rust_dave_sideload.pdb
Static task
static1
Behavioral task
behavioral1
Sample
g2m.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
g2m.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral3
Sample
utility.exe
Resource
win7-20240215-en
Behavioral task
behavioral4
Sample
utility.exe
Resource
win10v2004-20240412-en
General
-
Target
file2.zip
-
Size
617KB
-
MD5
15a581d5bfa829a5918660c871c45d82
-
SHA1
466803dab319f07ab791fb94544665e97116bf60
-
SHA256
4ef76b942e041c20fd58858d73b4180688c828608d42604eabf41821981ce997
-
SHA512
29a6f7a5bbae9457af7d0bffff5e4117907ee960a4a99d1d1a4d22ded70b12913a35911a7fa8383aa9e91e77854d9ea35735d3e34d9e68b5aa60279e748a3ee1
-
SSDEEP
12288:iNZgYft7Mz2HdVVZ6lZm+/g8fgpHM0EjGTG/Vid3KI9FsAxEJfLWx6X+UFF45Q:egYmz29rZCZm58fgq0EjR983KyFdOfLf
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource unpack001/g2m.dll
Files
-
file2.zip.zip
-
data.bin
-
g2m.dll.dll windows:6 windows x86 arch:x86
02c070dae0519c1a38259cfc7d6dc78e
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
PDB Paths
Imports
kernel32
GetNativeSystemInfo
VirtualQuery
VirtualFree
VirtualProtect
GetSystemInfo
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
HeapSize
GetProcAddress
FreeEnvironmentStringsW
GetLastError
SetThreadStackGuarantee
CreateWaitableTimerExW
SetWaitableTimer
WaitForSingleObject
Sleep
QueryPerformanceCounter
GetModuleHandleA
GetCurrentProcess
GetCurrentThread
RtlCaptureContext
ReleaseMutex
SetLastError
GetCurrentDirectoryW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetStringTypeW
GetCommandLineW
FlushFileBuffers
SetFileInformationByHandle
SetFilePointerEx
SetStdHandle
GetConsoleOutputCP
WriteFile
GetCommandLineA
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
FindFirstFileExW
GetStdHandle
GetCurrentProcessId
SetHandleInformation
TerminateProcess
CloseHandle
VirtualAlloc
HeapFree
LCMapStringW
HeapReAlloc
WaitForSingleObjectEx
LoadLibraryA
lstrlenW
CreateMutexA
GetProcessHeap
HeapAlloc
FindNextFileW
FindClose
CreateFileW
GetFileInformationByHandle
GetFileInformationByHandleEx
ReadFile
GetModuleHandleExW
GetConsoleMode
GetFileType
LoadLibraryExW
FreeLibrary
InitializeCriticalSectionAndSpinCount
GetModuleHandleW
FormatMessageW
GetModuleFileNameW
ExitProcess
MultiByteToWideChar
WriteConsoleW
WideCharToMultiByte
ReadConsoleW
CreateThread
InitOnceBeginInitialize
TlsAlloc
InitOnceComplete
TlsFree
TlsGetValue
TlsSetValue
GetFullPathNameW
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
EncodePointer
InterlockedFlushSList
RaiseException
RtlUnwind
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
DecodePointer
ws2_32
listen
WSAStartup
getaddrinfo
WSASocketW
WSAGetLastError
closesocket
freeaddrinfo
bind
WSACleanup
api-ms-win-core-synch-l1-2-0
WakeByAddressSingle
WakeByAddressAll
WaitOnAddress
ntdll
RtlNtStatusToDosError
NtReadFile
NtWriteFile
Exports
Exports
DllMain
g2mchat_winmain
g2mcomm_winmain
g2mfeedback_winmain
g2mhost_winmain
g2minstaller_winmain
g2minsthigh_winmain
g2mlauncher_winmain
g2mmatchmaking_winmain
g2mmaterials_winmain
g2mpolling_winmain
g2mqanda_winmain
g2mrecorder_winmain
g2msessioncontrol_winmain
g2mstart_winmain
g2mtesting_winmain
g2mtranscoder_winmain
g2mui_winmain
g2muninstall_winmain
g2mvideoconference_winmain
g2mview_winmain
Sections
.text Size: 222KB - Virtual size: 221KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 75KB - Virtual size: 75KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 80KB - Virtual size: 82KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 15KB - Virtual size: 14KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
utility.exe.exe windows:5 windows x86 arch:x86
6eb9cccf95968b8becec4c870f1101db
Code Sign
79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:edCertificate
IssuerCN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=USNot Before01-05-2012 00:00Not After31-12-2012 23:59SubjectCN=Symantec Time Stamping Services Signer - G3,O=Symantec Corporation,C=USExtended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate
IssuerCN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZANot Before04-12-2003 00:00Not After03-12-2013 23:59SubjectCN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=USExtended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageCertSign
KeyUsageCRLSign
5c:5f:2b:a5:c9:99:4b:e5:ef:25:4f:fe:51:12:88:e1Certificate
IssuerCN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=USNot Before30-04-2012 00:00Not After01-05-2014 23:59SubjectCN=Citrix Online,OU=Operations+OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Citrix Online,L=Fort Lauderdale,ST=Florida,C=USExtended Key Usages
ExtKeyUsageCodeSigning
Key Usages
KeyUsageDigitalSignature
52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate
IssuerCN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=USNot Before08-02-2010 00:00Not After07-02-2020 23:59SubjectCN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=USExtended Key Usages
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
Key Usages
KeyUsageCertSign
KeyUsageCRLSign
a9:67:63:96:99:c5:5b:7e:88:69:58:46:cb:9b:f7:d1:bb:bf:20:aaSigner
Actual PE Digesta9:67:63:96:99:c5:5b:7e:88:69:58:46:cb:9b:f7:d1:bb:bf:20:aaDigest Algorithmsha1PE Digest MatchestrueHeaders
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
PDB Paths
c:\p4builds\Products\GoToMeeting\v5.4_builds\output\G2M_Exe.pdb
Imports
g2m
g2mcomm_winmain
kernel32
GetModuleHandleW
GetCommandLineW
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetStartupInfoW
ExitProcess
user32
MessageBoxA
Sections
.text Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 1024B - Virtual size: 684B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: - Virtual size: 4B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.CRT Size: 512B - Virtual size: 4B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 29KB - Virtual size: 29KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