2024-02-20_1e6e3d5b272e73722b0070bd95149278_mafia

Sharing

Copy URL Twitter E-mail

General

Target

2024-02-20_1e6e3d5b272e73722b0070bd95149278_mafia
Size

7.3MB
MD5

1e6e3d5b272e73722b0070bd95149278
SHA1

9a66651b111e7acb1ffc1488037b66e721a9a658
SHA256

0446ae7cf6ae19fc92d9560863edb7853ec07af5a61458a20fb8042a32a73df7
SHA512

7ef4a159d94dbcdfd0dcdfeebf0567c13cb31bac6e287f1fb4855be631d56eee0c270baf38b4661b1a96cbb6a5a3f8dd8436d6c070b0372d49d3d2f6341ca3ca
SSDEEP

49152:qM2eyQ9LjV/+B/etx1S3Q0yWzdGlqQNnfC/BDMs425zJSsk:F4g/+VetbS3Qg8lqQN9s4AzJ

Score

10^/10

Malware Config

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Files

2024-02-20_1e6e3d5b272e73722b0070bd95149278_mafia
.exe windows:5 windows x86 arch:x86

4332b02f47a31c08d5751a8130168741

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

19:6d:f8:a7
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Not Before

08/08/2012, 01:00

Not After

08/08/2027, 01:00

Subject

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0c:ab:99:09:9a:f4:f9
Certificate

Issuer

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Not Before

27/11/2013, 10:48

Not After

29/11/2014, 04:33

Subject

CN=Cool Swim Technology Co.\,LTD,O=Cool Swim Technology Co.\,LTD,L=Shangrao,ST=Jiangxi,C=CN,1.2.840.113549.1.9.1=#0c0e6a6472696c69403136332e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageDigitalSignature

3d
Certificate

Issuer

CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Not Before

01/03/2011, 01:00

Not After

01/03/2016, 01:00

Subject

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

f8:3e:3a:e2:64:d8:60:4a:01:45:ca:94:30:6d:3b:37:00:a6:08:8c
Signer

Actual PE Digest

f8:3e:3a:e2:64:d8:60:4a:01:45:ca:94:30:6d:3b:37:00:a6:08:8c

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\jdrili\branches\2.0.2.0\Bin\PDB\jdrl.pdb

Imports

kernel32

GetTimeFormatW
FlushFileBuffers
HeapValidate
HeapCreate
GetFileAttributesA
HeapDestroy
FormatMessageW
Sleep
FormatMessageA
GetSystemTimeAsFileTime
UnlockFileEx
GetTickCount
LockFile
UnlockFile
InterlockedCompareExchange
HeapFree
QueryPerformanceCounter
HeapAlloc
GetDateFormatW
UnmapViewOfFile
MapViewOfFile
CreateMutexW
GetFileSize
CreateFileA
HeapReAlloc
GetFullPathNameA
GetFullPathNameW
InterlockedDecrement
GetPrivateProfileStringW
WritePrivateProfileStringW
RemoveDirectoryW
DeleteFileW
SetFileAttributesW
FindClose
FindNextFileW
CopyFileW
FindFirstFileW
CreateDirectoryW
GetFileAttributesW
lstrcpyW
GetCommandLineW
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
ReadFile
OpenProcess
GetVersionExW
LoadResource
SetSystemTime
GetCurrentProcess
WideCharToMultiByte
GetModuleFileNameW
FreeLibrary
GetProcAddress
LoadLibraryW
CloseHandle
SetFilePointer
DosDateTimeToFileTime
FileTimeToDosDateTime
lstrcmpW
MulDiv
GetCurrentDirectoryW
FlushViewOfFile
OpenFileMappingW
GlobalUnlock
GlobalAlloc
GlobalLock
GetVolumeInformationW
DuplicateHandle
GetFileTime
GetFileSizeEx
CreateFileW
WriteFile
GetPrivateProfileIntW
TerminateProcess
ResetEvent
ResumeThread
FindResourceExW
InitializeCriticalSectionAndSpinCount
lstrcmpiW
TerminateThread
WaitForSingleObject
SetCurrentDirectoryW
InterlockedIncrement
GetLocalTime
SetLastError
FlushInstructionCache
GetCurrentThreadId
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
GetProcessTimes
InterlockedExchange
WaitForMultipleObjectsEx
DeleteTimerQueueTimer
CreateTimerQueueTimer
CreateTimerQueue
DeleteTimerQueue
lstrcpynW
LoadLibraryExW
LockResource
RaiseException
CreateEventW
QueueUserWorkItem
SetEvent
GetACP
DeleteFileA
AreFileApisANSI
GetSystemTime
LocalFree
GetTempPathA
GetCurrentProcessId
GetVersionExA
GetFileAttributesExW
GetSystemInfo
GetDiskFreeSpaceA
CreateFileMappingW
LoadLibraryA
GetDiskFreeSpaceW
LockFileEx
HeapSize
SetEndOfFile
GetTempPathW
FileTimeToLocalFileTime
SetEnvironmentVariableA
CompareStringW
SetStdHandle
WriteConsoleW
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
GetTimeZoneInformation
GetConsoleMode
GetConsoleCP
GetFileType
SetHandleCount
GetLocaleInfoW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
IsValidCodePage
GetOEMCP
GetStdHandle
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
LCMapStringW
RtlUnwind
GetStartupInfoW
HeapSetInformation
GetCommandLineA
VirtualQuery
VirtualProtect
CreateThread
MultiByteToWideChar
lstrlenA
SystemTimeToFileTime
FileTimeToSystemTime
GetModuleHandleW
FindResourceW
SizeofResource
lstrlenW
GetLastError
ExitThread
ExitProcess
GetCPInfo
InterlockedPopEntrySList
VirtualAlloc
VirtualFree
IsProcessorFeaturePresent
GetProcessHeap
InterlockedPushEntrySList
DecodePointer
EncodePointer
GetStringTypeW

