4ee70128c70d646c5c2a9a17ad05949cb1fbf1043e9d671998812b2dce75cf0f

Sharing

Copy URL Twitter E-mail

General

Target

4ee70128c70d646c5c2a9a17ad05949cb1fbf1043e9d671998812b2dce75cf0f
Size

2.7MB
MD5

5a782bc5f0d63540b666f6a07e116d81
SHA1

281bb0dadc789b89f7ae30d5f4bdeae57c66b0e1
SHA256

4ee70128c70d646c5c2a9a17ad05949cb1fbf1043e9d671998812b2dce75cf0f
SHA512

6e8c038304e51e11e12f46ee81a5e16f3687a11ac61c97a153caccba427c693ca4112977eca00b2ea9e965482689e98d8d49a6a71f1965637f7727c06990b857
SSDEEP

49152:4WoDnIQuVStaakknRDxKMQMjxKrj28BEdJII60KUvFMDZUxIqM/+1UzzZZBx+/EG:XoDIQshar5P56NEdK8KUtMdUxtX0BxSR

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/pdh.dll
unpack001/pdhui_1.dll

Files

4ee70128c70d646c5c2a9a17ad05949cb1fbf1043e9d671998812b2dce75cf0f
.zip
bd6ql.yk
pdh.dll
.dll windows:10 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

pdh.pdb

Exports

Exports

PdhAdd009CounterA
PdhAdd009CounterW
PdhAddCounterA
PdhAddCounterW
PdhAddEnglishCounterA
PdhAddEnglishCounterW
PdhAddRelogCounter
PdhAddV1Counter
PdhAddV2Counter
PdhBindInputDataSourceA
PdhBindInputDataSourceW
PdhBrowseCountersA
PdhBrowseCountersHA
PdhBrowseCountersHW
PdhBrowseCountersW
PdhCalculateCounterFromRawValue
PdhCloseLog
PdhCloseQuery
PdhCollectQueryData
PdhCollectQueryDataEx
PdhCollectQueryDataWithTime
PdhComputeCounterStatistics
PdhConnectMachineA
PdhConnectMachineW
PdhCreateSQLTablesA
PdhCreateSQLTablesW
PdhEnumLogSetNamesA
PdhEnumLogSetNamesW
PdhEnumMachinesA
PdhEnumMachinesHA
PdhEnumMachinesHW
PdhEnumMachinesW
PdhEnumObjectItemsA
PdhEnumObjectItemsHA
PdhEnumObjectItemsHW
PdhEnumObjectItemsW
PdhEnumObjectsA
PdhEnumObjectsHA
PdhEnumObjectsHW
PdhEnumObjectsW
PdhExpandCounterPathA
PdhExpandCounterPathW
PdhExpandWildCardPathA
PdhExpandWildCardPathHA
PdhExpandWildCardPathHW
PdhExpandWildCardPathW
PdhFormatFromRawValue
PdhGetCounterInfoA
PdhGetCounterInfoW
PdhGetCounterTimeBase
PdhGetDataSourceTimeRangeA
PdhGetDataSourceTimeRangeH
PdhGetDataSourceTimeRangeW
PdhGetDefaultPerfCounterA
PdhGetDefaultPerfCounterHA
PdhGetDefaultPerfCounterHW
PdhGetDefaultPerfCounterW
PdhGetDefaultPerfObjectA
PdhGetDefaultPerfObjectHA
PdhGetDefaultPerfObjectHW
PdhGetDefaultPerfObjectW
PdhGetDllVersion
PdhGetExplainText
PdhGetFormattedCounterArrayA
PdhGetFormattedCounterArrayW
PdhGetFormattedCounterValue
PdhGetLogFileSize
PdhGetLogFileTypeA
PdhGetLogFileTypeW
PdhGetLogSetGUID
PdhGetRawCounterArrayA
PdhGetRawCounterArrayW
PdhGetRawCounterValue
PdhIsRealTimeQuery
PdhListLogFileHeaderA
PdhListLogFileHeaderW
PdhLookupPerfIndexByNameA
PdhLookupPerfIndexByNameW
PdhLookupPerfNameByIndexA
PdhLookupPerfNameByIndexW
PdhMakeCounterPathA
PdhMakeCounterPathW
PdhOpenLogA
PdhOpenLogW
PdhOpenQuery
PdhOpenQueryA
PdhOpenQueryH
PdhOpenQueryW
PdhParseCounterPathA
PdhParseCounterPathW
PdhParseInstanceNameA
PdhParseInstanceNameW
PdhReadRawLogRecord
PdhRelogA
PdhRelogW
PdhRemoveCounter
PdhResetRelogCounterValues
PdhSelectDataSourceA
PdhSelectDataSourceW
PdhSetCounterScaleFactor
PdhSetCounterValue
PdhSetDefaultRealTimeDataSource
PdhSetLogSetRunID
PdhSetQueryTimeRange
PdhTranslate009CounterA
PdhTranslate009CounterW
PdhTranslateLocaleCounterA
PdhTranslateLocaleCounterW
PdhUpdateLogA
PdhUpdateLogFileCatalog
PdhUpdateLogW
PdhValidatePathA
PdhValidatePathExA
PdhValidatePathExW
PdhValidatePathW
PdhVbAddCounter
PdhVbCreateCounterPathList
PdhVbGetCounterPathElements
PdhVbGetCounterPathFromList
PdhVbGetDoubleCounterValue
PdhVbGetLogFileSize
PdhVbGetOneCounterPath
PdhVbIsGoodStatus
PdhVbOpenLog
PdhVbOpenQuery
PdhVbUpdateLog
PdhVerifySQLDBA
PdhVerifySQLDBW
PdhWriteRelogSample

