Slights_External[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

Slights_External.exe
Size

1.8MB
MD5

9a022671cd0bf81c1c87927cae0f8173
SHA1

f790799b18318732a9cf598a495cdf17d5d25248
SHA256

132b85cefafa8d0146e2d4eb71a5b328fcc0d5faefff22603637a9e9a7f5adbb
SHA512

03dc03e1bd9278c34cd65dc9ef2bf99eec3135f9e163bf8d9e45d7d6fa8ad1f976cfcff42f2c91f5324d824e599d7cbb31cf98d0e59739f85064ed609c540af8
SSDEEP

24576:gKwjU7SbjRcw+Sd7ZcLFJ9OwRshH1wmHplF+r8ptl7Fo60OegX7Ao0n2aWmNPXno:gbA7SfUawFi286mHjUwd70Erv0nS

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Slights_External.exe

Files

Slights_External.exe
.exe windows:6 windows x64 arch:x64

e0df9b4222822dcd75f74025a85e5ad5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\VCSTUDIO\SLIGHTS\x64\Release\SlightsEX.pdb

Imports

kernel32

TerminateProcess
ResumeThread
CreateProcessW
GetStartupInfoW
GetThreadContext
GetSystemInfo
VirtualAlloc
VirtualFree
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetModuleFileNameA
LoadLibraryW
SetLastError
FormatMessageA
LocalFree
EnterCriticalSection
LeaveCriticalSection
SleepEx
GetSystemDirectoryA
HeapSize
VerifyVersionInfoA
GetTickCount
MoveFileExA
WaitForSingleObjectEx
GetEnvironmentVariableA
GetStdHandle
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
GetFileSizeEx
GetProcessHeap
Process32NextW
GetLastError
Sleep
MultiByteToWideChar
GetCurrentProcessId
WideCharToMultiByte
ReleaseSRWLockExclusive
HeapDestroy
RaiseException
FreeLibrary
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
GetLocaleInfoEx
FindClose
FindFirstFileW
GetFileAttributesExW
AreFileApisANSI
GetFileInformationByHandleEx
OutputDebugStringW
CreateEventW
CreateToolhelp32Snapshot
OpenProcess
GetModuleHandleA
CreateFileW
InitializeCriticalSectionEx
DeviceIoControl
WriteFile
WaitForDebugEvent
ContinueDebugEvent
DebugBreak
IsDebuggerPresent
lstrcmpiW
QueryFullProcessImageNameW
HeapFree
GetCurrentProcess
DeleteCriticalSection
GetProcAddress
GetWindowsDirectoryW
HeapAlloc
CreateThread
CloseHandle
HeapReAlloc
Process32FirstW
DeleteFileW
LoadLibraryA
GetCurrentThread
GetModuleHandleW
SetConsoleTitleA
VirtualProtect
QueryPerformanceCounter
QueryPerformanceFrequency
GlobalUnlock
GlobalLock
GlobalFree
CreateFileA
GlobalAlloc
GetCommandLineW

user32

GetCapture
GetActiveWindow
ScreenToClient
GetKeyState
ClientToScreen
FindWindowA
SystemParametersInfoW
LoadCursorW
SetCapture
SetCursor
GetClientRect
ReleaseCapture
UnregisterClassW
GetSystemMetrics
CreateWindowExW
SetWindowPos
DestroyWindow
GetWindow
DefWindowProcW
SetCursorPos
GetCursorPos
OpenClipboard
EmptyClipboard
CloseClipboard
GetClipboardData
SetClipboardData
UpdateWindow
ShowWindow
GetAsyncKeyState
GetWindowTextA
MessageBoxA
MessageBoxW
EnumWindows
GetClassNameA
PostQuitMessage
SetWindowLongW
TranslateMessage
GetForegroundWindow
SetWindowDisplayAffinity
PeekMessageW
DispatchMessageW
GetWindowThreadProcessId
RegisterClassExW

advapi32

CryptEncrypt
CryptDestroyKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGenRandom
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
ConvertSidToStringSidA
CopySid
SetSecurityInfo
GetUserNameA
IsValidSid
InitializeAcl
GetTokenInformation
GetLengthSid
AddAccessAllowedAce
OpenProcessToken
CryptImportKey

shell32

ShellExecuteW
ShellExecuteA

imm32

ImmGetContext
ImmReleaseContext
ImmSetCompositionWindow

msvcp140

?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?good@ios_base@std@@QEBA_NXZ
??Bios_base@std@@QEBA_NXZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?setf@ios_base@std@@QEAAHHH@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?_Xbad_function_call@std@@YAXXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?uncaught_exception@std@@YA_NXZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Winerror_map@std@@YAHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$ctype@D@std@@2V0locale@2@A
?_Xlength_error@std@@YAXPEBD@Z
?_Syserror_map@std@@YAPEBDH@Z
_Cnd_do_broadcast_at_thread_exit
_Thrd_sleep
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
_Query_perf_counter
_Thrd_detach
_Xtime_get_ticks
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z

