General
-
Target
KeyRiggedNation.exe
-
Size
56.6MB
-
MD5
e83a9a569472b328826003b10b6b30b3
-
SHA1
3bb4077d91c43f20ea884dee3bee8820f78cbd43
-
SHA256
b825ba7a27339f12a147df50e010f6a3e16ccb059ce55e86b4ded24a7cb48fa6
-
SHA512
c5ed198ca8bc2a6b534c68fdcb2b8001225436ff0a11269ed29b76a84cd6ba3dfcd55d35d692543115715207b403155c36ab35d76ba5f5bce1c97b3a62e21963
-
SSDEEP
786432:GX7f9slTEI5P6LZtG6gtkOZmTv6lPThn4/n5bIZWBIX:GXbAiH2zGvqThn4/6o
Malware Config
Signatures
-
resource yara_rule sample themida -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource KeyRiggedNation.exe
Files
-
KeyRiggedNation.exe.exe windows:6 windows x64 arch:x64
a1bdaa149aa4d1f75570bbe1cafa4417
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
advapi32
OpenProcessToken
GetLengthSid
GetTokenInformation
InitializeAcl
IsValidSid
SetSecurityInfo
CopySid
ConvertSidToStringSidA
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptGenRandom
AddAccessAllowedAce
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptEncrypt
crypt32
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension
CertGetNameStringA
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CertOpenStore
kernel32
HeapReAlloc
HeapFree
HeapSize
GetProcessHeap
InitializeCriticalSectionEx
DeleteCriticalSection
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetModuleFileNameA
QueryFullProcessImageNameW
FormatMessageA
LocalFree
EnterCriticalSection
LeaveCriticalSection
SleepEx
VerSetConditionMask
QueryPerformanceFrequency
GetSystemDirectoryA
FreeLibrary
VerifyVersionInfoA
QueryPerformanceCounter
MoveFileExA
WaitForSingleObjectEx
MultiByteToWideChar
GetEnvironmentVariableA
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
GetFileSizeEx
GetCurrentProcessId
GetLocaleInfoEx
TerminateProcess
CreateDirectoryW
FindClose
FindFirstFileW
HeapAlloc
HeapDestroy
GetThreadContext
CreateThread
GetCurrentThread
GetCurrentThreadId
OpenThread
GetFileAttributesExW
AreFileApisANSI
MoveFileExW
GetFileInformationByHandleEx
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
Process32Next
Process32First
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
SetConsoleTitleA
SetConsoleTextAttribute
LoadLibraryA
GetProcAddress
CreateFileW
GetModuleHandleW
GetModuleHandleA
OpenFileMappingW
ReadProcessMemory
VirtualProtect
GetTickCount
OpenProcess
GetCurrentProcess
Sleep
SetLastError
GetLastError
CloseHandle
Beep
OutputDebugStringA
DebugBreak
IsDebuggerPresent
SetFileAttributesA
CreateFileA
WideCharToMultiByte
GetStdHandle
OutputDebugStringW
InitializeSListHead
GetSystemTimeAsFileTime
msvcp140
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
??4?$_Iosb@H@std@@QEAAAEAV01@$$QEAV01@@Z
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Xbad_function_call@std@@YAXXZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV?$basic_ios@DU?$char_traits@D@std@@@1@AEAV21@@Z@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$ctype@D@std@@2V0locale@2@A
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?uncaught_exceptions@std@@YAHXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
_Xtime_get_ticks
_Query_perf_counter
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
_Query_perf_frequency
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?width@ios_base@std@@QEAA_J_J@Z
?width@ios_base@std@@QEBA_JXZ
?flags@ios_base@std@@QEBAHXZ
?good@ios_base@std@@QEBA_NXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??Bid@locale@std@@QEAA_KXZ
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Throw_Cpp_error@std@@YAXH@Z
_Cnd_do_broadcast_at_thread_exit
_Thrd_sleep
normaliz
IdnToAscii
psapi
GetModuleInformation
rpcrt4
RpcStringFreeA
UuidToStringA
UuidCreate
shell32
ShellExecuteA
user32
MessageBoxA
FindWindowA
FindWindowW
GetAsyncKeyState
userenv
UnloadUserProfile
vcruntime140
__current_exception_context
memcmp
memcpy
_CxxThrowException
__std_exception_destroy
__std_exception_copy
__std_terminate
_local_unwind
strstr
memcpy
memchr
strchr
memset
strrchr
__current_exception
__C_specific_handler
vcruntime140_1
__CxxFrameHandler4
wldap32
ldap_memfreeA
ber_free
ldap_get_dnA
ldap_value_freeW
ldap_next_attributeA
ldap_sslinitA
ldap_first_attributeA
ldap_get_values_lenA
ldap_next_entry
ldap_unbind_s
ldap_set_optionA
ldap_simple_bind_sA
ldap_bind_sA
ldap_first_entry
ldap_search_sA
ldap_msgfree
ldap_err2stringA
ldap_initA
ws2_32
WSASetLastError
WSAIoctl
WSAStartup
setsockopt
accept
htonl
listen
ioctlsocket
__WSAFDIsSet
select
getaddrinfo
FreeAddrInfoW
recvfrom
sendto
gethostname
htonl
htons
htons
getsockopt
getsockname
getpeername
connect
bind
send
recv
closesocket
socket
WSACleanup
WSAGetLastError
ucrtbase
atoi
strtod
strtol
strtoul
_strtoui64
_strtoi64
_fstat64
_unlink
_access
_stat64
_lock_file
_unlock_file
remove
_set_new_mode
realloc
free
_callnewh
malloc
calloc
___lc_codepage_func
_configthreadlocale
localeconv
__setusermatherr
_dclass
_invalid_parameter_noinfo_noreturn
terminate
exit
system
_getpid
strerror
_errno
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
__sys_nerr
_invalid_parameter_noinfo
_resetstkoflw
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
__p___argc
_cexit
_Exit
_initterm_e
_initterm
_get_initial_narrow_environment
_beginthreadex
_set_app_type
_seh_filter_exe
setvbuf
_write
_close
_open
_read
__p__commode
__stdio_common_vfprintf
__acrt_iob_func
_get_stream_buffer_pointers
fclose
fgets
_pclose
fflush
_lseeki64
_popen
__stdio_common_vsprintf
fgetc
fgetpos
ftell
fseek
feof
fputc
fread
__stdio_common_vsscanf
fputs
fopen
fsetpos
_fseeki64
ungetc
_set_fmode
fwrite
strncpy
_wcsicmp
strncmp
tolower
strpbrk
_mbsdup
strcmp
strcspn
strspn
isupper
_time64
_gmtime64
qsort
Sections
.text Size: 470KB - Virtual size: 472KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 105KB - Virtual size: 116KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.data Size: 2KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 19KB - Virtual size: 20KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Size: 165KB - Virtual size: 168KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Size: 2KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.imports Size: 2KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.tls Size: 512B - Virtual size: 4KB
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 165KB - Virtual size: 168KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.themida Size: 34.8MB - Virtual size: 34.8MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.boot Size: 20.9MB - Virtual size: 20.9MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 4KB
IMAGE_SCN_MEM_READ
.SCY Size: 13KB - Virtual size: 16KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE