Static task: static1
Behavioral task: behavioral1
Sample: 2024-03-14_7a4bdcf9c32cc164c5ece694c1e6a4b9_mafia.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2024-03-14_7a4bdcf9c32cc164c5ece694c1e6a4b9_mafia.exe
Resource: win10v2004-20240226-en
General
Target: 2024-03-14_7a4bdcf9c32cc164c5ece694c1e6a4b9_mafia
Size: 9.7MB
MD5: 7a4bdcf9c32cc164c5ece694c1e6a4b9
SHA1: 33b6dd28bc4414c6eea2ecc4997ed4c6bc614557
SHA256: 14396389305afb3b5282ec365a41b007bdec83592ec875c8c3a324778a8f7d6e
SHA512: 4248f0a7cd1908ebc1aa2b2e1e9979563b6da32ea91ac9f83486765e51dde1d9077d0a030c26030cd3c56b8c87ee1ea470aed4cbe2fe4fd945f6c7875cbcc60f
SSDEEP: 98304:O4r/8GKTtAsN3GDN8wqtnGCzeEPlqcomj+ngWe8:inNWDydtGke0lDr8
Malware Config
Signatures
- Unsigned PE (1 IoC): checks for missing Authenticode signature.
  resource 2024-03-14_7a4bdcf9c32cc164c5ece694c1e6a4b9_mafia
Files
- 2024-03-14_7a4bdcf9c32cc164c5ece694c1e6a4b9_mafia.exe (windows:5 windows x86 arch:x86)
  110113115e0146d05b03333113a1076d
Headers
DLL Characteristics: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
SetErrorMode
Sleep
QueryPerformanceCounter
LockFile
LockFileEx
UnlockFile
OpenFileMappingW
GetVersion
GetFullPathNameA
GetFullPathNameW
WriteConsoleW
SetHandleCount
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetEnvironmentVariableA
HeapSize
HeapCreate
IsProcessorFeaturePresent
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
IsValidCodePage
GetOEMCP
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
FindFirstFileExW
GetFileType
InitializeCriticalSectionAndSpinCount
SetStdHandle
CreateThread
ExitThread
SetConsoleCtrlHandler
GetConsoleMode
FreeLibrary
HeapReAlloc
GetDateFormatA
GetTimeFormatA
GetCPInfo
GetStartupInfoW
HeapSetInformation
GetCommandLineW
RaiseException
RtlUnwind
LoadLibraryA
LCMapStringW
GetSystemInfo
GetStringTypeExW
GetUserDefaultLCID
lstrlenA
DecodePointer
EncodePointer
InterlockedExchange
InterlockedCompareExchange
GetStringTypeW
GetTempPathW
WaitForMultipleObjectsEx
PostQueuedCompletionStatus
CreateIoCompletionPort
GetQueuedCompletionStatus
GlobalAlloc
GlobalFree
GetEnvironmentStringsW
ExitProcess
SuspendThread
GetExitCodeThread
WriteFileGather
ReadFileScatter
GetComputerNameA
QueryPerformanceFrequency
TlsSetValue
TlsFree
TlsAlloc
PulseEvent
CreateEventA
ReleaseMutex
GetProcAddress
LoadLibraryW
GetConsoleCP
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
CreateMutexW
TryEnterCriticalSection
SetThreadPriority
GetCurrentThread
TlsGetValue
ResumeThread
ReleaseSemaphore
GetStdHandle
lstrcmpiW
GetProcessHeap
HeapAlloc
HeapFree
CompareStringW
SetLastError
ReadProcessMemory
lstrcmpW
MapViewOfFileEx
OpenFileMappingA
CreateFileMappingA
FormatMessageA
GetFileSizeEx
SwitchToThread
GetDiskFreeSpaceExW
WaitNamedPipeW
PeekNamedPipe
LocalFileTimeToFileTime
TerminateProcess
DuplicateHandle
CreateProcessW
ReadDirectoryChangesW
lstrlenW
InterlockedIncrement
FlushFileBuffers
SetFilePointerEx
GetProcessTimes
GetWindowsDirectoryW
DeleteTimerQueueEx
CreateTimerQueue
DeleteTimerQueueTimer
CreateTimerQueueTimer
SetEndOfFile
CreateFileA
ReadFile
GetPrivateProfileStringA
GetLocaleInfoW
CompareFileTime
GetCurrentDirectoryW
FormatMessageW
FileTimeToLocalFileTime
