TS3W[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

TS3W.exe
Size

13.8MB
MD5

4914240f50664a7ac6f715f58d0fd30b
SHA1

b76a9a965e93e911911f064c6ae6b6b4077b929f
SHA256

8ead50f94f60cc2b5160788c8a5573d2dfc0551ab7f3cf994a8833ecfe78d73d
SHA512

d7516370d6c0196bb7336e629737915d29f45d5320575c820fd2868a64b46a5bf7e66954cc921ed8d71bd8af8a62e29644267e65fd441fc60b8c41f7c1e4000f
SSDEEP

196608:pCBQwZGWbj3nErenhNksQd1/x+r6EBY84+WT/U3ytLOD:sQfWUuxrjy8hWT/U3ytA

Score

1^/10

Malware Config

Signatures

Files

TS3W.exe
.exe windows:4 windows x86 arch:x86

bea1e4b461aff8ed767fca5181ebc489

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0c:61:8e:5c:55:72:5b:09:15:8b:62:14:9c:42:5b:a5
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

27/07/2011, 00:00

Not After

03/10/2014, 23:59

Subject

CN=Electronic Arts,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Synthetic,O=Electronic Arts,L=Redwood City,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

9b:7a:2c:39:d4:6f:33:01:19:bc:e8:93:07:97:32:fc:a8:10:d6:30
Signer

Actual PE Digest

9b:7a:2c:39:d4:6f:33:01:19:bc:e8:93:07:97:32:fc:a8:10:d6:30

Digest Algorithm

sha1

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\buildagent\slc1-build111\cmbuild\out\release\game_win32\Game_Win32.pdb

Imports

d3d9

Direct3DCreate9

d3dx9_31

D3DXGetShaderSize
D3DXFillVolumeTexture

ddraw

DirectDrawCreateEx

iphlpapi

GetAdaptersInfo
GetAdaptersAddresses

wininet

HttpAddRequestHeadersA
InternetErrorDlg
InternetSetOptionA
InternetReadFile
InternetCrackUrlA
InternetCloseHandle
InternetConnectA
HttpOpenRequestA
InternetGetConnectedState
InternetSetCookieA
InternetGetCookieW
HttpQueryInfoA
InternetQueryOptionA
HttpSendRequestA
InternetSetStatusCallback
InternetOpenA
HttpSendRequestExA
InternetWriteFile
HttpEndRequestA

kernel32

GetProcAddress
GetModuleHandleA
GetLocaleInfoW
Sleep
SetLastError
EnumResourceNamesA
GetUserDefaultLCID
GetTickCount
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
CompareStringW
GetWindowsDirectoryW
LoadLibraryA
GetModuleFileNameW
FreeLibrary
GetModuleFileNameA
VirtualQuery
ResumeThread
SuspendThread
GetCurrentThreadId
CreateEventA
OutputDebugStringA
FormatMessageA
IsDebuggerPresent
FlushFileBuffers
GetCurrentProcessId
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetComputerNameA
GlobalMemoryStatusEx
GetSystemInfo
GetVersionExA
GetComputerNameExA
LocalFree
LocalAlloc
SystemTimeToFileTime
GetSystemTime
WaitForSingleObject
SetEvent
FindCloseChangeNotification
FindNextChangeNotification
WaitForMultipleObjects
FindFirstChangeNotificationW
CancelIo
GetLongPathNameW
WaitForMultipleObjectsEx
GetFileAttributesW
MoveFileExW
CopyFileW
CopyFileA
SetFileAttributesW
GetTempPathW
GetVolumeInformationW
GetDiskFreeSpaceExW
GetFullPathNameW
GetDriveTypeA
SleepEx
GlobalFree
GlobalAlloc
GetExitCodeThread
TlsAlloc
TlsSetValue
TlsGetValue
DuplicateHandle
SetThreadIdealProcessor
CreateMutexA
TryEnterCriticalSection
ReleaseMutex
InterlockedExchangeAdd
InterlockedCompareExchange
CreateSemaphoreA
InterlockedDecrement
ReleaseSemaphore
InterlockedExchange
TlsFree
RaiseException
QueueUserAPC
CreateThread
HeapAlloc
GetProcessHeap
SetThreadExecutionState
GetSystemTimeAsFileTime
InitializeCriticalSectionAndSpinCount
VirtualFree
VirtualAlloc
GlobalUnlock
GlobalLock
GlobalSize
GetVersion
GetModuleHandleW
SetEnvironmentVariableW
SetEnvironmentVariableA
LoadLibraryW
GetEnvironmentVariableW
GetACP
GetTimeZoneInformation
GetEnvironmentVariableA
GetDiskFreeSpaceExA
GetVolumeInformationA
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeW
SetProcessAffinityMask
GetProcessAffinityMask
CreateProcessW
DeviceIoControl
LockResource
LoadResource
SizeofResource
FindResourceA
FindResourceW
GetExitCodeProcess
CreateMutexW
GetFileAttributesExW
DebugBreak
GetWriteWatch
InterlockedIncrement
WaitForSingleObjectEx
GetFileType
GetVersionExW
GetCurrentDirectoryW
SetCurrentDirectoryW
GetFileSize
SetFileTime
GetStdHandle
CreatePipe
LockFile
UnlockFile
ResetEvent
OutputDebugStringW
CreateEventW
MapViewOfFile
CreateFileMappingA
UnmapViewOfFile
OpenMutexW
CreateSemaphoreW
OpenSemaphoreW
OpenEventW
OpenThread
ExitThread
GetComputerNameW
GetGeoInfoA
GetUserGeoID
GetUserDefaultLangID
GetLogicalDrives
CreateFileW
FindClose
RemoveDirectoryW
CreateDirectoryW
FindNextFileW
FindFirstFileW
WideCharToMultiByte
MoveFileW
MultiByteToWideChar
DeleteFileW
SetEndOfFile
SetFilePointer
GetLastError
GetCurrentDirectoryA
GetFileSizeEx
SetFilePointerEx
WriteFile
ReadFile
CloseHandle
CreateFileA
GetCurrentProcess
GetPriorityClass
GetCurrentThread
GetThreadPriority
SetPriorityClass
SetThreadPriority
QueryPerformanceCounter
HeapFree
QueryPerformanceFrequency
GetStartupInfoW
GetLogicalDriveStringsA

user32

LoadIconA
GetTopWindow
SetForegroundWindow
DialogBoxParamA
EndDialog
SetDlgItemTextW
LoadStringW
GetDesktopWindow
CreateIconIndirect
CreateIconFromResource
UnregisterDeviceNotification
RegisterDeviceNotificationA
WaitForInputIdle
MessageBoxW
GetMonitorInfoA
MapWindowPoints
ClipCursor
GetDoubleClickTime
wsprintfA
RegisterClassA
CreateWindowExA
SetClipboardViewer
SendMessageA
IsClipboardFormatAvailable
GetClipboardData
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
ChangeClipboardChain
GetWindowThreadProcessId
GetCursorPos
GetKeyboardState
DefWindowProcA
PeekMessageA
SetWindowTextW
GetKeyboardLayout
LoadCursorA
RegisterClassExW
CreateWindowExW
SetWindowLongW
SetTimer
DefWindowProcW
SetCursor
SetCursorPos
SetWindowLongA
SetWindowPos
GetSystemMetrics
IntersectRect
ReleaseCapture
SetCapture
ScreenToClient
GetMenu
AdjustWindowRectEx
MoveWindow
BeginPaint
EndPaint
EnumDisplayMonitors
PeekMessageW
TranslateMessage
DispatchMessageW
ClientToScreen
KillTimer
DestroyWindow
UnregisterClassA
GetKeyState
GetAsyncKeyState
PostMessageA
ShowCursor
GetWindowLongA
GetWindowRect
PostQuitMessage
SystemParametersInfoA
MonitorFromWindow
IsZoomed
IsIconic
GetForegroundWindow
ShowWindow
IsWindowVisible
SetActiveWindow
GetActiveWindow
GetAncestor
GetDC
GetClientRect
FillRect
ReleaseDC
UpdateWindow
ValidateRect
InvalidateRect

