General

Malware Config

Signatures

Files

• Sig.exe

  .exe windows:5 windows x86 arch:x86

  b09ae28f41218932e854c078d2bf9050

  
  

  Code Sign

  7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b

  Certificate

  Issuer

  CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

  Not Before

  21-12-2012 00:00

  Not After

  30-12-2020 23:59

  Subject

  CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50

  Certificate

  Issuer

  CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

  Not Before

  18-10-2012 00:00

  Not After

  29-12-2020 23:59

  Subject

  CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  4b:48:b2:7c:82:24:fe:37:b1:7a:6a:2e:d7:a8:1c:9f

  Certificate

  Issuer

  CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

  Not Before

  12-08-2015 00:00

  Not After

  10-10-2018 23:59

  Subject

  CN=Piriform Ltd,O=Piriform Ltd,L=London,ST=London,C=GB

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a

  Certificate

  Issuer

  CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

  Not Before

  10-12-2013 00:00

  Not After

  09-12-2023 23:59

  Subject

  CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

  Extended Key Usages

  ExtKeyUsageClientAuth

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  4b:48:b2:7c:82:24:fe:37:b1:7a:6a:2e:d7:a8:1c:9f

  Certificate

  Issuer

  CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

  Not Before

  12-08-2015 00:00

  Not After

  10-10-2018 23:59

  Subject

  CN=Piriform Ltd,O=Piriform Ltd,L=London,ST=London,C=GB

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a

  Certificate

  Issuer

  CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

  Not Before

  10-12-2013 00:00

  Not After

  09-12-2023 23:59

  Subject

  CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

  Extended Key Usages

  ExtKeyUsageClientAuth

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  70:a0:1c:f4:ea:ef:99:fd:46:6c:ed:16:30:c1:b0:1f

  Certificate

  Issuer

  CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

  Not Before

  11-06-2015 00:00

  Not After

  29-12-2020 23:59

  Subject

  CN=GeoTrust 2048-bit Timestamping Signer 4,O=GeoTrust Inc,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  Certificate

  Issuer

  CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

  Not Before

  01-01-1997 00:00

  Not After

  31-12-2020 23:59

  Subject

  CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

  7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b

  Certificate

  Issuer

  CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

  Not Before

  21-12-2012 00:00

  Not After

  30-12-2020 23:59

  Subject

  CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  0f:9a:21:0d:91:17:c5:61:b8:0c:65:88:55:70:bb:ea:4e:6d:07:0b:20:aa:0b:f2:e7:80:92:b1:c7:0e:7c:02

  Signer

  Actual PE Digest

  0f:9a:21:0d:91:17:c5:61:b8:0c:65:88:55:70:bb:ea:4e:6d:07:0b:20:aa:0b:f2:e7:80:92:b1:c7:0e:7c:02