Sections

.text
Size: 230KB - Virtual size: 229KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 80B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rddata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
pdhui_1.dll
.dll windows:4 windows x64 arch:x64

7fe595265e45dde8d5a0737783f2fe12

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

msvcrt

_mbscmp
calloc
free
malloc
realloc
strcmp
wcscmp
wcslen

Exports

Exports

DllMain
GrayOleCharacter
PathDsUpper
RealizeTerminateRebootTable
TranslateCursorNotificationWave

Sections

.text
Size: 153KB - Virtual size: 152KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 1024B - Virtual size: 732B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 125KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 188B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 308B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 808B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rddata
Size: 210B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
wevtapi.dll
.dll windows:10 windows x64 arch:x64

63d8c736e489f394864a694158ebd752

Code Sign

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/07/2018, 20:45

Not After

26/07/2019, 20:45

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4a:14:ff:97:fc:e6:a2:c7:4c:dc:4f:8a:81:e0:b2:35:59:55:12:15:c4:cf:00:69:6a:30:a7:86:9b:d0:84:ab
Signer

Actual PE Digest

4a:14:ff:97:fc:e6:a2:c7:4c:dc:4f:8a:81:e0:b2:35:59:55:12:15:c4:cf:00:69:6a:30:a7:86:9b:d0:84:ab

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

wevtapi.pdb

Imports

msvcp_win

?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z

api-ms-win-crt-string-l1-1-0

wcscmp
memset

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm

api-ms-win-crt-private-l1-1-0

_o__errno
_o__execute_onexit_table
_o__i64tow_s
_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__itow_s
_o__purecall
_o__register_onexit_function
_o__seh_filter_dll
memmove
_o__ui64tow_s
_o__ultow_s
_o__wcsicmp
_o__wcsnicmp
_o__wcstoi64
_o__wcstoui64
_o__wtof
_o__wtoi
_o__wtoi64
_o__wtol
_o_free
_o_iswalnum
_o_iswalpha
_o_iswdigit
_o_iswspace
_o_terminate
_o_toupper
_o_wcscpy_s
_o_wcsncpy_s
__C_specific_handler
_o___stdio_common_vsnwprintf_s
_o___std_type_info_destroy_list
_o__crt_atexit
_o__configure_narrow_argv
_o__cexit
wcschr
wcsrchr
__std_terminate
__CxxFrameHandler3
_o___stdio_common_vswscanf
_o___stdio_common_vswprintf_s
_o___stdio_common_vswprintf
_CxxThrowException
memcmp
memcpy

ntdll

EtwGetTraceEnableFlags
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
EtwRegisterTraceGuidsW
RtlCaptureContext
EtwTraceMessage
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlNtStatusToDosError
NtSetInformationFile
RtlSetLastWin32ErrorAndNtStatusFromNtStatus
RtlComputeCrc32
NtWriteFile
NtReadFile
EtwUnregisterTraceGuids
RtlSetLastWin32Error

