2024-04-25_16c96251204383bffd06b99ae5aef043_mafia_revil

Sharing

Copy URL Twitter E-mail

General

Target

2024-04-25_16c96251204383bffd06b99ae5aef043_mafia_revil
Size

6.3MB
MD5

16c96251204383bffd06b99ae5aef043
SHA1

b675c2eaf78dd2b703a940daca185574369aa285
SHA256

4a00b4bc00687566b4f74064dab9c3395ccd4ccf012b4b89d9721e643334592d
SHA512

7596c66942d2715cc202cd50d8bd5d21f980f196a325c450107efe3dbb56841aad386688aa9301c572fd6add65329ab1b8ef63d70d4a7a48941a082780f2c39e
SSDEEP

196608:ASMLS3TadMotxTAsxqZBHC7OZMiBT8p89ll/5Cc+9dnK/If/tqDnM734Nmj0ZS/r:A1WadMotxTAsxqZBHC7OZMih/5Cc+3nh

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-04-25_16c96251204383bffd06b99ae5aef043_mafia_revil

Files

2024-04-25_16c96251204383bffd06b99ae5aef043_mafia_revil
.exe windows:5 windows x86 arch:x86

daef6f375564b0b9fa0d82d8f93168b1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

d:\Webhost\25-04-2024\WindowsBuilds\OSD_NATIVE\8222343\osdeployer\ONPREMISE\OSD_SRC\agent\Release\ImageReplicator.pdb

Imports

wimgapi

WIMUnmountImage
WIMMountImage

iphlpapi

GetExtendedUdpTable
GetAdaptersInfo

ws2_32

recv
send
shutdown
listen
bind
accept
sendto
closesocket
htons
recvfrom
WSAPoll
getsockname
getpeername
setsockopt
getsockopt
socket
ioctlsocket
freeaddrinfo
getaddrinfo
ntohl
WSASetLastError
connect
ntohs
WSAStartup
inet_addr
WSAGetLastError
WSACleanup

netapi32

NetLocalGroupGetMembers
DsRoleGetPrimaryDomainInformation
NetApiBufferFree
DsGetDcNameW
NetLocalGroupEnum
DsRoleFreeMemory
NetGetJoinInformation

ntdsapi

DsUnBindW
DsFreeDomainControllerInfoW
DsGetDomainControllerInfoW
DsBindW

kernel32

GetTimeZoneInformation
SetCurrentDirectoryW
FindFirstFileW
lstrcmpW
RemoveDirectoryW
FindNextFileW
FindClose
GetFileTime
GetFileSizeEx
SetConsoleCtrlHandler
GetModuleFileNameW
InterlockedDecrement
WriteFile
SetFilePointer
LocalFree
FormatMessageW
GetFileSize
GetSystemTimeAsFileTime
CreateEventA
WaitForSingleObjectEx
HeapAlloc
GetProcessHeap
HeapFree
GetCurrentThreadId
VirtualAlloc
ReleaseMutex
CreateMutexW
VirtualFree
GetStdHandle
GetCurrentProcessId
FindFirstFileA
SetFileAttributesA
DeleteFileA
FindNextFileA
RemoveDirectoryA
SetFileAttributesW
CreateFileA
GetSystemWindowsDirectoryW
SystemTimeToFileTime
GlobalMemoryStatusEx
GetComputerNameExW
GetSystemFirmwareTable
GetComputerNameW
GetFirmwareEnvironmentVariableW
FileTimeToSystemTime
CreateFileMappingW
OpenFileMappingW
UnmapViewOfFile
MapViewOfFile
GetLocalTime
CompareFileTime
GetFileAttributesExA
InterlockedIncrement
TlsAlloc
IsValidCodePage
GetOEMCP
GetACP
LoadLibraryW
Sleep
SystemTimeToTzSpecificLocalTime
GetFileAttributesA
GetLogicalDriveStringsW
DeviceIoControl
CreateFileW
GetDriveTypeW
GetDiskFreeSpaceW
GetVolumeInformationW
lstrlenA
WideCharToMultiByte
lstrlenW
GetCurrentProcess
CopyFileW
GetWindowsDirectoryW
GetExitCodeProcess
WaitForSingleObject
CloseHandle
CreateProcessW
Wow64EnableWow64FsRedirection
GetLastError
CreateDirectoryW
MultiByteToWideChar
DeleteFileW
GetFileAttributesW
FindResourceExW
FindResourceW
LoadResource
LockResource
SizeofResource
TlsGetValue
GetExitCodeThread
TlsFree
SetLastError
GetCurrentThread
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
CompareStringW
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
FlushFileBuffers
GetConsoleMode
SetEnvironmentVariableA
GetConsoleCP
FindFirstFileExA
GetDriveTypeA
FileTimeToLocalFileTime
GetStartupInfoW
GetFileType
SetHandleCount
GetLocaleInfoW
HeapCreate
IsProcessorFeaturePresent
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
LCMapStringW
RtlUnwind
GetDateFormatA
GetTimeFormatA
GetCPInfo
HeapSetInformation
GetCommandLineW
ExitProcess
DecodePointer
EncodePointer
GetStringTypeW
InterlockedExchange
InterlockedCompareExchange
InitializeCriticalSectionAndSpinCount
RaiseException
GetSystemTime
GetFullPathNameA
MoveFileW
WriteConsoleW
PeekNamedPipe
VirtualQuery
HeapSize
HeapReAlloc
HeapDestroy
SetEndOfFile
LoadLibraryA
CreateSemaphoreA
GetDiskFreeSpaceExW
ReleaseSemaphore
DuplicateHandle
GetModuleHandleA
WaitForMultipleObjectsEx
FormatMessageA
GetFullPathNameW
GetFileInformationByHandle
GetFileAttributesExW
MoveFileExW
AreFileApisANSI
SetWaitableTimer
OpenEventA
CreateWaitableTimerA
IsDBCSLeadByteEx
GetDateFormatW
GetTimeFormatW
GetCurrencyFormatW
FoldStringW
CreateThread
SetStdHandle
SetConsoleMode
ReadConsoleW
ReadConsoleA
ConvertFiberToThread
ConvertThreadToFiber
DeleteFiber
SwitchToFiber
CreateFiber
InterlockedExchangeAdd
GetModuleHandleExW
GetThreadTimes
WaitForMultipleObjects
GetVersionExA
GetVersionExW
GetNativeSystemInfo
GetTickCount
GetCurrentDirectoryW
GetModuleHandleW
GetEnvironmentVariableW
ReadFile
GetVersion
DeleteCriticalSection
CreateEventW
InitializeCriticalSection
SetEvent
LeaveCriticalSection
ResetEvent
EnterCriticalSection
TerminateProcess
OpenProcess
FreeLibrary
TlsSetValue
GetProcAddress

