Spotify[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Spotify.exe
Size

29.1MB
MD5

498e4f886f93be383e31fd6ed90dc08b
SHA1

0a7ac20020d2449c055a80488ba6406a6b8ad6f2
SHA256

997c90dc8173efbb0118602d842180373361859bed76994f02f54d5f9bdbacff
SHA512

b108f61ecc6e18065f46a6bb6ab75dd063a63f0720367d5cc0d8e684f2475d7cf03a2274c150d4c54baf2a6eeabbfe297d34d3ed851ab62073f4c046b0aa5496
SSDEEP

196608:kL24n8EUWvf3DixD3kY6rvdJQn23O/NkV5gkWVAsNRR7GF0ooSJc3oP6aKpNNC89:ki4p7VVHMAsbR7L3CcC8Y/m

Score

1^/10

Malware Config

Signatures

Files

Spotify.exe
.exe windows:6 windows x64 arch:x64

33207dace31496b9036637bcf8f5dc22

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0f:ab:67:0a:61:bf:4b:7d:af:d5:59:35:6b:5b:cc:ff
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

04/10/2023, 00:00

Not After

03/10/2024, 23:59

Subject

SERIALNUMBER=556703-7485,CN=Spotify AB,O=Spotify AB,L=Stockholm,C=SE,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#13025345

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1e:07:31:17:74:88:8f:71:99:7a:8f:43:e6:f7:24:66:33:a2:e7:29:42:3b:50:42:93:16:8e:e5:9d:11:c2:e5
Signer

Actual PE Digest

1e:07:31:17:74:88:8f:71:99:7a:8f:43:e6:f7:24:66:33:a2:e7:29:42:3b:50:42:93:16:8e:e5:9d:11:c2:e5

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\src\desktop\shell\build\desktop\Release\Spotify.pdb

Imports

ws2_32

__WSAFDIsSet
getprotobyname
gethostbyname
inet_addr
WSACreateEvent
WSACloseEvent
WSAStartup
WSAGetLastError
WSAAddressToStringW
WSASetEvent
sendto
send
recvfrom
WSASetLastError
WSACleanup
socket
WSAWaitForMultipleEvents
recv
freeaddrinfo
WSAEventSelect
WSAStringToAddressW
WSAEnumNetworkEvents
getaddrinfo
getpeername
shutdown
WSASendTo
WSARecvFrom
WSASocketW
WSASend
WSARecv
WSAIoctl
setsockopt
select
ntohs
ntohl
accept
bind
closesocket
connect
ioctlsocket
getsockname
listen
htons
htonl
getsockopt

gdiplus

GdipSetSmoothingMode
GdipDrawImageRectRectI
GdipSetInterpolationMode
GdipBitmapUnlockBits
GdipBitmapLockBits
GdipCreateBitmapFromStream
GdipSetStringFormatLineAlign
GdipSetStringFormatAlign
GdipCloneStringFormat
GdipDeleteStringFormat
GdipStringFormatGetGenericDefault
GdipDrawString
GdipDeleteFont
GdipCreateFont
GdipGetGenericFontFamilySansSerif
GdiplusStartup
GdipDeleteFontFamily
GdipCreateFontFamilyFromName
GdipFillEllipse
GdipSetTextRenderingHint
GdiplusShutdown
GdipDeleteGraphics
GdipAlloc
GdipFree
GdipCloneBrush
GdipCreateHICONFromBitmap
GdipCreateHBITMAPFromBitmap
GdipCreateBitmapFromScan0
GdipGetImageHeight
GdipGetImageWidth
GdipGetImageGraphicsContext
GdipDisposeImage
GdipDeleteBrush
GdipCreateSolidFill
GdipLoadImageFromStream
GdipCloneImage

dbghelp

SymSetOptions
SymInitialize
SymGetLineFromAddr64
SymFromAddr
SymSetSearchPathW
SymGetSearchPathW
SymCleanup

ntdll

RtlCaptureStackBackTrace
RtlInitUnicodeString
VerSetConditionMask
RtlPcToFileHeader
RtlUnwindEx
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext
RtlUnwind

oleaut32

SysAllocString
VariantClear
SysStringLen
SysAllocStringByteLen
SetErrorInfo
SysFreeString
GetErrorInfo

userenv

DeriveAppContainerSidFromAppContainerName
CreateAppContainerProfile

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

ResumeThread
GetCurrentThread
TerminateThread
QueueUserAPC
CreateThread
TerminateProcess
ExitProcess
GetCurrentProcess
GetExitCodeThread
SwitchToThread
ExitThread
CreateRemoteThread
SetThreadPriority
CreateProcessW
UpdateProcThreadAttribute
InitializeProcThreadAttributeList
DeleteProcThreadAttributeList
GetThreadId
GetExitCodeProcess
GetCurrentProcessId
GetCurrentThreadId
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
GetStartupInfoW
GetProcessTimes

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount
GetTickCount64
GetWindowsDirectoryW
GetSystemInfo
GetSystemTime
GetVersion
GetLocalTime
GetVersionExW

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead
InterlockedPushEntrySList

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
OutputDebugStringA
IsDebuggerPresent

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
GetLastError
SetLastError
RaiseException
UnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-1

GetProcessHandleCount
SetProcessMitigationPolicy
OpenProcess
GetCurrentProcessorNumber
GetProcessMitigationPolicy
IsProcessorFeaturePresent

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
LoadStringW
LoadLibraryExA
FreeLibraryAndExitThread
GetModuleHandleW
FreeLibrary
GetModuleFileNameW
GetModuleHandleA
LoadResource
LockResource
SizeofResource
SetDefaultDllDirectories
GetModuleHandleExW
LoadLibraryExW

api-ms-win-core-synch-l1-1-0

ReleaseSRWLockExclusive
SleepEx
EnterCriticalSection
WaitForMultipleObjectsEx
CreateEventExW
InitializeSRWLock
LeaveCriticalSection
AcquireSRWLockShared
InitializeCriticalSectionAndSpinCount
CreateEventA
InitializeCriticalSection
AcquireSRWLockExclusive
OpenEventA
CreateEventW
SetWaitableTimer
OpenMutexW
ResetEvent
CreateMutexW
ReleaseSemaphore
DeleteCriticalSection
InitializeCriticalSectionEx
WaitForSingleObjectEx
TryAcquireSRWLockExclusive
CreateMutexA
WaitForSingleObject
SetEvent
ReleaseSRWLockShared

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-processenvironment-l1-1-0

SetStdHandle
GetCommandLineA
GetEnvironmentVariableW
ExpandEnvironmentStringsW
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetStdHandle
SetCurrentDirectoryW
GetCurrentDirectoryW

api-ms-win-core-file-l1-1-0

FindClose
FindFirstFileExW
FindNextFileW
GetDiskFreeSpaceExW
GetFileInformationByHandle
GetFileAttributesW
GetDriveTypeW
RemoveDirectoryW
FindFirstFileW
GetFileAttributesExW
SetEndOfFile
GetTempFileNameW
DeleteFileW
GetFileType
CreateDirectoryW
SetFileAttributesW
CreateFileW
WriteFile
GetFullPathNameW
GetVolumePathNameW
GetFileTime
GetFileSize
LockFile
ReadFile
UnlockFile
SetFilePointerEx
GetFileSizeEx
GetLongPathNameW
FlushFileBuffers

api-ms-win-core-heap-l1-1-0

HeapFree
HeapSetInformation
HeapAlloc
HeapReAlloc
HeapDestroy
GetProcessHeaps
HeapSize
GetProcessHeap

api-ms-win-core-localization-l1-2-0

EnumSystemLocalesW
GetCPInfo
LCMapStringEx
GetUserDefaultLocaleName
GetUserDefaultLCID
GetOEMCP
LCMapStringW
GetUserDefaultLangID
GetLocaleInfoEx
GetACP
IsValidLocale
FormatMessageW
FormatMessageA
IsValidCodePage
GetLocaleInfoW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
WideCharToMultiByte
CompareStringW
CompareStringEx
GetStringTypeW

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-fibers-l1-1-0

FlsGetValue
FlsAlloc
FlsSetValue
FlsFree

api-ms-win-core-datetime-l1-1-0

GetDateFormatW
GetTimeFormatW

api-ms-win-core-console-l1-1-0

WriteConsoleW
ReadConsoleW
SetConsoleCtrlHandler
WriteConsoleA
GetConsoleMode
GetConsoleOutputCP
AllocConsole

api-ms-win-core-handle-l1-1-0

SetHandleInformation
DuplicateHandle
CloseHandle

api-ms-win-core-heap-l2-1-0

LocalFree
GlobalFree
LocalAlloc
GlobalAlloc

api-ms-win-core-file-l2-1-0

ReplaceFileW
CopyFileExW
ReadDirectoryChangesW
MoveFileExW
CreateDirectoryExW

api-ms-win-core-com-l1-1-0

StringFromCLSID
CoGetObjectContext
CoInitializeEx
CoUninitialize
CoCreateInstance
CoTaskMemAlloc
CoCreateFreeThreadedMarshaler
CoInitializeSecurity
CoGetApartmentType
CLSIDFromString
CoSetProxyBlanket
CoTaskMemFree
PropVariantClear

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
GetTimeZoneInformation

api-ms-win-core-io-l1-1-0

PostQueuedCompletionStatus
GetQueuedCompletionStatus
CreateIoCompletionPort
CancelIoEx
DeviceIoControl

