a97632747b842f8a41d39fadf513271eefa87179de88b7717f8b046a598cdeb2

Sharing

Copy URL Twitter E-mail

General

Target

a97632747b842f8a41d39fadf513271eefa87179de88b7717f8b046a598cdeb2
Size

3.5MB
MD5

fbcf77541feea4a2c6c2e3a37c9c68b2
SHA1

59a22a2577d2d05b2dc99932287686bf5460c6bc
SHA256

a97632747b842f8a41d39fadf513271eefa87179de88b7717f8b046a598cdeb2
SHA512

f495e28edc0778261898b5949be161da5a7fd836a15ab1b6e22275b97b16b3ca33a98cba04505d8c47fcc8f3bf4226a31e544a7cb8b6b9d7187036aeff234de7
SSDEEP

49152:vCvw3jp+lQpjt/CHgo7KxP50CeMtFnZFQJeHv+xP/pi5GYNz027h:6vwzOQr/CAoexdZFQJy+Bpi5G

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
a97632747b842f8a41d39fadf513271eefa87179de88b7717f8b046a598cdeb2

Files

a97632747b842f8a41d39fadf513271eefa87179de88b7717f8b046a598cdeb2
.dll windows:6 windows x86 arch:x86

95f0a92592bf3edbc784daa19b373810

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

D:\sase2\sase-client-pack\windows\SASENsisPlugin\Release\SASENsisPlugin.pdb

Imports

ws2_32

WSACleanup
htonl
send
WSACloseEvent
WSACreateEvent
WSAEnumNetworkEvents
WSAEventSelect
WSAResetEvent
WSAWaitForMultipleEvents
closesocket
WSAGetLastError
recv
bind
connect
getpeername
getsockname
getsockopt
htons
ntohs
setsockopt
socket
WSASetLastError
WSAIoctl
__WSAFDIsSet
gethostname
select
accept
listen
getaddrinfo
freeaddrinfo
recvfrom
sendto
ioctlsocket
shutdown
getnameinfo
GetAddrInfoW
WSASocketW
WSASend
FreeAddrInfoW
WSAStartup

kernel32

LoadLibraryA
DeleteFileW
RaiseException
LoadLibraryW
DecodePointer
WTSGetActiveConsoleSessionId
RemoveDirectoryA
DeleteCriticalSection
VerSetConditionMask
GetModuleHandleW
VerifyVersionInfoW
SystemTimeToTzSpecificLocalTime
MapViewOfFile
OpenMutexW
GetTickCount
GetExitCodeProcess
SetLastError
FormatMessageW
EnterCriticalSection
LeaveCriticalSection
SleepEx
QueryPerformanceFrequency
QueryPerformanceCounter
WaitForSingleObjectEx
CompareFileTime
UnmapViewOfFile
GetEnvironmentVariableA
GetStdHandle
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
GetModuleHandleA
GetSystemDirectoryW
OpenFileMappingW
GetCurrentThreadId
GetFileAttributesW
CreateFileW
InitializeCriticalSectionEx
GetModuleFileNameW
RemoveDirectoryW
DeviceIoControl
WriteFile
FindNextFileW
GetFileSizeEx
FindFirstFileW
CreateDirectoryW
lstrcpyW
GlobalFree
GlobalAlloc
MultiByteToWideChar
lstrcpynW
FindResourceW
FileTimeToSystemTime
LoadResource
LockResource
SizeofResource
WideCharToMultiByte
CreateSymbolicLinkA
CreateMutexA
GetNativeSystemInfo
MoveFileExW
SetEvent
OpenEventW
ProcessIdToSessionId
Sleep
CreateEventW
GetCommandLineW
LocalFree
CopyFileA
GetTempPathA
Process32NextW
GetLastError
WaitForSingleObject
TerminateProcess
OpenProcess
Process32FirstW
GetCurrentProcessId
CreateToolhelp32Snapshot
DeleteFileA
CloseHandle
GetCurrentProcess
lstrcmpiA
ExpandEnvironmentStringsA
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
FindFirstFileExW
FlushFileBuffers
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
SetStdHandle
GetFullPathNameW
GetConsoleOutputCP
ExitProcess
SetConsoleCtrlHandler
SetFilePointerEx
FreeLibraryAndExitThread
ExitThread
FindClose
FindNextFileA
GetExitCodeThread
FindFirstFileA
GetSystemDirectoryA
FreeLibrary
GetProcAddress
GetProcessHeap
HeapAlloc
HeapFree
HeapReAlloc
CreateThread
TzSpecificLocalTimeToSystemTime
SetFileTime
GetFileInformationByHandle
GetDriveTypeW
GetFileAttributesExW
SetEndOfFile
LoadLibraryExW
CreateFileA
MoveFileExA
OutputDebugStringW
GetFileAttributesA
GetTickCount64
GetTimeZoneInformation
SetFileAttributesW
FindResourceExW
InterlockedFlushSList
RtlUnwind
AllocConsole
WriteConsoleW
HeapSize
HeapDestroy
GetSystemTimeAsFileTime
LockFileEx
UnlockFile
GetCurrentDirectoryW
SwitchToThread
SetConsoleTextAttribute
GetConsoleScreenBufferInfo
InitializeSListHead
GetStartupInfoW
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
ResetEvent
GetLocaleInfoEx
GetCPInfo
CompareStringEx
LCMapStringEx
EncodePointer
SleepConditionVariableSRW
SleepConditionVariableCS
WakeAllConditionVariable
WakeConditionVariable
InitializeConditionVariable
FlsFree
FlsSetValue
FlsAlloc
GetStringTypeW
FormatMessageA
TryEnterCriticalSection
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InitializeSRWLock
InitOnceComplete
InitOnceBeginInitialize
IsDebuggerPresent
ConvertThreadToFiber
ConvertFiberToThread
GetModuleHandleExW
CreateFiber
GetSystemTime
SystemTimeToFileTime
GetEnvironmentVariableW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SwitchToFiber
DeleteFiber

