2024-04-05_1c323d0e94ba33e2704f4b158672e474_avaddon_revil

Sharing

Copy URL Twitter E-mail

General

Target

2024-04-05_1c323d0e94ba33e2704f4b158672e474_avaddon_revil
Size

26.8MB
MD5

1c323d0e94ba33e2704f4b158672e474
SHA1

f5dbfbaa41a9c9d3946f6a7fc1a657b0ced37b71
SHA256

2121bff0cb87e0e29e0fbac84ab6f1a5ffe744dffa3aec5fbe5310764a502bc4
SHA512

128d76fddf424994f285dc5e67675efdbc994ccab616d7a086647f4018ea3a1efb6d8e719889d5741487461438e4db8344cf333b494fcb0c7d1804382d99ea83
SSDEEP

393216:KBiZqJCzCmqeAVzf/f/MsMsMsMsZ5Z5Z5Z5GmGmGmGmDjDjDjDjwQwQwQwQ9d9dY:hq5eAVUTlanQxab591Tdt7bCpN

Score

10^/10

Malware Config

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Files

2024-04-05_1c323d0e94ba33e2704f4b158672e474_avaddon_revil
.exe windows:6 windows x86 arch:x86

7af2d9940f51310f5dee0a181c4c7d2c

Code Sign

01:ee:5f:16:9d:ff:97:35:2b:64:65:d6:6a
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

19/09/2018, 00:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

28/07/2020, 00:00

Not After

18/03/2029, 00:00

Subject

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

77:bd:0e:05:b7:59:0b:b6:1d:47:61:53:1e:3f:75:ed
Certificate

Issuer

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Not Before

28/07/2020, 00:00

Not After

28/07/2030, 00:00

Subject

CN=GlobalSign GCC R45 EV CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

47:07:d4:0b:50:82:fe:aa:6e:0a:5e:92
Certificate

Issuer

CN=GlobalSign GCC R45 EV CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Not Before

13/07/2021, 08:55

Not After

10/10/2024, 08:23

Subject

SERIALNUMBER=1125476195459,CN=Atom Security LLC,O=Atom Security LLC,STREET=Prospect Akademika Koptyuga\, 4 office 158,L=Novosibirsk,ST=Novosibirskaya oblast,C=RU,1.3.6.1.4.1.311.60.2.1.2=#13154e6f766f7369626972736b617961206f626c617374,1.3.6.1.4.1.311.60.2.1.3=#13025255,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

01:9b:ea:de:c8:4d:6b:8f:f7:6c:3a:9f:2e:01:24:16
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Not Before

07/11/2023, 17:13

Not After

09/12/2034, 17:13

Subject

CN=Globalsign TSA for CodeSign1 - R6 - 202311,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Not Before

20/06/2018, 00:00

Not After

10/12/2034, 00:00

Subject

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Not Before

10/12/2014, 00:00

Not After

10/12/2034, 00:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

93:9a:58:3b:51:ea:29:59:e9:10:f1:3a:da:05:a1:bc:06:3b:d4:91:43:b1:15:5c:30:07:05:b5:8c:29:a3:37
Signer

Actual PE Digest

93:9a:58:3b:51:ea:29:59:e9:10:f1:3a:da:05:a1:bc:06:3b:d4:91:43:b1:15:5c:30:07:05:b5:8c:29:a3:37

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\BuildAgent\work\.build\agent_x32\relwithdebinfo\vmnetdrv32.pdb

