General

Malware Config

Signatures

Files

• clumsy.rar

  .rar
• AutoHotkey_2.0.2_setup.exe

  .exe windows:6 windows x86 arch:x86

  
  

  Headers

  File Characteristics

  IMAGE_FILE_RELOCS_STRIPPED

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  Sections

  UPX0

  Size: - Virtual size: 2.4MB

  IMAGE_SCN_CNT_UNINITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  UPX1

  Size: 2.7MB - Virtual size: 2.7MB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 36KB - Virtual size: 40KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

• clumsy hotkey.ahk

  .js
• clumsy/WinDivert.dll

  .dll windows:4 windows x64 arch:x64

  4b5b0fb09f29ed8e5306bbb27b5ae668

  
  

  Headers

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LINE_NUMS_STRIPPED

  IMAGE_FILE_LOCAL_SYMS_STRIPPED

  IMAGE_FILE_LARGE_ADDRESS_AWARE

  IMAGE_FILE_DEBUG_STRIPPED

  IMAGE_FILE_DLL

  Imports

  advapi32

  CloseServiceHandle

  ControlService

  CreateServiceW

  DeleteService

  OpenSCManagerW

  OpenServiceW

  StartServiceW

  kernel32

  CloseHandle

  CreateEventW

  CreateFileW

  DeviceIoControl

  GetLastError

  GetModuleFileNameW

  GetOverlappedResult

  SetLastError

  TlsAlloc

  TlsFree

  TlsGetValue

  TlsSetValue

  msvcrt

  isalnum

  isspace

  isxdigit

  strcmp

  tolower

  Exports

  Exports

  DivertClose

  DivertGetParam

  DivertHelperCalcChecksums

  DivertHelperParseIPv4Address

  DivertHelperParseIPv6Address

  DivertHelperParsePacket

  DivertOpen

  DivertRecv

  DivertSend

  DivertSetParam

  WinDivertClose

  WinDivertDllEntry

  WinDivertGetParam

  WinDivertHelperCalcChecksums

  WinDivertHelperParseIPv4Address

  WinDivertHelperParseIPv6Address

  WinDivertHelperParsePacket

  WinDivertOpen

  WinDivertRecv

  WinDivertRecvEx

  WinDivertSend

  WinDivertSendEx

  WinDivertSetParam

  Sections

  .text

  Size: 8KB - Virtual size: 8KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .data

  Size: 1024B - Virtual size: 992B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rdata

  Size: 1024B - Virtual size: 1024B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .pdata

  Size: 512B - Virtual size: 360B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .xdata

  Size: 512B - Virtual size: 288B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .bss

  Size: - Virtual size: 16B

  IMAGE_SCN_CNT_UNINITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .edata

  Size: 1024B - Virtual size: 730B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .idata

  Size: 1024B - Virtual size: 1016B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .reloc

  Size: 512B - Virtual size: 132B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• clumsy/WinDivert64.sys

  .sys windows:6 windows x64 arch:x64

  5c9956100a10f17fd6cacca768f3c364

  
  

  Code Sign

  7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b

  Certificate

  Issuer

  CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

  Not Before

  21-12-2012 00:00

  Not After

  30-12-2020 23:59

  Subject

  CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50

  Certificate

  Issuer

  CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

  Not Before

  18-10-2012 00:00

  Not After

  29-12-2020 23:59

  Subject

  CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  0a:42:f1:e3:68:68:b7:25:06:ea:50:77:bf:7b:bc:5b

  Certificate

  Issuer

  CN=DigiCert High Assurance Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

  Not Before

  18-08-2014 00:00

  Not After

  09-09-2015 12:00

  Subject

  CN=Nemea Mjukvaruutveckling AB,O=Nemea Mjukvaruutveckling AB,L=Stockholm,ST=Vastra Gotaland,C=SE

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  61:20:4d:b4:00:00:00:00:00:27

  Certificate

  Issuer

  CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Not Before

  15-04-2011 19:45

  Not After

  15-04-2021 19:55

  Subject

  CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  02:c4:d1:e5:8a:4a:68:0c:56:8d:a3:04:7e:7e:4d:5f

