based[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

based.exe
Size

3.1MB
MD5

922eb65cdec50a4de64b1d1796d08d86
SHA1

4dbdf43f92efae2ad787c9a58326243026eb378f
SHA256

d0535bcaed2fe2aaa791978cd1cb807b81817a98eab3236f4084800a98359be3
SHA512

3308467bce27b2b761b367e9b5b2a868fd937ace7b9f4eb9b662d94e9d0e5171ebf56c56ce8a0c49d7cba82102d2b8c332d7129cf06ad00223ac03568a0e042e
SSDEEP

49152:mGtlqKbIU6iGoQwfqMjp2jQWCydBtKmANbbB9FDLIEoHjjmF8/8T6ogriPlItb78:++GzMjp2jQawtimCZrNtb

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
based.exe

Files

based.exe
.exe windows:6 windows x64 arch:x64

026a36aa7e4c0dcb421d7cdb154fffe0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ws2_32

ntohs
WSAIoctl
WSAStartup
WSACleanup
accept
closesocket
recv
getnameinfo
gethostname
sendto
recvfrom
ntohl
freeaddrinfo
getaddrinfo
ioctlsocket
listen
htonl
socket
send
WSAGetLastError
htons
getsockopt
getsockname
getpeername
connect
bind
WSASetLastError
select
__WSAFDIsSet
inet_pton
setsockopt
shutdown

wldap32

ord22
ord26
ord27
ord32
ord33
ord35
ord50
ord30
ord200
ord301
ord60
ord211
ord46
ord143
ord41
ord79
ord45

crypt32

CertEnumCertificatesInStore
CertCloseStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
CertGetCertificateContextProperty
CertDuplicateCertificateContext
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertAddCertificateContextToStore
CertOpenStore

advapi32

CryptEnumProvidersW
CryptSignHashW
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGenRandom
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA

dwmapi

DwmExtendFrameIntoClientArea

kernel32

TlsGetValue
TlsAlloc
GetCurrentThreadId
SystemTimeToFileTime
ReadConsoleW
TlsSetValue
SetConsoleMode
GetConsoleMode
GetEnvironmentVariableW
GetFileSizeEx
FormatMessageA
TlsFree
GetModuleHandleExW
GetSystemTime
FormatMessageW
WriteFile
GetModuleHandleW
GetCurrentProcessId
InitializeSListHead
GetSystemTimeAsFileTime
ReleaseSRWLockExclusive
SwitchToFiber
DeleteFiber
CreateFiber
LoadLibraryW
ConvertFiberToThread
ConvertThreadToFiber
FindClose
FindFirstFileW
FindNextFileW
ReadConsoleA
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlLookupFunctionEntry
RtlCaptureContext
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
InitializeCriticalSectionAndSpinCount
RtlVirtualUnwind
IsDebuggerPresent
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
QueryPerformanceFrequency
QueryPerformanceCounter
MultiByteToWideChar
CreateFileA
WideCharToMultiByte
GetTickCount
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
Sleep
SleepEx
VerSetConditionMask
GetSystemDirectoryA
FreeLibrary
GetModuleHandleA
GetProcAddress
LoadLibraryA
VerifyVersionInfoA
CloseHandle
WaitForSingleObjectEx
GetLastError
ExpandEnvironmentStringsA
GetStdHandle
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
SetLastError

user32

MessageBoxW
GetUserObjectInformationW
GetProcessWindowStation
GetWindow
DestroyWindow
DefWindowProcA
mouse_event
PostQuitMessage
GetKeyState
LoadCursorA
ScreenToClient
GetActiveWindow
GetCapture
ClientToScreen
SetCapture
SetCursor
GetClientRect
ReleaseCapture
SetCursorPos
SetClipboardData
GetCursorPos
OpenClipboard
CloseClipboard
EmptyClipboard
GetClipboardData

msvcp140

??Bios_base@std@@QEBA_NXZ
?good@ios_base@std@@QEBA_NXZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
_Query_perf_counter
?_Random_device@std@@YAIXZ
?_Xbad_alloc@std@@YAXXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xbad_function_call@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
_Query_perf_frequency
?uncaught_exceptions@std@@YAHXZ

imm32

ImmGetContext
ImmReleaseContext
ImmSetCompositionWindow

d3d9

Direct3DCreate9Ex

bcrypt

BCryptGenRandom

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_exception_copy
_CxxThrowException
__current_exception_context
__current_exception
__C_specific_handler
wcsstr
memchr
memcmp
memmove
strrchr
strchr
memset
__std_terminate
strstr
memcpy
__std_exception_destroy

api-ms-win-crt-convert-l1-1-0

strtoull
strtoll
strtod
strtol
strtoul
atoi

api-ms-win-crt-locale-l1-1-0

localeconv
_configthreadlocale

api-ms-win-crt-runtime-l1-1-0

_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
__sys_nerr
exit
_initterm_e
_errno
_beginthreadex
strerror
_initterm
signal
strerror_s
_get_initial_narrow_environment
_exit
_invalid_parameter_noinfo_noreturn
raise
_set_app_type
_seh_filter_exe
terminate
__p___argc
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vfprintf
fwrite
__stdio_common_vswprintf
_wfopen
fread
setbuf
clearerr
_set_fmode
_setmode
_fileno
ferror
feof
__stdio_common_vsscanf
__stdio_common_vsprintf_s
__p__commode
fputs
_read
_write
_close
_open
_lseeki64
setvbuf
fgets
__stdio_common_vsprintf
fopen
ftell
__acrt_iob_func
fflush
fclose
fseek
fputc

api-ms-win-crt-string-l1-1-0

strcmp
strncpy
isprint
strpbrk
_strdup
_stricmp
tolower
strncmp
isupper
strcspn
_strnicmp
isspace
strspn

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-heap-l1-1-0

free
calloc
malloc
_set_new_mode
realloc
_callnewh

api-ms-win-crt-time-l1-1-0

_time64
_gmtime64_s
_gmtime64

api-ms-win-crt-filesystem-l1-1-0

_stat64
_access
_stat64i32
_fstat64
_fstat64i32

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-math-l1-1-0

sinf
__setusermatherr
_dclass
ceilf
cosf
floorf
fmodf
sqrtf

Sections

.text
Size: 2.2MB - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 701KB - Virtual size: 701KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 25KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 90KB - Virtual size: 90KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

026a36aa7e4c0dcb421d7cdb154fffe0

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

wldap32

crypt32

advapi32

dwmapi

kernel32

user32

msvcp140

imm32

d3d9

bcrypt

vcruntime140_1

vcruntime140

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-math-l1-1-0

Sections

.text Size: 2.2MB - Virtual size: 2.2MB

.rdata Size: 701KB - Virtual size: 701KB

.data Size: 25KB - Virtual size: 44KB

.pdata Size: 90KB - Virtual size: 90KB

_RDATA Size: 30KB - Virtual size: 30KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 25KB - Virtual size: 25KB

.text
Size: 2.2MB - Virtual size: 2.2MB

.rdata
Size: 701KB - Virtual size: 701KB

.data
Size: 25KB - Virtual size: 44KB

.pdata
Size: 90KB - Virtual size: 90KB

_RDATA
Size: 30KB - Virtual size: 30KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 25KB - Virtual size: 25KB