2024-06-03_59594a57761861b61e355cfd79dc75d4_avoslocker_revil

Sharing

Copy URL Twitter E-mail

General

Target

2024-06-03_59594a57761861b61e355cfd79dc75d4_avoslocker_revil
Size

2.4MB
MD5

59594a57761861b61e355cfd79dc75d4
SHA1

56be8b10d42e99531c8d511abc9e0b7d7a807b56
SHA256

1b46901d235d70ee9f4a7dc1b83afc063597dedc5354982a09d79518a97df5b4
SHA512

9237aff1450b830329eecfcea902859b606f18883885315442d924f7ca8e69f7e2d4a0ca2f83a7f966b90fbc56b438cae4ee872695da2bf3bf117914ac89c13b
SSDEEP

49152:i/wR52GcRQ/h5J4NNm83efnGQ+4Vllc2GZh2DTI+54Fsqz:i/bGcRQDmfmlfnGQ+Slc2GD2DT14Zz

Score

1^/10

Malware Config

Signatures

Files

2024-06-03_59594a57761861b61e355cfd79dc75d4_avoslocker_revil
.exe windows:6 windows x86 arch:x86

4d7ad5413435e52a381507fcf82a2962

Code Sign

70:c9:22:a8:a4:17:4d:8c:5b:09:b6:16:65:da:60:a5
Certificate

Issuer

CN=COMODO RSA Extended Validation Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

05/02/2020, 00:00

Not After

04/02/2021, 23:59

Subject

SERIALNUMBER=2189074,CN=Intel Corporation,O=Intel Corporation,POSTALCODE=95054,STREET=2200 Mission College Blvd,L=Santa Clara,ST=California,C=US,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

6d:d4:72:eb:02:ae:04:06:e3:dd:84:3f:5f:e1:45:e1
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

03/12/2014, 00:00

Not After

02/12/2029, 23:59

Subject

CN=COMODO RSA Extended Validation Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

69:b2:d1:cc:f0:2e:20:dc:c9:5c:62:89:4f:7f:9e:5f:5f:c0:57:bf
Certificate

Issuer

CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM

Not Before

30/05/2014, 16:35

Not After

17/03/2021, 18:33

Subject

CN=QuoVadis Issuing CA G4,O=QuoVadis Limited,C=BM

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

3c:a5:d5:25:1f:75:29:a5:ba:3c:73:b4:49:6f:a2:c1:b0:c5:6c:9f
Certificate

Issuer

CN=QuoVadis Issuing CA G4,O=QuoVadis Limited,C=BM

Not Before

20/04/2018, 16:52

Not After

17/03/2021, 18:33

Subject

CN=timestamp.intel.com,OU=Thales TSS ESN:0E37-9649-08C5,O=Intel Corporation,L=Santa Clara,ST=CA,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

e0:89:71:6d:15:5a:a8:54:6c:f4:0b:80:95:3a:35:80:92:36:03:7f
Signer

Actual PE Digest

e0:89:71:6d:15:5a:a8:54:6c:f4:0b:80:95:3a:35:80:92:36:03:7f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\GitLab-Runner\builds\4d0d0d81\0\BCPD\Manageability\EMA\bcp_eng-woodfordcreek_agent\Agent\MeshManageability\Release\MeshConsole.pdb

Imports

dbghelp

StackWalk64
SymInitialize
SymGetModuleBase64
SymFunctionTableAccess64
SymGetLineFromAddr64
SymFromAddr
SymSetOptions

iphlpapi

GetAdaptersAddresses
GetAdaptersInfo
SendARP

ws2_32

htonl
htons
WSAStartup
ntohs
getsockopt
sendto
__WSAFDIsSet
recv
recvfrom
accept
ntohl
gethostbyname
WSACleanup
gethostname
WSAGetLastError
inet_ntoa
socket
WSAIoctl
inet_ntop
inet_addr
setsockopt
ioctlsocket
bind
closesocket
listen
send
shutdown
getservbyname
getservbyport
gethostbyaddr
connect
WSASocketW
select
WSASetLastError
getsockname

setupapi

SetupDiGetClassDevsExW
SetupDiSetClassInstallParamsW
SetupDiCallClassInstaller
SetupDiEnumDeviceInfo
SetupDiClassNameFromGuidExW
SetupDiEnumDeviceInterfaces
SetupDiOpenDevRegKey
CM_Reenumerate_DevNode
CM_Locate_DevNodeW
SetupCopyOEMInfA
SetupDiGetDeviceRegistryPropertyA
SetupDiRemoveDevice
SetupDiDestroyDeviceInfoList
SetupDiGetClassDevsA
CM_Locate_DevNode_ExW
CM_Get_Device_ID_ExW
CM_Reenumerate_DevNode_Ex
CM_Get_DevNode_Status_Ex
CM_Enumerate_Classes
SetupDiGetClassDescriptionExW
SetupDiGetDeviceInterfaceDetailW
SetupDiGetClassDevsW
SetupDiGetDeviceRegistryPropertyW

crypt32

CryptSignAndEncodeCertificate
PFXExportCertStore
CryptMsgControl
CryptMsgOpenToDecode
CertAddCertificateContextToStore
CryptMsgOpenToEncode
CertFreeCertificateContext
CertCreateSelfSignCertificate
CryptExportPublicKeyInfo
CryptMsgUpdate
CryptMsgClose
CertAddEncodedCertificateToStore
CryptAcquireCertificatePrivateKey
CertDeleteCertificateFromStore
CryptEncodeObject
CertGetCertificateContextProperty
CertDuplicateCertificateContext
CryptMsgGetParam
CertEnumCertificatesInStore
CertStrToNameW
CertSetCertificateContextProperty
CertFindCertificateInStore
CryptMsgCalculateEncodedLength
CertCloseStore
CertOpenStore

wintrust

WinVerifyTrust
WTHelperGetProvCertFromChain
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData

version

GetFileVersionInfoW
VerQueryValueA

wtsapi32

WTSSendMessageW
WTSFreeMemory
WTSEnumerateSessionsW

kernel32

InitializeSListHead
RtlUnwind
EncodePointer
LoadLibraryExW
ExitProcess
FreeLibraryAndExitThread
SetStdHandle
SetConsoleCtrlHandler
GetDriveTypeW
GetFileInformationByHandle
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetModuleFileNameW
GetCommandLineA
GetCommandLineW
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
SetFilePointerEx
GetConsoleCP
GetFileSizeEx
GetCPInfo
GetCurrentDirectoryW
FindFirstFileExW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
SetConsoleTextAttribute
GetStdHandle
GetLastError
SystemTimeToFileTime
GetSystemTime
Sleep
GetCurrentThreadId
GetVersionExW
LoadLibraryW
CreateThread
GetProcAddress
FreeLibrary
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
ReadFile
WaitNamedPipeA
CreateNamedPipeA
GetCurrentProcess
WriteFile
OutputDebugStringA
TerminateProcess
WaitForMultipleObjectsEx
GetEnvironmentVariableA
WaitForSingleObject
DuplicateHandle
CreateEventW
CreateFileA
SetEvent
CloseHandle
CancelIoEx
ResetEvent
QueueUserAPC
GetStartupInfoW
CreateProcessA
GetExitCodeProcess
GetModuleFileNameA
SetPriorityClass
SetCurrentDirectoryA
FormatMessageA
OpenProcess
GetTimeZoneInformation
GetFileAttributesA
K32GetModuleBaseNameA
K32EnumProcesses
K32EnumProcessModules
VerSetConditionMask
VerifyVersionInfoW
MoveFileA
MultiByteToWideChar
CopyFileA
AreFileApisANSI
TryEnterCriticalSection
HeapCreate
HeapFree
GetFullPathNameW
GetDiskFreeSpaceW
LockFile
SetFilePointer
GetFullPathNameA
SetEndOfFile
UnlockFileEx
GetTempPathW
CreateMutexW
CreateFileW
GetFileAttributesW
IsProcessorFeaturePresent
HeapValidate
HeapSize
GetTempPathA
FormatMessageW
GetDiskFreeSpaceA
GetFileAttributesExW
OutputDebugStringW
FlushViewOfFile
LoadLibraryA
WaitForSingleObjectEx
DeleteFileA
DeleteFileW
HeapReAlloc
GetSystemInfo
HeapAlloc
HeapCompact
HeapDestroy
UnlockFile
LocalFree
LockFileEx
GetFileSize
GetCurrentProcessId
GetProcessHeap
WideCharToMultiByte
GetSystemTimeAsFileTime
CreateFileMappingW
MapViewOfFile
QueryPerformanceCounter
GetTickCount
FlushFileBuffers
ExitThread
GetCurrentThread
GetSystemDirectoryA
GetModuleHandleW
SleepEx
OpenThread
IsDebuggerPresent
DeviceIoControl
GetConsoleScreenBufferInfo
SetConsoleScreenBufferSize
Wow64DisableWow64FsRedirection
SetConsoleWindowInfo
GetSystemDirectoryW
Wow64RevertWow64FsRedirection
FillConsoleOutputCharacterW
ReadConsoleOutputW
TerminateThread
FreeConsole
WriteConsoleInputW
FillConsoleOutputAttribute
CreateProcessW
GetConsoleWindow
SetUnhandledExceptionFilter
AllocConsole
SetSystemPowerState
FindFirstFileExA
FindNextFileA
FindClose
GetVolumeInformationA
GetLogicalDriveStringsA
RemoveDirectoryA
SetThreadExecutionState
CreateDirectoryA
InitializeCriticalSectionEx
CreateToolhelp32Snapshot
Process32NextW
K32GetModuleBaseNameW
K32GetProcessMemoryInfo
Process32FirstW
RaiseException
DecodePointer
GetPriorityClass
WaitForMultipleObjects
GetCommTimeouts
GetCurrentDirectoryA
WaitCommEvent
GetCommState
SetCommMask
SetCommTimeouts
SetCommState
GetModuleHandleA
SetConsoleTitleW
SetLastError
GetModuleHandleExW
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SwitchToFiber
DeleteFiber
CreateFiber
FindFirstFileW
FindNextFileW
GetFileType
ConvertFiberToThread
ConvertThreadToFiber
GetEnvironmentVariableW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
UnhandledExceptionFilter
UnmapViewOfFile
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetStringTypeW
WriteConsoleW
GetOverlappedResult
SetConsoleCursorPosition

user32

GetUserObjectInformationA
CloseWindowStation
EnumDisplayMonitors
SendMessageW
GetSystemMetrics
SetThreadDesktop
GetThreadDesktop
CloseDesktop
GetDC
SetProcessWindowStation
OpenInputDesktop
FindWindowW
OpenDesktopW
OpenWindowStationW
MapVirtualKeyW
GetForegroundWindow
SetForegroundWindow
SendInput
MessageBoxW
GetUserObjectInformationW
GetProcessWindowStation
GetSystemMenu
FindWindowExW
SetWindowPos
DeleteMenu
GetMessageA
DispatchMessageA
PostMessageA
SetWindowLongA
GetWindowLongA
ReleaseDC
MessageBoxA
DefWindowProcA
CreateWindowExA
RegisterClassExA
LoadImageW
GetActiveWindow
MessageBeep
ExitWindowsEx
GetMessageW
UnhookWinEvent
ShowWindow
DispatchMessageW
VkKeyScanW
TranslateMessage
PostThreadMessageW
SetWinEventHook
GetMonitorInfoW

gdi32

CreateCompatibleDC
StretchBlt
CreateCompatibleBitmap
BitBlt
DeleteObject
GetDIBits
DeleteDC
SetStretchBltMode
SelectObject

advapi32

CryptGetHashParam
LookupPrivilegeValueW
DeregisterEventSource
RegisterEventSourceW
RegCreateKeyW
RegOpenKeyExW
CryptDestroyHash
RegSetValueExA
RegSetValueExW
CryptGetProvParam
CryptGenKey
ReportEventW
CryptHashData
CryptCreateHash
CryptGenRandom
RegQueryValueExA
CryptAcquireContextW
RegCloseKey
CryptDestroyKey
OpenProcessToken
OpenServiceW
OpenSCManagerW
CloseServiceHandle
CryptSetHashParam
CryptGetUserKey
CryptExportKey
CryptDecrypt
CryptSignHashW
CryptEnumProvidersW
CryptReleaseContext
AdjustTokenPrivileges
QueryServiceStatus
InitiateSystemShutdownW

shell32

SHGetSpecialFolderPathA
SHGetFolderPathA
Shell_NotifyIconA
SHFileOperationA

ole32

CoUninitialize
CLSIDFromString
CoInitializeEx
StringFromGUID2
CoInitializeSecurity
CoSetProxyBlanket
CoTaskMemFree
CLSIDFromProgID
CreateStreamOnHGlobal
CoCreateInstance

oleaut32

SysStringLen
SysAllocString
SysFreeString
VariantClear
SysAllocStringLen
SafeArrayDestroy
SafeArrayGetUBound

gdiplus

GdiplusStartup
GdiplusShutdown
GdipGetImageEncoders
GdipCloneImage
GdipAlloc
GdipDisposeImage
GdipFree
GdipGetImageEncodersSize
GdipSaveImageToStream
GdipLoadImageFromStream

userenv

DestroyEnvironmentBlock

propsys

PSGetPropertyDescriptionByName

bcrypt

BCryptGenRandom

Sections

.text
Size: 1.8MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 448KB - Virtual size: 447KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 112KB - Virtual size: 205KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 72KB - Virtual size: 72KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4d7ad5413435e52a381507fcf82a2962

Code Sign

70:c9:22:a8:a4:17:4d:8c:5b:09:b6:16:65:da:60:a5Certificate

Extended Key Usages

Key Usages

6d:d4:72:eb:02:ae:04:06:e3:dd:84:3f:5f:e1:45:e1Certificate

Extended Key Usages

Key Usages

69:b2:d1:cc:f0:2e:20:dc:c9:5c:62:89:4f:7f:9e:5f:5f:c0:57:bfCertificate

Key Usages

3c:a5:d5:25:1f:75:29:a5:ba:3c:73:b4:49:6f:a2:c1:b0:c5:6c:9fCertificate

Extended Key Usages

Key Usages

e0:89:71:6d:15:5a:a8:54:6c:f4:0b:80:95:3a:35:80:92:36:03:7fSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

dbghelp

iphlpapi

ws2_32

setupapi

crypt32

wintrust

version

wtsapi32

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

gdiplus

userenv

propsys

bcrypt

Sections

.text Size: 1.8MB - Virtual size: 1.8MB

.rdata Size: 448KB - Virtual size: 447KB

.data Size: 112KB - Virtual size: 205KB

.rsrc Size: 22KB - Virtual size: 22KB

.reloc Size: 72KB - Virtual size: 72KB

70:c9:22:a8:a4:17:4d:8c:5b:09:b6:16:65:da:60:a5
Certificate

6d:d4:72:eb:02:ae:04:06:e3:dd:84:3f:5f:e1:45:e1
Certificate

69:b2:d1:cc:f0:2e:20:dc:c9:5c:62:89:4f:7f:9e:5f:5f:c0:57:bf
Certificate

3c:a5:d5:25:1f:75:29:a5:ba:3c:73:b4:49:6f:a2:c1:b0:c5:6c:9f
Certificate

e0:89:71:6d:15:5a:a8:54:6c:f4:0b:80:95:3a:35:80:92:36:03:7f
Signer

.text
Size: 1.8MB - Virtual size: 1.8MB

.rdata
Size: 448KB - Virtual size: 447KB

.data
Size: 112KB - Virtual size: 205KB

.rsrc
Size: 22KB - Virtual size: 22KB

.reloc
Size: 72KB - Virtual size: 72KB