Spotify[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Spotify.exe
Size

32.5MB
MD5

e51d4669aa3cdb112afeeb21f0b5e917
SHA1

1f2cc075c2d09d1fb52c37f82ee10687b4d3af66
SHA256

6269817634e4beb815197f04c7a6692923fa832664b6a7452bac0a8787d47cb4
SHA512

dee3b42639d724ab2188085216a14db74bac19626fa33cf52dbeff143a583d9cadb8e1479559e5da5938d56ce3f48175e62a80459b23dfe3487a2e7d82123679
SSDEEP

196608:RpIspvAJeNecTwqsmVm+7Hg5cENHsAHgvlTOh5XdMn3yc0voQvu2KIwgHGXVuXz1:P/BmcNM5XE3yqQ22KIw14XzDk246Zcy

Score

1^/10

Malware Config

Signatures

Files

Spotify.exe
.exe windows:6 windows x64 arch:x64

30d9f75ca35f5bc5db97887ecff35576

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0f:ab:67:0a:61:bf:4b:7d:af:d5:59:35:6b:5b:cc:ff
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

04/10/2023, 00:00

Not After

03/10/2024, 23:59

Subject

SERIALNUMBER=556703-7485,CN=Spotify AB,O=Spotify AB,L=Stockholm,C=SE,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#13025345

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

91:e5:9f:08:b9:29:41:0f:2c:13:65:2e:19:24:b1:d2:eb:69:bc:48:91:cc:be:6d:6a:be:57:a3:eb:8d:ac:a2
Signer

Actual PE Digest

91:e5:9f:08:b9:29:41:0f:2c:13:65:2e:19:24:b1:d2:eb:69:bc:48:91:cc:be:6d:6a:be:57:a3:eb:8d:ac:a2

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\src\desktop\shell\build\desktop\Release\Spotify.pdb

Imports

ws2_32

WSACreateEvent
inet_addr
gethostbyname
getprotobyname
WSASetEvent
sendto
send
recvfrom
recv
freeaddrinfo
getaddrinfo
getpeername
WSARecvFrom
WSARecv
WSAIoctl
WSAEventSelect
WSAEnumNetworkEvents
WSAWaitForMultipleEvents
socket
closesocket
WSASetLastError
WSACleanup
listen
WSAGetLastError
WSACloseEvent
WSAStartup
getsockopt
inet_ntoa
gethostbyaddr
getservbyport
getsockname
WSASend
shutdown
WSASendTo
WSASocketW
getservbyname
ioctlsocket
htonl
WSAAddressToStringW
htons
ntohl
ntohs
select
setsockopt
WSAStringToAddressW
connect
bind
accept
__WSAFDIsSet

gdiplus

GdipDeleteFontFamily
GdipCreateFontFamilyFromName
GdipFillEllipse
GdipSetTextRenderingHint
GdipSetSmoothingMode
GdipDeleteGraphics
GdipCreateHICONFromBitmap
GdipCreateHBITMAPFromBitmap
GdipCreateBitmapFromScan0
GdipGetImageHeight
GdipGetImageWidth
GdipGetImageGraphicsContext
GdipDisposeImage
GdipCloneImage
GdipLoadImageFromStream
GdipCreateSolidFill
GdipDeleteFont
GdipStringFormatGetGenericDefault
GdipFree
GdipDeleteStringFormat
GdipDeleteBrush
GdipCloneStringFormat
GdipSetStringFormatAlign
GdipSetStringFormatLineAlign
GdipCreateBitmapFromStream
GdipBitmapLockBits
GdipAlloc
GdipBitmapUnlockBits
GdipSetInterpolationMode
GdipDrawImageRectRectI
GdipCloneBrush
GdipCreateFont
GdipGetGenericFontFamilySansSerif
GdiplusShutdown
GdiplusStartup
GdipDrawString

dbghelp

SymGetLineFromAddr64
SymCleanup
SymSetOptions
SymInitialize
SymSetSearchPathW
SymFromAddr
SymGetSearchPathW

