SetupHost[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

SetupHost.exe
Size

664KB
MD5

ed6da1611d817426e4b7de89fe458f76
SHA1

0c6f5672e2682e4d4a62f1275f39009ce0fa2801
SHA256

0cbab77ca7138dfe69e8a743156ff707c6d286acb2bce2dc544edf9d257bebfe
SHA512

c007aab0199efb04bba9f16ea82f2ba5a4c483f32099ba07329800ee496705886f3da2f61530f0de7b61a6bc555b743b42b62ea9c7093a481fd803f213e4e5a3
SSDEEP

12288:JXO1HWjplx567JwV5y3pxO7hCoGtGChM3gVVMR7yxph1hyGLov5IE/SHrS+TWj+d:JXO1YplPwwVF0oGtGChRiR7yHa+vJYwJ

Score

1^/10

Malware Config

Signatures

Files

SetupHost.exe
.exe windows:10 windows x86 arch:x86

830588fe7f62cea178dee53ecc55efc1

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1b:8d:a8:e9:6b:58:f2:69:ec:44:68:3f:25:4c:b5:ab:7c:06:73:81:40:23:86:77:f1:ed:4d:cc:ac:7e:16:98
Signer

Actual PE Digest

1b:8d:a8:e9:6b:58:f2:69:ec:44:68:3f:25:4c:b5:ab:7c:06:73:81:40:23:86:77:f1:ed:4d:cc:ac:7e:16:98

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP

PDB Paths

SetupHost.pdb

Imports

msvcrt

_lock
?terminate@@YAXXZ
_wcmdln
_initterm
__setusermatherr
__p__fmode
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
__p__commode
_XcptFilter
__dllonexit
_open_osfhandle
memmove_s
strrchr
wcsrchr
_wtol
_wcsnicmp
strchr
setvbuf
strtol
wcschr
_vsnprintf_s
_errno
_set_errno
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@XZ
??1exception@@UAE@XZ
_purecall
wcstoul
wcscpy_s
_wtof
_wtoi
_fdopen
strncpy_s
_wcsicmp
memcpy_s
_vsnwprintf
wprintf
_onexit
??1type_info@@UAE@XZ
_controlfp
__CxxFrameHandler3
_except_handler4_common
memcmp
__iob_func
wcsncmp
_vscwprintf
towupper
iswspace
swscanf_s
qsort
memcpy
memset
_CxxThrowException
_unlock
sprintf_s
memmove

rpcrt4

UuidToStringW
RpcStringFreeW
UuidCreate
UuidFromStringW
I_RpcMapWin32Status

wdscore

ConstructPartialMsgVW
WdsTerminate
WdsSetupLogMessageW
WdsInitialize
CurrentIP

ntdll

NtQueryInformationFile
NtCreateFile
RtlRaiseStatus
NtYieldExecution
DbgPrintEx
NtQueryInformationProcess
RtlInitializeResource
RtlAcquireResourceShared
RtlReleaseResource
RtlDeleteResource
RtlReAllocateHeap
RtlAcquireResourceExclusive
RtlFreeHeap
RtlNtStatusToDosError
NtSetInformationFile
VerSetConditionMask
RtlGetVersion
RtlAdjustPrivilege
NtPowerInformation
RtlDosPathNameToNtPathName_U
RtlAllocateHeap
NtClose

winhttp

WinHttpSetOption
WinHttpQueryDataAvailable
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSetCredentials
WinHttpSendRequest
WinHttpReadData
WinHttpQueryHeaders
WinHttpGetDefaultProxyConfiguration
WinHttpGetProxyForUrl
WinHttpQueryAuthSchemes
WinHttpGetIEProxyConfigForCurrentUser
WinHttpReceiveResponse
WinHttpCloseHandle

oleaut32

SysFreeString
SysAllocString

fltlib

FilterSendMessage

cabinet

ord22
ord20
ord23

advapi32

RegQueryInfoKeyW
EventWriteTransfer
RegCloseKey
EventRegister
AllocateAndInitializeSid
RevertToSelf
CredFree
SetSecurityDescriptorDacl
RegCreateKeyExW
CopySid
ImpersonateLoggedOnUser
RegDeleteTreeW
RegSetValueExW
OpenProcessToken
FreeSid
InitializeSecurityDescriptor
InitializeAcl
RegOpenKeyExW
RegGetValueW
EventUnregister
GetLengthSid
InitiateSystemShutdownExW
AddAccessAllowedAce
OpenThreadToken
RegEnumValueW
RegQueryValueExW
GetTokenInformation
RegDeleteValueW
AdjustTokenPrivileges
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
CredReadW

kernel32

ResetEvent
WriteFile
SetFilePointer
GetCurrentDirectoryW
GetVolumePathNameW
GetFinalPathNameByHandleW
GetLongPathNameW
GetSystemInfo
CopyFileExW
DeleteFileW
SetFileInformationByHandle
GetFileInformationByHandle
SetFileAttributesW
DeviceIoControl
GetFileInformationByHandleEx
ReadFile
GetNativeSystemInfo
LCIDToLocaleName
GetEnvironmentVariableW
GetFileSizeEx
GetPrivateProfileStringW
FlushFileBuffers
GetPrivateProfileSectionW
OpenProcess
CreateDirectoryW
GetModuleFileNameA
PowerSetRequest
SetConsoleCtrlHandler
GetVersionExW
FindNextFileW
InitOnceBeginInitialize
FindFirstFileW
FindClose
GetOverlappedResult
CompareStringW
InitializeCriticalSection
CreateSemaphoreExW
HeapFree
SetLastError
EnterCriticalSection
GetCommandLineW
LocalAlloc
GetVolumeInformationW
GetFullPathNameW
GetCurrentProcess
SetFilePointerEx
GetStdHandle
ReleaseSemaphore
GetTickCount
GetModuleHandleExW
ExpandEnvironmentStringsW
SetEndOfFile
GetSystemDefaultUILanguage
LockFileEx
TerminateProcess
QueryPerformanceCounter
GetModuleFileNameW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
UnlockFileEx
SetEnvironmentVariableW
GetHandleInformation
GetUserDefaultUILanguage
SleepConditionVariableSRW
GetProductInfo
WaitForMultipleObjects
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
WakeAllConditionVariable
GetStartupInfoW
CreateFileMappingW
Sleep
CreateMutexW
InitializeCriticalSectionEx
GetExitCodeProcess
MapViewOfFile
WaitForThreadpoolTimerCallbacks
WaitForSingleObject
IsDebuggerPresent
CreateFileW
GetFileAttributesW
LoadLibraryExW
GetCurrentThreadId
OpenEventW
UnmapViewOfFile
ReleaseMutex
DuplicateHandle
DosDateTimeToFileTime
GetVolumeNameForVolumeMountPointW
GetDriveTypeW
GetLogicalDriveStringsW
CreateEventW
MultiByteToWideChar
ProcessIdToSessionId
FormatMessageW
GetTimeZoneInformation
PowerCreateRequest
IsWow64Process
GetLastError
AttachConsole
AllocConsole
LocalFileTimeToFileTime
ReleaseSRWLockExclusive
OutputDebugStringW
SetFileTime
SetEvent
CloseThreadpoolTimer
GetCurrentThread
InitOnceComplete
AcquireSRWLockExclusive
WaitForSingleObjectEx
OpenSemaphoreW
GlobalFree
HeapReAlloc
CloseHandle
SetProcessPreferredUILanguages
SetThreadpoolTimer
ReleaseSRWLockShared
FreeConsole
GetSystemWindowsDirectoryW
PowerClearRequest
DebugBreak
CreateThreadpoolTimer
LoadLibraryW
CreateThread
HeapAlloc
GetSystemTime
GetProcessPreferredUILanguages
SetCurrentDirectoryW
GetProcAddress
GetSystemTimeAsFileTime
CreateMutexExW
SystemTimeToTzSpecificLocalTime
VerifyVersionInfoW
GetVolumePathNamesForVolumeNameW
AcquireSRWLockShared
WTSGetActiveConsoleSessionId
DeleteCriticalSection
ExitProcess
WideCharToMultiByte
GetCurrentProcessId
GetProcessHeap
CreateProcessW
GetModuleHandleW
FreeLibrary
CopyFileW
LocalFree

user32

TranslateMessage
ChangeWindowMessageFilterEx
DefWindowProcW
LoadCursorW
GetMessageW
RegisterClassW
CreateWindowExW
SetWindowLongW
SetTimer
PostQuitMessage
IsCharAlphaW
DispatchMessageW
ShutdownBlockReasonDestroy
UpdateWindow
LoadImageW
DestroyWindow
ShowWindow
SetWindowTextW
ShutdownBlockReasonCreate
MessageBoxW
SendMessageW
GetWindowLongW
CharNextW
CharUpperW

wtsapi32

WTSEnumerateSessionsW
WTSUnRegisterSessionNotification
WTSQueryUserToken
WTSFreeMemory
WTSRegisterSessionNotification

shell32

CommandLineToArgvW
Shell_NotifyIconW

ole32

CoInitializeEx
CoTaskMemFree
CoUninitialize
CoCreateInstance
CoInitializeSecurity

version

GetFileVersionInfoSizeExW
VerQueryValueW
GetFileVersionInfoExW

bcrypt

BCryptDestroyHash
BCryptFinishHash
BCryptCloseAlgorithmProvider
BCryptHashData
BCryptCreateHash
BCryptGetProperty
BCryptOpenAlgorithmProvider

Sections

.text
Size: 567KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 50KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

830588fe7f62cea178dee53ecc55efc1

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

1b:8d:a8:e9:6b:58:f2:69:ec:44:68:3f:25:4c:b5:ab:7c:06:73:81:40:23:86:77:f1:ed:4d:cc:ac:7e:16:98Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

rpcrt4

wdscore

ntdll

winhttp

oleaut32

fltlib

cabinet

advapi32

kernel32

user32

wtsapi32

shell32

ole32

version

bcrypt

Sections

.text Size: 567KB - Virtual size: 567KB

.data Size: 3KB - Virtual size: 14KB

.idata Size: 10KB - Virtual size: 9KB

.rsrc Size: 50KB - Virtual size: 49KB

.reloc Size: 23KB - Virtual size: 23KB

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

1b:8d:a8:e9:6b:58:f2:69:ec:44:68:3f:25:4c:b5:ab:7c:06:73:81:40:23:86:77:f1:ed:4d:cc:ac:7e:16:98
Signer

.text
Size: 567KB - Virtual size: 567KB

.data
Size: 3KB - Virtual size: 14KB

.idata
Size: 10KB - Virtual size: 9KB

.rsrc
Size: 50KB - Virtual size: 49KB

.reloc
Size: 23KB - Virtual size: 23KB