ecfbd676070a08c21835c1d7e992c8fc786bb1158f040c897b94542d853bf657

Sharing

Copy URL Twitter E-mail

General

Target

ecfbd676070a08c21835c1d7e992c8fc786bb1158f040c897b94542d853bf657
Size

4.4MB
MD5

9efc1b9ac95e1e908a2860b6e641de4b
SHA1

8c879ddf15b0d28163396b85469a9a86c3127a0a
SHA256

ecfbd676070a08c21835c1d7e992c8fc786bb1158f040c897b94542d853bf657
SHA512

f774592a9f3360c54af9f5d2f05dbe1fdbb1972cb52622e5edeb969528e61b0a81b40293039cba83d6472a3803126cea3113ebe2b89cadedde43ecda8990e559
SSDEEP

49152:D8o8bZjyJVD0s9Mr3XIfRviWkgEOaxfCbCMcXGtSgvZPOQ5Q7SghLOJXn+lr:D8o8VOUs9joRbMc2tSW62E

Score

10^/10

Malware Config

Signatures

Detects executables containing bas64 encoded gzip files 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

Files

ecfbd676070a08c21835c1d7e992c8fc786bb1158f040c897b94542d853bf657
.exe windows:6 windows x86 arch:x86

7aa58492bf5691114c98568704d048cd

Code Sign

25:22:95:89:59
Certificate

Issuer

CN=MeshCentralRoot-b32868,O=unknown,C=unknown

Not Before

31/12/2017, 23:00

Not After

30/12/2049, 23:00

Subject

CN=un-configured-605cab

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

22:93:39:66:15
Certificate

Issuer

CN=MeshCentralRoot-b32868,O=unknown,C=unknown

Not Before

31/12/2017, 23:00

Not After

30/12/2049, 23:00

Subject

CN=MeshCentralRoot-b32868,O=unknown,C=unknown

Key Usages

KeyUsageCertSign

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

03/05/2023, 00:00

Not After

02/08/2034, 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #4,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/05/2019, 00:00

Not After

18/01/2038, 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

Signer

Actual PE Digest

Digest Algorithm

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\MeshAgent\MeshAgent\Release\MeshService.pdb

Imports

comctl32

InitCommonControlsEx

crypt32

CryptEncodeObject
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertDeleteCertificateFromStore
CryptAcquireCertificatePrivateKey
CertAddEncodedCertificateToStore
CryptMsgClose
CryptMsgUpdate
CryptExportPublicKeyInfo
CertCreateSelfSignCertificate
CertFreeCertificateContext
CryptMsgOpenToEncode
CertAddCertificateContextToStore
CryptMsgOpenToDecode
CryptMsgControl
CertStrToNameW
CertOpenStore
CryptMsgCalculateEncodedLength
CertFindCertificateInStore
CertSetCertificateContextProperty
CertGetCertificateContextProperty
CryptMsgGetParam
CertStrToNameA
CertCloseStore
CryptSignAndEncodeCertificate
PFXExportCertStore

ncrypt

NCryptCreatePersistedKey
BCryptGetProperty
BCryptOpenAlgorithmProvider
NCryptOpenStorageProvider
BCryptCreateHash
NCryptSetProperty
BCryptHashData
NCryptFreeObject
NCryptFinalizeKey
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptGenRandom

dbghelp

SymInitialize
SymFromAddr
MiniDumpWriteDump
SymGetModuleBase64
SymGetLineFromAddr64
SymFunctionTableAccess64
StackWalk64

iphlpapi

GetAdaptersAddresses
SendARP
ConvertLengthToIpv4Mask
GetAdaptersInfo

ws2_32

__WSAFDIsSet
htons
htonl
gethostname
ntohs
ntohl
WSAGetLastError
ioctlsocket
recv
send
gethostbyname
getaddrinfo
freeaddrinfo
getnameinfo
WSASetLastError
getsockname
WSASocketW
listen
closesocket
bind
accept
WSACleanup
FreeAddrInfoW
select
WSACloseEvent
WSACreateEvent
WSAStartup
WSAEventSelect
WSAResetEvent
GetAddrInfoW
WSAIoctl
shutdown
connect
recvfrom
getsockopt
sendto
socket
setsockopt

gdiplus

GdipCloneImage
GdipAlloc
GdiplusStartup
GdiplusShutdown
GdipDisposeImage
GdipLoadImageFromStreamICM
GdipFree
GdipGetImageEncodersSize
GdipSaveImageToStream
GdipLoadImageFromStream
GdipGetImageEncoders

kernel32

InterlockedPushEntrySList
InterlockedFlushSList
RtlUnwind
EnterCriticalSection
GetFullPathNameW
GetStdHandle
WriteFile
LoadLibraryExA
GetModuleFileNameW
GetSystemPowerStatus
OpenProcess
MultiByteToWideChar
Sleep
GetLastError
CloseHandle
GetCurrentDirectoryW
SetCurrentDirectoryW
GetProcAddress
SetEnvironmentVariableA
CreateProcessW
FreeLibrary
WideCharToMultiByte
GetCurrentThreadId
GetModuleHandleA
WaitForSingleObjectEx
CreateThread
QueueUserAPC
OpenThread
ReadFile
LoadLibraryA
SleepEx
SetSystemPowerState
GetCurrentProcess
SetThreadExecutionState
HeapFree
HeapAlloc
GetProcessHeap
SystemTimeToFileTime
GetSystemTime
FileTimeToSystemTime
LeaveCriticalSection
SystemTimeToTzSpecificLocalTime
QueryPerformanceCounter
ReleaseSemaphore
WaitForSingleObject
CreateSemaphoreA
CancelIo
FindFirstFileW
FindNextFileW
RemoveDirectoryW
GetFinalPathNameByHandleW
GetDriveTypeA
SetFilePointer
FindFirstVolumeA
FindClose
CreateFileW
GetVolumePathNamesForVolumeNameA
GetFileAttributesExW
ReadDirectoryChangesW
FindNextVolumeA
FindVolumeClose
GetDiskFreeSpaceExA
CreateEventA
GetModuleHandleExA
WaitForMultipleObjectsEx
CreateNamedPipeA
DisconnectNamedPipe
CreateFileA
CancelIoEx
LocalFree
ConnectNamedPipe
SetConsoleMode
GetConsoleMode
GetStartupInfoW
IsDebuggerPresent
TerminateProcess
GetTempPathW
CancelSynchronousIo
SetEvent
ResetEvent
GetThreadId
GetCurrentProcessId
GetEnvironmentStrings
FreeEnvironmentStringsA
CopyFileW
MoveFileW
RtlCaptureContext
SuspendThread
ResumeThread
DuplicateHandle
ExitThread
GetTickCount64
GetCurrentThread
DeleteFileA
GetOverlappedResult
GetThreadContext
WTSGetActiveConsoleSessionId
GetExitCodeProcess
SetEndOfFile
DeleteFileW
SetFilePointerEx
SetConsoleCtrlHandler
FreeConsole
LoadLibraryExW
SetLastError
GetFileType
GetModuleHandleW
FormatMessageW
SwitchToFiber
DeleteFiber
CreateFiber
GetSystemTimeAsFileTime
ConvertFiberToThread
ConvertThreadToFiber
GetEnvironmentVariableW
ReadConsoleA
ReadConsoleW
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
ExitProcess
GetModuleHandleExW
CreateProcessA
HeapValidate
GetSystemInfo
CreateDirectoryW
GetConsoleCP
MoveFileExW
SetEnvironmentVariableW
SetCurrentDirectoryA
GetCurrentDirectoryA
GetTimeZoneInformation
SetStdHandle
GetDriveTypeW
PeekNamedPipe
GetModuleFileNameA
GetCommandLineA
GetCommandLineW
GetACP
RaiseException
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
InitializeSListHead
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetConsoleOutputCP
IsProcessorFeaturePresent
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
HeapReAlloc
HeapSize
HeapQueryInformation
GetStringTypeW
WriteConsoleW
GetCPInfo
GetFullPathNameA
OutputDebugStringA
OutputDebugStringW
FindFirstFileExA
FindFirstFileExW
FindNextFileA
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
EncodePointer
QueryPerformanceFrequency
DecodePointer

