E:\svn\BRCloudv2\branches\BR_Backup_Mail\output\Win32\Release\ABCore.pdb
Behavioral task
behavioral1
Sample
081d94f614d1021d1e6bc8ba38ef5d41ecd58c1051d201e7fd706db8d924ff44.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
081d94f614d1021d1e6bc8ba38ef5d41ecd58c1051d201e7fd706db8d924ff44.exe
Resource
win10v2004-20240226-en
General
-
Target
081d94f614d1021d1e6bc8ba38ef5d41ecd58c1051d201e7fd706db8d924ff44
-
Size
968KB
-
MD5
99bd61aeba2ad3d700c231483b693e06
-
SHA1
b32e1f071c6c10a360dce462b6ecfb4f0d3253b4
-
SHA256
081d94f614d1021d1e6bc8ba38ef5d41ecd58c1051d201e7fd706db8d924ff44
-
SHA512
67ca0b8cf1c6edb60924195a3f536d97c0254433712786b0ff32c0ec1cef105b00cdc07f6d55bddf3061d2921189d45305e02fd1bb4f90bc80ad2121ff49fef7
-
SSDEEP
12288:egUav9ZiMLQIYtRdZ9gpkRlGXAe4haTGHki5Za94WoOSvEFHKCb:egX1ZLpkgvi5Zs4WozMtKCb
Malware Config
Signatures
-
resource yara_rule sample detect_ak_stuff
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource 081d94f614d1021d1e6bc8ba38ef5d41ecd58c1051d201e7fd706db8d924ff44
Files
-
081d94f614d1021d1e6bc8ba38ef5d41ecd58c1051d201e7fd706db8d924ff44.exe windows:4 windows x86 arch:x86
8afb56f641817dacb7bb5c48664f5dae
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports
comn
CreateObjectEmail
CreateObjectUDP
SetCheckAfterIfSuccess
GetObjectVol
GetObjectGpt
GetObjectLog
GetObjectLang
GetObjectSys
encrypt
CreateEncryptObject
HexToStr
StrToHex
uilogic
TerminateSpawnProcess
CreateUiLogic
rpcrt4
RpcServerUseProtseqEpW
RpcServerRegisterIf
NdrServerCall2
UuidCreate
RpcServerListen
amnet
?InitAdapter@Amnet@@YAX_N@Z
?Socket@Amnet@@YAHH@Z
?GetAdapterAt@Amnet@@YA_NIAAUTAdapter@1@@Z
?GetHostName@Amnet@@YAXPAD@Z
?GetAdapterCount@Amnet@@YAHXZ
?Uninstall@Amnet@@YAXXZ
?Connect@Amnet@@YA_NHPADI0I@Z
?StartupTcpEngine@Amnet@@YA_NPAVIAttemperEngineSink@1@@Z
?StoppedTcpEngine@Amnet@@YA_NK@Z
?Install@Amnet@@YA_NXZ
?Disconnect@Amnet@@YA_NH_N@Z
?Send@Amnet@@YA_NHPADI_N@Z
nthelp
?ReadFile@Help32@@YAKPA_WKPAXK@Z
?FileIsExist@Help32@@YAHPA_W@Z
?ReadFileShare@Help32@@YAKPA_WKPAXK@Z
?Wchartochar@Help32@@YAXPB_WPADH@Z
?Chartowchar@Help32@@YAXPBDPA_WH@Z
?CheckWindowsUserAndPasswordIsValid@Help32@@YAHPA_W0@Z
?Encrypto@Help32@@YAXPAEK@Z
?Decrypto@Help32@@YAXPAEK@Z
?IsEmpty@Help32@@YAHPA_W@Z
?Encrypto@Help32@@YAHPAE0H@Z
?GetModuleFilePath@Help32@@YAXPA_W@Z
?CopyString@Help32@@YAXPA_W0@Z
?WriteFile@Help32@@YAKPA_WKPAXK@Z
?IsEmpty@Help32@@YAHPAD@Z
ntlog
?OpenLog@NTLOG@@YAHIPA_W@Z
?WriteLog@NTLOG@@YAHHIPB_WZZ
awssns
getInter
brlog
GetBrLogMgr
kernel32
MapViewOfFile
HeapFree
UnmapViewOfFile
GetLastError
CreateEventW
Sleep
TerminateProcess
ReadFile
ReleaseMutex
CreateFileW
SetProcessPriorityBoost
InitializeCriticalSection
ResetEvent
OpenFileMappingW
CreateDirectoryW
CreateMutexW
OpenEventW
WriteFile
WaitForSingleObject
GetTickCount
GetFileSizeEx
LeaveCriticalSection
DeleteFileW
DeleteCriticalSection
MultiByteToWideChar
EnterCriticalSection
SetEvent
SetPriorityClass
GetProcAddress
LoadLibraryW
GetModuleFileNameW
GetCurrentThreadId
GetPrivateProfileStringA
GetModuleFileNameA
GetCurrentProcessId
SetUnhandledExceptionFilter
CreateFileA
GetFileSize
SetFilePointer
GetFileAttributesW
DeleteFileA
GetLocalTime
OpenProcess
GetVersionExW
Process32FirstW
WriteConsoleA