api-ms-win-core-synch-l1-1-0

AcquireSRWLockExclusive
ReleaseMutex
WaitForSingleObjectEx
OpenSemaphoreW
WaitForSingleObject
ReleaseSRWLockShared
ReleaseSemaphore
CreateSemaphoreExW
DeleteCriticalSection
ResetEvent
CreateMutexExW
AcquireSRWLockShared
InitializeCriticalSectionEx
SetEvent
LeaveCriticalSection
CreateEventW
EnterCriticalSection
ReleaseSRWLockExclusive

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-localization-l1-2-0

GetLocaleInfoW
GetThreadUILanguage
FormatMessageW
GetThreadLocale

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventUnregister
EventRegister
EventProviderEnabled
EventWriteTransfer

api-ms-win-core-errorhandling-l1-1-0

SetLastError
UnhandledExceptionFilter
GetLastError
SetUnhandledExceptionFilter

api-ms-win-core-file-l1-1-0

SetFilePointerEx
DeleteFileW
GetDiskFreeSpaceExW
FlushFileBuffers
GetFullPathNameW
GetFileSizeEx
SetEndOfFile
GetTempFileNameW
GetFileAttributesW
CreateFileW
ReadFile
GetFileInformationByHandle

api-ms-win-core-processthreads-l1-1-0

TlsGetValue
TlsSetValue
GetCurrentProcessId
TerminateProcess
TlsAlloc
TlsFree
GetCurrentThreadId
GetCurrentProcess

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameA
GetModuleHandleExW
GetProcAddress
FreeLibrary
GetModuleHandleW

api-ms-win-security-base-l1-1-0

GetLengthSid
IsValidSid

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolCleanupGroup
CloseThreadpoolTimer
SetThreadpoolTimer
CreateThreadpoolTimer
CloseThreadpoolWait
WaitForThreadpoolTimerCallbacks
SetThreadpoolWait
WaitForThreadpoolWaitCallbacks
CloseThreadpoolWork
FreeLibraryWhenCallbackReturns
CloseThreadpoolCleanupGroup
CreateThreadpoolWait
CreateThreadpoolWork
SubmitThreadpoolWork

api-ms-win-core-synch-l1-2-0

WakeAllConditionVariable
InitOnceComplete
SleepConditionVariableCS
InitOnceBeginInitialize
InitializeConditionVariable
Sleep

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringW
DebugBreak

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount64
GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime

bcrypt

BCryptDestroyHash
BCryptFinishHash
BCryptHashData
BCryptGetProperty
BCryptOpenAlgorithmProvider
BCryptCreateHash
BCryptCloseAlgorithmProvider

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

EvtArchiveExportedLog
EvtCancel
EvtClearLog
EvtClose
EvtCreateBookmark
EvtCreateRenderContext
EvtExportLog
EvtFormatMessage
EvtGetChannelConfigProperty
EvtGetEventInfo
EvtGetEventMetadataProperty
EvtGetExtendedStatus
EvtGetLogInfo
EvtGetObjectArrayProperty
EvtGetObjectArraySize
EvtGetPublisherMetadataProperty
EvtGetQueryInfo
EvtIntAssertConfig
EvtIntCreateBinXMLFromCustomXML
EvtIntCreateLocalLogfile
EvtIntGetClassicLogDisplayName
EvtIntRenderResourceEventTemplate
EvtIntReportAuthzEventAndSourceAsync
EvtIntReportEventAndSourceAsync
EvtIntRetractConfig
EvtIntSysprepCleanup
EvtIntWriteXmlEventToLocalLogfile
EvtNext
EvtNextChannelPath
EvtNextEventMetadata
EvtNextPublisherId
EvtOpenChannelConfig
EvtOpenChannelEnum
EvtOpenEventMetadataEnum
EvtOpenLog
EvtOpenPublisherEnum
EvtOpenPublisherMetadata
EvtOpenSession
EvtQuery
EvtRender
EvtSaveChannelConfig
EvtSeek
EvtSetChannelConfigProperty
EvtSubscribe
EvtUpdateBookmark

Sections

.text
Size: 276KB - Virtual size: 275KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 86KB - Virtual size: 86KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
zabbix_agentd.exe
.exe windows:5 windows x64 arch:x64

c0012f202e9ee5f7f90562fbb60d42fa

Code Sign

04:00:00:00:00:01:21:58:53:08:a2
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

18/03/2009, 10:00

Not After

18/03/2029, 10:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:f2:40:42:40:ce:fd:22:db:e9:6c:71:fc
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

20/02/2019, 00:00

Not After

18/03/2029, 10:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

e4:27:04:95:f6:8c:91:d6:d0:ec:7b:49:4e:a4:df:1c
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

11/09/2018, 09:26

Not After

11/09/2023, 09:26

Subject

CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Not Before

20/06/2018, 00:00

Not After

10/12/2034, 00:00

Subject

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:84:d3:a8:ce:37:81:eb:57:f4:fd:87:7b:83:ae:b2
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Not Before

27/05/2021, 10:00

Not After

28/06/2032, 10:00

Subject

CN=Globalsign TSA for MS Authenticode Advanced - G4,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

56:7a:5f:bc:29:b0:c5:8e:07:7b:6f:6d:94:b8:88:3a
Certificate

Issuer

CN=SSL.com Code Signing Intermediate CA RSA R1,O=SSL Corp,L=Houston,ST=Texas,C=US

Not Before

17/06/2021, 22:27

Not After

17/06/2022, 22:27

Subject

CN=Zabbix SIA,O=Zabbix SIA,L=Riga,C=LV

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

64:33:51:d3:c7:38:9f:08
Certificate

Issuer

CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US

Not Before

24/06/2016, 20:44

Not After

24/06/2031, 20:44

Subject

CN=SSL.com Code Signing Intermediate CA RSA R1,O=SSL Corp,L=Houston,ST=Texas,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

b3:3a:41:a1:c1:0e:0d:b8:a6:98:2a:bb:fc:05:a3:b5:61:05:b8:00:e8:7a:64:fb:39:93:0d:3a:1e:9f:0d:9b
Signer

Actual PE Digest

b3:3a:41:a1:c1:0e:0d:b8:a6:98:2a:bb:fc:05:a3:b5:61:05:b8:00:e8:7a:64:fb:39:93:0d:3a:1e:9f:0d:9b

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\ZABBIX\build-agents-web\zabbix-5.4.4\bin\win64\zabbix_agentd.pdb

Imports

ws2_32

accept
getservbyname
closesocket
connect
ioctlsocket
getpeername
bind
__WSAFDIsSet
getservbyport
gethostbyname
getsockopt
htonl
htons
inet_addr
inet_ntoa
listen
ntohs
WSAStartup
recv
recvfrom
select
send
sendto
setsockopt
gethostbyaddr
socket
WSASetLastError
WSACleanup
gethostname
WSAAddressToStringA
WSASocketW
WSAGetLastError
shutdown

psapi

GetModuleFileNameExW
GetProcessMemoryInfo

pdh

PdhMakeCounterPathW
PdhCollectQueryData
PdhValidatePathW
PdhLookupPerfNameByIndexW
PdhEnumObjectsW
PdhCalculateCounterFromRawValue
PdhCloseQuery
PdhRemoveCounter
PdhAddCounterW
PdhOpenQueryW
PdhParseCounterPathW
PdhEnumObjectItemsW
PdhGetRawCounterValue

advapi32

DeregisterEventSource
CryptReleaseContext
CryptGenRandom
ConvertSidToStringSidW
ReadEventLogW
OpenEventLogW
GetOldestEventLogRecord
GetNumberOfEventLogRecords
CloseEventLog
StartServiceW
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
DeleteService
CreateServiceW
ControlService
ChangeServiceConfig2W
RegSetValueExW
RegDeleteKeyW
RegCreateKeyExW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
QueryServiceStatus
QueryServiceConfig2W
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
GetServiceKeyNameW
EnumServicesStatusExW
CloseServiceHandle
LookupAccountSidW
GetTokenInformation
OpenProcessToken
ReportEventW
RegisterEventSourceW
CryptAcquireContextW