FileTimeToSystemTime
RemoveDirectoryW
CreateDirectoryW
GetDiskFreeSpaceW
ExpandEnvironmentStringsW
GetLongPathNameW
GetVolumeInformationW
GetDriveTypeW
QueryDosDeviceW
GetLogicalDriveStringsW
GetComputerNameExW
GetComputerNameW
LocalAlloc
CreateSemaphoreW
WaitForMultipleObjects
GetCurrentThreadId
GetCurrentProcess
CloseHandle
GetCurrentProcessId
ProcessIdToSessionId
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GlobalMemoryStatusEx
SetFileTime
GetVersionExW
LoadLibraryExW
WideCharToMultiByte
GetACP
MultiByteToWideChar
CreateEventW
WaitForSingleObject
SetEvent
ResetEvent
InitializeCriticalSection
DeleteCriticalSection
GetModuleFileNameW
OutputDebugStringW
GetLocalTime
GetSystemTime
GetLastError
WriteFile
GetFileSize
MoveFileExW
CreateFileW
GetTickCount
FindClose
FindNextFileW
FindFirstFileW
CopyFileW
CancelIo
DisconnectNamedPipe
CreateNamedPipeW
ConnectNamedPipe
SetNamedPipeHandleState
InterlockedDecrement
DeviceIoControl
GetOverlappedResult
MoveFileW
GetModuleHandleW
GetTempFileNameW
GetFileAttributesW
GetFileAttributesExW
LocalFree
DeleteFileW
SetFileAttributesW
SetFilePointer
GetFileInformationByHandle
OpenProcess
SystemTimeToFileTime
GetTimeZoneInformation
user32
EnumWindows
GetForegroundWindow
GetWindowThreadProcessId
GetWindowTextW
GetWindowInfo
PostMessageW
ReleaseDC
wsprintfW
GetSystemMetrics
GetWindowRect
GetWindowDC
PostThreadMessageW
MessageBoxW
DdeUninitialize
DdeInitializeW
DdeNameService
GetDesktopWindow
SetWindowTextA
DispatchMessageW
DdeAccessData
DdeGetData
DdeQueryConvInfo
GetParent
DdeUnaccessData
DdeDisconnect
DdeClientTransaction
DdeCreateStringHandleW
DdeConnect
DdeGetLastError
DdeFreeStringHandle
GetShellWindow
LoadStringW
GetWindowLongW
CreateWindowExW
SetWindowLongW
RegisterClassExW
LoadIconW
LoadCursorW
SystemParametersInfoW
DdeQueryStringW
GetMessageW
SendMessageW
CloseClipboard
EmptyClipboard
SetTimer
TranslateMessage
RegisterHotKey
UnregisterHotKey
OpenDesktopW
SwitchDesktop
CloseDesktop
DefWindowProcW
SetClipboardData
keybd_event
OpenClipboard
advapi32
RegisterEventSourceW
GetTokenInformation
RegQueryValueExW
RegCreateKeyExW
SetEntriesInAclW
AllocateAndInitializeSid
ConvertSidToStringSidW
IsValidSid
LsaClose
RegCloseKey
RegOpenKeyExW
RegNotifyChangeKeyValue
SetNamedSecurityInfoW
GetSecurityDescriptorSacl
SetSecurityDescriptorControl
CheckTokenMembership
ReportEventW
DeregisterEventSource
RegCreateKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
LookupAccountNameW
EqualSid
RegOpenKeyW
ConvertStringSecurityDescriptorToSecurityDescriptorW
FreeSid
SetSecurityDescriptorSacl
RegQueryInfoKeyW
RegEnumKeyExW
RegEnumValueW
RegDeleteKeyW
RegDeleteValueW
RegSetValueExW
ConvertStringSidToSidW
LookupAccountSidW
LsaOpenPolicy
LsaQueryInformationPolicy
shell32
ShellExecuteW
ShellExecuteExW
SHGetFolderPathW
ole32
StgOpenStorage
StgCreateDocfileOnILockBytes
StgIsStorageILockBytes
StgOpenStorageOnILockBytes
PropVariantClear
CoCreateGuid
CoTaskMemFree
CLSIDFromString
CoCreateInstance
OleRun
StringFromGUID2
CoInitialize
IIDFromString
CoUninitialize
fcregex
validateRegularExperssion
fcagui
?handleMessage@IDlpeConsoleHandler@@QAEXH_J0@Z
?setNotificationHistory@IDlpeConsoleHandler@@QAEXAAV?$list@UHistoryNotification@@V?$allocator@UHistoryNotification@@@std@@@std@@@Z