user32

RegisterWindowMessageW
MoveWindow
GetWindowThreadProcessId
GetParent
OffsetRect
ClientToScreen
SetActiveWindow
SetFocus
LoadStringA
AttachThreadInput
GetForegroundWindow
PostQuitMessage
GetCursorPos
LoadImageW
GetWindowPlacement
SetWindowPlacement
GetActiveWindow
EndPaint
GetWindowTextLengthW
DestroyAcceleratorTable
FillRect
IsChild
SetCapture
InvalidateRgn
CreateAcceleratorTableW
BeginPaint
GetWindowTextW
GetClassNameW
GetSysColor
RedrawWindow
AllowSetForegroundWindow
DrawTextW
MessageBeep
GetDoubleClickTime
GetGUIThreadInfo
ReleaseCapture
GetDlgCtrlID
GetFocus
InvalidateRect
GetWindowRgn
SetWindowRgn
GetLastActivePopup
IsWindowEnabled
MonitorFromWindow
AdjustWindowRectEx
MapWindowPoints
EnableWindow
GetMonitorInfoW
GetWindow
CloseClipboard
ExitWindowsEx
EmptyClipboard
OpenClipboard
SetClipboardData
LoadStringW
GetIconInfo
GetDC
GetWindowRect
CharUpperW
UnregisterClassA
CreateWindowExW
SetForegroundWindow
PeekMessageW
GetMessageW
TranslateMessage
DispatchMessageW
MessageBoxW
LoadCursorW
GetClassInfoExW
RegisterClassExW
GetDesktopWindow
FindWindowExW
GetWindowLongW
FindWindowW
SetWindowLongW
GetSystemMetrics
CharNextW
PtInRect
PostMessageW
SetWindowTextW
DefWindowProcW
IsDialogMessageW
SetWindowPos
SetTimer
SystemParametersInfoW
RegisterHotKey
KillTimer
SetParent
IsWindowVisible
GetClientRect
UpdateLayeredWindow
ReleaseDC
ScreenToClient
ShowWindow
IsWindow
DestroyWindow
CallWindowProcW
SendMessageW
GetDlgItem
CopyRect

gdi32

CreateSolidBrush
GetStockObject
BitBlt
SelectObject
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
GetBitmapBits
GetPixel
DeleteObject
CreateRoundRectRgn
CreateRectRgn
PtInRegion
CreateDIBSection
GetTextColor
SetTextAlign
EnumFontFamiliesExW
GetTextAlign
Ellipse
LineTo
MoveToEx
ExtCreatePen
GetDeviceCaps
GetObjectW
SetPixel

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

RegCloseKey
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
RegDeleteValueW
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
RegOpenKeyW
RegCreateKeyW
RegCreateKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegQueryValueExA
RegOpenKeyExA

shell32

ShellExecuteA
SHGetSpecialFolderPathA
SHGetSpecialFolderPathW
CommandLineToArgvW
ShellExecuteW
ShellExecuteExW
SHGetFileInfoW

ole32

CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
CoUninitialize
CoCreateInstance
CoInitialize
OleLockRunning
CLSIDFromProgID
CLSIDFromString
CreateStreamOnHGlobal
StringFromGUID2
OleInitialize
OleUninitialize
CoGetClassObject

oleaut32

VarUI4FromStr
SysFreeString
SysAllocString
VariantClear
VariantInit
VariantTimeToSystemTime
VarUdateFromDate
SystemTimeToVariantTime
SysAllocStringLen
VarDateFromStr
SysStringLen
LoadRegTypeLi
OleCreateFontIndirect
LoadTypeLi

shlwapi

StrCmpNIW
PathUnquoteSpacesW
PathGetArgsW
PathRemoveArgsW
PathFileExistsW
StrToIntW
StrCmpIW
PathFindFileNameW
PathStripToRootW
PathIsUNCW

comctl32

ImageList_Draw
_TrackMouseEvent
ImageList_GetIconSize

htmlayout

HTMLayoutSetTimer
HTMLayoutSetTimerEx
HTMLayoutShowPopup
HTMLayoutIsElementVisible
HTMLayoutGetElementIndex
HTMLayoutGetChildrenCount
HTMLayoutGetNthChild
HTMLayoutSelectParent
HTMLayoutShowPopupAt
HTMLayoutSetElementInnerText16
HTMLayoutHidePopup
HTMLayoutTrackPopupAt
HTMLayoutGetParentElement
HTMLayoutDeleteElement
HTMLayoutSelectParentW
HTMLayoutInsertElement
HTMLayoutCreateElement
HTMLayoutGetElementLocation
HTMLayoutSetAttributeByName
HTMLayoutGetElementHwnd
HTMLayoutGetElementState
ValueInt64Data
HTMLayoutControlGetValue
ValueCopy
HTMLayoutPostEvent
HTMLayoutSelectElementsW
HTMLayoutControlSetValue
ValueInit
ValueStringDataSet
ValueClear
HTMLayoutUpdateElement
HTMLayoutControlGetType
HTMLayoutSelectElements
HTMLayoutUpdateWindow
HTMLayoutCallBehaviorMethod
HTMLayoutGetElementInnerTextCB
HTMLayoutClassNameW
HTMLayoutSetCallback
HTMLayoutLoadHtmlEx
HTMLayoutLoadHtml
HTMLayoutCombineURL
HTMLayoutSetMediaType
HTMLayoutLoadFile
HTMLayoutGetAttributeCount
HTMLayoutGetNthAttribute
HTMLayout_UseElement
HTMLayout_UnuseElement
HTMLayoutGetAttributeByName
HTMLayoutDataReady
HTMLayoutDataReadyAsync
ValueIntDataSet
HTMLayoutSetMasterCSS
ValueIntData
HTMLayoutGetElementIntrinsicHeight
HTMLayoutSetEventRoot
HTMLayoutGetScrollInfo
HTMLayoutUpdateElementEx
HTMLayoutGetElementByUID
ValueNthElementValue
ValueGetValueOfKey
HTMLayoutAttachEventHandlerEx
HTMLayoutHttpRequest
HTMLayoutEnqueueMeasure
HTMLayoutRequestElementData
HTMLayoutSetCapture
HTMLayoutGetElementUID
ValueElementsCount
HTMLayoutSendEvent
HTMLayoutGetElementIntrinsicWidths
HTMLayoutSortElements
HTMLayoutDetachElement
HTMLayoutIsElementEnabled
HTMLayoutGetElementHtmlCB
HTMLayoutTraverseUIEvent
HTMLayoutSetScrollPos
HTMLayoutElementSetExpando
HTMLayoutSetElementState
HTMLayoutElementGetExpando
HTMLayoutGetFocusElement
HTMLayoutScrollToView
HTMLayoutSetStyleAttribute
HTMLayoutSetElementHtml
ValueFloatDataSet
ValueFloatData
HTMLayoutWindowAttachEventHandler
HTMLayoutGetRootElement
HTMLayoutGetGraphin
HTMLayoutRender
HTMLayoutGetElementType
HTMLayoutGetMinHeight
HTMLayoutGetStyleAttribute
HTMLayoutGetMinWidth
ValueStringData
ValueToString

