General

Malware Config

Signatures

Files

• c41745d8a3ead8489fba5d9ddbadbcc868194da360463eae2d63a0a09c07c19f

  .exe windows:6 windows x86 arch:x86

  50daf93fbd8aef383dbf1ae02f88939d

  
  

  Code Sign

  78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54

  Certificate

  Issuer

  CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

  Not Before

  28-07-2020 00:00

  Not After

  18-03-2029 00:00

  Subject

  CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  77:bd:0e:05:b7:59:0b:b6:1d:47:61:53:1e:3f:75:ed

  Certificate

  Issuer

  CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

  Not Before

  28-07-2020 00:00

  Not After

  28-07-2030 00:00

  Subject

  CN=GlobalSign GCC R45 EV CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  07:c0:71:36:a8:f3:52:4e:17:fb:f4:ab

  Certificate

  Issuer

  CN=GlobalSign GCC R45 EV CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

  Not Before

  01-02-2024 15:34

  Not After

  17-03-2027 11:09

  Subject

  SERIALNUMBER=5218067,CN=netSkope\, Inc.,O=netSkope\, Inc.,STREET=2445 Augustine Drive\, Suite 301,L=Santa Clara,ST=California,C=US,1.2.840.113549.1.9.1=#0c166365727461646d696e406e6574736b6f70652e636f6d,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  01:9b:ea:de:c8:4d:6b:8f:f7:6c:3a:9f:2e:01:24:16

  Certificate

  Issuer

  CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

  Not Before

  07-11-2023 17:13

  Not After

  09-12-2034 17:13

  Subject

  CN=Globalsign TSA for CodeSign1 - R6 - 202311,O=GlobalSign nv-sa,C=BE

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74

  Certificate

  Issuer

  CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

  Not Before

  20-06-2018 00:00

  Not After

  10-12-2034 00:00

  Subject

  CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51

  Certificate

  Issuer

  CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

  Not Before

  10-12-2014 00:00

  Not After

  10-12-2034 00:00

  Subject

  CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  f4:3f:73:ed:b1:2c:02:5f:30:bc:10:ef:f5:89:19:46:b9:7d:cb:d4:54:da:65:64:c8:ca:1c:3a:58:77:7a:81

  Signer

  Actual PE Digest

  f4:3f:73:ed:b1:2c:02:5f:30:bc:10:ef:f5:89:19:46:b9:7d:cb:d4:54:da:65:64:c8:ca:1c:3a:58:77:7a:81

  Digest Algorithm

  sha256

  PE Digest Matches

  true

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_GUARD_CF

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  PDB Paths

  C:\jenkins\iad0-cisystem\workspace\client-hotfix-pipeline\client\stAgent\out\bin\winnt-x86-Release\stAgentSvc.pdb

  Imports

  crypt32

  CertEnumCertificatesInStore

  CertOpenStore

  CertDuplicateCertificateContext

  CertGetCertificateContextProperty

  CryptAcquireCertificatePrivateKey

  CertCreateCertificateContext

  CryptStringToBinaryA

  CertAddCertificateContextToStore

  CryptUnprotectData

  CryptProtectData

  CertGetCertificateChain

  CertFreeCertificateChain

  CertNameToStrA

  CryptFindOIDInfo

  CertStrToNameA

  CertFreeCertificateContext

  CertGetEnhancedKeyUsage

  CertGetNameStringA

  CertFindCertificateInStore

  CryptMsgGetParam

  CryptQueryObject

  CryptMsgClose

  CertOpenSystemStoreA

  CertGetIntendedKeyUsage

  CertCloseStore

  ws2_32

  WSAGetLastError

  inet_pton

  WSACleanup

  WSAStartup

  ntohl

  socket

  shutdown

  getaddrinfo

  freeaddrinfo

  htons

  ntohs

  getnameinfo

  htonl

  connect

  closesocket

  getsockopt

  __WSAFDIsSet

  ioctlsocket

  select

  inet_ntop

  getsockname

  bind

  send

  WSACloseEvent

  WSACreateEvent

  WSAEnumNetworkEvents

  WSAEventSelect

  WSAPoll

  WSAResetEvent

  WSAWaitForMultipleEvents

  inet_ntoa

  inet_addr

  gethostname

  getpeername

  sendto

  recvfrom

  recv

  listen

  accept

  WSAIoctl

  setsockopt

  WSASetLastError

  dbghelp

  MiniDumpWriteDump

  userenv

  DestroyEnvironmentBlock

  LoadUserProfileW

  UnloadUserProfile

  CreateEnvironmentBlock

  ExpandEnvironmentStringsForUserW

  advapi32

  OpenServiceA

  SetServiceObjectSecurity

  QueryServiceStatusEx

  QueryServiceObjectSecurity

  StartServiceCtrlDispatcherA

  SetServiceStatus

  RegisterServiceCtrlHandlerExA

  AllocateAndInitializeSid

  FreeSid

  CheckTokenMembership

  GetUserNameW

  CryptSignHashA

  LsaFreeMemory

  LsaQueryInformationPolicy

  LsaOpenPolicy

  LsaClose

  SetFileSecurityW

  CryptGetHashParam

  CryptEnumProvidersW

  CryptSignHashW

  CryptDestroyHash

  CryptCreateHash

  CryptDecrypt

  CryptExportKey

  CryptGetUserKey

  CryptGetProvParam

  ImpersonateLoggedOnUser

  CryptSetHashParam

  CryptDestroyKey

  ReportEventW

  RegisterEventSourceW

  DeregisterEventSource

  EnumServicesStatusExA

  QueryServiceConfigA

  RegCloseKey

  RegOpenCurrentUser

  RegGetValueA

  RegQueryValueExA

  RevertToSelf

  GetTokenInformation

  OpenThreadToken

  DuplicateToken

  OpenProcessToken

  CreateWellKnownSid

  CreateProcessAsUserA

  LookupAccountSidW

  EqualSid

  ConvertStringSecurityDescriptorToSecurityDescriptorA

  RegCreateKeyExA

  RegFlushKey

  CryptHashData

  GetSecurityDescriptorDacl

  BuildExplicitAccessWithNameW

  OpenSCManagerA

  CloseServiceHandle

  SetEntriesInAclW

  ChangeServiceConfig2A

  CreateServiceA

  ChangeServiceConfigA

  StartServiceA

  QueryServiceStatus

  ControlService

  DeleteService

  CryptReleaseContext

  CryptGenRandom

  CryptAcquireContextW

  DeleteAce

  GetNamedSecurityInfoW

  SetNamedSecurityInfoW

  GetAce

  ConvertSidToStringSidA

  GetAclInformation

  InitializeSecurityDescriptor

  SetSecurityDescriptorDacl

  RegEnumKeyExA

  RegDeleteValueA

  RegEnumValueA

  RegOpenKeyExA

  RegQueryInfoKeyA

  RegSetValueExA

  RegDeleteKeyExA

  kernel32

  DuplicateHandle

  GetCurrentProcess

  CreateSemaphoreA

  HeapAlloc

  WaitForMultipleObjectsEx

  GetEnvironmentVariableA

  GetTickCount

  GetModuleHandleA

  GetProcAddress

  GetSystemDirectoryA

  GetSystemWow64DirectoryA

  GetShortPathNameA

  GetCurrentDirectoryA

  GetModuleFileNameA

