injector_[unknowncheats[.]me]_[.]rar

Sharing

Copy URL Twitter E-mail

General

Target

injector_[unknowncheats.me]_.rar
Size

213KB
MD5

917c1fadbd50cebd34ef215f578fa58d
SHA1

97d0ab5300b26123ee21da39b42f6314f494b218
SHA256

9b2b5d69615d2ea1f7445456bfff78f119352e6bb834ad2ec5a4337698e3a9e9
SHA512

5e6941906f02db324e66ae31f1e8dfbe245924095a36a1a8a00cfff6063906f78fa778ff64a7b417fa5a52a054f3866d08a4b22a113cdce0da9ce6cffb1b74f0
SSDEEP

3072:aYHIMdRRCc5E+oJr1l3H7KzVJ48OncNQ/TTohsQtlQl8DsveDlxVcYMTBObGUP2v:a5MQcyRR7iVW80TT2NN68lxVcPI2vys5

Score

10^/10

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
static1/unpack001/syn_shluxy/winlister.exe	Nirsoft

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/syn_shluxy/DRW.sys
unpack001/syn_shluxy/kdmapper.exe
unpack001/syn_shluxy/loliInjector.exe

Files

injector_[unknowncheats.me]_.rar
.rar
syn_shluxy/DRW.sys
.sys windows:10 windows x64 arch:x64

54ce115727c14a5e3c109853ced2d821

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

DbgPrint
IoGetCurrentProcess
IoIs32bitProcess
PsAcquireProcessExitSynchronization
RtlGetVersion
MmUnmapIoSpace
MmMapIoSpaceEx
MmCopyMemory

Sections

.text
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 652B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 512B - Virtual size: 454B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
syn_shluxy/kdmapper.exe
.exe windows:6 windows x64 arch:x64

7d226c181fe162a6e2c645f58ba8faf8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Admin\Desktop\kdmapper\x64\Release\kdmapper.pdb

Imports

kernel32

GetCurrentThreadId
GetModuleHandleA
GetLastError
CloseHandle
CreateFileW
GetProcAddress
DeleteCriticalSection
GetCurrentProcessId
SetUnhandledExceptionFilter
GetTempPathW
OutputDebugStringW
InitializeSListHead
GetSystemTimeAsFileTime
InitializeCriticalSectionEx
VirtualAlloc
DeviceIoControl
VirtualFree
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
GetModuleHandleW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
IsDebuggerPresent

advapi32

RegCloseKey
RegDeleteKeyW
RegCreateKeyW
RegOpenKeyW
RegSetKeyValueW

msvcp140

??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?widen@?$ctype@_W@std@@QEBA_WD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$ctype@_W@std@@2V0locale@2@A
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z

shlwapi

StrStrA

ntdll

RtlInitUnicodeString
NtQuerySystemInformation

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__current_exception_context
__current_exception
memcpy
_CxxThrowException
__C_specific_handler
__std_exception_destroy
__std_exception_copy
__std_terminate
memset
memmove

api-ms-win-crt-stdio-l1-1-0

fputc
fgetc
fflush
fclose
__p__commode
_set_fmode
fgetpos
_get_stream_buffer_pointers
_fseeki64
fread
fsetpos
ungetc
setvbuf
fwrite

api-ms-win-crt-heap-l1-1-0

_set_new_mode
_callnewh
malloc
free

api-ms-win-crt-utility-l1-1-0

rand
srand

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_wremove
_lock_file

api-ms-win-crt-string-l1-1-0

_wcsicmp
_stricmp

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-runtime-l1-1-0

_cexit
_seh_filter_exe
_set_app_type
_crt_atexit
_configure_wide_argv
_initialize_wide_environment
_get_initial_wide_environment
_initterm
_initterm_e
exit
_exit
__p___argc
__p___wargv
_c_exit
_register_thread_local_exe_atexit_callback
_register_onexit_function
_initialize_onexit_table
terminate
_invalid_parameter_noinfo_noreturn

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 54KB - Virtual size: 53KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 62KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 188B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
syn_shluxy/loliInjector.exe
.exe windows:6 windows x64 arch:x64

