2024-05-24_6291e1432bd81f38cfd043d503936df8_avoslocker_cobalt-strike

Sharing

Copy URL Twitter E-mail

General

Target

2024-05-24_6291e1432bd81f38cfd043d503936df8_avoslocker_cobalt-strike
Size

841KB
MD5

6291e1432bd81f38cfd043d503936df8
SHA1

a0bc8ebe6cd695f7c6ad6a53cfca2f8dce7377e3
SHA256

64fb4bedc3150b4a78ea4a0f9bb936ac2b665d5e340f1d149b0a25392c9f14b0
SHA512

9f3bc63785216fdc2653201de6315ed482749a738dd3554049569fda3d71d62dbaa9d0c08922e0d245e9e06b50464b0b7a2accaf18bf3f3c972e255dc3dbd191
SSDEEP

24576:jZ00oB8fVjacxpN9FhYDDaxi3s+p5Y/lFD6M1x:xTtFODDao3Xp5wF6Mb

Score

1^/10

Malware Config

Signatures

Files

2024-05-24_6291e1432bd81f38cfd043d503936df8_avoslocker_cobalt-strike
.exe windows:6 windows x86 arch:x86

2d3ca316ed7cf4a0ebfc29bddae02933

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

09:0c:3a:aa:41:90:1d:6a:d3:21:fd:de:a9:1e:13:66
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

20/03/2023, 00:00

Not After

19/03/2026, 23:59

Subject

CN=Broadcom Inc,O=Broadcom Inc,L=San Jose,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

17:3e:64:0d:f0:fe:d5:05:dc:b5:2c:a5:d8:64:d7:c4:87:22:04:7b:86:02:93:d4:c7:22:5b:70:c7:be:c1:55
Signer

Actual PE Digest

17:3e:64:0d:f0:fe:d5:05:dc:b5:2c:a5:d8:64:d7:c4:87:22:04:7b:86:02:93:d4:c7:22:5b:70:c7:be:c1:55

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\see_build\workDir\build\win32\Release\PGPfsd.pdb

Imports

kernel32

lstrlenA
lstrlenW
GetComputerNameW
GetDateFormatW
GetTimeFormatW
GetCommandLineW
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
SetEvent
CreateEventW
OpenEventW
WaitForMultipleObjects
GetTickCount
LocalFree
PulseEvent
CompareFileTime
lstrcpyW
ResetEvent
Sleep
CreateThread
GetLogicalDrives
QueryDosDeviceW
InitializeCriticalSectionEx
RaiseException
DecodePointer
SetThreadAffinityMask
MapViewOfFile
CreateFileMappingW
ReleaseMutex
FormatMessageA
OutputDebugStringW
DebugBreak
GetFileAttributesW
lstrcatW
lstrcmpW
GetLocalTime
WaitForSingleObject
GetFileTime
WriteConsoleW
HeapSize
GetProcessHeap
GetDriveTypeW
CreateFileW
CreateDirectoryW
SetDllDirectoryW
CreateMutexW
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetCPInfo
GetOEMCP
IsValidCodePage
FindFirstFileExW
GetTimeZoneInformation
HeapReAlloc
ReadConsoleW
GetConsoleMode
GetConsoleOutputCP
EnumSystemLocalesW
GetUserDefaultLCID
GetLastError
GetLocaleInfoW
LCMapStringW
CompareStringW
GetCurrentDirectoryW
GetStringTypeW
HeapAlloc
HeapFree
GetModuleFileNameW
SetFilePointerEx
SetStdHandle
MoveFileExW
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetFileType
GetFileInformationByHandle
GetModuleHandleExW
ExitProcess
EncodePointer
LoadLibraryExW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
VirtualQuery
RtlUnwind
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetStartupInfoW
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RemoveDirectoryW
GetWindowsDirectoryW
GetSystemDirectoryW
SetLastError
SetFileAttributesW
SystemTimeToFileTime
FileTimeToSystemTime
WriteFile
SetFileTime
ReadFile
GetFileSize
GetDiskFreeSpaceExW
FlushFileBuffers
GetStdHandle
SetThreadPriority
GetCurrentThread
DeviceIoControl
GetLongPathNameW
ExpandEnvironmentStringsW
GetModuleHandleW
InitializeCriticalSectionAndSpinCount
LoadLibraryW
GetProcAddress
FreeLibrary
GetShortPathNameW
GetFullPathNameW
FindNextFileW
FindFirstFileW
FindClose
SetFilePointer
SetEndOfFile
UnlockFileEx
LockFileEx
GetFileSizeEx
DeleteFileW
WideCharToMultiByte
MultiByteToWideChar
GetACP
GetUserDefaultLangID
LoadLibraryA
DeleteCriticalSection
IsValidLocale
CloseHandle