ntdll

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlUnwindEx
RtlPcToFileHeader
RtlUnwind
VerSetConditionMask
RtlInitUnicodeString
RtlCaptureStackBackTrace

oleaut32

SysFreeString
SysAllocString
VariantClear
SysStringLen
SysAllocStringByteLen
SetErrorInfo
GetErrorInfo

userenv

CreateAppContainerProfile
DeriveAppContainerSidFromAppContainerName

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

DeleteProcThreadAttributeList
InitializeProcThreadAttributeList
GetProcessTimes
CreateRemoteThread
GetCurrentThreadId
GetCurrentProcessId
CreateProcessW
GetExitCodeProcess
ResumeThread
GetStartupInfoW
GetThreadId
SetThreadPriority
UpdateProcThreadAttribute
ExitThread
GetExitCodeThread
SwitchToThread
GetCurrentThread
TerminateProcess
ExitProcess
GetCurrentProcess
QueueUserAPC
TlsAlloc
CreateThread
TlsGetValue
TlsSetValue
TerminateThread
TlsFree

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryA
GetTickCount64
GetSystemTime
GetSystemInfo
GetVersionExW
GetSystemTimeAsFileTime
GetVersion
GetWindowsDirectoryW
GetLocalTime
GetTickCount

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead
InterlockedPushEntrySList

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringA
OutputDebugStringW
DebugBreak

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter
SetLastError
GetLastError
RaiseException

api-ms-win-core-processthreads-l1-1-1

SetProcessMitigationPolicy
GetProcessHandleCount
GetCurrentProcessorNumber
GetProcessMitigationPolicy
IsProcessorFeaturePresent
OpenProcess

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
FreeLibrary
GetModuleHandleA
LoadResource
LockResource
SizeofResource
SetDefaultDllDirectories
GetModuleHandleExW
FreeLibraryAndExitThread
LoadLibraryExA
GetModuleFileNameW
LoadLibraryExW
GetProcAddress
LoadStringW

api-ms-win-core-synch-l1-1-0

AcquireSRWLockShared
WaitForMultipleObjectsEx
CreateEventA
AcquireSRWLockExclusive
InitializeCriticalSectionEx
CreateMutexW
ReleaseSRWLockShared
ReleaseSRWLockExclusive
OpenMutexW
InitializeCriticalSection
SetEvent
OpenEventA
WaitForSingleObject
SleepEx
InitializeCriticalSectionAndSpinCount
ReleaseMutex
EnterCriticalSection
InitializeSRWLock
WaitForSingleObjectEx
ResetEvent
TryAcquireSRWLockExclusive
DeleteCriticalSection
ReleaseSemaphore
LeaveCriticalSection
CreateEventExW
SetWaitableTimer
CreateEventW
CreateMutexA

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
GetStdHandle
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetCurrentDirectoryW
SetCurrentDirectoryW
GetCommandLineW
GetCommandLineA
SetEnvironmentVariableW
SetStdHandle
GetEnvironmentVariableW

api-ms-win-core-file-l1-1-0

LockFile
FindFirstFileW
GetFileSize
GetVolumePathNameW
GetDiskFreeSpaceExW
GetFileType
GetFileInformationByHandle
GetFullPathNameW
GetFileTime
SetEndOfFile
GetFileAttributesW
FindNextFileW
FindFirstFileExW
SetFileAttributesW
FindClose
WriteFile
GetLongPathNameW
UnlockFile
GetTempFileNameW
FlushFileBuffers
RemoveDirectoryW
GetDriveTypeW
GetFileSizeEx
SetFilePointerEx
ReadFile
GetFileAttributesExW
CreateFileW
DeleteFileW
CreateDirectoryW

api-ms-win-core-heap-l1-1-0

HeapDestroy
HeapReAlloc
HeapSize
GetProcessHeap
HeapFree
HeapSetInformation
HeapAlloc
GetProcessHeaps

api-ms-win-core-localization-l1-2-0

GetUserDefaultLocaleName
GetLocaleInfoEx
GetACP
GetUserDefaultLangID
FormatMessageA
FormatMessageW
LCMapStringW
GetOEMCP
IsValidCodePage
GetCPInfo
LCMapStringEx
EnumSystemLocalesW
GetUserDefaultLCID
GetLocaleInfoW
IsValidLocale

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
CompareStringW
GetStringTypeW
MultiByteToWideChar
CompareStringEx

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-fibers-l1-1-0

FlsAlloc
FlsFree
FlsSetValue
FlsGetValue

api-ms-win-core-datetime-l1-1-0

GetDateFormatW
GetTimeFormatW

api-ms-win-core-console-l1-1-0

SetConsoleCtrlHandler
GetConsoleMode
GetConsoleOutputCP
ReadConsoleW
ReadConsoleA
SetConsoleMode
WriteConsoleW
AllocConsole
WriteConsoleA

api-ms-win-core-handle-l1-1-0

SetHandleInformation
DuplicateHandle
CloseHandle

api-ms-win-core-heap-l2-1-0

GlobalAlloc
LocalFree
GlobalFree
LocalAlloc

api-ms-win-core-file-l2-1-0

ReplaceFileW
CopyFileExW
MoveFileExW
ReadDirectoryChangesW
CreateDirectoryExW

api-ms-win-core-com-l1-1-0

StringFromCLSID
CoSetProxyBlanket
CLSIDFromString
CoUninitialize
CoTaskMemFree
CoTaskMemAlloc
CoCreateFreeThreadedMarshaler
CoGetObjectContext
PropVariantClear
CoInitializeEx
CoCreateInstance
CoGetApartmentType
CoInitializeSecurity

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToFileTime
GetTimeZoneInformation
SystemTimeToTzSpecificLocalTime

api-ms-win-core-io-l1-1-0

CreateIoCompletionPort
CancelIoEx
PostQueuedCompletionStatus
GetQueuedCompletionStatus
DeviceIoControl

api-ms-win-core-synch-l1-2-1

CreateWaitableTimerW
WaitForMultipleObjects

api-ms-win-core-synch-l1-2-0

WakeAllConditionVariable
SleepConditionVariableSRW
InitializeConditionVariable
WakeConditionVariable
InitOnceComplete
InitOnceBeginInitialize
Sleep

mswsock

GetAcceptExSockaddrs
AcceptEx

api-ms-win-core-io-l1-1-1

CancelIo

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryA
FindResourceW
LoadLibraryW

bcrypt

BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider
BCryptGenRandom

api-ms-win-core-toolhelp-l1-1-0

Process32FirstW
CreateToolhelp32Snapshot
Process32NextW

api-ms-win-core-kernel32-legacy-l1-1-0

RegisterWaitForSingleObject
UnregisterWait
CreateFileMappingA
GetComputerNameW
GetSystemPowerStatus
MoveFileW

api-ms-win-core-psapi-l1-1-0

K32GetProcessMemoryInfo
K32GetModuleFileNameExW
K32GetModuleInformation

api-ms-win-ntuser-sysparams-l1-1-0

SystemParametersInfoW
GetSystemMetrics

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo
GetNativeSystemInfo

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW

api-ms-win-core-heap-obsolete-l1-1-0

GlobalLock
GlobalSize
GlobalUnlock

api-ms-win-core-file-l1-2-2

GetTempPathA
AreFileApisANSI

api-ms-win-core-memory-l1-1-0

WriteProcessMemory
VirtualFreeEx
CreateFileMappingW
VirtualProtect
MapViewOfFile
VirtualProtectEx
VirtualFree
VirtualQuery
ReadProcessMemory
VirtualAllocEx
UnmapViewOfFile

api-ms-win-core-synch-ansi-l1-1-0

OpenMutexA
CreateSemaphoreA

api-ms-win-core-kernel32-legacy-l1-1-2

OpenFileMappingA

api-ms-win-core-console-l1-2-0

AttachConsole

api-ms-win-core-console-l3-2-0

GetCurrentConsoleFont

api-ms-win-core-job-l2-1-0

SetInformationJobObject
CreateJobObjectW
AssignProcessToJobObject

crypt32

CertEnumCertificatesInStore
CertFindCertificateInStore
CertGetNameStringA
CertFreeCertificateContext
CertGetCertificateContextProperty
CertCloseStore
CertOpenStore
CertDuplicateCertificateContext

