Static task
static1
Behavioral task
behavioral1
Sample
800768b6c809f23e4d8a2818a3a02f99.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
800768b6c809f23e4d8a2818a3a02f99.exe
Resource
win10v2004-20231215-en
General
-
Target
800768b6c809f23e4d8a2818a3a02f99
-
Size
125KB
-
MD5
800768b6c809f23e4d8a2818a3a02f99
-
SHA1
2e0f4ba39f3377be8250e634461d6f4600bc5d49
-
SHA256
585303d733a712fd8c0f910e16596934e2b7212c0d0a542d532d617f95d6315d
-
SHA512
31b80f8467ab1c9f1e5891f291ffef5e1b6b8110b40f5eb1784c19c6075c601284a3fef7da3a1c60f059f3a1e6f04e9f6af7a5465f6bf445be3e7b8ca8c4449b
-
SSDEEP
3072:nlkuVAR5xlBdLqGJY6Dp5MK+SgqBR9waYvBkPkoBF:lk7RJC0p6K+S/ZqBkPNH
Malware Config
Signatures
-
Unsigned PE — 1 IoC
Checks for missing Authenticode signature.
resource 800768b6c809f23e4d8a2818a3a02f99
Files
-
800768b6c809f23e4d8a2818a3a02f99.exe windows:5 windows x86 arch:x86
ab15e4203c16729738800f73314e52ac
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntdll
RtlReAllocateHeap
LdrQueryImageFileExecutionOptions
ZwSetDebugFilterState
NtCreateDirectoryObject
RtlDeleteElementGenericTableAvl
memcmp
wcstol
_i64toa
RtlEnlargedUnsignedMultiply
RtlEnableEarlyCriticalSectionEventCreation
ZwGetWriteWatch
RtlAcquirePebLock
LdrShutdownProcess
RtlUnhandledExceptionFilter
ZwOpenObjectAuditAlarm
memset
NtOpenSection
ZwQueryDebugFilterState
NtLockRegistryKey
RtlIdentifierAuthoritySid
ZwReleaseSemaphore
NtCloseObjectAuditAlarm
strncpy
RtlQueryEnvironmentVariable_U
ZwIsProcessInJob
ZwWaitForKeyedEvent
NtPrivilegeCheck
NtQueueApcThread
NtPlugPlayControl
ZwImpersonateAnonymousToken
NtResumeProcess
crypt32
CertGetCRLContextProperty
CryptEncodeObjectEx
I_CryptFreeLruCache
CryptFindCertificateKeyProvInfo
I_CryptRemoveLruEntry
CryptMsgOpenToDecode
CertDeleteCRLFromStore
CryptMsgDuplicate
CryptProtectData
CryptExportPublicKeyInfo
CryptQueryObject
PFXExportCertStore
I_CryptUninstallOssGlobal
CryptSIPGetSignedDataMsg
CryptGetOIDFunctionValue
I_CryptEnableLruOfEntries
CryptFindOIDInfo
CertSetCRLContextProperty
CryptUnregisterDefaultOIDFunction
CertEnumCTLsInStore
RegSetValueExU
I_CryptGetFileVersion
CertDeleteCTLFromStore
CryptMsgVerifyCountersignatureEncodedEx
PFXImportCertStore
CertFindExtension
CryptFormatObject
CryptAcquireContextU
CryptFindLocalizedName
CertUnregisterSystemStore
CryptGetKeyIdentifierProperty
CryptSIPAddProvider
CryptHashPublicKeyInfo
CertAddSerializedElementToStore
CertDeleteCertificateFromStore
CertAddEncodedCTLToStore
CryptInitOIDFunctionSet
winmm
midiStreamPosition
mixerGetControlDetailsW
mixerOpen
midiInGetErrorTextW
auxGetDevCapsW
mciGetDriverData
PlaySoundA
wod32Message
midiStreamClose
sndPlaySoundA
mixerMessage
joyGetPosEx
mciGetDeviceIDFromElementIDW
mmioAscend
mixerSetControlDetails
midiOutGetID
timeBeginPeriod
waveInClose
mod32Message
joyGetThreshold
midiInGetDevCapsA
waveOutRestart
midiOutClose
mciGetYieldProc
joySetCapture
waveOutSetPlaybackRate
waveOutSetVolume
mmioInstallIOProcW
waveOutGetNumDevs
WOWAppExit
mmioGetInfo
midiConnect
mixerGetLineInfoA
mciDriverYield
midiStreamOpen
waveInStart
ifsutil
?CheckValidSecurityDescriptor@IFS_SYSTEM@@SGEKPAU_SECURITY_DESCRIPTOR@@@Z
?IsEntryPresent@AUTOREG@@SGEPBVWSTRING@@0@Z
?Initialize@DP_DRIVE@@QAEEPBVWSTRING@@PAVMESSAGE@@EEG@Z
?RemoveAll@NUMBER_SET@@QAEEXZ
??1TLINK@@UAE@XZ
?DosDriveNameToNtDriveName@IFS_SYSTEM@@SGEPBVWSTRING@@PAV2@@Z
?DeleteEntry@AUTOREG@@SGEPBVWSTRING@@0@Z
?AddEdge@DIGRAPH@@QAEEKK@Z
?AddDriveName@MOUNT_POINT_MAP@@QAEEPAVWSTRING@@0@Z
