2024-03-15_0afe3d816fb83dab8b33e68dde7d0a87_mafia

Sharing

Copy URL

Twitter E-mail

General

Target

2024-03-15_0afe3d816fb83dab8b33e68dde7d0a87_mafia
Size

4.4MB
MD5

0afe3d816fb83dab8b33e68dde7d0a87
SHA1

c15bac8712a7d910af03fa3385a967403b27d44f
SHA256

eeb82986e46895c45431ccca5eeaa4d8d67226a40579ccdb6361ba956c3a1949
SHA512

7f738b38db43c7e299589b59a77f18253c289d9f147cef6f506f3825c6ec05b5222ee21e611c2db93c5bb13f235081f0ada07ab25d01e4c50ec9cabb5fdc8c8f
SSDEEP

98304:4k+iHL5HWLxR8owzh+3GDTZXxhSlaLE67i2/6HL:p+iHFcxRNfGDTtxhKoW2iHL

Score

10^/10

Malware Config

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Files

2024-03-15_0afe3d816fb83dab8b33e68dde7d0a87_mafia
.exe windows:5 windows x86 arch:x86

9d1e754771f2787008b6829391d3b447

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

78:5a:f6:d5:21:f6:7e:13:2d:53:38:57:42:ce:9b:35
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

25/06/2013, 00:00

Not After

24/09/2015, 23:59

Subject

CN=Piriform Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Piriform Ltd,L=London,ST=London,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

36:24:74:c6:96:09:8e:b0:46:21:13:1f:a6:c1:8c:bc:a5:ee:87:6e
Signer

Actual PE Digest

36:24:74:c6:96:09:8e:b0:46:21:13:1f:a6:c1:8c:bc:a5:ee:87:6e

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

H:\Piriform\CCleaner\trunk\bin\CCleaner\Release\CCleaner.pdb

Imports

rpcrt4

UuidFromStringA

kernel32

HeapDestroy
GetFileAttributesA
HeapCreate
HeapValidate
HeapSize
LockFileEx
GetDiskFreeSpaceW
CreateFileMappingA
CreateFileMappingW
GetDiskFreeSpaceA
GetFileAttributesExW
GetCurrentProcessId
GetTempPathA
AreFileApisANSI
DeleteFileA
SetFileTime
RtlCaptureContext
SetUnhandledExceptionFilter
VirtualQueryEx
TerminateThread
ReleaseSemaphore
CreateSemaphoreW
ResumeThread
CreateThread
WaitNamedPipeW
TransactNamedPipe
SetNamedPipeHandleState
WaitForMultipleObjects
GetTimeFormatA
FormatMessageA
UnlockFileEx
SetEnvironmentVariableA
WriteConsoleW
SetStdHandle
IsValidLocale
GetTickCount
GetLocaleInfoA
GetUserDefaultLCID
GetConsoleMode
GetConsoleCP
GetFileType
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStringTypeW
IsValidCodePage
GetOEMCP
GetACP
GetStdHandle
GetCPInfo
LCMapStringW
RtlUnwind
IsDebuggerPresent
UnhandledExceptionFilter
GetLogicalDrives
ExitThread
HeapSetInformation
ExitProcess
VirtualQuery
VirtualProtect
CreateWaitableTimerA
SetWaitableTimer
TlsSetValue
OpenEventA
TlsGetValue
TlsFree
TlsAlloc
InterlockedPopEntrySList
IsProcessorFeaturePresent
InterlockedPushEntrySList
BackupSeek
BackupRead
GetCompressedFileSizeW
CreateDirectoryW
VirtualFree
VirtualAlloc
SetFilePointerEx
GetDiskFreeSpaceExW
LocalAlloc
OutputDebugStringW
LockFile
UnlockFile
InterlockedCompareExchange
UnmapViewOfFile
MapViewOfFile
CreateFileA
HeapReAlloc
GetFullPathNameA
CompareFileTime
lstrcmpA
SetProcessWorkingSetSize
SetEndOfFile
lstrlenA
MoveFileExW
SystemTimeToFileTime
GetSystemTime
DeviceIoControl
MoveFileW
LoadLibraryA
SystemTimeToTzSpecificLocalTime
GetTimeZoneInformation
GetPrivateProfileSectionNamesW
GetPrivateProfileSectionW
WritePrivateProfileStringW
SetThreadPriority
GetVolumeInformationW
GetDriveTypeW
FileTimeToSystemTime
FileTimeToLocalFileTime
GetShortPathNameW
IsBadStringPtrW
CopyFileW
GetTempFileNameW
GetTempPathW
RemoveDirectoryW
SetFileAttributesW
GetEnvironmentVariableW
ExpandEnvironmentStringsW
GetSystemDirectoryW
GetCurrentThread
FindNextFileW
FindFirstFileW
GetFullPathNameW
FindClose
GetUserDefaultLangID
GetTimeFormatW
GetDateFormatW
GetNumberFormatW
GetLocaleInfoW
GetSystemTimeAsFileTime
OutputDebugStringA
InitializeCriticalSection
GetLocalTime
GetModuleFileNameA
VerifyVersionInfoW
VerSetConditionMask
GlobalMemoryStatus
GetSystemInfo
GetVersionExA
GetWindowsDirectoryW
GetProcessTimes
GetLongPathNameW
SetFilePointer
GetFileSize
ReadFile
GetVersion
CompareStringW
Sleep
GetPrivateProfileStringW
DeleteFileW
LocalFree
FormatMessageW
lstrcpynW
GetVersionExW
GetFileAttributesW
SetCurrentDirectoryW
GetCurrentDirectoryW
QueryPerformanceCounter
QueryPerformanceFrequency
MulDiv
GetCommandLineW
CreateProcessW
GetStartupInfoW
SetErrorMode
InterlockedIncrement
InterlockedDecrement
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LoadLibraryExW
lstrcmpiW
GetProcAddress
MultiByteToWideChar
lstrcpyW
FreeLibrary
LoadLibraryW
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
InterlockedExchange
GetModuleHandleW
WriteFile
FlushFileBuffers
CreateFileW
WideCharToMultiByte
CreateMutexW
GetModuleFileNameW
GetLastError
lstrlenW
SetLastError
RaiseException
GetCurrentThreadId
EnterCriticalSection
LeaveCriticalSection
FindResourceExW
FindResourceW
LoadResource
LockResource
SizeofResource
CreateEventA
CloseHandle
HeapAlloc
HeapFree
GetProcessHeap
ResetEvent
SetEvent
CreateEventW
OpenProcess
TerminateProcess
WaitForSingleObject
FlushInstructionCache
GetCurrentProcess
EnumSystemLocalesA
GetDateFormatA

user32

GetClipboardData
OpenClipboard
IsClipboardFormatAvailable
SetMenuDefaultItem
LockWindowUpdate
PostQuitMessage
IsZoomed
IsDialogMessageW
FindWindowExW
LoadIconW
GetComboBoxInfo
AdjustWindowRectEx
GetWindowRect
SetWindowPos
GetWindowLongW
UnregisterClassA
GetParent
GetWindow
GetDesktopWindow
GetClientRect
MapWindowPoints
CloseClipboard
GetDlgItem
SetWindowTextW
PostMessageW
EndDialog
CheckDlgButton
IsDlgButtonChecked
GetWindowTextW
SendMessageW
GetClassNameW
RegisterWindowMessageW
GetMenu
SetLayeredWindowAttributes
DeleteMenu
UnhookWindowsHookEx
SetWindowsHookExW
CallNextHookEx
SetScrollPos
GetScrollInfo
ScrollWindowEx
SetScrollInfo
AppendMenuW
SetDlgItemTextW
GetNextDlgTabItem
GetDlgItemInt
GetForegroundWindow
GetSystemMetrics
SystemParametersInfoA
GetMenuItemID
GetMonitorInfoW
MonitorFromWindow
GetWindowThreadProcessId
ExitWindowsEx
WaitForInputIdle
EnumDisplaySettingsW
EmptyClipboard
SendMessageTimeoutW
DrawFrameControl
LoadStringW
DrawTextExW
UnregisterClassW
CharLowerW
CharLowerA
GetDlgItemTextW
SetClipboardData
LoadBitmapW
SetWindowLongW
GetScrollPos
GetMessagePos
CreateDialogParamW
IsChild
ChildWindowFromPoint
SetRectEmpty
SetCursorPos
InsertMenuW
TrackPopupMenu
DestroyMenu
GetCursorPos
CreatePopupMenu
EnableMenuItem
GetSystemMenu
EnableWindow
BringWindowToTop
ShowWindow
IsWindowVisible
OpenIcon
GetWindowPlacement
SetForegroundWindow
FindWindowW
EnumWindows
IsIconic
SetFocus
GetActiveWindow
DialogBoxParamW
LoadImageW
SetRect
CreateWindowExW
InvalidateRect
BeginPaint
EndPaint
GetCapture
SetCapture
RedrawWindow
ClientToScreen
WindowFromPoint
ReleaseCapture
UpdateWindow
SystemParametersInfoW
GetDlgCtrlID
KillTimer
SetTimer
IsWindowEnabled
DispatchMessageA
GetMessageA
IsWindowUnicode
MsgWaitForMultipleObjects
GetSysColorBrush
MoveWindow
DestroyWindow
MessageBoxW
PeekMessageW
PtInRect
SetCursor
GetMessageW
TranslateMessage
DispatchMessageW
RegisterClassW
GetClassInfoW
CharNextW
GetClassInfoExW
RegisterClassExW
DrawEdge
DrawFocusRect
DrawStateW
FrameRect
FillRect
ScreenToClient
GetWindowTextLengthW
GetDC
CopyRect
GetFocus
GetKeyState
GetSysColor
GetIconInfo
IsWindow
LoadCursorW
DrawTextW
DefWindowProcW
CallWindowProcW
DestroyCursor
DestroyIcon
GetClassLongW
OffsetRect
InflateRect
ReleaseDC
GetWindowDC

gdi32

BitBlt
SelectObject
DeleteDC
CreateCompatibleDC
DeleteObject
PolylineTo
CreateDIBSection
SetDIBColorTable
StretchBlt
ExtTextOutW
GetDIBColorTable
SetViewportOrgEx
CreateCompatibleBitmap
SetBkMode
SetTextColor
TextOutW
Ellipse
GetTextMetricsW
GetClipBox
CreatePatternBrush
CreateBitmap
PatBlt
RestoreDC
SaveDC
GetDeviceCaps
GetStockObject
GetTextExtentPoint32W
CreateRectRgnIndirect
StrokeAndFillPath
EndPath
BeginPath
ExcludeClipRect
SelectClipRgn
GetClipRgn
SetBkColor
LineTo
MoveToEx
CreatePen
CreateFontIndirectW
CreateSolidBrush
CreateRectRgn
CombineRgn
GetObjectW

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

RegCloseKey
RegDeleteKeyW
SetEntriesInAclW
CryptGenRandom
CryptReleaseContext
CryptAcquireContextA
CloseEventLog
ClearEventLogW
OpenEventLogW
LookupPrivilegeNameW
RegUnLoadKeyW
RegLoadKeyW
RegNotifyChangeKeyValue
RegEnumValueW
AccessCheck
MapGenericMask
DuplicateToken
GetFileSecurityW
AdjustTokenPrivileges
LookupPrivilegeValueW
GetUserNameW
LookupAccountNameW
CopySid
GetLengthSid
LookupAccountSidW
FreeSid
EqualSid
OpenThreadToken
AllocateAndInitializeSid
GetSidSubAuthority
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW
RegQueryValueExW
OpenProcessToken
GetTokenInformation
IsValidSid
GetSidIdentifierAuthority
GetSidSubAuthorityCount
SetNamedSecurityInfoW

ole32

CoSetProxyBlanket
CLSIDFromString
CoInitializeEx
CoUninitialize
CoInitialize
PropVariantClear
CoInitializeSecurity
DoDragDrop
RegisterDragDrop
RevokeDragDrop
OleDuplicateData
ReleaseStgMedium
OleUninitialize
OleInitialize
CoCreateInstance
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
CreateStreamOnHGlobal

oleaut32

VarBstrFromR8
VariantInit
SysStringLen
VariantClear
VariantTimeToSystemTime
VariantChangeType
SysAllocString
SysFreeString
VarUI4FromStr
SysAllocStringLen

shlwapi

StrRetToStrW
PathFindFileNameW
PathIsRelativeW
PathCreateFromUrlW
PathIsURLW
PathIsUNCW
PathStripPathA
PathUnquoteSpacesW
PathRemoveArgsW
PathFindExtensionW
PathStripPathW
SHStrDupW
PathCombineW
PathRemoveExtensionA
PathRemoveFileSpecW
PathRemoveExtensionW
PathAddExtensionW
PathStripToRootW
PathSkipRootW
PathRemoveBackslashW
PathGetDriveNumberW
PathCompactPathW
PathIsDirectoryW
PathFileExistsW
PathAppendW
PathMatchSpecW
PathIsDirectoryEmptyW

comctl32

ImageList_SetIconSize
ImageList_Replace
ImageList_GetImageInfo
ImageList_Remove
ImageList_GetIconSize
ImageList_Draw
_TrackMouseEvent
ImageList_Duplicate
ImageList_LoadImageW
ImageList_GetIcon
ImageList_GetImageCount
ImageList_ReplaceIcon
ImageList_Create
ImageList_Destroy
InitCommonControlsEx

gdiplus

GdiplusShutdown
GdiplusStartup
GdipCreateBitmapFromStream
GdipGetImagePixelFormat
GdipGetImageHeight
GdipGetImageWidth
GdipGetImagePaletteSize
GdipGetImagePalette
GdipBitmapLockBits
GdipBitmapUnlockBits
GdipCreateBitmapFromScan0
GdipCloneImage
GdipAlloc
GdipFree
GdipGetImageGraphicsContext
GdipDeleteGraphics
GdipDrawImageI
GdipDisposeImage

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationW

netapi32

NetLocalGroupGetMembers
NetApiBufferFree

crypt32

CryptDecodeObject
CertGetNameStringW
CertFreeCertificateContext
CryptQueryObject
CryptMsgGetParam
CertCloseStore
CryptMsgClose
CertFindCertificateInStore

wintrust

WinVerifyTrust

esent

JetBeginSession
JetInit2
JetCreateInstance2
JetSetSystemParameter
JetCreateDatabase2
JetEndSession
JetCloseDatabase
JetCloseTable
JetGetDatabaseFileInfo
JetAttachDatabase2
JetOpenDatabase
JetOpenTable
JetSetCurrentIndex4
JetMove
JetEnumerateColumns
JetBeginTransaction
JetCommitTransaction
JetDelete
JetRollback
JetTerm2
JetDeleteTable

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

Sections

.text
Size: 2.4MB - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 669KB - Virtual size: 669KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 166KB - Virtual size: 188KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 945KB - Virtual size: 945KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 223KB - Virtual size: 222KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9d1e754771f2787008b6829391d3b447

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

78:5a:f6:d5:21:f6:7e:13:2d:53:38:57:42:ce:9b:35Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

36:24:74:c6:96:09:8e:b0:46:21:13:1f:a6:c1:8c:bc:a5:ee:87:6eSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

rpcrt4

kernel32

user32

gdi32

comdlg32

advapi32

ole32

oleaut32

shlwapi

comctl32

gdiplus

wtsapi32

netapi32

crypt32

wintrust

esent

version

Sections

.text Size: 2.4MB - Virtual size: 2.4MB

.rdata Size: 669KB - Virtual size: 669KB

.data Size: 166KB - Virtual size: 188KB

.tls Size: 512B - Virtual size: 2B

.rsrc Size: 945KB - Virtual size: 945KB

.reloc Size: 223KB - Virtual size: 222KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

78:5a:f6:d5:21:f6:7e:13:2d:53:38:57:42:ce:9b:35
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

36:24:74:c6:96:09:8e:b0:46:21:13:1f:a6:c1:8c:bc:a5:ee:87:6e
Signer

.text
Size: 2.4MB - Virtual size: 2.4MB

.rdata
Size: 669KB - Virtual size: 669KB

.data
Size: 166KB - Virtual size: 188KB

.tls
Size: 512B - Virtual size: 2B

.rsrc
Size: 945KB - Virtual size: 945KB

.reloc
Size: 223KB - Virtual size: 222KB