2024-05-31_090cb8dd9e9a798edc177742e11a8e94_mafia

Sharing

Copy URL

Twitter E-mail

General

Target

2024-05-31_090cb8dd9e9a798edc177742e11a8e94_mafia
Size

22.9MB
MD5

090cb8dd9e9a798edc177742e11a8e94
SHA1

ae1dd86cfdcf6b3f390011effa73ecda29f29977
SHA256

64b4aa13f315873d2ee4664804b0493e4b76ed9ddd5c389c789dd5e349713750
SHA512

1fc795d544fc24e6c333ad2c57a50ffb340f1bfd62bdf67727717fe258c0b67b2e6be869b5d66f119f71fead74641092dd09a5a036ce4210572b520317f83a26
SSDEEP

393216:GIL0rZQnldpF/R1+sDcHSSzou7IaUAgVQ10JD8co9jYITKeAcMI3Vj5:EZQnldpBR1zDKSN/QGJwpdWcMI3Vj5

Score

10^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 1 IoCs

resource	yara_rule
sample	UPX

Files

2024-05-31_090cb8dd9e9a798edc177742e11a8e94_mafia
.exe windows:5 windows x86 arch:x86

7405f0c420906595fb06a5aef82863ec

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:35:b7:01:15:e2:57:5f:94:88:41:50:97:5b:04:c3:64
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

16/01/2013, 10:33

Not After

16/04/2016, 10:33

Subject

CN=Soluto,O=Soluto,ST=Tel-Aviv,C=IL,1.2.840.113549.1.9.1=#0c0f696e666f40736f6c75746f2e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

c7:9e:10:d2:36:6a:4b:6e:d8:ef:19:2e:d1:97:e5:d8:ff:11:67:3f
Signer

Actual PE Digest

c7:9e:10:d2:36:6a:4b:6e:d8:ef:19:2e:d1:97:e5:d8:ff:11:67:3f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\ninite\Output\pdbs\Release\MultiGet.pdb

Imports

kernel32

WriteProcessMemory
GetCurrentThread
CreateFileMappingW
CreateMutexW
BeginUpdateResourceW
UpdateResourceW
EndUpdateResourceW
ReleaseSemaphore
CreateSemaphoreW
CopyFileExW
WaitNamedPipeW
OpenJobObjectW
lstrcpynW
MulDiv
FlushInstructionCache
PeekNamedPipe
CreatePipe
IsDebuggerPresent
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeW
SetProcessAffinityMask
WritePrivateProfileStringW
UnmapViewOfFile
SetEnvironmentVariableA
WriteConsoleW
SetEndOfFile
SetStdHandle
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
FlushFileBuffers
GetConsoleMode
GetConsoleCP
GetTimeZoneInformation
CreateFileA
MapViewOfFile
GetFileType
SetHandleCount
IsValidCodePage
GetOEMCP
GetACP
UnhandledExceptionFilter
CompareStringW
GetCPInfo
LCMapStringW
RtlUnwind
GetStartupInfoW
HeapSetInformation
ExitThread
HeapCreate
ExitProcess
GetDateFormatA
GetTimeFormatA
DeleteFileA
CreateProcessA
MoveFileA
GetSystemInfo
VirtualProtect
DecodePointer
EncodePointer
InitializeCriticalSection
GetStringTypeW
InterlockedExchange
InterlockedDecrement
InterlockedIncrement
InterlockedPopEntrySList
VirtualAlloc
VirtualFree
IsProcessorFeaturePresent
InterlockedPushEntrySList
InterlockedCompareExchange
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
HeapDestroy
OpenFileMappingW
GetExitCodeProcess
GetCurrentThreadId
AssignProcessToJobObject
ResumeThread
CreateJobObjectW
CreateIoCompletionPort
SetCurrentDirectoryW
ReleaseMutex
OpenMutexW
CreateProcessW
GetQueuedCompletionStatus
SystemTimeToFileTime
GetSystemTime
SetFilePointer
SetFilePointerEx
GetOverlappedResult
CancelIo
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetProcessShutdownParameters
GetProcessShutdownParameters
GetExitCodeThread
CreateThread
ResetEvent
WaitForMultipleObjects
RaiseException
SetEvent
CreateEventW
GetSystemWindowsDirectoryW
SetEnvironmentVariableW
GetPrivateProfileStringW
GetUserDefaultUILanguage
GetLocaleInfoW
GetCommandLineW
GetComputerNameW
SetLastError
TlsGetValue
TlsSetValue
TlsFree
TlsAlloc
SetUnhandledExceptionFilter
CloseHandle
VirtualQuery
FormatMessageW
LoadLibraryW
GetStdHandle
SetFileTime
lstrlenW
GetVersionExW
GetSystemTimeAsFileTime
GetFileSizeEx
CreateFileW
ReadFile
WriteFile
GetFileAttributesExW
CreateDirectoryW
MoveFileExW
CopyFileW
MoveFileW
RemoveDirectoryW
FindClose
FindNextFileW
FindFirstFileW
DeleteFileW
SetFileAttributesW
GetFileAttributesW
GetModuleFileNameW
GetEnvironmentVariableW
ExpandEnvironmentStringsW
GetCurrentDirectoryW
GetShortPathNameW
GetLongPathNameW
GetTempPathW
GetTickCount
LeaveCriticalSection
EnterCriticalSection
Sleep
GetModuleFileNameA
LoadLibraryA
FormatMessageA
FreeLibrary
WideCharToMultiByte
MultiByteToWideChar
GetCurrentProcessId
DuplicateHandle
LocalFree
LocalAlloc
IsProcessInJob
GetProcessId
WaitForSingleObject
SetInformationJobObject
QueryInformationJobObject
TerminateJobObject
TerminateProcess
GetModuleHandleW
GetProcAddress
OpenProcess
GetCurrentProcess
FindResourceExW
FindResourceW
LoadResource
LockResource
SizeofResource
GetLastError
GetFileAttributesA

