03db53a0eb83247d0b21988022a0b346fe9ac764cf249a333b1c4c5519cfc30e

Sharing

Copy URL

Twitter E-mail

General

Target

03db53a0eb83247d0b21988022a0b346fe9ac764cf249a333b1c4c5519cfc30e
Size

296KB
MD5

39e6a9462c4b6af38a28a9ca7846f79b
SHA1

67f4f745cf1fa71a5762355ff71f7eea31243e94
SHA256

03db53a0eb83247d0b21988022a0b346fe9ac764cf249a333b1c4c5519cfc30e
SHA512

d92a71c697de2a5c09c328d473ccfcde53c9fd0f7c66c55d08cab0944ed7e5cdd8fc005a223849997bdab84deac6c9377e03894c0d070877a9caa62acd45f432
SSDEEP

6144:BL4JnySmcBzrVvq3hg5QXlHQR0vdzrx5zbzz:BL4sChERg5QHdz7z

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/c3pool/nssm.exe

Files

03db53a0eb83247d0b21988022a0b346fe9ac764cf249a333b1c4c5519cfc30e
.zip
.core.jsp
c3pool/WinRing0x64.sys
.sys windows:6 windows x64 arch:x64

d41fa95d4642dc981f10de36f4dc8cd7

Code Sign

01:00:00:00:00:01:15:37:24:21:a8
Certificate

Issuer

CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE

Not Before

24-09-2007 10:50

Not After

24-09-2008 10:50

Subject

CN=Noriyuki MIYAZAKI,C=JP,1.2.840.113549.1.9.1=#0c196869796f6869796f406372797374616c6d61726b2e696e666f

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageKeyEncipherment
KeyUsageDataEncipherment

04:00:00:00:00:00:f9:7f:aa:2e:1e
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

16-12-2003 13:00

Not After

27-01-2014 11:00

Subject

CN=GlobalSign RootSign Partners CA,OU=RootSign Partners CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:08:d9:61:1c:d6
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

28-01-1999 12:00

Not After

27-01-2014 11:00

Subject

CN=GlobalSign Primary Object Publishing CA,OU=Primary Object Publishing CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:10:92:eb:82:95
Certificate

Issuer

CN=GlobalSign RootSign Partners CA,OU=RootSign Partners CA,O=GlobalSign nv-sa,C=BE

Not Before

05-02-2007 09:00

Not After

27-01-2014 09:00

Subject

CN=GlobalSign Time Stamping Authority,O=GlobalSign,1.2.840.113549.1.9.1=#0c1c74696d657374616d70696e666f40676c6f62616c7369676e2e636f6d

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

04:00:00:00:00:01:08:d9:61:24:48
Certificate

Issuer

CN=GlobalSign Primary Object Publishing CA,OU=Primary Object Publishing CA,O=GlobalSign nv-sa,C=BE

Not Before

22-01-2004 09:00

Not After

27-01-2014 10:00

Subject

CN=GlobalSign ObjectSign CA,OU=ObjectSign CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23-05-2006 17:00

Not After

23-05-2016 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

26:68:21:a3:91:74:d2:9f:6f:87:91:cf:9f:44:f1:a1:f3:43:9d:da
Signer

Actual PE Digest

26:68:21:a3:91:74:d2:9f:6f:87:91:cf:9f:44:f1:a1:f3:43:9d:da

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb

Imports

ntoskrnl.exe

IoDeleteSymbolicLink
RtlInitUnicodeString
IoDeleteDevice
IoCreateDevice
MmMapIoSpace
KeBugCheckEx
IoCreateSymbolicLink
MmUnmapIoSpace
IofCompleteRequest
__C_specific_handler

hal

HalSetBusDataByOffset
HalGetBusDataByOffset

Sections

.text
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 380B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 276B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 96B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 546B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
c3pool/config.json
c3pool/config_background.json
c3pool/nssm.exe
.exe windows:5 windows x64 arch:x64

486303637bc6ec8cd38f2967cc02503d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

psapi

GetModuleFileNameExW

shlwapi

PathQuoteSpacesW
PathUnquoteSpacesW
PathFindExtensionW

kernel32

SystemTimeToFileTime
GetFileInformationByHandle
ReadFile
FlushFileBuffers
SetHandleInformation
CreatePipe
GetStdHandle
GetCommandLineW
TlsAlloc
GetModuleFileNameW
GetCurrentThread
GetProcessTimes
OpenProcess
Thread32Next
Thread32First
CreateToolhelp32Snapshot
GenerateConsoleCtrlEvent
SetConsoleCtrlHandler
Process32NextW
Process32FirstW
SetCurrentDirectoryW
GetCurrentDirectoryW
GetWindowsDirectoryW
DeleteCriticalSection
UnregisterWait
SetWaitableTimer
ResumeThread
SetProcessAffinityMask
RegisterWaitForSingleObject
CreateWaitableTimerW
InitializeCriticalSection
SetConsoleOutputCP
GetConsoleOutputCP
WideCharToMultiByte
CompareFileTime
WriteConsoleW
WriteConsoleA
HeapSize
GetLocaleInfoA
GetStringTypeW
GetStringTypeA
LCMapStringW
LCMapStringA
GetConsoleMode
GetConsoleCP
HeapReAlloc
GetTickCount
QueryPerformanceCounter
HeapCreate
HeapSetInformation
SetStdHandle
RtlPcToFileHeader
RaiseException
InitializeCriticalSectionAndSpinCount
LoadLibraryA
GetModuleFileNameA
GetOEMCP
FlsAlloc
GetCurrentThreadId
SetLastError
FlsFree
FlsSetValue
CopyFileW
FileTimeToSystemTime
Sleep
SetFilePointer
MoveFileW
GetSystemTime
CreateFileW
SetFilePointerEx
SetEndOfFile
WriteFile
DuplicateHandle
FreeLibrary
GetProcAddress
LoadLibraryW
EnterCriticalSection
LeaveCriticalSection
CreateThread
GetExitCodeThread
WaitForSingleObject
GetSystemTimeAsFileTime
CloseHandle
GetExitCodeProcess
GetCurrentProcess
GetProcessAffinityMask
GetEnvironmentVariableW
FindResourceExW
LoadResource
GetModuleHandleW
LocalFree
TlsGetValue
LocalAlloc
TlsSetValue
GetUserDefaultLangID
FormatMessageW
CreateProcessW
TerminateProcess
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
ExpandEnvironmentStringsW
AllocConsole
GetConsoleWindow
GetCurrentProcessId
FreeConsole
GetComputerNameW
GetLastError
HeapFree
GetProcessHeap
HeapAlloc
CreateFileA
IsValidCodePage
MultiByteToWideChar
FlsGetValue
DecodePointer
ExitProcess
RtlLookupFunctionEntry
RtlUnwindEx
SetHandleCount
GetFileType
GetStartupInfoA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlCaptureContext
GetCPInfo
GetACP
EncodePointer

user32

GetProcessWindowStation
LoadImageW
SetWindowLongPtrW
GetMessageW
IsDialogMessageW
TranslateMessage
DispatchMessageW
PostQuitMessage
DestroyWindow
GetWindowLongPtrW
SetFocus
ShowWindow
CheckRadioButton
PostMessageW
SetDlgItemInt
SendMessageW
GetDlgItemTextW
SetDlgItemTextW
GetDlgItemInt
SendDlgItemMessageW
GetWindowRect
GetDesktopWindow
MoveWindow
GetDlgItem
EnableWindow
CreateDialogIndirectParamW
MessageBoxW
MessageBoxIndirectW
GetWindowThreadProcessId
PostThreadMessageW
EnumWindows
SetWindowPos
GetSystemMetrics