Imports

advapi32

GetLengthSid
OpenServiceW
StartServiceCtrlDispatcherW
RegOpenKeyExW
InitializeAcl
InitializeSecurityDescriptor
AddAce
RegSetValueExW
IsValidSid
GetSecurityDescriptorOwner
InitializeSid
CopySid
GetSecurityDescriptorControl
RegCreateKeyExW
GetSidLengthRequired
GetSidSubAuthority
GetSecurityDescriptorGroup
OpenSCManagerW
CloseServiceHandle
GetAclInformation
RegCloseKey
GetSecurityDescriptorDacl
SetSecurityDescriptorDacl
GetSecurityDescriptorSacl
CryptGenRandom
CryptAcquireContextW
GetTokenInformation
MakeSelfRelativeSD
LookupAccountSidW
OpenThreadToken
GetSecurityDescriptorLength
RegQueryValueExW
CreateProcessAsUserW
OpenProcessToken
ConvertStringSidToSidW
SetTokenInformation
AdjustTokenPrivileges
LookupPrivilegeValueW
GetNamedSecurityInfoW
SetNamedSecurityInfoW
GetAce
RegDeleteValueW
RegEnumKeyExW
DuplicateToken
SetThreadToken
ConvertSidToStringSidW
CreateWellKnownSid
RegNotifyChangeKeyValue
CryptReleaseContext
CryptGetHashParam
CryptDestroyHash
CryptHashData
CryptCreateHash
RegDisablePredefinedCache
IsValidSecurityDescriptor
GetSidIdentifierAuthority
CryptAcquireContextA
RegEnumKeyW
RegGetValueW
RegOpenKeyW
GetSidSubAuthorityCount
SystemFunction036
CryptEnumProvidersW
DuplicateTokenEx
MakeAbsoluteSD
RegEnumValueW
ChangeServiceConfigW
QueryServiceConfigW
StartServiceW
EnumDependentServicesW
ControlService
DeleteService
ChangeServiceConfig2W
SetServiceStatus
QueryServiceStatus
CreateServiceW
RegisterServiceCtrlHandlerExW
RegDeleteKeyW
IsTextUnicode
DeregisterEventSource
RegisterEventSourceW
ReportEventW
CryptDestroyKey
CryptSetHashParam
CryptGetProvParam
CryptGetUserKey
CryptExportKey
CryptDecrypt
CryptSignHashW

gdi32

GetObjectW
GetEnhMetaFileBits
DeleteEnhMetaFile
CopyEnhMetaFileW
SetStretchBltMode
GetDIBits
StretchBlt
DeleteDC
CreateCompatibleDC
SelectObject
CreateCompatibleBitmap
BitBlt
CreateFontW
CreateSolidBrush
SetBkColor
SetTextColor
GetDeviceCaps
SetDIBColorTable
CreateDIBSection
DeleteObject