  Certificate

  Issuer

  CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

  Not Before

  11-02-2011 12:00

  Not After

  10-02-2026 12:00

  Subject

  CN=DigiCert High Assurance Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  97:da:76:ff:9a:56:81:d7:d7:9f:b8:81:15:69:91:15:f6:21:9c:00

  Signer

  Actual PE Digest

  97:da:76:ff:9a:56:81:d7:d7:9f:b8:81:15:69:91:15:f6:21:9c:00

  Digest Algorithm

  sha1

  PE Digest Matches

  true

  Headers

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LARGE_ADDRESS_AWARE

  PDB Paths

  c:\windivert\install\WDDK\amd64\WinDivert64.pdb

  Imports

  ntoskrnl.exe

  RtlCopyUnicodeString

  KeBugCheckEx

  IoAllocateMdl

  MmMapLockedPagesSpecifyCache

  IoFreeMdl

  MmBuildMdlForNonPagedPool

  KeAcquireInStackQueuedSpinLock

  KeReleaseInStackQueuedSpinLock

  ExFreePoolWithTag

  ExUuidCreate

  ExAllocatePoolWithTag

  ndis.sys

  NdisAdvanceNetBufferDataStart

  NdisRetreatNetBufferDataStart

  NdisAllocateNetBufferListPool

  NdisGetDataBuffer

  NdisFreeNetBufferListPool

  fwpkclnt.sys

  FwpmCalloutDeleteByKey0

  FwpsInjectNetworkReceiveAsync0

  FwpmSubLayerAdd0

  FwpsCalloutUnregisterByKey0

  FwpsFreeCloneNetBufferList0

  FwpsQueryPacketInjectionState0

  FwpsFreeNetBufferList0

  FwpmEngineClose0

  FwpmTransactionBegin0

  FwpmFilterAdd0

  FwpmEngineOpen0

  FwpmTransactionAbort0

  FwpsCalloutRegister0

  FwpsInjectForwardAsync0

  FwpmFilterDeleteByKey0

  FwpmCalloutAdd0

  FwpsInjectNetworkSendAsync0

  FwpmTransactionCommit0

  FwpsInjectionHandleCreate0

  FwpsAllocateNetBufferAndNetBufferList0

  FwpsInjectionHandleDestroy0

  FwpmSubLayerDeleteByKey0

  wdfldr.sys

  WdfVersionBindClass

  WdfVersionUnbindClass

  WdfVersionBind

  WdfVersionUnbind

  Sections

  .text

  Size: 17KB - Virtual size: 16KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 5KB - Virtual size: 5KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 1KB - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .pdata

  Size: 1024B - Virtual size: 540B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  INIT

  Size: 2KB - Virtual size: 1KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 1024B - Virtual size: 1008B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 512B - Virtual size: 246B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• clumsy/clumsy.exe

