IpVanish[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

IpVanish.exe
Size

1.1MB
MD5

b2b5115fdefea484b254ae356497b5ac
SHA1

0549b92d66281d5249f7a0c183e92bd3333e97e9
SHA256

efee84dc890ebfa998d30420e8a314383000f141802bebb7e5ce066544e4cc4f
SHA512

1eed54807fe8535b65595e557ee0cd2762b31cd78a220488c32300f6db37da1dd5d959c699e9428990f25b338f19e99d69df67a136f89dfc1623f5f4c0b1756a
SSDEEP

12288:C5XPjS8h8AQ5nItWx1T0jyI6yrzutUbziFYOfkqUO2pspZY+eas9TfDne9Do4xYD:QVQ5nS01TSyzdUbOFYCkqyFVTfDnebx

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
IpVanish.exe

Files

IpVanish.exe
.exe windows:6 windows x64 arch:x64

1265e461bb70e6f771b4dd8cba16314a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Ex\Desktop\Public Src\Build\IpVanish.pdb

Imports

d3d9

Direct3DCreate9Ex

kernel32

FindFirstFileW
GetFileAttributesExW
InitializeSListHead
GetSystemTimeAsFileTime
lstrcmpiA
GetCurrentThreadId
GetConsoleWindow
ExitProcess
GetStartupInfoA
GetCurrentProcessId
CreateThread
OutputDebugStringW
GetFileInformationByHandleEx
CloseHandle
Process32Next
CreateFileA
GetLastError
CreateToolhelp32Snapshot
GetCommandLineA
OpenProcess
VirtualAlloc
DeviceIoControl
GetStdHandle
GetCurrentProcess
SetConsoleTitleA
VirtualFree
GetFileSizeEx
FormatMessageA
WaitForMultipleObjects
ReadFile
GetFileType
SetConsoleTextAttribute
SetLastError
VirtualProtect
FindClose
GetEnvironmentVariableA
WaitForSingleObjectEx
MoveFileExA
GetTickCount
VerifyVersionInfoA
Process32First
IsDebuggerPresent
GetLocaleInfoEx
GetCurrentDirectoryW
CreateDirectoryW
AreFileApisANSI
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
LocalFree
QueryFullProcessImageNameW
GetModuleHandleW
GetModuleFileNameW
GetModuleFileNameA
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
SleepEx
PeekNamedPipe
QueryPerformanceCounter
FreeLibrary
VerSetConditionMask
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GetModuleHandleA
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
GlobalAlloc
MultiByteToWideChar
Sleep
CreateFileW
GetSystemDirectoryA

user32

CloseClipboard
OpenClipboard
GetCursorPos
SetCursorPos
GetClientRect
SetCursor
GetForegroundWindow
GetClipboardData
ScreenToClient
LoadCursorA
GetKeyState
UpdateWindow
RegisterClassExA
FindWindowA
GetDesktopWindow
PeekMessageA
EmptyClipboard
ClientToScreen
LoadIconA
DestroyWindow
mouse_event
TranslateMessage
SetLayeredWindowAttributes
DefWindowProcA
EnumWindows
MessageBoxA
SetWindowLongA
GetWindowThreadProcessId
GetWindow
DispatchMessageA
GetWindowRect
GetAsyncKeyState
SetWindowPos
GetSystemMetrics
ShowWindow
SetClipboardData

advapi32

GetTokenInformation
CryptReleaseContext
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptEncrypt
AddAccessAllowedAce
GetLengthSid
InitializeAcl
IsValidSid
DuplicateTokenEx
ConvertSidToStringSidA
CopySid
SetSecurityInfo
SetThreadToken
RevertToSelf
CreateProcessAsUserA
PrivilegeCheck
SetTokenInformation
LookupPrivilegeValueA
OpenProcessToken
CryptAcquireContextA

oleaut32

VariantClear

imm32

ImmSetCandidateWindow
ImmGetContext
ImmReleaseContext
ImmSetCompositionWindow

dwmapi

DwmExtendFrameIntoClientArea

msvcp140

?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEBX@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?good@ios_base@std@@QEBA_NXZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?_Xbad_function_call@std@@YAXXZ
?_Syserror_map@std@@YAPEBDH@Z
?_Winerror_map@std@@YAHH@Z
??7ios_base@std@@QEBA_NXZ
?setf@ios_base@std@@QEAAHHH@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Xlength_error@std@@YAXPEBD@Z
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?uncaught_exception@std@@YA_NXZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$ctype@D@std@@2V0locale@2@A
_Cnd_do_broadcast_at_thread_exit
_Thrd_detach
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ

normaliz

IdnToAscii

wldap32

ord22
ord50
ord27
ord32
ord33
ord35
ord26
ord41
ord79
ord30
ord45
ord60
ord211
ord143
ord217
ord46
ord200
ord301

crypt32

CertGetCertificateChain
CertOpenStore
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertFreeCertificateChain
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertAddCertificateContextToStore

ws2_32

WSACleanup
closesocket
recv
send
WSAGetLastError
bind
connect
getpeername
getsockname
getsockopt
htons
ntohs
setsockopt
socket
WSASetLastError
WSAIoctl
WSAStartup
recvfrom
accept
htonl
listen
ioctlsocket
__WSAFDIsSet
ntohl
gethostname
select
sendto
getaddrinfo
freeaddrinfo

shlwapi

PathFindFileNameW

rpcrt4

UuidCreate
RpcStringFreeA
UuidToStringA

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_terminate
strstr
strchr
__std_exception_destroy
__std_exception_copy
memcpy
memset
strrchr
memmove
memcmp
__C_specific_handler
__current_exception_context
__current_exception
_CxxThrowException
memchr

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vfprintf
__p__commode
fclose
fwrite
_popen
_pclose
_wfopen
_read
__stdio_common_vsprintf
fread
_write
_lseeki64
__stdio_common_vsscanf
fflush
ftell
_close
_set_fmode
feof
fputc
fputs
fopen
_open
_get_stream_buffer_pointers
_fseeki64
fsetpos
ungetc
fseek
setvbuf
fgetpos
fgets
__stdio_common_vsprintf_s
__stdio_common_vsnprintf_s
__acrt_iob_func
fgetc

api-ms-win-crt-utility-l1-1-0

rand
qsort

api-ms-win-crt-string-l1-1-0

_strdup
strncpy
isupper
tolower
strpbrk
strspn
strncmp
strcmp
strcspn
_stricmp

api-ms-win-crt-heap-l1-1-0

_callnewh
free
calloc
realloc
malloc
_set_new_mode

api-ms-win-crt-convert-l1-1-0

strtol
strtoul
atof
atoi
strtoll
strtod
strtoull

api-ms-win-crt-runtime-l1-1-0

_invalid_parameter_noinfo_noreturn
exit
_beginthreadex
system
terminate
abort
_errno
strerror
_getpid
__sys_nerr
_invalid_parameter_noinfo
_resetstkoflw
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
__p___argc
_exit
_initterm_e
_initterm
_get_initial_narrow_environment
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv

api-ms-win-crt-filesystem-l1-1-0

_access
_fstat64
_unlock_file
_lock_file
remove
_unlink
_stat64

api-ms-win-crt-time-l1-1-0

_localtime64
strftime
_time64
_gmtime64

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
___lc_codepage_func
localeconv

api-ms-win-crt-math-l1-1-0

acosf
_dsign
_dclass
__setusermatherr
asin
atan2
ceilf
cosf
fmodf
powf
sinf
sqrtf
tanf

api-ms-win-crt-environment-l1-1-0

getenv

shell32

ShellExecuteA

Sections

.text
Size: 886KB - Virtual size: 886KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 185KB - Virtual size: 185KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 464B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1265e461bb70e6f771b4dd8cba16314a

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

d3d9

kernel32

user32

advapi32

oleaut32

imm32

dwmapi

msvcp140

normaliz

wldap32

crypt32

ws2_32

shlwapi

rpcrt4

psapi

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-environment-l1-1-0

shell32

Sections

.text Size: 886KB - Virtual size: 886KB

.rdata Size: 185KB - Virtual size: 185KB

.data Size: 5KB - Virtual size: 10KB

.pdata Size: 32KB - Virtual size: 31KB

_RDATA Size: 512B - Virtual size: 464B

.rsrc Size: 4KB - Virtual size: 4KB

.reloc Size: 2KB - Virtual size: 2KB

.text
Size: 886KB - Virtual size: 886KB

.rdata
Size: 185KB - Virtual size: 185KB

.data
Size: 5KB - Virtual size: 10KB

.pdata
Size: 32KB - Virtual size: 31KB

_RDATA
Size: 512B - Virtual size: 464B

.rsrc
Size: 4KB - Virtual size: 4KB

.reloc
Size: 2KB - Virtual size: 2KB