Uninst[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Uninst.exe
Size

695KB
MD5

f6f83a6f503932dbcbc293d71873d16e
SHA1

e08ef6e90b54b4154e808099236fa53fceff8db4
SHA256

7afb739d9c4c3c79a991af2e6aa93c2d694fcaeebccbae921fc82666c7553d8c
SHA512

f487c429148e8e932a35e5d3158be9c00711bcbd964305dbd5e4eb69291889a9818d959db0c0fb5b3632177ffc241630e5ee04a31ae4b24812b07e5e6d7183a2
SSDEEP

12288:isU5s3hqhTzdOgkEc/cW08qqwTPIHk5bJPWR19XnFATlchpmNHkLL:SsAhl1kEpgkbJPE93uTyps2L

Score

1^/10

Malware Config

Signatures

Files

Uninst.exe
.exe windows:5 windows x86 arch:x86

de112b642994aa0364124c6dae72c614

Code Sign

77:bd:0e:05:b7:59:0b:b6:1d:47:61:53:1e:3f:75:ed
Certificate

Issuer

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Not Before

28/07/2020, 00:00

Not After

28/07/2030, 00:00

Subject

CN=GlobalSign GCC R45 EV CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

44:8a:bf:29:b0:45:82:3e:5d:6d:cc:0b
Certificate

Issuer

CN=GlobalSign GCC R45 EV CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Not Before

05/01/2022, 09:58

Not After

06/01/2024, 09:58

Subject

SERIALNUMBER=911101026662879416,CN=Beijing Qihu Technology Co.\, Ltd.,O=Beijing Qihu Technology Co.\, Ltd.,STREET=朝阳区酒仙桥路6号院2号楼1至19层104号内8层801,L=Beijing,ST=Beijing,C=CN,1.3.6.1.4.1.311.60.2.1.2=#13074245494a494e47,1.3.6.1.4.1.311.60.2.1.3=#1302434e,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

01:c2:9c:7a:f4:7a:a6:02:58:0e:af:32:b1:23:b1:1d
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Not Before

06/04/2022, 07:44

Not After

08/05/2033, 07:44

Subject

CN=Globalsign TSA for Advanced - G4,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Not Before

20/06/2018, 00:00

Not After

10/12/2034, 00:00

Subject

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:f2:40:42:40:ce:fd:22:db:e9:6c:71:fc
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

20/02/2019, 00:00

Not After

18/03/2029, 10:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:21:58:53:08:a2
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

18/03/2009, 10:00

Not After

18/03/2029, 10:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

e5:5e:25:7f:33:f2:42:d7:a0:84:b3:14:35:fb:f6:d4:a5:c9:90:9f:b4:f9:89:74:31:89:81:98:6e:36:e4:56
Signer

Actual PE Digest

e5:5e:25:7f:33:f2:42:d7:a0:84:b3:14:35:fb:f6:d4:a5:c9:90:9f:b4:f9:89:74:31:89:81:98:6e:36:e4:56

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\vmagent_new\bin\joblist\740223\out\Release\Uninst.pdb

Imports

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

kernel32

AreFileApisANSI
ReadProcessMemory
Module32NextW
Module32FirstW
Process32NextW
Process32FirstW
GetWindowsDirectoryW
WriteFile
GetPrivateProfileIntW
GetFileAttributesExW
FindNextFileW
Sleep
InterlockedCompareExchange
CreateDirectoryW
CopyFileW
lstrlenA
InterlockedIncrement
DebugBreak
OutputDebugStringW
TlsSetValue
TlsGetValue
DeleteFileW
GetLongPathNameW
GetModuleFileNameW
GetTempPathW
GetACP
CreateProcessW
GetExitCodeProcess
WaitForSingleObject
RemoveDirectoryW
SetFileAttributesW
GetFileAttributesW
ExpandEnvironmentStringsW
GetCommandLineW
lstrcmpW
CreateMutexW
TerminateProcess
MoveFileW
MoveFileExW
GetPrivateProfileSectionW
GetTimeZoneInformation
FileTimeToLocalFileTime
GetFileTime
SetFilePointer
DeviceIoControl
InitializeCriticalSection
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetShortPathNameW
SetCurrentDirectoryW
GetCurrentDirectoryW
InterlockedExchange
CreateThread
RaiseException
lstrcpyW
CompareStringW
FlushInstructionCache
lstrcmpiW
GetCurrentThreadId
SizeofResource
LoadResource
FindResourceW
Thread32Next
GetSystemDirectoryW
FlushFileBuffers
SetStdHandle
CreateFileA
GetLocaleInfoW
WideCharToMultiByte
InitializeCriticalSectionAndSpinCount
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
GetDateFormatA
GetTimeFormatA
GetStringTypeW
GetStringTypeA
GetConsoleMode
GetConsoleCP
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
LCMapStringA
GetStartupInfoA
GetFileType
SetHandleCount
LCMapStringW
HeapSize
GetModuleFileNameA
GetStdHandle
ExitProcess
HeapReAlloc
FatalAppExitA
HeapDestroy
HeapCreate
GetCurrentThread
TlsAlloc
IsValidCodePage
GetOEMCP
GetCPInfo
GetStartupInfoW
ExitThread
RtlUnwind
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetSystemTimeAsFileTime
VirtualAlloc
VirtualFree
IsProcessorFeaturePresent
LoadLibraryA
HeapAlloc
GetProcessHeap
HeapFree
GetConsoleOutputCP
WriteConsoleW
SetEndOfFile
CompareStringA
FindFirstFileW
SetEnvironmentVariableA
QueryDosDeviceW
LoadLibraryExW
LocalFileTimeToFileTime
SetFilePointerEx
GetFileSizeEx
GetVersion
MultiByteToWideChar
InterlockedDecrement
GetLogicalDriveStringsW
GetDriveTypeW
HeapUnlock
HeapLock
HeapWalk
LockResource
FreeResource
GetDiskFreeSpaceExW
FindClose
GetTickCount
GetCurrentProcessId
ProcessIdToSessionId
GetModuleHandleA
GetProcAddress
GetCurrentProcess
CreateMutexA
GetLastError
ReleaseMutex
lstrlenW
GetPrivateProfileStringW
WritePrivateProfileSectionW
WritePrivateProfileStringW
GetModuleHandleW
OpenProcess
SetEnvironmentVariableW
FileTimeToSystemTime
SystemTimeToFileTime
GlobalMemoryStatus
ResumeThread
CreateToolhelp32Snapshot
Thread32First
OpenThread
SetConsoleCtrlHandler
FreeLibrary
TlsFree
CreateFileW
GetFileSize
ReadFile
CloseHandle
GetVersionExW
SuspendThread
SetLastError
WriteConsoleA

user32

IsWindowEnabled
SetCapture
GetDlgCtrlID
CallWindowProcW
UnregisterClassA
SetCursor
GetCursorPos
GetSysColor
BeginPaint
EndPaint
ClientToScreen
GetWindowRgn
MoveWindow
RegisterClassExW
LoadCursorW
FillRect
UpdateWindow
GetCapture
ReleaseCapture
PtInRect
CreateDialogParamW
SetRectEmpty
DestroyCursor
DefWindowProcW
PeekMessageW
GetMessageW
TranslateMessage
LoadImageW
GetClassNameW
CreateCursor
OffsetRect
ExitWindowsEx
PostQuitMessage
DrawTextW
GetWindow
MapWindowPoints
AdjustWindowRectEx
IsDialogMessageW
GetDlgItem
GetParent
ChildWindowFromPoint
SetDlgItemTextW
SetFocus
EnableWindow
KillTimer
SetTimer
InvalidateRect
ReleaseDC
GetWindowDC
GetDC
ScreenToClient
GetMenu
GetWindowTextLengthW
GetWindowTextW
SetWindowTextW
GetWindowLongW
CreateWindowExW
SetWindowLongW
SendMessageW
DestroyWindow
GetClientRect
IsWindow
PostMessageW
MessageBoxW
CharLowerBuffW
EnumThreadWindows
CharNextW
CharLowerW
ShowWindow
WaitForInputIdle
LoadStringW
FindWindowW
SendMessageTimeoutW
GetWindowRect
BringWindowToTop
SetForegroundWindow
SwitchToThisWindow
SetWindowPos
wvsprintfW
SystemParametersInfoW
GetSystemMetrics
WindowFromPoint
DispatchMessageW

gdi32

DeleteObject
GetObjectW
SetTextColor
SetBkMode
BitBlt
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
StretchBlt
DeleteDC
CreateFontIndirectW
PtInRegion
CreateRectRgn
CreateDIBSection
GetStockObject
SetStretchBltMode

advapi32

RegQueryValueExW
OpenProcessToken
RegQueryValueExA
FreeSid
IsValidSid
EqualSid
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegQueryInfoKeyW
RegCloseKey
RegDeleteValueW
GetUserNameW
RegCreateKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegDeleteKeyW
RegEnumKeyExW
GetTokenInformation
AllocateAndInitializeSid

shell32

SHFileOperationW
SHGetSpecialFolderLocation
SHGetPathFromIDListW
SHGetFolderPathW
CommandLineToArgvW
SHChangeNotify
ShellExecuteW
ShellExecuteExW
SHGetSpecialFolderPathW

ole32

CoCreateInstance
CoUninitialize
CoInitialize
CoTaskMemFree
CoTaskMemAlloc
CoTaskMemRealloc

oleaut32

SysFreeString
VarUI4FromStr
SysAllocString

shlwapi

SHDeleteValueW
SHDeleteKeyW
StrCmpNIW
PathAddBackslashW
PathRemoveFileSpecW
PathFileExistsW
StrCmpNW
SHSetValueW
PathIsDirectoryW
SHGetValueW
StrStrIW
PathAppendW
PathFindFileNameW
PathCombineW

comctl32

_TrackMouseEvent
ImageList_Destroy
InitCommonControlsEx
ImageList_GetIconSize

wintrust

WinVerifyTrust
WTHelperProvDataFromStateData

crypt32

CertGetNameStringW

wininet

InternetCloseHandle
InternetReadFile
InternetOpenUrlW
InternetOpenW

msimg32

AlphaBlend

Sections

.text
Size: 549KB - Virtual size: 548KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 100KB - Virtual size: 99KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

de112b642994aa0364124c6dae72c614

Code Sign

77:bd:0e:05:b7:59:0b:b6:1d:47:61:53:1e:3f:75:edCertificate

Extended Key Usages

Key Usages

44:8a:bf:29:b0:45:82:3e:5d:6d:cc:0bCertificate

Extended Key Usages

Key Usages

01:c2:9c:7a:f4:7a:a6:02:58:0e:af:32:b1:23:b1:1dCertificate

Extended Key Usages

Key Usages

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74Certificate

Key Usages

01:f2:40:42:40:ce:fd:22:db:e9:6c:71:fcCertificate

Key Usages

04:00:00:00:00:01:21:58:53:08:a2Certificate

Key Usages

e5:5e:25:7f:33:f2:42:d7:a0:84:b3:14:35:fb:f6:d4:a5:c9:90:9f:b4:f9:89:74:31:89:81:98:6e:36:e4:56Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

version

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

shlwapi

comctl32

wintrust

crypt32

wininet

msimg32

Sections

.text Size: 549KB - Virtual size: 548KB

.rdata Size: 100KB - Virtual size: 99KB

.data Size: 14KB - Virtual size: 27KB

.rsrc Size: 19KB - Virtual size: 19KB

77:bd:0e:05:b7:59:0b:b6:1d:47:61:53:1e:3f:75:ed
Certificate

44:8a:bf:29:b0:45:82:3e:5d:6d:cc:0b
Certificate

01:c2:9c:7a:f4:7a:a6:02:58:0e:af:32:b1:23:b1:1d
Certificate

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

01:f2:40:42:40:ce:fd:22:db:e9:6c:71:fc
Certificate

04:00:00:00:00:01:21:58:53:08:a2
Certificate

e5:5e:25:7f:33:f2:42:d7:a0:84:b3:14:35:fb:f6:d4:a5:c9:90:9f:b4:f9:89:74:31:89:81:98:6e:36:e4:56
Signer

.text
Size: 549KB - Virtual size: 548KB

.rdata
Size: 100KB - Virtual size: 99KB

.data
Size: 14KB - Virtual size: 27KB

.rsrc
Size: 19KB - Virtual size: 19KB