kernel32

ResetEvent
QueueUserAPC
GetLocalTime
SwitchToThread
GetThreadId
GetFileSize
GlobalMemoryStatusEx
FreeLibrary
CopyFileW
SleepEx
SystemTimeToTzSpecificLocalTime
CreateFileMappingW
CreateIoCompletionPort
MapViewOfFileEx
OpenThread
LoadLibraryExW
IsDebuggerPresent
ConnectNamedPipe
FlushFileBuffers
GetExitCodeProcess
FindFirstFileW
FindNextFileW
FindClose
QueryDosDeviceW
GetVolumeInformationW
GetLogicalDrives
FindFirstVolumeW
lstrlenW
DeviceIoControl
FindVolumeClose
FindNextVolumeW
GetDriveTypeW
CreateDirectoryW
GetTempPathW
GetDiskFreeSpaceW
MoveFileExW
OpenEventW
VerSetConditionMask
VerifyVersionInfoW
OpenProcess
WaitForMultipleObjectsEx
SetWaitableTimer
CreateWaitableTimerW
CancelWaitableTimer
GetProcessTimes
GlobalSize
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
GetFileSizeEx
GetProcessId
Thread32Next
Thread32First
DuplicateHandle
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
GetSystemDirectoryW
GetComputerNameW
SystemTimeToFileTime
TlsAlloc
TlsFree
FormatMessageA
TlsSetValue
InitializeCriticalSectionAndSpinCount
GetModuleHandleA
TlsGetValue
RegisterWaitForSingleObject
UnregisterWaitEx
GetFileAttributesExW
GetVolumePathNamesForVolumeNameW
GetFullPathNameW
GetLocaleInfoW
GetUserDefaultLCID
RemoveDirectoryW
GetVersionExW
GetSystemTime
WaitNamedPipeW
GetStartupInfoW
RemoveDirectoryA
ReplaceFileA
GetFileAttributesExA
MoveFileA
CompareStringA
TerminateProcess
SetLastError
HeapCreate
UnhandledExceptionFilter
LCMapStringW
CompareStringW
GetCPInfo
GetStringTypeW
QueueUserWorkItem
FlushInstructionCache
InterlockedPushEntrySList
InterlockedPopEntrySList
InitializeSListHead
EncodePointer
LoadLibraryExA
VirtualQuery
VirtualProtect
PeekNamedPipe
GetEnvironmentVariableA
CompareFileTime
MoveFileExA
GetSystemDirectoryA
GetTempFileNameA
lstrlenA
CreateDirectoryA
FindFirstFileExA
lstrcmpW
ReleaseSemaphore
SetThreadAffinityMask
IsProcessorFeaturePresent
VirtualAlloc
VirtualFree
LockFileEx
CreateFileMappingA
UnlockFile
HeapCompact
GetVersionExA
CreateFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapValidate
UnlockFileEx
GetFullPathNameA
LockFile
GetSystemInfo
K32GetProcessImageFileNameW
GetConsoleOutputCP
InitializeCriticalSection
OutputDebugStringA
GetTimeZoneInformationForYear
GetDriveTypeA
WriteConsoleW
CreateThread
ExitProcess
GetFileInformationByHandleEx
CreateMutexA
AcquireSRWLockShared
QueryPerformanceFrequency
WakeConditionVariable
SleepConditionVariableSRW
GetOverlappedResult
SetHandleInformation
SetFilePointerEx
SetFileInformationByHandle
GetCommandLineW
GetEnvironmentStringsW
RtlCaptureContext
SetThreadStackGuarantee
ReleaseSRWLockShared
FreeEnvironmentStringsW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
TryAcquireSRWLockExclusive
ReadConsoleW
ReadConsoleA
SetConsoleMode
GetConsoleMode
LoadLibraryW
LoadLibraryA
ConvertThreadToFiber
ConvertFiberToThread
GetFileType
GetEnvironmentVariableW
GetStdHandle
CreateFiber
DeleteFiber
SwitchToFiber
GetComputerNameA
FindNextFileA
FindFirstFileA
GetCurrentDirectoryW
DeleteFileA
FindFirstFileExW
WTSGetActiveConsoleSessionId
GetComputerNameExW
GetTempFileNameW
GetFileAttributesW
GetFileInformationByHandle
MapViewOfFile
SetUnhandledExceptionFilter
QueryPerformanceCounter
K32GetModuleInformation
K32GetModuleBaseNameW
K32GetModuleFileNameExA
RtlCaptureStackBackTrace
GetModuleHandleExW
GetACP
GetSystemDefaultLCID
GetOEMCP
GetDateFormatW
CreateSemaphoreW
GetTimeFormatW
FileTimeToLocalFileTime
K32EnumProcesses
K32GetModuleFileNameExW
TryEnterCriticalSection
ReadFile
GetTickCount
GetSystemTimeAsFileTime
WideCharToMultiByte
GetModuleHandleW
GetProcessHeap
GetCurrentProcessId
DeleteCriticalSection
LocalFree
GetProcAddress
HeapDestroy
DecodePointer
CreateTimerQueue
HeapAlloc
FindResourceW
LoadResource
FindResourceExW
RaiseException
CloseHandle
HeapReAlloc
DeleteFileW
LockResource
TerminateThread
GetLastError
FormatMessageW
Sleep
ProcessIdToSessionId
GetExitCodeThread
MultiByteToWideChar
PostQueuedCompletionStatus
HeapSize
GetCurrentThreadId
LocalAlloc
WaitForSingleObject
InitializeCriticalSectionEx
SetFilePointer
SetErrorMode
LeaveCriticalSection
SetEnvironmentVariableW
ExpandEnvironmentStringsW
WriteFile
GetCurrentProcess
EnterCriticalSection
HeapFree
SizeofResource
HeapSetInformation
GetThreadPriority
WaitForSingleObjectEx
GetCurrentThread
FileTimeToSystemTime
SetEvent
GetTimeZoneInformation
CreateEventW
DisconnectNamedPipe
UnmapViewOfFile
ResumeThread
ReleaseMutex
CreateFileW
CreateMutexW
EnumResourceNamesW
SetEndOfFile
GetQueuedCompletionStatus
SetThreadPriority
WaitForMultipleObjects
CreateNamedPipeW
AreFileApisANSI
GetModuleFileNameW
MulDiv
SignalObjectAndWait
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
UnregisterWait
GetThreadTimes
FreeLibraryAndExitThread
InterlockedFlushSList
QueryDepthSList
RtlUnwind
ExitThread
SetConsoleCtrlHandler
GetCommandLineA
IsValidLocale
EnumSystemLocalesW
IsValidCodePage
SetStdHandle