user32

MessageBoxA
CharUpperW
RegisterClassW
PostQuitMessage
PostThreadMessageW
UnregisterDeviceNotification
RegisterDeviceNotificationW
DispatchMessageW
TranslateMessage
CreateWindowExW
SendMessageW
LoadStringW
DefWindowProcW
CharNextW
IsWindow
GetActiveWindow
FindWindowW
GetForegroundWindow
RegisterWindowMessageW
MessageBoxW
GetMessageW

advapi32

LookupAccountNameW
GetTokenInformation
OpenProcessToken
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
GetUserNameW
RegOpenKeyExA
RegQueryValueExA
DecryptFileW
IsValidSid

shell32

SHGetSpecialFolderPathW
SHChangeNotify
SHGetFolderPathW
CommandLineToArgvW
ShellExecuteW

pgpsdknl

PGPGetSocketOptions
PGPSocketsEstablishTLSSession
PGPOpenSocket
PGPHostToNetShort
PGPSelect
PGPtlsSetLocalPrivateKey
PGPDottedToInternetAddress
PGPGetHostByName
PGPConnect
PGPSend
PGPCloseSocket
PGPReceive
PGPQueryKeyServer
PGPKeyServerClose
PGPKeyServerOpen
PGPSetKeyServerEventHandler
PGPFreeKeyServer
PGPNewKeyServer
PGPKeyServerCleanup
PGPKeyServerInit
PGPKeyServerDisposeThreadStorage
PGPKeyServerCreateThreadStorage
PGPOKeyServerAccessType
PGPOKeyServerKeyStoreDN
PGPOKeyServerProtocol
PGPONetHostName
PGPtlsClose
PGPFreeTLSSession
PGPNewTLSSession
PGPtlsGetRemoteAuthenticatedKey
PGPtlsIsReusedSession
PGPsdkNetworkLibCleanup
PGPsdkNetworkLibInit
PGPSocketsCleanup
PGPSocketsInit
PGPFreeTLSContext
PGPNewTLSContext

pgpsdk

PGPFreeFilter
PGPNewKeyDBObjDataFilter
PGPEME2Decrypt
PGPEME2Encrypt
PGPInitEME2
PGPFreeEME2Context
PGPNewEME2Context
PGPEMEDecrypt
PGPEMEEncrypt
PGPInitEME
PGPFreeEMEContext
PGPNewEMEContext
PGPSymmetricCipherDecrypt
PGPSymmetricCipherEncrypt
PGPInitSymmetricCipher
PGPFreeSymmetricCipherContext
PGPNewSymmetricCipherContext
PGPOKeyFlags
PGPOEncryptToKeySet
PGPODiscardOutput
PGPUnionFilters
PGPContinueHMAC
PGPFreeHMACContext
PGPNewHMACContext
PGPNewKeyIDFromStringU16
PGPGetKeyDBObjDataProperty
PGPGetKeyIDStringU16
PGPCompareKeyIDs
PGPGetKeyIDBytes
PGPNewKeyID
PGPCopyKeys
PGPGetKeyID
PGPPeekKeyDBRootKeySet
PGPPeekContextMemoryMgr
PGPCountAdditionalRecipientRequests
PGPGetPrimaryUserIDNameU16
PGPGetKeyDBObjAllocatedDataPropertyU16
PGPOPassphraseU16
PGPGetStdTimeFromPGPTime
PGPContextReserveRandomBytes
PGPContextGetRandomBytes
PGPFinalizeHMAC
PGPNewKeyIterFromKeySet
PGPNewKeyIter
PGPFreeKeyList
PGPOrderKeySet
PGPPassphraseIsValid
PGPImport
PGPPeekKeyDBObjKey
PGPGetTokenInfoBooleanProperty
PGPDeleteKeyDBObj
PGPCopyKeyDBObj
PGPKeyIterNextKeyDBObj
PGPCheckKeyRingSigs
PGPGetKeyDBObjNumericProperty
PGPPeekKeySetKeyDB
PGPIncKeySetRefCount
PGPCountKeysInKeyDB
PGPOpenKeyDBFile
PGPNewKeyDB
PGPDecode
PGPEncode
PGPOInputFormat
PGPOKeyDBRef
PGPOEventHandler
PGPODetachedSig
PGPOCachePassphrase
PGPOSignWithKey
PGPOAllocatedOutputBuffer
PGPOInputBuffer
PGPOInputFile
PGPONullOption
PGPFreeOptionList
PGPAppendOptionList
PGPNewOptionList
PGPGetHashSize
PGPFinalizeHash
PGPContinueHash
PGPFreeHashContext
PGPNewHashContext
PGPGlobalRandomPoolHasMinimumEntropy
PGPGlobalRandomPoolAddSystemState
PGPNewFileSpecFromFullPathU16
PGPFreeFileSpec
PGPSyncTokenKeys
PGPGetKeyForUsage
PGPAddKey
PGPCountKeys
PGPNewEmptyKeySet
PGPIncKeyDBRefCount
PGPFreeContext
PGPNewContext
PGPsdkCleanup
PGPsdkInit
PGPPurgePassphraseCache
PGPPurgeKeyDBCache
PGPReallocData
PGPValidateMemoryMgr
PGPFreeMemoryMgr
PGPNewMemoryMgr
PGPGetDefaultMemoryMgr
PGPNewSecureData
PGPNewData
PGPGetTime
PGPNewKeyIDFromString
PGPOPassphraseBufferU8
PGPGetKeyDBObjBooleanProperty
PGPFindKeyByKeyID
PGPOPasskeyBuffer
PGPOLastOption
PGPAddJobOptions
PGPPeekKeyDBObjKeyDB
PGPPeekKeyDBObjContext
PGPFreeKeySet
PGPNewOneKeySet
PGPFreeKeyDB
PGPFreeData
PGPResetHash
PGPNewKeyIterFromKeyDB
PGPFreeKeyIter
PGPPeekKeyDBContext
PGPGetKeyIDString
PGPOAllowBareESKs
PGPOOutputFile
PGPOAppendOutput
PGPOPassphraseBuffer
PGPOSessionKey
PGPCopyOptionList
PGPBuildOptionList
PGPOPassphrase
PGPGetErrorString
PGPGetIndexedAdditionalRecipientRequestKey