  .exe windows:4 windows x64 arch:x64

  5d9c5772d914b87ab12e184aaa7a18de

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LINE_NUMS_STRIPPED

  IMAGE_FILE_LARGE_ADDRESS_AWARE

  Imports

  advapi32

  AllocateAndInitializeSid

  CheckTokenMembership

  FreeSid

  GetTokenInformation

  GetUserNameA

  OpenProcessToken

  comctl32

  ImageList_Add

  ImageList_BeginDrag

  ImageList_Create

  ImageList_Destroy

  ImageList_DragEnter

  ImageList_DragLeave

  ImageList_DragMove

  ImageList_DragShowNolock

  ImageList_EndDrag

  ImageList_GetIconSize

  ImageList_GetImageCount

  InitCommonControlsEx

  LBItemFromPt

  MakeDragList

  comdlg32

  ChooseColorA

  ChooseFontA

  GetOpenFileNameA

  GetSaveFileNameA

  gdi32

  Arc

  BeginPath

  BitBlt

  CreateBitmap

  CreateCompatibleBitmap

  CreateCompatibleDC

  CreateDIBSection

  CreateFontA

  CreatePatternBrush

  CreatePen

  CreateRectRgn

  CreateRectRgnIndirect

  CreateSolidBrush

  DeleteDC

  DeleteObject

  EndPath

  ExcludeClipRect

  FillPath

  GetDeviceCaps

  GetEnhMetaFileBits

  GetMetaFileBitsEx

  GetObjectA

  GetObjectType

  GetStockObject

  GetTextExtentPoint32A

  GetTextMetricsA

  MaskBlt

  PatBlt

  Pie

  Polygon

  Polyline

  SelectClipRgn

  SelectObject

  SetBkColor

  SetBkMode

  SetDCBrushColor

  SetPixelV

  SetTextAlign

  SetTextColor

  TextOutA

  kernel32

  CloseHandle

  CreateDirectoryA

  CreateFileA

  CreateMutexA

  CreateThread

  DeleteCriticalSection

  EnterCriticalSection

  FormatMessageA

  FreeLibrary

  GetCPInfoExA

  GetCommandLineA

  GetComputerNameA

  GetConsoleWindow

  GetCurrentDirectoryA

  GetCurrentProcess

  GetCurrentThreadId

  GetFileAttributesA

  GetLastError

  GetModuleFileNameA

  GetModuleHandleA

  GetProcAddress

  GetStartupInfoA

  GetSystemDefaultUILanguage

  GetSystemInfo

  GetTickCount

  GetVersionExA

  GlobalAlloc

  GlobalFree

  GlobalLock

  GlobalSize

  GlobalUnlock

  InitializeCriticalSection

  IsDBCSLeadByteEx

  IsWow64Process

  LeaveCriticalSection

  LoadLibraryA

  LocalFree

  MulDiv

  MultiByteToWideChar

  ReleaseMutex

  SetCurrentDirectoryA

  SetUnhandledExceptionFilter

  Sleep

  TlsGetValue

  VirtualProtect

  VirtualQuery

  WaitForMultipleObjects

  WaitForSingleObject

  WideCharToMultiByte

  WriteFile

  __C_specific_handler

  msvcrt

  ___lc_codepage_func

  ___mb_cur_max_func

  __argc

  __argv

  __getmainargs

  __initenv

  __iob_func

  __set_app_type

  __setusermatherr

  _acmdln

  _amsg_exit

  _cexit

  _commode

  _errno

  _fmode

  _initterm

  _lock

  _onexit

  _setjmp

  _time64

  _unlock

  _vsnprintf

  abort

  atof

  atoi

  calloc

  exit

  fclose

  fopen

  fprintf

  fputc

  fread

  free

  fwrite

  getenv

  isalnum

  isalpha

  isspace

  localeconv

  longjmp

  malloc

  memcmp

  memcpy

  memmove

  memset

  printf

  realloc

  rand

  signal

  sprintf

  srand

  sscanf

  strcat

  strchr

  strcmp

  strcpy

  strcspn

  strerror

  strlen

  strncmp

  strncpy

  strrchr

  strstr

  strtok

  tolower

  toupper

  vfprintf

  wcslen

  ole32

  CoInitializeEx

  CoLockObjectExternal

  CoTaskMemAlloc

  CoTaskMemFree

  CoUninitialize

  DoDragDrop

  OleInitialize

  OleUninitialize

  RegisterDragDrop

  ReleaseStgMedium

  RevokeDragDrop

  shell32

  DragAcceptFiles

  DragFinish

  DragQueryFileA

  DragQueryPoint

  SHBrowseForFolderA

  SHGetPathFromIDListA

  ShellExecuteA

  ShellExecuteExA

  Shell_NotifyIconA

  user32

  BeginPaint

  CallNextHookEx

  CallWindowProcA

  CheckMenuItem

  CheckMenuRadioItem

  ClientToScreen

  CloseClipboard

  CreateIconIndirect

  CreateMDIWindowA

  CreateMenu

  CreatePopupMenu

  CreateWindowExA

  CreateWindowExW

  DefFrameProcA

  DefMDIChildProcA

  DefWindowProcA

  DestroyCursor

  DestroyIcon

  DestroyMenu

  DestroyWindow

  DispatchMessageA

