Aground[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Aground.exe
Size

22.5MB
MD5

6fa13f7c29ba9426582895aec231a870
SHA1

cf9e8356c8b964eaa0f014ec63e047e7bc907818
SHA256

1b3e0e6883c893906848ea7629e0b43a3c38f7fe90a7b324a6ff435d58946136
SHA512

db96880936558a1e469c08d3e01794b490d90d9571ba13849ad95f7431a4f493b715021b5172f62a6d1e003c1fd8766c8afe630456408a545dde478b65cda979
SSDEEP

196608:EDdRRRk4QeHowJDennA3N09kvn9sHnR0E2w+AHUyTr03/RQC/UCZTqN6O7l2Tqp4:oA2+OSsnqHZOWwIDW

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Aground.exe

Files

Aground.exe
.exe windows:5 windows x86 arch:x86

456f09a243dd55c9df283bc0a89928f9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

user32

MessageBoxA
GetKeyboardLayoutNameA

ws2_32

__WSAFDIsSet
accept
bind
closesocket
connect
ioctlsocket
getpeername
getsockname
htons
freeaddrinfo
getaddrinfo
WSAGetLastError
WSAStartup
gethostname
gethostbyname
socket
shutdown
setsockopt
sendto
send
select
recvfrom
recv
ntohs
listen
inet_ntoa
inet_addr

advapi32

CryptAcquireContextA
CryptGenRandom
CryptReleaseContext

crypt32

CertEnumCertificatesInStore
CertOpenSystemStoreA
CertCloseStore

galaxy

?Shutdown@api@galaxy@@YAXXZ
?ListenerRegistrar@api@galaxy@@YAPAVIListenerRegistrar@12@XZ
?Stats@api@galaxy@@YAPAVIStats@12@XZ
?User@api@galaxy@@YAPAVIUser@12@XZ
?Friends@api@galaxy@@YAPAVIFriends@12@XZ
?ProcessData@api@galaxy@@YAXXZ
?Init@api@galaxy@@YAXABUInitOptions@12@@Z
?Matchmaking@api@galaxy@@YAPAVIMatchmaking@12@XZ
?Networking@api@galaxy@@YAPAVINetworking@12@XZ
?GetError@api@galaxy@@YAPBVIError@12@XZ
?Utils@api@galaxy@@YAPAVIUtils@12@XZ

steam_api

SteamAPI_GetHSteamUser
SteamInternal_ContextInit
SteamInternal_FindOrCreateUserInterface
SteamAPI_RegisterCallback
SteamAPI_UnregisterCallback
SteamAPI_RegisterCallResult
SteamAPI_UnregisterCallResult
SteamAPI_RunCallbacks
SteamAPI_Init
SteamAPI_Shutdown
SteamAPI_RestartAppIfNecessary

kernel32

GetDateFormatEx
GetTimeFormatEx
OutputDebugStringW
FreeEnvironmentStringsW
GetEnvironmentStringsW
CompareStringEx
GetModuleFileNameA
SetEndOfFile
GetFileAttributesExW
GetConsoleCP
FlushFileBuffers
FileTimeToSystemTime
GetLocaleInfoEx
GetUserDefaultLocaleName
LCMapStringEx
IsValidLocaleName
EnumSystemLocalesEx
GetStringTypeW
SetEnvironmentVariableA
GetFileInformationByHandle
PeekNamedPipe
WriteConsoleW
SetEnvironmentVariableW
DeleteFileW
GetTickCount64
GetCurrentProcessId
GetDriveTypeW
FindFirstFileExW
FileTimeToLocalFileTime
LoadLibraryExW
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
SetUnhandledExceptionFilter
UnhandledExceptionFilter
QueryPerformanceCounter
GetSystemTime
SystemTimeToFileTime
TlsSetValue
TlsAlloc
CloseHandle
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SetEvent
ResetEvent
WaitForSingleObject
CreateEventA
InterlockedIncrement
InterlockedDecrement
InterlockedCompareExchange
CreateThread
GetCurrentThreadId
GetProcAddress
LoadLibraryW
GetCommandLineA
LoadLibraryA
ReadFile
WriteFile
DuplicateHandle
CreatePipe
GetCurrentProcess
TerminateProcess
GetExitCodeProcess
CreateProcessW
RemoveDirectoryW
FormatMessageA
SetCurrentDirectoryW
GetCurrentDirectoryW
FindClose
FindFirstFileW
FindNextFileW
GetFileAttributesW
GetFullPathNameW
Sleep
GetModuleFileNameW
GetLastError
lstrlenW
MultiByteToWideChar
WideCharToMultiByte
HeapReAlloc
RtlUnwind
EncodePointer
DecodePointer
RaiseException
GetSystemTimeAsFileTime
ExitProcess
GetModuleHandleExW
AreFileApisANSI
HeapFree
HeapAlloc
SetStdHandle
GetFileType
InitializeCriticalSectionAndSpinCount
CreateDirectoryW
SetFilePointerEx
CreateFileW
GetModuleHandleW
GetProcessHeap
SetLastError
IsProcessorFeaturePresent
GetStdHandle
IsDebuggerPresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetConsoleMode
ReadConsoleW
SetFilePointer
InitOnceExecuteOnce
GetStartupInfoW
GetTimeZoneInformation
HeapSize

Exports

Exports

hx_cffi

Sections

.text
Size: 15.9MB - Virtual size: 15.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 644KB - Virtual size: 690KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_RDATA
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3.8MB - Virtual size: 3.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 174KB - Virtual size: 174KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

456f09a243dd55c9df283bc0a89928f9

Headers

DLL Characteristics

File Characteristics

Imports

user32

ws2_32

advapi32

crypt32

galaxy

steam_api

kernel32

Exports

Exports

Sections

.text Size: 15.9MB - Virtual size: 15.9MB

.rdata Size: 2.1MB - Virtual size: 2.1MB

.data Size: 644KB - Virtual size: 690KB

_RDATA Size: 2KB - Virtual size: 1KB

.reloc Size: 3.8MB - Virtual size: 3.8MB

.rsrc Size: 174KB - Virtual size: 174KB

.text
Size: 15.9MB - Virtual size: 15.9MB

.rdata
Size: 2.1MB - Virtual size: 2.1MB

.data
Size: 644KB - Virtual size: 690KB

_RDATA
Size: 2KB - Virtual size: 1KB

.reloc
Size: 3.8MB - Virtual size: 3.8MB

.rsrc
Size: 174KB - Virtual size: 174KB