  Digest Algorithm

  sha256

  PE Digest Matches

  false

  55:d0:2e:07:cc:a7:cb:c9:f0:99:1e:ee:fe:da:e0:8c:db:5c:58:5d

  Signer

  Actual PE Digest

  55:d0:2e:07:cc:a7:cb:c9:f0:99:1e:ee:fe:da:e0:8c:db:5c:58:5d

  Digest Algorithm

  sha1

  PE Digest Matches

  false

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  PDB Paths

  C:\vmagent_new\bin\joblist\513113\out\Release\DumpUper.pdb

  Imports

  kernel32

  GetModuleHandleW

  GetModuleHandleExW

  GetProcAddress

  LoadLibraryExW

  LoadResource

  LockResource

  SizeofResource

  FindResourceW

  LoadLibraryA

  LoadLibraryW

  GlobalMemoryStatus

  LocalAlloc

  LocalFree

  GetBinaryTypeW

  lstrcmpiW

  GetPrivateProfileIntW

  GetPrivateProfileStringW

  WritePrivateProfileStringW

  MoveFileExW

  ReadDirectoryChangesW

  GetComputerNameW

  FileTimeToSystemTime

  SystemTimeToFileTime

  GetSystemPowerStatus

  WTSGetActiveConsoleSessionId

  MultiByteToWideChar

  WideCharToMultiByte

  GetSystemDefaultUILanguage

  GetUserDefaultUILanguage

  CreateToolhelp32Snapshot

  Process32FirstW

  Process32NextW

  VerSetConditionMask

  VerifyVersionInfoW

  GetFileInformationByHandle

  GetFileType

  DuplicateHandle

  MapViewOfFile

  FileTimeToDosDateTime

  GetTempFileNameW

  GetTempPathW

  GlobalAlloc

  GlobalUnlock

  GlobalLock

  GlobalFree

  MulDiv

  GetCommandLineW

  GetFileSizeEx

  GetTempPathA

  RaiseException

  GetSystemWindowsDirectoryA

  GetCurrentThread

  GetEnvironmentVariableW

  ProcessIdToSessionId

  FlushInstructionCache

  CreateDirectoryA

  CreateFileA

  GetModuleHandleA

  GetFileAttributesA

  GetFileAttributesExA

  SetFileAttributesA

  GetNativeSystemInfo

  GetModuleFileNameA

  GetPrivateProfileIntA

  GetPrivateProfileStringA

  GetPrivateProfileSectionW

  GetPrivateProfileSectionNamesW

  GetACP

  CopyFileW

  AreFileApisANSI

  CreateProcessW

  ResumeThread

  GetExitCodeThread

  ExitProcess

  GetFullPathNameW

  InterlockedFlushSList

  RtlUnwind

  QueryPerformanceCounter

  GetStartupInfoW

  WaitForSingleObjectEx

  SetUnhandledExceptionFilter

  UnhandledExceptionFilter

  TlsFree

  TlsSetValue

  TlsGetValue

  TlsAlloc

  OpenThread

  HeapWalk

  HeapUnlock

  HeapLock

  SetFilePointerEx

  GetSystemTimeAsFileTime

  LocalFileTimeToFileTime

  CompareStringW

  GetLocaleInfoW

  FormatMessageW

  LCMapStringW

  GetStringTypeW

  LoadLibraryExA

  VirtualFree

  VirtualAlloc

  IsProcessorFeaturePresent

  InterlockedPushEntrySList

  InterlockedPopEntrySList

  InitializeSListHead

  DecodePointer

  EncodePointer

  OutputDebugStringW

  IsDebuggerPresent

  GetModuleFileNameW

  FreeResource

  FreeLibrary

  FindResourceExW

  PeekNamedPipe

  UnmapViewOfFile

  MapViewOfFileEx

  CreateFileMappingW

  TerminateThread

  GetCurrentThreadId

  CreateThread

  GetExitCodeProcess

  TerminateProcess

  GetCurrentProcessId

  GetVersionExW

  GetSystemWindowsDirectoryW

  GetWindowsDirectoryW

  GetSystemDirectoryW

  GetTickCount

  GetVersion

  GetLocalTime

  GetSystemTime

  GetSystemInfo

  GlobalMemoryStatusEx

  DeleteFileA

  OpenProcess

  GetCurrentProcess

  GetProcessTimes

  WaitForMultipleObjects

  Sleep

  CreateEventW

  OpenMutexW

  CreateMutexW

  WaitForSingleObject

  ReleaseMutex

  ResetEvent

  SetEvent

