Physiological_Client[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

Physiological_Client.zip
Size

2.9MB
MD5

62dd61b23d09d01d34ef071b9c4dae5e
SHA1

b582efd323bfb92aca8bacab15b34ec27ab3f679
SHA256

daa8da374a7733265d53152a6fded97c669f964a6881f2310c8bbc3921488a3f
SHA512

bc96f56f703527e5b5556c17d2aeb6a530a2e357cb062d7da6097c03d75206c3990b3400786fc430ec49235380622eb3f2d7921acd48600d8c1d162884fee764
SSDEEP

49152:edBxbN9BZGsYBO6uY/Sg4MglGMhKhOkIsuEepI8vx+OIfZSsA6ojT23T:KN3BZGUA/tB7hOkIXjpI8RIBvbp3T

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Physiological_Client/Physiological Client.exe
unpack001/Physiological_Client/WinDivert.dll

Files

Physiological_Client.zip
.zip
Physiological_Client/Physiological Client.exe
.exe windows:6 windows x64 arch:x64

03542a0ccc80c82441f4a9e87b79dbe9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

WideCharToMultiByte
SetEvent
ResetEvent
CreateEventW
RtlCaptureContext
RtlLookupFunctionEntry
QueryPerformanceCounter
VerifyVersionInfoA
LoadLibraryA
GetProcAddress
FreeLibrary
GetSystemDirectoryA
VerSetConditionMask
SleepEx
LeaveCriticalSection
EnterCriticalSection
FormatMessageA
SetLastError
GetModuleHandleW
GetModuleHandleA
GetModuleFileNameA
UnmapViewOfFile
MapViewOfFile
CreateFileA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
OutputDebugStringW
ReadProcessMemory
WriteProcessMemory
SetFileAttributesA
CreateProcessA
OpenProcess
CreateToolhelp32Snapshot
Module32First
Module32Next
GetCurrentProcessId
GetCurrentDirectoryW
Beep
GetSystemInfo
VirtualQueryEx
FindResourceA
GetCurrentThreadId
LoadResource
LockResource
SizeofResource
CreateFileMappingA
WaitForMultipleObjects
PeekNamedPipe
GetSystemTimeAsFileTime
GetFileSizeEx
ReadFile
GetFileType
GetStdHandle
GetEnvironmentVariableA
MultiByteToWideChar
WaitForSingleObjectEx
MoveFileExA
RtlVirtualUnwind
GetTickCount
Sleep
GetCurrentProcess
DeleteCriticalSection
InitializeCriticalSectionEx
InitializeCriticalSectionAndSpinCount
GetLastError
CloseHandle

user32

GetForegroundWindow
GetWindowThreadProcessId
GetWindowTextA
GetCursorInfo
FindWindowA
SetCursorPos
GetCursorPos
SendMessageW
GetAsyncKeyState
keybd_event

advapi32

CryptGetHashParam
GetUserNameA
CryptAcquireContextA
CryptReleaseContext
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptEncrypt
CryptImportKey

msvcp140

?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??1_Lockit@std@@QEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??Bios_base@std@@QEBA_NXZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
??0_Lockit@std@@QEAA@H@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xinvalid_argument@std@@YAXPEBD@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?_Random_device@std@@YAIXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
_Thrd_sleep
_Cnd_do_broadcast_at_thread_exit
_Query_perf_counter
_Query_perf_frequency
_Xtime_get_ticks
_Thrd_detach
?_Throw_Cpp_error@std@@YAXH@Z
?_Throw_C_error@std@@YAXH@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@N@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??Bid@locale@std@@QEAA_KXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?width@ios_base@std@@QEAA_J_J@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?flags@ios_base@std@@QEBAHXZ
?width@ios_base@std@@QEBA_JXZ
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?good@ios_base@std@@QEBA_NXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?uncaught_exception@std@@YA_NXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z

normaliz

IdnToAscii

wldap32

ord50
ord46
ord45
ord143
ord22
ord211
ord26
ord41
ord217
ord60
ord301
ord200
ord30
ord79
ord35
ord33
ord32
ord27

crypt32

CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CertCloseStore
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertFreeCertificateChain
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertOpenStore
CertAddCertificateContextToStore

ws2_32

setsockopt
socket
closesocket
recv
WSAIoctl
WSAStartup
WSACleanup
send
WSAGetLastError
accept
htonl
listen
ioctlsocket
__WSAFDIsSet
select
getaddrinfo
freeaddrinfo
recvfrom
sendto
gethostname
bind
ntohl
connect
getpeername
ntohs
htons
getsockopt
WSASetLastError
getsockname

api-ms-win-crt-stdio-l1-1-0

_lseeki64
ungetc
fgetc
ftell
fseek
_fseeki64
_get_stream_buffer_pointers
feof
setvbuf
fgetpos
_open
_close
__stdio_common_vsscanf
fputs
_write
_read
fsetpos
fopen
fclose
fputc
fwrite
fread
__acrt_iob_func
__stdio_common_vsprintf
fgets
fflush

api-ms-win-crt-runtime-l1-1-0

_cexit
terminate
_register_onexit_function
__sys_nerr
strerror
_initialize_onexit_table
_invalid_parameter_noinfo_noreturn
_errno
exit
system
_beginthreadex
_getpid
abort
_crt_atexit

api-ms-win-crt-heap-l1-1-0

calloc
realloc
free
malloc
_callnewh

api-ms-win-crt-convert-l1-1-0

strtoul
strtol
atoi
strtoll

api-ms-win-crt-time-l1-1-0

_time64
_gmtime64

api-ms-win-crt-math-l1-1-0

round
roundf
truncf

api-ms-win-crt-string-l1-1-0

strncpy
strncmp
tolower
strpbrk
strcmp
strcspn
toupper
_stricmp
isdigit
_strdup
isupper
strspn