user32

GetUserObjectInformationW
GetProcessWindowStation
wsprintfW
MessageBoxW
MessageBoxA

advapi32

RegCreateKeyExW
CopySid
RegSetValueExW
GetLengthSid
CryptEnumProvidersW
CryptSignHashW
CryptDecrypt
CryptExportKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
ReportEventW
RegisterEventSourceW
OpenProcessToken
GetTokenInformation
RegOpenKeyExA
RegEnumKeyExA
RegQueryValueExA
RegDeleteKeyA
RegCloseKey
DeregisterEventSource
RegCreateKeyExA
RevertToSelf
CryptAcquireContextW
QueryServiceStatus
EqualSid
CloseServiceHandle
OpenSCManagerW
AllocateAndInitializeSid
CryptCreateHash
CryptGetUserKey
ImpersonateLoggedOnUser
CryptDestroyHash
FreeSid
RegEnumValueA
OpenServiceW
RegDeleteValueA
LookupAccountSidW
RegQueryValueExW
CryptReleaseContext
RegOpenKeyExW
ConvertSidToStringSidW
RegSetValueExA

shell32

ord680
ShellExecuteExA
SHGetSpecialFolderPathA
SHGetFolderPathA
SHGetSpecialFolderPathW
ShellExecuteExW
CommandLineToArgvW

shlwapi

PathRemoveFileSpecW
PathFileExistsW
PathAppendA
StrStrIW
StrCmpIW
PathFindFileNameW
PathIsDirectoryA
PathFileExistsA
PathRemoveBackslashW

crypt32

CertCloseStore
CertEnumCertificatesInStore
CertGetEnhancedKeyUsage
CertGetIntendedKeyUsage
CertOpenSystemStoreW
CertOpenStore
CertFindCertificateInStore
CertDuplicateCertificateContext
CertGetCertificateContextProperty
CertFreeCertificateContext

wtsapi32

WTSQueryUserToken

bcrypt

BCryptGenRandom

wldap32

ord127
ord167
ord142
ord27
ord133
ord147
ord26
ord117
ord41
ord208
ord216
ord14
ord301
ord46
ord219
ord79
ord145

Exports

Exports

CheckCSASDevTag
CleanCSASRegistry
CleanSASEMSI
CleanSASERegistry
ClearBootDeleteFlag
CloseSASEGuard
CopyWlanDll
CreateInstallMutex
CreateUninstallMutex
DeleteOldVersionDir
DeleteSASEUserDataDirs
ExitCSAS
ExitSASE
ExtractCorpNameFromIns
HasUninstallPermission
InstallCheck
SetUninstallFinishEvent
UninstallCheck
UninstallFinish
UninstallOldVersion
WriteLocalDance
WuYingVersionCheck

Sections

.text
Size: 2.2MB - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 37KB - Virtual size: 58KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 248B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 108KB - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

95f0a92592bf3edbc784daa19b373810

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ws2_32

kernel32

user32

advapi32

shell32

shlwapi

crypt32

wtsapi32

bcrypt

wldap32

Exports

Exports

Sections

.text Size: 2.2MB - Virtual size: 2.2MB

.rdata Size: 1.1MB - Virtual size: 1.1MB

.data Size: 37KB - Virtual size: 58KB

.rsrc Size: 512B - Virtual size: 248B

.reloc Size: 108KB - Virtual size: 107KB

.text
Size: 2.2MB - Virtual size: 2.2MB

.rdata
Size: 1.1MB - Virtual size: 1.1MB

.data
Size: 37KB - Virtual size: 58KB

.rsrc
Size: 512B - Virtual size: 248B

.reloc
Size: 108KB - Virtual size: 107KB