2024-04-05_bbc6dfbb6119a38e370c28ff1c536546_mafia_revil

Sharing

Copy URL Twitter E-mail

General

Target

2024-04-05_bbc6dfbb6119a38e370c28ff1c536546_mafia_revil
Size

7.1MB
MD5

bbc6dfbb6119a38e370c28ff1c536546
SHA1

ec6842dd13d36492de170284dd98fdac817bbc64
SHA256

b7a6fd001e6461d1dbb46e03c1d42cb901e4549045e0806d420940e436bbfe52
SHA512

a7784ebb31bed76cdb239c9a0a5c261d35878e1191052a943cbe0c8b1be882e3f12fe0a2519d9309b8803e4a885701a2d05c91dc6144ac841e547ec2f3e2d0b5
SSDEEP

196608:NiRXFWE1Q71O766EqK5XvSdNkk0E+s9+YL3:3N6EqK5fSdNkk0Ex9pL3

Score

1^/10

Malware Config

Signatures

Files

2024-04-05_bbc6dfbb6119a38e370c28ff1c536546_mafia_revil
.exe windows:5 windows x86 arch:x86

e83be710889145e98968b01269f005e8

Code Sign

01:ee:5f:16:9d:ff:97:35:2b:64:65:d6:6a
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

19/09/2018, 00:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

28/07/2020, 00:00

Not After

18/03/2029, 00:00

Subject

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

77:bd:0e:03:a1:b7:08:f8:54:ab:06:72:10:d9:04:47
Certificate

Issuer

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Not Before

28/07/2020, 00:00

Not After

28/07/2030, 00:00

Subject

CN=GlobalSign GCC R45 CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

44:85:59:e8:d5:9f:e0:56:29:9e:6e:8f
Certificate

Issuer

CN=GlobalSign GCC R45 CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Not Before

11/12/2023, 17:00

Not After

09/10/2026, 07:40

Subject

CN=ZOHO Corporation Private Limited,O=ZOHO Corporation Private Limited,L=Chennai,ST=Tamil Nadu,C=IN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

24:79:b2:a6:22:c9:b6:a8:e7:17:6e:df:32:5e:ce:56:9c:2b:bc:78:e3:5a:72:12:36:02:65:26:f4:31:09:24
Signer

Actual PE Digest

24:79:b2:a6:22:c9:b6:a8:e7:17:6e:df:32:5e:ce:56:9c:2b:bc:78:e3:5a:72:12:36:02:65:26:f4:31:09:24

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

d:\Webhost\18-03-2024\WindowsBuilds\DC_NATIVE\7998399\desktopcentral\ONPREMISE\SA_SRC\native\agent\Release\dcconfig.pdb

Imports

advapi32

RegDeleteValueA
RegEnumValueA
RegEnumKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegOpenKeyA
CloseServiceHandle
OpenServiceA
OpenSCManagerA
RevertToSelf
ImpersonateLoggedOnUser
ChangeServiceConfig2A
CreateServiceA
QueryServiceStatus
DeleteService
IsValidSid
FreeSid
LookupAccountNameW
LookupAccountNameA
GetUserNameA
CreateProcessAsUserA
GetTokenInformation
QueryServiceStatusEx
LookupAccountSidA
ConvertSidToStringSidA
RegSetValueExW
RegOpenKeyExW
RegDeleteKeyA
ControlService
OpenServiceW
OpenSCManagerW
CreateProcessAsUserW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
EnumDependentServicesA
ChangeServiceConfigA
StartServiceA
QueryServiceConfigA
SetNamedSecurityInfoW
SetSecurityInfo
SetEntriesInAclW
GetNamedSecurityInfoW
GetSecurityInfo
SetEntriesInAclA
AllocateAndInitializeSid
RegEnumKeyW
CopySid
GetLengthSid
AddAce
GetAce
GetAclInformation
AddAccessAllowedAceEx
InitializeAcl
GetSecurityDescriptorDacl
RegGetKeySecurity
RegOpenCurrentUser
LogonUserA
RegDeleteKeyW
RegQueryValueExW
LogonUserW
OpenProcessToken
ConvertSidToStringSidW
RegLoadKeyA
RegSetValueExA
RegCloseKey
RegCreateKeyExA
RegEnumKeyExW
RegOpenKeyExA
CryptSetHashParam
CryptExportKey
RegDeleteValueW
RegEnumValueW
CryptDestroyKey
CryptReleaseContext
CryptGenKey
CryptGetUserKey
CryptAcquireContextA
CryptDestroyHash
RegisterEventSourceW
CryptHashData
CryptCreateHash
RegEnumKeyA
RegCreateKeyExW
AbortSystemShutdownA
AdjustTokenPrivileges
LookupPrivilegeValueA
GetSidSubAuthority
ReportEventW
CryptAcquireContextW
CryptSignHashW
CryptEnumProvidersW
CryptGetProvParam
CryptDecrypt
CryptGenRandom
RegisterEventSourceA
ReportEventA
DeregisterEventSource
ChangeServiceConfigW
QueryServiceConfigW
StartServiceW
RegQueryInfoKeyW
GetSidSubAuthorityCount
GetSidIdentifierAuthority
InitiateSystemShutdownW
CryptGetHashParam
LookupAccountSidW
LookupPrivilegeNameA
RegUnLoadKeyW

