0aa17ee66b8dae520e82a94388b1a1d603ec2aed20c464d6cac9a521d4167f24[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

0aa17ee66b8dae520e82a94388b1a1d603ec2aed20c464d6cac9a521d4167f24.zip
Size

115KB
MD5

ba7e3c3e3bccdeaab9ed6063f1488799
SHA1

a7400a87773d8fdeb37c821a379bdf0b98e2ddb4
SHA256

c4a366bfd8eb0f8e04420bf31a820407b7111bc216b54051a721d37da2b94e4a
SHA512

387fa4004d1ca6dbf2c84a9c16b5d2203a4997d24cceb30275825ab849b52d4677c9c0c22ad567a0d9fea1b6c5a09d5844841d7088ca9d6faba52bf81f67d87f
SSDEEP

3072:uXvdHV2e7dkO0kd3YcCDZg+Tnf1XRjoYCa9il:uXlV2e7dDkZvf1XQa4l

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/0aa17ee66b8dae520e82a94388b1a1d603ec2aed20c464d6cac9a521d4167f24

Files

0aa17ee66b8dae520e82a94388b1a1d603ec2aed20c464d6cac9a521d4167f24.zip
.zip

Password: infected
0aa17ee66b8dae520e82a94388b1a1d603ec2aed20c464d6cac9a521d4167f24
.exe windows:5 windows x86 arch:x86

6bb94f8d918f73478aee5a6db44ed3be

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

e:\Work\Thunder\xl8_client\thunder\src\BrowserSupport\pdb\ProductRelease\BrowserSupport.pdb

Imports

xlue

XLUE_AddXARSearchPath
XLUE_LoadXAR
XLUE_InitLoader

xlgraphic

XL_InitGraphicLib
XL_PrepareGraphicParam
XL_SetFreeTypeEnabled

xlluaruntime

luaL_checkinteger
lua_tonumber
lua_next
lua_settable
lua_createtable
XLLRT_RegisterClass
XLLRT_PushXLObject
lua_pushlstring
lua_toboolean
lua_tolstring
XLLRT_ReleaseRunTime
lua_tointeger
lua_pushnil
luaL_unref
lua_insert
lua_getfield
lua_remove
lua_isuserdata
lua_getmetatable
luaL_ref
lua_pushinteger
lua_rawgeti
lua_type
lua_pushstring
lua_pushboolean
XLLRT_RegisterGlobalObj
luaL_checkudata
luaL_checknumber
luaL_checklstring
lua_pushnumber
lua_settop
XLLRT_ReleaseEnv
lua_gettop
XLLRT_GetEnv
XLLRT_LuaCall
XLLRT_GetRuntime

xlfsio

XLFS_Init

ws2_32

WSAGetLastError
getpeername
ntohs
WSAAsyncGetHostByName
WSACancelAsyncRequest
WSAAsyncSelect
closesocket
connect
htons
send
recv
inet_addr
socket
getsockname
WSAStartup

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

kernel32

SetFileAttributesW
SetCurrentDirectoryW
GetCurrentDirectoryW
GetVolumeInformationW
GetDiskFreeSpaceExW
WriteFile
SystemTimeToFileTime
SetFileTime
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RemoveDirectoryW
DeleteFileW
CreateMutexW
FreeLibrary
InterlockedIncrement
InterlockedDecrement
GetModuleHandleW
InitializeCriticalSection
LoadLibraryW
LeaveCriticalSection
GetModuleFileNameW
GetTempPathW
RaiseException
GetLastError
GetProcAddress
EnterCriticalSection
DeleteCriticalSection
GetCurrentThreadId
CloseHandle
FindFirstFileW
GetCurrentProcess
CreateDirectoryW
GetPrivateProfileStringW
WideCharToMultiByte
CopyFileW
GetVersionExW
MultiByteToWideChar
WritePrivateProfileStringW
MoveFileW
FindClose
Process32FirstW
Process32NextW
FindNextFileW
CreateToolhelp32Snapshot
FlushInstructionCache
SetLastError
VirtualQuery
IsBadCodePtr
GetFileAttributesW
lstrcatW
GetFileSizeEx
CreateFileW
GetFileAttributesExW
TerminateProcess
GetStartupInfoW
Sleep
InterlockedExchange
VirtualAlloc
VirtualFree
IsProcessorFeaturePresent
LoadLibraryA
HeapAlloc
GetProcessHeap
HeapFree
InterlockedCompareExchange
WaitForMultipleObjects
CreateThread
TerminateThread
WaitForSingleObject
SetEvent
CreateEventW
GetVersion

user32

SetTimer
KillTimer
CreateWindowExW
PostMessageW
SetWindowLongW
GetWindowLongW
UnregisterClassA
GetMonitorInfoW
MonitorFromPoint
GetCursorPos
GetKeyState
CallWindowProcW
PostQuitMessage
GetDesktopWindow
DestroyWindow
GetMessageW
LoadCursorW
FindWindowW
GetClassInfoExW
TranslateMessage
RegisterClassExW
PeekMessageW
SendMessageW
DispatchMessageW
IsWindow
DefWindowProcW
wsprintfW