4517ab1aee83568a8aca92a3242545b0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetCurrentProcessId
ReadFile
VirtualFree
GetCurrentProcess
VirtualAlloc
LoadLibraryExA
CreateFileW
Sleep
LoadLibraryA
CloseHandle
LoadLibraryW
GetProcAddress
GetFileSize
FreeLibrary
WriteConsoleW
HeapSize
GetProcessHeap
SetStdHandle
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
WideCharToMultiByte
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
EncodePointer
DecodePointer
MultiByteToWideChar
LCMapStringEx
GetStringTypeW
GetCPInfo
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwindEx
RtlPcToFileHeader
RaiseException
GetLastError
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
HeapAlloc
HeapFree
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetFileType
WaitForSingleObject
GetExitCodeProcess
CreateProcessW
GetFileAttributesExW
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
GetFileSizeEx
SetFilePointerEx
ReadConsoleW
HeapReAlloc
FindClose
RtlUnwind

user32

FindWindowA
UnhookWindowsHookEx
GetWindowThreadProcessId
PostThreadMessageA
SetWindowsHookExA

ntdll

RtlImageNtHeader
NtQuerySystemInformation

Sections

.text
Size: 183KB - Virtual size: 183KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 78KB - Virtual size: 78KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
syn_shluxy/winlister.exe
.exe windows:4 windows x64 arch:x64

2b292941503159f46536548642e259e0

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

Issuer

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE

Not Before

07/06/2005, 08:09

Not After

30/05/2020, 10:48

Subject

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bb
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

24/08/2011, 00:00

Not After

30/05/2020, 10:48

Subject

CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8
Certificate

Issuer

CN=COMODO Code Signing CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

12/09/2014, 00:00

Not After

12/09/2019, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

30/03/2016, 00:00

Not After

30/06/2019, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=52583,STREET=5 Hashoshanim st.,L=Ramat Gan,ST=Gush Dan,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-256 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

7f:46:d8:f3:17:2b:84:0d:d0:d4:74:c8:78:e2:70:f9:12:57:81:b2:08:47:52:e9:56:ea:46:ca:ec:78:8c:ba
Signer

Actual PE Digest

7f:46:d8:f3:17:2b:84:0d:d0:d4:74:c8:78:e2:70:f9:12:57:81:b2:08:47:52:e9:56:ea:46:ca:ec:78:8c:ba

Digest Algorithm

sha256

PE Digest Matches

true

7b:bf:2e:42:07:38:0b:f6:60:75:a1:48:e8:ba:c0:a7:56:d5:57:b7
Signer

Actual PE Digest

7b:bf:2e:42:07:38:0b:f6:60:75:a1:48:e8:ba:c0:a7:56:d5:57:b7

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

c:\Projects\VS2005\WinLister\x64\Release\WinLister.pdb

Imports

msvcrt

_c_exit
_exit
_cexit
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_commode
_fmode
__set_app_type
strrchr
_XcptFilter
_itoa
_strcmpi
strcmp
_snprintf
free
_memicmp
modf
_mbsicmp
__C_specific_handler
_onexit
__dllonexit
_mbschr
memcmp
strtoul
malloc
??2@YAPEAX_K@Z
??3@YAXPEAX@Z
strlen
memcpy
strcpy
memset
strncat
sprintf
strcat

comctl32

CreateToolbarEx
ImageList_ReplaceIcon
ImageList_AddMasked
ImageList_Create
ImageList_SetImageCount
ord6
ord17

version

GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoSizeA

kernel32

GetStartupInfoA
WritePrivateProfileStringA
GetPrivateProfileIntA
GetPrivateProfileStringA
Process32Next
Process32First
CreateToolhelp32Snapshot
GetCurrentProcessId
DeleteFileA
WriteFile
GetFileSize
ReadFile
GetVersionExA
GetModuleFileNameA
TerminateProcess
CloseHandle
GetWindowsDirectoryA
OpenProcess
GetProcAddress
LoadLibraryA
FreeLibrary
GetTempPathA
GlobalLock
GetTempFileNameA
LocalFree
GlobalAlloc
GetModuleHandleA
lstrcpyA
lstrlenA
WideCharToMultiByte
LoadLibraryExA
GlobalUnlock
FormatMessageA
GetLastError
CreateFileA