netapi32

NetApiBufferFree
NetServerGetInfo
DsGetDcNameA
NetWkstaUserGetInfo
NetGetJoinInformation
NetRemoteTOD

ole32

CoInitialize
StringFromGUID2
CoInitializeEx
CoUninitialize
CoSetProxyBlanket
CoInitializeSecurity
CoCreateInstance
CoCreateGuid
OleRun

oleaut32

SysAllocString
SysFreeString
VariantClear
VariantInit
SysStringLen
SysAllocStringByteLen
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayAccessData
VariantChangeType
SysStringByteLen

wsock32

closesocket
inet_addr
gethostbyname
WSAStartup
socket
htons
ioctlsocket
connect
WSAGetLastError
WSACleanup

psapi

GetModuleBaseNameA
GetModuleInformation
EnumProcessModules
GetModuleFileNameExA
GetProcessMemoryInfo

iphlpapi

GetAdaptersInfo
NotifyAddrChange
SendARP

winhttp

WinHttpWriteData
WinHttpSetStatusCallback
WinHttpQueryOption
WinHttpSetOption
WinHttpSetCredentials
WinHttpOpen
WinHttpCloseHandle
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpAddRequestHeaders
WinHttpOpenRequest
WinHttpConnect
WinHttpSetTimeouts

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock
GetUserProfileDirectoryA
UnloadUserProfile
LoadUserProfileA
DeleteProfileW
GetProfilesDirectoryA
ExpandEnvironmentStringsForUserW

wtsapi32

WTSQuerySessionInformationW
WTSQueryUserToken
WTSQuerySessionInformationA
WTSEnumerateSessionsA
WTSFreeMemory
WTSEnumerateSessionsW

crypt32

CertGetNameStringA
CryptMsgGetParam
CryptQueryObject
CryptStringToBinaryA
CertCreateCertificateContext
CertCloseStore
CertGetCertificateContextProperty
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CertOpenStore
PFXImportCertStore
PFXVerifyPassword
CertDeleteCertificateFromStore
CertVerifyTimeValidity
CertNameToStrA
CertFindCertificateInStore
CertFreeCertificateContext
CertDuplicateCertificateContext
CertNameToStrW

dcagenthttp

AgentSendRequestEx

winspool.drv

DeletePrinterConnectionW
EnumPrintersA
AddPrinterConnectionA
ord202
AddPrinterW
DeletePrinter
OpenPrinterA
GetPrinterA
GetPrinterDriverA
OpenPrinterW
ClosePrinter

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

mpr

WNetCancelConnection2A
WNetCancelConnection2W
WNetAddConnection2W

powrprof

EnumPwrSchemes
WriteGlobalPwrPolicy
CanUserWritePwrScheme
ReadGlobalPwrPolicy
GetActivePwrScheme

activeds

ord13
ord9
ord14
ord3

msi

ord243
ord237
ord178
ord141
ord175
ord169
ord246
ord244
ord238
ord78
ord88
ord245
ord150

dclibxml2

xmlTextReaderDepth
xmlTextReaderName
xmlStrcmp
xmlNewTextReaderFilename
xmlTextReaderValue
xmlNodeListGetString
xmlTextReaderAttributeCount
xmlTextReaderGetAttribute
xmlCleanupParser
xmlFreeTextReader
xmlParseMemory
xmlParseFile
xmlDocGetRootElement
xmlFree
xmlTextReaderRead
xmlFreeDoc

setupapi

SetupOpenInfFileA
SetupFindFirstLineA
SetupGetStringFieldA
SetupCloseInfFile
SetupGetLineTextA

