xmrig | csrss[.]rar

Sharing

Copy URL Twitter E-mail

General

Target

csrss.rar
Size

8.7MB
MD5

1d6c2ee6fb98cd3bd72fc80ba4671168
SHA1

a3dc5b40fba745df1c010c37b070b217df7d67db
SHA256

1c7e236367636eb01b93845afdfc80e7cad1683201fe3865f1f80917bab49df3
SHA512

9869695847d1c7e5c3d09f0d728a7a02137b140f2390bc785e6cac3462a538bf1402e1d9feff989e9949596ab589bdefc744934f0eac7d4b35867f2785468fcb
SSDEEP

196608:NONyDlao6qnlPXqcu5r4RhJOKIrSkdhSGP4fTzYGCr+2Gtk3a0XW:vcjq9L67dWIr5Kk3u

Score

10^/10

upx miner xmrig

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
static1/unpack001/csrss/wup/xarch/wup.exe	xmrig
static1/unpack001/csrss/wup/xarch/wup.exe	family_xmrig

Xmrig family
xmrig

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/csrss/1bf850b4d9587c1017a75a47680584c4.exe	upx
static1/unpack001/csrss/713674d5e968cbe2102394be0b2bae6f.exe	upx
static1/unpack001/csrss/dcb505dc2b9d8aac05f4ca0727f5eadb.exe	upx

Unsigned PE 9 IoCs

Checks for missing Authenticode signature.

resource
unpack001/csrss/1bf850b4d9587c1017a75a47680584c4.exe
unpack002/out.upx
unpack001/csrss/713674d5e968cbe2102394be0b2bae6f.exe
unpack003/out.upx
unpack001/csrss/dcb505dc2b9d8aac05f4ca0727f5eadb.exe
unpack004/out.upx
unpack001/csrss/injector/NtQuerySystemInformationHook.dll
unpack001/csrss/injector/injector.exe
unpack001/csrss/wup/xarch/wup.exe

Files

csrss.rar
.rar

Password: infected
csrss/1bf850b4d9587c1017a75a47680584c4.exe
.exe windows:6 windows x86 arch:x86

Password: infected

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: - Virtual size: 2.9MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX2
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:6 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.text
Size: 2.2MB - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.4MB - Virtual size: 2.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 231KB - Virtual size: 327KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1024B - Virtual size: 816B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.symtab
Size: 512B - Virtual size: 4B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
csrss/713674d5e968cbe2102394be0b2bae6f.exe
.exe windows:6 windows x86 arch:x86

Password: infected

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: - Virtual size: 6.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 2.8MB - Virtual size: 2.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX2
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.text
Size: 4.2MB - Virtual size: 4.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3.8MB - Virtual size: 3.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 231KB - Virtual size: 459KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1024B - Virtual size: 988B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 192KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.symtab
Size: 512B - Virtual size: 4B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
csrss/dcb505dc2b9d8aac05f4ca0727f5eadb.exe
.exe windows:6 windows x86 arch:x86

Password: infected

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: - Virtual size: 2.8MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX2
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:6 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.text
Size: 2.2MB - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 231KB - Virtual size: 326KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1024B - Virtual size: 816B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.symtab
Size: 512B - Virtual size: 4B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
csrss/injector/NtQuerySystemInformationHook.dll
.dll windows:6 windows x64 arch:x64

Password: infected

986e63a5b77a2dc2160babf9cb41d472

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

OpenProcess
QueryFullProcessImageNameW
CloseHandle
GetModuleHandleW
GetProcAddress
WriteConsoleW
HeapCreate
VirtualProtect
HeapFree
GetCurrentProcess
Thread32Next
Thread32First
GetCurrentThreadId
SuspendThread
ResumeThread
CreateToolhelp32Snapshot
Sleep
HeapReAlloc
HeapAlloc
HeapDestroy
GetThreadContext
GetCurrentProcessId
FlushInstructionCache
SetThreadContext
OpenThread
VirtualFree
VirtualAlloc
GetSystemInfo
VirtualQuery
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
RtlUnwindEx
InterlockedFlushSList
GetLastError
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
RaiseException
ExitProcess
GetModuleHandleExW
GetModuleFileNameW
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
LCMapStringW
GetProcessHeap
GetStdHandle
GetFileType
GetStringTypeW
HeapSize
SetStdHandle
FlushFileBuffers
WriteFile
GetConsoleCP
GetConsoleMode
SetFilePointerEx
CreateFileW

