733b6d7a13a3baa568f180755155debf99b272dd526ed374cbf3320c22bc522f[.]rar

Sharing

Copy URL

Twitter E-mail

General

Target

733b6d7a13a3baa568f180755155debf99b272dd526ed374cbf3320c22bc522f.rar
Size

9.2MB
MD5

1d1a0b04767f3cfb44cc39917317b315
SHA1

38eb7805ae13c6388ac537c3c5b800e1e98c465c
SHA256

532f92dc0529f9eeea4c71e9c75476de4ce4ef1a0051e87a79e5cb5c8ac81161
SHA512

1f0479041c30dffd325c1de57714ad49b94e4ac80fc144199437bf60595baf613dfa9555458e92cfa488ce21540fea79849868456078f6bfdd00e30501779f69
SSDEEP

196608:pv07bjyzVvJJxOQWbng665but7kJlLpUsDcKImZJ7Yg3045w1NP:907nYnJxOJzg6wK7w8KbZJ7Y5J1NP

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

unpack001/KeyScramblerIE.dll

resource
unpack001/KeyScramblerIE.dll

Files

733b6d7a13a3baa568f180755155debf99b272dd526ed374cbf3320c22bc522f.rar
.rar
KeyScramblerIE.dll
.dll windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_BYTES_REVERSED_HI

Exports

Exports

KSFFInit
KSFFUninit
KSInit
KSOptions
KSPromptForKey
KSSetKeyInfo
KSSetOption
KSUninit
KSUpdate
main

Sections

CODE
Size: 2.6MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 2KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 250B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 179KB - Virtual size: 178KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
KeyScramblerLogon.exe
.exe windows:5 windows x86 arch:x86

5007e16b49e5fb060b690c46cb9316e8

Code Sign

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0f
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

15-06-2016 00:00

Not After

15-06-2024 00:00

Subject

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageOCSPSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7a:f1:e5:b8:82:61:50:a7:8a:17:26:9c
Certificate

Issuer

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

Not Before

15-10-2020 15:19

Not After

15-11-2023 15:19

Subject

SERIALNUMBER=P03000012052,CN=QFX Software Corporation,O=QFX Software Corporation,STREET=1573 Katie Cv,L=Sanford,ST=Florida,C=US,1.2.840.113549.1.9.1=#0c17716678736f667440716678736f6674776172652e636f6d,1.3.6.1.4.1.311.60.2.1.2=#1307466c6f72696461,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

01:b2:8b:d4:cf:ee:ee:0d:be:d0:b3:0d:9b:f8:43:6a
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Not Before

06-04-2022 07:45

Not After

08-05-2033 07:45

Subject

CN=Globalsign TSA for CodeSign1 - R6,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Not Before

20-06-2018 00:00

Not After

10-12-2034 00:00

Subject

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Not Before

10-12-2014 00:00

Not After

10-12-2034 00:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

ee:40:c1:84:d0:80:f6:fb:58:11:36:9b:1f:50:cc:5e:d9:15:88:a0:95:20:97:71:cc:f2:84:f7:81:12:63:06
Signer

Actual PE Digest

ee:40:c1:84:d0:80:f6:fb:58:11:36:9b:1f:50:cc:5e:d9:15:88:a0:95:20:97:71:cc:f2:84:f7:81:12:63:06

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\qzwang\Documents\workspace\InputSafe\winsrc\browser\InputSafeOmni\Release\KeyScrambler.pdb

Imports

keyscramblerie

KSOptions
KSPromptForKey
KSSetKeyInfo
KSUpdate
KSSetOption
KSInit
KSUninit

kernel32

GetModuleHandleExW
OpenEventW
FlushInstructionCache
GetCurrentThreadId
lstrlenW
GetModuleHandleW
InterlockedIncrement
InterlockedDecrement
lstrcmpiW
SetLastError
MultiByteToWideChar
SizeofResource
LoadResource
FindResourceW
LoadLibraryExW
GetModuleFileNameW
CreateFileW
MoveFileExW
FindClose
FindNextFileW
FindFirstFileW
ResetEvent
SetEvent
Sleep
CreateEventW
SetEndOfFile
CreateFileA
SetStdHandle
GetProcAddress
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
GetStringTypeW
IsValidCodePage
GetOEMCP
DeleteCriticalSection
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetLocaleInfoW
LoadLibraryW
SetConsoleCtrlHandler
SetFilePointer
ReadFile
FlushFileBuffers
GetConsoleMode
GetConsoleCP
FatalAppExitA
GetFileType
SetHandleCount
HeapSize
HeapReAlloc
GetStdHandle
WriteFile
GetCurrentProcess
FreeLibrary
OpenProcess
WaitForSingleObject
CloseHandle
DeleteFileW
WriteConsoleW
LocalFree
InitializeCriticalSectionAndSpinCount
GetLastError
LeaveCriticalSection
VirtualAlloc
EnterCriticalSection
RaiseException
InterlockedPopEntrySList
InterlockedExchange
InitializeCriticalSection
EncodePointer
DecodePointer
RtlUnwind
GetCurrentThread
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
HeapDestroy
HeapCreate
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetCPInfo
LCMapStringW
WideCharToMultiByte
GetStartupInfoW
HeapSetInformation
ExitProcess
GetACP
InterlockedCompareExchange
InterlockedPushEntrySList
HeapFree
GetProcessHeap
HeapAlloc
IsProcessorFeaturePresent
VirtualFree
GetCommandLineW

user32

GetClassInfoExW
LoadCursorW
DefWindowProcW
SetWindowLongW
LoadBitmapW
UpdateWindow
SetWindowRgn
MessageBoxW
BroadcastSystemMessageW
EndPaint
BeginPaint
CallWindowProcW
GetParent
GetWindow
GetWindowRect
MonitorFromWindow
GetMonitorInfoW
GetClientRect
MapWindowPoints
SetWindowPos
KillTimer
SetTimer
PostMessageW
GetWindowLongW
RegisterClassExW
CreateWindowExW
DestroyWindow
CharNextW
PeekMessageW
GetMessageW
TranslateMessage
DispatchMessageW
UnregisterClassA

gdi32

BitBlt
SelectObject
CreateCompatibleDC
DeleteObject
GetObjectW
CreateRoundRectRgn
DeleteDC

advapi32

RegOpenKeyExW
GetSecurityDescriptorSacl
RegEnumKeyExW
RegQueryInfoKeyW
RegSetValueExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyExW
ConvertStringSecurityDescriptorToSecurityDescriptorW
SetSecurityInfo

shell32

SHGetFolderPathW
ShellExecuteW

ole32

CoCreateInstance
CoTaskMemFree
CoUninitialize
CoInitialize
CoTaskMemRealloc
CoTaskMemAlloc

oleaut32

SysFreeString
VarUI4FromStr

shlwapi

PathCombineW
PathRemoveFileSpecW

comctl32

InitCommonControlsEx

Sections

.text
Size: 192KB - Virtual size: 191KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 245KB - Virtual size: 245KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
test.txt

Sharing

General

Malware Config

Signatures

Files

Headers

File Characteristics

Exports

Exports

Sections

CODE Size: 2.6MB - Virtual size: 2.6MB

DATA Size: 1KB - Virtual size: 1KB

BSS Size: - Virtual size: 2KB

.idata Size: 3KB - Virtual size: 2KB

.edata Size: 512B - Virtual size: 250B

.reloc Size: 179KB - Virtual size: 178KB

.rsrc Size: 5KB - Virtual size: 5KB

5007e16b49e5fb060b690c46cb9316e8

Code Sign

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0fCertificate

Extended Key Usages

Key Usages

7a:f1:e5:b8:82:61:50:a7:8a:17:26:9cCertificate

Extended Key Usages

Key Usages

01:b2:8b:d4:cf:ee:ee:0d:be:d0:b3:0d:9b:f8:43:6aCertificate

Extended Key Usages

Key Usages

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74Certificate

Key Usages

45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51Certificate

Key Usages

ee:40:c1:84:d0:80:f6:fb:58:11:36:9b:1f:50:cc:5e:d9:15:88:a0:95:20:97:71:cc:f2:84:f7:81:12:63:06Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

keyscramblerie

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

shlwapi

comctl32

Sections

.text Size: 192KB - Virtual size: 191KB

.rdata Size: 36KB - Virtual size: 35KB

.data Size: 6KB - Virtual size: 14KB

.rsrc Size: 245KB - Virtual size: 245KB

.reloc Size: 10KB - Virtual size: 10KB

CODE
Size: 2.6MB - Virtual size: 2.6MB

DATA
Size: 1KB - Virtual size: 1KB

BSS
Size: - Virtual size: 2KB

.idata
Size: 3KB - Virtual size: 2KB

.edata
Size: 512B - Virtual size: 250B

.reloc
Size: 179KB - Virtual size: 178KB

.rsrc
Size: 5KB - Virtual size: 5KB

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0f
Certificate

7a:f1:e5:b8:82:61:50:a7:8a:17:26:9c
Certificate

01:b2:8b:d4:cf:ee:ee:0d:be:d0:b3:0d:9b:f8:43:6a
Certificate

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51
Certificate

ee:40:c1:84:d0:80:f6:fb:58:11:36:9b:1f:50:cc:5e:d9:15:88:a0:95:20:97:71:cc:f2:84:f7:81:12:63:06
Signer

.text
Size: 192KB - Virtual size: 191KB

.rdata
Size: 36KB - Virtual size: 35KB

.data
Size: 6KB - Virtual size: 14KB

.rsrc
Size: 245KB - Virtual size: 245KB

.reloc
Size: 10KB - Virtual size: 10KB