D:\pipeLine\workspace\1b933092-cdf3-423a-81ef-e90a809abc29\build\RelWithDebInfo\baidunetdiskhost.pdb
Static task: static1
Behavioral task: behavioral1
Sample: 3702e49dfbd7d2f1146aa7130dcc5b09fc7390d9a8f6de925375710eed3509e0.exe
Resource: win7-20240221-en
General
Target: 3702e49dfbd7d2f1146aa7130dcc5b09fc7390d9a8f6de925375710eed3509e0
Size: 3.0MB
MD5: a9b39d1e32a1b9fe4063408ab0c8da38
SHA1: dc1f76b5a1dc9e33fe3b8a0080af8acaea79916d
SHA256: 3702e49dfbd7d2f1146aa7130dcc5b09fc7390d9a8f6de925375710eed3509e0
SHA512: 3efefa15f13c85636393ad2ef660597421a9c8b785c091145cb0f127715a753472b75c58901c6fc9f9e585252878b238d6fc6e0ee413c7efe1f90f0df82f923b
SSDEEP: 49152:1Te8t9tb7WmdVLIPWiBjx9ziAWh0Sf2T5TaTRXWzXpfOXaRIHYf:tbtremdVLXL6fOXJ4f
Malware Config
Signatures
Unsigned PE (1 IoC): Checks for missing Authenticode signature.
resource: 3702e49dfbd7d2f1146aa7130dcc5b09fc7390d9a8f6de925375710eed3509e0
Files
3702e49dfbd7d2f1146aa7130dcc5b09fc7390d9a8f6de925375710eed3509e0.exe: windows:6 windows x86 arch:x86
ee5f2d17a4a055c9783424f44d67265d
Headers
DLL Characteristics: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics: IMAGE_FILE_RELOCS_STRIPPED, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports
crypt32
CertGetNameStringW
advapi32
RegEnumKeyExW
RegisterEventSourceW
ConvertStringSecurityDescriptorToSecurityDescriptorW
InitializeAcl
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SystemFunction036
OpenProcessToken
GetTokenInformation
ConvertSidToStringSidW
RegCloseKey
RegCreateKeyExW
RegDeleteKeyExW
RegDeleteValueW
ReportEventW
RegEnumValueW
RegNotifyChangeKeyValue
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryValueExW
RegSetValueExW
GetSidSubAuthority
GetSidSubAuthorityCount
BuildSecurityDescriptorW
BuildExplicitAccessWithNameW
DeregisterEventSource
setupapi
SetupDiEnumDeviceInfo
SetupDiGetClassDevsW
CM_Get_Device_IDW
ole32
CoRegisterInitializeSpy
CoRevokeInitializeSpy
PropVariantClear
CoTaskMemFree
CoInitializeEx
CoUninitialize
CoTaskMemAlloc
propsys
InitPropVariantFromCLSID
winmm
timeBeginPeriod
timeGetTime
timeEndPeriod
version
VerQueryValueW
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoSizeW
GetFileVersionInfoW
kernel32
VirtualProtect
LoadLibraryExA
InitializeSListHead
IsDBCSLeadByteEx
IsValidCodePage
AreFileApisANSI
CreateDirectoryExW
DeviceIoControl
GetFullPathNameW
UnhandledExceptionFilter
IsProcessorFeaturePresent
FindFirstFileW
CreateWaitableTimerA
GetLogicalProcessorInformation
ResumeThread
OpenEventA
WaitForMultipleObjectsEx
ReleaseSemaphore
GetCPInfo
CompareStringEx
GetStringTypeW
LCMapStringEx
GetLastError
FormatMessageA
FormatMessageW
WideCharToMultiByte
LocalFree
CreateEventA
SetEvent
GetCurrentThreadId
WaitForSingleObjectEx
WaitForSingleObject
WaitForMultipleObjects
CloseHandle
PostQueuedCompletionStatus
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
QueueUserAPC
TerminateThread
TlsAlloc
TlsGetValue
TlsFree
CreateEventW
SleepEx
GetProcessHeap
HeapAlloc
HeapFree
VerSetConditionMask
SetLastError
CreateIoCompletionPort
GetQueuedCompletionStatus
InitializeCriticalSectionAndSpinCount
SetWaitableTimer
TlsSetValue
VerifyVersionInfoW
Sleep
GetTickCount
GetVersionExW
VirtualQuery
FreeLibrary
GetModuleFileNameA
GetProcAddress
LoadLibraryA
CreateFileW
ConnectNamedPipe
CreateNamedPipeW