  DragDetect

  DrawEdge

  DrawFocusRect

  DrawFrameControl

  DrawMenuBar

  DrawTextA

  EmptyClipboard

  EnableMenuItem

  EnableScrollBar

  EnableWindow

  EndDialog

  EndPaint

  EnumDisplayMonitors

  EnumWindows

  FillRect

  FrameRect

  GetActiveWindow

  GetAsyncKeyState

  GetCapture

  GetCaretPos

  GetClassInfoA

  GetClientRect

  GetClipboardData

  GetClipboardFormatNameA

  GetComboBoxInfo

  GetCursorPos

  GetDC

  GetDesktopWindow

  GetDlgItem

  GetFocus

  GetForegroundWindow

  GetKeyState

  GetKeyboardLayout

  GetMenuInfo

  GetMenuItemID

  GetMenuItemInfoA

  GetMenuState

  GetMessageA

  GetMessageExtraInfo

  GetParent

  GetScrollInfo

  GetSubMenu

  GetSysColor

  GetSystemMetrics

  GetWindow

  GetWindowInfo

  GetWindowLongA

  GetWindowLongPtrA

  GetWindowRect

  GetWindowTextA

  GetWindowTextLengthA

  InflateRect

  InsertMenuItemA

  InvalidateRect

  IsClipboardFormatAvailable

  IsIconic

  IsMenu

  IsWindowEnabled

  IsWindowVisible

  IsZoomed

  KillTimer

  LoadCursorA

  LoadIconA

  LoadImageA

  MapVirtualKeyA

  MessageBoxA

  MessageBoxIndirectA

  OpenClipboard

  PeekMessageA

  PostMessageA

  PostQuitMessage

  PtInRect

  RedrawWindow

  RegisterClassA

  RegisterClipboardFormatA

  RegisterWindowMessageA

  ReleaseCapture

  ReleaseDC

  RemoveMenu

  ScreenToClient

  SendInput

  SendMessageA

  SetCapture

  SetClipboardData

  SetCursor

  SetCursorPos

  SetFocus

  SetForegroundWindow

  SetMenu

  SetMenuInfo

  SetMenuItemBitmaps

  SetMenuItemInfoA

  SetParent

  SetRect

  SetScrollInfo

  SetScrollPos

  SetTimer

  SetWindowLongA

  SetWindowLongPtrA

  SetWindowPos

  SetWindowTextA

  SetWindowsHookExA

  ShowCursor

  ShowScrollBar

  ShowWindow

  SystemParametersInfoA

  TrackMouseEvent

  TrackPopupMenu

  TranslateMessage

  UnhookWindowsHookEx

  UnregisterClassA

  winmm

  timeBeginPeriod

  timeEndPeriod

  timeGetTime

  windivert

  WinDivertClose

  WinDivertHelperCalcChecksums

  WinDivertHelperParsePacket

  WinDivertOpen

  WinDivertRecv

  WinDivertSend

  WinDivertSetParam

  Sections

  .text

  Size: 371KB - Virtual size: 371KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .data

  Size: 17KB - Virtual size: 17KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rdata

  Size: 43KB - Virtual size: 42KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .pdata

  Size: 2KB - Virtual size: 2KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .xdata

  Size: 2KB - Virtual size: 1KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .bss

  Size: - Virtual size: 340KB

  IMAGE_SCN_CNT_UNINITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .idata

  Size: 13KB - Virtual size: 12KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .CRT

  Size: 512B - Virtual size: 96B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .tls

  Size: 512B - Virtual size: 16B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 363KB - Virtual size: 363KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .reloc

  Size: 2KB - Virtual size: 1KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

  /4

  Size: 3KB - Virtual size: 2KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

  /19

  Size: 153KB - Virtual size: 152KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

  /31

  Size: 23KB - Virtual size: 22KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

  /45

  Size: 46KB - Virtual size: 45KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

  /57

  Size: 16KB - Virtual size: 15KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

  /70

  Size: 5KB - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

  /81

  Size: 92KB - Virtual size: 92KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

  /92

  Size: 7KB - Virtual size: 7KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• clumsy/config.txt