iphlpapi

GetIpAddrTable
GetIfTable
GetIfEntry
GetTcpTable

dnsapi

DnsFree
DnsQuery_W

user32

GetProcessWindowStation
GetUserObjectInformationW
MessageBoxW

ole32

CoCreateInstance
CoInitializeSecurity
CoInitializeEx
CoUninitialize
CoSetProxyBlanket

oleaut32

SysAllocString
SysFreeString
SafeArrayGetDim
SafeArrayGetElemsize
SafeArrayGetUBound
SafeArrayGetLBound
VariantChangeType
VariantCopy
VariantClear
VariantInit
SafeArrayGetVartype
SafeArrayGetElement

dbghelp

SymSetOptions
SymGetOptions
SymCleanup
SymInitialize
StackWalk64

kernel32

SystemTimeToTzSpecificLocalTime
WriteConsoleW
GetModuleFileNameW
ExitProcess
FindFirstFileExW
GetCommandLineA
GetCommandLineW
HeapFree
OutputDebugStringW
GetStringTypeW
HeapAlloc
HeapReAlloc
CompareStringW
LCMapStringW
FileTimeToSystemTime
GetCurrentDirectoryW
GetConsoleCP
SetEndOfFile
FlushFileBuffers
DeleteFileW
MoveFileExW
GetFileSizeEx
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetProcessHeap
HeapSize
VirtualProtect
ExitThread
GetTimeZoneInformation
SetStdHandle
SetFilePointerEx
CreateThread
DuplicateHandle
FreeLibraryAndExitThread
SetConsoleCtrlHandler
RaiseException
RtlPcToFileHeader
RtlUnwindEx
VirtualQuery
LoadLibraryExA
WaitForMultipleObjectsEx
IsDebuggerPresent
InitializeSListHead
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlLookupFunctionEntry
RtlCaptureContext
SystemTimeToFileTime
GetSystemTime
ReadConsoleW
ReadConsoleA
SetConsoleMode
GetConsoleMode
LoadLibraryW
RtlVirtualUnwind
ConvertThreadToFiber
ConvertFiberToThread
GetSystemTimeAsFileTime
CreateFiber
DeleteFiber
SwitchToFiber
WriteFile
GetFileType
GetEnvironmentVariableW
QueryPerformanceCounter
QueryPerformanceFrequency
MultiByteToWideChar
WideCharToMultiByte
lstrcmpiA
VerSetConditionMask
SetHandleInformation
GetLastError
GetSystemDirectoryA
FreeLibrary
GetProcAddress
LoadLibraryA
FormatMessageW
VerifyVersionInfoW
FindClose
FindFirstFileW
FindNextFileW
GetModuleHandleW
CloseHandle
ReleaseMutex
WaitForSingleObject
CreateMutexW
GetCurrentProcessId
QueueUserAPC
GetCurrentThreadId
GetExitCodeThread
GetStdHandle
ReadFile
CreatePipe
PeekNamedPipe
Sleep
TerminateProcess
GetExitCodeProcess
ResumeThread
CreateProcessW
GetStartupInfoW
CreateJobObjectW
AssignProcessToJobObject
TerminateJobObject
CreateFileW
GetFileInformationByHandle
GetCompressedFileSizeW
GetFileAttributesW
GetNativeSystemInfo
FindFirstVolumeW
FindNextVolumeW
FindVolumeClose
GetDiskFreeSpaceExW
GetDriveTypeW
GetLogicalDriveStringsW
GetVolumeInformationW
GetVolumePathNamesForVolumeNameW
GlobalMemoryStatus
GetProcessTimes
OpenProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetEvent
CreateEventW
TerminateThread
GetSystemInfo
GetVersionExW
GetComputerNameW
SleepEx
ExpandEnvironmentStringsW
LoadLibraryExW
LocalFree
GetVolumePathNameW
SetErrorMode
GetCurrentProcess
GetCurrentThread
GetDiskFreeSpaceW
GetFullPathNameW
GetModuleHandleExW
SetLastError
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree

Sections

.text
Size: 2.2MB - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 735KB - Virtual size: 735KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 47KB - Virtual size: 89KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 81KB - Virtual size: 80KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 148B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Headers

DLL Characteristics

File Characteristics

PDB Paths

Exports

Exports

Sections

.text Size: 230KB - Virtual size: 229KB

.rdata Size: 45KB - Virtual size: 45KB

.data Size: 512B - Virtual size: 3KB

.pdata Size: 7KB - Virtual size: 6KB

.rsrc Size: 6KB - Virtual size: 6KB

.reloc Size: 512B - Virtual size: 80B

.rddata Size: 5KB - Virtual size: 5KB

7fe595265e45dde8d5a0737783f2fe12

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

Exports

Exports

Sections

.text Size: 153KB - Virtual size: 152KB

.rdata Size: 512B - Virtual size: 16B

.pdata Size: 1KB - Virtual size: 1KB

.xdata Size: 1024B - Virtual size: 732B

.bss Size: - Virtual size: 125KB

.edata Size: 512B - Virtual size: 188B

.idata Size: 512B - Virtual size: 308B

.rsrc Size: 1024B - Virtual size: 808B

.reloc Size: 512B - Virtual size: 12B

.rddata Size: 210B - Virtual size: 4KB

63d8c736e489f394864a694158ebd752

Code Sign

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

4a:14:ff:97:fc:e6:a2:c7:4c:dc:4f:8a:81:e0:b2:35:59:55:12:15:c4:cf:00:69:6a:30:a7:86:9b:d0:84:abSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcp_win

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-private-l1-1-0

ntdll

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-timezone-l1-1-0

bcrypt

api-ms-win-core-file-l2-1-0

api-ms-win-core-delayload-l1-1-1

.text
Size: 230KB - Virtual size: 229KB

.rdata
Size: 45KB - Virtual size: 45KB

.data
Size: 512B - Virtual size: 3KB

.pdata
Size: 7KB - Virtual size: 6KB

.rsrc
Size: 6KB - Virtual size: 6KB

.reloc
Size: 512B - Virtual size: 80B

.rddata
Size: 5KB - Virtual size: 5KB

.text
Size: 153KB - Virtual size: 152KB

.rdata
Size: 512B - Virtual size: 16B

.pdata
Size: 1KB - Virtual size: 1KB

.xdata
Size: 1024B - Virtual size: 732B

.bss
Size: - Virtual size: 125KB

.edata
Size: 512B - Virtual size: 188B

.idata
Size: 512B - Virtual size: 308B

.rsrc
Size: 1024B - Virtual size: 808B

.reloc
Size: 512B - Virtual size: 12B

.rddata
Size: 210B - Virtual size: 4KB

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

4a:14:ff:97:fc:e6:a2:c7:4c:dc:4f:8a:81:e0:b2:35:59:55:12:15:c4:cf:00:69:6a:30:a7:86:9b:d0:84:ab
Signer

.text
Size: 276KB - Virtual size: 275KB

.rdata
Size: 86KB - Virtual size: 86KB

.data
Size: 1024B - Virtual size: 3KB

.pdata
Size: 14KB - Virtual size: 13KB

.didat
Size: 512B - Virtual size: 120B

.rsrc
Size: 5KB - Virtual size: 5KB

.reloc
Size: 1KB - Virtual size: 1KB

04:00:00:00:00:01:21:58:53:08:a2
Certificate

01:f2:40:42:40:ce:fd:22:db:e9:6c:71:fc
Certificate

e4:27:04:95:f6:8c:91:d6:d0:ec:7b:49:4e:a4:df:1c
Certificate

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

01:84:d3:a8:ce:37:81:eb:57:f4:fd:87:7b:83:ae:b2
Certificate

56:7a:5f:bc:29:b0:c5:8e:07:7b:6f:6d:94:b8:88:3a
Certificate

64:33:51:d3:c7:38:9f:08
Certificate

b3:3a:41:a1:c1:0e:0d:b8:a6:98:2a:bb:fc:05:a3:b5:61:05:b8:00:e8:7a:64:fb:39:93:0d:3a:1e:9f:0d:9b
Signer

.text
Size: 2.2MB - Virtual size: 2.2MB

.rdata
Size: 735KB - Virtual size: 735KB

.data
Size: 47KB - Virtual size: 89KB

.pdata
Size: 81KB - Virtual size: 80KB

_RDATA
Size: 512B - Virtual size: 148B

.rsrc
Size: 1KB - Virtual size: 1KB