size: 512B - Virtual size: 184B

.rsrc Size: 470KB - Virtual size: 470KB

.reloc Size: 44KB - Virtual size: 44KB

a9b8a364cd485776159b27e103027b89

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7Certificate

Key Usages

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14Certificate

Extended Key Usages

Key Usages

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fdCertificate

Extended Key Usages

Key Usages

26:85:4b:da:75:75:3c:37:82:1d:f6:d2:bb:a1:f5:11Certificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

55:4f:a8:ad:88:35:55:d5:ba:f9:fb:91:33:35:48:31:a9:8d:2a:dcSigner

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

Exports

Exports

Sections

.text Size: 204KB - Virtual size: 204KB

.rdata Size: 63KB - Virtual size: 62KB

.data Size: 2KB - Virtual size: 6KB

.reloc Size: 8KB - Virtual size: 8KB

.rsrc Size: 1KB - Virtual size: 1KB

.text
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 318KB - Virtual size: 317KB

.data
Size: 8KB - Virtual size: 30KB

.00cfg
Size: 512B - Virtual size: 4B

.tls
Size: 512B - Virtual size: 25B

CPADinfo
Size: 512B - Virtual size: 40B

prot
Size: 512B - Virtual size: 184B

.rsrc
Size: 470KB - Virtual size: 470KB

.reloc
Size: 44KB - Virtual size: 44KB

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

26:85:4b:da:75:75:3c:37:82:1d:f6:d2:bb:a1:f5:11
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

55:4f:a8:ad:88:35:55:d5:ba:f9:fb:91:33:35:48:31:a9:8d:2a:dc
Signer

.text
Size: 204KB - Virtual size: 204KB

.rdata
Size: 63KB - Virtual size: 62KB

.data
Size: 2KB - Virtual size: 6KB

.reloc
Size: 8KB - Virtual size: 8KB

.rsrc
Size: 1KB - Virtual size: 1KB