gdi32

DeleteDC
CreateICA
CreateDCA
CreateBitmap
CreateDIBSection
GetDeviceCaps
DeleteObject
CreateSolidBrush

advapi32

GetEffectiveRightsFromAclW
RegCreateKeyExA
SetEntriesInAclW
SetNamedSecurityInfoW
GetNamedSecurityInfoW
FreeSid
CryptGetHashParam
CryptDecrypt
CryptCreateHash
CryptHashData
CryptDeriveKey
CryptEncrypt
CryptDestroyKey
CryptDestroyHash
CryptReleaseContext
CryptAcquireContextA
RegQueryInfoKeyA
RegEnumKeyExA
RegCreateKeyA
RegSetValueExW
RegQueryValueExW
BuildTrusteeWithSidW
GetLengthSid
CopySid
AllocateAndInitializeSid
RevertToSelf
ImpersonateLoggedOnUser
DuplicateToken
GetTokenInformation
OpenThreadToken
OpenProcessToken
LookupAccountSidW
CryptGenRandom
CryptImportKey
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
GetUserNameA
RegSetValueExA
GetUserNameW
CryptVerifySignatureA

shell32

ShellExecuteExA
ShellExecuteExW
SHGetFolderPathW
ShellExecuteW

ole32

CoTaskMemRealloc
CoTaskMemAlloc
CoCreateGuid
CoTaskMemFree
CoCreateInstance
CoInitialize
IIDFromString
StringFromGUID2
CoUninitialize

oleaut32

SysStringLen
SysAllocStringLen
SysFreeString
VariantInit
VariantClear

msvcp80

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
?length@?$char_traits@D@std@@SAIPBD@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
?eof@?$char_traits@D@std@@SAHXZ
?eq_int_type@?$char_traits@D@std@@SA_NABH0@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHPBDH@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
?uncaught_exception@std@@YA_NXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
?_Unlock@_Mutex@std@@QAEXXZ
?_Lock@_Mutex@std@@QAEXXZ
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z

msvcr80

_CIsin
_HUGE
modf
_get_osfhandle
_environ
strcmp
remove
_snprintf_s
strerror
abort
vprintf
_CIsqrt
_fstat64i32
bsearch
_atoi64
mbtowc
wctomb
___mb_cur_max_func
_setmode
_read
_write
_vswprintf_c_l
_controlfp_s
wcsncmp
_controlfp
_difftime64
towupper
_control87
srand
wcsrchr
wcscat_s
wcscpy_s
_wcsnicmp
rand
_atoflt
wcsstr
_set_purecall_handler
_set_invalid_parameter_handler
_set_abort_behavior
signal
_wtol
isupper
_CIfmod
swscanf
iswspace
isxdigit
_fcvt
_isnan
_finite
_strtoui64
wcstod
fputs
setvbuf
clearerr
_wfopen
_wrename
wcstombs
_wunlink
strcoll
frexp
ispunct
iscntrl
tmpnam
clock
_pclose
_CIcos
_vsnprintf_s
asctime
_unlock
__dllonexit
_encode_pointer
_lock
_onexit
_decode_pointer
_time32
_amsg_exit
__wgetmainargs
_cexit
_exit
_XcptFilter
_wcmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler4_common
?terminate@@YAXXZ
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_invoke_watson
_mktemp
_crt_debugger_hook
_ecvt
_close
_open
_getcwd
_fileno
_lseek
_wsearchenv
_wspawnv
_getdrive
_wgetdcwd
strtok
printf
_wgetcwd
_stat64i32
_wstat64i32
_wutime64
_beginthreadex
_mktime64
puts
strftime
_except_handler3
_localtime64
_snprintf
_time64
strncat
islower
realloc
_vsnprintf
_CItan
_CIsinh
_CIcosh
_CItanh
_CIatan
_CIatan2
_CIexp
_CIlog
_CIlog10
strpbrk
fgets
_wctime64_s
ldexp
_wassert
fscanf
mbstowcs
feof
ungetc
getc
_popen
_ctime64
memcpy
_purecall
strchr
strrchr
memset
strncpy
sprintf
strstr
_aligned_malloc
_aligned_free
qsort
isspace
memmove
_stricmp
isalpha
_strnicmp
atol
isalnum
_CIacos
_CIasin
ceil
floor
_CIpow
isdigit
strtoul
__CxxFrameHandler3
tolower
strcspn
memchr
iswalpha
_ltoa
wcsncpy
strncmp
_setjmp3
exit
malloc
free
fread
fseek
fwrite
fclose
tmpfile
sscanf
getenv
longjmp
ferror
_errno
vsprintf
fflush
ftell
fprintf
fopen
__iob_func
_gmtime64
calloc
_setmbcp
setlocale
strtod
strtol
atoi
atof
isprint
toupper
wcspbrk
wcstoul
_wcsicmp
wcstol
_wcslwr
towlower
iswxdigit
iswdigit
wcschr