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 36KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 384B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 248B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
csrss/injector/injector.exe
.exe windows:6 windows x64 arch:x64

Password: infected

fd6d162605478dc1606410649a092f90

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

WriteProcessMemory
SetLastError
CreateMutexW
WaitForSingleObject
OpenProcess
CreateToolhelp32Snapshot
Sleep
GetLastError
Process32NextW
Process32FirstW
CloseHandle
LoadLibraryW
VirtualAllocEx
CreateRemoteThread
lstrcmpiW
WriteConsoleW
MultiByteToWideChar
GetStringTypeW
WideCharToMultiByte
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
EncodePointer
DecodePointer
LCMapStringEx
GetCPInfo
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwindEx
RtlPcToFileHeader
RaiseException
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
HeapAlloc
HeapFree
GetFileType
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetFileSizeEx
SetFilePointerEx
FlushFileBuffers
GetConsoleCP
GetConsoleMode
ReadFile
ReadConsoleW
HeapReAlloc
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetProcessHeap
HeapSize
CreateFileW
RtlUnwind

Sections

.text
Size: 183KB - Virtual size: 182KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 78KB - Virtual size: 78KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 384B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
csrss/wup/xarch/WinRing0x64.sys
.sys windows:6 windows x64 arch:x64

d41fa95d4642dc981f10de36f4dc8cd7

Code Sign

01:00:00:00:00:01:15:37:24:21:a8
Certificate

Issuer

CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE

Not Before

24/09/2007, 10:50

Not After

24/09/2008, 10:50

Subject

CN=Noriyuki MIYAZAKI,C=JP,1.2.840.113549.1.9.1=#0c196869796f6869796f406372797374616c6d61726b2e696e666f

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageKeyEncipherment
KeyUsageDataEncipherment

04:00:00:00:00:00:f9:7f:aa:2e:1e
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

16/12/2003, 13:00

Not After

27/01/2014, 11:00

Subject

CN=GlobalSign RootSign Partners CA,OU=RootSign Partners CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:08:d9:61:1c:d6
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

28/01/1999, 12:00

Not After

27/01/2014, 11:00

Subject

CN=GlobalSign Primary Object Publishing CA,OU=Primary Object Publishing CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:10:92:eb:82:95
Certificate

Issuer

CN=GlobalSign RootSign Partners CA,OU=RootSign Partners CA,O=GlobalSign nv-sa,C=BE

Not Before

05/02/2007, 09:00

Not After

27/01/2014, 09:00

Subject

CN=GlobalSign Time Stamping Authority,O=GlobalSign,1.2.840.113549.1.9.1=#0c1c74696d657374616d70696e666f40676c6f62616c7369676e2e636f6d

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:08:d9:61:24:48
Certificate

Issuer

CN=GlobalSign Primary Object Publishing CA,OU=Primary Object Publishing CA,O=GlobalSign nv-sa,C=BE

Not Before

22/01/2004, 09:00

Not After

27/01/2014, 10:00

Subject

CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:00

Not After

23/05/2016, 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

26:68:21:a3:91:74:d2:9f:6f:87:91:cf:9f:44:f1:a1:f3:43:9d:da
Signer

Actual PE Digest

26:68:21:a3:91:74:d2:9f:6f:87:91:cf:9f:44:f1:a1:f3:43:9d:da

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb

Imports

ntoskrnl.exe

IoDeleteSymbolicLink
RtlInitUnicodeString
IoDeleteDevice
IoCreateDevice
MmMapIoSpace
KeBugCheckEx
IoCreateSymbolicLink
MmUnmapIoSpace
IofCompleteRequest
__C_specific_handler

hal

HalSetBusDataByOffset
HalGetBusDataByOffset

Sections

.text
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 380B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 276B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 96B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 546B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
csrss/wup/xarch/wup.exe
.exe windows:6 windows x64 arch:x64