?EnableFileSystem@IFS_SYSTEM@@SGEPBVWSTRING@@@Z
?InvalidateVolume@IO_DP_DRIVE@@QAEEXZ
??1VOL_LIODPDRV@@UAE@XZ
?QueryParents@DIGRAPH@@QBEEKPAVNUMBER_SET@@@Z
?ChkDsk@VOL_LIODPDRV@@QAEEW4FIX_LEVEL@@PAVMESSAGE@@KKGPAKPBVWSTRING@@@Z
??0DP_DRIVE@@QAE@XZ
?QueryNtfsSupportInfo@DP_DRIVE@@SGJPAXPAE@Z
?DismountVolume@IFS_SYSTEM@@SGEPBVWSTRING@@@Z
?FlushCache@IO_DP_DRIVE@@QAEEXZ
?QueryNtfsTime@IFS_SYSTEM@@SGXPAT_LARGE_INTEGER@@@Z
?GetMessageW@SUPERAREA@@QAEPAVMESSAGE@@XZ
?QueryVolumeName@MOUNT_POINT_MAP@@QAEEPAVWSTRING@@0@Z
?Initialize@LOG_IO_DP_DRIVE@@QAEEPBVWSTRING@@PAVMESSAGE@@EG@Z
?Initialize@CANNED_SECURITY@@QAEEXZ
?Write@LOG_IO_DP_DRIVE@@QAEEVBIG_INT@@KPAX@Z
?GetAt@MOUNT_POINT_MAP@@QAEEKPAVWSTRING@@0@Z
??0LOG_IO_DP_DRIVE@@QAE@XZ
?Set@BIG_INT@@QAEXEPBE@Z
?PushEntry@AUTOREG@@SGEPBVWSTRING@@@Z
?GetMessageW@IO_DP_DRIVE@@QAEPAVMESSAGE@@XZ
?Sort@TLINK@@QAEXXZ
?IsFileSystemEnabled@IFS_SYSTEM@@SGEPBVWSTRING@@PAE@Z
??0DIGRAPH_EDGE@@QAE@XZ
?QueryNumber@NUMBER_SET@@QBE?AVBIG_INT@@V2@@Z
?Read@LOG_IO_DP_DRIVE@@QAEEVBIG_INT@@KPAX@Z
??1INTSTACK@@UAE@XZ
?GetNextDataSlot@TLINK@@QAEAAVBIG_INT@@XZ
?WriteToFile@IFS_SYSTEM@@SGEPBVWSTRING@@PAXKE@Z
?Initialize@READ_WRITE_CACHE@@QAEEPAVIO_DP_DRIVE@@K@Z
?QueryCanonicalNtDriveName@IFS_SYSTEM@@SGEPBVWSTRING@@PAV2@@Z
?EnableVolumeCompression@IFS_SYSTEM@@SGEPBVWSTRING@@@Z
??1LOG_IO_DP_DRIVE@@UAE@XZ
?Initialize@VOL_LIODPDRV@@IAEEPBVWSTRING@@0PAVSUPERAREA@@PAVMESSAGE@@E@Z
advapi32
SystemFunction030
ElfOpenBackupEventLogW
RegQueryMultipleValuesW
QueryAllTracesW
CreateProcessWithLogonW
ConvertSecurityDescriptorToStringSecurityDescriptorW
AddAccessAllowedAceEx
SetKernelObjectSecurity
EnableTrace
InitializeAcl
CredEnumerateA
SaferiIsExecutableFileType
CryptGetDefaultProviderA
SystemFunction018
MSChapSrvChangePassword
RegisterTraceGuidsW
CryptAcquireContextA
CryptHashData
RegFlushKey
LookupAccountNameW
AccessCheckByTypeResultListAndAuditAlarmA
BuildSecurityDescriptorA
AbortSystemShutdownA
QueryServiceConfig2A
ElfOpenEventLogW
WmiQuerySingleInstanceA
ElfRegisterEventSourceA
CredDeleteW
ControlService
MakeAbsoluteSD2
SystemFunction001
CryptDestroyKey
CredReadW
CryptEnumProviderTypesA
RegOpenKeyExW
kernel32
CloseConsoleHandle
GetComputerNameExA
GetNextVDMCommand
EnumerateLocalComputerNamesA
GlobalWire
DnsHostnameToComputerNameW
SwitchToFiber
SetConsoleMenuClose
SetConsoleScreenBufferSize
LoadLibraryA
GetProfileSectionA
GetExitCodeThread
SwitchToThread
lstrcmpA
SetEndOfFile
SetFileApisToOEM
LockResource
GetTapeStatus
GetLocaleInfoW
MoveFileWithProgressW
DeviceIoControl
FlushViewOfFile
ConvertFiberToThread
GetCPInfoExA
WriteProfileStringA
CreateWaitableTimerA
VerifyVersionInfoW
ReleaseMutex
ExitVDM
RegisterWaitForSingleObjectEx
VDMOperationStarted
GetComputerNameA
GlobalSize
GetComputerNameW
EnumResourceTypesA
ReadConsoleOutputCharacterA
SetConsoleNumberOfCommandsW
GetCurrentProcessId
CreateMailslotW
EnumSystemCodePagesA
EnumResourceLanguagesW
GlobalFindAtomW
GetCurrencyFormatW
InterlockedPushEntrySList
GetConsoleInputExeNameA
VirtualAlloc
SetConsoleOS2OemFormat
GetCommModemStatus
Sections
.text Size: 62KB - Virtual size: 62KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 26KB - Virtual size: 26KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 32KB - Virtual size: 105KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1024B - Virtual size: 1024B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 1024B - Virtual size: 1024B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