GetCurrentProcessId
ReleaseSRWLockExclusive
TryAcquireSRWLockExclusive
DuplicateHandle
GetCurrentProcess
ReadFile
WriteFile
CancelIo
WaitNamedPipeW
GetCommandLineW
LoadLibraryExW
GetCurrentDirectoryW
DeleteFileW
OutputDebugStringA
GetLocalTime
GetModuleFileNameW
GetEnvironmentVariableW
SetEnvironmentVariableW
GetModuleHandleW
GetModuleHandleExW
LoadLibraryW
ResetEvent
AcquireSRWLockExclusive
CreateFileMappingW
MapViewOfFile
TerminateProcess
GetProcessTimes
GetExitCodeProcess
SetPriorityClass
GetPriorityClass
OpenProcess
UnmapViewOfFile
GetDiskFreeSpaceExW
GlobalMemoryStatusEx
GetProcessId
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
GetThreadId
SetInformationJobObject
IsDebuggerPresent
RaiseException
CreateThread
GetCurrentThread
SetThreadPriority
GetThreadPriority
IsWow64Process
ProcessIdToSessionId
K32EnumProcessModules
SetCurrentDirectoryW
CreateDirectoryW
GetFileAttributesW
GetFileAttributesExW
GetFinalPathNameByHandleW
GetLogicalDriveStringsW
GetLongPathNameW
GetVolumeInformationW
GetVolumePathNameW
QueryDosDeviceW
RemoveDirectoryW
SetFileAttributesW
GetTempPathW
GetModuleHandleA
CopyFileW
MoveFileW
MoveFileExW
ReplaceFileW
CreateHardLinkW
QueryPerformanceCounter
QueryPerformanceFrequency
GetSystemTimeAsFileTime
QueryThreadCycleTime
SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
FileTimeToSystemTime
SystemTimeToFileTime
VirtualAlloc
VirtualFree
FlushViewOfFile
GetNativeSystemInfo
GetProductInfo
GetSystemInfo
GetProcessIoCounters
K32GetPerformanceInfo
MultiByteToWideChar
ExpandEnvironmentStringsW
FlushFileBuffers
GetFileInformationByHandle
GetFileSizeEx
LockFileEx
SetEndOfFile
SetFileInformationByHandle
SetFilePointerEx
SetFileTime
UnlockFileEx
FindClose
FindFirstFileExW
FindNextFileW
GetSystemDirectoryW
GetWindowsDirectoryW
GetUserDefaultLangID
UnregisterWaitEx
RegisterWaitForSingleObject
lstrcmpiA
GetModuleHandleExA
HeapSetInformation
RtlCaptureStackBackTrace
SetUnhandledExceptionFilter
LoadResource
LockResource
SizeofResource
FindResourceW
CreateThreadpool
SetThreadpoolThreadMaximum
SetThreadpoolThreadMinimum
CloseThreadpool
CallbackMayRunLong
CreateThreadpoolWork
SubmitThreadpoolWork
WaitForThreadpoolWorkCallbacks
CloseThreadpoolWork
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableSRW
WriteProcessMemory
GetStdHandle
GetVersion
GetExitCodeThread
WerRegisterRuntimeExceptionModule
VirtualProtectEx
AddVectoredExceptionHandler
VirtualAllocEx
CreateProcessW
FlushInstructionCache
GetFileType
TryEnterCriticalSection
OutputDebugStringW
SetNamedPipeHandleState
TransactNamedPipe
ReadProcessMemory
VirtualQueryEx
InitializeCriticalSection
GetNamedPipeInfo
GetFileTime
GetStartupInfoW
DecodePointer
EncodePointer
GetLocaleInfoEx
InitializeCriticalSectionEx
InitOnceComplete
InitOnceBeginInitialize
dbghelp
SymInitialize
SymFromAddr
StackWalk64
SymSetSearchPathW
SymGetLineFromAddr64
SymFunctionTableAccess64
SymCleanup
SymSetOptions
SymGetSearchPathW
SymGetModuleBase64
api-ms-win-crt-runtime-l1-1-0
strerror
_initterm_e
_initterm
_get_initial_narrow_environment
exit
_set_app_type
_seh_filter_exe
_beginthreadex
_set_new_handler
__p___argc
terminate
_cexit
_crt_at_quick_exit
__p___argv
_crt_atexit
_exit
signal
_set_abort_behavior
_execute_onexit_table
_invalid_parameter_noinfo_noreturn
_register_onexit_function
_initialize_onexit_table
_c_exit
_errno
_initialize_narrow_environment
_configure_narrow_argv
_seh_filter_dll
_register_thread_local_exe_atexit_callback
_invoke_watson
raise
_controlfp_s
abort
_invalid_parameter_noinfo
api-ms-win-crt-stdio-l1-1-0
__stdio_common_vsscanf
ungetc
setvbuf
fwrite
_fseeki64
fsetpos
fread
fputc
fgetpos
fgetc
fflush
fclose
_get_stream_buffer_pointers
__stdio_common_vsnwprintf_s
__acrt_iob_func
_write
feof
ferror
fseek
__stdio_common_vsprintf_s
_wfsopen
_fileno
ftell
_chsize
__stdio_common_vswprintf
_close
_set_fmode
_get_osfhandle
__stdio_common_vsnprintf_s
__stdio_common_vsprintf
_open_osfhandle
__p__commode
__stdio_common_vfprintf
_fsopen
api-ms-win-crt-string-l1-1-0
__strncnt
isupper
islower
_wcsdup
strncpy
_strnicmp
tolower
_wcsicmp
strcspn
isspace
iswspace
isalpha
wcsnlen
isalnum
_strdup
api-ms-win-crt-utility-l1-1-0
rand
api-ms-win-crt-math-l1-1-0
floor
ldexp
_dclass
_fdopen
_except1
ceil
_libm_sse2_pow_precise
frexp
__setusermatherr
api-ms-win-crt-heap-l1-1-0
malloc
calloc
free
_aligned_free
_set_new_mode
_aligned_malloc
_callnewh
realloc
api-ms-win-crt-locale-l1-1-0
___lc_codepage_func
__initialize_lconv_for_unsigned_char
localeconv
___lc_collate_cp_func
___mb_cur_max_func
___lc_locale_name_func
__pctype_func
_configthreadlocale
_lock_locales
setlocale
_unlock_locales
api-ms-win-crt-convert-l1-1-0
strtoull
strtol
strtoul
strtoll
atoi
strtof
strtod
api-ms-win-crt-filesystem-l1-1-0
_wstat64
_unlock_file
_lock_file
_wfullpath
api-ms-win-crt-time-l1-1-0
_W_Getdays
_localtime64_s
_mktime64
_time64
_Strftime
_Gettnames
_Wcsftime
_Getmonths
_Getdays
_W_Getmonths
_W_Gettnames
shlwapi
ord437
PathMatchSpecW
ws2_32
WSACleanup
ioctlsocket
WSAStartup
wintrust
WTHelperProvDataFromStateData
WTHelperGetProvCertFromChain
WTHelperGetProvSignerFromChain
WinVerifyTrust
user32
DestroyWindow
CharUpperW
TranslateMessage
DispatchMessageW
PeekMessageW
PostMessageW
PostQuitMessage
GetQueueStatus
MsgWaitForMultipleObjectsEx
SetTimer
KillTimer
GetThreadDesktop
GetUserObjectInformationW
GetSystemMetrics
SetPropW
RemovePropW
SetProcessDPIAware
DefWindowProcW
MessageBoxW
UnregisterClassW
FindWindowExW
SetWindowLongW
GetWindowLongW
RegisterClassExW
CreateWindowExW
GetProcessWindowStation
shell32
SHGetFolderPathW
CommandLineToArgvW
SHGetKnownFolderPath
vcruntime140
memcmp
__uncaught_exception
__std_type_info_destroy_list
_purecall
__std_terminate
__std_exception_copy
__std_exception_destroy
_CxxThrowException
__CxxFrameHandler3
memcpy
memmove
memset
__std_type_info_compare
__std_type_info_name
memchr
wcschr
__current_exception
__current_exception_context
_except_handler4_common
wcsstr
Exports
GetHandleVerifier
Sections
.text Size: 1.9MB - Virtual size: 1.9MB (IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE)
.rdata Size: 916KB - Virtual size: 915KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE)
.data Size: 45KB - Virtual size: 56KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE)
minATL Size: 512B - Virtual size: 12B (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ)
.rsrc Size: 1KB - Virtual size: 1KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ)
.reloc Size: 158KB - Virtual size: 160KB (IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE)