0e79fb9c3bca00d8e27441e026f2d8b690d19a4000c6db570465f75010ff20fb

Sharing

Copy URL Twitter E-mail

General

Target

0e79fb9c3bca00d8e27441e026f2d8b690d19a4000c6db570465f75010ff20fb
Size

529KB
MD5

49bab2a4d42c1d679dfbd0bb4059b87b
SHA1

cf3fc4c134605b4cc0a0ff09bfd2743a60d5a40e
SHA256

0e79fb9c3bca00d8e27441e026f2d8b690d19a4000c6db570465f75010ff20fb
SHA512

d875a739efc61a3395cb5130002de2aa6a1d42892a124973b20fd5a4a8e7f7f3a555be48f7ee87db83516e0c513dfe42e29583a1c9fc718075e80fb09f9368bb
SSDEEP

12288:cykTR7VdQD397US7YA638hrFl5CLDqIvBu7jUICxm1:cf/dQDlYA6shZl5qDn5u4DI

Score

1^/10

Malware Config

Signatures

Files

0e79fb9c3bca00d8e27441e026f2d8b690d19a4000c6db570465f75010ff20fb
.dll windows:5 windows x86 arch:x86

46fc7687a62e4df87c36754b343a67bc

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

21/05/2009, 00:00

Not After

20/05/2019, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

30:7e:bb:09:21:bd:57:7d:f2:24:a5:7c:fd:c4:63:1d
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

20/07/2010, 00:00

Not After

12/08/2013, 23:59

Subject

CN=iAnywhere Solutions\, Inc.,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=SQL Anywhere Development,O=iAnywhere Solutions\, Inc.,L=Dublin,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

8b:04:bf:4a:0f:13:d5:fb:43:ba:f3:e6:dd:e2:2f:e7:9d:4a:66:19
Signer

Actual PE Digest

8b:04:bf:4a:0f:13:d5:fb:43:ba:f3:e6:dd:e2:2f:e7:9d:4a:66:19

Digest Algorithm

sha1

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

e:\obj\nt_ms_x86_p\msiscript.pdb

Imports

msi

ord73
ord144
ord160
ord159
ord31
ord49
ord103
ord124
ord17
ord117
ord8

advapi32

StartServiceA
GetKernelObjectSecurity
GetSecurityDescriptorDacl
GetLengthSid
InitializeAcl
AddAccessAllowedAce
AddAce
GetAce
EqualSid
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetKernelObjectSecurity
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
FreeSid
RegEnumKeyExA
RegQueryInfoKeyA
ChangeServiceConfigA
CloseEventLog
ReadEventLogA
GetOldestEventLogRecord
RevertToSelf
AccessCheck
MapGenericMask
OpenThreadToken
ImpersonateSelf
GetFileSecurityA
OpenSCManagerA
OpenServiceA
QueryServiceConfigA
CloseServiceHandle
QueryServiceStatus
QueryServiceConfig2A
AllocateAndInitializeSid
DeleteService
CreateServiceA
ChangeServiceConfig2A
ControlService
RegEnumKeyA
RegCreateKeyExA
RegSetValueExA
RegDeleteKeyA
RegDeleteValueA
LsaClose
LsaEnumerateAccountRights
LsaFreeMemory
LsaOpenPolicy
LsaAddAccountRights
LsaRemoveAccountRights
OpenEventLogA

kernel32

WriteConsoleW
LCMapStringA
LCMapStringW
GetWindowsDirectoryA
GetTempPathA
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
GetProcessHeap
CompareStringA
CompareStringW
SetEvent
GetConsoleOutputCP
WriteConsoleA
GetSystemDirectoryA
GetModuleFileNameA
GetProcAddress
GetModuleHandleA
GetExitCodeProcess
WaitForSingleObject
CreateProcessA
GetStdHandle
CloseHandle
IsDBCSLeadByte
GetSystemInfo
GetVersion
GetVersionExA
GetCurrentProcess
GetFullPathNameA
CreateFileA
LocalFree
GetCurrentThread
GetLastError
GetFileAttributesA
FlushFileBuffers
SetEndOfFile
SetFilePointer
GetTimeZoneInformation
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
LoadLibraryA
FreeLibrary
CreateDirectoryA
SetCurrentDirectoryA
LocalAlloc
MapViewOfFile
UnmapViewOfFile
WaitForMultipleObjects
CreateFileMappingA
SetLastError
CreateEventA
GetCurrentProcessId
GetCurrentDirectoryA
MultiByteToWideChar
GetACP
GetSystemDefaultLangID
IsBadReadPtr
VirtualQuery
WideCharToMultiByte
GetEnvironmentVariableA
Sleep
IsDebuggerPresent
DebugBreak
GetSystemTimeAsFileTime
GetTimeFormatA
GetDateFormatA
GetCurrentThreadId
GetCommandLineA
HeapFree
SetStdHandle
GetFileType
ReadFile
WriteFile
GetConsoleCP
GetConsoleMode
FileTimeToSystemTime
FileTimeToLocalFileTime
GetFileInformationByHandle
PeekNamedPipe
FindClose
GetDriveTypeA
FindFirstFileA
SetEnvironmentVariableA
RtlUnwind
HeapAlloc
HeapReAlloc
GetModuleHandleW
ExitProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
SetHandleCount
GetStartupInfoA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
InterlockedDecrement
GetCPInfo
GetOEMCP
IsValidCodePage
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapCreate
HeapDestroy
VirtualFree
QueryPerformanceCounter
GetTickCount
HeapSize
RaiseException
VirtualAlloc
InitializeCriticalSectionAndSpinCount

user32

CharUpperA
CharLowerA
MessageBoxA
GetForegroundWindow
IsCharAlphaA

shell32

SHGetFolderPathA
ShellExecuteExA
ord680

version

VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA

Exports

Exports

_CAD_HonourFlush@4
_CAD_SetupVSPackageInstall@4
_CAD_SetupVSPackageUninstall@4
_CAD_writeStrings@4
_CreateSCDir@4
_HonourFlush@4
_ModifyConfigFile@4
_SetupVSPackageInstall@4
_SetupVSPackageUninstall@4
_writeStrings@4

Sections

.text
Size: 171KB - Virtual size: 171KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 102KB - Virtual size: 114KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

46fc7687a62e4df87c36754b343a67bc

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5cCertificate

Extended Key Usages

Key Usages

30:7e:bb:09:21:bd:57:7d:f2:24:a5:7c:fd:c4:63:1dCertificate

Extended Key Usages

Key Usages

8b:04:bf:4a:0f:13:d5:fb:43:ba:f3:e6:dd:e2:2f:e7:9d:4a:66:19Signer

Headers

File Characteristics

PDB Paths

Imports

msi

advapi32

kernel32

user32

shell32

version

Exports

Exports

Sections

.text Size: 171KB - Virtual size: 171KB

.rdata Size: 38KB - Virtual size: 37KB

.data Size: 102KB - Virtual size: 114KB

.rsrc Size: 4KB - Virtual size: 4KB

.reloc Size: 17KB - Virtual size: 16KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

30:7e:bb:09:21:bd:57:7d:f2:24:a5:7c:fd:c4:63:1d
Certificate

8b:04:bf:4a:0f:13:d5:fb:43:ba:f3:e6:dd:e2:2f:e7:9d:4a:66:19
Signer

.text
Size: 171KB - Virtual size: 171KB

.rdata
Size: 38KB - Virtual size: 37KB

.data
Size: 102KB - Virtual size: 114KB

.rsrc
Size: 4KB - Virtual size: 4KB

.reloc
Size: 17KB - Virtual size: 16KB