DemonInternal[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

DemonInternal.exe
Size

760KB
MD5

32c0cb61784f8d5f4f77d31908635b69
SHA1

fee82c2235edc3258b79daed2b9b03d30a5b9fb0
SHA256

d267ec23424f3521345da7f86c8ceffbae066a5cdf24c55a55c9f8ce9a3bb281
SHA512

eee1379d17d0852221d43c4da0ff1ec265c7bca5b7ac1f69920360c70e3ca515f50883cbc819c401bf66715872838ae812cd3e6e195e3a0b9a0c50becf49f998
SSDEEP

12288:UKx1vJ56O+ESUg5rWxQsWqlxOW4J+ThxU1ZB3aHG+j2c:US1SOPSpWQsWql4poVx8B3am

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
DemonInternal.exe

Files

DemonInternal.exe
.exe windows:6 windows x64 arch:x64

afdfd038e5056da837ac87a8f5aa6a96

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\files\visual\project\cheat\injector\DW-Kernel\x64\Release\DemonInternal.pdb

Imports

kernel32

SetLastError
FormatMessageA
LocalFree
EnterCriticalSection
LeaveCriticalSection
SleepEx
VerSetConditionMask
QueryPerformanceFrequency
GetSystemDirectoryA
FreeLibrary
GetProcAddress
VerifyVersionInfoA
QueryPerformanceCounter
GetTickCount
MoveFileExA
WaitForSingleObjectEx
MultiByteToWideChar
GetEnvironmentVariableA
GetFileType
PeekNamedPipe
WaitForMultipleObjects
CreateFileA
GetFileSizeEx
WideCharToMultiByte
GetLocaleInfoEx
GetCurrentDirectoryW
CreateDirectoryW
FindClose
FindFirstFileW
QueryFullProcessImageNameW
GetModuleHandleW
GetModuleFileNameW
GetModuleFileNameA
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
VirtualProtect
CreateThread
GetFileAttributesExW
AreFileApisANSI
GetFileInformationByHandleEx
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
InitializeCriticalSectionEx
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
GetLastError
GetExitCodeProcess
Sleep
WaitForSingleObject
GetStdHandle
DeviceIoControl
SetConsoleTitleA
SetConsoleTextAttribute
GetFileSize
K32GetModuleInformation
Process32FirstW
LoadLibraryA
Process32NextW
CreateToolhelp32Snapshot
GetModuleHandleA
VirtualAlloc
OutputDebugStringW
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
GetCurrentProcess
VirtualFree
ReadFile
CloseHandle
CreateFileW
DeleteCriticalSection

user32

UnhookWinEvent
EnumWindows
GetWindowThreadProcessId
MessageBoxA
SetWinEventHook

shell32

ShellExecuteA
ShellExecuteExA

msvcp140

??1_Lockit@std@@QEAA@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setf@ios_base@std@@QEAAHHH@Z
??Bid@locale@std@@QEAA_KXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??Bios_base@std@@QEBA_NXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??0_Lockit@std@@QEAA@H@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?uncaught_exception@std@@YA_NXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Xlength_error@std@@YAXPEBD@Z
?id@?$ctype@D@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Xbad_function_call@std@@YAXXZ
?_Winerror_map@std@@YAHH@Z

urlmon

URLDownloadToFileW

normaliz

IdnToAscii

wldap32

ord30
ord32
ord79
ord35
ord301
ord200
ord143
ord27
ord217
ord26
ord46
ord211
ord60
ord45
ord50
ord41
ord22
ord33

crypt32

CertOpenStore
CertFindExtension
PFXImportCertStore
CertAddCertificateContextToStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CertGetNameStringA
CryptDecodeObjectEx
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CryptStringToBinaryA

ws2_32

WSASetLastError
WSAIoctl
WSAStartup
setsockopt
accept
htonl
listen
ioctlsocket
__WSAFDIsSet
select
getaddrinfo
freeaddrinfo
recvfrom
ntohs
htons
sendto
gethostname
ntohl
getsockopt
getsockname
getpeername
connect
bind
WSAGetLastError
send
recv
closesocket
socket
WSACleanup

shlwapi

PathFindFileNameW

rpcrt4

RpcStringFreeA
UuidToStringA
UuidCreate

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__C_specific_handler
__current_exception
strstr
_CxxThrowException
memchr
memcmp
memcpy
memmove
memset
strchr
__std_exception_copy
__std_exception_destroy
strrchr
__current_exception_context
__std_terminate

api-ms-win-crt-stdio-l1-1-0

_read
_write
_set_fmode
_open
_pclose
_popen
_close
fgets
__stdio_common_vsprintf
fflush
_get_stream_buffer_pointers
_fseeki64
fread
fsetpos
ungetc
setvbuf
fgetpos
fwrite
fputc
__stdio_common_vfprintf
__acrt_iob_func
fgetc
_lseeki64
fclose
fopen
__p__commode
fputs
__stdio_common_vsscanf
ftell
fseek
feof

api-ms-win-crt-heap-l1-1-0

realloc
malloc
free
_callnewh
calloc
_set_new_mode

api-ms-win-crt-math-l1-1-0

_dclass
__setusermatherr

api-ms-win-crt-convert-l1-1-0

strtoul
strtoll
strtod
strtoull
atoi
strtol

api-ms-win-crt-time-l1-1-0

strftime
_gmtime64
_time64
_localtime64

api-ms-win-crt-runtime-l1-1-0

_resetstkoflw
_beginthreadex
_getpid
system
abort
_errno
terminate
__sys_nerr
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_invalid_parameter_noinfo_noreturn
_crt_atexit
strerror
_cexit
_seh_filter_exe
_invalid_parameter_noinfo
_set_app_type
_configure_narrow_argv
_get_initial_narrow_environment
_initterm
_initterm_e
_exit
__p___argc
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
exit

api-ms-win-crt-filesystem-l1-1-0

_stat64
_unlock_file
_fstat64
_unlink
_access
_lock_file

api-ms-win-crt-locale-l1-1-0

localeconv
_configthreadlocale
___lc_codepage_func

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-string-l1-1-0

strpbrk
tolower
isupper
strncmp
_strdup
strcmp
strcspn
strspn
strncpy

api-ms-win-crt-utility-l1-1-0

qsort

advapi32

CryptReleaseContext
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptEncrypt
CryptCreateHash
OpenProcessToken
AddAccessAllowedAce
GetLengthSid
GetTokenInformation
InitializeAcl
IsValidSid
SetSecurityInfo
CopySid
ConvertSidToStringSidA
CryptAcquireContextA
CryptGetHashParam
CryptGenRandom
CryptHashData

Sections

.text
Size: 461KB - Virtual size: 461KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 110KB - Virtual size: 110KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 165KB - Virtual size: 168KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

afdfd038e5056da837ac87a8f5aa6a96

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

shell32

msvcp140

urlmon

normaliz

wldap32

crypt32

ws2_32

shlwapi

rpcrt4

psapi

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

advapi32

Sections

.text Size: 461KB - Virtual size: 461KB

.rdata Size: 110KB - Virtual size: 110KB

.data Size: 165KB - Virtual size: 168KB

.pdata Size: 19KB - Virtual size: 19KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 461KB - Virtual size: 461KB

.rdata
Size: 110KB - Virtual size: 110KB

.data
Size: 165KB - Virtual size: 168KB

.pdata
Size: 19KB - Virtual size: 19KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 1KB - Virtual size: 1KB