e4f9896d5ec6329889fc9874dc3511458c047c7f7110e80c2c5bea2015ada9a1

Sharing

Copy URL Twitter E-mail

General

Target

e4f9896d5ec6329889fc9874dc3511458c047c7f7110e80c2c5bea2015ada9a1
Size

633KB
MD5

297e764e1ec4c645b28b1d1445d34fdf
SHA1

203a486641f7bf33f8ad42ed2694384295432a9a
SHA256

e4f9896d5ec6329889fc9874dc3511458c047c7f7110e80c2c5bea2015ada9a1
SHA512

27c7f5ed6410134d9bd1a22d09348cac3530e5426364ed0e441ff73b846ca3f03c2bb29aeb9094ce73e27457cc9ea3a5668fcc617d1779966c1b80f317fc72f8
SSDEEP

12288:Gacv0LQCx93AL3lr9gZYhUPH+iDsPwSYYRH+a6/n:GhHCxaL3lGZYGHJKe1/n

Score

1^/10

Malware Config

Signatures

Files

e4f9896d5ec6329889fc9874dc3511458c047c7f7110e80c2c5bea2015ada9a1
.exe windows:4 windows x86 arch:x86

22e376959ff7789891de9fc575918cc5

Code Sign

19:9d:f8:8e
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Not Before

08/08/2009, 01:00

Not After

08/08/2024, 01:00

Subject

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

22:48:de:c8:6f:fd:53
Certificate

Issuer

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Not Before

20/11/2012, 22:30

Not After

22/11/2013, 10:54

Subject

CN=广东南方信息安全产业基地有限公司,O=广东南方信息安全产业基地有限公司,L=广州市,ST=广东省,C=CN,1.2.840.113549.1.9.1=#0c15737570706f7274406368696e612d6973692e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageDigitalSignature

3d
Certificate

Issuer

CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Not Before

01/03/2011, 01:00

Not After

01/03/2016, 01:00

Subject

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

4b:5c:6e:ca:5f:99:70:9f:3b:a5:f0:7b:a5:64:70:60:11:f6:65:7c
Signer

Actual PE Digest

4b:5c:6e:ca:5f:99:70:9f:3b:a5:f0:7b:a5:64:70:60:11:f6:65:7c

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

d:\buildserver\wdatsec2\src\WDSOut\release\WDSReader2.pdb

Imports

filedisk

LoadISISafeBoxDriver
MountImageFile
UMountImageFile

wdsecdiskctrl

?StopSecDiskProtect@WDSendOutCtrl@@YAHXZ
?DeleteSecretProcess@WDSendOutCtrl@@YAHK@Z
?SetParentProcess@WDSendOutCtrl@@YAHK@Z
??0CSecDiskProcessNotify@WDSendOutCtrl@@QAE@XZ
??0CRedirectProcessNotify@WDSendOutCtrl@@QAE@XZ
?AddSecretProcess@WDSendOutCtrl@@YAHK@Z
?StartSecDiskProtect@WDSendOutCtrl@@YAHXZ
?SetSecDiskDrive@WDSendOutCtrl@@YAH_W@Z
?InstallWDSendOutDriver@WDSendOutCtrl@@YAKXZ
??1CSecDiskCtrl@WDSendOutCtrl@@UAE@XZ
??0CSecDiskCtrl@WDSendOutCtrl@@QAE@XZ

twbase2

?CurrentUserId@TSoftwareEnvironment@@SAABV?$TFileNameA@$0DI@@@XZ
??0TResult@@QAE@XZ
?GetStringFromId@CTWLang@@QAEPB_WPB_WAAH@Z
HashWithSHA1
?Construct@CTWLang@@QAEHABV?$TFileNameW@$0CAA@@@@Z
TWDebugStringOutput
??0CTWLang@@QAE@XZ
?CreateNewStore@StoreFactory@@SAPAVSourceStore@@PBEH@Z
?CreateNewStoreReadStream@StoreFactory@@SAPAVReadStream@@AAVSourceStore@@@Z
?ReturnReadStream@StoreFactory@@SAXPAVReadStream@@@Z
?ReturnSourceStore@StoreFactory@@SAXPAVSourceStore@@@Z
?CurrentUserName@TSoftwareEnvironment@@SAABV?$TFileNameW@$0CA@@@XZ
?CurrentGroupId@TSoftwareEnvironment@@SAABV?$TFileNameA@$0DI@@@XZ
TWReadFile
?CreateNewStore@StoreFactory@@SAPAVSourceStore@@XZ
?CreateNewStoreWriteStream@StoreFactory@@SAPAVWriteStream@@AAVSourceStore@@@Z
?ReturnWriteStream@StoreFactory@@SAXPAVWriteStream@@@Z
??1CTWLang@@UAE@XZ

