2024-04-23_d6c1bdc7bdbc4712a4b7c25900f27030_mafia

Sharing

Copy URL Twitter E-mail

General

Target

2024-04-23_d6c1bdc7bdbc4712a4b7c25900f27030_mafia
Size

1.2MB
MD5

d6c1bdc7bdbc4712a4b7c25900f27030
SHA1

1e3bd0f7fbd80b8d6f09b2e68263fa7dd52f291b
SHA256

fdc5c46199ebbc251e27fe0dfd4fe1f29d788c7bdba07fa3cedd27ff85728f75
SHA512

ff8416f0610e7b38a458c64096eb579ac7ecaf4131f5ef0bdb8005d65c078de9ad847311c71be2d0dbd8f2364b1abf962fbff738159ea8498f62ac794aff86c7
SSDEEP

24576:UJQfkPkCZ6DYHthFhxvAnMPbBS97LnwTQ8zXmVYCxPAdaHgbUKb+5q0TrnOlarZ8:UJXcCUkJvAMN0wTQ8zXmVYCBAdaHg4sb

Score

1^/10

Malware Config

Signatures

Files

2024-04-23_d6c1bdc7bdbc4712a4b7c25900f27030_mafia
.exe windows:5 windows x86 arch:x86

4c231b8ff4b3203dd495590ed065b25b

Code Sign

d1:9d:b1:a5:42:ff:d3:d9:9b:83:20:8f:e9:e8:0f:e3
Certificate

Issuer

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

10/12/2020, 00:00

Not After

10/12/2023, 23:59

Subject

CN=ZOHO Corporation Private Limited,O=ZOHO Corporation Private Limited,POSTALCODE=603202,STREET=Estancia IT Park\, GST Road,L=Chengalpattu,ST=Tamil Nadu,C=IN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/11/2018, 00:00

Not After

31/12/2030, 23:59

Subject

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f6:17:20:67:ad:3a:40:49:13:1e:5c:78:b4:51:a3:9e:bf:b2:cf:df:36:84:62:fb:b8:61:8e:18:1e:63:b7:54
Signer

Actual PE Digest

f6:17:20:67:ad:3a:40:49:13:1e:5c:78:b4:51:a3:9e:bf:b2:cf:df:36:84:62:fb:b8:61:8e:18:1e:63:b7:54

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

d:\Webhost\29-11-2023\WindowsBuilds\DC_NATIVE\7410513\desktopcentral\CLOUD_PRODUCTION\SA_SRC\native\agent\Release\dsAD.pdb

Imports

netapi32

DsGetDcNameA
NetGetJoinInformation
NetApiBufferFree
DsGetDcNameW

activeds

ord9
ord13
ord7

winhttp

WinHttpSetOption
WinHttpQueryOption
WinHttpAddRequestHeaders
WinHttpReadData
WinHttpOpenRequest
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpSetStatusCallback
WinHttpQueryHeaders
WinHttpCloseHandle
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpConnect

wtsapi32

WTSQuerySessionInformationA
WTSFreeMemory
WTSEnumerateSessionsA

ws2_32

WSAStartup
WSACleanup
WSAGetLastError

iphlpapi

GetAdaptersInfo

userenv

LoadUserProfileA
CreateEnvironmentBlock
DestroyEnvironmentBlock
UnloadUserProfile

crypt32

CertFreeCertificateContext
CertCreateCertificateContext
CertDeleteCertificateFromStore
CertNameToStrW
CryptStringToBinaryA
CertOpenStore
PFXVerifyPassword
CertAddCertificateContextToStore
CertFindCertificateInStore
CertCloseStore
PFXImportCertStore
CertEnumCertificatesInStore

wldap32

ord218
ord13
ord88
ord219

kernel32

lstrlenA
GetLastError
DeleteFileA
CreateDirectoryA
FindFirstFileA
FindClose
FindNextFileA
GetSystemTime
InterlockedDecrement
FormatMessageA
CloseHandle
LocalFree
GetCurrentThreadId
GetLocalTime
ReleaseMutex
WaitForSingleObject
Sleep
CreateMutexA
SuspendThread
ResumeThread
GetModuleHandleA
GetCurrentProcessId
CreateFileA
GetFileSize
Process32First
GetTickCount
WriteFile
OpenProcess
GetExitCodeProcess
SetDllDirectoryA
TerminateProcess
ReadFile
LoadLibraryA
Process32Next
CreateToolhelp32Snapshot
GetVersionExA
RtlUnwind
SystemTimeToTzSpecificLocalTime
CreateDirectoryW
CopyFileW
CreateFileW
lstrlenW
FlushFileBuffers
DeleteFileW
GetLocaleInfoA
FreeLibrary
CreateProcessA
GetTimeZoneInformation
FileTimeToLocalFileTime
SetCurrentDirectoryA
CopyFileA
GetSystemInfo
GetCurrentDirectoryA
CreateThread
GetFileSizeEx
CreateTimerQueue
CreateTimerQueueTimer
DeleteTimerQueue
GetComputerNameExW
FormatMessageW
GlobalFree
GlobalAlloc
SetFilePointer
LoadLibraryW
GetSystemDirectoryA
GetCurrentDirectoryW
SetLastError
ProcessIdToSessionId
SetCurrentDirectoryW
GetModuleFileNameA
GetFullPathNameA
GetFileAttributesExA
LocalAlloc
QueryPerformanceCounter
GetThreadTimes
GetCurrentThread
ExitProcess
ExitThread
FindFirstFileExA
GetDriveTypeA
LockResource
LCMapStringW
GetCPInfo
GetStringTypeW
InterlockedExchange
CompareStringW
MultiByteToWideChar
FileTimeToSystemTime
SizeofResource
WideCharToMultiByte
SystemTimeToFileTime
LoadResource
FindResourceW
FindResourceExW
GetProcAddress
GetModuleHandleW
GetCurrentProcess
GetFileInformationByHandle
PeekNamedPipe
GetFileType
UnhandledExceptionFilter
SetUnhandledExceptionFilter
EncodePointer
IsDebuggerPresent
GetEnvironmentVariableA
SetHandleCount
GetStdHandle
GetStartupInfoW
IsProcessorFeaturePresent
HeapCreate
GetConsoleCP
GetConsoleMode
InterlockedCompareExchange
InterlockedIncrement
GetACP
GetOEMCP
IsValidCodePage
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleFileNameW
GetLocaleInfoW
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetStdHandle
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
WriteConsoleW
GetDriveTypeW
SetEndOfFile
VirtualQuery
SetEnvironmentVariableA
MoveFileExA
LocalLock
LocalUnlock
FindFirstFileW
HeapSetInformation
GetCommandLineA
GetSystemTimeAsFileTime
GetProcessHeap
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
HeapDestroy
InitializeCriticalSectionAndSpinCount
RaiseException
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
DecodePointer