Password: infected

31a090aa7e9838bda41019af05e13c76

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ws2_32

ntohs
recv
send
WSASetLastError
htons
WSARecv
WSAGetLastError
select
WSARecvFrom
WSASocketW
WSASend
gethostname
WSAIoctl
WSADuplicateSocketW
shutdown
getpeername
FreeAddrInfoW
GetAddrInfoW
htonl
socket
setsockopt
listen
closesocket
bind
WSACleanup
WSAStartup
getsockopt
getsockname
ioctlsocket

psapi

GetProcessMemoryInfo

iphlpapi

GetAdaptersAddresses

userenv

GetUserProfileDirectoryW

crypt32

CertGetCertificateContextProperty
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore

kernel32

GetStdHandle
SetConsoleMode
GetConsoleMode
QueryPerformanceFrequency
QueryPerformanceCounter
SizeofResource
LockResource
LoadResource
FindResourceW
ExpandEnvironmentStringsA
CreateMutexW
WaitForSingleObject
CreateEventW
ExitProcess
GetConsoleWindow
GetSystemFirmwareTable
HeapFree
HeapAlloc
GetProcessHeap
MultiByteToWideChar
SetPriorityClass
GetCurrentProcess
SetThreadPriority
GetSystemPowerStatus
GetCurrentThread
GetProcAddress
GetModuleHandleW
GetTickCount
CloseHandle
FreeConsole
VirtualProtect
VirtualFree
VirtualAlloc
GetLargePageMinimum
LocalAlloc
GetLastError
LocalFree
FlushInstructionCache
GetCurrentThreadId
AddVectoredExceptionHandler
WriteFile
DeviceIoControl
GetModuleFileNameW
CreateFileW
DeleteFileW
SetLastError
GetSystemTime
SystemTimeToFileTime
GetModuleHandleExW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SwitchToFiber
DeleteFiber
CreateFiber
FindClose
FindFirstFileW
FindNextFileW
WideCharToMultiByte
GetFileType
ConvertFiberToThread
ConvertThreadToFiber
GetCurrentProcessId
GetSystemTimeAsFileTime
FreeLibrary
LoadLibraryA
LoadLibraryW
GetEnvironmentVariableW
ReadConsoleA
ReadConsoleW
PostQueuedCompletionStatus
CreateFileA
DuplicateHandle
SetEvent
ResetEvent
CreateEventA
Sleep
QueueUserWorkItem
RegisterWaitForSingleObject
UnregisterWait
GetNumberOfConsoleInputEvents
ReadConsoleInputW
FillConsoleOutputCharacterW
FillConsoleOutputAttribute
GetConsoleCursorInfo
SetConsoleCursorInfo
GetConsoleScreenBufferInfo
SetConsoleCursorPosition
SetConsoleTextAttribute
WriteConsoleInputW
CreateDirectoryW
SetConsoleTitleA
WriteConsoleW
GetFileAttributesW
GetFileInformationByHandle
GetFileSizeEx
GetFinalPathNameByHandleW
GetFullPathNameW
ReadFile
RemoveDirectoryW
SetFilePointerEx
SetFileTime
GetSystemInfo
MapViewOfFile
FlushViewOfFile
UnmapViewOfFile
CreateFileMappingA
ReOpenFile
CopyFileW
MoveFileExW
CreateHardLinkW
GetFileInformationByHandleEx
CreateSymbolicLinkW
InitializeCriticalSection
SetConsoleCtrlHandler
GetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
CreateIoCompletionPort
ReadDirectoryChangesW
VerSetConditionMask
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetCurrentDirectoryW
GetTempPathW
GlobalMemoryStatusEx
RtlUnwind
VerifyVersionInfoA
FileTimeToSystemTime
SetHandleInformation
CancelIo
SetFileCompletionNotificationModes
LoadLibraryExW
FormatMessageA
SetErrorMode
GetQueuedCompletionStatus
ConnectNamedPipe
PeekNamedPipe
CreateNamedPipeW
CancelIoEx
CancelSynchronousIo
SwitchToThread
TerminateProcess
GetExitCodeProcess
UnregisterWaitEx
LCMapStringW
DebugBreak
TryEnterCriticalSection
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableCS
ReleaseSemaphore
ResumeThread
GetNativeSystemInfo
CreateSemaphoreA
GetModuleHandleA
GetStartupInfoW
GetModuleFileNameA
GetVersionExA
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
GetComputerNameA
RtlCaptureContext
GetStringTypeW
RtlLookupFunctionEntry
GetDiskFreeSpaceW
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
InitializeSListHead
RtlUnwindEx
RtlPcToFileHeader
RaiseException
SetStdHandle
GetCommandLineA
GetCommandLineW
CreateThread
ExitThread
FreeLibraryAndExitThread
GetDriveTypeW
SystemTimeToTzSpecificLocalTime
GetFileAttributesExW
SetFileAttributesW
GetConsoleOutputCP
CompareStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
HeapReAlloc
GetTimeZoneInformation
HeapSize
SetEndOfFile
FindFirstFileExW
IsValidCodePage
GetACP
GetOEMCP
FlushFileBuffers
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
InitializeCriticalSectionEx
WaitForSingleObjectEx
GetExitCodeThread
SleepConditionVariableSRW
EncodePointer
DecodePointer
LCMapStringEx
CompareStringEx
GetCPInfo