usermidware2

?GetMainLoginUserInfo@AuthenMidware@@SAHAAV?$TFileNameA@$0DI@@@AAV?$TFileNameW@$0CA@@@AAH2AAV?$TFileNameW@$0EA@@@301@Z
?Close@UserMidware@@UAEXXZ
?GetUserInfo@UserMidware@@QAEHHQBV?$TFileNameA@$0DI@@@QAVTUserInformation@@QAVTResult@@@Z
??0TUserInformation@@QAE@XZ
?Initialize@UserMidware@@QAEHXZ
??1UserMidware@@UAE@XZ
??0UserMidware@@QAE@XZ

docpencrypt

?CheckEncryptingFile@DOCPEncrypt@@QAEHABV?$TFileNameW@$0CAA@@@AAV?$TFileNameA@$0EA@@@AAV?$TFileNameA@$0BEA@@@@Z
??0DOCPEncrypt@@QAE@XZ
?EncryptFileDone@DOCPEncryptHelper@@QAEHAAV?$TFileNameA@$0EA@@@@Z
?EncryptBlock@DOCPEncryptHelper@@QAEHAAH0H@Z
?SetEncryptingFile@DOCPEncryptHelper@@QAEHABV?$TFileNameW@$0CAA@@@0ABV?$TFileNameA@$0EA@@@ABV?$TFileNameA@$0BEA@@@ABV?$TFileNameA@$0CA@@@@Z
??1DOCPEncryptHelper@@QAE@XZ
??0DOCPEncryptHelper@@QAE@XZ
??1DOCPEncrypt@@QAE@XZ

ekmidware

??1EServiceMidware@@UAE@XZ
?Initialize@EServiceMidware@@QAEHXZ
?Close@EServiceMidware@@UAEXXZ
?GetEKObject@EServiceMidware@@QAEHAAV?$TFileNameA@$0EA@@@AAV?$TFileNameA@$0CA@@@@Z
??0EServiceMidware@@QAE@XZ

configmidware2

?GetUserProfile@ConfigSysMidwareEx@@QAE?AVConfigReturnItem@1@ABVTConfigQueryObject@@H@Z
?Initialize@ConfigSysMidwareEx@@QAEHH@Z
??1ConfigSysMidwareEx@@UAE@XZ
??1ConfigReturnItem@ConfigSysMidwareEx@@QAE@XZ
?Close@ConfigSysMidwareEx@@QAEXXZ
??0TConfigQueryObject@@QAE@XZ
??0ConfigSysMidwareEx@@QAE@XZ