cryptnet

CryptGetObjectUrl

ws2_32

send
WSASetLastError
recv
getnameinfo

kernel32

HeapSize
RtlUnwind
DuplicateHandle
GetCPInfo
HeapReAlloc
GetTimeFormatA
GetDateFormatA
GetDriveTypeA
HeapDestroy
FindFirstFileExA
GetCommandLineA
HeapSetInformation
GetFileInformationByHandle
PeekNamedPipe
ExitThread
ExitProcess
SetConsoleCtrlHandler
LCMapStringW
DecodePointer
UnhandledExceptionFilter
IsDebuggerPresent
IsProcessorFeaturePresent
HeapCreate
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
SetHandleCount
GetStartupInfoW
GetConsoleCP
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
WriteConsoleW
SetEnvironmentVariableA
GetDriveTypeW
SetEndOfFile
SetEnvironmentVariableW
VirtualQuery
GetStringTypeW
InterlockedExchange
LocalLock
CompareStringW
SetConsoleMode
GetConsoleMode
ReadConsoleW
ReadConsoleA
ConvertFiberToThread
DeleteFiber
TlsFree
TlsAlloc
InterlockedExchangeAdd
TlsSetValue
InterlockedCompareExchange
TlsGetValue
DeviceIoControl
GetFileAttributesExW
GetModuleHandleExW
GetFileType
GetCurrentThread
LoadLibraryExA
SetErrorMode
UnmapViewOfFile
OpenFileMappingW
MapViewOfFile
GetLogicalDrives
CompareFileTime
MoveFileExW
lstrcmpW
GetFullPathNameA
QueryPerformanceCounter
SetLastError
ExpandEnvironmentStringsA
GetEnvironmentVariableW
QueryDosDeviceA
GetProcessTimes
GetLocaleInfoA
SetDllDirectoryA
GetDiskFreeSpaceExA
GetSystemWindowsDirectoryW
GetWindowsDirectoryW
GetLocaleInfoW
SetFilePointer
GetDiskFreeSpaceExW
GetComputerNameExW
GetCurrentDirectoryW
SetCurrentDirectoryW
GlobalFree
HeapValidate
CreateNamedPipeW
GetFirmwareEnvironmentVariableA
GlobalAlloc
LocalUnlock
SetSystemTime
ResetEvent
CreateEventA
GetFileSizeEx
GetTempPathA
SetFileAttributesA
CreateDirectoryW
RemoveDirectoryW
FindFirstFileW
FindNextFileW
MoveFileW
SetFileAttributesW
GetFileAttributesW
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
GetProcAddress
GetModuleHandleA
WideCharToMultiByte
MultiByteToWideChar
GetLastError
CreateTimerQueue
DeleteTimerQueue
FreeLibrary
CreateTimerQueueTimer
GetModuleFileNameW
GetModuleHandleW
lstrlenW
LoadLibraryW
GetSystemTime
InitializeCriticalSection
FormatMessageW
GetLocalTime
LeaveCriticalSection
EnterCriticalSection
InterlockedDecrement
Thread32Next
GetCurrentProcessId
OpenThread
GetCurrentThreadId
CloseHandle
Thread32First
CreateToolhelp32Snapshot
GetTickCount
GetThreadTimes
GetSystemTimes
Process32Next
Process32First
ResumeThread
SuspendThread
Sleep
DeleteFileA
MoveFileA
FindClose
FindNextFileA
FindFirstFileA
GetSystemDirectoryA
MoveFileExA
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LoadLibraryA
GetExitCodeProcess
WaitForSingleObject
CreateProcessW
TerminateProcess
OpenProcess
GetSystemTimeAsFileTime
DisconnectNamedPipe
FlushFileBuffers
ReadFile
ConnectNamedPipe
CreateNamedPipeA
WriteFile
CreateFileA
CreateFileW
InterlockedIncrement
FileTimeToLocalFileTime
RemoveDirectoryA
CopyFileA
GetFileAttributesA
CopyFileW
CreateDirectoryA
GetWindowsDirectoryA
DeleteFileW
CreateThread
LocalFree
GetSystemInfo
ProcessIdToSessionId
GetCurrentProcess
SystemTimeToFileTime
LocalAlloc
lstrlenA
FormatMessageA
GetFileSize
HeapFree
SetStdHandle
GetStdHandle
CreatePipe
HeapAlloc
GetProcessHeap
GetSystemWindowsDirectoryA
SetCurrentDirectoryA
GetCurrentDirectoryA
GetModuleFileNameA
CreateProcessA
SystemTimeToTzSpecificLocalTime
Process32NextW
Process32FirstW
CreateEventW
SetEvent
FileTimeToSystemTime
GetFileTime
TerminateThread
GetEnvironmentVariableA
SetProcessShutdownParameters
CreateMutexW
SetUnhandledExceptionFilter
GetFileAttributesExA
GetVersion
GetTimeZoneInformation
ReleaseMutex
CreateMutexA
GetNativeSystemInfo
lstrcmpiA
GetVersionExA
AreFileApisANSI