user32

GetProcessWindowStation
ShowWindow
GetLastInputInfo
GetUserObjectInformationW
GetSystemMetrics
MapVirtualKeyW
DispatchMessageA
TranslateMessage
GetMessageA
MessageBoxW

shell32

SHGetSpecialFolderPathA

ole32

CoInitializeEx
CoCreateInstance
CoUninitialize

advapi32

SystemFunction036
GetUserNameW
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptReleaseContext
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
CreateServiceW
QueryServiceStatus
CloseServiceHandle
OpenSCManagerW
QueryServiceConfigA
DeleteService
ControlService
StartServiceW
OpenServiceW
LookupPrivilegeValueW
AdjustTokenPrivileges
OpenProcessToken
LsaOpenPolicy
LsaAddAccountRights
LsaClose
GetTokenInformation

bcrypt

BCryptGenRandom

Sections

.text
Size: 3.5MB - Virtual size: 3.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 62KB - Virtual size: 2.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 125KB - Virtual size: 124KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RANDOMX
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

_SHA3_25
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

_TEXT_CN
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

_TEXT_CN
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

Headers

File Characteristics

Sections

UPX0 Size: - Virtual size: 2.9MB

UPX1 Size: 2.0MB - Virtual size: 2.0MB

UPX2 Size: 512B - Virtual size: 4KB

Headers

File Characteristics

Sections

.text Size: 2.2MB - Virtual size: 2.2MB

.rdata Size: 2.4MB - Virtual size: 2.4MB

.data Size: 231KB - Virtual size: 327KB

.idata Size: 1024B - Virtual size: 816B

.symtab Size: 512B - Virtual size: 4B

Password: infected

Headers

DLL Characteristics

File Characteristics

Sections

UPX0 Size: - Virtual size: 6.0MB

UPX1 Size: 2.8MB - Virtual size: 2.8MB

UPX2 Size: 512B - Virtual size: 4KB

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 4.2MB - Virtual size: 4.2MB