imm32

ImmGetCompositionStringW
ImmSetCompositionStringW
ImmNotifyIME
ImmSetOpenStatus
ImmGetContext
ImmGetOpenStatus
ImmReleaseContext
ImmGetCandidateListW

usp10

ScriptItemize
ScriptBreak

dbghelp

SymLoadModule64
SymCleanup
UnDecorateSymbolName
SymInitialize
SymSetOptions
SymGetLineFromAddr64
SymGetSymFromAddr64

psapi

GetModuleInformation

version

GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoSizeA

netapi32

Netbios

ws2_32

getprotobyname
WSASocketW
WSACreateEvent
WSACloseEvent
WSAWaitForMultipleEvents
WSAGetOverlappedResult
WSAGetLastError
WSASetEvent
WSAResetEvent
WSARecvFrom
inet_addr
inet_ntoa
gethostbyname
gethostname
closesocket
WSAIoctl
WSASocketA
WSAStartup
WSACleanup
ntohs
socket
bind
shutdown
getpeername
ioctlsocket
select
__WSAFDIsSet
getsockopt
setsockopt
recvfrom
sendto
recv
send
listen
connect
accept
getsockname
htons
htonl
ntohl
gethostbyaddr
WSARecv

setupapi

SetupDiGetClassDevsA
SetupDiDestroyDeviceInfoList
SetupDiGetDeviceInterfaceDetailA
SetupDiEnumDeviceInterfaces

dsound

ord1
ord9

winmm

timeBeginPeriod
timeEndPeriod
timeGetTime

Exports

Exports

SecuROM

Sections

.text
Size: 11.6MB - Virtual size: 11.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.7MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 424KB - Virtual size: 952KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 4KB - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 144KB - Virtual size: 141KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

bea1e4b461aff8ed767fca5181ebc489

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

0c:61:8e:5c:55:72:5b:09:15:8b:62:14:9c:42:5b:a5Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

9b:7a:2c:39:d4:6f:33:01:19:bc:e8:93:07:97:32:fc:a8:10:d6:30Signer

Headers

File Characteristics

PDB Paths

Imports

d3d9

d3dx9_31

ddraw

iphlpapi

wininet

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

msvcp80

msvcr80

imm32

usp10

dbghelp

psapi

version

netapi32

ws2_32

setupapi

dsound

winmm

Exports

Exports

Sections

.text Size: 11.6MB - Virtual size: 11.6MB

.rdata Size: 1.7MB - Virtual size: 1.7MB

.data Size: 424KB - Virtual size: 952KB

.tls Size: 4KB - Virtual size: 9B

.rsrc Size: 144KB - Virtual size: 141KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

0c:61:8e:5c:55:72:5b:09:15:8b:62:14:9c:42:5b:a5
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

9b:7a:2c:39:d4:6f:33:01:19:bc:e8:93:07:97:32:fc:a8:10:d6:30
Signer

.text
Size: 11.6MB - Virtual size: 11.6MB

.rdata
Size: 1.7MB - Virtual size: 1.7MB

.data
Size: 424KB - Virtual size: 952KB

.tls
Size: 4KB - Virtual size: 9B

.rsrc
Size: 144KB - Virtual size: 141KB