?reloadScanRecordList@IDlpeConsoleHandler@@QAEXW4ScanInfoType@@@Z
?setAgentStatus@IDlpeConsoleHandler@@QAEXAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z
??0ChallengeResponsInfo@@QAE@AAU0@@Z
?addNotificationToHistory@IDlpeConsoleHandler@@QAEXAAUHistoryNotification@@@Z
?removeNotificationFromHistory@IDlpeConsoleHandler@@QAEX_K@Z
?updateConsoleConfiguration@IDlpeConsoleHandler@@QAEXPAUDlpeConsoleConfig@@@Z
?closeConsole@IDlpeConsoleHandler@@IAEXXZ
?getScanInfo@IDlpeConsoleHandler@@QAEPAUScanInfo@@W4ScanInfoType@@@Z
??0IDlpeConsoleHandler@@QAE@XZ
??1IDlpeConsoleHandler@@QAE@XZ
?startNotificationUI@McTrayPluginHelper@@QAEXPAVNotificationDlgParams@@@Z
?sendChallengeDlgResult@McTrayPluginHelper@@QAEXPAVChallengeResponseDlgParams@@@Z
?startChallengeResponseUI@McTrayPluginHelper@@QAEXPAVChallengeResponseDlgParams@@@Z
?deleteUIParams@McTrayPluginHelper@@QAEXPAVUIParams@@@Z
?allocateUIParams@McTrayPluginHelper@@QAEPAVUIParams@@W4McTrayPluginUIRequestType@@@Z
?setStringValue@McTrayPluginHelper@@QAEXAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@0@Z
?insertSetValues@McTrayPluginHelper@@QAEXAAV?$set@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@U?$less@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@V?$allocator@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@@std@@0@Z
?startBusinessJustificationUI@McTrayPluginHelper@@QAEXPAVJustificationDlgParams@@@Z
??0HistoryNotification@@QAE@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@W4IconType@@_J@Z
??1HistoryNotification@@QAE@XZ
?openConsole@IDlpeConsoleHandler@@QAEXW4DLPE_CONSOLE_PAGE_INDEX@@@Z
?close@McTrayPluginHelper@@QAEXXZ
?create@McTrayPluginHelper@@QAEHXZ
?changeBypass@IDlpeConsoleHandler@@QAEX_JH@Z
??0McTrayPluginUICallback@@QAE@XZ
??0McTrayPluginHelper@@QAE@XZ
??1McTrayPluginHelper@@UAE@XZ
??0HistoryNotification@@QAE@AAU0@@Z
?addRecordList@ScanInfo@@QAEXAAUDiscoveryRecord@@@Z
?updateScansInfo@IDlpeConsoleHandler@@QAEXW4ScanInfoType@@@Z
?recordListSize@ScanInfo@@QAEHXZ
?reset@ScanInfo@@QAEXXZ
?newScanRecord@IDlpeConsoleHandler@@QAEXW4ScanInfoType@@@Z
ws2_32
ioctlsocket
connect
getsockopt
gethostbyname
WSACleanup
recvfrom
recv
sendto
send
inet_ntoa
getpeername
WSAStartup
htonl
ntohs
socket
setsockopt
listen
closesocket
bind
__WSAFDIsSet
select
WSAGetLastError
WSAEventSelect
ntohl
accept
WSAEnumNetworkEvents
shutdown
WSARecvFrom
WSARecv
WSASendTo
htons
WSASend
gethostbyaddr
getservbyname
gethostname
getsockname
inet_addr
mswsock
AcceptEx
GetAcceptExSockaddrs
TransmitFile
netapi32
DsGetDcNameW
NetShareEnum
NetApiBufferFree
NetDfsGetInfo
shlwapi
UrlUnescapeW
PathGetArgsW
SHCopyKeyW
PathFileExistsW
secur32
GetUserNameExW
psapi
GetProcessMemoryInfo
EnumProcessModules
GetModuleBaseNameW
GetProcessImageFileNameW
gdiplus
GdipCloneImage
GdipSaveImageToFile
GdipGetImageEncodersSize
GdipGetImageEncoders
GdiplusShutdown
GdiplusStartup
GdipFree
GdipAlloc
GdipLoadImageFromFile
GdipLoadImageFromFileICM
GdipDisposeImage
GdipCreateBitmapFromHBITMAP
iphlpapi
GetAdaptersInfo
GetBestInterface
GetIfEntry
dnsapi
DnsFree
DnsQuery_W
fcagsec
?validateResponse@ChallengeResponse@@QAEHPBD0AAI@Z
