82d281163531416fabba9d879a852c10_NEIKI

Sharing

Copy URL Twitter E-mail

General

Target

82d281163531416fabba9d879a852c10_NEIKI
Size

668KB
MD5

82d281163531416fabba9d879a852c10
SHA1

3c5763e5815709913d0fc7a6e78cc091341cf71c
SHA256

48eb76a2851406fc5506a60bf41ad6445130bf96bbf918100be5655ee99a2397
SHA512

b586a4102a035f2993af61c8a4346b15f913b6db5b1a25fbc1b05d0e9ca4b51c99174c86601568d560dd58c4e7d878dbed1fd76c7d46433fb15d636e5ff3e5ca
SSDEEP

12288:eVDR/BfBdvxTDpZxdwxDKG89XLIKuNi+iLxxjUqoEyxLRAlajDPbWif5cWoXjuU:eDjjT1jdwxD789XMJNi+GxxvohlDzWnN

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
82d281163531416fabba9d879a852c10_NEIKI
unpack001/uninst.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
sample	nsis_installer_1
sample	nsis_installer_2
static1/unpack001/uninst.exe	nsis_installer_1
static1/unpack001/uninst.exe	nsis_installer_2

Files

82d281163531416fabba9d879a852c10_NEIKI
.exe windows:4 windows x86 arch:x86

099c0646ea7282d232219f8807883be0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetTickCount
CreateFileA
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
SetFileTime
GetTempPathA
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
GetVersion
CloseHandle
lstrcmpiA
lstrcmpA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GetModuleHandleA
LoadLibraryExA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetWindowsDirectoryA

user32

EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
DestroyWindow
CreateDialogParamA
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
OpenClipboard
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 60KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/modern-header.bmp
iconAnimate.exe
.exe windows:5 windows x86 arch:x86

12cef7068fc6baac4b938be8efb7baf5

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

19:6d:f8:a7
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Not Before

08/08/2012, 01:00

Not After

08/08/2027, 01:00

Subject

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

10:35:c2:9f:17:23:8d
Certificate

Issuer

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Not Before

27/09/2013, 01:35

Not After

28/09/2014, 15:17

Subject

CN=上海三七玩网络科技有限公司,O=上海三七玩网络科技有限公司,L=上海市,ST=上海市,C=CN,1.2.840.113549.1.9.1=#0c137369676e617475726540333777616e2e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageDigitalSignature

3d
Certificate

Issuer

CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Not Before

01/03/2011, 01:00

Not After

01/03/2016, 01:00

Subject

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

4c:83:8e:dd:09:42:16:cb:73:a3:ae:8b:4c:02:7a:16:62:56:81:a9
Signer

Actual PE Digest

4c:83:8e:dd:09:42:16:cb:73:a3:ae:8b:4c:02:7a:16:62:56:81:a9

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

E:\37wan项目\delphi项目\vcLander\xy_new\04代码\Bin\iconAnimate.pdb

Imports

kernel32

SetLastError
GetCurrentProcess
lstrlenA
CloseHandle
SetEvent
WriteFile
WaitForSingleObject
TerminateThread
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
VirtualFreeEx
FlushFileBuffers
CreateFileA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
GetConsoleMode
GetConsoleCP
SetFilePointer
InitializeCriticalSectionAndSpinCount
GetModuleHandleA
GetStringTypeA
GetLocaleInfoA
lstrcmpiW
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
GetStartupInfoA
GetFileType
SetHandleCount
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
IsValidCodePage
GetOEMCP
GetACP
GetModuleFileNameA
GetStdHandle
HeapCreate
HeapReAlloc
HeapSize
ExitProcess
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
LCMapStringW
LCMapStringA
GetCPInfo
CreateDirectoryW
ReleaseMutex
CreateMutexW
InterlockedIncrement
DeleteCriticalSection
InitializeCriticalSection
GetModuleFileNameW
LoadLibraryExW
FindResourceW
LoadResource
SizeofResource
MultiByteToWideChar
GetLastError
lstrlenW
GetModuleHandleW
GetProcAddress
FreeLibrary
RaiseException
GetCurrentThreadId
LeaveCriticalSection
EnterCriticalSection
ResumeThread
Sleep
GetTickCount
GetStringTypeW
RtlUnwind
GetStartupInfoW
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
CreateThread
ExitThread
InterlockedExchange
WideCharToMultiByte
VirtualAlloc
VirtualFree
LoadLibraryA
HeapAlloc
HeapFree
InterlockedDecrement

