2024-02-24_e7447a831cb90fea0df77f5e2be6a845_mafia

Sharing

Copy URL Twitter E-mail

General

Target

2024-02-24_e7447a831cb90fea0df77f5e2be6a845_mafia
Size

7.5MB
MD5

e7447a831cb90fea0df77f5e2be6a845
SHA1

9dccdac0b0645316891047ab1ad4a5b30c12e823
SHA256

ee2e7893c55eea5335ad58cf0f252d235f88b3f1f4dac7c2a1cef14085ab683a
SHA512

8a9e84f6f394148ae007d2e57523703fb51734b982610e1f38fdc428a676104d06730d90392c8fe83b7cad7bfa650ee544a406025792945c37b1d28c6b068c49
SSDEEP

98304:R34RoXHwJG2DbDcP74+WI3Pwy/6kmS8M08/QhHC4xkZbhpXnwEitjksxgo/ooTpV:54ur27HVCL7Zbhp3tipdxg8VaznO

Score

1^/10

Malware Config

Signatures

Files

2024-02-24_e7447a831cb90fea0df77f5e2be6a845_mafia
.exe windows:5 windows x86 arch:x86

e027d18ebfc463dcbc23de781da62d34

Code Sign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

08:95:bf:af:55:a6:dc:53:92:1f:cd:ff:97:11:24:bd
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

20/04/2015, 00:00

Not After

19/05/2017, 23:59

Subject

CN=Pokki,O=Pokki,L=San Diego,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

bd:b2:80:2e:0a:eb:8d:90:81:04:aa:d0:27:9b:1c:d6:a6:ea:2f:e9
Signer

Actual PE Digest

bd:b2:80:2e:0a:eb:8d:90:81:04:aa:d0:27:9b:1c:d6:a6:ea:2f:e9

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

R:\Jenkins\Pokki (Sergey)\workspace\build\win32\Pokki\Redist\ServiceHostApp.pdb

Imports

dbghelp

SymSetOptions
SymInitialize
SymFromAddr
SymGetLineFromAddr64
SymFunctionTableAccess64
SymGetModuleBase64
StackWalk64
MiniDumpWriteDump

msimg32

AlphaBlend

gdiplus

GdipDrawImageRectRectI
GdipCreateFromHWNDICM
GdipSetCompositingMode
GdipSetCompositingQuality
GdipSetTextRenderingHint
GdipSetInterpolationMode
GdipSetSmoothingMode
GdipDrawLine
GdipDrawLines
GdipFree
GdipAlloc
GdipDeleteGraphics
GdipDisposeImage
GdipGetImageWidth
GdipGetImageHeight
GdipDrawRectangle
GdipFillRectangle
GdipFillEllipse
GdipFillPath
GdipGetImagePixelFormat
GdipGetImagePaletteSize
GdipGetImagePalette
GdipCreateBitmapFromFile
GdipSaveImageToFile
GdipCreateBitmapFromHBITMAP
GdipDrawImageRectI
GdipCreateBitmapFromHICON
GdipBitmapGetPixel
GdipBitmapSetPixel
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipDeleteBrush
GdipCreatePen1
GdipDeletePen
GdipCreateStringFormat
GdipDeleteStringFormat
GdipCreatePath
GdipDeletePath
GdipFlush
GdipCreateFontFamilyFromName
GdipGetGenericFontFamilySansSerif
GdipDeleteFontFamily
GdipCreateFont
GdipDeleteFont
GdipSetImageAttributesWrapMode
GdipCreateSolidFill
GdipSetStringFormatFlags
GdipSetStringFormatTrimming
GdipClosePathFigures
GdipAddPathLine
GdipCloneBrush
GdipSetClipRectI
GdipCreateFromHWND
GdipDrawImage
GdipMeasureString
GdipDrawString
GdipDrawImageRectRect
GdipGraphicsClear
GdipRotateWorldTransform
GdipTranslateWorldTransform
GdipCreateFromHDC
GdipSetImageAttributesColorMatrix
GdipDisposeImageAttributes
GdipCreateImageAttributes
GdipBitmapApplyEffect
GdipCreateEffect
GdipSetEffectParameters
GdipDeleteEffect
GdipCloneImage
GdipDrawImageI
GdipGetImageGraphicsContext
GdiplusShutdown
GdiplusStartup
GdipBitmapUnlockBits
GdipBitmapLockBits
GdipCreateBitmapFromScan0
GdipCreateBitmapFromFileICM

psapi

QueryWorkingSet
GetProcessMemoryInfo

kernel32

WriteFile
OutputDebugStringA
FormatMessageA
GetModuleHandleA
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
TryEnterCriticalSection
InterlockedExchangeAdd
IsDebuggerPresent
SetThreadPriority
TlsGetValue
TlsFree
TlsSetValue
TlsAlloc
GetModuleHandleExW
QueryPerformanceCounter
QueryPerformanceFrequency
SystemTimeToFileTime
TzSpecificLocalTimeToSystemTime
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
OpenProcess
SetInformationJobObject
GetExitCodeProcess
CreateToolhelp32Snapshot
GetProcessIoCounters
VirtualQueryEx
HeapSetInformation
SetPriorityClass
AllocConsole
AttachConsole
Process32NextW
Process32FirstW
GetProcessHeaps
GetModuleHandleExA
TerminateProcess
GetSystemInfo
ResumeThread
AssignProcessToJobObject
ReadFile
GetStdHandle
SetHandleInformation
CreatePipe
GetProcessTimes
InterlockedIncrement
RtlCaptureStackBackTrace
GetCurrentThread
GetDiskFreeSpaceExW
GlobalMemoryStatusEx
UnregisterWaitEx
RegisterWaitForSingleObject
InterlockedExchange
GetQueuedCompletionStatus
GetModuleFileNameW
PostQueuedCompletionStatus
TerminateJobObject
InitializeCriticalSection
SignalObjectAndWait
GetProcessHandleCount
VirtualFree
VirtualAllocEx
FreeLibrary
LoadLibraryW
WriteProcessMemory
GetThreadContext
MapViewOfFile
CreateFileMappingW
InterlockedDecrement
VirtualProtectEx
GetFileAttributesW
QueryDosDeviceW
GetLongPathNameW
SetFilePointer
CreateJobObjectW
CreateNamedPipeW
SearchPathW
GetCurrentDirectoryW
DebugBreak
ReadProcessMemory
SuspendThread
CreateProcessW
DeleteFileW
ReleaseMutex
ExpandEnvironmentStringsW
GetVersionExW
GetDriveTypeW
SetEnvironmentVariableA
IsValidLocale
EnumSystemLocalesA
GetUserDefaultLCID
SetCurrentDirectoryW
GetNativeSystemInfo
InterlockedCompareExchange
LocalFree
GetVersion
LoadLibraryA
WaitForMultipleObjects
HeapAlloc
GetProcessHeap
HeapFree
VirtualQuery
MulDiv
GetEnvironmentVariableW
CreateThread
CreateTimerQueue
GetProcessId
CreateTimerQueueTimer
DeleteTimerQueue
DeleteTimerQueueTimer
CreateEventW
GetCommandLineW
SetProcessShutdownParameters
SetUnhandledExceptionFilter
Sleep
GetLastError
OpenEventW
ResetEvent
CreateDirectoryW
CreateFileW
GetSystemPowerStatus
SetLastError
FlushInstructionCache
lstrlenW
LeaveCriticalSection
EnterCriticalSection
RaiseException
GetCurrentThreadId
GetCurrentProcessId
ProcessIdToSessionId
GetUserGeoID
GetGeoInfoW
SetEvent
GetTickCount
GetCurrentProcess
DuplicateHandle
CreateSemaphoreA
CreateEventA
GetSystemTimeAsFileTime
GetModuleHandleW
GetProcAddress
WaitForSingleObject
ReleaseSemaphore
CloseHandle
lstrlenA
VirtualFreeEx
CreateMutexW
FlushConsoleInputBuffer
FindClose
FindFirstFileA
FindNextFileA
GetVersionExA
GlobalMemoryStatus
WideCharToMultiByte
FatalAppExitA
SetStdHandle
MultiByteToWideChar
ExpandEnvironmentStringsA
WriteConsoleW
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
IsValidCodePage
GetOEMCP
GetACP
HeapCreate
GetDateFormatA
GetTimeFormatA
GetCPInfo
LCMapStringW
GetNumberOfConsoleInputEvents
PeekConsoleInputA
SetConsoleMode
ReadConsoleInputA
GetTimeZoneInformation
SetConsoleCtrlHandler
SetFileAttributesA
FindFirstFileExA
GetDriveTypeA
ExitThread
ExitProcess
GetConsoleMode
GetConsoleCP
UnhandledExceptionFilter
GetStartupInfoW
GetCommandLineA
VirtualProtect
RtlUnwind
CreateWaitableTimerA
SetWaitableTimer
OpenEventA
DecodePointer
EncodePointer
GetStringTypeW
HeapSize
HeapReAlloc
HeapDestroy
LocalAlloc
GetUserDefaultUILanguage
InterlockedPopEntrySList
VirtualAlloc
GetFileType
PeekNamedPipe
SleepEx
IsProcessorFeaturePresent
InterlockedPushEntrySList
GetSystemDefaultUILanguage
VerSetConditionMask
VerifyVersionInfoA
CreateIoCompletionPort
FindResourceA
GetLocaleInfoA
CreateFileA
GetDiskFreeSpaceW
GetDiskFreeSpaceA
GetFullPathNameW
GetFullPathNameA
FormatMessageW
GetTempPathA
UnmapViewOfFile
DeleteFileA
RemoveDirectoryW
FindFirstFileW
CreateDirectoryA
FindNextFileW
GetThreadPriority
TerminateThread
GetFileAttributesA
UnlockFileEx
LockFileEx
LockFile
UnlockFile
SetEndOfFile
AreFileApisANSI
GlobalFree
GetFileSize
GetShortPathNameW
GetConsoleDisplayMode
FreeConsole
SetThreadLocale
GetThreadLocale
CreateMutexA
GetFileSizeEx
ConnectNamedPipe
WaitNamedPipeW
SetNamedPipeHandleState
GetNamedPipeInfo
FlushFileBuffers
DisconnectNamedPipe
GetSystemTime
GetLocaleInfoW
IsWow64Process
VerifyVersionInfoW
LoadLibraryExW
EnumResourceNamesW
FindResourceW
LoadResource
SizeofResource
LockResource
FreeResource
CompareStringW
FindFirstFileExW
GetFileTime
FileTimeToLocalFileTime
GetFileInformationByHandle
GetTempPathW
GetTempFileNameW
CopyFileW
MoveFileExW
GetFileAttributesExW
OutputDebugStringW
GetExitCodeThread

comctl32

ord413
ord410
_TrackMouseEvent
ord412

powrprof

GetPwrCapabilities
SetSuspendState

wtsapi32

WTSDisconnectSession
WTSRegisterSessionNotification

advapi32

RegDeleteValueW
RegOpenKeyExW
RegCloseKey
RegisterEventSourceA
ReportEventA
DeregisterEventSource
RegDeleteKeyW
SetEntriesInAclW
GetSecurityInfo
CreateWellKnownSid
RegQueryValueExW
RegSetValueExW
CopySid
EqualSid
DuplicateToken
DuplicateTokenEx
CreateRestrictedToken
SetThreadToken
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
AllocateAndInitializeSid
FreeSid
GetSecurityDescriptorLength
RegEnumKeyExW
RegEnumKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
GetUserNameW
GetCurrentHwProfileW
RegCreateKeyExW
GetAclInformation
InitializeAcl
AddAce
AddAccessAllowedAceEx
GetAce
RegOpenKeyW
OpenThreadToken
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
CryptReleaseContext
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorSacl
SetSecurityInfo
ConvertStringSidToSidW
GetLengthSid
SetTokenInformation
RevertToSelf
RegDisablePredefinedCache
RegisterTraceGuidsW
TraceEvent
UnregisterTraceGuids
GetTraceLoggerHandle
GetTraceEnableFlags
GetTraceEnableLevel
GetSidSubAuthorityCount
GetSidSubAuthority
CreateProcessAsUserW
RegNotifyChangeKeyValue
RegEnumValueW
RegQueryInfoKeyW
GetTokenInformation
ConvertSidToStringSidW

gdi32

CreateSolidBrush
CreateFontIndirectW
SetTextColor
CreateBitmap
GetTextExtentPoint32W
SetMapMode
GetTextMetricsW
CreateFontW
BitBlt
CreateDIBSection
CreateCompatibleBitmap
LPtoDP
GetObjectW
SetDIBColorTable
SelectObject
DeleteDC
CreateCompatibleDC
TextOutW
SetDIBits
GetDeviceCaps
GetBitmapBits
GetObjectA
SetBkMode
SetBrushOrgEx
GetStockObject
DeleteObject
GetDIBits
CreateDCA

ws2_32

sendto
recvfrom
getaddrinfo
listen
freeaddrinfo
connect
socket
closesocket
getpeername
getsockopt
htons
bind
ntohs
getsockname
setsockopt
WSAIoctl
send
recv
select
WSAGetLastError
__WSAFDIsSet
WSASetLastError
WSAStartup
WSACleanup
accept
ioctlsocket
gethostname
shutdown

