D:\Tool\my_winafl\dynamorio-release_9.0.1\build64\lib64\drinjectlib.pdb
Static task
static1
Behavioral task
behavioral1
Sample
d9bde120d5d1fbf5d34dcae77698d22efcdae5db5cacbc32770e3592ab0d147e.dll
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
d9bde120d5d1fbf5d34dcae77698d22efcdae5db5cacbc32770e3592ab0d147e.dll
Resource
win10v2004-20240426-en
General
-
Target
d9bde120d5d1fbf5d34dcae77698d22efcdae5db5cacbc32770e3592ab0d147e
-
Size
665KB
-
MD5
5c8a5d1e34b1c71fb52cd4cae16e4713
-
SHA1
9b92007ae51d8704af4cd781faedc6bd3fa798dc
-
SHA256
d9bde120d5d1fbf5d34dcae77698d22efcdae5db5cacbc32770e3592ab0d147e
-
SHA512
c014afe26ed6d9b0d4aa006cff965f1c3ec072ec2a79279315fc90cbc462dcabdc3ae040144472a648e5171cb0d6d306ba4e20b598c1e54faa5b298ed253ade5
-
SSDEEP
12288:6DjsaQ03GDqlIy6kADs/L7+NeJOJLVGQEc:6DjsOUjG/L7+NeJOJLVGQEc
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature. The file carries none, so the hit fires; on its own this is a weak indicator. The embedded PDB path (drinjectlib.pdb under a DynamoRIO 9.0.1 build tree inside a winafl tool directory) and the dr_inject_* / instr_* / opnd_* export set indicate this appears to be DynamoRIO's injection library, for which the process-injection and debugging imports seen here (CreateRemoteThread, NtWriteVirtualMemory, NtSetContextThread, DebugActiveProcess) are expected rather than suspicious. Before treating it as benign, confirm the SHA256 against a build you trust — a locally compiled copy like this one has no upstream signature to verify, and the same exports would be present in a trojanized rebuild.
resource d9bde120d5d1fbf5d34dcae77698d22efcdae5db5cacbc32770e3592ab0d147e
Files
-
d9bde120d5d1fbf5d34dcae77698d22efcdae5db5cacbc32770e3592ab0d147e.dll windows:5 windows x64 arch:x64
94acd5b073b09c89115d7481e2d9e16c
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
PDB Paths
Imports
ntdll
strrchr
NtOpenProcessToken
NtMapViewOfSection
LdrGetDllHandle
NtRaiseHardError
NtQuerySystemTime
RtlQueryEnvironmentVariable_U
NtQueryValueKey
RtlInitUnicodeString
LdrLoadDll
NtClose
NtSetContextThread
NtGetContextThread
NtWriteVirtualMemory
NtReadVirtualMemory
NtOpenKey
NtCreateFile
NtFreeVirtualMemory
NtAllocateVirtualMemory
NtCreateSection
NtQueryVirtualMemory
NtQueryInformationToken
NtQueryInformationProcess
NtReadFile
NtWaitForSingleObject
KiUserExceptionDispatcher
KiUserApcDispatcher
NtContinue
NtProtectVirtualMemory
LdrGetProcedureAddress
kernel32
HeapFree
WriteConsoleW
HeapReAlloc
HeapSize
GetFileSizeEx
SetFilePointerEx
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
WideCharToMultiByte
GetCommandLineW
GetCommandLineA
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
FindClose
GetStringTypeW
GetConsoleMode
GetConsoleOutputCP
FlushFileBuffers
GetFileType
LCMapStringW
GetModuleFileNameW
GetModuleHandleExW
ExitProcess
RaiseException
LoadLibraryExW
FreeLibrary
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
SetLastError
InterlockedFlushSList
RtlUnwindEx
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
WriteFile
GetStdHandle
MultiByteToWideChar
CreateFileW
ReadFile
SetFilePointer
ContinueDebugEvent
WaitForDebugEvent
DebugActiveProcess
DebugActiveProcessStop
CloseHandle
DuplicateHandle
GetLastError
HeapAlloc
GetProcessHeap
GetCurrentProcess
TerminateProcess
GetExitCodeProcess
CreateRemoteThread
ResumeThread
CreateProcessW
GetModuleHandleW
GetProcAddress
DebugSetProcessKillOnExit
advapi32
RegDeleteValueW
RegSetValueExW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
Exports
Exports
decode
decode_eflags_usage
decode_first_opcode_byte
decode_from_copy
decode_memory_reference_size
decode_next_pc
decode_opcode_name
decode_sizeof
decode_sizeof_ex
dr_app_pc_as_jump_target
dr_app_pc_as_load_target
dr_get_isa_mode
dr_get_stderr_file
dr_get_stdin_file
dr_get_stdout_file
dr_inject_get_image_name
dr_inject_get_process_handle
dr_inject_get_process_id
dr_inject_print_stats
dr_inject_process_attach
dr_inject_process_create
dr_inject_process_exit
dr_inject_process_inject
dr_inject_process_run
dr_inject_use_late_injection
dr_inject_using_debug_key
dr_inject_wait_for_child
dr_set_isa_mode
get_register_name
get_x86_mode
instr_allocate_raw_bits
instr_build
instr_build_bits
instr_clear_label_callback
instr_clone
instr_cmovcc_to_jcc
instr_cmovcc_triggered
instr_compute_address
instr_compute_address_ex
instr_compute_address_ex_pos
instr_convert_short_meta_jmp_to_long
instr_create
instr_create_0dst_0src
instr_create_0dst_1src
instr_create_0dst_2src
instr_create_0dst_3src
instr_create_0dst_4src
instr_create_1dst_0src
instr_create_1dst_1src
instr_create_1dst_2src
instr_create_1dst_3src
instr_create_1dst_4src
instr_create_1dst_5src
instr_create_2dst_0src
instr_create_2dst_1src
instr_create_2dst_2src
instr_create_2dst_3src
instr_create_2dst_4src
instr_create_2dst_5src
instr_create_3dst_0src
instr_create_3dst_1src
instr_create_3dst_2src
instr_create_3dst_3src
instr_create_3dst_4src
instr_create_3dst_5src
instr_create_3dst_6src
instr_create_4dst_1src
instr_create_4dst_2src
instr_create_4dst_3src
instr_create_4dst_4src
instr_create_4dst_7src
instr_create_5dst_3src
instr_create_5dst_4src
instr_create_5dst_8src
instr_create_Ndst_Msrc_vardst
instr_create_Ndst_Msrc_varsrc
instr_create_popa
instr_create_pusha
instr_destroy
instr_encode
instr_encode_to_copy
instr_free
instr_free_raw_bits
instr_from_noalloc
instr_get_app_pc
instr_get_arith_flags
instr_get_branch_target_pc
instr_get_dst
instr_get_eflags
instr_get_interrupt_number
instr_get_isa_mode
instr_get_label_data_area
instr_get_next
instr_get_next_app
instr_get_note
instr_get_opcode
instr_get_opcode_eflags
instr_get_predicate
instr_get_prefix_flag
instr_get_prev
instr_get_prev_app
instr_get_raw_bits
instr_get_raw_byte
instr_get_raw_word
instr_get_rel_addr_dst_idx
instr_get_rel_addr_src_idx
instr_get_rel_addr_target
instr_get_rel_data_or_instr_target
instr_get_src
instr_get_target
instr_get_x86_mode
instr_has_allocated_bits
instr_has_encoding_hint
instr_has_rel_addr_reference
instr_init
instr_invert_cbr
instr_is_3DNow
instr_is_app
instr_is_call
instr_is_call_direct
instr_is_call_indirect
instr_is_cbr
instr_is_cti
instr_is_cti_loop
instr_is_cti_short
instr_is_cti_short_rewrite
instr_is_encoding_possible
instr_is_exclusive_load
instr_is_exclusive_store
instr_is_exit_cti
instr_is_far_abs_cti
instr_is_far_cti
instr_is_floating
instr_is_floating_ex
instr_is_gather
instr_is_interrupt
instr_is_label
instr_is_mbr
instr_is_meta
instr_is_meta_may_fault
instr_is_mmx
instr_is_mov
instr_is_mov_constant
instr_is_mov_imm_to_tos
instr_is_near_call_direct
instr_is_near_ubr
instr_is_nop
instr_is_opmask
instr_is_predicated
instr_is_prefetch
instr_is_rep_string_op
instr_is_return
instr_is_scatter
instr_is_sse
instr_is_sse2
instr_is_sse3
instr_is_sse41
instr_is_sse42
instr_is_sse4A
instr_is_sse_or_sse2
instr_is_ssse3
instr_is_string_op
instr_is_syscall
instr_is_ubr
instr_is_undefined
instr_is_wow64_syscall
instr_is_xsave
instr_jcc_taken
instr_length
instr_make_persistent
instr_mem_usage
instr_memory_reference_size
instr_needs_encoding
instr_noalloc_init
instr_num_dsts
instr_num_srcs
instr_ok_to_emit
instr_ok_to_mangle
instr_opcode_valid
instr_operands_valid
instr_predicate_is_cond
instr_predicate_triggered
instr_raw_bits_valid
instr_reads_from_exact_reg
instr_reads_from_reg
instr_reads_memory
instr_reg_in_dst
instr_reg_in_src
instr_remove_dsts
instr_remove_srcs
instr_replace_reg_resize
instr_replace_src_opnd
instr_reset
instr_reuse
instr_same
instr_set_app
instr_set_branch_target_pc
instr_set_dst
instr_set_encoding_hint
instr_set_isa_mode
instr_set_label_callback
instr_set_meta
instr_set_meta_may_fault
instr_set_meta_no_translation
instr_set_next
instr_set_note
instr_set_num_opnds
instr_set_ok_to_emit
instr_set_ok_to_mangle
instr_set_opcode
instr_set_operands_valid
instr_set_predicate
instr_set_prefix_flag
instr_set_prev
instr_set_raw_bits
instr_set_raw_bits_valid
instr_set_raw_byte
instr_set_raw_bytes
instr_set_raw_word
instr_set_src
instr_set_target
instr_set_translation
instr_set_x86_mode
instr_shrink_to_16_bits
instr_shrink_to_32_bits
instr_uses_fp_reg
instr_uses_reg
instr_valid
instr_writes_memory
instr_writes_to_exact_reg
instr_writes_to_reg
instr_zeroes_ymmh
instr_zeroes_zmmh
instrlist_append
instrlist_clear
instrlist_clear_and_destroy
instrlist_clone
instrlist_create
instrlist_cut
instrlist_destroy
instrlist_encode
instrlist_encode_to_copy
instrlist_first
instrlist_first_app
instrlist_first_nonlabel
instrlist_get_auto_predicate
instrlist_get_translation_target
instrlist_init
instrlist_insert_mov_immed_ptrsz
instrlist_insert_mov_instr_addr
instrlist_insert_push_immed_ptrsz
instrlist_insert_push_instr_addr
instrlist_last
instrlist_last_app
instrlist_meta_append
instrlist_meta_postinsert
instrlist_meta_preinsert
instrlist_postinsert
instrlist_preinsert
instrlist_prepend
instrlist_remove
instrlist_replace
instrlist_set_auto_predicate
instrlist_set_fall_through_target
instrlist_set_return_target
instrlist_set_translation_target
opnd_add_flags
opnd_compute_address
opnd_create_abs_addr
opnd_create_base_disp
opnd_create_base_disp_ex
opnd_create_far_abs_addr
opnd_create_far_base_disp
opnd_create_far_base_disp_ex
opnd_create_far_instr
opnd_create_far_pc
opnd_create_far_rel_addr
opnd_create_immed_float
opnd_create_immed_int
opnd_create_immed_int64
opnd_create_immed_uint
opnd_create_instr
opnd_create_instr_ex
opnd_create_mem_instr
opnd_create_null
opnd_create_pc
opnd_create_reg
opnd_create_reg_ex
opnd_create_reg_partial
opnd_create_rel_addr
opnd_defines_use
opnd_get_addr
opnd_get_base
opnd_get_disp
opnd_get_flags
opnd_get_immed_float
opnd_get_immed_int
opnd_get_immed_int64
opnd_get_index
opnd_get_instr
opnd_get_mem_instr_disp
opnd_get_pc
opnd_get_reg
opnd_get_reg_used
opnd_get_scale
opnd_get_segment
opnd_get_segment_selector
opnd_get_shift
opnd_get_size
opnd_is_abs_addr
opnd_is_base_disp
opnd_is_disp_encode_zero
opnd_is_disp_force_full
opnd_is_disp_short_addr
opnd_is_far_abs_addr
opnd_is_far_base_disp
opnd_is_far_instr
opnd_is_far_memory_reference
opnd_is_far_pc
opnd_is_far_rel_addr
opnd_is_immed
opnd_is_immed_float
opnd_is_immed_int
opnd_is_immed_int64
opnd_is_instr
opnd_is_mem_instr
opnd_is_memory_reference
opnd_is_near_abs_addr
opnd_is_near_base_disp
opnd_is_near_instr
opnd_is_near_memory_reference
opnd_is_near_pc
opnd_is_near_rel_addr
opnd_is_null
opnd_is_pc
opnd_is_reg
opnd_is_reg_32bit
opnd_is_reg_64bit
opnd_is_reg_partial
opnd_is_reg_pointer_sized
opnd_is_rel_addr
opnd_is_vsib
opnd_num_regs_used
opnd_replace_reg
opnd_replace_reg_resize
opnd_same
opnd_same_address
opnd_set_disp
opnd_set_disp_ex
opnd_set_flags
opnd_set_size
opnd_share_reg
opnd_shrink_to_16_bits
opnd_shrink_to_32_bits
opnd_size_from_bytes
opnd_size_in_bits
opnd_size_in_bytes
opnd_uses_reg
proc_get_vendor
proc_restore_fpstate
proc_save_fpstate
proc_set_vendor
reg_32_to_16
reg_32_to_64
reg_32_to_8
reg_32_to_opsz
reg_64_to_32
reg_get_bits
reg_get_size
reg_get_value
reg_get_value_ex
reg_is_32bit
reg_is_64bit
reg_is_avx512_extended
reg_is_bnd
reg_is_extended
reg_is_fp
reg_is_gpr
reg_is_mmx
reg_is_opmask
reg_is_pointer_sized
reg_is_segment
reg_is_simd
reg_is_stolen
reg_is_strictly_xmm
reg_is_strictly_ymm
reg_is_strictly_zmm
reg_is_vector_simd
reg_is_xmm
reg_is_ymm
reg_overlap
reg_parameter_num
reg_resize_to_opsz
reg_set_value
reg_set_value_ex
reg_to_pointer_sized
set_x86_mode
using_debugger_key_injection
Sections
.text Size: 204KB - Virtual size: 204KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 422KB - Virtual size: 421KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 3KB - Virtual size: 77KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 9KB - Virtual size: 9KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.nspdata Size: 512B - Virtual size: 4B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
_RDATA Size: 512B - Virtual size: 348B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 22KB - Virtual size: 22KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