user32

GetSystemMetrics
GetUserObjectInformationW
GetProcessWindowStation
MessageBoxW

advapi32

CryptAcquireContextA
CryptSetHashParam
CryptExportKey
CryptSignHashW
CryptEnumProvidersW
CryptGetProvParam
CryptDestroyKey
CryptDecrypt
CryptGetUserKey
CryptGenRandom
SetNamedSecurityInfoW
LookupAccountSidW
ConvertStringSidToSidW
ConvertSidToStringSidW
RegDeleteValueW
RegDeleteKeyW
RegQueryValueExA
RegOpenKeyExA
QueryServiceStatusEx
CloseServiceHandle
OpenServiceW
OpenSCManagerW
CryptGetHashParam
CryptDestroyHash
CryptHashData
CryptReleaseContext
CryptCreateHash
CryptAcquireContextW
DeregisterEventSource
ReportEventW
RegisterEventSourceW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AdjustTokenPrivileges
LookupPrivilegeValueW
RegEnumValueW
RegEnumKeyExW
RegQueryInfoKeyW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegLoadKeyW
RegUnLoadKeyW
OpenProcessToken

shell32

SHCreateDirectoryExW
SHFileOperationW

ole32

CoUninitialize
CoInitializeEx
CoInitializeSecurity
CoSetProxyBlanket
CoInitialize
CoCreateInstance

oleaut32

SysStringByteLen
SysAllocStringByteLen
VariantClear
SysAllocString
VariantInit
SysStringLen
SysFreeString

shlwapi

PathFileExistsW
PathFindFileNameW
PathRemoveFileSpecW
PathStripToRootW
PathFindExtensionW
PathAppendW
PathCombineW

msi

ord163
ord125
ord160
ord158
ord32
ord8
ord186
ord24
ord20
ord159
ord92

mpr

WNetAddConnection2W
WNetCancelConnection2W

setupapi

SetupFindNextLine
SetupFindFirstLineW
SetupGetStringFieldW
SetupCloseInfFile
SetupOpenInfFileW

psapi

GetModuleBaseNameW
EnumProcesses
GetModuleFileNameExW

urlmon

URLDownloadToFileW

winhttp

WinHttpSendRequest
WinHttpReadData
WinHttpWriteData
WinHttpSetOption
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpAddRequestHeaders
WinHttpQueryOption
WinHttpSetCredentials
WinHttpSetStatusCallback
WinHttpCloseHandle
WinHttpQueryDataAvailable

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

crypt32

CertEnumCertificatesInStore
CertGetNameStringA
CryptStringToBinaryA
CertCreateCertificateContext
CertDeleteCertificateFromStore
CertAddCertificateContextToStore
CertOpenStore
CertCloseStore
CertGetCertificateContextProperty
CertDuplicateCertificateContext
PFXImportCertStore
PFXVerifyPassword
CertFreeCertificateContext
CertGetNameStringW
CertFindCertificateInStore
CryptMsgGetParam
CryptQueryObject

Sections

.text
Size: 4.5MB - Virtual size: 4.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 78KB - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 357KB - Virtual size: 356KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

daef6f375564b0b9fa0d82d8f93168b1

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

wimgapi

iphlpapi

ws2_32

netapi32

ntdsapi

kernel32

user32

advapi32

shell32

ole32

oleaut32

shlwapi

msi

mpr

setupapi

psapi

urlmon

winhttp

version

crypt32

Sections

.text Size: 4.5MB - Virtual size: 4.5MB

.rdata Size: 1.4MB - Virtual size: 1.4MB

.data Size: 78KB - Virtual size: 107KB

.tls Size: 512B - Virtual size: 2B

.rsrc Size: 512B - Virtual size: 504B

.reloc Size: 357KB - Virtual size: 356KB

.text
Size: 4.5MB - Virtual size: 4.5MB

.rdata
Size: 1.4MB - Virtual size: 1.4MB

.data
Size: 78KB - Virtual size: 107KB

.tls
Size: 512B - Virtual size: 2B

.rsrc
Size: 512B - Virtual size: 504B

.reloc
Size: 357KB - Virtual size: 356KB