wldap32

ord143
ord26
ord211
ord60
ord50
ord79
ord200
ord22
ord35
ord32
ord30
ord46
ord33
ord27
ord301
ord41

normaliz

IdnToUnicode
IdnToAscii

secur32

GetUserNameExW

ole32

CoCreateGuid
StringFromGUID2
CoSetProxyBlanket
CoInitializeSecurity
OleInitialize
OleUninitialize
CoTaskMemFree
PropVariantClear
CoAllowSetForegroundWindow
CoInitializeEx
CoCreateInstance
CoUninitialize

oleaut32

CreateErrorInfo
SysFreeString
SysAllocString
VariantInit
VariantClear
SafeArrayDestroy
SysAllocStringLen
VariantCopy
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayGetElement
GetErrorInfo
VariantChangeType
SetErrorInfo

libpokki

?Pump@IPokki@@SAXXZ
?Destroy@IPokki@@SAXPAV1@_N@Z
?SetOSModal@IPokki@@SAX_N@Z
?libPokkiStart@@YAHPAXP6AHXZPB_W_N@Z
?RunMessageLoop@IPokki@@SAXXZ
?DoIdleTasks@IPokki@@SAXXZ
?EnableBrowserPurge@IPokki@@SAX_N@Z
?PluginsRefresh@IPokki@@SAXP6AXXZ@Z
?PluginsUnload@IPokki@@SAXPB_W@Z
?CreateInstance@IPokki@@SAPAV1@PB_W0PAVIPokkiListener@@@Z

shlwapi

SHDeleteKeyW
StrRetToBufW
ord176
SHStrDupW
ord487
StrChrIW

winmm

timeBeginPeriod
timeGetTime
timeEndPeriod

rpcrt4

RpcStringFreeW
UuidCreateSequential
UuidToStringW

msi

ord217
ord173

winhttp

WinHttpOpen
WinHttpGetProxyForUrl
WinHttpCloseHandle

userenv

ExpandEnvironmentStringsForUserW
GetUserProfileDirectoryW
CreateEnvironmentBlock
DestroyEnvironmentBlock

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

wininet

DeleteUrlCacheEntryW
InternetQueryOptionW

hid

HidD_GetHidGuid

setupapi

SetupDiEnumDeviceInfo
SetupDiGetDeviceRegistryPropertyW
SetupDiGetClassDevsW

mfplat

MFCreateAttributes

mf

MFEnumDeviceSources

comdlg32

GetSaveFileNameW

Sections

.text
Size: 5.2MB - Virtual size: 5.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 952KB - Virtual size: 951KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 133KB - Virtual size: 159KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 226KB - Virtual size: 226KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e027d18ebfc463dcbc23de781da62d34

Code Sign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0bCertificate

Extended Key Usages

Key Usages

08:95:bf:af:55:a6:dc:53:92:1f:cd:ff:97:11:24:bdCertificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

bd:b2:80:2e:0a:eb:8d:90:81:04:aa:d0:27:9b:1c:d6:a6:ea:2f:e9Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

dbghelp

msimg32

gdiplus

psapi

kernel32

comctl32

powrprof

wtsapi32

advapi32

gdi32

ws2_32

wldap32

normaliz

secur32

ole32

oleaut32

libpokki

shlwapi

winmm

rpcrt4

msi

winhttp

userenv

version

wininet

hid

setupapi

mfplat

mf

comdlg32

Sections

.text Size: 5.2MB - Virtual size: 5.2MB

.rdata Size: 952KB - Virtual size: 951KB

.data Size: 133KB - Virtual size: 159KB

.tls Size: 512B - Virtual size: 2B

.rsrc Size: 1.0MB - Virtual size: 1.0MB

.reloc Size: 226KB - Virtual size: 226KB

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

08:95:bf:af:55:a6:dc:53:92:1f:cd:ff:97:11:24:bd
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

bd:b2:80:2e:0a:eb:8d:90:81:04:aa:d0:27:9b:1c:d6:a6:ea:2f:e9
Signer

.text
Size: 5.2MB - Virtual size: 5.2MB

.rdata
Size: 952KB - Virtual size: 951KB

.data
Size: 133KB - Virtual size: 159KB

.tls
Size: 512B - Virtual size: 2B

.rsrc
Size: 1.0MB - Virtual size: 1.0MB

.reloc
Size: 226KB - Virtual size: 226KB