user32

MessageBoxA
wsprintfW
GetProcessWindowStation
MessageBoxW
GetUserObjectInformationW
GetSystemMetrics
GetLastInputInfo
CharLowerW
wsprintfA
PostMessageA
GetDesktopWindow

gdi32

RemoveFontResourceA
AddFontResourceA
AddFontResourceW

shell32

SHFileOperationA
SHGetPathFromIDListA
SHGetFolderPathA
SHGetMalloc
SHCreateDirectoryExW
SHCreateDirectoryExA
SHGetSpecialFolderLocation

odbc32

ord18
ord8
ord43
ord39
ord29
ord36
ord4
ord13
ord9
ord41
ord31
ord1
ord2
ord20
ord16
ord12
ord19
ord3
ord49
ord48
ord72
ord11
ord26

shlwapi

SHDeleteKeyA
PathFindFileNameA
StrStrIA
PathFindExtensionA
StrStrIW
PathFileExistsW
StrStrA
PathFileExistsA
PathIsDirectoryEmptyA
PathIsDirectoryA
ord487
PathRemoveExtensionA
PathRenameExtensionA
StrStrW
PathIsNetworkPathW
PathIsDirectoryW
SHDeleteKeyW
StrTrimA
SHCopyKeyW

gdiplus

GdipSaveImageToFile
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCloneImage
GdiplusShutdown
GdiplusStartup
GdipDisposeImage
GdipFree
GdipAlloc
GdipLoadImageFromFile

rpcrt4

UuidToStringA

ntdsapi

DsCrackNamesW
DsFreeNameResultW

Exports

Exports

CreateSoftwareCataloglist
DeleteModule
LoadDatadictionaryAndLogging
ProcessSoftwareCatalogInstall
RaiseSoftwareRequest
UnLoadDatadictionaryAndLogging

Sections

.text
Size: 4.9MB - Virtual size: 4.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.7MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 76KB - Virtual size: 113KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 397KB - Virtual size: 397KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e83be710889145e98968b01269f005e8

Code Sign

01:ee:5f:16:9d:ff:97:35:2b:64:65:d6:6aCertificate

Key Usages

78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54Certificate

Extended Key Usages

Key Usages

77:bd:0e:03:a1:b7:08:f8:54:ab:06:72:10:d9:04:47Certificate

Extended Key Usages

Key Usages

44:85:59:e8:d5:9f:e0:56:29:9e:6e:8fCertificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

24:79:b2:a6:22:c9:b6:a8:e7:17:6e:df:32:5e:ce:56:9c:2b:bc:78:e3:5a:72:12:36:02:65:26:f4:31:09:24Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

netapi32

ole32

oleaut32

wsock32

psapi

iphlpapi

winhttp

userenv

wtsapi32

crypt32

dcagenthttp

winspool.drv

version

mpr

powrprof

activeds

msi

dclibxml2

setupapi

cryptnet

ws2_32

kernel32

user32

gdi32

shell32

odbc32

shlwapi

gdiplus

rpcrt4

ntdsapi

Exports

Exports

Sections

.text Size: 4.9MB - Virtual size: 4.9MB

.rdata Size: 1.7MB - Virtual size: 1.7MB

.data Size: 76KB - Virtual size: 113KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 397KB - Virtual size: 397KB

01:ee:5f:16:9d:ff:97:35:2b:64:65:d6:6a
Certificate

78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54
Certificate

77:bd:0e:03:a1:b7:08:f8:54:ab:06:72:10:d9:04:47
Certificate

44:85:59:e8:d5:9f:e0:56:29:9e:6e:8f
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

24:79:b2:a6:22:c9:b6:a8:e7:17:6e:df:32:5e:ce:56:9c:2b:bc:78:e3:5a:72:12:36:02:65:26:f4:31:09:24
Signer

.text
Size: 4.9MB - Virtual size: 4.9MB

.rdata
Size: 1.7MB - Virtual size: 1.7MB

.data
Size: 76KB - Virtual size: 113KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 397KB - Virtual size: 397KB