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects
CreateWaitableTimerW

bcrypt

BCryptOpenAlgorithmProvider
BCryptGenRandom
BCryptCloseAlgorithmProvider

api-ms-win-core-synch-l1-2-0

SleepConditionVariableSRW
InitializeConditionVariable
InitOnceBeginInitialize
WakeAllConditionVariable
Sleep
InitOnceComplete
WakeConditionVariable

mswsock

GetAcceptExSockaddrs
AcceptEx

api-ms-win-core-io-l1-1-1

CancelIo

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW
LoadLibraryA
FindResourceW

api-ms-win-core-toolhelp-l1-1-0

Process32NextW
Process32FirstW
CreateToolhelp32Snapshot

api-ms-win-core-kernel32-legacy-l1-1-0

UnregisterWait
GetSystemPowerStatus
RegisterWaitForSingleObject
MoveFileW
CreateFileMappingA
GetComputerNameW

api-ms-win-core-psapi-l1-1-0

K32GetModuleInformation
K32GetProcessMemoryInfo
K32GetModuleFileNameExW

api-ms-win-ntuser-sysparams-l1-1-0

GetSystemMetrics
SystemParametersInfoW

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo
GetNativeSystemInfo

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW

api-ms-win-core-heap-obsolete-l1-1-0

GlobalLock
GlobalUnlock
GlobalSize

api-ms-win-core-file-l1-2-2

AreFileApisANSI
GetTempPathA

api-ms-win-core-memory-l1-1-0

UnmapViewOfFile
CreateFileMappingW
ReadProcessMemory
VirtualFreeEx
WriteProcessMemory
MapViewOfFile
VirtualFree
VirtualProtectEx
VirtualQuery
VirtualAllocEx
VirtualProtect

winhttp

WinHttpSetStatusCallback
WinHttpOpen
WinHttpCloseHandle
WinHttpConnect
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpSendRequest
WinHttpSetCredentials
WinHttpReceiveResponse
WinHttpSetOption
WinHttpGetIEProxyConfigForCurrentUser
WinHttpSetTimeouts
WinHttpOpenRequest
WinHttpAddRequestHeaders
WinHttpQueryHeaders
WinHttpGetProxyForUrl

api-ms-win-core-synch-ansi-l1-1-0

OpenMutexA
CreateSemaphoreA

api-ms-win-core-kernel32-legacy-l1-1-2

OpenFileMappingA

api-ms-win-core-console-l1-2-0

AttachConsole

api-ms-win-core-console-l3-2-0

GetCurrentConsoleFont

api-ms-win-core-job-l2-1-0

AssignProcessToJobObject
SetInformationJobObject
CreateJobObjectW

iphlpapi

GetAdaptersAddresses

crypt32

CertGetNameStringA

wintrust

WTHelperGetProvCertFromChain
WinVerifyTrust
WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain

api-ms-win-core-processthreads-l1-1-3

SetThreadDescription

api-ms-win-core-console-l2-1-0

SetConsoleTextAttribute
GetConsoleScreenBufferInfo

api-ms-win-core-localization-l1-2-1

EnumSystemLocalesEx

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx

api-ms-win-core-processthreads-l1-1-2

SetThreadInformation

api-ms-win-core-wow64-l1-1-0

IsWow64Process

api-ms-win-core-processtopology-obsolete-l1-1-0

SetThreadAffinityMask

api-ms-win-mm-time-l1-1-0

timeGetTime

kernel32

PowerClearRequest
QueryInformationJobObject
QueryDosDeviceW
RegisterApplicationRestart
PowerCreateRequest
PowerSetRequest
TerminateJobObject
K32EnumProcessModules

dsound

ord2
ord11

avrt

AvSetMmThreadPriority
AvSetMmThreadCharacteristicsW
AvRevertMmThreadCharacteristics

api-ms-win-core-threadpool-l1-2-0

FreeLibraryWhenCallbackReturns
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolWork
TrySubmitThreadpoolCallback

Exports

Exports

GetHandleVerifier
IsSandboxedProcess

Sections

.text
Size: 16.9MB - Virtual size: 16.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4.0MB - Virtual size: 4.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7.3MB - Virtual size: 7.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 876KB - Virtual size: 876KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 67KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

33207dace31496b9036637bcf8f5dc22

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

0f:ab:67:0a:61:bf:4b:7d:af:d5:59:35:6b:5b:cc:ffCertificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

1e:07:31:17:74:88:8f:71:99:7a:8f:43:e6:f7:24:66:33:a2:e7:29:42:3b:50:42:93:16:8e:e5:9d:11:c2:e5Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ws2_32

gdiplus

dbghelp

ntdll

oleaut32

userenv

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-fibers-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-synch-l1-2-1

bcrypt

api-ms-win-core-synch-l1-2-0

mswsock

api-ms-win-core-io-l1-1-1

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-toolhelp-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-ntuser-sysparams-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-file-l1-2-2

api-ms-win-core-memory-l1-1-0

winhttp

api-ms-win-core-synch-ansi-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-2

api-ms-win-core-console-l1-2-0

api-ms-win-core-console-l3-2-0

api-ms-win-core-job-l2-1-0

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

0f:ab:67:0a:61:bf:4b:7d:af:d5:59:35:6b:5b:cc:ff
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

1e:07:31:17:74:88:8f:71:99:7a:8f:43:e6:f7:24:66:33:a2:e7:29:42:3b:50:42:93:16:8e:e5:9d:11:c2:e5
Signer

.text
Size: 16.9MB - Virtual size: 16.9MB

.rdata
Size: 4.0MB - Virtual size: 4.0MB

.data
Size: 7.3MB - Virtual size: 7.6MB

.pdata
Size: 876KB - Virtual size: 876KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 67KB - Virtual size: 67KB