PDB path: d:\MRP\output\win32\unlimited\UninstallFB.pdb
Static task
static1
Behavioral task
behavioral1
Sample
3c22f114a4aa73c1a40e453600c11e16c3e59f16efcd87c06d3cf3a3459ccb00.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
3c22f114a4aa73c1a40e453600c11e16c3e59f16efcd87c06d3cf3a3459ccb00.exe
Resource
win10v2004-20240508-en
General
-
Target
3c22f114a4aa73c1a40e453600c11e16c3e59f16efcd87c06d3cf3a3459ccb00
-
Size
1.6MB
-
MD5
4cd4c6ae8b7a1e55906361ca26fecabe
-
SHA1
49c854fb1e3c946f224401c6cdd4ecd7924b8bb7
-
SHA256
3c22f114a4aa73c1a40e453600c11e16c3e59f16efcd87c06d3cf3a3459ccb00
-
SHA512
8998fd72ac00ea3c8a71e96a7206ddd05edaf42b6df2ad1051054a145633d566680f98ea9b9418b31b0cd326775c8d73c0f2dbc4a54ddda84ce420392bb0d7e5
-
SSDEEP
6144:SsY9VugqhhUv3F+Ju4/Os8faFJQ2VdmgQOgQezEeoyl3z2VrPnNszRFjmVg:hSVug8hUdCuIKIJMLzqO3SVbQRtmVg
Malware Config
Signatures
-
Unsigned PE 1 IoCs
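Checks for missing Authenticode signature. An unsigned PE means the publisher and file integrity cannot be verified from the file itself; on its own this is a weak indicator and should be weighed together with the imports and section flags listed under Files.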
resource 3c22f114a4aa73c1a40e453600c11e16c3e59f16efcd87c06d3cf3a3459ccb00
Files
-
3c22f114a4aa73c1a40e453600c11e16c3e59f16efcd87c06d3cf3a3459ccb00.exe windows:4 windows x86 arch:x86
46a81d3d51a31f5fa4eedba7599d0c22
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports
ntdll
strcpy
strcmp
strrchr
wcsstr
wcsncpy
wcscat
wcstoul
wcschr
strncpy
ZwClose
ZwCreateFile
RtlInitUnicodeString
_chkstk
_alldiv
_allmul
NtLoadDriver
memcpy
NtUnloadDriver
_wcslwr
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
ZwQueryDirectoryObject
ZwOpenDirectoryObject
strstr
vsprintf
mbstowcs
strchr
strcat
wcstombs
labs
wcscmp
wcsrchr
wcslen
strlen
_wcsicmp
sprintf
atoi
_itow
_wtoi
_wcsnicmp
wcscpy
memset
ZwQueryVolumeInformationFile
_allshl
upgradeshow
PAGetGlobalDataObject
libcrypto-1_1
ERR_error_string
ERR_get_error
libssl-1_1
SSL_CTX_new
TLS_client_method
OPENSSL_init_ssl
SSL_free
SSL_new
SSL_set_fd
SSL_connect
SSL_get_error
SSL_write
SSL_read
SSL_shutdown
SSL_CTX_free
mfc80u
ord3204
ord283
ord3157
ord577
ord776
ord777
ord774
ord3198
ord860
ord3983
ord5638
ord2362
ord3281
ord3189
ord4238
ord5637
ord4117
ord3995
ord620
ord502
ord4535
ord3677
ord3327
ord4475
ord566
ord2832
ord757
ord5562
ord5209
ord5226
ord4562
ord3942
ord5222
ord5220
ord2925
ord1911
ord3826
ord5378
ord6215
ord5096
ord1007
ord3800
ord5579
ord2009
ord2054
ord4320
ord6274
ord3795
ord6272
ord4008
ord4032
ord3824
ord1049
ord5971
ord2011
ord2239
ord3176
ord4743
ord4256
ord6115
ord4314
ord4010
ord2648
ord5199
ord280
ord1392
ord5908
ord6089
ord6720
ord1785
ord3635
ord6086
ord1542
ord2651
ord1661
ord354
ord1662
ord605
ord4206
ord4884
ord5178
ord2086
ord3756
ord1582
ord4574
ord4234
ord4119
ord6161
ord4098
ord2159
ord3311
ord3155
ord2461
ord6063
ord741
ord2076
ord3156
ord1058
ord899
ord501
ord709
ord326
ord1006
ord3990
ord2713
ord1925
ord4101
ord4347
ord4100
ord2260
ord5485
ord896
ord772
ord3927
ord2121
ord1176
ord3395
ord753
ord722
ord745
ord6001
ord1416
ord6002
ord1472
ord1939
ord6700
ord282
ord1479
ord5710
ord5711
ord1198
ord764
ord265
ord762
ord266
ord572
ord2725
ord1536
ord2531
ord5196
ord587
ord1590
ord1646
ord1647
ord1955
ord5171
ord3417
ord1894
ord1353
ord4961
ord3339
ord6275
ord3796
ord6273
ord1513
ord2163
ord2169
ord2399
ord2381
ord3678
ord2379
ord2397
ord2409
ord2386
ord2402
ord347
ord2407
ord602
ord2390
ord1270
ord2392
ord2394
ord2388
ord2404
ord2384
ord931
ord927
ord929
ord925
ord1957
ord920
ord4109
ord5229
ord5231
ord5956
ord1591
ord4276
ord1079
ord894
ord4716
ord3397
ord6061
ord4255
ord4480
ord5210
ord3943
ord4179
ord2077
ord2638
ord6271
ord2985
ord3703
ord5067
ord3713
ord1899
ord3712
ord5148
ord2527
ord4226
ord3158
ord2640
ord293
ord2311
ord2895
ord1118
ord870
ord5727
ord1271
ord2361
ord6721
ord2829
ord2366
ord5911
ord4301
ord1611
ord2708
ord1608
ord2856
ord5609
ord3940
ord2534
ord1393
msvcr80
rand
srand
memmove_s
?what@exception@std@@UBEPBDXZ
wcsncpy_s
printf
??0exception@std@@QAE@ABQBD@Z
??0exception@std@@QAE@ABV01@@Z
??0exception@std@@QAE@XZ
??1exception@std@@UAE@XZ
_purecall
wcscat_s
fopen
fread
fclose
fwrite
wcscpy_s
malloc
_swprintf
_beginthreadex
memcpy_s
clearerr
_close
feof
_open
__iob_func
fflush
fgets
_read
fprintf
_fileno
ferror
_setmode
ftell
_lseek
_write
fseek
_vswprintf
__CxxFrameHandler3
_CxxThrowException
sprintf_s
_vsnwprintf
_vsnprintf
free
_vscprintf
_vscwprintf
vswprintf_s
vsprintf_s
_amsg_exit
_cexit
_exit
_XcptFilter
_wcmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
_encode_pointer
__set_app_type
_unlock
__dllonexit
_lock
_onexit
_decode_pointer
?terminate@@YAXXZ
_except_handler4_common
_invoke_watson
_controlfp_s
_crt_debugger_hook
wprintf
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_invalid_parameter_noinfo
exit
__wgetmainargs
kernel32
GetLocaleInfoA
GetThreadLocale
GetVersionExA
HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetProcessHeap
RaiseException
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
GetACP
IsDebuggerPresent
UnhandledExceptionFilter
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
SetUnhandledExceptionFilter
GetStartupInfoW
InterlockedCompareExchange
InterlockedExchange
FindResourceExW
lstrlenA
SetLastError
FindFirstFileW
IsBadWritePtr
SetFilePointerEx
RemoveDirectoryW
GetFileSizeEx
FindNextFileW
IsBadReadPtr
SetFileAttributesW
LocalFree
FindClose
GetProcAddress
DeleteFileW
GetModuleHandleW
WritePrivateProfileStringA
CreateDirectoryW
GetCurrentThread
GetComputerNameW
TerminateThread
GetExitCodeProcess
CreatePipe
SetHandleInformation
OpenFileMappingW
OpenEventW
MapViewOfFile
SetEvent
UnmapViewOfFile
TerminateProcess
WaitForSingleObject
OutputDebugStringA
CreateDirectoryA
CreateFileA
GetLocalTime
GlobalMemoryStatusEx
WriteFile
GetCurrentProcess
GetVersionExW
GetSystemWindowsDirectoryW
GetVolumeNameForVolumeMountPointW
DeleteVolumeMountPointW
Sleep
SetVolumeMountPointW
FlushFileBuffers
DeviceIoControl
GetPrivateProfileStringA
GetModuleFileNameA
GetFileAttributesW
lstrcpyW
WinExec
CreateMutexW
CreateProcessW
CopyFileW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
MoveFileExW
GetTempPathW
GetCommandLineW
GetLastError
GlobalFree
GlobalUnlock
GlobalLock
LockResource
FreeResource
GlobalAlloc
SizeofResource
LoadResource
FindResourceW
GetPrivateProfileIntW
GetPrivateProfileStringW
WritePrivateProfileStringW
GetModuleFileNameW
CloseHandle
CreateFileW
lstrlenW
GetFileSize
GetSystemTime
SetFilePointer
ReadFile
WideCharToMultiByte
MultiByteToWideChar
DeleteCriticalSection
user32
IsIconic
GetSystemMetrics
IsWindowVisible
LoadBitmapW
ScreenToClient
LoadIconW
PtInRect
SetCursor
DestroyCursor
IsWindow
DrawIcon
GetClientRect
ReleaseDC
GetDC
SendMessageW
DrawFrameControl
FillRect
GetParent
GetWindowRect
EnableWindow
CopyRect
InvalidateRect
wsprintfW
GetSysColor
SetWindowLongW
GetCursorPos
UnregisterClassA
gdi32
BitBlt
CreateCompatibleBitmap
SetTextColor
DeleteObject
SelectObject
GetTextMetricsW
CreateFontIndirectW
TextOutW
GetCurrentObject
DeleteDC
SetTextJustification
LineTo
MoveToEx
CreatePen
CreatePatternBrush
CreateFontW
GetStockObject
GetObjectW
GetTextExtentPoint32W
CreateSolidBrush
SetBkMode
SetBkColor
CreateCompatibleDC
advapi32
BuildExplicitAccessWithNameW
RegQueryInfoKeyW
RegGetKeySecurity
LookupPrivilegeValueW
RegSetKeySecurity
RegDeleteValueW
RegEnumKeyExW
RegFlushKey
RegEnumValueW
SetSecurityInfo
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegCreateKeyExW
RegDeleteKeyW
RegSetValueExW
SetNamedSecurityInfoW
SetEntriesInAclW
ConvertStringSidToSidW
RegOpenKeyA
RegQueryValueExA
RegUnLoadKeyW
RegLoadKeyW
OpenProcessToken
AdjustTokenPrivileges
RegOpenKeyW
RegQueryValueExW
RegCloseKey
RegQueryValueW
RegOpenKeyExW
ConvertSecurityDescriptorToStringSecurityDescriptorW
shell32
CommandLineToArgvW
SHGetFolderPathW
ShellExecuteW
comctl32
InitCommonControlsEx
_TrackMouseEvent
shlwapi
PathFindFileNameW
PathFileExistsW
PathFindExtensionW
msvcp80
?insert@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@IPB_W@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
?find_last_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?find@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIPB_WI@Z
?substr@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE?AV12@II@Z
?npos@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@2IB
?find_last_of@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIPB_WI@Z
?resize@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXI@Z
?swap@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXAAV12@@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
?clear@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
?compare@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEHIIPBD@Z
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?clear@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXXZ
??$?MDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
?empty@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBE_NXZ
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
?c_str@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEPB_WXZ
??$?8DU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
?append@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@PB_W@Z
?size@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIXZ
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$allocator@_W@std@@QAE@XZ
??0?$allocator@D@std@@QAE@XZ
?deallocate@?$allocator@_W@std@@QAEXPA_WI@Z
??0?$allocator@_W@std@@QAE@ABV01@@Z
?allocate@?$allocator@D@std@@QAEPADI@Z
?deallocate@?$allocator@D@std@@QAEXPADI@Z
?max_size@?$allocator@_W@std@@QBEIXZ
??0?$allocator@D@std@@QAE@ABV01@@Z
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_WI@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDI@Z
?max_size@?$allocator@D@std@@QBEIXZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
?allocate@?$allocator@_W@std@@QAEPA_WI@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
ole32
CreateStreamOnHGlobal
ws2_32
gethostbyname
WSAStartup
socket
send
recv
htons
bind
inet_addr
connect
listen
accept
closesocket
WSACleanup
WSAGetLastError
gdiplus
GdipGetImageWidth
GdiplusStartup
GdiplusShutdown
GdipDrawImageRectRect
GdipDrawImagePointRectI
GdipReleaseDC
GdipCloneImage
GdipLoadImageFromStream
GdipLoadImageFromStreamICM
GdipDeleteGraphics
GdipCreateFromHDC
GdipDisposeImage
GdipAlloc
GdipFree
GdipGetImageHeight
rpcrt4
UuidCreate
winhttp
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpOpen
WinHttpOpenRequest
WinHttpWriteData
WinHttpConnect
WinHttpCloseHandle
WinHttpSetOption
Exports
GetObjGAHelp
GetObjGATrackingData
GetObjGoogleAnalytics
OPENSSL_Applink
Sections
.text Size: 244KB - Virtual size: 243KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rdata Size: 92KB - Virtual size: 90KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.data Size: 12KB - Virtual size: 1.0MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1.3MB - Virtual size: 1.3MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE