2024-06-09_994860f87c5c4f12488fc293fb3ec7ef_polyvice

Sharing

Copy URL Twitter E-mail

General

Target

2024-06-09_994860f87c5c4f12488fc293fb3ec7ef_polyvice
Size

40.6MB
MD5

994860f87c5c4f12488fc293fb3ec7ef
SHA1

2d42e4989a95f4f7a1bf6f8f6ba816e44fa40b9b
SHA256

994952b57b7a69d9d5b5b295acb42fe4c5f4c772263c8859a3fbd0ccc9cb642d
SHA512

8e949991e8f36d41eb4c07b0bb1f05103f7e74a21c3c0ac90d0b0f09675c5ee02dd05dd248cf87f58f7a7434df61e34e6b9302b4a31a80f3178c0c79f701f5ed
SSDEEP

393216:rzccFwyYpimlB2qi1gUbOYJ4kKPO5i2dm/:ccIoIB27gQ9KP6iJ/

Score

10^/10

Malware Config

Signatures

Detects executables containing URLs to raw contents of a Github gist 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Files

2024-06-09_994860f87c5c4f12488fc293fb3ec7ef_polyvice
.exe windows:6 windows x64 arch:x64

8b1299b19e062b501342c1b5b9879936

Code Sign

08:1d:e0:66:62:80:97:14:2d:00:f6:88
Certificate

Issuer

CN=GlobalSign GCC R45 EV CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Not Before

07/07/2022, 16:19

Not After

07/07/2025, 16:19

Subject

SERIALNUMBER=5598711,CN=Confluent\, Inc.,O=Confluent\, Inc.,STREET=899 W Evelyn Ave,L=Mountain View,ST=California,C=US,1.2.840.113549.1.9.1=#0c1764617669642e6879646540636f6e666c75656e742e696f,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

43:7f:84:76:3e:55:42:e6:4c:ab:53:0a:b7:6b:7e:13:1b:a9:5e:06
Signer

Actual PE Digest

43:7f:84:76:3e:55:42:e6:4c:ab:53:0a:b7:6b:7e:13:1b:a9:5e:06

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Imports

advapi32

CryptAcquireContextW
CryptGenRandom
CryptReleaseContext
DeregisterEventSource
RegisterEventSourceW
ReportEventW

crypt32

CertCloseStore
CertEnumCertificatesInStore
CertFreeCertificateContext
CertOpenStore

kernel32

AcquireSRWLockExclusive
AcquireSRWLockShared
AddVectoredExceptionHandler
CloseHandle
ConvertFiberToThread
ConvertThreadToFiber
CreateEventA
CreateEventW
CreateFiber
CreateFileA
CreateIoCompletionPort
CreateMutexW
CreateSemaphoreA
CreateThread
CreateWaitableTimerExW
DeleteCriticalSection
DeleteFiber
DuplicateHandle
EnterCriticalSection
ExitProcess
ExitThread
FindClose
FindFirstFileW
FindNextFileW
FormatMessageA
FormatMessageW
FreeEnvironmentStringsW
FreeLibrary
GetConsoleMode
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetEnvironmentStringsW
GetEnvironmentVariableA
GetEnvironmentVariableW
GetExitCodeThread
GetFileType
GetHandleInformation
GetLastError
GetModuleFileNameA
GetModuleHandleExA
GetModuleHandleExW
GetModuleHandleW
GetProcAddress
GetProcessAffinityMask
GetQueuedCompletionStatusEx
GetStartupInfoA
GetStdHandle
GetSystemDirectoryA
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetThreadContext
GetThreadId
GetThreadPriority
GetTickCount64
GetVersion
InitializeConditionVariable
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeSRWLock
IsDBCSLeadByteEx
IsDebuggerPresent
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
MultiByteToWideChar
OpenProcess
OutputDebugStringA
PostQueuedCompletionStatus
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseException
ReadConsoleA
ReadConsoleW
ReleaseMutex
ReleaseSRWLockExclusive
ReleaseSRWLockShared
ReleaseSemaphore
RemoveVectoredExceptionHandler
ResetEvent
ResumeThread
RtlVirtualUnwind
SetConsoleCtrlHandler
SetConsoleMode
SetErrorMode
SetEvent
SetLastError
SetProcessAffinityMask
SetProcessPriorityBoost
SetThreadContext
SetThreadPriority
SetUnhandledExceptionFilter
SetWaitableTimer
Sleep
SleepConditionVariableCS
SleepEx
SuspendThread
SwitchToFiber
SwitchToThread
SystemTimeToFileTime
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryEnterCriticalSection
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte
WriteConsoleW
WriteFile
__C_specific_handler

msvcrt

___lc_codepage_func
___mb_cur_max_func
__getmainargs
__initenv
__iob_func
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_beginthread
_beginthreadex
_cexit
_chsize
_commode
_endthreadex
_errno
_exit
_fdopen
_fileno
_fmode
_ftime64_s
_gmtime64
_initterm
_lock
_onexit
_setjmp
_setmode
_snwprintf
_sopen
_stat64
_strdup
_strdup
_stricmp
_strnicmp
_ultoa
_time64
_unlock
_vscprintf
_vsnprintf
_vsnprintf_s
_vsnwprintf
_wassert
_wfopen
abort
atoi
bsearch
calloc
exit
fclose
feof
ferror
fflush
fgets
fopen
fprintf
fputc
fputs
fread
free
fseek
ftell
fwrite
getc
getenv
islower
isprint
isspace
isupper
isxdigit
localeconv
longjmp
malloc
mbstowcs_s
memchr
memcmp
memcpy
memmove
memset
printf
qsort
raise
rand
realloc
signal
srand
strcat
strchr
strcmp
strcpy
strcspn
strerror
strlen
strncmp
strncpy
strrchr
strspn
strstr
strtol
strtoul
tolower
toupper
ungetc
vfprintf
wcscpy
wcslen
wcsstr
wcstombs

secur32

AcquireCredentialsHandleW
DecryptMessage
DeleteSecurityContext
EncryptMessage
FreeContextBuffer
FreeCredentialsHandle
InitializeSecurityContextW
QueryContextAttributesW
QueryCredentialsAttributesA

user32

GetProcessWindowStation
GetUserObjectInformationW
MessageBoxW

ws2_32

WSACleanup
WSACloseEvent
WSACreateEvent
WSAEnumNetworkEvents
WSAEventSelect
WSAGetLastError
WSAPoll
WSASetLastError
WSAStartup
WSAWaitForMultipleEvents
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
gethostbyname
getnameinfo
getsockname
getsockopt
htonl
ioctlsocket
listen
ntohl
ntohs
recv
send
setsockopt
shutdown
socket

Exports

Exports

_cgo_dummy_export
cJSON_AddArrayToObject
cJSON_AddBoolToObject
cJSON_AddFalseToObject
cJSON_AddItemReferenceToArray
cJSON_AddItemReferenceToObject
cJSON_AddItemToArray
cJSON_AddItemToObject
cJSON_AddItemToObjectCS
cJSON_AddNullToObject
cJSON_AddNumberToObject
cJSON_AddObjectToObject
cJSON_AddRawToObject
cJSON_AddStringToObject
cJSON_AddTrueToObject
cJSON_Compare
cJSON_CreateArray
cJSON_CreateArrayReference
cJSON_CreateBool
cJSON_CreateDoubleArray
cJSON_CreateFalse
cJSON_CreateFloatArray
cJSON_CreateIntArray
cJSON_CreateNull
cJSON_CreateNumber
cJSON_CreateObject
cJSON_CreateObjectReference
cJSON_CreateRaw
cJSON_CreateString
cJSON_CreateStringArray
cJSON_CreateStringReference
cJSON_CreateTrue
cJSON_Delete
cJSON_DeleteItemFromArray
cJSON_DeleteItemFromObject
cJSON_DeleteItemFromObjectCaseSensitive
cJSON_DetachItemFromArray
cJSON_DetachItemFromObject
cJSON_DetachItemFromObjectCaseSensitive
cJSON_DetachItemViaPointer
cJSON_Duplicate
cJSON_GetArrayItem
cJSON_GetArraySize
cJSON_GetErrorPtr
cJSON_GetNumberValue
cJSON_GetObjectItem
cJSON_GetObjectItemCaseSensitive
cJSON_GetStringValue
cJSON_HasObjectItem
cJSON_InitHooks
cJSON_InsertItemInArray
cJSON_IsArray
cJSON_IsBool
cJSON_IsFalse
cJSON_IsInvalid
cJSON_IsNull
cJSON_IsNumber
cJSON_IsObject
cJSON_IsRaw
cJSON_IsString
cJSON_IsTrue
cJSON_Minify
cJSON_Parse
cJSON_ParseWithLength
cJSON_ParseWithLengthOpts
cJSON_ParseWithOpts
cJSON_Print
cJSON_PrintBuffered
cJSON_PrintPreallocated
cJSON_PrintUnformatted
cJSON_ReplaceItemInArray
cJSON_ReplaceItemInObject
cJSON_ReplaceItemInObjectCaseSensitive
cJSON_ReplaceItemViaPointer
cJSON_SetNumberHelper
cJSON_SetValuestring
cJSON_Version
cJSON_free
cJSON_malloc

Sections

.text
Size: 21.2MB - Virtual size: 21.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 17.8MB - Virtual size: 17.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 162KB - Virtual size: 161KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 153KB - Virtual size: 153KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 477KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 307KB - Virtual size: 306KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8b1299b19e062b501342c1b5b9879936

Code Sign

08:1d:e0:66:62:80:97:14:2d:00:f6:88Certificate

Extended Key Usages

Key Usages

43:7f:84:76:3e:55:42:e6:4c:ab:53:0a:b7:6b:7e:13:1b:a9:5e:06Signer

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

crypt32

kernel32

msvcrt

secur32

user32

ws2_32

Exports

Exports

Sections

.text Size: 21.2MB - Virtual size: 21.2MB

.data Size: 1.0MB - Virtual size: 1.0MB

.rdata Size: 17.8MB - Virtual size: 17.8MB

.pdata Size: 162KB - Virtual size: 161KB

.xdata Size: 153KB - Virtual size: 153KB

.bss Size: - Virtual size: 477KB

.edata Size: 2KB - Virtual size: 2KB

.idata Size: 10KB - Virtual size: 10KB

.CRT Size: 512B - Virtual size: 104B

.tls Size: 512B - Virtual size: 16B

.reloc Size: 307KB - Virtual size: 306KB

08:1d:e0:66:62:80:97:14:2d:00:f6:88
Certificate

43:7f:84:76:3e:55:42:e6:4c:ab:53:0a:b7:6b:7e:13:1b:a9:5e:06
Signer

.text
Size: 21.2MB - Virtual size: 21.2MB

.data
Size: 1.0MB - Virtual size: 1.0MB

.rdata
Size: 17.8MB - Virtual size: 17.8MB

.pdata
Size: 162KB - Virtual size: 161KB

.xdata
Size: 153KB - Virtual size: 153KB

.bss
Size: - Virtual size: 477KB

.edata
Size: 2KB - Virtual size: 2KB

.idata
Size: 10KB - Virtual size: 10KB

.CRT
Size: 512B - Virtual size: 104B

.tls
Size: 512B - Virtual size: 16B

.reloc
Size: 307KB - Virtual size: 306KB