  DeleteCriticalSection

  InitializeCriticalSectionAndSpinCount

  LeaveCriticalSection

  EnterCriticalSection

  InitializeCriticalSection

  GetOverlappedResult

  DeviceIoControl

  GetProcessHeap

  HeapSize

  HeapFree

  HeapReAlloc

  HeapAlloc

  HeapDestroy

  SetLastError

  GetLastError

  CloseHandle

  WriteFile

  UnlockFile

  SetFileTime

  SetFilePointer

  SetFileAttributesW

  SetEndOfFile

  RemoveDirectoryW

  ReadFile

  QueryDosDeviceW

  LockFile

  GetShortPathNameW

  GetLogicalDriveStringsW

  GetFileSize

  GetFileAttributesExW

  GetFileAttributesW

  GetDriveTypeW

  GetDiskFreeSpaceExW

  FlushFileBuffers

  FindNextFileW

  FindFirstFileW

  FindClose

  FileTimeToLocalFileTime

  DeleteFileW

  CreateFileW

  GetLongPathNameW

  ExpandEnvironmentStringsW

  user32

  GetParent

  GetWindowLongW

  SetWindowTextW

  EnableWindow

  KillTimer

  GetMonitorInfoW

  IsWindow

  PostMessageW

  ExitWindowsEx

  SetTimer

  IsDlgButtonChecked

  IsWindowVisible

  GetSystemMetrics

  LoadStringW

  GetWindow

  MonitorFromWindow

  RegisterWindowMessageW

  CheckDlgButton

  GetDlgItemTextW

  GetDlgItem

  EndDialog

  RegisterClassExW

  GetClassInfoExW

  SetWindowPos

  ShowWindow

  SendMessageW

  SetWindowLongW

  CreateWindowExW

  GetClientRect

  MapWindowPoints

  GetActiveWindow

  CharNextW

  DialogBoxParamW

  DestroyWindow

  UnregisterClassW

  DefWindowProcW

  wsprintfW

  EnumWindows

  GetWindowThreadProcessId

  OpenClipboard

  CloseClipboard

  SetClipboardData

  GetClipboardData

  EmptyClipboard

  GetDC

  GetWindowDC

  ReleaseDC

  GetWindowRect

  OffsetRect

  SystemParametersInfoW

  MonitorFromRect

  EnumDisplayMonitors

  gdi32

  DeleteDC

  DeleteObject

  CreateCompatibleBitmap

  BitBlt

  GetDeviceCaps

  SelectObject

  CreateDIBSection

  CreateFontW

  GetStockObject

  CreateCompatibleDC

  SetBkMode

  advapi32

  SetNamedSecurityInfoW

  SetEntriesInAclW

  StartServiceW

  QueryServiceStatusEx

  QueryServiceStatus

  OpenServiceW

  OpenSCManagerW

  DeleteService

  CreateServiceW

  ControlService

  CloseServiceHandle

  ChangeServiceConfigW

  ConvertStringSidToSidW

  ConvertSidToStringSidW

  CryptDestroyHash

  CryptDecrypt

  CryptEncrypt

  CryptImportKey

  CryptGetKeyParam

  CryptDestroyKey

  CryptReleaseContext

  CryptAcquireContextW

  RegUnLoadKeyW

  RegSetValueExW

  RegQueryValueExW

  RegOpenKeyExW

  RegOpenKeyW

  RegNotifyChangeKeyValue

  RegLoadKeyW

  RegEnumValueW

  RegEnumKeyExW

  RegDeleteValueW

  RegDeleteKeyW

  RegCreateKeyExW

  RegCreateKeyW

  RegCloseKey

  LookupPrivilegeValueW

  LookupAccountSidW

  ReadEventLogW

  OpenEventLogW

  CloseEventLog

  SetTokenInformation

  GetTokenInformation

  GetSidSubAuthority

  GetLengthSid

  FreeSid

  EqualSid

  DuplicateTokenEx

  AllocateAndInitializeSid

  AdjustTokenPrivileges

  OpenProcessToken

  CreateProcessAsUserW

  GetUserNameW

  RegQueryInfoKeyW

  RegCreateKeyExA

  RegOpenKeyExA

  RegQueryValueExA

  RegSetValueExA

  SystemFunction036

  ImpersonateSelf

  RevertToSelf

  GetNamedSecurityInfoW

  shell32

  ShellExecuteExW

  SHGetFileInfoW

  ShellExecuteW

  CommandLineToArgvW

  ExtractIconW

  ord165

  SHBindToParent

  ord680

  SHGetDataFromIDListW

  SHGetFolderPathW