.rdata Size: 3.8MB - Virtual size: 3.8MB

.data Size: 231KB - Virtual size: 459KB

.idata Size: 1024B - Virtual size: 988B

.reloc Size: 192KB - Virtual size: 191KB

.symtab Size: 512B - Virtual size: 4B

Password: infected

Headers

File Characteristics

Sections

UPX0 Size: - Virtual size: 2.8MB

UPX1 Size: 2.0MB - Virtual size: 2.0MB

UPX2 Size: 512B - Virtual size: 4KB

Headers

File Characteristics

Sections

.text Size: 2.2MB - Virtual size: 2.2MB

.rdata Size: 2.3MB - Virtual size: 2.3MB

.data Size: 231KB - Virtual size: 326KB

.idata Size: 1024B - Virtual size: 816B

.symtab Size: 512B - Virtual size: 4B

Password: infected

986e63a5b77a2dc2160babf9cb41d472

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

Sections

.text Size: 51KB - Virtual size: 51KB

.rdata Size: 36KB - Virtual size: 36KB

.data Size: 3KB - Virtual size: 7KB

.pdata Size: 4KB - Virtual size: 3KB

_RDATA Size: 512B - Virtual size: 384B

.rsrc Size: 512B - Virtual size: 248B

.reloc Size: 2KB - Virtual size: 1KB

Password: infected

fd6d162605478dc1606410649a092f90

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

Sections

.text Size: 183KB - Virtual size: 182KB

.rdata Size: 78KB - Virtual size: 78KB

.data Size: 5KB - Virtual size: 11KB

UPX0
Size: - Virtual size: 2.9MB

UPX1
Size: 2.0MB - Virtual size: 2.0MB

UPX2
Size: 512B - Virtual size: 4KB

.text
Size: 2.2MB - Virtual size: 2.2MB

.rdata
Size: 2.4MB - Virtual size: 2.4MB

.data
Size: 231KB - Virtual size: 327KB

.idata
Size: 1024B - Virtual size: 816B

.symtab
Size: 512B - Virtual size: 4B

UPX0
Size: - Virtual size: 6.0MB

UPX1
Size: 2.8MB - Virtual size: 2.8MB

UPX2
Size: 512B - Virtual size: 4KB

.text
Size: 4.2MB - Virtual size: 4.2MB

.rdata
Size: 3.8MB - Virtual size: 3.8MB

.data
Size: 231KB - Virtual size: 459KB

.idata
Size: 1024B - Virtual size: 988B

.reloc
Size: 192KB - Virtual size: 191KB

.symtab
Size: 512B - Virtual size: 4B

UPX0
Size: - Virtual size: 2.8MB

UPX1
Size: 2.0MB - Virtual size: 2.0MB

UPX2
Size: 512B - Virtual size: 4KB

.text
Size: 2.2MB - Virtual size: 2.2MB

.rdata
Size: 2.3MB - Virtual size: 2.3MB

.data
Size: 231KB - Virtual size: 326KB

.idata
Size: 1024B - Virtual size: 816B

.symtab
Size: 512B - Virtual size: 4B

.text
Size: 51KB - Virtual size: 51KB

.rdata
Size: 36KB - Virtual size: 36KB

.data
Size: 3KB - Virtual size: 7KB

.pdata
Size: 4KB - Virtual size: 3KB

_RDATA
Size: 512B - Virtual size: 384B

.rsrc
Size: 512B - Virtual size: 248B

.reloc
Size: 2KB - Virtual size: 1KB

.text
Size: 183KB - Virtual size: 182KB

.rdata
Size: 78KB - Virtual size: 78KB

.data
Size: 5KB - Virtual size: 11KB

.pdata
Size: 10KB - Virtual size: 9KB

_RDATA
Size: 512B - Virtual size: 384B

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 3KB - Virtual size: 2KB

01:00:00:00:00:01:15:37:24:21:a8
Certificate

04:00:00:00:00:00:f9:7f:aa:2e:1e
Certificate

04:00:00:00:00:01:08:d9:61:1c:d6
Certificate

04:00:00:00:00:01:10:92:eb:82:95
Certificate

04:00:00:00:00:01:08:d9:61:24:48
Certificate

61:0b:7f:6b:00:00:00:00:00:19
Certificate

26:68:21:a3:91:74:d2:9f:6f:87:91:cf:9f:44:f1:a1:f3:43:9d:da
Signer

.text
Size: 2KB - Virtual size: 1KB

.rdata
Size: 512B - Virtual size: 380B

.data
Size: 512B - Virtual size: 276B

.pdata
Size: 512B - Virtual size: 96B

INIT
Size: 1024B - Virtual size: 546B

.rsrc
Size: 1024B - Virtual size: 960B

.text
Size: 3.5MB - Virtual size: 3.5MB

.rdata
Size: 1.4MB - Virtual size: 1.4MB

.data
Size: 62KB - Virtual size: 2.7MB

.pdata
Size: 125KB - Virtual size: 124KB

_RANDOMX
Size: 3KB - Virtual size: 3KB

_SHA3_25
Size: 2KB - Virtual size: 2KB

_TEXT_CN
Size: 10KB - Virtual size: 9KB

_TEXT_CN
Size: 4KB - Virtual size: 4KB

_RDATA
Size: 512B - Virtual size: 244B

.rsrc
Size: 15KB - Virtual size: 14KB

.reloc
Size: 32KB - Virtual size: 32KB