user32

SetWindowPos
ShowWindow
UpdateWindow
LoadStringW
CopyRect
PostMessageW
LoadMenuW
GetSubMenu
SetLayeredWindowAttributes
SetWindowLongW
GetWindowLongW
DestroyMenu
DefWindowProcW
TrackPopupMenu
WindowFromPoint
DispatchMessageW
TranslateMessage
GetMessageW
PeekMessageW
CharNextW
DestroyWindow
LoadIconW
LoadCursorW
RegisterClassExW
SendMessageW
ClientToScreen
PostQuitMessage
RemoveMenu
GetWindowThreadProcessId
OffsetRect
GetWindow
FindWindowExW
FindWindowW
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
SystemParametersInfoW
SetWindowTextW
LoadBitmapW
SetCursor
PtInRect
CreateWindowExW
UnregisterClassA

gdi32

StretchBlt
GetObjectW
DeleteDC
SelectObject
CreateCompatibleDC

advapi32

RegDeleteKeyW
RegQueryInfoKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey

shell32

SHGetSpecialFolderPathW
ShellExecuteW

ole32

CoUninitialize
OleUninitialize
OleInitialize
CoInitialize
CoCreateInstance
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree

oleaut32

VarUI4FromStr

shlwapi

PathFileExistsW

comctl32

_TrackMouseEvent

msimg32

TransparentBlt

Sections

.text
Size: 89KB - Virtual size: 88KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 162KB - Virtual size: 162KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
iconTips.exe
.exe windows:5 windows x86 arch:x86

bd18726ee6fe4079a3ed305b77e1927e

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

19:6d:f8:a7
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Not Before

08/08/2012, 01:00

Not After

08/08/2027, 01:00

Subject

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

10:35:c2:9f:17:23:8d
Certificate

Issuer

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Not Before

27/09/2013, 01:35

Not After

28/09/2014, 15:17

Subject

CN=上海三七玩网络科技有限公司,O=上海三七玩网络科技有限公司,L=上海市,ST=上海市,C=CN,1.2.840.113549.1.9.1=#0c137369676e617475726540333777616e2e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageDigitalSignature

3d
Certificate

Issuer

CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Not Before

01/03/2011, 01:00

Not After

01/03/2016, 01:00

Subject

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

16:32:5e:24:24:32:60:9e:85:f7:5c:4a:8d:e2:4c:22:19:8c:77:e9
Signer

Actual PE Digest

16:32:5e:24:24:32:60:9e:85:f7:5c:4a:8d:e2:4c:22:19:8c:77:e9

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

E:\37wan项目\delphi项目\vcLander\xy_new\04代码\Bin\iconTips.pdb

Imports

kernel32

GetCurrentProcess
lstrlenA
CloseHandle
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
VirtualFreeEx
CreateEventW
SetEvent
CreateFileW
WriteFile
WaitForSingleObject
TerminateThread
WritePrivateProfileStringW
GetPrivateProfileStringW
WideCharToMultiByte
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetStartupInfoW
InterlockedExchange
InterlockedCompareExchange
CreateDirectoryW
ReleaseMutex
CreateMutexW
InterlockedIncrement
GetModuleFileNameW
LoadLibraryExW
FindResourceW
LoadResource
SizeofResource
MultiByteToWideChar
GetLastError
lstrcmpiW
GetModuleHandleW
GetProcAddress
FreeLibrary
DeleteCriticalSection
InitializeCriticalSection
RaiseException
GetCurrentThreadId
LeaveCriticalSection
EnterCriticalSection
ResumeThread
Sleep
GetTickCount
InterlockedDecrement
DeleteFileW
lstrlenW

user32

UnregisterClassA
SetLayeredWindowAttributes
DefWindowProcW
LoadStringW
ShowWindow
SetWindowPos
PostMessageW
WindowFromPoint
UpdateWindow
CopyRect
SetWindowLongW
GetWindowLongW
PostQuitMessage
GetWindowThreadProcessId
OffsetRect
ClientToScreen
GetWindow
FindWindowExW
FindWindowW
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
SetWindowTextW
LoadBitmapW
InflateRect
DrawTextW
RedrawWindow
SetCursor
PtInRect
CreateWindowExW
SendMessageW
SystemParametersInfoW
RegisterClassExW
DispatchMessageW
TranslateMessage
GetMessageW
PeekMessageW
CharNextW
DestroyWindow
LoadIconW
LoadCursorW

gdi32

CreateFontW
DeleteObject
GetObjectW
RestoreDC
SetTextColor
SetBkMode
SaveDC
DeleteDC
BitBlt
SelectObject
CreateCompatibleDC

advapi32

RegCreateKeyExW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
IsTextUnicode
RegDeleteValueW
RegDeleteKeyW
RegSetValueExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey

shell32

SHGetSpecialFolderPathW
ShellExecuteW

ole32

CoTaskMemFree
CoTaskMemRealloc
CoTaskMemAlloc
CoCreateInstance
CoInitialize
OleInitialize
OleUninitialize
CoUninitialize
CoCreateGuid

oleaut32

VarUI4FromStr

shlwapi

PathFileExistsW

comctl32

_TrackMouseEvent

msimg32

TransparentBlt

msvcp90

??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@ABV10@0@Z
??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@ABV10@PB_W@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
?assign@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@PB_W@Z
?npos@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@2IB
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
??$?8_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@0@Z
?swap@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXAAV12@@Z
?substr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE?AV12@II@Z
?find@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIPB_WI@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z
?rfind@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEI_WI@Z

msvcr90

fclose
fread
_CxxThrowException
strstr
strncmp
_stricmp
_strnicmp
fopen
_invalid_parameter_noinfo
swprintf_s
wcsstr
exit
realloc
memmove
fseek
ftell
memset
_unlock
__dllonexit
_encode_pointer
_lock
_onexit
_decode_pointer
?terminate@@YAXXZ
__wgetmainargs
_cexit
_exit
_XcptFilter
_wcmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler4_common
_crt_debugger_hook
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_invoke_watson
_controlfp_s
__CxxFrameHandler3
memcpy
_amsg_exit
??3@YAXPAX@Z
??_V@YAXPAX@Z
??2@YAPAXI@Z
_beginthreadex
_recalloc
memmove_s
??0exception@std@@QAE@ABV01@@Z
?what@exception@std@@UBEPBDXZ
??1exception@std@@UAE@XZ
??0exception@std@@QAE@ABQBD@Z
??0exception@std@@QAE@XZ
free
memcpy_s
wcsncpy_s
malloc

wininet

InternetCloseHandle
InternetReadFile
HttpQueryInfoW
HttpSendRequestW
HttpAddRequestHeadersW
HttpOpenRequestW
InternetConnectW
InternetOpenW
InternetCrackUrlW

Sections

.text
Size: 55KB - Virtual size: 54KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 178KB - Virtual size: 178KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
lander.ini
uninst.exe
.exe windows:4 windows x86 arch:x86

7fa974366048f9c551ef45714595665e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetTickCount
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
GetWindowsDirectoryA
SetFileTime
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
CreateFileA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
GetVersion
CloseHandle
lstrcmpiA
lstrcmpA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GetModuleHandleA
LoadLibraryExA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetTempPathA

user32

EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
DestroyWindow
CreateDialogParamA
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
OpenClipboard
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 151KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 60KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data
.rdata
.rsrc/1033/DIALOG/105
.rsrc/1033/DIALOG/106
.rsrc/1033/DIALOG/111
.rsrc/1033/GROUP_ICON/103
.rsrc/1033/ICON/1.ico
.rsrc/1033/ICON/2.ico
.rsrc/1033/ICON/3.ico
.rsrc/1033/ICON/4.ico
.rsrc/1033/MANIFEST/1
.xml
.rsrc/2052/version.txt
.text
[0]
xy.exe
.exe windows:5 windows x86 arch:x86

275166971efb2bc698e39305554c19f0

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

19:6d:f8:a7
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Not Before

08/08/2012, 01:00

Not After

08/08/2027, 01:00

Subject

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

10:35:c2:9f:17:23:8d
Certificate

Issuer

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Not Before

27/09/2013, 01:35

Not After

28/09/2014, 15:17

Subject

CN=上海三七玩网络科技有限公司,O=上海三七玩网络科技有限公司,L=上海市,ST=上海市,C=CN,1.2.840.113549.1.9.1=#0c137369676e617475726540333777616e2e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageDigitalSignature

3d
Certificate

Issuer

CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Not Before

01/03/2011, 01:00

Not After

01/03/2016, 01:00

Subject

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

4d:06:99:6a:89:6b:9a:2e:e4:1a:4a:38:79:b2:fc:16:b5:33:20:20
Signer

Actual PE Digest

4d:06:99:6a:89:6b:9a:2e:e4:1a:4a:38:79:b2:fc:16:b5:33:20:20

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

e:\37wan项目\delphi项目\vcLander\xy_new\04代码\bin\lander.pdb

Imports

kernel32

CreateDirectoryW
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileIntW
GetTempPathW
WideCharToMultiByte
CreateEventW
CloseHandle
SetEvent
CreateFileW
WriteFile
Sleep
WaitForSingleObject
DeleteFileW
TerminateThread
GetTickCount
GetVersionExW
ReadFile
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
GetProcessAffinityMask
SetProcessAffinityMask
SetPriorityClass
DeviceIoControl
GetSystemInfo
SetEnvironmentVariableA
CompareStringW
CompareStringA
SetEndOfFile
CreateFileA
GetLocaleInfoW
SetStdHandle
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
InitializeCriticalSectionAndSpinCount
GetModuleHandleA
GetStringTypeA
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
LoadLibraryExW
lstrcmpiW
GetEnvironmentStringsW
FreeEnvironmentStringsW
FlushFileBuffers
SetFilePointer
GetConsoleMode
GetConsoleCP
GetDateFormatA
GetTimeFormatA
IsValidCodePage
GetOEMCP
GetACP
GetTimeZoneInformation
GetStartupInfoA
GetFileType
SetHandleCount
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
GetModuleFileNameA
GetStdHandle
ExitProcess
HeapCreate
GetStringTypeW
GetCPInfo
LCMapStringW
LCMapStringA
RtlUnwind
GetStartupInfoW
CreateThread
ExitThread
GetSystemTimeAsFileTime
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
VirtualQuery
VirtualProtect
HeapSize
HeapReAlloc
HeapDestroy
VirtualAlloc
VirtualFree
IsProcessorFeaturePresent
LoadLibraryA
HeapAlloc
GetProcessHeap
HeapFree
InterlockedCompareExchange
GetCurrentProcessId
MultiByteToWideChar
GlobalFree
GetModuleHandleW
GetProcAddress
FreeLibrary
GetCommandLineW
CreateProcessW
FindResourceExW
lstrcmpW
MulDiv
FlushInstructionCache
GetCurrentProcess
SetLastError
RaiseException
GetCurrentThreadId
InitializeCriticalSection
DeleteCriticalSection
GetLastError
lstrlenW
GetModuleFileNameW
IsBadWritePtr
InterlockedIncrement
InterlockedDecrement
EnterCriticalSection
GlobalUnlock
GlobalLock
GlobalAlloc
SizeofResource
LockResource
FreeResource
LoadResource
FindResourceW
InterlockedExchange
LeaveCriticalSection
QueryPerformanceCounter

user32

SendMessageW
SetWindowPos
SetWindowLongW
GetWindowLongW
UnregisterClassA
UpdateLayeredWindow
ReleaseDC
SystemParametersInfoW
GetClientRect
GetDC
LoadStringW
ShowWindow
ClientToScreen
ReleaseCapture
PostQuitMessage
DefWindowProcW
UpdateWindow
IsChild
LoadMenuW
GetSubMenu
RemoveMenu
DestroyMenu
CheckMenuItem
TrackPopupMenu
MessageBoxW
GetCursorPos
LoadIconW
CallWindowProcW
RegisterClassExW
LoadCursorW
DestroyAcceleratorTable
GetDesktopWindow
InvalidateRect
InvalidateRgn
FillRect
SetCapture
MoveWindow
ScreenToClient
GetParent
CreateAcceleratorTableW
DestroyWindow
CreateWindowExW
GetClassInfoExW
RedrawWindow
CharNextW
GetSysColor
GetClassNameW
IsWindow
GetDlgItem
GetWindow
LoadBitmapW
InflateRect
DrawTextW
SetCursor
PtInRect
IsWindowVisible
PeekMessageW
GetMessageW
TranslateMessage
DispatchMessageW
SetForegroundWindow
GetKeyState
PostMessageW
SetLayeredWindowAttributes
RegisterWindowMessageW
GetWindowTextLengthW
GetWindowTextW
SetWindowTextW
BeginPaint
EndPaint
GetFocus
SetFocus

gdi32

RestoreDC
SetTextColor
SetBkMode
SaveDC
CreateSolidBrush
BitBlt
GetStockObject
GetDeviceCaps
CreateCompatibleBitmap
GetObjectW
SetDIBColorTable
SelectObject
GetDIBColorTable
StretchBlt
DeleteObject
CreateDIBSection
CreateCompatibleDC
DeleteDC
CreateFontW

advapi32

RegOpenKeyExW
RegCreateKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegDeleteValueW
RegSetValueExW
RegCreateKeyW
RegCloseKey
RegQueryValueExW

shell32

SHGetSpecialFolderPathW
ShellExecuteW
Shell_NotifyIconW

ole32

StringFromGUID2
OleLockRunning
CoCreateInstance
CoGetClassObject
CLSIDFromProgID
CLSIDFromString
OleInitialize
CoInitialize
CoUninitialize
CoTaskMemFree
CoTaskMemRealloc
CoCreateGuid
CoTaskMemAlloc
OleUninitialize
CreateStreamOnHGlobal

oleaut32

SysStringLen
VariantInit
SysAllocString
VariantClear
VarUI4FromStr
SysAllocStringLen
OleCreateFontIndirect
DispCallFunc
LoadTypeLi
LoadRegTypeLi
SysFreeString

shlwapi

PathFileExistsW

comctl32

_TrackMouseEvent

msimg32

AlphaBlend
TransparentBlt

gdiplus

GdipGetImageHeight
GdiplusShutdown
GdiplusStartup
GdipBitmapUnlockBits
GdipBitmapLockBits
GdipCreateBitmapFromScan0
GdipCreateBitmapFromStream
GdipGetImagePalette
GdipGetImagePaletteSize
GdipGetImagePixelFormat
GdipAlloc
GdipGetImageWidth
GdipCloneImage
GdipDrawImageI
GdipDeleteGraphics
GdipGetImageGraphicsContext
GdipDisposeImage
GdipFree

wininet

HttpOpenRequestW
InternetCloseHandle
InternetReadFile
HttpQueryInfoW
HttpSendRequestW
HttpAddRequestHeadersW
FindFirstUrlCacheEntryW
InternetConnectW
InternetOpenW
InternetCrackUrlW
FindCloseUrlCache
FindNextUrlCacheEntryW
DeleteUrlCacheEntryW

iphlpapi

GetAdaptersInfo

Sections

.text
Size: 268KB - Virtual size: 267KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 52KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 486KB - Virtual size: 486KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

099c0646ea7282d232219f8807883be0

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 23KB - Virtual size: 22KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 107KB

.ndata Size: - Virtual size: 60KB

.rsrc Size: 20KB - Virtual size: 19KB

12cef7068fc6baac4b938be8efb7baf5

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

19:6d:f8:a7Certificate

Key Usages

10:35:c2:9f:17:23:8dCertificate

Extended Key Usages

Key Usages

3dCertificate

Key Usages

4c:83:8e:dd:09:42:16:cb:73:a3:ae:8b:4c:02:7a:16:62:56:81:a9Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

shlwapi

comctl32

msimg32

Sections

.text Size: 89KB - Virtual size: 88KB

.rdata Size: 20KB - Virtual size: 20KB

.data Size: 6KB - Virtual size: 14KB

.rsrc Size: 162KB - Virtual size: 162KB

.reloc Size: 13KB - Virtual size: 12KB

bd18726ee6fe4079a3ed305b77e1927e

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

19:6d:f8:a7Certificate

Key Usages

10:35:c2:9f:17:23:8dCertificate

Extended Key Usages

Key Usages

3dCertificate

Key Usages

16:32:5e:24:24:32:60:9e:85:f7:5c:4a:8d:e2:4c:22:19:8c:77:e9Signer

Headers

DLL Characteristics

File Characteristics

.text
Size: 23KB - Virtual size: 22KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 107KB

.ndata
Size: - Virtual size: 60KB

.rsrc
Size: 20KB - Virtual size: 19KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

19:6d:f8:a7
Certificate

10:35:c2:9f:17:23:8d
Certificate

3d
Certificate

4c:83:8e:dd:09:42:16:cb:73:a3:ae:8b:4c:02:7a:16:62:56:81:a9
Signer

.text
Size: 89KB - Virtual size: 88KB

.rdata
Size: 20KB - Virtual size: 20KB

.data
Size: 6KB - Virtual size: 14KB

.rsrc
Size: 162KB - Virtual size: 162KB

.reloc
Size: 13KB - Virtual size: 12KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

19:6d:f8:a7
Certificate

10:35:c2:9f:17:23:8d
Certificate

3d
Certificate

16:32:5e:24:24:32:60:9e:85:f7:5c:4a:8d:e2:4c:22:19:8c:77:e9
Signer

.text
Size: 55KB - Virtual size: 54KB

.rdata
Size: 18KB - Virtual size: 18KB

.data
Size: 2KB - Virtual size: 3KB

.rsrc
Size: 178KB - Virtual size: 178KB

.reloc
Size: 7KB - Virtual size: 7KB

.text
Size: 23KB - Virtual size: 23KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 151KB

.ndata
Size: - Virtual size: 60KB

.rsrc
Size: 20KB - Virtual size: 19KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

19:6d:f8:a7
Certificate

10:35:c2:9f:17:23:8d
Certificate

3d
Certificate

4d:06:99:6a:89:6b:9a:2e:e4:1a:4a:38:79:b2:fc:16:b5:33:20:20
Signer