Setup[.]exe | Triage

Resubmissions

11-04-2024 17:35

240411-v56xysbg2t 7

Sharing

Copy URL

Twitter E-mail

General

Target

Setup.exe
Size

3.2MB
MD5

cbd28dd5f9bdb848926726b172124751
SHA1

2854cf38e373a60a14927422c5a9de242695ce5b
SHA256

275be7d414498ed841232cee005cb97dfc1c22977b841b72d674959629d5ce02
SHA512

cc94dd7f248e0c539b75de318f5d9c2a25099e3d205beb437e426628c5170443ae68b275cab8870c042ea15d71367997633f592bbb761e9299a29a02f1b25fe3
SSDEEP

49152:9DWX6UQASeBylX01L6FXA3XcNd2rcX9gUKkDg3PsFNBwi4clntJlMKWr/SALAqWy:9uWA+X4cjXki4clntJiKWz7LArcz

Score

1^/10

Malware Config

Signatures

Files

Setup.exe
.exe windows:6 windows x64 arch:x64

6fe68d69ef96280313858fd1365b5cc1

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

25-05-2021 00:00

Not After

31-12-2028 23:59

Subject

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:d7:08:a8:91:40:53:19:e2:a5:bb:d3:39:b9:ad:6e
Certificate

Issuer

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Not Before

22-03-2021 00:00

Not After

21-03-2036 23:59

Subject

CN=Sectigo Public Code Signing CA EV R36,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1b:5c:84:93:b2:e5:5c:2c:eb:86:d4:ce:e9:16:ce:d4
Certificate

Issuer

CN=Sectigo Public Code Signing CA EV R36,O=Sectigo Limited,C=GB

Not Before

28-07-2021 00:00

Not After

27-07-2024 23:59

Subject

SERIALNUMBER=516426681,CN=ASOMAK LTD,O=ASOMAK LTD,L=Rishon Lezion,C=IL,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#1302494c

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

03-05-2023 00:00

Not After

02-08-2034 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #4,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02-05-2019 00:00

Not After

18-01-2038 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f1:80:05:43:d8:e9:44:5d:74:82:9d:be:7f:d6:e8:9b:5e:31:61:76:3f:2c:06:d8:2d:18:d1:df:98:61:e6:82
Signer

Actual PE Digest

f1:80:05:43:d8:e9:44:5d:74:82:9d:be:7f:d6:e8:9b:5e:31:61:76:3f:2c:06:d8:2d:18:d1:df:98:61:e6:82

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Lior\programming\tagger\target\release\deps\GlobalUpdateMgr.pdb

Imports

ntdll

NtQueryInformationProcess
RtlGetVersion
NtDeviceIoControlFile
RtlVirtualUnwind
RtlLookupFunctionEntry
NtWriteFile
RtlNtStatusToDosError
RtlUnwindEx
NtQuerySystemInformation
RtlCaptureContext
RtlPcToFileHeader
NtCancelIoFileEx

kernel32

GetFullPathNameW
HeapFree
HeapCreate
ReadFile
AreFileApisANSI
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
GetCurrentThreadId
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetTempPathA
FormatMessageW
WriteFile
GetDiskFreeSpaceA
SetHandleInformation
GetLastError
GetDiskFreeSpaceW
GetFileAttributesA
OutputDebugStringA
LockFile
GetFileAttributesExW
InitializeSListHead
OutputDebugStringW
FlushViewOfFile
SetFilePointer
CreateFileA
LoadLibraryA
WaitForSingleObjectEx
DeleteFileA
DeleteFileW
HeapReAlloc
GetSystemInfo
CreateIoCompletionPort
GetQueuedCompletionStatusEx
LoadLibraryW
PostQueuedCompletionStatus
TryAcquireSRWLockExclusive
HeapAlloc
GetFullPathNameA
IsDebuggerPresent
HeapCompact
GetProcessTimes
GetSystemTimes
GetProcessIoCounters
HeapDestroy
UnlockFile
VirtualQueryEx
ReadProcessMemory
GetProcAddress
LocalFree
LockFileEx
GetFileSize
GetCurrentProcessId
GetProcessHeap
SystemTimeToFileTime
FreeLibrary
WideCharToMultiByte
GlobalMemoryStatusEx
K32GetPerformanceInfo
GetSystemTimeAsFileTime
RaiseException
GetSystemTime
FormatMessageA
CreateFileMappingW
MapViewOfFile
QueryPerformanceCounter
SetEndOfFile
GetTickCount
UnlockFileEx
GetTempPathW
CreateMutexW
WaitForSingleObject
FlushFileBuffers
CreateFileW
LoadLibraryExW
EncodePointer
InitializeCriticalSectionAndSpinCount
TlsAlloc
GetFileAttributesW
UnmapViewOfFile
HeapValidate
IsProcessorFeaturePresent
TerminateProcess
OpenProcess
SleepConditionVariableSRW
LoadLibraryExA
CloseHandle
HeapSize
MultiByteToWideChar
GetModuleHandleA
ReleaseSRWLockExclusive
GetConsoleMode
SetConsoleMode
GetConsoleScreenBufferInfo
SetConsoleTextAttribute
Sleep
TlsGetValue
TzSpecificLocalTimeToSystemTime
SystemTimeToTzSpecificLocalTime
CreateMutexA
GetCurrentThread
lstrlenW
TlsSetValue
TlsFree
AcquireSRWLockExclusive
CreateThread
AddVectoredExceptionHandler
SetThreadStackGuarantee
SwitchToThread
CreateWaitableTimerExW
SetWaitableTimer
SetLastError
GetCurrentDirectoryW
GetEnvironmentVariableW
WriteConsoleW
SetFileInformationByHandle
GetStdHandle
WakeAllConditionVariable
WakeConditionVariable
QueryPerformanceFrequency
AcquireSRWLockShared
ReleaseSRWLockShared
ReleaseMutex
FindClose
GetFileInformationByHandle
GetFileInformationByHandleEx
CreateDirectoryW
FindFirstFileW
MoveFileExW
GetFinalPathNameByHandleW
GetFileType
GetModuleHandleW
GetModuleFileNameW

advapi32

GetLengthSid
SystemFunction036
CopySid
IsValidSid
GetTokenInformation
OpenProcessToken

ws2_32

send
recv
ioctlsocket
connect
WSASocketW
closesocket
setsockopt
WSAGetLastError
getaddrinfo
WSAStartup
WSACleanup
getsockopt
freeaddrinfo
select

iphlpapi

GetAdaptersAddresses

psapi

GetModuleFileNameExW
GetProcessMemoryInfo

shell32

CommandLineToArgvW
SHGetKnownFolderPath

pdh

PdhOpenQueryA
PdhCloseQuery
PdhCollectQueryData
PdhAddEnglishCounterW
PdhGetFormattedCounterValue
PdhRemoveCounter

powrprof

CallNtPowerInformation

ole32

CoTaskMemFree

oleaut32

GetErrorInfo
SysFreeString
SysStringLen

bcrypt

BCryptGenRandom

api-ms-win-crt-string-l1-1-0

strcpy_s
strlen
strcspn
strncmp
wcsncmp
wcslen
strcmp

api-ms-win-crt-heap-l1-1-0

malloc
_msize
realloc
calloc
free
_set_new_mode

api-ms-win-crt-time-l1-1-0

_localtime64_s

api-ms-win-crt-runtime-l1-1-0

_initterm
_initterm_e
exit
_exit
_initialize_narrow_environment
_set_app_type
__p___argv
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
_seh_filter_exe
_get_initial_narrow_environment
_configure_narrow_argv
_initialize_onexit_table
_register_onexit_function
_endthreadex
_crt_atexit
terminate
abort
_beginthreadex
__p___argc

api-ms-win-crt-math-l1-1-0

__setusermatherr
pow

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 2.4MB - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 624KB - Virtual size: 624KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 106KB - Virtual size: 106KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 500B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

6fe68d69ef96280313858fd1365b5cc1

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16Certificate

Extended Key Usages

Key Usages

33:d7:08:a8:91:40:53:19:e2:a5:bb:d3:39:b9:ad:6eCertificate

Extended Key Usages

Key Usages

1b:5c:84:93:b2:e5:5c:2c:eb:86:d4:ce:e9:16:ce:d4Certificate

Extended Key Usages

Key Usages

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4Certificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

f1:80:05:43:d8:e9:44:5d:74:82:9d:be:7f:d6:e8:9b:5e:31:61:76:3f:2c:06:d8:2d:18:d1:df:98:61:e6:82Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

kernel32

advapi32

ws2_32

iphlpapi

psapi

shell32

pdh

powrprof

ole32

oleaut32

bcrypt

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 2.4MB - Virtual size: 2.4MB

.rdata Size: 624KB - Virtual size: 624KB

.data Size: 14KB - Virtual size: 17KB

.pdata Size: 106KB - Virtual size: 106KB

_RDATA Size: 512B - Virtual size: 500B

.reloc Size: 14KB - Virtual size: 13KB

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

33:d7:08:a8:91:40:53:19:e2:a5:bb:d3:39:b9:ad:6e
Certificate

1b:5c:84:93:b2:e5:5c:2c:eb:86:d4:ce:e9:16:ce:d4
Certificate

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

f1:80:05:43:d8:e9:44:5d:74:82:9d:be:7f:d6:e8:9b:5e:31:61:76:3f:2c:06:d8:2d:18:d1:df:98:61:e6:82
Signer

.text
Size: 2.4MB - Virtual size: 2.4MB

.rdata
Size: 624KB - Virtual size: 624KB

.data
Size: 14KB - Virtual size: 17KB

.pdata
Size: 106KB - Virtual size: 106KB

_RDATA
Size: 512B - Virtual size: 500B

.reloc
Size: 14KB - Virtual size: 13KB