2024-05-23_07495ae6c4c07b12447fcac7b5a4ef9f_mafia

Sharing

Copy URL Twitter E-mail

General

Target

2024-05-23_07495ae6c4c07b12447fcac7b5a4ef9f_mafia
Size

2.2MB
MD5

07495ae6c4c07b12447fcac7b5a4ef9f
SHA1

39403339e5602a235dbfbb2c5c72a417c40e4d3b
SHA256

1b8d49317af775c09903d8755cdf9fa7a9e9149d51ac65e2040faaa6d8ee302d
SHA512

f16739507eb3ee1ce5e6cbec92b60a6a8975e62222648dfad7771ad1727fbb099ace8d4014c0b1af6a8a1dc2a65cca5f2614ed8fc385477564f5af7fabdef0e1
SSDEEP

49152:1nvgM/mA7qYr1RzWsCBolnZ7O+55gCM7vFY6LSNL8:NoMh1RisCBoj7O+fgCMz

Score

1^/10

Malware Config

Signatures

Files

2024-05-23_07495ae6c4c07b12447fcac7b5a4ef9f_mafia
.exe windows:5 windows x86 arch:x86

2d8ab49a3c59cc9c6695ffca652b75d1

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

01/05/2012, 00:00

Not After

31/12/2012, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G3,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

72:69:eb:e2:99:6a:28:0c:c4:0d:e7:d2:a7:1b:08:8d
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

23/07/2012, 00:00

Not After

02/08/2014, 23:59

Subject

CN=Beijing Funshion Online Technologies Ltd.,OU=SECURE APPLICATION DEVELOPMENT,O=Beijing Funshion Online Technologies Ltd.,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

d8:df:86:10:75:48:47:a6:24:c5:7e:72:55:e9:51:86:ef:94:50:fe
Signer

Actual PE Digest

d8:df:86:10:75:48:47:a6:24:c5:7e:72:55:e9:51:86:ef:94:50:fe

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\build2.8.1\Funshion\Rel\symbols\FunshionService.pdb

Imports

advapi32

OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
RegQueryValueExW
RegOpenKeyExW
RegCloseKey

user32

DefWindowProcW
DispatchMessageW
UpdateWindow
CreateWindowExW
wsprintfW
ShowWindow
PeekMessageW
LoadIconW
RegisterClassExW
TranslateMessage
LoadCursorW
PostMessageW
DestroyWindow
FindWindowW

ws2_32

WSAGetOverlappedResult
bind
WSASend
WSARecv
WSASendTo
WSARecvFrom
WSASocketW
accept
send
WSAIoctl
getsockname
setsockopt
socket
closesocket
getsockopt
listen
inet_ntoa
WSAGetLastError
WSASetLastError
inet_addr
htonl
htons
recv
ioctlsocket
__WSAFDIsSet
select
connect
gethostbyname
ntohs
ntohl
WSAStartup
WSACleanup

quality

report_uninitialize
set_run_mode
report_udpt
report_tcp
report_initialize
report_task_state
report_playing_pausing
report_something
report_mem_info
report_task_detail
report_ms_flow

iphlpapi

GetNetworkParams

dnsapi

DnsFree
DnsQuery_A

gma

get_time_cost_mac_main
get_and_update_mac
get_time_cost_mac
get_mac_info
get_nic_description
GetCurrUsedIPUL
GetMACAddress

dump

upload_log
disable_output_log_to_file
enable_output_log_to_file
dump_initialize
init_config_center
dump_log
remove_log
lvalue
destroy_config_center
?dump_info@dump@@YAHABV?$basic_format@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@boost@@@Z
if_dump
dump
ulvalue_of
record_log_interface
lvalue_of
svalue
svalue_of

agentd

ord1
ord2
ord3

lsv

ord1
ord2

ptv

?get_ptvisitor@nsptv@@YAPAVi_ptvisitor@1@XZ
?release_ptvisitor@nsptv@@YAXXZ

ttv

ord1
ord2

kernel32

SetStdHandle
HeapReAlloc
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
GetTimeZoneInformation
LoadLibraryW
GetConsoleMode
GetConsoleCP
IsValidCodePage
GetOEMCP
GetACP
HeapSize
GetLocaleInfoW
CompareStringW
HeapDestroy
HeapCreate
SetLastError
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
ExitProcess
GetModuleHandleW
LCMapStringW
RtlUnwind
GetCPInfo
RaiseException
GetStdHandle
GetFileType
WriteConsoleW
GetLocalTime
IsProcessorFeaturePresent
HeapValidate
DebugBreak
SetEnvironmentVariableA
CreateThread
ExitThread
TerminateProcess
IsDebuggerPresent
UnhandledExceptionFilter
GetStartupInfoW
HeapSetInformation
GetCommandLineW
CreateWaitableTimerA
SetWaitableTimer
WaitForMultipleObjects
SystemTimeToFileTime
TlsSetValue
OpenEventA
TlsGetValue
TlsFree
TlsAlloc
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
DecodePointer
EncodePointer
GetStringTypeW
GetModuleHandleA
SetEndOfFile
GetFileAttributesExW
RemoveDirectoryW
FlushFileBuffers
GetFileAttributesW
SetFilePointerEx
GlobalMemoryStatus
lstrcpyA
lstrcpyW
ReleaseMutex
CreateFileMappingW
UnmapViewOfFile
MapViewOfFile
CreateMutexW
ReadFile
SetFilePointer
GetFileSize
GetDiskFreeSpaceExW
FindNextFileW
FindClose
MoveFileW
FindFirstFileW
ResetEvent
ResumeThread
CreateIoCompletionPort
PostQueuedCompletionStatus
GetQueuedCompletionStatus
GetTickCount
GetProcessHeap
GetCurrentThreadId
HeapAlloc
CreateEventA
CloseHandle
HeapFree
WaitForSingleObject
SetEvent
GetSystemTimeAsFileTime
Sleep
GetCurrentProcess
GetLastError
GetPrivateProfileIntW
InterlockedExchange
InterlockedExchangeAdd
ExpandEnvironmentStringsW
QueueUserWorkItem
GetPrivateProfileStringW
QueryPerformanceCounter
QueryPerformanceFrequency
CreateEventW
WideCharToMultiByte
MultiByteToWideChar
InterlockedIncrement
InterlockedDecrement
InterlockedCompareExchange
CreateProcessW
GetVersionExW
GetModuleFileNameW
CreateFileW
GetProcAddress
lstrcmpiW
SetUnhandledExceptionFilter
GetCurrentProcessId
FindResourceExW
FindResourceW
LoadResource
WriteFile
SizeofResource
LockResource
DeleteFileW
GlobalAlloc
GlobalFree

urlmon

UrlMkGetSessionOption

dbghelp

MiniDumpWriteDump

shell32

ord51
SHGetSpecialFolderPathW
ord165
SHCreateDirectoryExW
ShellExecuteW
SHFileOperationW
SHGetFolderPathW

shlwapi

PathAddBackslashW
PathCombineW
PathRemoveBackslashW
PathAppendW
PathIsRelativeW
PathRemoveFileSpecW
PathFileExistsW

wininet

HttpQueryInfoA
InternetOpenUrlW
InternetReadFile
InternetSetOptionA
HttpQueryInfoW
InternetGetConnectedState
InternetOpenA
InternetCloseHandle

Sections

.text
Size: 1.7MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 346KB - Virtual size: 345KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 22KB - Virtual size: 802KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 82KB - Virtual size: 82KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

2d8ab49a3c59cc9c6695ffca652b75d1

Code Sign

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:edCertificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

72:69:eb:e2:99:6a:28:0c:c4:0d:e7:d2:a7:1b:08:8dCertificate

Extended Key Usages

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5eCertificate

Extended Key Usages

Key Usages

d8:df:86:10:75:48:47:a6:24:c5:7e:72:55:e9:51:86:ef:94:50:feSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

user32

ws2_32

quality

iphlpapi

dnsapi

gma

dump

agentd

lsv

ptv

ttv

kernel32

urlmon

dbghelp

shell32

shlwapi

wininet

Sections

.text Size: 1.7MB - Virtual size: 1.7MB

.rdata Size: 346KB - Virtual size: 345KB

.data Size: 22KB - Virtual size: 802KB

.tls Size: 512B - Virtual size: 2B

.rsrc Size: 27KB - Virtual size: 27KB

.reloc Size: 82KB - Virtual size: 82KB

79:a2:a5:85:f9:d1:15:42:13:d9:b8:3e:f6:b6:8d:ed
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

72:69:eb:e2:99:6a:28:0c:c4:0d:e7:d2:a7:1b:08:8d
Certificate

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

d8:df:86:10:75:48:47:a6:24:c5:7e:72:55:e9:51:86:ef:94:50:fe
Signer

.text
Size: 1.7MB - Virtual size: 1.7MB

.rdata
Size: 346KB - Virtual size: 345KB

.data
Size: 22KB - Virtual size: 802KB

.tls
Size: 512B - Virtual size: 2B

.rsrc
Size: 27KB - Virtual size: 27KB

.reloc
Size: 82KB - Virtual size: 82KB