dwmapi

DwmExtendFrameIntoClientArea

d3d9

Direct3DCreate9Ex

shlwapi

PathFindFileNameW

wininet

HttpOpenRequestW
InternetOpenUrlW
InternetOpenW
HttpQueryInfoW
HttpSendRequestW
InternetReadFile
InternetConnectW
InternetCloseHandle

ntdll

RtlLookupFunctionEntry
RtlAdjustPrivilege
RtlVirtualUnwind
RtlCaptureContext
NtRaiseHardError
VerSetConditionMask

normaliz

IdnToAscii

wldap32

ord50
ord45
ord60
ord143
ord41
ord22
ord26
ord27
ord32
ord33
ord35
ord79
ord30
ord200
ord217
ord301
ord46
ord211

crypt32

CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension
CertGetNameStringA
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CertOpenStore

ws2_32

gethostname
inet_ntoa
WSAStartup
gethostbyname
closesocket
recv
send
WSAGetLastError
bind
connect
getpeername
getsockname
getsockopt
htons
ntohs
setsockopt
socket
WSASetLastError
WSAIoctl
WSACleanup
sendto
recvfrom
freeaddrinfo
getaddrinfo
select
__WSAFDIsSet
ioctlsocket
listen
htonl
accept
ntohl

rpcrt4

UuidToStringA
UuidCreate
RpcStringFreeA

psapi

GetModuleFileNameExW
EnumProcessModules
EnumProcesses
GetModuleInformation

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memset
__current_exception
__current_exception_context
__std_terminate
strstr
strchr
__std_exception_destroy
memcpy
__std_exception_copy
wcsstr
_CxxThrowException
__C_specific_handler
memchr
memcmp
memmove
strrchr

api-ms-win-crt-stdio-l1-1-0

_open
_fseeki64
fsetpos
ungetc
setvbuf
fgetpos
fgets
_pclose
_popen
ftell
fopen
fgetc
__stdio_common_vsprintf_s
_set_fmode
fputs
__p__commode
feof
__acrt_iob_func
fflush
fclose
fseek
fputc
_read
_get_stream_buffer_pointers
__stdio_common_vfprintf
_close
_write
_lseeki64
__stdio_common_vsscanf
fread
fwrite
__stdio_common_vsprintf
_wfopen

api-ms-win-crt-string-l1-1-0

strncpy
strncmp
isprint
strpbrk
_strdup
tolower
strnlen
strspn
wcscpy_s
strcspn
strcmp
isupper
strtok_s

api-ms-win-crt-utility-l1-1-0

rand
qsort

api-ms-win-crt-heap-l1-1-0

free
_callnewh
realloc
_recalloc
_set_new_mode
malloc
calloc

api-ms-win-crt-convert-l1-1-0

strtod
atof
strtoll
strtoull
strtol
_wtoi
strtoul
atoi

api-ms-win-crt-runtime-l1-1-0

_configure_narrow_argv
_getpid
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
exit
perror
_beginthreadex
_cexit
_seh_filter_exe
system
terminate
_resetstkoflw
_set_app_type
__sys_nerr
strerror
_get_initial_narrow_environment
_initterm
abort
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
__p___argc
_exit
_crt_atexit
_initterm_e
_invalid_parameter_noinfo_noreturn
_errno
_invalid_parameter_noinfo

api-ms-win-crt-time-l1-1-0

_localtime64_s
_gmtime64
_time64
strftime

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_fstat64
_lock_file
_unlink
_access
_stat64

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
___lc_codepage_func
localeconv

api-ms-win-crt-math-l1-1-0

atan2f
__setusermatherr
atanf
ceilf
cosf
asinf
_dclass
floorf
tanf
fmodf
sqrtf
pow
powf
sinf
sqrt
_hypotf

Sections

.text
Size: 989KB - Virtual size: 989KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 576KB - Virtual size: 575KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 242KB - Virtual size: 251KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e0df9b4222822dcd75f74025a85e5ad5

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

imm32

msvcp140

dwmapi

d3d9

shlwapi

wininet

ntdll

normaliz

wldap32

crypt32

ws2_32

rpcrt4

psapi

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

Sections

.text Size: 989KB - Virtual size: 989KB

.rdata Size: 576KB - Virtual size: 575KB

.data Size: 242KB - Virtual size: 251KB

.pdata Size: 38KB - Virtual size: 37KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 989KB - Virtual size: 989KB

.rdata
Size: 576KB - Virtual size: 575KB

.data
Size: 242KB - Virtual size: 251KB

.pdata
Size: 38KB - Virtual size: 37KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 2KB - Virtual size: 1KB