ole32

CoInitializeEx
CLSIDFromString
WriteClassStg
StringFromGUID2
CoUninitialize
CoCreateInstance
CoFreeUnusedLibraries
CoTaskMemFree
CoSetProxyBlanket
CoInitializeSecurity
StgCreateDocfile
CoInitialize
CoTaskMemAlloc
CreatePointerMoniker
PropVariantClear
CreateBindCtx

oleaut32

VariantInit
SysFreeString
SysAllocString
VariantChangeType
VariantClear

user32

DispatchMessageW
DestroyIcon
DestroyMenu
TranslateMessage
LoadIconW
AppendMenuW
GetClassInfoExW
SetForegroundWindow
GetCursorPos
GetWindowLongW
GetWindow
GetWindowRect
DestroyWindow
SetWindowPos
MonitorFromWindow
SetWindowTextW
LoadStringW
DefWindowProcW
GetMessageW
GetWindowTextW
SystemParametersInfoW
GetForegroundWindow
IsWindowVisible
GetWindowTextLengthW
SetWindowsHookExW
UnhookWindowsHookEx
PostThreadMessageA
CallNextHookEx
GetLastInputInfo
GetMonitorInfoW
SetDlgItemTextW
MapWindowPoints
KillTimer
SetClipboardData
TrackPopupMenu
RegisterClassExW
PostMessageW
EnumChildWindows
SetWindowLongW
GetClientRect
PostQuitMessage
GetParent
RegisterDeviceNotificationW
GetClipboardSequenceNumber
LoadCursorW
GetClipboardData
EmptyClipboard
UnregisterDeviceNotification
CharUpperBuffW
CloseClipboard
SetTimer
OpenClipboard
GetPriorityClipboardFormat
CreateWindowExW
GetProcessWindowStation
GetUserObjectInformationW
MessageBoxW
CreatePopupMenu
CopyImage
GetClipboardOwner
CallWindowProcW
GetWindowThreadProcessId
UnhookWinEvent
SetWinEventHook
PostThreadMessageW
GetSystemMetrics
CharLowerBuffW
GetKeyNameTextW
MapVirtualKeyExW
GetGUIThreadInfo
GetClassNameW
GetKeyboardLayout
PeekMessageW
UnregisterClassW
IsWindow
WindowFromPoint
MsgWaitForMultipleObjects
GetFocus
GetKeyState
ActivateKeyboardLayout
ToUnicodeEx
GetKeyboardLayoutList
GetKeyboardLayoutNameW
IsIconic
SendMessageW
FindWindowExW
ReleaseDC
GetDC
SendInput
mouse_event
LoadKeyboardLayoutW
keybd_event
MapVirtualKeyW
VkKeyScanExW
GetClassLongW
EnumWindows
IsDialogMessageW
ShowWindow
CreateDialogParamW
GetDlgItem
GetDesktopWindow
GetIconInfo
SetThreadDesktop
CloseDesktop
GetCursorInfo
OpenInputDesktop
DrawIconEx
DdeAccessData
DdeUnaccessData
DdeCreateStringHandleW
DdeConnect
DdeGetLastError
DdeInitializeW
DdeUninitialize
DdeClientTransaction
DdeFreeDataHandle
DdeDisconnect
DdeFreeStringHandle
RedrawWindow
GetDlgCtrlID
GetSysColor
SetDlgItemInt
InvalidateRect
ExitWindowsEx
MessageBeep
FlashWindow
SetFocus
SetCapture