gdiplus

GdipCreateBitmapFromFileICM
GdipCreateHICONFromBitmap
GdipGetGenericFontFamilySansSerif
GdiplusShutdown
GdiplusStartup
GdipDrawImagePointsI
GdipTransformMatrixPointsI
GdipTranslateMatrix
GdipRotateMatrix
GdipDeleteMatrix
GdipCreateMatrix2
GdipDrawString
GdipCreateSolidFill
GdipCreateFont
GdipDeleteFontFamily
GdipCreateStringFormat
GdipDeleteStringFormat
GdipSetStringFormatLineAlign
GdipDrawImageI
GdipGetImageHeight
GdipGetImageWidth
GdipDrawImage
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipFree
GdipDisposeImage
GdipAlloc
GdipCloneImage
GdipCreateBitmapFromFile
GdipSetStringFormatAlign
GdipCreateBitmapFromScan0
GdipGetImageGraphicsContext
GdipDeleteGraphics
GdipCloneBitmapAreaI
GdipCreateFromHDC
GdipReleaseDC
GdipDeleteBrush
GdipCloneBrush
GdipDeleteFont
GdipCreateFontFamilyFromName

bugtrapu

BT_SetAppName
BT_UninstallSehFilter
BT_InstallSehFilter
BT_SetSupportHost
BT_SetSupportPort
BT_SetSupportEMail
BT_SetFlags
BT_SetReportFormat

