2024-05-30_b5d1b359845754d462b5bd3f0b914352_mafia

Sharing

Copy URL Twitter E-mail

General

Target

2024-05-30_b5d1b359845754d462b5bd3f0b914352_mafia
Size

553KB
MD5

b5d1b359845754d462b5bd3f0b914352
SHA1

d6804a87fc598321529771f369d6204d0ea45985
SHA256

b145edd55663009b8406fbdfd5a3029d34aadda77fc03614f2821948abc94e09
SHA512

9f3e6f90f184f04d30c76fc3c41374fcdcebe0e36fae4b45acff516d630b9b2222d36b5bf41fafb7538c4972eec3bd0cd5d3131b645bc241d8e831bb9eea347a
SSDEEP

6144:9kryTHH7rWrMW/ypO67rKl0mH0MUJzAQqXgKnMNc33eBWWqIWt0/d+gHC8PinEVl:urPwOwrKlfH0MU4WmIWYW+/m7JbYI

Score

1^/10

Malware Config

Signatures

NSIS installer 1 IoCs

installer

resource	yara_rule
sample	nsis_installer_2

Files

2024-05-30_b5d1b359845754d462b5bd3f0b914352_mafia
.exe windows:5 windows x86 arch:x86

3851333aa1cc74621e7af90a9faef2c4

Code Sign

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:be
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

10/05/2010, 00:00

Not After

10/05/2015, 23:59

Subject

CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

4c:c6:dd:c6:c5:57:cb:4e:4a:33:6c:8c:05:6f:ba:83
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

08/08/2013, 00:00

Not After

08/08/2015, 23:59

Subject

CN=Beijing Sogou Information Service Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Search business Division,O=Beijing Sogou Information Service Co.\, Ltd.,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

db:0e:8e:5f:f5:9f:70:eb:b2:66:b6:8e:9d:a1:e1:25:57:ee:9d:bd
Signer

Actual PE Digest

db:0e:8e:5f:f5:9f:70:eb:b2:66:b6:8e:9d:a1:e1:25:57:ee:9d:bd

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\codes\VS2010\SogouDownLoad\Src\MiniDownLoad\Release\MiniDownLoad.pdb

Imports

kernel32

WriteFile
SizeofResource
CreateFileW
lstrlenW
CloseHandle
GetCommandLineW
GetTempPathW
CompareStringW
GetModuleHandleW
InterlockedDecrement
InterlockedIncrement
GetTimeZoneInformation
GetProcessHeap
SetEndOfFile
GetCurrentDirectoryW
PeekNamedPipe
GetFileInformationByHandle
GetFullPathNameW
FindFirstFileExW
GetDriveTypeW
FileTimeToLocalFileTime
FileTimeToSystemTime
LoadResource
FindResourceW
GetEnvironmentVariableW
CreateFileA
lstrlenA
lstrcmpW
GetPrivateProfileStringW
GetSystemDirectoryW
DeviceIoControl
DeleteFileW
RaiseException
EnterCriticalSection
LeaveCriticalSection
GetLastError
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
HeapSetInformation
GetStartupInfoW
HeapFree
EncodePointer
DecodePointer
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapAlloc
GetProcAddress
ExitProcess
GetStdHandle
GetModuleFileNameW
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
GetCurrentThreadId
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
IsProcessorFeaturePresent
HeapReAlloc
HeapSize
Sleep
SetFilePointer
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
MultiByteToWideChar
RtlUnwind
FreeLibrary
InterlockedExchange
LoadLibraryW
GetLocaleInfoW
SetStdHandle
WriteConsoleW
LCMapStringW
GetStringTypeW
FlushFileBuffers
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
CreateDirectoryW
CreateProcessW
WaitForSingleObject
CreateMutexW
ReleaseMutex
InitializeCriticalSection
GetVersionExW
lstrcpynW
lstrcpyW
GetFileSize
FindFirstFileW
CopyFileW
ReadFile
FindClose
SetEnvironmentVariableA

user32

LoadStringW
SendMessageTimeoutW
FindWindowW
wsprintfW

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCloseKey
RegOpenKeyExW

shell32

ShellExecuteW
SHGetSpecialFolderPathW
ShellExecuteExW

shlwapi

PathAppendW
PathFileExistsW
PathIsDirectoryW
StrCpyW
SHGetValueW

wininet

InternetOpenW
InternetReadFile
InternetQueryDataAvailable
InternetSetOptionW
HttpQueryInfoW
InternetCloseHandle
InternetConnectW
HttpOpenRequestW
InternetCrackUrlW
HttpSendRequestW

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

netapi32

NetApiBufferFree
NetWkstaTransportEnum
Netbios

ole32

CoInitialize
CoUninitialize
CoCreateGuid

Sections

.text
Size: 159KB - Virtual size: 158KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 340KB - Virtual size: 339KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 18KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

sayojsu
Size: - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

3851333aa1cc74621e7af90a9faef2c4

Code Sign

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:beCertificate

Extended Key Usages

Key Usages

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fdCertificate

Extended Key Usages

Key Usages

4c:c6:dd:c6:c5:57:cb:4e:4a:33:6c:8c:05:6f:ba:83Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

db:0e:8e:5f:f5:9f:70:eb:b2:66:b6:8e:9d:a1:e1:25:57:ee:9d:bdSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

shlwapi

wininet

version

netapi32

ole32

Sections

.text Size: 159KB - Virtual size: 158KB

.rdata Size: 27KB - Virtual size: 27KB

.data Size: 7KB - Virtual size: 15KB

.rsrc Size: 340KB - Virtual size: 339KB

.reloc Size: 18KB - Virtual size: 51KB

sayojsu Size: - Virtual size: 4KB

47:8a:8e:fb:59:e1:d8:3f:0c:e1:42:d2:a2:87:07:be
Certificate

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

4c:c6:dd:c6:c5:57:cb:4e:4a:33:6c:8c:05:6f:ba:83
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

db:0e:8e:5f:f5:9f:70:eb:b2:66:b6:8e:9d:a1:e1:25:57:ee:9d:bd
Signer

.text
Size: 159KB - Virtual size: 158KB

.rdata
Size: 27KB - Virtual size: 27KB

.data
Size: 7KB - Virtual size: 15KB

.rsrc
Size: 340KB - Virtual size: 339KB

.reloc
Size: 18KB - Virtual size: 51KB

sayojsu
Size: - Virtual size: 4KB