kernel32

InterlockedExchange
CompareStringA
GetLocaleInfoW
lstrcmpA
EnumResourceLanguagesW
ConvertDefaultLocale
GetCurrentThread
FreeResource
GlobalFree
GlobalUnlock
lstrlenW
SetLastError
InterlockedDecrement
MulDiv
FormatMessageW
GlobalAddAtomW
GetVersionExA
LoadLibraryA
CompareStringW
GlobalFindAtomW
GetModuleHandleA
FileTimeToLocalFileTime
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GlobalFlags
TlsGetValue
GlobalReAlloc
GlobalHandle
TlsAlloc
TlsSetValue
LocalReAlloc
TlsFree
InterlockedIncrement
lstrlenA
GetThreadLocale
ReadFile
SetFilePointer
FlushFileBuffers
LockFile
UnlockFile
SetEndOfFile
GetFullPathNameW
GetFileTime
SetErrorMode
HeapFree
HeapAlloc
GetProcessHeap
GetStartupInfoW
ExitProcess
GetSystemTimeAsFileTime
UnhandledExceptionFilter
GlobalLock
RtlUnwind
HeapReAlloc
RaiseException
HeapSize
SetStdHandle
GetFileType
VirtualProtect
VirtualAlloc
GetSystemInfo
VirtualQuery
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
SetHandleCount
GetStartupInfoA
HeapDestroy
HeapCreate
VirtualFree
QueryPerformanceCounter
GetCPInfo
GetACP
GetOEMCP
LCMapStringA
LCMapStringW
GetTimeZoneInformation
GetConsoleCP
GetConsoleMode
GetLocaleInfoA
GetStringTypeA
GetStringTypeW
GetCurrentDirectoryA
GetDriveTypeA
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
CreateFileA
SetEnvironmentVariableA
GetDriveTypeW
TerminateThread
WinExec
GetSystemWow64DirectoryW
GetSystemDirectoryW
ExpandEnvironmentStringsW
OutputDebugStringW
DuplicateHandle
LocalFree
LocalAlloc
SetEvent
CreateEventW
GetVolumeInformationW
lstrcmpW
GlobalAlloc
GlobalDeleteAtom
lstrcpyW
GetVersion
IsDebuggerPresent
GetModuleHandleW
GetLogicalDriveStringsW
WriteFile
SetFileAttributesW
CopyFileW
FreeLibrary
GetProcAddress
LoadLibraryW
WaitForSingleObject
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
CreateDirectoryW
GetLocalTime
GetNativeSystemInfo
GetProcessId
TerminateProcess
Sleep
GetFileAttributesW
FileTimeToSystemTime
GetFileInformationByHandle
MultiByteToWideChar
GetFileSize
CreateThread
GetTickCount
OpenProcess
GetVersionExW
FindClose
FindNextFileW
FindFirstFileW
WideCharToMultiByte
GetPrivateProfileStringW
GetModuleFileNameW
FindResourceW
LoadResource
LockResource
SizeofResource
WritePrivateProfileStringW
GetCommandLineW
GetCurrentDirectoryW
CreateSemaphoreW
GetWindowsDirectoryW
GetLastError
SetUnhandledExceptionFilter
CloseHandle
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
CreateFileW

user32

CharNextW
CopyAcceleratorTableW
IsRectEmpty
SetRect
InvalidateRect
InvalidateRgn
GetNextDlgGroupItem
MessageBeep
UnregisterClassW
CharUpperW
RegisterClipboardFormatW
PostThreadMessageW
GetMenu
CreateWindowExW
GetClassInfoExW
GetClassInfoW
RegisterClassW
GetSysColor
AdjustWindowRectEx
EqualRect
PtInRect
DefWindowProcW
CallWindowProcW
OffsetRect
IntersectRect
SystemParametersInfoA
GetWindowPlacement
GetWindowRect
GetLastActivePopup
SetCursor
CallNextHookEx
GetMessageW
TranslateMessage
DispatchMessageW
GetKeyState
PeekMessageW
ValidateRect
SetMenuItemBitmaps
GetMenuCheckMarkDimensions
LoadBitmapW
ModifyMenuW
CheckMenuItem
GetMenuState
GetMenuItemID
GetSysColorBrush
GetMenuItemCount
UnhookWindowsHookEx
GetWindowTextLengthW
GetWindowTextW
GetFocus
SetFocus
MoveWindow
SetWindowLongW
GetDlgCtrlID
SetWindowTextW
IsDialogMessageW
SendDlgItemMessageW
ReleaseDC
GetDC
CopyRect
GetWindow
SetWindowContextHelpId
MapDialogRect
SetWindowPos
GetDesktopWindow
GetActiveWindow
SetActiveWindow
CreateDialogIndirectParamW
DestroyWindow
GetDlgItem
IsWindowEnabled
GetParent
GetNextDlgTabItem
EndDialog
PostQuitMessage
TrackPopupMenu
SetMenuDefaultItem
IsWindowVisible
IsWindow
RegisterWindowMessageW
SetForegroundWindow
SetWindowsHookExW
PostMessageW
EnableWindow
SendMessageW
EnumWindows
EnableMenuItem
GetSubMenu
LoadMenuW
GetCursorPos
CloseClipboard
GetWindowThreadProcessId
DestroyIcon
DrawIcon
GetClientRect
GetSystemMetrics
IsIconic
ShowWindow
LoadImageW
LoadIconW
wsprintfW
EmptyClipboard
OpenClipboard
MessageBoxW
ReleaseCapture
LoadCursorW
SetCapture
DestroyMenu
EndPaint
BeginPaint
GetWindowDC
ClientToScreen
GrayStringW
DrawTextExW
DrawTextW
TabbedTextOutW
SendDlgItemMessageA
WinHelpW
IsChild
GetCapture
GetClassLongW
GetClassNameW
SetPropW
GetPropW
RemovePropW
GetForegroundWindow
GetTopWindow
GetMessageTime
GetMessagePos
MapWindowPoints
UpdateWindow
GetWindowLongW
UnregisterClassA

gdi32

GetWindowExtEx
DeleteObject
SetMapMode
RestoreDC
SaveDC
PtVisible
RectVisible
TextOutW
ExtTextOutW
Escape
SelectObject
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
GetViewportExtEx
ExtSelectClipRgn
DeleteDC
GetStockObject
GetBkColor
GetTextColor
GetRgnBox
GetMapMode
GetObjectW
SetBkColor
SetTextColor
GetClipBox
CreateBitmap
GetDeviceCaps
CreateRectRgnIndirect

comdlg32

GetFileTitleW

winspool.drv

DocumentPropertiesW
OpenPrinterW
ClosePrinter

advapi32

RegSetValueExW
RegCreateKeyExW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegDeleteKeyW
RegOpenKeyW
RegEnumKeyW
RegQueryValueW

shell32

SHGetFileInfoW
ShellExecuteExW
SHBrowseForFolderW
SHGetPathFromIDListW
SHGetMalloc
SHGetSpecialFolderLocation
SHGetFolderPathW
Shell_NotifyIconW
ShellExecuteW

comctl32

InitCommonControlsEx

shlwapi

PathGetDriveNumberW
PathFindFileNameW
PathRemoveFileSpecW
PathIsNetworkPathW
UrlUnescapeW
PathStripToRootW
PathIsUNCW
PathFindExtensionW

oledlg

OleUIBusyW

ole32

CoGetClassObject
StgOpenStorageOnILockBytes
StgCreateDocfileOnILockBytes
CreateILockBytesOnHGlobal
OleUninitialize
CoFreeUnusedLibraries
CoTaskMemAlloc
CoRevokeClassObject
OleIsCurrentClipboard
OleFlushClipboard
CoRegisterMessageFilter
CoTaskMemFree
OleInitialize
CLSIDFromProgID
CLSIDFromString

oleaut32

VariantCopy
VarDateFromStr
SysAllocString
SafeArrayDestroy
SystemTimeToVariantTime
OleCreateFontIndirect
VariantInit
VariantChangeType
VariantClear
SysStringLen
SysAllocStringLen
SysFreeString
VariantTimeToSystemTime

dbghelp

MiniDumpWriteDump

psapi

GetModuleBaseNameW
EnumProcesses

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

ws2_32

socket
htonl
setsockopt
WSACleanup
WSAStartup
htons
sendto
recvfrom
closesocket
ntohl
inet_addr

wininet

InternetOpenUrlW
InternetCanonicalizeUrlW
InternetQueryOptionW
InternetSetOptionExW
InternetReadFile
InternetWriteFile
InternetSetFilePointer
InternetSetStatusCallbackW
InternetOpenW
InternetGetLastResponseInfoW
InternetCloseHandle
HttpQueryInfoW
InternetQueryDataAvailable
InternetCrackUrlW

Sections

.text
Size: 348KB - Virtual size: 347KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 88KB - Virtual size: 85KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 172KB - Virtual size: 168KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

22e376959ff7789891de9fc575918cc5

Code Sign

19:9d:f8:8eCertificate

Key Usages

22:48:de:c8:6f:fd:53Certificate

Extended Key Usages

Key Usages

3dCertificate

Key Usages

4b:5c:6e:ca:5f:99:70:9f:3b:a5:f0:7b:a5:64:70:60:11:f6:65:7cSigner

Headers

File Characteristics

PDB Paths

Imports

filedisk

wdsecdiskctrl

twbase2

usermidware2

docpencrypt

ekmidware

configmidware2

kernel32

user32

gdi32

comdlg32

winspool.drv

advapi32

shell32

comctl32

shlwapi

oledlg

ole32

oleaut32

dbghelp

psapi

version

ws2_32

wininet

Sections

.text Size: 348KB - Virtual size: 347KB

.rdata Size: 88KB - Virtual size: 85KB

.data Size: 16KB - Virtual size: 42KB

.rsrc Size: 172KB - Virtual size: 168KB

19:9d:f8:8e
Certificate

22:48:de:c8:6f:fd:53
Certificate

3d
Certificate

4b:5c:6e:ca:5f:99:70:9f:3b:a5:f0:7b:a5:64:70:60:11:f6:65:7c
Signer

.text
Size: 348KB - Virtual size: 347KB

.rdata
Size: 88KB - Virtual size: 85KB

.data
Size: 16KB - Virtual size: 42KB

.rsrc
Size: 172KB - Virtual size: 168KB