ws2_32

socket
WSAStartup
htons
inet_addr
WSACleanup
closesocket
ntohl
recv
connect

netapi32

Netbios

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

winmm

PlaySoundW

cryptopp

?ParameterSupported@?$TF_CryptoSystemBase@VPK_Decryptor@CryptoPP@@V?$TF_Base@VTrapdoorFunctionInverse@CryptoPP@@VPK_EncryptionMessageEncodingMethod@2@@2@@CryptoPP@@UBE_NPBD@Z
?FixedMaxPlaintextLength@?$TF_CryptoSystemBase@VPK_Decryptor@CryptoPP@@V?$TF_Base@VTrapdoorFunctionInverse@CryptoPP@@VPK_EncryptionMessageEncodingMethod@2@@2@@CryptoPP@@UBEIXZ
?FixedCiphertextLength@?$TF_CryptoSystemBase@VPK_Decryptor@CryptoPP@@V?$TF_Base@VTrapdoorFunctionInverse@CryptoPP@@VPK_EncryptionMessageEncodingMethod@2@@2@@CryptoPP@@UBEIXZ
?Put2@?$StringSinkTemplate@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@CryptoPP@@UAEIPBEIH_N@Z
?IsolatedInitialize@?$StringSinkTemplate@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@CryptoPP@@UAEXABVNameValuePairs@2@@Z
??0?$StringSinkTemplate@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@CryptoPP@@QAE@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?InputBufferIsEmpty@?$Unflushable@VFilter@CryptoPP@@@CryptoPP@@MBE_NXZ
?ChannelFlush@?$Unflushable@VFilter@CryptoPP@@@CryptoPP@@UAE_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_NH1@Z
?MaxPlaintextLength@?$PK_FixedLengthCryptoSystemImpl@VPK_Decryptor@CryptoPP@@@CryptoPP@@UBEII@Z
?CiphertextLength@?$PK_FixedLengthCryptoSystemImpl@VPK_Decryptor@CryptoPP@@@CryptoPP@@UBEII@Z
?IsolatedFlush@?$Unflushable@VFilter@CryptoPP@@@CryptoPP@@UAE_N_N0@Z
?DigestSize@?$OAEP@VSHA1@CryptoPP@@VP1363_MGF1@2@@CryptoPP@@MBEIXZ
?NewHash@?$OAEP@VSHA1@CryptoPP@@VP1363_MGF1@2@@CryptoPP@@MBEPAVHashTransformation@2@XZ
?IsolatedFlush@?$Bufferless@VSink@CryptoPP@@@CryptoPP@@UAE_N_N0@Z
??1?$StringSinkTemplate@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@CryptoPP@@UAE@XZ
??1TF_DecryptorBase@CryptoPP@@UAE@XZ
??_DInvertibleRSAFunction@CryptoPP@@QAEXXZ
?StaticAlgorithmName@RSA@CryptoPP@@SAPBDXZ
?ParameterSupported@OAEP_Base@CryptoPP@@UBE_NPBD@Z
?AlgorithmName@Algorithm@CryptoPP@@UBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ
?CreatePutSpace@BufferedTransformation@CryptoPP@@UAEPAEAAI@Z
?CanModifyInput@BufferedTransformation@CryptoPP@@UBE_NXZ
?PutModifiable2@BufferedTransformation@CryptoPP@@UAEIPAEIH_N@Z
?IsolatedMessageSeriesEnd@BufferedTransformation@CryptoPP@@UAE_N_N@Z
?SetAutoSignalPropagation@BufferedTransformation@CryptoPP@@UAEXH@Z
?GetAutoSignalPropagation@BufferedTransformation@CryptoPP@@UBEHXZ
?GetNextMessageSeries@BufferedTransformation@CryptoPP@@UAE_NXZ
?NumberOfMessagesInThisSeries@BufferedTransformation@CryptoPP@@UBEIXZ
?NumberOfMessageSeries@BufferedTransformation@CryptoPP@@UBEIXZ
?Attachable@BufferedTransformation@CryptoPP@@UAE_NXZ
?AttachedTransformation@BufferedTransformation@CryptoPP@@UAEPAV12@XZ
?AttachedTransformation@BufferedTransformation@CryptoPP@@UBEPBV12@XZ
?Detach@BufferedTransformation@CryptoPP@@UAEXPAV12@@Z
?AccessMaterial@PrivateKeyAlgorithm@CryptoPP@@UAEAAVCryptoMaterial@2@XZ
?GetMaterial@PrivateKeyAlgorithm@CryptoPP@@UBEABVCryptoMaterial@2@XZ
?TransferTo2@Sink@CryptoPP@@UAEIAAVBufferedTransformation@2@AA_KABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_N@Z
?CopyRangeTo2@Sink@CryptoPP@@UBEIAAVBufferedTransformation@2@AA_K_KABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_N@Z
?Attachable@Filter@CryptoPP@@UAE_NXZ
?ShouldPropagateMessageEnd@Filter@CryptoPP@@MBE_NXZ
?ShouldPropagateMessageSeriesEnd@Filter@CryptoPP@@MBE_NXZ
?Put2@FilterWithBufferedInput@CryptoPP@@UAEIPBEIH_N@Z
?PutModifiable2@FilterWithBufferedInput@CryptoPP@@UAEIPAEIH_N@Z
?InitializeDerivedAndReturnNewSizes@FilterWithBufferedInput@CryptoPP@@MAEXABVNameValuePairs@2@AAI11@Z
?InitializeDerived@FilterWithBufferedInput@CryptoPP@@MAEXABVNameValuePairs@2@@Z
?NextPutSingle@FilterWithBufferedInput@CryptoPP@@MAEXPBE@Z
?FlushDerived@FilterWithBufferedInput@CryptoPP@@MAEXXZ
?NextPut@FilterWithBufferedInput@CryptoPP@@MAEHPBEI@Z
?FirstPut@SimpleProxyFilter@CryptoPP@@UAEXPBE@Z
?LastPut@SimpleProxyFilter@CryptoPP@@UAEXPBEI@Z
?Clone@Clonable@CryptoPP@@UBEPAV12@XZ
??0PK_DecryptorFilter@CryptoPP@@QAE@AAVRandomNumberGenerator@1@ABVPK_Decryptor@1@PAVBufferedTransformation@1@@Z
??1PK_DecryptorFilter@CryptoPP@@UAE@XZ
??0StringSource@CryptoPP@@QAE@PBD_NPAVBufferedTransformation@1@@Z
??1StringSource@CryptoPP@@UAE@XZ
?NewMGF@?$OAEP@VSHA1@CryptoPP@@VP1363_MGF1@2@@CryptoPP@@MBEPAVMaskGeneratingFunction@2@XZ
??0InvertibleRSAFunction@CryptoPP@@QAE@XZ
??0TF_DecryptorBase@CryptoPP@@QAE@XZ
?StaticAlgorithmName@?$OAEP@VSHA1@CryptoPP@@VP1363_MGF1@2@@CryptoPP@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ
??0?$OAEP@VSHA1@CryptoPP@@VP1363_MGF1@2@@CryptoPP@@QAE@XZ
??1?$OAEP@VSHA1@CryptoPP@@VP1363_MGF1@2@@CryptoPP@@UAE@XZ
?Decrypt@TF_DecryptorBase@CryptoPP@@UBE?AUDecodingResult@2@AAVRandomNumberGenerator@2@PBEIPAEABVNameValuePairs@2@@Z
?Unpad@OAEP_Base@CryptoPP@@UBE?AUDecodingResult@2@PBEIPAEABVNameValuePairs@2@@Z
?Pad@OAEP_Base@CryptoPP@@UBEXAAVRandomNumberGenerator@2@PBEIPAEIABVNameValuePairs@2@@Z
?MaxUnpaddedLength@OAEP_Base@CryptoPP@@UBEII@Z
?IsolatedInitialize@HexDecoder@CryptoPP@@UAEXABVNameValuePairs@2@@Z
?Put2@BaseN_Decoder@CryptoPP@@UAEIPBEIH_N@Z
?NextPutModifiable@ProxyFilter@CryptoPP@@UAEXPAEI@Z
?NextPutMultiple@ProxyFilter@CryptoPP@@UAEXPBEI@Z
?NewDefaultAttachment@Filter@CryptoPP@@MBEPAVBufferedTransformation@2@XZ
?AttachedTransformation@Filter@CryptoPP@@UBEPBVBufferedTransformation@2@XZ
?CopyRangeTo2@Filter@CryptoPP@@UBEIAAVBufferedTransformation@2@AA_K_KABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_N@Z
?TransferTo2@Filter@CryptoPP@@UAEIAAVBufferedTransformation@2@AA_KABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_N@Z
?Peek@BufferedTransformation@CryptoPP@@UBEIAAE@Z
?Peek@BufferedTransformation@CryptoPP@@UBEIPAEI@Z
?Get@BufferedTransformation@CryptoPP@@UAEIAAE@Z
?Get@BufferedTransformation@CryptoPP@@UAEIPAEI@Z
?MaxRetrievable@BufferedTransformation@CryptoPP@@UBE_KXZ
?MessageSeriesEnd@Filter@CryptoPP@@UAE_NH_N@Z
?Flush@Filter@CryptoPP@@UAE_N_NH0@Z
?Initialize@Filter@CryptoPP@@UAEXABVNameValuePairs@2@H@Z
?IsolatedFlush@ProxyFilter@CryptoPP@@UAE_N_N0@Z
?IsolatedInitialize@FilterWithBufferedInput@CryptoPP@@UAEXABVNameValuePairs@2@@Z
?Attach@BufferedTransformation@CryptoPP@@UAEXPAV12@@Z
?SetRetrievalChannel@BufferedTransformation@CryptoPP@@UAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?SkipAll@BufferedTransformation@CryptoPP@@UAEXXZ
?SkipMessages@BufferedTransformation@CryptoPP@@UAEII@Z
?GetNextMessage@BufferedTransformation@CryptoPP@@UAE_NXZ
?TotalBytesRetrievable@BufferedTransformation@CryptoPP@@UBE_KXZ
?Skip@BufferedTransformation@CryptoPP@@UAE_K_K@Z
?AnyMessages@BufferedTransformation@CryptoPP@@UBE_NXZ
?AnyRetrievable@BufferedTransformation@CryptoPP@@UBE_NXZ
??0RandomPool@CryptoPP@@QAE@XZ
?CreateDecryptionFilter@PK_Decryptor@CryptoPP@@UBEPAVBufferedTransformation@2@AAVRandomNumberGenerator@2@PAV32@ABVNameValuePairs@2@@Z
?GetWaitObjects@BufferedTransformation@CryptoPP@@UAEXAAVWaitObjectContainer@2@ABVCallStack@2@@Z
?GetMaxWaitObjectCount@BufferedTransformation@CryptoPP@@UBEIXZ
?ChannelMessageSeriesEnd@BufferedTransformation@CryptoPP@@UAE_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@H_N@Z
?ChannelFlush@BufferedTransformation@CryptoPP@@UAE_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_NH1@Z
?MessageSeriesEnd@BufferedTransformation@CryptoPP@@UAE_NH_N@Z
?Flush@BufferedTransformation@CryptoPP@@UAE_N_NH0@Z
?AttachedTransformation@Filter@CryptoPP@@UAEPAVBufferedTransformation@2@XZ
?Detach@Filter@CryptoPP@@UAEXPAVBufferedTransformation@2@@Z
?ChannelCreatePutSpace@BufferedTransformation@CryptoPP@@UAEPAEABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAI@Z
?Initialize@BufferedTransformation@CryptoPP@@UAEXABVNameValuePairs@2@H@Z
?ChannelPutModifiable2@BufferedTransformation@CryptoPP@@UAEIABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAEIH_N@Z
?ChannelPut2@BufferedTransformation@CryptoPP@@UAEIABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBEIH_N@Z
?NumberOfMessages@BufferedTransformation@CryptoPP@@UBEIXZ
?Flush@?$Unflushable@VFilter@CryptoPP@@@CryptoPP@@UAE_N_NH0@Z
??0HexDecoder@CryptoPP@@QAE@PAVBufferedTransformation@1@@Z
??1HexDecoder@CryptoPP@@UAE@XZ
??1RandomPool@CryptoPP@@UAE@XZ

Exports

Exports

??0CppSQLite3DB@@AAE@ABV0@@Z
??0CppSQLite3DB@@QAE@XZ
??0CppSQLite3Exception@@QAE@ABV0@@Z
??0CppSQLite3Exception@@QAE@HPA_W_N@Z
??0CppSQLite3Query@@QAE@ABV0@@Z
??0CppSQLite3Query@@QAE@PAUsqlite3@@PAUsqlite3_stmt@@_N2@Z
??0CppSQLite3Query@@QAE@XZ
??0CppSQLite3Statement@@QAE@ABV0@@Z
??0CppSQLite3Statement@@QAE@PAUsqlite3@@PAUsqlite3_stmt@@@Z
??0CppSQLite3Statement@@QAE@XZ
??1CppSQLite3DB@@UAE@XZ
??1CppSQLite3Exception@@UAE@XZ
??1CppSQLite3Query@@UAE@XZ
??1CppSQLite3Statement@@UAE@XZ
??4CppSQLite3DB@@AAEAAV0@ABV0@@Z
??4CppSQLite3Exception@@QAEAAV0@ABV0@@Z
??4CppSQLite3Query@@QAEAAV0@ABV0@@Z
??4CppSQLite3Statement@@QAEAAV0@ABV0@@Z
??ECppSQLite3Query@@QAEAAV0@H@Z
??ECppSQLite3Query@@QAEAAV0@XZ
??_7CppSQLite3DB@@6B@
??_7CppSQLite3Exception@@6B@
??_7CppSQLite3Query@@6B@
??_7CppSQLite3Statement@@6B@
?SQLiteVersion@CppSQLite3DB@@SAPBDXZ
?bind@CppSQLite3Statement@@QAEXHH@Z
?bind@CppSQLite3Statement@@QAEXHN@Z
?bind@CppSQLite3Statement@@QAEXHPBEH@Z
?bind@CppSQLite3Statement@@QAEXHPB_W@Z
?bindNull@CppSQLite3Statement@@QAEXH@Z
?checkDB@CppSQLite3DB@@AAEXXZ
?checkDB@CppSQLite3Statement@@AAEXXZ
?checkVM@CppSQLite3Query@@AAEXXZ
?checkVM@CppSQLite3Statement@@AAEXXZ
?close@CppSQLite3DB@@QAEXXZ
?compile@CppSQLite3DB@@AAEPAUsqlite3_stmt@@PB_W@Z
?compileStatement@CppSQLite3DB@@QAE?AVCppSQLite3Statement@@PB_W@Z
?eof@CppSQLite3Query@@QAE_NXZ
?errorCode@CppSQLite3Exception@@QAE?BHXZ
?errorCodeAsString@CppSQLite3Exception@@SAPB_WH@Z
?errorMessage@CppSQLite3Exception@@QAEPB_WXZ
?execDML@CppSQLite3DB@@QAEHPB_W@Z
?execDML@CppSQLite3Statement@@QAEHXZ
?execQuery@CppSQLite3DB@@QAE?AVCppSQLite3Query@@PB_W@Z
?execScalar@CppSQLite3DB@@QAEHPB_W@Z
?execScalarStr@CppSQLite3DB@@QAE?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PB_W@Z
?fieldDataType@CppSQLite3Query@@QAEHH@Z
?fieldDeclType@CppSQLite3Query@@QAEPB_WH@Z
?fieldIndex@CppSQLite3Query@@QAEHPB_W@Z
?fieldIsNull@CppSQLite3Query@@QAE_NH@Z
?fieldIsNull@CppSQLite3Query@@QAE_NPB_W@Z
?fieldName@CppSQLite3Query@@QAEPB_WH@Z
?fieldValue@CppSQLite3Query@@QAEPB_WH@Z
?fieldValue@CppSQLite3Query@@QAEPB_WPB_W@Z
?finalize@CppSQLite3Query@@QAEXXZ
?finalize@CppSQLite3Statement@@QAEXXZ
?getBlobField@CppSQLite3Query@@QAEPBEHAAH@Z
?getBlobField@CppSQLite3Query@@QAEPBEPB_WAAH@Z
?getFloatField@CppSQLite3Query@@QAENHN@Z
?getFloatField@CppSQLite3Query@@QAENPB_WN@Z
?getIntField@CppSQLite3Query@@QAEHHH@Z
?getIntField@CppSQLite3Query@@QAEHPB_WH@Z
?getStringField@CppSQLite3Query@@QAEPB_WHPB_W@Z
?getStringField@CppSQLite3Query@@QAEPB_WPB_W0@Z
?interrupt@CppSQLite3DB@@QAEXXZ
?isopen@CppSQLite3DB@@QBE_NXZ
?lastRowId@CppSQLite3DB@@QAE_JXZ
?nextRow@CppSQLite3Query@@QAEXXZ
?numFields@CppSQLite3Query@@QAEHXZ
?open@CppSQLite3DB@@QAEXPB_W@Z
?reset@CppSQLite3Statement@@QAEXXZ
?setBusyTimeout@CppSQLite3DB@@QAEXH@Z
?tableExists@CppSQLite3DB@@QAE_NPB_W@Z

Sections

.text
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 319KB - Virtual size: 318KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 67KB - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5.3MB - Virtual size: 5.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 100KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4332b02f47a31c08d5751a8130168741

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

19:6d:f8:a7Certificate

Key Usages

0c:ab:99:09:9a:f4:f9Certificate

Extended Key Usages

Key Usages

3dCertificate

Key Usages

f8:3e:3a:e2:64:d8:60:4a:01:45:ca:94:30:6d:3b:37:00:a6:08:8cSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

gdi32

comdlg32

advapi32

shell32

ole32

oleaut32

shlwapi

comctl32

htmlayout

gdiplus

bugtrapu

ws2_32

netapi32

version

winmm

cryptopp

Exports

Exports

Sections

.text Size: 1.6MB - Virtual size: 1.6MB

.rdata Size: 319KB - Virtual size: 318KB

.data Size: 67KB - Virtual size: 96KB

.rsrc Size: 5.3MB - Virtual size: 5.3MB

.reloc Size: 100KB - Virtual size: 100KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

19:6d:f8:a7
Certificate

0c:ab:99:09:9a:f4:f9
Certificate

3d
Certificate

f8:3e:3a:e2:64:d8:60:4a:01:45:ca:94:30:6d:3b:37:00:a6:08:8c
Signer

.text
Size: 1.6MB - Virtual size: 1.6MB

.rdata
Size: 319KB - Virtual size: 318KB

.data
Size: 67KB - Virtual size: 96KB

.rsrc
Size: 5.3MB - Virtual size: 5.3MB

.reloc
Size: 100KB - Virtual size: 100KB