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-filesystem-l1-1-0

_access
_stat64
_fstat64
_lock_file
_unlock_file
_unlink

vcruntime140

strchr
__FrameUnwindFilter
__CxxUnregisterExceptionObject
__CxxDetectRethrow
__current_exception_context
__current_exception
strstr
strrchr
__CxxExceptionFilter
memcmp
memchr
memset
memmove
memcpy
_CxxThrowException
__std_exception_destroy
__std_exception_copy
__CxxQueryExceptionSize
__CxxRegisterExceptionObject

windivert

WinDivertClose
WinDivertOpen
WinDivertRecv
WinDivertSend

gdi32

CreateRoundRectRgn

winmm

timeBeginPeriod

shlwapi

PathFindFileNameA
PathFindExtensionA

mscoree

_CorExeMain

Sections

Size: 472KB - Virtual size: 471KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 1024B - Virtual size: 800B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 1007KB - Virtual size: 1006KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 3KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Size: 240KB - Virtual size: 240KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

;sFI39(w
Size: 682KB - Virtual size: 682KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 545KB - Virtual size: 544KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Physiological_Client/README PLEASE CYDE.txt
Physiological_Client/WinDivert.dll
.dll windows:4 windows x64 arch:x64

0b649f8e17494bb31b47f6e959a1769c

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

CloseServiceHandle
CreateServiceW
DeleteService
OpenSCManagerW
OpenServiceW
RegCloseKey
RegCreateKeyExA
RegSetValueExA
RegSetValueExW
StartServiceW

kernel32

CloseHandle
CreateEventW
CreateFileW
CreateMutexW
DeviceIoControl
GetLastError
GetModuleFileNameW
GetOverlappedResult
HeapAlloc
HeapCreate
HeapDestroy
ReleaseMutex
SetLastError
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
WaitForSingleObject

Exports

Exports

WinDivertClose
WinDivertGetParam
WinDivertHelperCalcChecksums
WinDivertHelperCompileFilter
WinDivertHelperDecrementTTL
WinDivertHelperEvalFilter
WinDivertHelperFormatFilter
WinDivertHelperFormatIPv4Address
WinDivertHelperFormatIPv6Address
WinDivertHelperHashPacket
WinDivertHelperHtonIPv6Address
WinDivertHelperHtonIpv6Address
WinDivertHelperHtonl
WinDivertHelperHtonll
WinDivertHelperHtons
WinDivertHelperNtohIPv6Address
WinDivertHelperNtohIpv6Address
WinDivertHelperNtohl
WinDivertHelperNtohll
WinDivertHelperNtohs
WinDivertHelperParseIPv4Address
WinDivertHelperParseIPv6Address
WinDivertHelperParsePacket
WinDivertOpen
WinDivertRecv
WinDivertRecvEx
WinDivertSend
WinDivertSendEx
WinDivertSetParam
WinDivertShutdown

Sections

.text
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 1024B - Virtual size: 840B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 1024B - Virtual size: 800B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 16B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 240B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

03542a0ccc80c82441f4a9e87b79dbe9

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

msvcp140

normaliz

wldap32

crypt32

ws2_32

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

vcruntime140

windivert

gdi32

winmm

shlwapi

mscoree

Sections

Size: 472KB - Virtual size: 471KB

Size: 1024B - Virtual size: 800B

Size: 1007KB - Virtual size: 1006KB

Size: 3KB - Virtual size: 45KB

Size: 12KB - Virtual size: 11KB

Size: 1.4MB - Virtual size: 1.4MB

Size: 1KB - Virtual size: 1KB

Size: 240KB - Virtual size: 240KB

;sFI39(w Size: 682KB - Virtual size: 682KB

.text Size: 545KB - Virtual size: 544KB

.rsrc Size: 1.4MB - Virtual size: 1.4MB

0b649f8e17494bb31b47f6e959a1769c

Headers

File Characteristics

Imports

advapi32

kernel32

Exports

Exports

Sections

.text Size: 30KB - Virtual size: 30KB

.data Size: 512B - Virtual size: 32B

.rdata Size: 9KB - Virtual size: 8KB

.pdata Size: 1024B - Virtual size: 840B

.xdata Size: 1024B - Virtual size: 800B

.bss Size: - Virtual size: 16B

.edata Size: 1KB - Virtual size: 1KB

.idata Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 240B

;sFI39(w
Size: 682KB - Virtual size: 682KB

.text
Size: 545KB - Virtual size: 544KB

.rsrc
Size: 1.4MB - Virtual size: 1.4MB

.text
Size: 30KB - Virtual size: 30KB

.data
Size: 512B - Virtual size: 32B

.rdata
Size: 9KB - Virtual size: 8KB

.pdata
Size: 1024B - Virtual size: 840B

.xdata
Size: 1024B - Virtual size: 800B

.bss
Size: - Virtual size: 16B

.edata
Size: 1KB - Virtual size: 1KB

.idata
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 240B