CreateProcessW
FindFirstFileA
GetFileAttributesA
Process32NextW
FindNextFileA
GetPrivateProfileIntW
WideCharToMultiByte
GetProcessHeap
CreateFileMappingW
GetComputerNameW
CreateDirectoryA
WritePrivateProfileStringW
GetPrivateProfileStringW
DeviceIoControl
GetStartupInfoW
WTSGetActiveConsoleSessionId
GetExitCodeProcess
SetFileAttributesW
InterlockedExchange
FindFirstFileW
FindNextFileW
GetPrivateProfileStructW
OpenMutexW
DefineDosDeviceA
GetModuleHandleW
GetSystemDirectoryA
LoadLibraryA
GetSystemInfo
SetFirmwareEnvironmentVariableW
GetFirmwareEnvironmentVariableW
FreeLibrary
GetSystemDirectoryW
IsBadReadPtr
SetFilePointerEx
SetLastError
IsBadWritePtr
GetWindowsDirectoryW
OutputDebugStringW
PeekNamedPipe
CreatePipe
GetVersionExA
GetSystemTimeAsFileTime
QueryPerformanceCounter
IsDebuggerPresent
UnhandledExceptionFilter
InterlockedCompareExchange
FindClose
HeapAlloc
lstrcpyW
OutputDebugStringA
GetCurrentProcess
CreateToolhelp32Snapshot
CloseHandle
FlushFileBuffers
MoveFileW
lstrlenW
WriteConsoleW
user32
KillTimer
PostQuitMessage
DestroyWindow
CreateWindowExW
UpdateWindow
LoadCursorW
LoadStringW
TranslateAcceleratorW
DefWindowProcW
RegisterClassExW
TranslateMessage
DialogBoxParamW
LoadAcceleratorsW
LoadIconW
EndPaint
ShowWindow
CloseWindow
GetMessageW
EndDialog
DispatchMessageW
wsprintfW
SendMessageW
FindWindowW
MessageBoxW
GetSystemMetrics
BeginPaint
advapi32
AllocateAndInitializeSid
FreeSid
InitializeAcl
AddAccessAllowedAce
RegSetValueExA
RegSetValueExW
RegQueryValueExW
RegEnumValueW
RegQueryValueExA
RegEnumValueA
RegOpenKeyExA
LookupPrivilegeValueW
RegQueryInfoKeyW
RegEnumKeyW
RegOpenKeyW
RegCloseKey
GetUserNameW
AdjustTokenPrivileges
RegOpenKeyA
RegFlushKey
GetLengthSid
RegDeleteValueW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
CreateProcessAsUserW
DuplicateTokenEx
GetTokenInformation
OpenProcessToken
shell32
SHGetFolderPathW
SHGetFolderPathA
ole32
CLSIDFromString
msvcp80
?compare@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEHPB_W@Z
?substr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE?AV12@II@Z
??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAA_WI@Z
?clear@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXXZ
?assign@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@PB_WI@Z
?compare@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEHPBD@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z
??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
?find_last_of@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIPB_WI@Z
?find_last_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?clear@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE?AV?$_String_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE?AV?$_String_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
?find_last_of@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEI_WI@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
?npos@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@2IB
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
?resize@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXI@Z
?empty@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE_NXZ
?find@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIPB_WI@Z