wintrust

WTHelperProvDataFromStateData
WTHelperGetProvCertFromChain
WTHelperGetProvSignerFromChain
WinVerifyTrust

api-ms-win-core-fibers-l2-1-0

DeleteFiber
SwitchToFiber
ConvertFiberToThread

api-ms-win-core-fibers-l2-1-1

ConvertThreadToFiberEx
CreateFiberEx

iphlpapi

GetAdaptersAddresses

winhttp

WinHttpCloseHandle
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpSetTimeouts
WinHttpOpen

api-ms-win-core-processthreads-l1-1-3

SetThreadDescription

api-ms-win-core-console-l2-1-0

SetConsoleTextAttribute
GetConsoleScreenBufferInfo

api-ms-win-core-localization-l1-2-1

EnumSystemLocalesEx

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx

api-ms-win-core-processthreads-l1-1-2

SetThreadInformation

api-ms-win-core-wow64-l1-1-0

IsWow64Process

api-ms-win-core-processtopology-obsolete-l1-1-0

SetThreadAffinityMask

api-ms-win-mm-time-l1-1-0

timeGetTime

kernel32

RegisterApplicationRestart
QueryDosDeviceW
TerminateJobObject
K32EnumProcessModules
PowerClearRequest
PowerCreateRequest
PowerSetRequest
QueryInformationJobObject

dsound

ord11
ord2

avrt

AvSetMmThreadPriority
AvRevertMmThreadCharacteristics
AvSetMmThreadCharacteristicsW

api-ms-win-core-namedpipe-l1-1-0

PeekNamedPipe

api-ms-win-core-threadpool-l1-2-0

FreeLibraryWhenCallbackReturns
TrySubmitThreadpoolCallback
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolWork

Exports

Exports

GetHandleVerifier
IsSandboxedProcess

Sections

.text
Size: 19.0MB - Virtual size: 19.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4.7MB - Virtual size: 4.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7.4MB - Virtual size: 7.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1001KB - Virtual size: 1001KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 72KB - Virtual size: 71KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 264KB - Virtual size: 263KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

30d9f75ca35f5bc5db97887ecff35576

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

0f:ab:67:0a:61:bf:4b:7d:af:d5:59:35:6b:5b:cc:ffCertificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

91:e5:9f:08:b9:29:41:0f:2c:13:65:2e:19:24:b1:d2:eb:69:bc:48:91:cc:be:6d:6a:be:57:a3:eb:8d:ac:a2Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ws2_32

gdiplus

dbghelp

ntdll

oleaut32

userenv

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-fibers-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-synch-l1-2-0

mswsock

api-ms-win-core-io-l1-1-1

api-ms-win-core-libraryloader-l1-2-1

bcrypt

api-ms-win-core-toolhelp-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-ntuser-sysparams-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-file-l1-2-2

api-ms-win-core-memory-l1-1-0

api-ms-win-core-synch-ansi-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-2

api-ms-win-core-console-l1-2-0

api-ms-win-core-console-l3-2-0

api-ms-win-core-job-l2-1-0

crypt32

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

0f:ab:67:0a:61:bf:4b:7d:af:d5:59:35:6b:5b:cc:ff
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

91:e5:9f:08:b9:29:41:0f:2c:13:65:2e:19:24:b1:d2:eb:69:bc:48:91:cc:be:6d:6a:be:57:a3:eb:8d:ac:a2
Signer

.text
Size: 19.0MB - Virtual size: 19.0MB

.rdata
Size: 4.7MB - Virtual size: 4.7MB

.data
Size: 7.4MB - Virtual size: 7.6MB

.pdata
Size: 1001KB - Virtual size: 1001KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 72KB - Virtual size: 71KB

.reloc
Size: 264KB - Virtual size: 263KB