  ExtractIconExW

  SHGetSpecialFolderPathW

  SHParseDisplayName

  ole32

  CreateStreamOnHGlobal

  CoTaskMemFree

  CLSIDFromProgID

  CoCreateInstance

  CoTaskMemAlloc

  CoTaskMemRealloc

  CoUninitialize

  CoInitialize

  oleaut32

  CreateErrorInfo

  VarUI4FromStr

  VariantClear

  VariantInit

  SysFreeString

  SysAllocString

  GetErrorInfo

  VariantChangeType

  SetErrorInfo

  shlwapi

  StrChrW

  StrCmpNW

  StrCmpNIW

  StrStrIA

  StrStrIW

  StrCatW

  StrCmpIW

  StrCpyW

  wnsprintfW

  PathAddBackslashW

  PathAppendW

  PathCombineW

  PathFileExistsW

  PathFindExtensionW

  PathFindFileNameW

  PathIsDirectoryW

  PathRemoveExtensionW

  PathRemoveFileSpecW

  PathUnquoteSpacesW

  SHDeleteKeyW

  SHDeleteValueW

  SHGetValueA

  SHGetValueW

  SHSetValueW

  PathFileExistsA

  ColorRGBToHLS

  ColorHLSToRGB

  PathFindFileNameA

  PathRemoveBackslashA

  AssocQueryStringW

  comctl32

  InitCommonControlsEx

  wininet

  InternetOpenUrlW

  InternetCloseHandle

  InternetSetOptionW

  HttpQueryInfoW

  InternetReadFile

  InternetOpenW

  DeleteUrlCacheEntryW

  InternetGetConnectedState

  urlmon

  URLDownloadToFileW

  psapi

  GetModuleFileNameExW

  EnumProcessModules

  EnumProcesses

  version

  GetFileVersionInfoW

  VerQueryValueW

  GetFileVersionInfoSizeW

  setupapi

  SetupIterateCabinetW

  userenv

  DestroyEnvironmentBlock

  GetUserProfileDirectoryW

  CreateEnvironmentBlock

  powrprof

  GetPwrCapabilities

  wintrust

  WinVerifyTrust

  CryptCATAdminAcquireContext

  CryptCATAdminReleaseContext

  CryptCATAdminReleaseCatalogContext

  CryptCATAdminEnumCatalogFromHash

  CryptCATAdminCalcHashFromFileHandle

  CryptCATCatalogInfoFromContext

  WTHelperProvDataFromStateData

  wtsapi32

  WTSFreeMemory

  WTSQuerySessionInformationW

  gdiplus

  GdipDrawImagePointRectI

  GdipDrawImageRectRectI

  GdipGetImageEncodersSize

  GdipGetImageEncoders

  GdipCreatePath

  GdipSetInterpolationMode

  GdipSetPixelOffsetMode

  GdipSetSmoothingMode

  GdipDeleteGraphics

  GdipCreateBitmapFromHBITMAP

  GdipCreateBitmapFromScan0

  GdipCreateBitmapFromFileICM

  GdipDeletePath

  GdipAddPathLine

  GdipAddPathLine2

  GdipAddPathArc

  GdipAddPathPie

  GdipGetPathWorldBoundsI

  GdipCloneBrush

  GdipFillPath

  GdipCreateSolidFill

  GdipCreatePathGradientFromPath

  GdipSetPathGradientCenterColor

  GdipSetPathGradientSurroundColorsWithCount

  GdipSetPathGradientCenterPoint

  GdipGetPathGradientPointCount

  GdipSetPathGradientGammaCorrection

  GdipCreatePen2

  GdipDeletePen

  GdipCloneImage

  GdipDisposeImage

  GdipSaveImageToFile

  GdipGetImageGraphicsContext

  GdipGetImageWidth

  GdipGetImageHeight

  GdipGetImagePixelFormat

  GdipCreateBitmapFromStream

  GdipCreateBitmapFromFile

  GdipAlloc

  GdipDrawImageRectI

  GdipFillRectangleI

  GdipDeleteBrush

  GdipDrawPath

  GdipFree

  GdipCreateBitmapFromStreamICM

  crypt32

  CryptProtectData

  CryptUnprotectData

  CertGetNameStringW

  rasapi32

  RasGetConnectStatusW

  RasEnumConnectionsW

  msvcrt

  wcsspn

  wcstok

  _wcsicmp

  _wcsnicmp

  strcspn

  _stricmp

  strlen

  strncmp

  _wrename

  fgetwc

  ungetwc

  _wfopen

  _ismbcspace

  fclose

  fflush

  fgetc

  fgetpos

  fread

  fsetpos

  fseek

  setvbuf

  ungetc

  fabs

  pow

