2024-04-16_b0155388056f29d2a7fba9186b35310d_mafia

Sharing

Copy URL Twitter E-mail

General

Target

2024-04-16_b0155388056f29d2a7fba9186b35310d_mafia
Size

1.2MB
MD5

b0155388056f29d2a7fba9186b35310d
SHA1

2747400697143a2f3876f76a6a0c53bf4b3221d0
SHA256

e7ab6e9768e7d1e02c080567b7cfafbc393f43038b3636722137c00664fd859a
SHA512

f6da063ab5e0b59b572150ad8b0c9d40e21817c7d31bb5806c25f9c694df6bec949b8bf04bd48f24a731fc314a04dfb5aec3a9f177be85dc241d61e0b9ab5fc4
SSDEEP

24576:mffyiCVIaK86Y0VKEIvObMDKQ56akDrMGgQFsIlWlMEtJTVmZDd:em6YkKobMulTrMPQFsIifTcZDd

Score

1^/10

Malware Config

Signatures

Files

2024-04-16_b0155388056f29d2a7fba9186b35310d_mafia
.exe windows:5 windows x86 arch:x86

815cbc17d0d4d35726a5dfd10e8d9cef

Code Sign

d1:9d:b1:a5:42:ff:d3:d9:9b:83:20:8f:e9:e8:0f:e3
Certificate

Issuer

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

10/12/2020, 00:00

Not After

10/12/2023, 23:59

Subject

CN=ZOHO Corporation Private Limited,O=ZOHO Corporation Private Limited,POSTALCODE=603202,STREET=Estancia IT Park\, GST Road,L=Chengalpattu,ST=Tamil Nadu,C=IN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/11/2018, 00:00

Not After

31/12/2030, 23:59

Subject

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21/09/2022, 00:00

Not After

21/11/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

38:38:88:71:d4:61:55:2d:fc:a4:ad:2d:86:d9:6a:e3:f3:9f:07:5b:c9:92:aa:2f:65:1c:f7:2d:77:ce:6d:f2
Signer

Actual PE Digest

38:38:88:71:d4:61:55:2d:fc:a4:ad:2d:86:d9:6a:e3:f3:9f:07:5b:c9:92:aa:2f:65:1c:f7:2d:77:ce:6d:f2

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

d:\Webhost\22-07-2023\WindowsBuilds\DC_NATIVE\6761007\desktopcentral\ONPREMISE\SA_SRC\native\agent\Release\uemsagentservice.pdb

Imports

advapi32

RegQueryValueExA
RegSetValueExA
RegQueryInfoKeyA
RevertToSelf
RegOpenCurrentUser
ImpersonateLoggedOnUser
RegOpenKeyExW
RegCreateKeyExW
RegEnumKeyExW
RegQueryValueExW
RegSetValueExW
CloseServiceHandle
CreateServiceW
OpenSCManagerW
DeleteService
OpenServiceW
SetServiceStatus
RegCreateKeyW
ChangeServiceConfigW
QueryServiceConfigW
StartServiceCtrlDispatcherW
CreateProcessAsUserW
LookupAccountSidW
GetTokenInformation
OpenProcessToken
RegisterServiceCtrlHandlerExW
RegNotifyChangeKeyValue
SetNamedSecurityInfoW
RegQueryInfoKeyW
RegEnumKeyW
RegDeleteValueW
RegEnumKeyA
RegOpenKeyA
RegCloseKey
LogonUserA
LookupPrivilegeValueA
GetSidSubAuthority
GetSidSubAuthorityCount
GetSidIdentifierAuthority
IsValidSid
LookupAccountNameA
LookupPrivilegeNameA
CryptGetHashParam
CryptDestroyHash
CryptHashData
CryptReleaseContext
CryptCreateHash
CryptAcquireContextA
CryptDestroyKey
CryptGenKey
CryptGetUserKey
ControlService
OpenServiceA
OpenSCManagerA
QueryServiceStatusEx
DeregisterEventSource
ReportEventA
RegisterEventSourceA
SetTokenInformation
DuplicateTokenEx
LookupAccountSidA
QueryServiceStatus
RegDeleteKeyA
RegCreateKeyExA
CreateProcessAsUserA
RegOpenKeyExA
RegDeleteValueA

ole32

CoInitializeSecurity
CoSetProxyBlanket
CoInitializeEx
CoUninitialize
StringFromGUID2
CoCreateInstance

oleaut32

SysAllocString
SysAllocStringByteLen
SafeArrayAccessData
SafeArrayGetLBound
SafeArrayGetUBound
SysStringLen
VariantClear
VariantInit
SysFreeString

psapi

EnumProcesses
GetModuleFileNameExW
EnumProcessModules
GetModuleBaseNameW

userenv

CreateEnvironmentBlock
LoadUserProfileW
UnloadUserProfile
DestroyEnvironmentBlock
LoadUserProfileA

crypt32

CertVerifyTimeValidity
CertNameToStrW
CertFreeCertificateContext
CertGetNameStringA
CertFindCertificateInStore
CryptMsgGetParam
CryptQueryObject
CertCloseStore
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CertOpenStore
CryptStringToBinaryA
CertCreateCertificateContext
PFXImportCertStore
PFXVerifyPassword
CertDeleteCertificateFromStore

dcagenthttp

AgentSendRequestEx

wtsapi32

WTSEnumerateSessionsW
WTSFreeMemory
WTSQuerySessionInformationA
WTSEnumerateSessionsA
WTSQuerySessionInformationW

winhttp

WinHttpOpen
WinHttpConnect
WinHttpSetCredentials
WinHttpQueryOption
WinHttpWriteData
WinHttpSendRequest
WinHttpQueryDataAvailable
WinHttpOpenRequest
WinHttpAddRequestHeaders
WinHttpReadData
WinHttpSetStatusCallback
WinHttpCloseHandle
WinHttpReceiveResponse
WinHttpSetOption
WinHttpQueryHeaders

dclibxml2

xmlTextReaderAttributeCount
xmlTextReaderValue
xmlTextReaderDepth
xmlTextReaderGetAttribute
xmlParseMemory
xmlNodeListGetString
xmlFree
xmlParseFile
xmlDocGetRootElement
xmlStrcmp
xmlFreeTextReader
xmlFreeDoc
xmlCleanupParser
xmlTextReaderName
xmlTextReaderRead
xmlNewTextReaderFilename

setupapi

SetupDiDestroyDeviceInfoList
SetupDiGetClassDevsW
SetupDiGetDeviceInterfaceDetailW
SetupDiEnumDeviceInterfaces

shell32

SHCreateDirectoryExW
SHCreateDirectoryExA

shlwapi

PathIsDirectoryA
StrTrimA
StrStrIA
PathFileExistsW
PathFindExtensionA
StrStrIW

kernel32

PeekNamedPipe
GetFileInformationByHandle
HeapSetInformation
GetCommandLineA
RtlUnwind
DecodePointer
EncodePointer
InterlockedExchange
GetProcessHeap
HeapSize
HeapReAlloc
GetFileType
HeapAlloc
HeapDestroy
DeleteCriticalSection
RaiseException
MoveFileExA
GetModuleFileNameA
LocalLock
LocalUnlock
TlsFree
GetStringTypeW
IsProcessorFeaturePresent
HeapCreate
DuplicateHandle
GetDriveTypeA
FindFirstFileExA
ExitThread
ExitProcess
LCMapStringW
GetCPInfo
CompareStringW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetACP
GetOEMCP
TlsSetValue
TlsGetValue
TlsAlloc
HeapFree
SetHandleCount
GetStdHandle
GetStartupInfoW
FreeEnvironmentStringsW
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
GetProcAddress
GetModuleHandleA
lstrlenA
MultiByteToWideChar
GetLastError
LocalFree
LocalAlloc
WideCharToMultiByte
ReadFile
CloseHandle
GetFileSizeEx
CreateFileW
WriteFile
CreateDirectoryW
DeleteFileW
Sleep
CreateDirectoryA
GetModuleHandleW
InterlockedIncrement
GetModuleFileNameW
LoadLibraryW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
SystemTimeToFileTime
GetCurrentProcess
TerminateProcess
OpenProcess
CreateThread
lstrlenW
FormatMessageW
GetSystemTime
FreeConsole
GenerateConsoleCtrlEvent
GetExitCodeProcess
InterlockedDecrement
CreateFileA
WaitForSingleObject
CreateProcessW
GetCurrentProcessId
DeleteTimerQueue
CreateTimerQueueTimer
CreateTimerQueue
GetCurrentThreadId
FileTimeToLocalFileTime
GetSystemTimeAsFileTime
SetEvent
OpenEventA
DeleteTimerQueueTimer
GetTickCount
CreateEventW
SetConsoleCtrlHandler
TerminateThread
DeviceIoControl
GetDriveTypeW
LeaveCriticalSection
InitializeCriticalSection
EnterCriticalSection
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
GetLocalTime
ReleaseMutex
WaitForMultipleObjects
DeleteFileA
SetCurrentDirectoryA
GetCurrentDirectoryA
SetFilePointer
SetCurrentDirectoryW
CreateProcessA
Process32Next
SetLastError
SystemTimeToTzSpecificLocalTime
GetTimeZoneInformation
GetCurrentDirectoryW
ProcessIdToSessionId
Process32First
GetSystemDirectoryA
LoadLibraryA
CopyFileA
FindClose
FindNextFileA
FileTimeToSystemTime
FindFirstFileA
FreeLibrary
ExpandEnvironmentStringsA
QueryPerformanceCounter
GetSystemInfo
GetVersionExA
FormatMessageA
GetEnvironmentVariableA
GetComputerNameExW
GetFileSize
GetLocaleInfoA
FindFirstFileW
SetDllDirectoryA
FindNextFileW
GetEnvironmentVariableW
CreateMutexA
GetVersion
lstrcmpiA
GetNativeSystemInfo
GetFileAttributesExA
GetFullPathNameA
InitializeCriticalSectionAndSpinCount
FlushFileBuffers
CopyFileW
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
lstrcmpW
SuspendThread
ResumeThread
GetEnvironmentStringsW
GetConsoleCP
GetConsoleMode
SetStdHandle
GetUserDefaultLCID
GetLocaleInfoW
EnumSystemLocalesA
IsValidLocale
GetFileAttributesA
CreatePipe
WriteConsoleW
SetEndOfFile
VirtualQuery
SetEnvironmentVariableA
IsValidCodePage

user32

UnregisterDeviceNotification
wsprintfW
wsprintfA
RegisterDeviceNotificationW
MessageBoxA

odbc32

ord39
ord43
ord11
ord18
ord8
ord13
ord26
ord72
ord48
ord49
ord9
ord36
ord4
ord29
ord41
ord31
ord1
ord2
ord20
ord16
ord12
ord19
ord3

ws2_32

WSAStartup
WSAGetLastError
WSACleanup

netapi32

NetGetJoinInformation
NetWkstaUserGetInfo
NetApiBufferFree

Sections

.text
Size: 825KB - Virtual size: 824KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 247KB - Virtual size: 247KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 52KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 72KB - Virtual size: 71KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

815cbc17d0d4d35726a5dfd10e8d9cef

Code Sign

d1:9d:b1:a5:42:ff:d3:d9:9b:83:20:8f:e9:e8:0f:e3Certificate

Extended Key Usages

Key Usages

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6aCertificate

Extended Key Usages

Key Usages

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5aCertificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

38:38:88:71:d4:61:55:2d:fc:a4:ad:2d:86:d9:6a:e3:f3:9f:07:5b:c9:92:aa:2f:65:1c:f7:2d:77:ce:6d:f2Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

ole32

oleaut32

psapi

userenv

crypt32

dcagenthttp

wtsapi32

winhttp

dclibxml2

setupapi

shell32

shlwapi

kernel32

user32

odbc32

ws2_32

netapi32

Sections

.text Size: 825KB - Virtual size: 824KB

.rdata Size: 247KB - Virtual size: 247KB

.data Size: 52KB - Virtual size: 62KB

.rsrc Size: 512B - Virtual size: 504B

.reloc Size: 72KB - Virtual size: 71KB

d1:9d:b1:a5:42:ff:d3:d9:9b:83:20:8f:e9:e8:0f:e3
Certificate

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

38:38:88:71:d4:61:55:2d:fc:a4:ad:2d:86:d9:6a:e3:f3:9f:07:5b:c9:92:aa:2f:65:1c:f7:2d:77:ce:6d:f2
Signer

.text
Size: 825KB - Virtual size: 824KB

.rdata
Size: 247KB - Virtual size: 247KB

.data
Size: 52KB - Virtual size: 62KB

.rsrc
Size: 512B - Virtual size: 504B

.reloc
Size: 72KB - Virtual size: 71KB