2024-04-16_ce07a97b950b2b9a9b5205aa68d96a70_mafia

Sharing

Copy URL Twitter E-mail

General

Target

2024-04-16_ce07a97b950b2b9a9b5205aa68d96a70_mafia
Size

339KB
MD5

ce07a97b950b2b9a9b5205aa68d96a70
SHA1

26f0e78a51d0a7d3bea0d43f5ff36f45593db2c1
SHA256

e6caf005cda4ce3bcbbcf63add408e8c3f5f817942782d82601c9d70e96ef5da
SHA512

f5c1beeac9bfb6e8cac62ef3dc88e28c81ea1d49cb92fabd034790914484fd3b5352b25042a72280e50e769636f2b87eac74a0ff0070513b28ba11b0245dc1e1
SSDEEP

6144:c8vsCccZuUeZm7+GdSucunWmOrN/bXq2aNRqqDLuHJpKAj4Y:RvRdecPguZnjOrNjq2aNsqnu6Q

Score

1^/10

Malware Config

Signatures

Files

2024-04-16_ce07a97b950b2b9a9b5205aa68d96a70_mafia
.exe windows:5 windows x86 arch:x86

b6d0d6dba6dab94ca682d1415c8de60a

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

33:ab:23:85:dd:94:2a:55:03:51:28:ee:9e:a2:b6:3e
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

04/04/2014, 00:00

Not After

26/05/2015, 23:59

Subject

CN=AnchorFree Inc,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=AnchorFree Inc,L=Mountain View,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

c6:e6:eb:64:47:66:f0:e3:2b:ab:47:33:cf:b8:ae:c8:99:8c:da:d5
Signer

Actual PE Digest

c6:e6:eb:64:47:66:f0:e3:2b:ab:47:33:cf:b8:ae:c8:99:8c:da:d5

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LocalFree
Sleep
CloseHandle
WaitForSingleObject
GetSystemInfo
GetProcAddress
HeapFree
GetProcessHeap
TlsFree
HeapAlloc
TlsAlloc
CreateEventA
SetEvent
GetTickCount
CreateProcessA
SetUnhandledExceptionFilter
GetLastError
GetSystemTimeAsFileTime
LeaveCriticalSection
ExitThread
EnterCriticalSection
InterlockedDecrement
InterlockedIncrement
CreateWaitableTimerA
SetWaitableTimer
WaitForMultipleObjects
ResumeThread
ResetEvent
OpenEventA
ReleaseSemaphore
SetEnvironmentVariableA
CompareStringW
SetEndOfFile
WriteConsoleW
SetStdHandle
CreateFileA
GetConsoleMode
GetConsoleCP
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
GetCurrentProcessId
QueryPerformanceCounter
GetStartupInfoW
GetFileType
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
FormatMessageA
InterlockedExchange
FindResourceExW
FindResourceW
LoadResource
SizeofResource
CreateFileW
LockResource
DeleteFileW
GetFileSize
SetFilePointer
GetModuleHandleW
WriteFile
ReadFile
FlushFileBuffers
MultiByteToWideChar
WideCharToMultiByte
SystemTimeToFileTime
GetVolumeInformationW
GetStringTypeW
InterlockedCompareExchange
InitializeCriticalSection
DeleteCriticalSection
EncodePointer
DecodePointer
RaiseException
RtlUnwind
ExitProcess
GetCommandLineA
HeapSetInformation
GetTimeFormatA
GetDateFormatA
HeapReAlloc
LCMapStringW
GetCPInfo
IsProcessorFeaturePresent
TlsGetValue
TlsSetValue
SetLastError
GetCurrentThreadId
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
IsDebuggerPresent
GetStdHandle
GetModuleFileNameW
GetLocaleInfoW
GetTimeZoneInformation
InitializeCriticalSectionAndSpinCount
LoadLibraryW
HeapCreate
HeapDestroy
GetACP
GetOEMCP
IsValidCodePage
HeapSize
CreateThread

advapi32

RegOpenKeyExA
RegEnumKeyExA
RegCloseKey
SetSecurityDescriptorDacl
InitializeSecurityDescriptor

af_proxy

??0server@proxy@af@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@II0ABV?$vector@HV?$allocator@H@std@@@4@_N0H000021I02II222@Z
?run@server@proxy@af@@QAEXH@Z
?obfuscate@header@proxy@af@@SAXPAEI@Z
?set_proxy_list_idle_grow@server@proxy@af@@QAEXH@Z
?add_header@http_client@proxy@af@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0@Z
?set_follow_redirect@http_client@proxy@af@@QAEX_N@Z
?set_proxy@http_client@proxy@af@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@H@Z
?upload@http_client@proxy@af@@QAEHABVaf_stringW@@_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?download@http_client@proxy@af@@QAEHABVaf_stringW@@_N@Z
?is_running@http_client@proxy@af@@QAE_NXZ
?get_error_code@http_client@proxy@af@@QAEHXZ
?result@http_client@proxy@af@@QAEABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ
?get_error_msg@http_client@proxy@af@@QAEPBDXZ
?apply@ua_in_filter@proxy@af@@UAEPAVfilter_rule@23@PAVhttp_msg@23@@Z
?apply@in_filter@proxy@af@@UAEPAVfilter_rule@23@PAVhttp_msg@23@@Z
?add_rule@filter_rule_list@proxy@af@@UAEXAAVfilter_rule@23@@Z
??1http_client@proxy@af@@QAE@XZ
??0logger@proxy@af@@QAE@PBDW4log_level_enum@012@_N@Z
??0http_client@proxy@af@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@I_N0I@Z

ws2_32

gethostname
WSACleanup
WSAStartup

shlwapi

PathFileExistsW
PathBuildRootW
PathAddBackslashW

iphlpapi

GetAdaptersInfo

Exports

Exports

??0filter@proxy@af@@QAE@XZ
??0in_filter@proxy@af@@QAE@XZ
??0in_filter_base@proxy@af@@QAE@XZ
??0unblock_in_filter@proxy@af@@QAE@XZ
??1filter@proxy@af@@UAE@XZ
??1in_filter@proxy@af@@UAE@XZ
??1in_filter_base@proxy@af@@UAE@XZ
??1localdomain_in_filter@proxy@af@@UAE@XZ
??1localhost_in_filter@proxy@af@@UAE@XZ
??1localip_in_filter@proxy@af@@UAE@XZ
??1ua_in_filter@proxy@af@@UAE@XZ
??1unblock_in_filter@proxy@af@@UAE@XZ
??_Flogger@proxy@af@@QAEXXZ

Sections

.text
Size: 229KB - Virtual size: 228KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 62KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b6d0d6dba6dab94ca682d1415c8de60a

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

33:ab:23:85:dd:94:2a:55:03:51:28:ee:9e:a2:b6:3eCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

c6:e6:eb:64:47:66:f0:e3:2b:ab:47:33:cf:b8:ae:c8:99:8c:da:d5Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

af_proxy

ws2_32

shlwapi

iphlpapi

Exports

Exports

Sections

.text Size: 229KB - Virtual size: 228KB

.rdata Size: 62KB - Virtual size: 62KB

.data Size: 12KB - Virtual size: 21KB

.tls Size: 512B - Virtual size: 2B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 26KB - Virtual size: 26KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

33:ab:23:85:dd:94:2a:55:03:51:28:ee:9e:a2:b6:3e
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

c6:e6:eb:64:47:66:f0:e3:2b:ab:47:33:cf:b8:ae:c8:99:8c:da:d5
Signer

.text
Size: 229KB - Virtual size: 228KB

.rdata
Size: 62KB - Virtual size: 62KB

.data
Size: 12KB - Virtual size: 21KB

.tls
Size: 512B - Virtual size: 2B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 26KB - Virtual size: 26KB