comdlg32

GetOpenFileNameW

advapi32

CreateServiceW
StartServiceW
ControlService
QueryServiceStatusEx
SetServiceStatus
DeleteService
QueryServiceConfig2W
ChangeServiceConfig2W
CloseServiceHandle
ChangeServiceConfigW
QueryServiceConfigW
OpenServiceW
GetServiceDisplayNameW
GetServiceKeyNameW
EnumServicesStatusExW
OpenSCManagerW
QueryServiceStatus
RegDeleteKeyW
RegQueryValueExW
RegCloseKey
RegEnumValueW
RegSetValueExW
RegCreateKeyExW
RegOpenKeyExW
OpenThreadToken
ImpersonateSelf
LookupPrivilegeValueW
AdjustTokenPrivileges
StartServiceCtrlDispatcherW
AllocateAndInitializeSid
CheckTokenMembership
RegDeleteValueW
IsTextUnicode
RegisterEventSourceW
ReportEventW
DeregisterEventSource
LsaEnumerateAccountRights
LsaAddAccountRights
FreeSid
LsaLookupSids
LsaClose
LsaLookupNames
LsaFreeMemory
IsValidSid
GetSidSubAuthorityCount
GetSidLengthRequired
GetSidIdentifierAuthority
InitializeSid
GetSidSubAuthority
LsaOpenPolicy
LsaNtStatusToWinError
RegisterServiceCtrlHandlerExW

shell32

ShellExecuteExW

Sections

.text
Size: 145KB - Virtual size: 144KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 37KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 208KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 159KB - Virtual size: 159KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
c3pool/xmrig.log
rCrcyAhuO0M5vVAxylfM3e581fmOKx4D

Sharing

General

Malware Config

Signatures

Files

d41fa95d4642dc981f10de36f4dc8cd7

Code Sign

01:00:00:00:00:01:15:37:24:21:a8Certificate

Key Usages

04:00:00:00:00:00:f9:7f:aa:2e:1eCertificate

Key Usages

04:00:00:00:00:01:08:d9:61:1c:d6Certificate

Key Usages

04:00:00:00:00:01:10:92:eb:82:95Certificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:08:d9:61:24:48Certificate

Key Usages

61:0b:7f:6b:00:00:00:00:00:19Certificate

Key Usages

26:68:21:a3:91:74:d2:9f:6f:87:91:cf:9f:44:f1:a1:f3:43:9d:daSigner

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

Sections

.text Size: 2KB - Virtual size: 1KB

.rdata Size: 512B - Virtual size: 380B

.data Size: 512B - Virtual size: 276B

.pdata Size: 512B - Virtual size: 96B

INIT Size: 1024B - Virtual size: 546B

.rsrc Size: 1024B - Virtual size: 960B

486303637bc6ec8cd38f2967cc02503d

Headers

DLL Characteristics

File Characteristics

Imports

psapi

shlwapi

kernel32

user32

comdlg32

advapi32

shell32

Sections

.text Size: 145KB - Virtual size: 144KB

.rdata Size: 37KB - Virtual size: 36KB

.data Size: 8KB - Virtual size: 208KB

.pdata Size: 9KB - Virtual size: 8KB

.rsrc Size: 159KB - Virtual size: 159KB

01:00:00:00:00:01:15:37:24:21:a8
Certificate

04:00:00:00:00:00:f9:7f:aa:2e:1e
Certificate

04:00:00:00:00:01:08:d9:61:1c:d6
Certificate

04:00:00:00:00:01:10:92:eb:82:95
Certificate

04:00:00:00:00:01:08:d9:61:24:48
Certificate

61:0b:7f:6b:00:00:00:00:00:19
Certificate

26:68:21:a3:91:74:d2:9f:6f:87:91:cf:9f:44:f1:a1:f3:43:9d:da
Signer

.text
Size: 2KB - Virtual size: 1KB

.rdata
Size: 512B - Virtual size: 380B

.data
Size: 512B - Virtual size: 276B

.pdata
Size: 512B - Virtual size: 96B

INIT
Size: 1024B - Virtual size: 546B

.rsrc
Size: 1024B - Virtual size: 960B

.text
Size: 145KB - Virtual size: 144KB

.rdata
Size: 37KB - Virtual size: 36KB

.data
Size: 8KB - Virtual size: 208KB

.pdata
Size: 9KB - Virtual size: 8KB

.rsrc
Size: 159KB - Virtual size: 159KB