?find@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEI_WI@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z
?length@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIXZ
?c_str@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEPB_WXZ
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
?swap@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXAAV12@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
?swap@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXAAV12@@Z
?size@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIXZ
??$?8DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
?find_first_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z
?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ
shlwapi
PathFileExistsW
ws2_32
connect
inet_addr
send
WSACleanup
WSAGetLastError
bind
WSAStartup
gethostbyname
inet_ntoa
recv
listen
accept
htons
closesocket
socket
msvcr80
_cexit
_itoa
_strnicmp
tolower
isalnum
strchr
isspace
strncmp
isalpha
memmove
fread
fseek
ftell
fputc
ferror
_vsnprintf_s
_fsopen
srand
_vscprintf
vsprintf
_vscwprintf
toupper
rand
strftime
_localtime64
strtol
_vsnprintf
_controlfp_s
_invoke_watson
?_type_info_dtor_internal_method@type_info@@QAEXXZ
?terminate@@YAXXZ
_except_handler4_common
_crt_debugger_hook
__set_app_type
__p__fmode
__p__commode
strrchr
strncpy_s
_swprintf
wcscpy
memset
sprintf
strncat_s
_beginthreadex
wcscat
memcpy
sscanf_s
wcscat_s
memcmp
wcstombs
??3@YAXPAX@Z
wcslen
swscanf_s
wcsncpy
?what@exception@std@@UBEPBDXZ
memmove_s
??1exception@std@@UAE@XZ
strcpy
??0exception@std@@QAE@XZ
malloc
??0exception@std@@QAE@ABQBD@Z
??2@YAPAXI@Z
_invalid_parameter_noinfo
??_V@YAXPAX@Z
??0exception@std@@QAE@ABV01@@Z
strlen
_time64
wcscpy_s
wcsncmp
wcsrchr
strcat
pow
_beginthread
_vswprintf
strncat
strstr
wcschr
mbstowcs
sprintf_s
_wtoi
strcpy_s
strcmp
_wcsnicmp
swprintf_s
_wcsicmp
_ctime64_s
atoi
_mktime64
free
_vswprintf_c_l
wcsstr
vswprintf_s
wcscmp
_itow
printf
system
_purecall
strncpy
mbstowcs_s
strcat_s
_snprintf_s
fclose
_wsystem
_wfopen_s
fprintf
fwprintf
_stricmp
_vsnwprintf
calloc
_unlock
__dllonexit
_encode_pointer
_lock
_onexit
_decode_pointer
__CxxFrameHandler3
_amsg_exit
__wgetmainargs
_CxxThrowException
_exit
_XcptFilter
exit
_wcmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
wtsapi32
WTSFreeMemory
WTSQueryUserToken
WTSEnumerateSessionsW
userenv
DestroyEnvironmentBlock
CreateEnvironmentBlock
version
GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW
winhttp
WinHttpOpen
WinHttpOpenRequest
WinHttpCrackUrl
WinHttpQueryDataAvailable
WinHttpSendRequest
WinHttpAddRequestHeaders
WinHttpReceiveResponse
WinHttpConnect
WinHttpReadData
WinHttpSetTimeouts
WinHttpCloseHandle
enumfolder
CreateEnumRemoteFolder
Exports
Exports
??4_Init_locks@std@@QAEAAV01@ABV01@@Z
?Guid2String@@YAPADAAU_GUID@@PAD@Z
Sections
.text Size: 404KB - Virtual size: 401KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rdata Size: 140KB - Virtual size: 137KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.data Size: 4KB - Virtual size: 16.1MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 396KB - Virtual size: 396KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE