1[.]6[.]3[.]49012[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

1.6.3.49012.exe
Size

704KB
MD5

b6d0bc4c81c6cfcab12a93537ff044c8
SHA1

0e6922e246438c08f8e40692bdce695c7aeccd37
SHA256

fa887ae923b050f6d9191ac508d0083dcd67fca457cc9e2b8251ef4583294133
SHA512

8ee584f15852d88185ccff389a1792372a00031d55122201858401d42d786c39cf0119c8512c0291c6b585bfb5fdf390d84f9a8319872ba01f7f64b485be5fbe
SSDEEP

12288:LcIyTivaanv0rAtXyC3v9v+GEhwPETQFDen6L7e5BJ:LcIyTiSy7X1vQGOwETkfeXJ

Score

1^/10

Malware Config

Signatures

Files

1.6.3.49012.exe
.exe windows:5 windows x86 arch:x86

282c38911da10b534bd5e5acdd7a7c14

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cb
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=thawte SHA256 Code Signing CA,O=thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

69:4e:21:5b:8d:f6:f1:77:f5:00:12:fe:bd:09:bd:a6
Certificate

Issuer

CN=thawte SHA256 Code Signing CA,O=thawte\, Inc.,C=US

Not Before

11/10/2016, 00:00

Not After

11/10/2019, 23:59

Subject

CN=Roblox Corporation,O=Roblox Corporation,L=San Mateo,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

e2:45:5e:20:d0:7c:33:c2:27:f8:53:ca:f0:4a:e3:92:67:a4:a0:9d
Signer

Actual PE Digest

e2:45:5e:20:d0:7c:33:c2:27:f8:53:ca:f0:4a:e3:92:67:a4:a0:9d

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\BuildAgent\work\Trunk2012\build.msvc\Win32\Installer-Release\BootstrapperRccService\Roblox.pdb

Imports

kernel32

InitializeCriticalSectionAndSpinCount
SetEvent
SetEndOfFile
WriteConsoleW
OutputDebugStringW
SetStdHandle
SetFilePointer
ReadConsoleW
GetOEMCP
GetACP
IsValidCodePage
GetConsoleMode
GetConsoleCP
FlushFileBuffers
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetFileType
GetStdHandle
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
CreateEventA
GetModuleHandleW
CloseHandle
GetLocaleInfoW
LCMapStringW
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCPInfo
WaitForSingleObject
GetProcAddress
LocalFree
FormatMessageA
LockResource
FreeLibrary
GetLastError
LoadResource
SizeofResource
LoadLibraryW
FindResourceW
FindResourceExW
CreateDirectoryW
CreateFileW
GetFileAttributesW
GetVersionExW
MultiByteToWideChar
WideCharToMultiByte
GetFileSizeEx
GetSystemTime
GetTempPathW
GetFileAttributesExW
DeleteFileW
VerSetConditionMask
InterlockedIncrement
InterlockedDecrement
OpenProcess
GetCurrentProcess
TerminateProcess
RaiseException
GetCurrentThread
GetCurrentThreadId
DeleteCriticalSection
ReleaseMutex
Sleep
FindClose
CompareFileTime
GetTickCount
MapViewOfFile
UnmapViewOfFile
lstrlenW
CreateMutexW
CreateEventW
CreateFileMappingW
GetModuleFileNameW
CreateProcessW
GetDiskFreeSpaceExW
RemoveDirectoryW
SetFileAttributesW
FindFirstFileW
FindNextFileW
VerifyVersionInfoW
GetGeoInfoW
GetUserGeoID
GetSystemTimeAsFileTime
CreateSemaphoreA
WaitForSingleObjectEx
ReleaseSemaphore
DuplicateHandle
GetModuleHandleA
GetProcessHeap
HeapAlloc
HeapFree
FormatMessageW
InterlockedExchange
InterlockedExchangeAdd
InterlockedCompareExchange
TerminateThread
SetLastError
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
QueueUserAPC
EnterCriticalSection
LeaveCriticalSection
WaitForMultipleObjects
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SleepEx
SetWaitableTimer
GetShortPathNameW
WriteFile
GetFileTime
SetFileTime
LocalFileTimeToFileTime
DosDateTimeToFileTime
lstrcmpiW
lstrcpyW
lstrcatW
OpenEventA
WaitForMultipleObjectsEx
GetCurrentProcessId
ResetEvent
ResumeThread
SystemTimeToFileTime
CreateWaitableTimerW
GetExitCodeProcess
DebugBreak
QueryPerformanceCounter
QueryPerformanceFrequency
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
HeapDestroy
HeapReAlloc
HeapSize
EncodePointer
DecodePointer
GetStringTypeW
RtlUnwind
GetCommandLineW
ExitProcess
GetModuleHandleExW
AreFileApisANSI
CreateThread
ExitThread
LoadLibraryExW
ReadFile
IsDebuggerPresent
IsProcessorFeaturePresent
SetFilePointerEx

advapi32

RegFlushKey
OpenProcessToken
OpenThreadToken
IsValidSid
GetSidLengthRequired
InitializeSid
GetSidSubAuthority
GetLengthSid
RegCloseKey
RegCreateKeyExW
RegSetValueExW
GetTokenInformation
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextW
RegQueryValueExW
RegOpenKeyExW
CopySid
RegEnumKeyExW
RegDeleteValueW
RegDeleteKeyW
CheckTokenMembership
DuplicateToken

ole32

CoCreateInstance
CoUninitialize
CoInitialize
CoCreateGuid
CreateStreamOnHGlobal

oleaut32

RegisterTypeLi

shlwapi

PathAddBackslashW
PathFileExistsW
StrCmpNW
SHDeleteKeyW
StrDupW
StrRChrW
StrCpyW

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

sensapi

IsNetworkAlive

userenv

UnloadUserProfile

ws2_32

socket
closesocket
connect
ioctlsocket
getsockopt
select
setsockopt
sendto
WSAStartup
WSACleanup
WSASetLastError
WSAGetLastError
WSARecv
WSASend
WSASocketW
getaddrinfo
freeaddrinfo
htons
gethostbyname

wininet

HttpAddRequestHeadersW
HttpOpenRequestW
InternetQueryDataAvailable
HttpSendRequestW
InternetReadFile
InternetCloseHandle
InternetOpenW
HttpSendRequestExW
HttpEndRequestW
InternetSetOptionW
InternetWriteFile
InternetConnectW
HttpQueryInfoW

psapi

EnumProcesses
GetProcessImageFileNameW

comctl32

_TrackMouseEvent
InitCommonControlsEx

gdiplus

GdipFree
GdipCreateHBITMAPFromBitmap
GdipCreateBitmapFromStreamICM
GdipCreateBitmapFromStream
GdipDisposeImage
GdipCloneImage
GdiplusShutdown
GdipAlloc
GdiplusStartup

iphlpapi

GetAdaptersInfo

user32

GetMessageW
TranslateMessage
DispatchMessageW
PostThreadMessageW
SetWindowPos
CharUpperW
CharNextW
SetFocus
LoadAcceleratorsW
TranslateAcceleratorW
SetWindowTextW
MessageBoxW
EnumWindows
GetWindowThreadProcessId
PostMessageW
IsWindowVisible
SetForegroundWindow
GetWindowTextW
SendMessageW
CallWindowProcW
RegisterClassW
CreateWindowExW
DestroyWindow
ShowWindow
GetDlgItem
SetTimer
KillTimer
EnableWindow
GetSystemMetrics
GetWindowLongW
SetWindowLongW
LoadIconW
LoadBitmapW

gdi32

CreateSolidBrush
DeleteObject

shell32

SHGetFolderPathAndSubDirW
ShellExecuteExW

Sections

.text
Size: 404KB - Virtual size: 404KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 133KB - Virtual size: 133KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 40KB - Virtual size: 369KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 78KB - Virtual size: 77KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

282c38911da10b534bd5e5acdd7a7c14

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cbCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

69:4e:21:5b:8d:f6:f1:77:f5:00:12:fe:bd:09:bd:a6Certificate

Extended Key Usages

Key Usages

e2:45:5e:20:d0:7c:33:c2:27:f8:53:ca:f0:4a:e3:92:67:a4:a0:9dSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

advapi32

ole32

oleaut32

shlwapi

version

sensapi

userenv

ws2_32

wininet

psapi

comctl32

gdiplus

iphlpapi

user32

gdi32

shell32

Sections

.text Size: 404KB - Virtual size: 404KB

.rdata Size: 133KB - Virtual size: 133KB

.data Size: 40KB - Virtual size: 369KB

.tls Size: 512B - Virtual size: 2B

.rsrc Size: 78KB - Virtual size: 77KB

.reloc Size: 41KB - Virtual size: 40KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

71:a0:b7:36:95:dd:b1:af:c2:3b:2b:9a:18:ee:54:cb
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

69:4e:21:5b:8d:f6:f1:77:f5:00:12:fe:bd:09:bd:a6
Certificate

e2:45:5e:20:d0:7c:33:c2:27:f8:53:ca:f0:4a:e3:92:67:a4:a0:9d
Signer

.text
Size: 404KB - Virtual size: 404KB

.rdata
Size: 133KB - Virtual size: 133KB

.data
Size: 40KB - Virtual size: 369KB

.tls
Size: 512B - Virtual size: 2B

.rsrc
Size: 78KB - Virtual size: 77KB

.reloc
Size: 41KB - Virtual size: 40KB