spotify[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

spotify.exe
Size

1.2MB
MD5

e036ebab9eb989d648507daa87f703a0
SHA1

e5a08f487133469625648640703baced38b0d844
SHA256

5e6ec1b1da2d0d751033fe54cc47cc0de43d4c824b83b0abdd2fa1cf195d7b76
SHA512

2ca6a324b49e55b92085a7ace8ff8894178586227391044ea672a79421dd843a0270edb080c29412e12882ede52255c9b7678606a5dc70571af47136b0476cbf
SSDEEP

24576:GJpRKm15KdPI24PulUL49rWMVYbQ0VgsIiQch0lhSMXlZNwmOKNzjtM:0pRXGuLCyYYbt8hpiYzjt

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
spotify.exe

Files

spotify.exe
.exe windows:6 windows x64 arch:x64

8c4476c9bb91469ef2ffb0209a4c51d1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

ReleaseSRWLockExclusive
AcquireSRWLockExclusive
QueryPerformanceCounter
GetTickCount
QueryPerformanceFrequency
GetSystemDirectoryA
FreeLibrary
Sleep
MultiByteToWideChar
WideCharToMultiByte
SetLastError
FormatMessageW
MoveFileExA
WaitForSingleObjectEx
Beep
LoadResource
DeleteFileA
LockResource
LoadLibraryA
CreateFileA
GetTempPathA
GetModuleHandleA
FindResourceA
WriteFile
SizeofResource
SetConsoleTitleA
CreateProcessA
GetConsoleWindow
CloseHandle
Process32Next
CreateToolhelp32Snapshot
OpenProcess
Process32First
EnterCriticalSection
GetProcessHeap
GetEnvironmentVariableA
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
SleepEx
VerSetConditionMask
VerifyVersionInfoW
GetFileSizeEx
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
CreateEventW
GetModuleHandleW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
DeleteCriticalSection
HeapDestroy
HeapAlloc
HeapReAlloc
GetLastError
HeapSize
InitializeCriticalSectionEx
LeaveCriticalSection
LocalFree
GetStdHandle
SetConsoleTextAttribute
GetConsoleScreenBufferInfo
CheckRemoteDebuggerPresent
IsDebuggerPresent
GetCurrentProcessId
VirtualProtectEx
GetCurrentProcess
VirtualQueryEx
ReadProcessMemory
GetSystemInfo
WriteProcessMemory
GetTempFileNameA
GetModuleFileNameA
GetProcAddress
HeapFree
OutputDebugStringW

user32

GetKeyNameTextA
ShowWindow
EnumWindows
GetWindowTextA
MapVirtualKeyA
FindWindowA
keybd_event
GetCursorInfo
SendMessageW
GetAsyncKeyState
GetWindowThreadProcessId
GetForegroundWindow
SetCursorPos
GetCursorPos

advapi32

GetUserNameA
CryptImportKey
CryptDestroyKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
ConvertSidToStringSidA
CopySid
IsValidSid
OpenProcessToken
GetLengthSid
GetTokenInformation
RegGetValueA
RegOpenKeyExA
CreateServiceA
CloseServiceHandle
OpenSCManagerA
DeleteService
ControlService
OpenServiceA
RegCloseKey
CryptEncrypt
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW

shell32

ord680

msvcp140

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??Bios_base@std@@QEBA_NXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Xbad_function_call@std@@YAXXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?id@?$ctype@D@std@@2V0locale@2@A
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?id@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?classic@locale@std@@SAAEBV12@XZ
?id@?$numpunct@D@std@@2V0locale@2@A
?_Getcat@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?put@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QEBA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@AEAVios_base@2@DPEBUtm@@PEBD3@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?imbue@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z
??1facet@locale@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
_Query_perf_frequency
?_Throw_Cpp_error@std@@YAXH@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xbad_alloc@std@@YAXXZ
?_Throw_C_error@std@@YAXH@Z
?_Xlength_error@std@@YAXPEBD@Z
_Cnd_do_broadcast_at_thread_exit
_Thrd_sleep
_Query_perf_counter
_Thrd_detach
_Xtime_get_ticks
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?good@ios_base@std@@QEBA_NXZ
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Random_device@std@@YAIXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ

userenv

UnloadUserProfile

winmm

timeBeginPeriod

wininet

InternetCheckConnectionA

normaliz

IdnToAscii
IdnToUnicode

ws2_32

WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
send
getsockopt
WSAWaitForMultipleEvents
closesocket
WSAGetLastError
ntohs
WSASetLastError
WSAStartup
WSACleanup
setsockopt
WSAIoctl
htons
socket
__WSAFDIsSet
select
accept
bind
connect
getsockname
htonl
listen
recv
getaddrinfo
freeaddrinfo
recvfrom
sendto
ioctlsocket
gethostname
WSAResetEvent
getpeername

wldap32

ord30
ord79
ord45
ord60
ord211
ord200
ord33
ord32
ord27
ord26
ord22
ord35
ord301
ord217
ord46
ord41
ord50
ord143

crypt32

CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension
CertGetNameStringA
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CertOpenStore
CertCloseStore

bcrypt

BCryptGenRandom

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcmp
memchr
__current_exception_context
_CxxThrowException
strchr
__current_exception
strstr
memcpy
strrchr
__std_exception_destroy
__std_exception_copy
__std_terminate
wcsstr
__C_specific_handler
memmove
memset

api-ms-win-crt-runtime-l1-1-0

_c_exit
_register_thread_local_exe_atexit_callback
__p___argc
_errno
__sys_nerr
_resetstkoflw
_exit
_invalid_parameter_noinfo_noreturn
_initterm_e
_configure_narrow_argv
_invalid_parameter_noinfo
_initialize_narrow_environment
_initterm
_initialize_onexit_table
_get_initial_narrow_environment
exit
_set_app_type
__p___argv
_seh_filter_exe
_cexit
_beginthreadex
system
terminate
_register_onexit_function
_crt_atexit
__sys_errlist

api-ms-win-crt-heap-l1-1-0

free
_set_new_mode
calloc
_callnewh
realloc
malloc

api-ms-win-crt-stdio-l1-1-0

ftell
__stdio_common_vsscanf
fseek
_close
_fileno
_write
_read
_lseeki64
fputc
feof
fputs
fflush
fgets
_get_stream_buffer_pointers
_fseeki64
fread
fclose
fsetpos
ungetc
fopen
setvbuf
fgetpos
__p__commode
__stdio_common_vsprintf
_set_fmode
fwrite
__acrt_iob_func
_open
fgetc

api-ms-win-crt-convert-l1-1-0

strtoul
strtoll
strtoull
strtol
strtod
atoi
strtof
wcstombs

api-ms-win-crt-string-l1-1-0

isdigit
isupper
toupper
strcmp
_strdup
strncpy
strcspn
strncmp
_stricmp
strpbrk
strspn
tolower

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_stat64
_lock_file
_unlink
_access
_fstat64

api-ms-win-crt-math-l1-1-0

round
_ldsign
_fdsign
roundf
_dclass
__setusermatherr
_fdclass
_ldclass
_fdopen
ceilf
pow
_dsign

api-ms-win-crt-conio-l1-1-0

_getch

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
localeconv

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-time-l1-1-0

_time64
strftime
_gmtime64

Sections

.text
Size: 777KB - Virtual size: 776KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 286KB - Virtual size: 286KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 30KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 139KB - Virtual size: 139KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8c4476c9bb91469ef2ffb0209a4c51d1

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

msvcp140

userenv

winmm

wininet

normaliz

ws2_32

wldap32

crypt32

bcrypt

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-conio-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-time-l1-1-0

Sections

.text Size: 777KB - Virtual size: 776KB

.rdata Size: 286KB - Virtual size: 286KB

.data Size: 5KB - Virtual size: 9KB

.pdata Size: 30KB - Virtual size: 29KB

.rsrc Size: 139KB - Virtual size: 139KB

.reloc Size: 2KB - Virtual size: 2KB

.text
Size: 777KB - Virtual size: 776KB

.rdata
Size: 286KB - Virtual size: 286KB

.data
Size: 5KB - Virtual size: 9KB

.pdata
Size: 30KB - Virtual size: 29KB

.rsrc
Size: 139KB - Virtual size: 139KB

.reloc
Size: 2KB - Virtual size: 2KB