  frexp

  ldexp

  memset

  ??0exception@@QAE@ABQBD@Z

  ??0exception@@QAE@ABV0@@Z

  ??1exception@@UAE@XZ

  ?what@exception@@UBEPBDXZ

  setlocale

  localeconv

  wcsncpy

  wcsncmp

  wcslen

  wcscspn

  wcscpy

  _time64

  _CxxThrowException

  ??3@YAXPAX@Z

  strcat

  strcpy

  strncpy

  atoi

  cos

  sin

  sqrt

  floor

  _wtoi

  strrchr

  strstr

  _localtime64

  fopen

  srand

  rand

  strncat

  wcsftime

  feof

  ftell

  _chsize

  _close

  strpbrk

  modf

  ??0exception@@QAE@XZ

  __uncaught_exception

  ___mb_cur_max_func

  __pctype_func

  ___lc_codepage_func

  ___lc_handle_func

  _wfsopen

  _fsopen

  realloc

  _CIpow

  _Getdays

  _Getmonths

  wcscmp

  _Gettnames

  _Strftime

  wcscat

  wcsstr

  _amsg_exit

  __getmainargs

  __wgetmainargs

  _environ

  _wenviron

  __setusermatherr

  memmove

  __p__commode

  _tzset

  _strlwr

  _strnicmp

  _wcslwr

  _itoa

  __CxxFrameHandler

  __DestructExceptionObject

  ?raw_name@type_info@@QBEPBDXZ

  wcsrchr

  _wcsupr

  _iob

  _wgetenv

  _wputenv

  __doserrno

  atof

  getenv

  _putenv

  getwc

  _wfreopen

  _wtmpnam

  __wcserror

  _strerror

  _wasctime

  _wctime64

  asctime

  _ctime64

  _gmtime64

  _mktime64

  _waccess

  _wfindfirst64

  _wfindnext64

  _wsopen

  _access

  _umask

  _findfirst64

  _findnext64

  _lseeki64

  _sopen

  clearerr

  freopen

  getc

  tmpnam

  _fstat64

  _ftime64

  _lock

  _unlock

  _assert

  _daylight

  _dstbias

  _timezone

  _tzname

  _sys_errlist

  _sys_nerr

  _ismbblead

  __crtLCMapStringA

  _wcstoui64

  wcspbrk

  _wfullpath

  _getdrive

  memcpy

  memcmp

  memchr

  tolower

  _msize

  __set_app_type

  _acmdln

  _wcmdln

  _itow

  _ltow

  _ultow

  _i64tow

  _ui64tow

  _wsplitpath

  _wsearchenv

  _ltoa

  _ultoa

  _i64toa

  _ui64toa

  _ecvt

  _fcvt

  _gcvt

  _splitpath

  _searchenv

  _controlfp

  _control87

  _wmktemp

  _mktemp

  _wstrtime

  _strtime

  tmpfile

  _cgets

  _cgetws

  _XcptFilter

  _pwctype

  __lc_collate_cp

  _fmode

  _isctype

  _isatty

  _fileno

  mbtowc

  wctomb

  _ismbbkana

  _ismbbprint

  _ismbbtrail

  wcschr

  _CIlog10

  ceil

  _clearfp

  ?terminate@@YAXXZ

  mktime

  _open

  _wctime

  ctime

  gmtime

  localtime

  _ftime

  iswctype

  toupper

  isalnum

  isspace

  isxdigit

  isdigit

  towlower

  iswspace

  iswalnum

  wcstombs

  mbstowcs

  strtoul

  strtol

  strtod

  abs

  abort

  wcstol

  malloc

  free

  calloc

  _errno

  ??_V@YAXPAX@Z

  ??_U@YAPAXI@Z

  ??2@YAPAXI@Z

  _strtoui64

  fputc

  fwrite

  fputwc

  strchr

  _initterm

  _beginthreadex

  msvcp60

  mbsrtowcs

  _Mbrtowc

  _Strxfrm

  _Strcoll

  _Getcoll

  _Wcrtomb

  _Toupper

  _Tolower

  _Getctype

  ntdll

  NtCreateFile

  RtlFreeUnicodeString

  NtClose

  RtlAdjustPrivilege

  RtlNtStatusToDosError

  RtlDetermineDosPathNameType_U

  RtlDosPathNameToNtPathName_U

  NtSetInformationFile

  Sections

  .text

  Size: 1.0MB - Virtual size: 1.0MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 251KB - Virtual size: 252KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 12KB - Virtual size: 284KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 835KB - Virtual size: 834KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