user32

EndDialog
SetWindowTextW
GetWindowPlacement
ShowWindow
GetDlgCtrlID
SetWindowPlacement
SetWindowTextA
IsDlgButtonChecked
GetDlgItem
CheckDlgButton
DialogBoxParamW
EnableWindow
MessageBeep
ExitWindowsEx
GetUserObjectInformationA
EnumDisplayMonitors
GetSystemMetrics
SetThreadDesktop
GetThreadDesktop
CloseDesktop
BlockInput
GetMonitorInfoA
OpenInputDesktop
GetKeyState
GetMessageA
GetWindowRect
SendMessageW
LoadCursorA
DestroyWindow
GetDC
PostMessageA
GetIconInfo
CallNextHookEx
GetCursorInfo
SetWindowsHookExA
MapVirtualKeyA
GetForegroundWindow
UnhookWindowsHookEx
DefWindowProcA
CreateWindowExA
TranslateMessage
UnregisterClassA
DrawIconEx
SetWinEventHook
RegisterClassExA
UnhookWinEvent
SetForegroundWindow
ReleaseDC
SendInput
SetProcessDPIAware
GetProcessWindowStation
GetUserObjectInformationW
DispatchMessageA
CreateWindowExW
MessageBoxW
GetMessageExtraInfo

gdi32

DeleteObject
GetDIBits
CreateCompatibleDC
SelectObject
CreateCompatibleBitmap
SetStretchBltMode
DeleteDC
StretchBlt
BitBlt
GetObjectA
CreateSolidBrush
SetBkColor
SetBkMode
SetTextColor
GetStockObject

advapi32

RegOpenKeyExA
RegCloseKey
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
StartServiceCtrlDispatcherA
QueryServiceStatus
CloseServiceHandle
AllocateAndInitializeSid
SetServiceStatus
OpenSCManagerA
RegisterServiceCtrlHandlerExA
FreeSid
CheckTokenMembership
OpenServiceA
SetTokenInformation
CreateProcessAsUserW
DuplicateTokenEx
SetSecurityDescriptorDacl
SetEntriesInAclA
InitializeSecurityDescriptor
CryptDestroyKey
RegQueryValueExA
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
CryptReleaseContext
AdjustTokenPrivileges
LookupPrivilegeValueA
InitiateSystemShutdownA
RegCreateKeyW
RegSetValueExA
RegDeleteKeyA
OpenProcessToken

shell32

ShellExecuteExW

ole32

CoCreateInstance
CreateStreamOnHGlobal
CoInitializeEx
CoUninitialize

oleaut32

SysAllocString
SysFreeString
SysStringLen

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 502KB - Virtual size: 502KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 579KB - Virtual size: 742KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 372B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 136KB - Virtual size: 135KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 95KB - Virtual size: 94KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7aa58492bf5691114c98568704d048cd

Code Sign

25:22:95:89:59Certificate

Extended Key Usages

Key Usages

22:93:39:66:15Certificate

Key Usages

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4Certificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

comctl32

crypt32

ncrypt

dbghelp

iphlpapi

ws2_32

gdiplus

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

Sections

.text Size: 2.3MB - Virtual size: 2.3MB

.rdata Size: 502KB - Virtual size: 502KB

.data Size: 579KB - Virtual size: 742KB

.gfids Size: 512B - Virtual size: 372B

.rsrc Size: 136KB - Virtual size: 135KB

.reloc Size: 95KB - Virtual size: 94KB

25:22:95:89:59
Certificate

22:93:39:66:15
Certificate

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

.text
Size: 2.3MB - Virtual size: 2.3MB

.rdata
Size: 502KB - Virtual size: 502KB

.data
Size: 579KB - Virtual size: 742KB

.gfids
Size: 512B - Virtual size: 372B

.rsrc
Size: 136KB - Virtual size: 135KB

.reloc
Size: 95KB - Virtual size: 94KB