  SetCurrentDirectoryA

  WaitForMultipleObjects

  WaitForSingleObject

  OpenProcess

  TerminateProcess

  GetExitCodeProcess

  ResetEvent

  QueryPerformanceCounter

  Thread32Next

  GetSystemPowerStatus

  Thread32First

  CreateToolhelp32Snapshot

  ProcessIdToSessionId

  K32GetModuleFileNameExA

  K32GetProcessMemoryInfo

  LoadLibraryA

  GetProcessIoCounters

  K32EnumProcesses

  GlobalMemoryStatusEx

  FreeLibrary

  GetProcessTimes

  GetSystemTimes

  GetVolumeInformationA

  GetLogicalDriveStringsA

  GetDiskFreeSpaceExA

  FormatMessageA

  VerifyVersionInfoA

  VerSetConditionMask

  GetTickCount64

  ReleaseSRWLockExclusive

  AcquireSRWLockExclusive

  SetLastError

  FormatMessageW

  EnterCriticalSection

  LeaveCriticalSection

  QueryPerformanceFrequency

  MultiByteToWideChar

  WideCharToMultiByte

  MoveFileExA

  CompareFileTime

  GetStdHandle

  GetFileType

  ReadFile

  PeekNamedPipe

  SleepEx

  VerifyVersionInfoW

  RtlUnwind

  ExpandEnvironmentStringsA

  GetEnvironmentVariableW

  CreateFileW

  Wow64RevertWow64FsRedirection

  DeleteFileA

  DeleteFileW

  LocalFree

  CopyFileW

  FlushFileBuffers

  GetNativeSystemInfo

  Process32First

  WriteFile

  QueryFullProcessImageNameA

  CreateFileA

  Process32Next

  GetOverlappedResult

  CreateProcessW

  CreateProcessA

  HeapFree

  LocalAlloc

  GetComputerNameExA

  LoadLibraryExW

  GetComputerNameExW

  GetConsoleMode

  SetConsoleMode

  ReadConsoleA

  ReadConsoleW

  GetModuleHandleExW

  InitializeCriticalSectionAndSpinCount

  TlsAlloc

  TlsGetValue

  TlsSetValue

  TlsFree

  GetModuleHandleW

  SwitchToFiber

  DeleteFiber

  CreateFiber

  ConvertFiberToThread

  ConvertThreadToFiber

  LoadLibraryW

  FindClose

  FindFirstFileW

  FindNextFileW

  GetSystemTime

  SystemTimeToFileTime

  InitializeCriticalSection

  OutputDebugStringA

  GetModuleFileNameW

  SetErrorMode

  CreateMutexA

  ReleaseMutex

  GetLocalTime

  AddVectoredExceptionHandler

  GetErrorMode

  SetUnhandledExceptionFilter

  GetWindowsDirectoryW

  GetFileAttributesW

  OutputDebugStringW

  DeviceIoControl

  GetCurrentThread

  WTSGetActiveConsoleSessionId

  GlobalAlloc

  GlobalFree

  InterlockedPushEntrySList

  GetStartupInfoW

  IsDebuggerPresent

  InitializeSListHead

  IsProcessorFeaturePresent

  UnhandledExceptionFilter

  AreFileApisANSI

  GetProcessHeap

  OpenEventW

  GetConsoleCP

  ExitThread

  FreeLibraryAndExitThread

  WriteConsoleW

  GetDriveTypeW

  SystemTimeToTzSpecificLocalTime

  LCMapStringW

  MoveFileExW

  SetFilePointerEx

  SetEndOfFile

  RemoveDirectoryW

  FileTimeToSystemTime

  SetConsoleCtrlHandler

  ExitProcess

  GetTimeZoneInformation

  GetCommandLineA

  GetCommandLineW

  GetDateFormatW

  Sleep

  DecodePointer

  DeleteCriticalSection

  InitializeCriticalSectionEx

  GetLastError

  RaiseException

  GetSystemTimeAsFileTime

  ReleaseSemaphore

  GetCurrentProcessId

  GetCurrentThreadId

  WaitForSingleObjectEx

  SetEvent

  CreateEventA

  CloseHandle

  GetStringTypeExA

  GetUserDefaultLCID

  LCMapStringA

  GetFullPathNameW

  GetFileInformationByHandle

  GetFileAttributesExW

  CreateDirectoryW

  GetCurrentDirectoryW

  CreateWaitableTimerA

  ResumeThread

  SetWaitableTimer

  OpenEventA

  GetLocaleInfoEx

  GetCPInfo

  CompareStringEx

  GetTimeFormatW

  CompareStringW

  GetLocaleInfoW

  IsValidLocale

  EnumSystemLocalesW