pgpcl

_PGPclLockClientLibXMLPrefRef@4
_PGPclReleaseClientLibXMLPrefRef@8
PGPFreeKeyServerEntry
PGPOvidServerNewGroup
PGPPeekOvidServerGroupMemberKeyDB
PGPPeekOvidServerGroupMemberDN
PGPPeekOvidServerGroupDN
PGPPeekOvidServerGroupMembers
PGPOvidServerGetGroupMembersEmails
PGPOvidServerGetGroupMembersKeys
PGPOvidServerGetGroupMembership
PGPOvidServerAuthenticateInternalPassphrase
PGPOvidServerAuthenticateInternal
PGPOvidServerConnectProxy
PGPOvidServerConnect
PGPOvidServerSOAPSetProxyUsernamePassword
PGPOvidServerSOAPSetEventHandler
PGPFreeOvidServerSOAPContext
PGPNewOvidServerSOAPContext
PGPCheckAuthenticationCertHashByNameOrIP
PGPGetAdminPrefStringAlloc
PGPGetAdminPrefBoolean
PGPSetXMLPrefArrayStringValues
PGPGetXMLPrefArrayStringValues
PGPGetXMLPrefKeyRawByteValue
PGPGetXMLPrefKeyIntegerValue
PGPGetXMLPrefKeyBooleanValue
PGPFreeXMLPrefs
PGPMergeXMLPrefs
PGPSaveXMLPrefFile
PGPOpenXMLPrefFile
PGPprefParseConfigurationBinding
PGPGetXMLPrefChildKeyFromDict
PGPGetXMLPrefSiblingKeyByName
PGPGetXMLPrefKeyStringValue
PGPGetRootXMLPrefNode
_PGPclGetKeyPhrase@36
_PGPclGetCachedDecryptionPhrase@60
_PGPclLogOvidString@8
PGPclLogString
PGPFreeOvidServerGroup

mpr

WNetGetConnectionW
WNetGetResourceInformationW

netapi32

NetApiBufferFree
NetDfsGetClientInfo

shlwapi

PathCompactPathExW

crypt32

CryptUnprotectData

userenv

ExpandEnvironmentStringsForUserW

wsock32

socket
send
ioctlsocket
WSAStartup
shutdown
ntohl
select
gethostbyname
accept
__WSAFDIsSet
connect
recv
htons
setsockopt
WSAGetLastError
inet_ntoa
closesocket
recvfrom
getsockopt
sendto

Sections

.text
Size: 625KB - Virtual size: 625KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 133KB - Virtual size: 133KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 36KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

2d3ca316ed7cf4a0ebfc29bddae02933

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

09:0c:3a:aa:41:90:1d:6a:d3:21:fd:de:a9:1e:13:66Certificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

17:3e:64:0d:f0:fe:d5:05:dc:b5:2c:a5:d8:64:d7:c4:87:22:04:7b:86:02:93:d4:c7:22:5b:70:c7:be:c1:55Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

pgpsdknl

pgpsdk

pgpcl

mpr

netapi32

shlwapi

crypt32

userenv

wsock32

Sections

.text Size: 625KB - Virtual size: 625KB

.rdata Size: 133KB - Virtual size: 133KB

.data Size: 36KB - Virtual size: 40KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 26KB - Virtual size: 25KB

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

09:0c:3a:aa:41:90:1d:6a:d3:21:fd:de:a9:1e:13:66
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

17:3e:64:0d:f0:fe:d5:05:dc:b5:2c:a5:d8:64:d7:c4:87:22:04:7b:86:02:93:d4:c7:22:5b:70:c7:be:c1:55
Signer

.text
Size: 625KB - Virtual size: 625KB

.rdata
Size: 133KB - Virtual size: 133KB

.data
Size: 36KB - Virtual size: 40KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 26KB - Virtual size: 25KB