advapi32

RegOpenKeyExW
RegCloseKey
RegQueryValueExW

shell32

SHCreateDirectoryExW
ShellExecuteW
SHGetSpecialFolderPathW

ole32

CoUninitialize
CoInitialize
CLSIDFromProgID
CoCreateInstance

oleaut32

SysFreeString
SysAllocStringLen

atl90

ord64
ord61
ord23
ord44
ord43

shlwapi

PathRemoveFileSpecW
PathAddBackslashW
PathCombineW
PathAppendW
PathFileExistsW
PathIsDirectoryW
SHGetValueW

comctl32

InitCommonControlsEx

msvcp90

?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHPBDH@Z
?uncaught_exception@std@@YA_NXZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
??0strstreambuf@std@@QAE@PBDH@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??_7?$basic_ios@DU?$char_traits@D@std@@@std@@6B@
??_7ios_base@std@@6B@
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
?length@?$char_traits@D@std@@SAIPBD@Z
??_D?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
?str@?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
??$?9_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@0@Z
??$?M_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@0@Z
??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEAB_WI@Z
?reserve@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXI@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@G@Z
??$?6DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
??0?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z
??_7?$basic_istream@DU?$char_traits@D@std@@@std@@6B@
??1strstreambuf@std@@UAE@XZ
?_Ios_base_dtor@ios_base@std@@CAXPAV12@@Z
?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?_Lock@_Mutex@std@@QAEXXZ
?_Unlock@_Mutex@std@@QAEXXZ
?find_last_not_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?find_first_not_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?insert@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IID@Z
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@AAD@Z
?unget@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
??$getline@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@0@AAV10@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@D@Z
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEHXZ
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z
?clear@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z
??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@ABV10@PB_W@Z
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??$?8DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
?npos@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@2IB
?substr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE?AV12@II@Z
?find@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEI_WI@Z
?find@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIPB_WI@Z
?replace@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@IIPB_W@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
??$?MDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
?rfind@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEI_WI@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_WI@Z
?resize@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXI@Z
??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAA_WI@Z
?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?erase@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@II@Z
?assign@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@PB_WI@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
??$?8_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@PB_W@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??$?8DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ID@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDI@Z
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
?clear@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXXZ
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
?reserve@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z
??$?HDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@_W@Z

msvcr90

free
_recalloc
??_V@YAXPAX@Z
__wargv
exit
??2@YAPAXI@Z
wcschr
_wcsicmp
?what@exception@std@@UBEPBDXZ
??1exception@std@@UAE@XZ
??0exception@std@@QAE@XZ
fseek
??0exception@std@@QAE@ABV01@@Z
_invalid_parameter_noinfo
wcsncat
wcsrchr
__CxxFrameHandler3
memset
_CxxThrowException
_purecall
tolower
strstr
?terminate@@YAXXZ
_unlock
__dllonexit
_encode_pointer
_lock
_onexit
_decode_pointer
_amsg_exit
__wgetmainargs
_cexit
_exit
_XcptFilter
_wcmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler4_common
_crt_debugger_hook
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_invoke_watson
_controlfp_s
memmove_s
swprintf_s
??3@YAXPAX@Z
fgetwc
getc
feof
fwrite
fwprintf
toupper
_beginthreadex
_swprintf
_wfopen
fread
ferror
fclose
memcpy
strcmp
_wstat64i32
strftime
_gmtime64
??0exception@std@@QAE@ABQBD@Z
swscanf
_atoi64
_wtoi64
_ui64tow
_ui64toa
_ultow
_stricmp
sscanf
strncmp
atol
strlen
_strnicmp
atoi

wininet

InternetCloseHandle
InternetOpenUrlA
InternetOpenW

Sections

.text
Size: 118KB - Virtual size: 118KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 46KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

6bb94f8d918f73478aee5a6db44ed3be

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

xlue

xlgraphic

xlluaruntime

xlfsio

ws2_32

version

kernel32

user32

advapi32

shell32

ole32

oleaut32

atl90

shlwapi

comctl32

msvcp90

msvcr90

wininet

Sections

.text Size: 118KB - Virtual size: 118KB

.rdata Size: 46KB - Virtual size: 45KB

.data Size: 4KB - Virtual size: 5KB

.rsrc Size: 33KB - Virtual size: 33KB

.reloc Size: 16KB - Virtual size: 15KB

.text
Size: 118KB - Virtual size: 118KB

.rdata
Size: 46KB - Virtual size: 45KB

.data
Size: 4KB - Virtual size: 5KB

.rsrc
Size: 33KB - Virtual size: 33KB

.reloc
Size: 16KB - Virtual size: 15KB