user32

EnumWindows
EnumChildWindows
GetWindowThreadProcessId
PostMessageW
IsWindow
GetClassInfoExW
CreateWindowExW
CreateDialogParamW
DialogBoxParamW
EndDialog
GetSubMenu
DefWindowProcW
LoadAcceleratorsW
TranslateAcceleratorW
SetTimer
SetFocus
GetSysColor
KillTimer
GetWindow
MonitorFromWindow
WaitForInputIdle
IsWindowEnabled
GetClientRect
GetClassNameW
GetMenuItemCount
RemoveMenu
GetMenuItemInfoW
SetMenuItemInfoW
GetActiveWindow
SendMessageW
GetMonitorInfoW
GetParent
SystemParametersInfoW
TrackPopupMenu
LoadMenuW
GetDC
MapWindowPoints
GetMessagePos
GetWindowLongW
GetDlgCtrlID
IsWindowVisible
LoadStringW
GetKeyState
InvalidateRect
SetWindowTextW
PtInRect
MoveWindow
PostQuitMessage
DestroyWindow
ShowWindow
DispatchMessageW
TranslateMessage
SetCursor
LoadCursorW
GetMessageW
PeekMessageW
UnregisterClassA
GetWindowRect
SetWindowPos
SetWindowLongW
GetDlgItem
ScreenToClient
OffsetRect
RedrawWindow
GetWindowTextLengthW
EnableWindow
DrawTextW
DrawFrameControl
GetWindowTextW
RegisterClassExW
GetMenu
AdjustWindowRectEx
IsDialogMessageW
GetProcessWindowStation
GetUserObjectInformationW
CloseDesktop
CloseWindowStation
DestroyCursor
DestroyMenu
CallWindowProcW
EndPaint
BeginPaint
SwitchDesktop
LoadImageW
MessageBoxW
GetAsyncKeyState
SetProcessWindowStation
CreateWindowStationW
SetUserObjectSecurity
GetUserObjectSecurity
OpenWindowStationW
GetSystemMetrics
CreateDesktopW
GetDesktopWindow
UserHandleGrantAccess
SetThreadDesktop
GetThreadDesktop
OpenDesktopW

gdi32

DPtoLP
GetDeviceCaps
CreateFontIndirectW
SetTextColor
DeleteDC
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
Rectangle
SetBkColor
DeleteObject
ExtTextOutW
GetStockObject
CreateSolidBrush
SetBkMode

comdlg32

GetSaveFileNameW
GetOpenFileNameW

advapi32

GetSecurityDescriptorDacl
GetSecurityDescriptorSacl
GetSecurityDescriptorLength
GetSecurityDescriptorControl
MakeSelfRelativeSD
GetKernelObjectSecurity
DuplicateTokenEx
StartServiceW
CreateServiceW
EnumServicesStatusW
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerExW
SetServiceStatus
DeleteService
GetTokenInformation
LsaFreeMemory
LsaClose
LsaQueryInformationPolicy
LsaNtStatusToWinError
LsaOpenPolicy
RegEnumKeyW
RegEnumValueW
GetSecurityDescriptorGroup
RegDeleteKeyW
CryptGenRandom
CryptAcquireContextW
CryptReleaseContext
QueryServiceStatus
OpenServiceW
OpenSCManagerW
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
GetSidLengthRequired
InitializeSid
GetSidSubAuthority
IsValidSid
GetLengthSid
CopySid
CheckTokenMembership
LookupPrivilegeValueW
AdjustTokenPrivileges
OpenProcessToken
RegEnumKeyExW
CloseServiceHandle
GetSecurityInfo
GetSecurityDescriptorOwner
SetTokenInformation
CreateProcessAsUserW
ImpersonateSelf
SetKernelObjectSecurity
MakeAbsoluteSD
InitializeSecurityDescriptor
InitializeAcl
AddAce
SetSecurityDescriptorDacl
GetAclInformation
GetAce
EqualSid
IsTokenRestricted
OpenThreadToken
LsaEnumerateAccountRights
RevertToSelf
SetThreadToken

shell32

ShellExecuteExW
SHGetFolderPathW
SHGetSpecialFolderPathW
CommandLineToArgvW
ord680
SHChangeNotify
ShellExecuteW

ole32

CoSetProxyBlanket
CoCreateInstance
CoUninitialize
CoInitialize

oleaut32

SysFreeString
VariantInit
SysAllocString
VariantClear
SysAllocStringLen

comctl32

ImageList_Create
ImageList_Add
ImageList_Replace
ImageList_GetIconSize
ImageList_GetImageCount
ImageList_SetBkColor
ImageList_ReplaceIcon
InitCommonControlsEx

userenv

UnloadUserProfile
CreateEnvironmentBlock
DestroyEnvironmentBlock

psapi

EnumProcessModules
EnumProcesses
GetModuleFileNameExW

wintrust

WinVerifyTrust

crypt32

CryptMsgClose
CertCloseStore
CertGetNameStringW
CertFindCertificateInStore
CryptMsgGetParam
CryptQueryObject
CertFreeCertificateContext

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

uxtheme

DrawThemeBackground
CloseThemeData
IsThemeActive
IsAppThemed
SetWindowTheme
OpenThemeData
DrawThemeEdge

urlmon

ObtainUserAgentString

activeds

ord3

wininet

InternetCrackUrlW
InternetSetOptionW
InternetOpenW
InternetConnectW
HttpOpenRequestW
InternetQueryOptionW
HttpSendRequestW
HttpQueryInfoW
InternetReadFile
InternetOpenUrlW
InternetCloseHandle

rpcrt4

UuidToStringW
UuidCreateSequential
RpcStringFreeW

wtsapi32

WTSQueryUserToken
WTSFreeMemory
WTSQuerySessionInformationW
WTSEnumerateSessionsW

mpr

WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WNetCancelConnection2W
WNetAddConnection2W

Sections

.text
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 288KB - Virtual size: 287KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 319KB - Virtual size: 318KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 68KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7405f0c420906595fb06a5aef82863ec

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:2f:4e:e1:35:5cCertificate

Extended Key Usages

Key Usages

11:21:35:b7:01:15:e2:57:5f:94:88:41:50:97:5b:04:c3:64Certificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

c7:9e:10:d2:36:6a:4b:6e:d8:ef:19:2e:d1:97:e5:d8:ff:11:67:3fSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

gdi32

comdlg32

advapi32

shell32

ole32

oleaut32

comctl32

userenv

psapi

wintrust

crypt32

version

uxtheme

urlmon

activeds

wininet

rpcrt4

wtsapi32

mpr

Sections

.text Size: 1.0MB - Virtual size: 1.0MB

.rdata Size: 288KB - Virtual size: 287KB

.data Size: 20KB - Virtual size: 29KB

.rsrc Size: 319KB - Virtual size: 318KB

.reloc Size: 68KB - Virtual size: 68KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

11:21:35:b7:01:15:e2:57:5f:94:88:41:50:97:5b:04:c3:64
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

c7:9e:10:d2:36:6a:4b:6e:d8:ef:19:2e:d1:97:e5:d8:ff:11:67:3f
Signer

.text
Size: 1.0MB - Virtual size: 1.0MB

.rdata
Size: 288KB - Virtual size: 287KB

.data
Size: 20KB - Virtual size: 29KB

.rsrc
Size: 319KB - Virtual size: 318KB

.reloc
Size: 68KB - Virtual size: 68KB