user32

GetSubMenu
TranslateAcceleratorA
UpdateWindow
KillTimer
LoadAcceleratorsA
GetWindowPlacement
GetMessageA
GetWindowTextA
SetMenu
GetWindowThreadProcessId
LoadMenuA
RegisterClassA
SetTimer
DispatchMessageA
DeferWindowPos
PostQuitMessage
TrackPopupMenu
BeginDeferWindowPos
EnumWindows
SetCursor
EndDialog
GetDlgItem
SetDlgItemTextA
DialogBoxParamA
SendMessageA
LoadCursorA
GetSysColorBrush
SetWindowTextA
ChildWindowFromPoint
GetWindowLongA
SetForegroundWindow
MessageBoxA
IsWindowVisible
PostMessageA
ShowWindow
SetWindowPos
GetClassLongA
SendMessageTimeoutA
LoadIconA
SetDlgItemInt
SendDlgItemMessageA
SetFocus
GetDlgItemInt
InvalidateRect
GetMenu
EmptyClipboard
EnableMenuItem
ReleaseDC
GetDC
SetClipboardData
EnableWindow
GetMenuStringA
LoadImageA
GetCursorPos
GetWindowRect
MoveWindow
ScreenToClient
GetSysColor
DefWindowProcA
GetSystemMetrics
GetClientRect
GetClassNameA
CheckMenuItem
CloseClipboard
OpenClipboard
EndDeferWindowPos
DestroyWindow
DestroyIcon
TranslateMessage
CreateWindowExA

gdi32

SetBkColor
GetDeviceCaps
CreateFontIndirectA
SetBkMode
DeleteObject
SetTextColor

comdlg32

GetSaveFileNameA

advapi32

RegDeleteKeyA

shell32

ShellExecuteExA
ExtractIconExA
ShellExecuteA

Sections

.text
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

54ce115727c14a5e3c109853ced2d821

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

Sections

.text Size: 6KB - Virtual size: 6KB

.rdata Size: 1024B - Virtual size: 652B

.data Size: - Virtual size: 1KB

INIT Size: 512B - Virtual size: 454B

7d226c181fe162a6e2c645f58ba8faf8

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

advapi32

msvcp140

shlwapi

ntdll

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 54KB - Virtual size: 53KB

.rdata Size: 62KB - Virtual size: 62KB

.data Size: 1024B - Virtual size: 3KB

.pdata Size: 3KB - Virtual size: 2KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 512B - Virtual size: 188B

4517ab1aee83568a8aca92a3242545b0

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

ntdll

Sections

.text Size: 183KB - Virtual size: 183KB

.rdata Size: 78KB - Virtual size: 78KB

.data Size: 5KB - Virtual size: 11KB

.pdata Size: 9KB - Virtual size: 9KB

_RDATA Size: 512B - Virtual size: 244B

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 2KB - Virtual size: 2KB

2b292941503159f46536548642e259e0

Code Sign

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4bCertificate

Key Usages

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0bCertificate

Extended Key Usages

Key Usages

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bbCertificate

Extended Key Usages

Key Usages

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8Certificate

Extended Key Usages

Key Usages

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17Certificate

Extended Key Usages

Key Usages

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:afCertificate

Extended Key Usages

Key Usages

.text
Size: 6KB - Virtual size: 6KB

.rdata
Size: 1024B - Virtual size: 652B

.data
Size: - Virtual size: 1KB

INIT
Size: 512B - Virtual size: 454B

.text
Size: 54KB - Virtual size: 53KB

.rdata
Size: 62KB - Virtual size: 62KB

.data
Size: 1024B - Virtual size: 3KB

.pdata
Size: 3KB - Virtual size: 2KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 512B - Virtual size: 188B

.text
Size: 183KB - Virtual size: 183KB

.rdata
Size: 78KB - Virtual size: 78KB

.data
Size: 5KB - Virtual size: 11KB

.pdata
Size: 9KB - Virtual size: 9KB

_RDATA
Size: 512B - Virtual size: 244B

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 2KB - Virtual size: 2KB

42:1a:f2:94:09:84:19:1f:52:0a:4b:c6:24:26:a7:4b
Certificate

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

10:70:9d:4f:f5:54:08:d7:30:60:01:d8:ea:91:75:bb
Certificate

1a:f0:66:0e:83:7a:35:a2:cd:92:ec:61:3f:c1:5d:b8
Certificate

bd:1b:1e:45:0b:bd:d5:df:88:67:8e:7d:da:22:3d:17
Certificate

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

4e:b0:87:8f:cc:24:35:36:b2:d8:c9:f7:bf:39:55:77
Certificate

7f:46:d8:f3:17:2b:84:0d:d0:d4:74:c8:78:e2:70:f9:12:57:81:b2:08:47:52:e9:56:ea:46:ca:ec:78:8c:ba
Signer

7b:bf:2e:42:07:38:0b:f6:60:75:a1:48:e8:ba:c0:a7:56:d5:57:b7
Signer

.text
Size: 28KB - Virtual size: 27KB

.rdata
Size: 10KB - Virtual size: 10KB

.data
Size: 1024B - Virtual size: 3KB

.pdata
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 9KB - Virtual size: 9KB