winspool.drv

OpenPrinterW
SetPrinterW
GetPrinterW
GetJobW
EnumPrintProcessorDatatypesW
FreePrinterNotifyInfo
SetJobW
FindNextPrinterChangeNotification
FindClosePrinterChangeNotification
EnumPrintersW
EnumJobsW
ClosePrinter
FindFirstPrinterChangeNotification

ws2_32

accept
bind
WSAIoctl
closesocket
WSASend
gethostbyname
select
ntohl
shutdown
listen
WSASetLastError
WSAStringToAddressW
WSASocketW
getpeername
ntohs
connect
WSAAddressToStringW
getservbyname
WSARecv
__WSAFDIsSet
gethostname
WSAWaitForMultipleEvents
WSAResetEvent
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
sendto
getnameinfo
freeaddrinfo
getaddrinfo
inet_addr
socket
recvfrom
recv
send
inet_ntoa
getsockopt
htons
ioctlsocket
WSAGetLastError
htonl
WSACleanup
WSAStartup
getsockname
setsockopt

rpcrt4

UuidCreate
RpcStringFreeW
UuidToStringW

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

dbghelp

ImageNtHeader
MiniDumpWriteDump

wldap32

ord27
ord26
ord22
ord35
ord50
ord45
ord60
ord211
ord41
ord33
ord46
ord79
ord30
ord301
ord32
ord200
ord143
ord217

nspr4

PR_GetError
PR_Cleanup
PR_Init
PR_ErrorToString

nss3

CERT_AsciiToName
CERT_GetCommonName
PK11_FreeSlot
PK11_ImportCert
CERT_DestroyCertificate
CERT_GetDefaultCertDB
PK11_FindCertFromDERCert
CERT_DecodeTrustString
NSS_NoDB_Init
PORT_ZAlloc
PK11_GetInternalKeySlot
CERT_DestroyName
NSS_Initialize
CERT_GetOrgName
CERT_ChangeCertTrust
PORT_Free
NSS_Shutdown

smime3

CERT_DecodeCertFromPackage

shlwapi

PathFindFileNameW
PathRemoveExtensionW
PathIsDirectoryW
UrlEscapeA
StrCmpIW
ord219
SHCreateStreamOnFileEx
PathMatchSpecW
PathStripPathW
PathAppendW
PathFileExistsW
PathAddExtensionW
PathRemoveFileSpecW
PathStripPathA
StrToInt64ExA
PathCombineW
StrStrIW
StrToIntA
PathCanonicalizeW
PathFindExtensionW
SHDeleteKeyW
PathIsRootW
PathStripToRootW
PathIsUNCW

userenv

UnloadUserProfile
CreateEnvironmentBlock
ExpandEnvironmentStringsForUserW
DestroyEnvironmentBlock

gdiplus

GdiplusShutdown
GdipSaveImageToFile
GdipCreateBitmapFromScan0
GdipGetImageEncodersSize
GdipFree
GdipDisposeImage
GdipCreateBitmapFromHBITMAP
GdipAlloc
GdipCloneImage
GdipGetImageHeight
GdipImageRotateFlip
GdipBitmapUnlockBits
GdipGetImagePixelFormat
GdipBitmapLockBits
GdipGetImageWidth
GdiplusStartup
GdipGetImageEncoders

pdh

PdhOpenQueryW
PdhCloseQuery
PdhCollectQueryData
PdhRemoveCounter
PdhGetFormattedCounterValue
PdhGetRawCounterValue
PdhLookupPerfNameByIndexW
PdhAddCounterW

wtsapi32

WTSQuerySessionInformationW
WTSFreeMemory
WTSEnumerateSessionsW
WTSLogoffSession
WTSQueryUserToken

setupapi

SetupDiGetClassDevsW
SetupDiGetDeviceInterfaceDetailW
CM_Get_DevNode_Status
CM_Enable_DevNode
SetupDiEnumDeviceInterfaces
CM_Get_Device_ID_Size_Ex
CM_Get_Device_ID_ExW
CM_Get_Sibling
CM_Get_Child
CM_Disable_DevNode
CMP_WaitNoPendingInstallEvents
CM_Get_Parent_Ex
SetupDiEnumDeviceInfo
SetupDiGetDeviceRegistryPropertyW
CM_Get_DevNode_Registry_Property_ExW
CM_Get_Parent
SetupDiDestroyDeviceInfoList

fltlib

FilterGetMessage
FilterReplyMessage
FilterGetDosName
FilterVolumeFindNext
FilterSendMessage
FilterConnectCommunicationPort
FilterLoad
FilterVolumeFindClose
FilterVolumeFindFirst
FilterUnload

activeds

ord9

oleacc

AccessibleObjectFromWindow
AccessibleChildren

wintrust

WinVerifyTrust

secur32

LsaGetLogonSessionData
LsaFreeReturnBuffer

netapi32

DsRoleFreeMemory
DsRoleGetPrimaryDomainInformation
NetApiBufferFree
NetWkstaGetInfo
DsGetDcNameW

crypt32

CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertDuplicateCertificateContext
CertFreeCertificateContext
CertGetCertificateContextProperty
CertAddEncodedCertificateToStore
CryptBinaryToStringA
CryptStringToBinaryA
CertFindExtension
CertGetEnhancedKeyUsage
CertGetIntendedKeyUsage
CertOpenSystemStoreA
CryptDecodeObjectEx
CertAddCertificateContextToStore
PFXImportCertStore

bcrypt

BCryptGenRandom
BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider

Exports

Exports

AddInLog
GetMAPIModule

Sections

.text
Size: 19.2MB - Virtual size: 19.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5.9MB - Virtual size: 5.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 383KB - Virtual size: 1.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7af2d9940f51310f5dee0a181c4c7d2c

Code Sign

01:ee:5f:16:9d:ff:97:35:2b:64:65:d6:6aCertificate

Key Usages

78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54Certificate

Extended Key Usages

Key Usages

77:bd:0e:05:b7:59:0b:b6:1d:47:61:53:1e:3f:75:edCertificate

Extended Key Usages

Key Usages

47:07:d4:0b:50:82:fe:aa:6e:0a:5e:92Certificate

Extended Key Usages

Key Usages

01:9b:ea:de:c8:4d:6b:8f:f7:6c:3a:9f:2e:01:24:16Certificate

Extended Key Usages

Key Usages

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74Certificate

Key Usages

45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51Certificate

Key Usages

93:9a:58:3b:51:ea:29:59:e9:10:f1:3a:da:05:a1:bc:06:3b:d4:91:43:b1:15:5c:30:07:05:b5:8c:29:a3:37Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

gdi32

kernel32

ole32

oleaut32

user32

winspool.drv

ws2_32

rpcrt4

version

dbghelp

wldap32

nspr4

nss3

smime3

shlwapi

userenv

gdiplus

pdh

wtsapi32

setupapi

fltlib

activeds

oleacc

wintrust

secur32

netapi32

crypt32

bcrypt

Exports

Exports

Sections

.text Size: 19.2MB - Virtual size: 19.2MB

.rdata Size: 5.9MB - Virtual size: 5.9MB

.data Size: 383KB - Virtual size: 1.8MB

.rsrc Size: 25KB - Virtual size: 25KB

.reloc Size: 1.2MB - Virtual size: 1.2MB

01:ee:5f:16:9d:ff:97:35:2b:64:65:d6:6a
Certificate

78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54
Certificate

77:bd:0e:05:b7:59:0b:b6:1d:47:61:53:1e:3f:75:ed
Certificate

47:07:d4:0b:50:82:fe:aa:6e:0a:5e:92
Certificate

01:9b:ea:de:c8:4d:6b:8f:f7:6c:3a:9f:2e:01:24:16
Certificate

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51
Certificate

93:9a:58:3b:51:ea:29:59:e9:10:f1:3a:da:05:a1:bc:06:3b:d4:91:43:b1:15:5c:30:07:05:b5:8c:29:a3:37
Signer

.text
Size: 19.2MB - Virtual size: 19.2MB

.rdata
Size: 5.9MB - Virtual size: 5.9MB

.data
Size: 383KB - Virtual size: 1.8MB

.rsrc
Size: 25KB - Virtual size: 25KB

.reloc
Size: 1.2MB - Virtual size: 1.2MB