?setLowSecurityMode@ChallengeResponse@@QAEXH@Z
?appendEncryptData@DlpEncryptionAlg@@QAEHAAVDlpCryptoContext@@AAVACE_Message_Block@@@Z
?initEncryptData@DlpEncryptionAlg@@QAEHAAVDlpCryptoContext@@AAVACE_Message_Block@@@Z
?appendLastEncryptData@DlpEncryptionAlg@@QAEHAAVDlpCryptoContext@@AAVACE_Message_Block@@@Z
?getEncryptData@DlpEncryptionAlg@@QAEXAAVDlpCryptoContext@@AAVACE_Message_Block@@@Z
??0Aes256CryptoAlg@@QAE@XZ
?decryptData@Aes256CryptoAlg@@QAEHPAEI00AAII@Z
??1Aes256CryptoAlg@@QAE@XZ
CheckDLPEncryptSignature
?appendDecryptData@DlpDecryptionAlg@@QAEHAAVDlpCryptoContext@@AAVACE_Message_Block@@@Z
?finishDecryptData@DlpDecryptionAlg@@QAEHAAVDlpCryptoContext@@@Z
?getDecryptData@DlpDecryptionAlg@@QAEXAAVDlpCryptoContext@@AAVACE_Message_Block@@@Z
?initDecryptData@DlpDecryptionAlg@@QAEHAAVDlpCryptoContext@@PAE@Z
?updateDigest@IShaHashAlg@@QAEHPAEI@Z
?finishDigest@IShaHashAlg@@QAEHPAEI@Z
?initDigest@IShaHashAlg@@QAEHXZ
??1DlpCryptoContext@@QAE@XZ
??0DlpCryptoContext@@QAE@XZ
?generateKeyFromSeed@CryptoUtils@@YAHPAE0I@Z
?setDecryptorKey@DlpDecryptionAlg@@QAEHPAE@Z
?setEncryptorKey@DlpEncryptionAlg@@QAEHPAE@Z
?addDecryptorKey@DlpDecryptionAlg@@QAEHPAE@Z
??1DlpEncryptionAlg@@QAE@XZ
??1DlpDecryptionAlg@@QAE@XZ
??1ChallengeResponse@@UAE@XZ
??0ChallengeResponse@@QAE@XZ
?setSecureKey@ChallengeResponse@@QAEXPAE@Z
?getLastCryptoError@CryptoUtils@@YAPADXZ
?generateChallenge@ChallengeResponse@@QAEHPADAAI@Z
?validateResponse@ChallengeResponse@@QAEHPBDAAI@Z
??1Sha224HashAlg@@QAE@XZ
??0DlpDecryptionAlg@@QAE@XZ
??0DlpEncryptionAlg@@QAE@XZ
??0Sha224HashAlg@@QAE@XZ
?open@DlpEncryptionAlg@@QAEHXZ
?digest@IShaHashAlg@@QAEHPAEI0I@Z
GetCurrentThreadUserName
mpr
WNetGetConnectionW
userenv
ExpandEnvironmentStringsForUserW
msi
ord109
ord195
wtsapi32
WTSEnumerateProcessesW
WTSFreeMemory
version
VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW
wininet
InternetReadFile
HttpSendRequestA
HttpQueryInfoW
HttpAddRequestHeadersA
InternetCrackUrlA
InternetConnectA
HttpOpenRequestA
InternetCloseHandle
InternetOpenA
InternetSetStatusCallbackW
InternetSetOptionW
InternetErrorDlg
fshelperlibrary
IFSHelperIsProtectedFromByteW
IFSHelperInitializeW
IFSHelperTerminateW
IFSHelperProtectW
IFSHelperIsSupportedFileW
prnscrmonintegrator
IPrnScrPreRegisterHotKey
IPrnScrPrintScreenKeyPressed
IPrnScrTerminate
IPrnScrInitialize
IPrnScrPostRegisterHotKey
IPrnScrIsDCInstalled
gdi32
BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
GetStockObject
DeleteObject
DeleteDC
SelectObject
winspool.drv
EnumPrintersW
oleaut32
SysAllocStringLen
SystemTimeToVariantTime
SysStringLen
VariantCopy
GetErrorInfo
VariantInit
VariantClear
SysAllocString
SysStringByteLen
SysAllocStringByteLen
SysFreeString
VariantChangeType
VariantTimeToSystemTime
Sections
.text Size: 6.9MB - Virtual size: 6.9MB - Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata Size: 2.2MB - Virtual size: 2.2MB - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data Size: 196KB - Virtual size: 196KB - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc Size: 24KB - Virtual size: 24KB - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc Size: 340KB - Virtual size: 340KB - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