user32

wsprintfW
MessageBoxA

advapi32

RegDeleteValueW
LookupAccountSidA
GetTokenInformation
LookupPrivilegeNameA
CryptGetHashParam
LookupPrivilegeValueA
CreateProcessAsUserW
OpenProcessToken
CreateProcessAsUserA
CryptHashData
CryptDestroyHash
RevertToSelf
CryptCreateHash
RegSetValueExW
RegEnumKeyA
RegOpenKeyA
RegOpenKeyExW
RegDeleteValueA
RegCreateKeyExA
RegDeleteKeyA
RegQueryValueExW
CryptGetUserKey
CryptDestroyKey
CryptGenKey
CryptAcquireContextA
CryptReleaseContext
RegSetValueExA
ControlService
OpenSCManagerA
CloseServiceHandle
OpenServiceA
ConvertSidToStringSidW
RegCloseKey
RegOpenKeyExA
RegQueryValueExA

shell32

SHCreateDirectoryExW
SHGetSpecialFolderPathA
SHCreateDirectoryExA

ole32

CoSetProxyBlanket
CoInitializeEx
CoCreateInstance
CoUninitialize
CoInitialize

oleaut32

SysAllocString
SafeArrayGetLBound
VariantClear
VariantTimeToSystemTime
SafeArrayAccessData
VariantInit
SystemTimeToVariantTime
VariantChangeType
SafeArrayUnaccessData
SysFreeString
SafeArrayGetUBound
SysStringLen
SysAllocStringByteLen

odbc32

ord49
ord36
ord29
ord9
ord41
ord31
ord1
ord2
ord20
ord16
ord12
ord19
ord3
ord48
ord72
ord26
ord13
ord4
ord8
ord18
ord11
ord43
ord39

shlwapi

StrTrimA
PathFindExtensionA
StrStrIA

dclibxml2

xmlTextReaderAttributeCount
xmlTextReaderGetAttribute
xmlNewTextReaderFilename
xmlParseMemory
xmlTextReaderValue
xmlStrcmp
xmlTextReaderName
xmlTextReaderDepth
xmlFree
xmlFreeTextReader
xmlTextReaderRead
xmlNodeListGetString
xmlParseFile
xmlDocGetRootElement
xmlFreeDoc
xmlCleanupParser

Sections

.text
Size: 935KB - Virtual size: 934KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 199KB - Virtual size: 199KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 60KB - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 776B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 58KB - Virtual size: 58KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4c231b8ff4b3203dd495590ed065b25b

Code Sign

d1:9d:b1:a5:42:ff:d3:d9:9b:83:20:8f:e9:e8:0f:e3Certificate

Extended Key Usages

Key Usages

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6aCertificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

f6:17:20:67:ad:3a:40:49:13:1e:5c:78:b4:51:a3:9e:bf:b2:cf:df:36:84:62:fb:b8:61:8e:18:1e:63:b7:54Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

netapi32

activeds

winhttp

wtsapi32

ws2_32

iphlpapi

userenv

crypt32

wldap32

kernel32

user32

advapi32

shell32

ole32

oleaut32

odbc32

shlwapi

dclibxml2

Sections

.text Size: 935KB - Virtual size: 934KB

.rdata Size: 199KB - Virtual size: 199KB

.data Size: 60KB - Virtual size: 73KB

.rsrc Size: 1024B - Virtual size: 776B

.reloc Size: 58KB - Virtual size: 58KB

d1:9d:b1:a5:42:ff:d3:d9:9b:83:20:8f:e9:e8:0f:e3
Certificate

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

f6:17:20:67:ad:3a:40:49:13:1e:5c:78:b4:51:a3:9e:bf:b2:cf:df:36:84:62:fb:b8:61:8e:18:1e:63:b7:54
Signer

.text
Size: 935KB - Virtual size: 934KB

.rdata
Size: 199KB - Virtual size: 199KB

.data
Size: 60KB - Virtual size: 73KB

.rsrc
Size: 1024B - Virtual size: 776B

.reloc
Size: 58KB - Virtual size: 58KB