  GetFileSizeEx

  ReadConsoleInputW

  SetStdHandle

  HeapReAlloc

  HeapSize

  FindFirstFileExW

  CreateThread

  LocalSize

  LCMapStringEx

  EncodePointer

  GetStringTypeW

  GetExitCodeThread

  GetConsoleScreenBufferInfo

  SetConsoleTextAttribute

  SleepConditionVariableSRW

  SleepConditionVariableCS

  WakeAllConditionVariable

  WakeConditionVariable

  InitializeConditionVariable

  TryEnterCriticalSection

  InitializeSRWLock

  CreateEventW

  GetFileAttributesA

  IsValidCodePage

  GetACP

  GetOEMCP

  GetEnvironmentStringsW

  FreeEnvironmentStringsW

  SetEnvironmentVariableW

  lstrcmpW

  lstrlenW

  Wow64DisableWow64FsRedirection

  GetDynamicTimeZoneInformation

  WriteConsoleA

  Wow64EnableWow64FsRedirection

  user32

  RegisterPowerSettingNotification

  LoadStringA

  MessageBoxW

  GetUserObjectInformationW

  GetProcessWindowStation

  shell32

  SHCreateDirectoryExW

  SHGetFolderPathW

  SHGetKnownFolderPath

  ord680

  SHGetFolderPathA

  ole32

  CoCreateInstance

  CoUninitialize

  CoSetProxyBlanket

  CoInitializeSecurity

  CoInitializeEx

  CoInitialize

  CoTaskMemFree

  oleaut32

  SysStringLen

  SysFreeString

  VariantInit

  SysAllocStringByteLen

  SysAllocString

  VariantClear

  SysStringByteLen

  iphlpapi

  GetAdaptersAddresses

  GetExtendedTcpTable

  GetBestRoute2

  SetPerTcpConnectionEStats

  GetExtendedUdpTable

  GetPerTcpConnectionEStats

  Icmp6ParseReplies

  NotifyRouteChange2

  Icmp6SendEcho2

  IcmpSendEcho2Ex

  IcmpCloseHandle

  Icmp6CreateFile

  IcmpCreateFile

  CancelMibChangeNotify2

  NotifyIpInterfaceChange

  GetIfEntry2

  IcmpParseReplies

  NotifyUnicastIpAddressChange

  wldap32

  ord211

  ord60

  ord46

  ord217

  ord45

  ord50

  ord41

  ord22

  ord26

  ord27

  ord32

  ord33

  ord35

  ord301

  ord200

  ord30

  ord79

  ord143

  wtsapi32

  WTSFreeMemory

  WTSEnumerateSessionsA

  WTSCloseServer

  WTSQuerySessionInformationA

  WTSQuerySessionInformationW

  WTSQueryUserToken

  WTSOpenServerA

  psapi

  EnumProcesses

  shlwapi

  PathAppendA

  PathFileExistsA

  pdh

  PdhAddCounterA

  PdhGetFormattedCounterValue

  PdhCollectQueryData

  PdhOpenQueryA

  PdhCloseQuery

  PdhAddEnglishCounterA

  bcrypt

  BCryptFinishHash

  BCryptCloseAlgorithmProvider

  BCryptDestroyHash

  BCryptOpenAlgorithmProvider

  BCryptGetProperty

  BCryptCreateHash

  BCryptHashData

  BCryptGenRandom

  version

  VerQueryValueA

  GetFileVersionInfoA

  GetFileVersionInfoSizeA

  wintrust

  WinVerifyTrust

  powrprof

  CallNtPowerInformation

  msi

  ord93

  ord71

  ord267

  ord8

  wevtapi

  EvtRender

  EvtNext

  EvtQuery

  EvtClose

  winhttp

  WinHttpOpen

  WinHttpCloseHandle

  WinHttpGetIEProxyConfigForCurrentUser

  WinHttpGetProxyForUrl

  WinHttpSetTimeouts

  secur32

  CompleteAuthToken

  FreeCredentialsHandle

  GetUserNameExA

  AcquireCredentialsHandleA

  InitializeSecurityContextA

  DeleteSecurityContext

  ncrypt

  NCryptSignHash

  NCryptFreeObject

  Sections

  .text

  Size: 4.9MB - Virtual size: 4.9MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 1.1MB - Virtual size: 1.1MB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 88KB - Virtual size: 120KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 1KB - Virtual size: 1KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 252KB - Virtual size: 252KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