2024-04-11_b05b41af476d602e07c7f7753c6c1d87_mafia_revil

Sharing

Copy URL Twitter E-mail

General

Target

2024-04-11_b05b41af476d602e07c7f7753c6c1d87_mafia_revil
Size

2.9MB
MD5

b05b41af476d602e07c7f7753c6c1d87
SHA1

d4d00d56f22523a80cb7cf9771b757873c7d44f4
SHA256

f17a5051a51cff44a1d77d7b0567ab471fbc9041e7cfdad284d8906903cb81bf
SHA512

a8962c14cd4a0d1091bf64f3fdac1aa74d391e02000715630948ab22dc04610cc76d3abf7242ea5c5fdaf0173375a4d0907a6f1d71659726c9b7a1cdb2256ee8
SSDEEP

49152:jW6AWBwMkKBSQlThBT4j8T7pt726vhQop0ARHYE73EpUJ619lnTvVsHBph9JcIev:jWJWBwMkKxlT68ZJvhQSyE7PJ619bsxR

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-04-11_b05b41af476d602e07c7f7753c6c1d87_mafia_revil

Files

2024-04-11_b05b41af476d602e07c7f7753c6c1d87_mafia_revil
.exe windows:5 windows x86 arch:x86

3944eae49aaec695ea76423d52dd0812

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\DC_NATIVE_11_3_2400_12_1_meaap_crash\dc_native\native\agent\Release\dcondemand.pdb

Imports

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
RegSetValueExW
RegSetValueExA
RegDeleteValueA
RegDeleteValueW
RegOpenKeyExW
RegQueryValueExW
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyA
CryptDestroyKey
CryptReleaseContext
CryptGenKey
CryptGetUserKey
CryptGetHashParam
CryptAcquireContextA
ControlService
CloseServiceHandle
RevertToSelf
CryptSetHashParam
CryptExportKey
CryptAcquireContextW
CryptSignHashW
CryptEnumProvidersW
CryptGetProvParam
CryptDecrypt
CryptGenRandom
ImpersonateLoggedOnUser
CryptDestroyHash
CryptHashData
CryptCreateHash
DeregisterEventSource
ReportEventA
RegisterEventSourceA
ReportEventW
RegisterEventSourceW
LookupAccountSidA
GetTokenInformation
CreateProcessAsUserW
OpenProcessToken
LookupPrivilegeNameA
LookupPrivilegeValueA
CreateProcessAsUserA
LogonUserA
QueryServiceStatus
OpenServiceW
OpenSCManagerW

wsock32

getservbyport
WSAGetLastError
send
gethostbyname
gethostbyaddr
closesocket
WSASetLastError
getservbyname
socket
WSACleanup
connect
ntohs
htons
htonl
ioctlsocket
WSAStartup
inet_addr

crypt32

CertVerifyTimeValidity
CertDeleteCertificateFromStore
PFXVerifyPassword
PFXImportCertStore
CertCreateCertificateContext
CryptStringToBinaryA
CertOpenStore
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertNameToStrW
CryptMsgGetParam
CertGetNameStringA
CertCloseStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptQueryObject
CertGetCertificateContextProperty
CertDuplicateCertificateContext

iphlpapi

NotifyAddrChange
GetAdaptersInfo

wtsapi32

WTSQuerySessionInformationA
WTSEnumerateSessionsA
WTSFreeMemory

netapi32

DsGetDcNameA
NetApiBufferFree
NetGetJoinInformation

winhttp

WinHttpReadData
WinHttpQueryDataAvailable
WinHttpSendRequest
WinHttpWriteData
WinHttpQueryOption
WinHttpQueryHeaders
WinHttpAddRequestHeaders
WinHttpSetStatusCallback
WinHttpOpenRequest
WinHttpConnect
WinHttpOpen
WinHttpSetOption
WinHttpReceiveResponse
WinHttpCloseHandle
WinHttpSetCredentials

dcagenthttp

AgentSendRequestEx

userenv

DestroyEnvironmentBlock
LoadUserProfileA
CreateEnvironmentBlock
UnloadUserProfile

dclibxml2

xmlTextReaderAttributeCount
xmlTextReaderDepth
xmlParseMemory
xmlDocGetRootElement
xmlTextReaderRead
xmlTextReaderGetAttribute
xmlTextReaderName
xmlFreeTextReader
xmlTextReaderValue
xmlFreeDoc
xmlFree
xmlNodeListGetString
xmlNewTextReaderFilename
xmlStrcmp
xmlParseFile
xmlCleanupParser

ws2_32

WSACloseEvent
WSAResetEvent
WSAWaitForMultipleEvents
WSAGetOverlappedResult
WSASend
WSARecv
recv
WSACreateEvent

wsclientsocket

?setProxyHostName@SocketAdapter@ClientSocket@SocketUtils@@UAEXV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?setProxyDetails@SocketAdapter@ClientSocket@SocketUtils@@UAEXAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@H00@Z
?setProxyPort@SocketAdapter@ClientSocket@SocketUtils@@UAEXH@Z
?setProxyUserName@SocketAdapter@ClientSocket@SocketUtils@@UAEXV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?setProxyPassword@SocketAdapter@ClientSocket@SocketUtils@@UAEXV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?setCustomheaders@SocketAdapter@ClientSocket@SocketUtils@@UAEXV?$map@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@V?$allocator@U?$pair@$$CBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@@std@@@2@@std@@@Z
??1SocketAdapter@ClientSocket@SocketUtils@@UAE@XZ
??1AsyncSocket@ClientSocket@SocketUtils@@UAE@XZ
?setServerHostName@SocketAdapter@ClientSocket@SocketUtils@@UAEXV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?setServerPort@SocketAdapter@ClientSocket@SocketUtils@@UAEXH@Z
?setConnectionMode@SocketAdapter@ClientSocket@SocketUtils@@UAEX_N@Z
?setConnectionDetails@SocketAdapter@ClientSocket@SocketUtils@@UAEXV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@H_N0H00@Z
?setProxySwitch@SocketAdapter@ClientSocket@SocketUtils@@UAEX_N@Z

kernel32

InterlockedExchange
EncodePointer
GetStringTypeW
MoveFileExA
DecodePointer
InitializeCriticalSection
GetLocaleInfoW
RaiseException
HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetProcessHeap
LocalLock
GetCommandLineA
HeapSetInformation
RtlUnwind
GetFileInformationByHandle
PeekNamedPipe
GetDriveTypeA
FindFirstFileExA
ExitThread
GetCPInfo
CompareStringW
LCMapStringW
UnhandledExceptionFilter
IsDebuggerPresent
ExitProcess
GetACP
GetOEMCP
IsValidCodePage
HeapCreate
LocalUnlock
GetModuleFileNameW
IsProcessorFeaturePresent
CreateFileA
GetFileSize
FindResourceExW
FindResourceW
SetHandleCount
SystemTimeToTzSpecificLocalTime
SystemTimeToFileTime
WriteFile
WideCharToMultiByte
SizeofResource
ReadFile
GetTimeZoneInformation
GetEnvironmentVariableA
MultiByteToWideChar
FindFirstFileA
GetLastError
FindClose
LockResource
GetModuleFileNameA
GetVersionExA
CloseHandle
GetSystemTime
DeleteFileA
InterlockedIncrement
InterlockedDecrement
SetUnhandledExceptionFilter
GetCurrentProcess
SetEvent
SetConsoleMode
GetProcAddress
LoadLibraryA
SetConsoleCtrlHandler
SetProcessShutdownParameters
WaitForSingleObject
CreateEventA
CreateThread
GetEnvironmentVariableW
FreeLibrary
TerminateThread
GetSystemDirectoryA
CopyFileA
GetExitCodeThread
GetCurrentThreadId
Sleep
GetLocalTime
FindNextFileA
DeleteTimerQueue
CreateTimerQueue
ReleaseMutex
GetFileSizeEx
CreateTimerQueueTimer
CreateDirectoryA
GetModuleHandleA
Process32Next
TerminateProcess
GetExitCodeProcess
OpenProcess
Process32First
CreateToolhelp32Snapshot
GetTickCount
SetDllDirectoryA
CreateMutexA
FileTimeToSystemTime
GetLocaleInfoA
CreateProcessA
SetCurrentDirectoryA
GetCurrentDirectoryA
GetSystemInfo
FindNextFileW
FindFirstFileW
GetComputerNameExW
LocalFree
FormatMessageA
FormatMessageW
GlobalFree
GlobalAlloc
GetCurrentProcessId
GetFileAttributesExA
GetFullPathNameA
lstrlenW
lstrlenA
DeleteFileW
FlushFileBuffers
CreateDirectoryW
CopyFileW
CreateFileW
LoadLibraryW
ProcessIdToSessionId
SetCurrentDirectoryW
SetFilePointer
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
lstrcmpW
QueryPerformanceCounter
SuspendThread
ResumeThread
SetLastError
GetCurrentDirectoryW
FileTimeToLocalFileTime
LocalAlloc
GetVersion
GetModuleHandleExW
TlsGetValue
InterlockedCompareExchange
TlsSetValue
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
InterlockedExchangeAdd
DeleteCriticalSection
TlsAlloc
TlsFree
CreateFiber
SwitchToFiber
DeleteFiber
GetModuleHandleW
GetStdHandle
GetFileType
GetSystemTimeAsFileTime
ConvertThreadToFiber
ConvertFiberToThread
ReadConsoleA
ReadConsoleW
GetConsoleMode
GetStartupInfoW
SetStdHandle
GetConsoleCP
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
WriteConsoleW
SetEndOfFile
GetDriveTypeW
VirtualQuery
SetEnvironmentVariableA
LoadResource

user32

wsprintfW
GetUserObjectInformationW
MessageBoxW
GetProcessWindowStation
MessageBoxA

shell32

SHCreateDirectoryExW
SHCreateDirectoryExA

odbc32

ord49
ord48
ord72
ord26
ord13
ord4
ord8
ord18
ord11
ord43
ord39
ord29
ord36
ord9
ord41
ord31
ord2
ord20
ord16
ord12
ord19
ord3
ord1

shlwapi

StrTrimA
PathFindExtensionA
StrStrIA

ole32

CoInitializeEx
CoUninitialize
CoSetProxyBlanket
CoCreateInstance

oleaut32

VariantInit
SafeArrayGetLBound
SafeArrayGetUBound
SysAllocStringByteLen
SysFreeString
SysStringLen
SysAllocString
VariantClear
SafeArrayAccessData

Exports

Exports

??0AsyncSocket@ClientSocket@SocketUtils@@QAE@ABV012@@Z
??0SocketAdapter@ClientSocket@SocketUtils@@QAE@ABV012@@Z
??4AsyncSocket@ClientSocket@SocketUtils@@QAEAAV012@ABV012@@Z
??4SocketAdapter@ClientSocket@SocketUtils@@QAEAAV012@ABV012@@Z
??_7AsyncSocket@ClientSocket@SocketUtils@@6B@
??_7SocketAdapter@ClientSocket@SocketUtils@@6B@

Sections

.text
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 576KB - Virtual size: 576KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 67KB - Virtual size: 89KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 139KB - Virtual size: 138KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3944eae49aaec695ea76423d52dd0812

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

wsock32

crypt32

iphlpapi

wtsapi32

netapi32

winhttp

dcagenthttp

userenv

dclibxml2

ws2_32

wsclientsocket

kernel32

user32

shell32

odbc32

shlwapi

ole32

oleaut32

Exports

Exports

Sections

.text Size: 2.1MB - Virtual size: 2.1MB

.rdata Size: 576KB - Virtual size: 576KB

.data Size: 67KB - Virtual size: 89KB

.rsrc Size: 512B - Virtual size: 504B

.reloc Size: 139KB - Virtual size: 138KB

.text
Size: 2.1MB - Virtual size: 2.1MB

.rdata
Size: 576KB - Virtual size: 576KB

.data
Size: 67KB - Virtual size: 89KB

.rsrc
Size: 512B - Virtual size: 504B

.reloc
Size: 139KB - Virtual size: 138KB