General

Malware Config

Signatures

Files

• PS.zip

  .zip
• PS/NvSmart.hlp
• PS/RsTray.exe

  .exe windows:4 windows x86 arch:x86

  10747c74b9b459b104ccbf5e1b70bf14

  
  

  Code Sign

  38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5

  Certificate

  Issuer

  CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

  Not Before

  15-06-2007 00:00

  Not After

  14-06-2012 23:59

  Subject

  CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageContentCommitment

  47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4

  Certificate

  Issuer

  CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

  Not Before

  04-12-2003 00:00

  Not After

  03-12-2013 23:59

  Subject

  CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c

  Certificate

  Issuer

  OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

  Not Before

  21-05-2009 00:00

  Not After

  20-05-2019 23:59

  Subject

  CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

  Extended Key Usages

  ExtKeyUsageClientAuth

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageCertSign

  KeyUsageCRLSign

  61:0c:12:06:00:00:00:00:00:1b

  Certificate

  Issuer

  CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Not Before

  23-05-2006 17:01

  Not After

  23-05-2016 17:11

  Subject

  OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  48:4d:09:d5:0f:29:97:42:52:72:b7:97:aa:28:a5:57

  Certificate

  Issuer

  CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

  Not Before

  23-06-2009 00:00

  Not After

  22-07-2012 23:59

  Subject

  CN=Beijing Rising Information Technology Corporation Limited,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Beijing Rising Information Technology Corporation Limited,L=Beijing,ST=Beijing,C=CN

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  c7:29:f7:72:53:73:2c:7f:30:b1:14:dd:9a:4c:32:54:15:0f:6a:fd

  Signer

  Actual PE Digest

  c7:29:f7:72:53:73:2c:7f:30:b1:14:dd:9a:4c:32:54:15:0f:6a:fd

  Digest Algorithm

  sha1

  PE Digest Matches

  true

  Headers

  File Characteristics

  IMAGE_FILE_RELOCS_STRIPPED

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LINE_NUMS_STRIPPED

  IMAGE_FILE_LOCAL_SYMS_STRIPPED

  IMAGE_FILE_32BIT_MACHINE

  PDB Paths

  C:\DistributedAutoLink\Temp\CompileOutputDir\RSTray.pdb

  Imports

  kernel32

  FreeLibrary

  GetProcAddress

  GetModuleHandleA

  GetCurrentThreadId

  ResetEvent

  WaitForMultipleObjects

  GetModuleFileNameA

  LoadLibraryA

  lstrcatA

  lstrcpyA

  SetEvent

  InterlockedIncrement

  LeaveCriticalSection

  EnterCriticalSection

  CloseHandle

  GetPrivateProfileIntA

  GetFileAttributesA

  GetWindowsDirectoryA

  GetPrivateProfileStringA

  lstrcpynA

  lstrlenW

  MultiByteToWideChar

  GetLastError

  WideCharToMultiByte

  SizeofResource

  LoadResource

  FindResourceA

  LoadLibraryExA

  lstrcmpiA

  IsDBCSLeadByte

  GetSystemDirectoryA

  GetTickCount

  CreateEventA

  SetCurrentDirectoryA

  GetSystemInfo

  SetUnhandledExceptionFilter

  FormatMessageA

  GetCurrentProcess

  GetCurrentProcessId

  SuspendThread

  WriteFile

  VirtualQuery

  GetCurrentThread

  OutputDebugStringA

  GetProcessWorkingSetSize

  GlobalMemoryStatus

  GetLocalTime

  CreateFileA

  LockResource

  FindResourceExA

  FlushFileBuffers

  SetStdHandle

  ReadFile

  SetFilePointer

  IsBadCodePtr

  IsBadReadPtr

  LCMapStringW

  LCMapStringA

  GetFileType

  SetHandleCount

  GetEnvironmentStringsW

  FreeEnvironmentStringsW

  GetEnvironmentStrings

  FreeEnvironmentStringsA

  GetStdHandle

  UnhandledExceptionFilter

  TerminateProcess

  IsBadWritePtr

  VirtualFree

  DebugBreak

  InterlockedDecrement

  lstrlenA

  DeleteCriticalSection

  InitializeCriticalSection

  RaiseException

  GetVersionExA

  GetThreadLocale

  GetLocaleInfoA

  GetACP

  HeapCreate

  GetStringTypeW

  GetStringTypeA

  TlsGetValue

  TlsSetValue

  TlsFree

  SetLastError

  TlsAlloc

  GetCPInfo

  GetOEMCP

  GetSystemTimeAsFileTime

  QueryPerformanceCounter

  GetCommandLineA

  GetStartupInfoA

  InterlockedExchange

  VirtualAlloc

  VirtualProtect

  CreateThread

  ExitThread

  HeapDestroy

  HeapAlloc

  HeapFree

  HeapReAlloc

  HeapSize

  GetProcessHeap

  ExitProcess

  RtlUnwind

  user32

  GetWindowLongA

  SetWindowLongA

  DispatchMessageA

  PostMessageA

  wvsprintfA

  CharNextA

  UnregisterClassA

  DestroyWindow

  DestroyIcon

  PeekMessageA

  GetMessageA

  TranslateMessage

  CharUpperA

  LoadStringA

  LoadIconA

  LoadCursorA

  RegisterClassExA

  CreateWindowExA

  ShowWindow

  LoadImageA

  PostQuitMessage

  DefWindowProcA

  advapi32

  RegDeleteValueA

  RegSetValueExA

  RegEnumKeyExA

  RegQueryInfoKeyA

  RegCloseKey

  RegCreateKeyExA

  RegDeleteKeyA

  RegOpenKeyExA

  RegQueryValueExA

  ole32

  CoRegisterClassObject

  CoTaskMemAlloc

  CoInitialize

  CoTaskMemFree

  CoCreateInstance

  CoUninitialize

  CoTaskMemRealloc

  CoRevokeClassObject

  oleaut32

  VarUI4FromStr

  shlwapi

  PathRemoveExtensionA

  comctl32

  InitCommonControlsEx

  version

  GetFileVersionInfoA

  VerQueryValueA

  GetFileVersionInfoSizeA

  Sections

  .text

  Size: 88KB - Virtual size: 86KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 20KB - Virtual size: 17KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 4KB - Virtual size: 10KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 52KB - Virtual size: 48KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

• PS/comserv.dll

  .dll regsvr32 windows:5 windows x86 arch:x86

  505bf054eb5ead16958a0242eb39448d

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_NO_SEH

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  IMAGE_FILE_DLL

  Imports

  kernel32

  Sleep

  ReadFile

  GetModuleFileNameW

  CreateFileW

  GetLastError

  VirtualAlloc

  lstrcatW

  GetSystemTime

  Exports

  Exports

  DllCanUnloadNow

  DllGetClassObject

  DllRegisterServer

  DllUnregisterServer

  Sections

  .text

  Size: 512B - Virtual size: 223B

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 512B - Virtual size: 420B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: - Virtual size: 8KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .reloc

  Size: 512B - Virtual size: 100B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• PS/comserv.dll.url