4bb3a985a8e056dbeaa75eabdbe64d997d2289ddab846af850bb6842b283415a

Sharing

Copy URL Twitter E-mail

General

Target

4bb3a985a8e056dbeaa75eabdbe64d997d2289ddab846af850bb6842b283415a
Size

1.4MB
MD5

1097a1acc390d311019b7df0ceaf91e4
SHA1

d43b7b686ad972848d02c1b1dac27175392f89d5
SHA256

4bb3a985a8e056dbeaa75eabdbe64d997d2289ddab846af850bb6842b283415a
SHA512

537f6716068b258ad456887a29b3380319d08feec70255c6c57e5897adc6c249aec623b8caa0d8ba196027a9d304380a26243a67de9ab8ac5e7a8a48dd3a369b
SSDEEP

24576:kqxYGm7rJ725NrQkUCFCOGr3WwJSaQa+abiW4oYzTxe44IrvmLcULzE7wHNNViuq:k2b6rJ725NrQkUCFCOGr3WwJSaQa+abG

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
4bb3a985a8e056dbeaa75eabdbe64d997d2289ddab846af850bb6842b283415a

Files

4bb3a985a8e056dbeaa75eabdbe64d997d2289ddab846af850bb6842b283415a
.exe windows:6 windows x64 arch:x64

766a65dcd6dc0e420d1ab246a70110dc

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

spoolsv.pdb

Imports

user32

DispatchMessageW
PeekMessageW
TranslateMessage
MsgWaitForMultipleObjects
UnregisterPowerSettingNotification
UnregisterDeviceNotification
RegisterDeviceNotificationW
SendNotifyMessageW
RegisterPowerSettingNotification

msvcrt

_initterm
_unlock
__dllonexit
_onexit
?terminate@@YAXXZ
wcsstr
strchr
wcschr
towlower
_cexit
__C_specific_handler
exit
towupper
__set_app_type
__getmainargs
_amsg_exit
_XcptFilter
??3@YAXPEAX@Z
_purecall
_fmode
_commode
_exit
_wcsnicmp
memmove
_stricmp
_wcsicmp
wcsncmp
_lock
_strnicmp
__CxxFrameHandler3
memcpy
??2@YAPEAX_K@Z
_vsnwprintf
__setusermatherr
memset

ntdll

RtlIpv4AddressToStringW
NtSetInformationThread
NtOpenProcessToken
NtClose
NtOpenThreadToken
RtlIpv4StringToAddressExW
RtlIpv6StringToAddressExW
EtwEventEnabled
RtlReportException
TpAllocPool
TpReleaseAlpcCompletion
TpWaitForAlpcCompletion
TpReleaseIoCompletion
TpWaitForIoCompletion
TpReleaseTimer
TpWaitForTimer
TpReleaseWait
TpWaitForWait
TpReleaseWork
TpWaitForWork
TpAllocAlpcCompletion
TpStartAsyncIoOperation
TpAllocIoCompletion
TpSetTimer
TpAllocTimer
TpAllocWait
TpPostWork
TpAllocWork
RtlNtStatusToDosError
TpSimpleTryPost
TpSetWait
TpCallbackMayRunLong
TpReleasePool
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlValidRelativeSecurityDescriptor
EtwEventWrite
NtQuerySystemInformation
EtwGetTraceLoggerHandle
EtwUnregisterTraceGuids
EtwEventUnregister
EtwRegisterTraceGuidsW
EtwTraceMessage
WinSqmIsOptedIn
WinSqmSetDWORD
WinSqmAddToStreamEx
WinSqmIncrementDWORD
EtwEventRegister
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
RtlIpv6AddressToStringW

api-ms-win-core-synch-l1-2-0

WaitForSingleObject
AcquireSRWLockExclusive
InitializeSRWLock
EnterCriticalSection
CreateEventW
InitializeCriticalSection
LeaveCriticalSection
SetEvent
InitializeCriticalSectionAndSpinCount
CreateMutexW
Sleep
OpenEventW
ReleaseSRWLockExclusive
ReleaseMutex
ReleaseSRWLockShared
AcquireSRWLockShared

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
DisableThreadLibraryCalls

api-ms-win-core-registry-l1-1-0

RegSetKeySecurity
RegDisablePredefinedCacheEx
RegDeleteTreeW
RegSetValueExW
RegEnumValueW
RegQueryValueExW
RegGetValueW
RegDeleteKeyExW
RegCloseKey
RegOpenCurrentUser
RegOpenKeyExW
RegGetKeySecurity
RegQueryInfoKeyW
RegCreateKeyExW
RegEnumKeyExW
RegDeleteValueW

api-ms-win-core-processthreads-l1-1-2

GetCurrentThreadId
GetCurrentProcessId
ExitThread
SetProcessMitigationPolicy
TlsGetValue
SetThreadToken
OpenProcessToken
GetCurrentThread
SetPriorityClass
ExitProcess
TerminateProcess
OpenThreadToken
TlsSetValue
TlsFree
GetCurrentProcess
CreateProcessAsUserW
CreateThread
TlsAlloc
OpenProcess

api-ms-win-core-errorhandling-l1-1-1

SetLastError
GetErrorMode
GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RaiseException
SetErrorMode

