PDB path (presumably embedded in Permanent Spoofer.exe, the only x64 PE listed below): C:\Users\admin\Desktop\Beatware.xyz\sources\Beatware Perm Spoofer src\x64\Release\BW-Perm.pdb
Static task
static1
Behavioral task
behavioral1
Sample
Permanent Spoofer Cracked By Arctic/Permanent Spoofer/Permanent Spoofer.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
Permanent Spoofer Cracked By Arctic/Permanent Spoofer/Permanent Spoofer.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
Permanent Spoofer Cracked By Arctic/Permanent Spoofer/TMACv6.0.7_Setup.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Permanent Spoofer Cracked By Arctic/Permanent Spoofer/TMACv6.0.7_Setup.exe
Resource
win10v2004-20240419-en
General
-
Target
UAC.rar
-
Size
1.9MB
-
MD5
ff33566151ffcc9d41bfad343b30684c
-
SHA1
3e297c2da9eea1c61b1cfdac569d13d088a31a88
-
SHA256
702854666ed56295d2e5d5d5396747898c314122e4293e40db4f69e26d6b17a0
-
SHA512
2bde08759101dd50eb7e9cbf7fdc3832fbf255b5a13c60ae2ed900e9497e2ee8193ed1ab048e4ebf1e201dca2abd45f7ae8a0d5bca5b612f221c06c2d3aadac9
-
SSDEEP
49152:f4doOfd0ei3LM4L82em56lQ749zCTVL+4:fK0TutmpKzCZLb
Malware Config
Signatures
-
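Unsigned PE (2 IoCs)
Checks for missing Authenticode signature. A missing signature means the publisher and the file's integrity cannot be verified; on its own it is a weak indicator and should be weighed together with the other findings.
resource unpack001/Permanent Spoofer Cracked By Arctic/Permanent Spoofer/Permanent Spoofer.exe
resource unpack001/Permanent Spoofer Cracked By Arctic/Permanent Spoofer/TMACv6.0.7_Setup.exe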
Files
-
UAC.rar (.rar)
-
Permanent Spoofer Cracked By Arctic/Permanent Spoofer/Permanent Spoofer.exe (.exe) windows:6 windows x64 arch:x64
7d861bbd0b2546617f45758f389c6591
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
kernel32
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
WideCharToMultiByte
GetCurrentProcessId
CreateFileA
WaitForMultipleObjects
PeekNamedPipe
ReadFile
GetFileType
GetEnvironmentVariableA
MultiByteToWideChar
WaitForSingleObjectEx
MoveFileExA
GetTickCount
QueryPerformanceCounter
VerifyVersionInfoA
LoadLibraryA
GetProcAddress
FreeLibrary
GetSystemDirectoryA
QueryPerformanceFrequency
VerSetConditionMask
SleepEx
LeaveCriticalSection
EnterCriticalSection
LocalFree
FormatMessageA
SetLastError
QueryFullProcessImageNameW
GetModuleHandleW
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
VirtualProtect
CreateThread
DeleteCriticalSection
InitializeCriticalSectionEx
HeapSize
HeapReAlloc
HeapDestroy
GetLastError
CreateFileW
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
OutputDebugStringW
K32EnumProcessModules
GetConsoleWindow
HeapFree
K32GetModuleFileNameExA
Sleep
GetLogicalDriveStringsW
GetStdHandle
GetCurrentProcess
SetConsoleTitleA
SetConsoleTextAttribute
GetConsoleScreenBufferInfo
GetModuleFileNameA
CloseHandle
Process32Next
CreateToolhelp32Snapshot
GetModuleHandleA
Process32First
GetProcessHeap
HeapAlloc
GetFileSizeEx
user32
ShowWindow
BlockInput
MessageBoxW
MessageBoxA
advapi32
CryptEncrypt
OpenProcessToken
AddAccessAllowedAce
GetLengthSid
GetTokenInformation
InitializeAcl
IsValidSid
SetSecurityInfo
CopySid
ConvertSidToStringSidA
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptGenRandom
RegCreateKeyExA
RegCloseKey
RegSetValueExA
CryptCreateHash
CryptImportKey
CryptDestroyKey
CryptDestroyHash
CryptHashData
shell32
ShellExecuteA
msvcp140
??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAGXZ
?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z
?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z
?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAPEAV12@PEA_W_J@Z
?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@H@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??Bid@locale@std@@QEAA_KXZ
?_Xbad_function_call@std@@YAXXZ
_Xtime_get_ticks
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
_Query_perf_counter
_Thrd_sleep
_Cnd_do_broadcast_at_thread_exit
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?_Xout_of_range@std@@YAXPEBD@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Xlength_error@std@@YAXPEBD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Random_device@std@@YAIXZ
?id@?$ctype@D@std@@2V0locale@2@A
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?good@ios_base@std@@QEBA_NXZ
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
normaliz
IdnToAscii
wldap32
ord217
ord46
ord211
ord60
ord200
ord143
ord33
ord35
ord79
ord32
ord45
ord301
ord27
ord26
ord50
ord30
ord41
ord22
crypt32
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CertFreeCertificateChain
CertGetCertificateChain
CertCloseStore
CertAddCertificateContextToStore
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CryptStringToBinaryA
CryptDecodeObjectEx
PFXImportCertStore
CertOpenStore
ws2_32
htons
getsockname
setsockopt
getpeername
WSASetLastError
WSAIoctl
WSAStartup
connect
WSACleanup
accept
htonl
listen
ioctlsocket
__WSAFDIsSet
bind
select
getaddrinfo
freeaddrinfo
recvfrom
WSAGetLastError
sendto
gethostname
ntohl
send
recv
closesocket
getsockopt
socket
ntohs
rpcrt4
UuidToStringA
UuidCreate
RpcStringFreeA
psapi
GetModuleInformation
userenv
UnloadUserProfile
vcruntime140_1
__CxxFrameHandler4
vcruntime140
memset
strrchr
memcpy
memcmp
memchr
_CxxThrowException
strstr
__std_terminate
__std_exception_copy
__std_exception_destroy
strchr
__current_exception
__current_exception_context
memmove
__C_specific_handler
api-ms-win-crt-heap-l1-1-0
malloc
realloc
calloc
free
_callnewh
_set_new_mode
api-ms-win-crt-multibyte-l1-1-0
_mbsstr
api-ms-win-crt-utility-l1-1-0
rand
srand
qsort
api-ms-win-crt-string-l1-1-0
_strdup
strncmp
isupper
tolower
strncpy
strpbrk
strspn
strcmp
strcspn
api-ms-win-crt-stdio-l1-1-0
_lseeki64
__acrt_iob_func
fwrite
ftell
fseek
feof
__stdio_common_vsscanf
fputs
fopen
fputc
_set_fmode
__p__commode
_read
_write
fclose
__stdio_common_vsprintf
_popen
_pclose
fgets
fflush
_open
_close
fread
api-ms-win-crt-runtime-l1-1-0
_errno
system
terminate
_wsystem
__sys_nerr
_invalid_parameter_noinfo
_beginthreadex
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
__p___argc
_resetstkoflw
_exit
_initterm_e
_initterm
_get_initial_narrow_environment
strerror
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
exit
_invalid_parameter_noinfo_noreturn
_getpid
api-ms-win-crt-time-l1-1-0
_gmtime64
_time64
api-ms-win-crt-filesystem-l1-1-0
remove
_access
_unlink
_stat64
_fstat64
api-ms-win-crt-convert-l1-1-0
strtoull
atoi
strtod
strtol
strtoll
strtoul
api-ms-win-crt-locale-l1-1-0
_configthreadlocale
localeconv
api-ms-win-crt-math-l1-1-0
_dclass
__setusermatherr
Sections
.text Size: 530KB - Virtual size: 529KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 126KB - Virtual size: 126KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 3KB - Virtual size: 10KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 19KB - Virtual size: 19KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 512B - Virtual size: 488B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
Permanent Spoofer Cracked By Arctic/Permanent Spoofer/TMACv6.0.7_Setup.exe (.exe) windows:4 windows x86 arch:x86
a8fd72e864d14b8484dd49e800fd3a36
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
msvbvm60
__vbaStrI2
_CIcos
_adj_fptan
__vbaStrI4
__vbaAryMove
__vbaFreeVar
__vbaLenBstr
__vbaStrVarMove
__vbaPut3
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaRecAnsiToUni
ord519
__vbaCopyBytes
__vbaStrCat
__vbaLsetFixstr
__vbaRecDestruct
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryVar
__vbaAryDestruct
ord669
__vbaExitProc
ord593
ord594
__vbaObjSet
__vbaOnError
ord595
ord596
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
ord598
ord305
__vbaStrTextCmp
__vbaEraseKeepData
_CIsin
ord631
__vbaErase
ord709
ord525
__vbaChkstk
__vbaFileClose
EVENT_SINK_AddRef
__vbaGenerateBoundsError
ord529
__vbaStrCmp
__vbaAryConstruct2
__vbaGet4
__vbaPutOwner3
__vbaI2I4
DllFunctionCall
__vbaFpUI1
__vbaCastObjVar
__vbaRedimPreserve
_adj_fpatan
__vbaFixstrConstruct
__vbaLateIdCallLd
__vbaRedim
__vbaStrR8
__vbaRecUniToAnsi
EVENT_SINK_Release
ord600
__vbaUI1I2
_CIsqrt
__vbaObjIs
ord311
EVENT_SINK_QueryInterface
__vbaStr2Vec
__vbaUI1I4
__vbaStrUI1
__vbaExceptHandler
ord711
ord313
ord712
__vbaPrintFile
__vbaStrToUnicode
ord606
_adj_fprem
_adj_fdivr_m64
ord714
ord531
__vbaFPException
ord717
ord532
__vbaUbound
__vbaGetOwner3
__vbaStrVarVal
__vbaVarCat
ord537
__vbaFileSeek
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaInStr
__vbaVar2Vec
ord570
__vbaNew2
ord648
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
ord576
_adj_fdivr_m32
__vbaPowerR8
_adj_fdiv_r
ord685
ord100
ord579
__vbaAryLock
__vbaVarAdd
__vbaVarDup
__vbaStrToAnsi
ord613
__vbaFpI2
ord616
_CIatan
__vbaCastObj
ord618
__vbaAryCopy
__vbaStrMove
_allmul
__vbaLateIdSt
_CItan
__vbaAryUnlock
__vbaUI1Var
_CIexp
ord580
__vbaRecAssign
__vbaFreeObj
__vbaFreeStr
Sections
.text Size: 164KB - Virtual size: 163KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 4KB - Virtual size: 7KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 12KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
-
Permanent Spoofer Cracked By Arctic/Permanent Spoofer/instructions.txt