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-service-core-l1-1-1

SetServiceStatus
RegisterServiceCtrlHandlerExW
StartServiceCtrlDispatcherW

api-ms-win-core-sysinfo-l1-2-1

GetTickCount
GetVersionExW
GetSystemTimeAsFileTime
GetSystemWindowsDirectoryW
GetSystemTime

api-ms-win-core-heap-l1-2-0

HeapDestroy
HeapSetInformation
HeapCreate
GetProcessHeap

api-ms-win-core-debug-l1-1-1

DebugBreak
IsDebuggerPresent
OutputDebugStringW

rpcrt4

RpcAsyncAbortCall
RpcBindingFromStringBindingW
I_RpcExceptionFilter
RpcServerSubscribeForNotification
RpcServerUnsubscribeForNotification
RpcServerTestCancel
RpcSsContextLockExclusive
RpcStringBindingComposeW
RpcBindingSetAuthInfoExW
Ndr64AsyncClientCall
RpcServerInterfaceGroupDeactivate
NdrClientCall3
RpcServerInterfaceGroupActivate
RpcBindingServerFromClient
RpcServerInterfaceGroupCreateW
RpcRevertToSelf
RpcBindingInqAuthClientW
RpcServerInqBindingHandle
RpcServerInqCallAttributesW
I_RpcBindingInqTransportType
I_RpcSessionStrictContextHandle
RpcRevertToSelfEx
RpcRaiseException
RpcBindingFree
I_RpcBindingIsClientLocal
RpcBindingToStringBindingW
RpcStringBindingParseW
RpcObjectSetType
RpcServerRegisterAuthInfoW
RpcBindingVectorFree
RpcEpRegisterW
RpcServerInqBindings
RpcServerRegisterIf
RpcServerRegisterIf2
RpcSmDestroyClientContext
NdrAsyncServerCall
NdrServerCall2
Ndr64AsyncServerCallAll
NdrServerCallAll
RpcServerInqDefaultPrincNameW
RpcAsyncCompleteCall
RpcStringFreeW
RpcMgmtSetServerStackSize
RpcImpersonateClient

api-ms-win-security-base-l1-2-0

AddAccessDeniedAceEx
GetLengthSid
AddAce
ImpersonateLoggedOnUser
RevertToSelf
GetSecurityDescriptorDacl
InitializeAcl
DuplicateTokenEx
GetAce
IsWellKnownSid
InitializeSecurityDescriptor
SetTokenInformation
GetAclInformation
AddAccessAllowedAceEx
CreateWellKnownSid
CheckTokenMembership
GetSidSubAuthority
GetSidSubAuthorityCount
EqualSid
GetTokenInformation
SetSecurityDescriptorDacl
DuplicateToken
FreeSid
AllocateAndInitializeSid
CopySid

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

kernel32

HeapAlloc
DeleteCriticalSection
HeapFree
ResetEvent
LocalAlloc
GetModuleHandleExW
SetThreadpoolTimer
AddVectoredExceptionHandler
FreeLibrary
LoadLibraryExW
LocalFree
LoadLibraryW
GetComputerNameW
lstrcmpiW
QueueUserWorkItem
ResolveDelayLoadedAPI
GetProcAddress
CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks
GetTickCount64
CloseThreadpoolTimer

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
CompareStringW

api-ms-win-core-file-l1-2-1

DeleteFileW
GetTempFileNameW
ReadFile
CreateFileW

api-ms-win-core-file-l2-1-1

MoveFileExW

dsrole

DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory

api-ms-win-core-console-l1-1-0

SetConsoleCtrlHandler

dnsapi

DnsFree
DnsQuery_W

api-ms-win-power-base-l1-1-0

GetPwrCapabilities

powrprof

PowerDeterminePlatformRole

Exports

Exports

GetSpoolerTlsIndexes
PrvAbortPrinter
PrvAddFormW
PrvAddJobW
PrvAddMonitorW
PrvAddPerMachineConnectionW
PrvAddPortExW
PrvAddPortW
PrvAddPrintProcessorW
PrvAddPrintProvidorW
PrvAddPrinterConnectionW
PrvAddPrinterDriverExW
PrvAddPrinterDriverW
PrvAddPrinterExW
PrvAddPrinterW
PrvAdjustPointers
PrvAdjustPointersInStructuresArray
PrvAlignKMPtr
PrvAlignRpcPtr
PrvAllocSplStr
PrvAllowRemoteCalls
PrvAppendPrinterNotifyInfoData
PrvBuildOtherNamesFromMachineName
PrvCacheAddName
PrvCacheCreateAndAddNode
PrvCacheCreateAndAddNodeWithIPAddresses
PrvCacheDeleteNode
PrvCacheIsNameCluster
PrvCacheIsNameInNodeList
PrvCallDrvDevModeConversion
PrvCallRouterFindFirstPrinterChangeNotification
PrvCheckLocalCall
PrvClosePrinter
PrvConfigurePortW
PrvCreatePrinterIC
PrvDeleteFormW
PrvDeleteMonitorW
PrvDeletePerMachineConnectionW
PrvDeletePortW
PrvDeletePrintProcessorW
PrvDeletePrintProvidorW
PrvDeletePrinter
PrvDeletePrinterConnectionW
PrvDeletePrinterDataExW
PrvDeletePrinterDataW
PrvDeletePrinterDriverExW
PrvDeletePrinterDriverW
PrvDeletePrinterIC
PrvDeletePrinterKeyW
PrvDllAllocSplMem
PrvDllAllocSplStr
PrvDllFreeSplMem
PrvDllFreeSplStr
PrvDllReallocSplMem
PrvDllReallocSplStr
PrvEndDocPrinter
PrvEndPagePrinter
PrvEnumFormsW
PrvEnumJobsW
PrvEnumMonitorsW
PrvEnumPerMachineConnectionsW
PrvEnumPortsW
PrvEnumPrintProcessorDatatypesW
PrvEnumPrintProcessorsW
PrvEnumPrinterDataExW
PrvEnumPrinterDataW
PrvEnumPrinterDriversW
PrvEnumPrinterKeyW
PrvEnumPrintersW
PrvFindClosePrinterChangeNotification
PrvFlushPrinter
PrvFormatPrinterForRegistryKey
PrvFormatRegistryKeyForPrinter
PrvFreeOtherNames
PrvGetFormW
PrvGetJobAttributes
PrvGetJobAttributesEx
PrvGetJobW
PrvGetNetworkId
PrvGetPrintProcessorDirectoryW
PrvGetPrinterDataExW
PrvGetPrinterDataW
PrvGetPrinterDriverDirectoryW
PrvGetPrinterDriverExW
PrvGetPrinterDriverW
PrvGetPrinterW
PrvGetServerPolicy
PrvGetShrinkedSize
PrvGetSpoolerTlsIndexes
PrvImpersonatePrinterClient
PrvInitializeRouter
PrvIsNameTheLocalMachineOrAClusterSpooler
PrvIsNamedPipeRpcCall
PrvMIDL_user_allocate
PrvMIDL_user_allocate1
PrvMIDL_user_free
PrvMIDL_user_free1
PrvMarshallDownStructure
PrvMarshallDownStructuresArray
PrvMarshallUpStructure
PrvMarshallUpStructuresArray
PrvOldGetPrinterDriverW
PrvOpenPrinter2W
PrvOpenPrinterExW
PrvOpenPrinterPort2W
PrvOpenPrinterW
PrvPackStrings
PrvPartialReplyPrinterChangeNotification
PrvPlayGdiScriptOnPrinterIC
PrvPrinterHandleRundown
PrvPrinterMessageBoxW
PrvProvidorFindClosePrinterChangeNotification
PrvProvidorFindFirstPrinterChangeNotification
PrvReadPrinter
PrvReallocSplMem
PrvReallocSplStr
PrvRemoteFindFirstPrinterChangeNotification
PrvReplyClosePrinter
PrvReplyOpenPrinter
PrvReplyPrinterChangeNotification
PrvReplyPrinterChangeNotificationEx
PrvReportJobProcessingProgress
PrvResetPrinterW
PrvRevertToPrinterSelf
PrvRouterAddPrinterConnection2
PrvRouterAllocBidiMem
PrvRouterAllocBidiResponseContainer
PrvRouterAllocPrinterNotifyInfo
PrvRouterBroadcastMessage
PrvRouterCorePrinterDriverInstalled
PrvRouterCreatePrintAsyncNotificationChannel
PrvRouterDeletePrinterDriverPackage
PrvRouterFindCompatibleDriver
PrvRouterFindFirstPrinterChangeNotification
PrvRouterFindNextPrinterChangeNotification
PrvRouterFreeBidiMem
PrvRouterFreeBidiResponseContainer
PrvRouterFreePrinterNotifyInfo
PrvRouterGetCorePrinterDrivers
PrvRouterGetPrintClassObject
PrvRouterGetPrinterDriverPackagePath
PrvRouterInstallPrinterDriverFromPackage
PrvRouterInstallPrinterDriverPackageFromConnection
PrvRouterInternalGetPrinterDriver
PrvRouterRefreshPrinterChangeNotification
PrvRouterRegisterForPrintAsyncNotifications
PrvRouterReplyPrinter
PrvRouterSpoolerSetPolicy
PrvRouterUnregisterForPrintAsyncNotifications
PrvRouterUploadPrinterDriverPackage
PrvScheduleJob
PrvSeekPrinter
PrvSendRecvBidiData
PrvSetFormW
PrvSetJobW
PrvSetPortW
PrvSetPrinterDataExW
PrvSetPrinterDataW
PrvSetPrinterW
PrvSplCloseSpoolFileHandle
PrvSplCommitSpoolData
PrvSplDriverUnloadComplete
PrvSplGetClientUserHandle
PrvSplGetSpoolFileInfo
PrvSplGetUserSidStringFromToken
PrvSplInitializeWinSpoolDrv
PrvSplIsSessionZero
PrvSplIsUpgrade
PrvSplProcessPnPEvent
PrvSplProcessSessionEvent
PrvSplPromptUIInUsersSession
PrvSplQueryUserInfo
PrvSplReadPrinter
PrvSplRegisterForDeviceEvents
PrvSplRegisterForSessionEvents
PrvSplShutDownRouter
PrvSplUnregisterForDeviceEvents
PrvSplUnregisterForSessionEvents
PrvSpoolerFindClosePrinterChangeNotification
PrvSpoolerFindFirstPrinterChangeNotification
PrvSpoolerFindNextPrinterChangeNotification
PrvSpoolerFreePrinterNotifyInfo
PrvSpoolerHasInitialized
PrvSpoolerInit
PrvSpoolerRefreshPrinterChangeNotification
PrvStartDocPrinterW
PrvStartPagePrinter
PrvUndoAlignKMPtr
PrvUndoAlignRpcPtr
PrvUpdateBufferSize
PrvUpdatePrinterRegAll
PrvUpdatePrinterRegUser
PrvWaitForPrinterChange
PrvWaitForSpoolerInitialization
PrvWritePrinter
PrvXcvDataW
PrvbGetDevModePerUser
PrvbSetDevModePerUser
RouterLogJobInfoForBranchOffice
ServerGetPrintClassObject
SplUalCollectData
YAbortPrinter
YAddJob
YDriverUnloadComplete
YEndDocPrinter
YEndPagePrinter
YFlushPrinter
YGetPrinter
YGetPrinterDriver2
YGetPrinterDriverDirectory
YReadPrinter
YSeekPrinter
YSetJob
YSetPort
YSetPrinter
YSplReadPrinter
YStartDocPrinter
YStartPagePrinter
YWritePrinter

Sections

.text
Size: 698KB - Virtual size: 698KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 376B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 57KB - Virtual size: 56KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 580KB - Virtual size: 584KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

766a65dcd6dc0e420d1ab246a70110dc

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

user32

msvcrt

ntdll

api-ms-win-core-synch-l1-2-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-handle-l1-1-0

api-ms-win-service-core-l1-1-1

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-heap-l1-2-0

api-ms-win-core-debug-l1-1-1

rpcrt4

api-ms-win-security-base-l1-2-0

api-ms-win-core-profile-l1-1-0

kernel32

api-ms-win-core-string-l1-1-0

api-ms-win-core-file-l1-2-1

api-ms-win-core-file-l2-1-1

dsrole

api-ms-win-core-console-l1-1-0

dnsapi

api-ms-win-power-base-l1-1-0

powrprof

Exports

Exports

Sections

.text Size: 698KB - Virtual size: 698KB

.data Size: 9KB - Virtual size: 9KB

.pdata Size: 29KB - Virtual size: 28KB

.idata Size: 11KB - Virtual size: 11KB

.didat Size: 512B - Virtual size: 376B

.rsrc Size: 57KB - Virtual size: 56KB

.reloc Size: 580KB - Virtual size: 584KB

.text
Size: 698KB - Virtual size: 698KB

.data
Size: 9KB - Virtual size: 9KB

.pdata
Size: 29KB - Virtual size: 28KB

.idata
Size: 11KB - Virtual size: 11KB

.didat
Size: 512B - Virtual size: 376B

.rsrc
Size: 57KB - Virtual size: 56KB

.reloc
Size: 580KB - Virtual size: 584KB