2024-06-24_7aac7601ad3bab90828813163a4300c0_mafia_revil

Sharing

Copy URL

Twitter E-mail

General

Target

2024-06-24_7aac7601ad3bab90828813163a4300c0_mafia_revil
Size

2.9MB
MD5

7aac7601ad3bab90828813163a4300c0
SHA1

c6f4e30355c9d4fa1746b9bb8eb2d243ffeb0d30
SHA256

c0b0e165f3f3a0c12f6724558490f9dac3300c38dec09577e49ab7b720aa1116
SHA512

b5c28ae9213ffcb80cb260a32a9f3a301727bd0509880f9a947aa213f2a3138161177d42aebeb172d8e3b35e35d40a1f232dbff9aa76275de03cbe18b2e920d5
SSDEEP

49152:TIB3Ha4ZB0yaWJ4OmyY80a52MPXgdCjNloBA5pqb+sSst8xjuTUnfcEpSQph9aBA:TIB3Ha4ZB05WJ9w2PXll95peSst81vf9

Score

1^/10

Malware Config

Signatures

Files

2024-06-24_7aac7601ad3bab90828813163a4300c0_mafia_revil
.exe windows:5 windows x86 arch:x86

d1914929ef054d7b72ff503914a5ff98

Code Sign

01:ee:5f:16:9d:ff:97:35:2b:64:65:d6:6a
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

19/09/2018, 00:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

28/07/2020, 00:00

Not After

18/03/2029, 00:00

Subject

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

77:bd:0e:03:a1:b7:08:f8:54:ab:06:72:10:d9:04:47
Certificate

Issuer

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Not Before

28/07/2020, 00:00

Not After

28/07/2030, 00:00

Subject

CN=GlobalSign GCC R45 CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

44:85:59:e8:d5:9f:e0:56:29:9e:6e:8f
Certificate

Issuer

CN=GlobalSign GCC R45 CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Not Before

11/12/2023, 17:00

Not After

09/10/2026, 07:40

Subject

CN=ZOHO Corporation Private Limited,O=ZOHO Corporation Private Limited,L=Chennai,ST=Tamil Nadu,C=IN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:7c:6d:ad:f8:ce:d9:37:44:44:bc:0c:bc:3b:53:90:72:d7:dd:c7:b1:40:b4:3b:4a:24:30:c7:23:63:2f:8c
Signer

Actual PE Digest

01:7c:6d:ad:f8:ce:d9:37:44:44:bc:0c:bc:3b:53:90:72:d7:dd:c7:b1:40:b4:3b:4a:24:30:c7:23:63:2f:8c

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

d:\Webhost\02-04-2024\WindowsBuilds\DC_NATIVE\8086518\desktopcentral\ONPREMISE\SA_SRC\native\agent\Release\dcondemand.pdb

Imports

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
RegSetValueExW
RegSetValueExA
RegDeleteValueA
RegDeleteValueW
RegOpenKeyExW
RegQueryValueExW
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyA
CryptDestroyKey
CryptReleaseContext
CryptGenKey
CryptGetUserKey
CryptGetHashParam
CryptAcquireContextA
ControlService
CloseServiceHandle
RevertToSelf
CryptSetHashParam
CryptExportKey
CryptAcquireContextW
CryptSignHashW
CryptEnumProvidersW
CryptGetProvParam
CryptDecrypt
CryptGenRandom
ImpersonateLoggedOnUser
CryptDestroyHash
CryptHashData
CryptCreateHash
DeregisterEventSource
ReportEventA
RegisterEventSourceA
ReportEventW
RegisterEventSourceW
LookupAccountSidA
GetTokenInformation
CreateProcessAsUserW
OpenProcessToken
LookupPrivilegeNameA
LookupPrivilegeValueA
CreateProcessAsUserA
LogonUserA
QueryServiceStatus
OpenServiceW
OpenSCManagerW

wsock32

getservbyport
WSAGetLastError
send
gethostbyname
gethostbyaddr
closesocket
WSASetLastError
getservbyname
socket
WSACleanup
connect
ntohs
htons
htonl
ioctlsocket
WSAStartup
inet_addr

crypt32

CertVerifyTimeValidity
CertDeleteCertificateFromStore
PFXVerifyPassword
PFXImportCertStore
CertCreateCertificateContext
CryptStringToBinaryA
CertOpenStore
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertNameToStrW
CryptMsgGetParam
CertGetNameStringA
CertCloseStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptQueryObject
CertGetCertificateContextProperty
CertDuplicateCertificateContext

iphlpapi

NotifyAddrChange
GetAdaptersInfo

wtsapi32

WTSQuerySessionInformationA
WTSEnumerateSessionsA
WTSFreeMemory

netapi32

DsGetDcNameA
NetApiBufferFree
NetGetJoinInformation

winhttp

WinHttpReadData
WinHttpQueryDataAvailable
WinHttpSendRequest
WinHttpWriteData
WinHttpQueryOption
WinHttpQueryHeaders
WinHttpAddRequestHeaders
WinHttpSetStatusCallback
WinHttpOpenRequest
WinHttpConnect
WinHttpOpen
WinHttpSetOption
WinHttpReceiveResponse
WinHttpCloseHandle
WinHttpSetCredentials

dcagenthttp

AgentSendRequestEx

userenv

DestroyEnvironmentBlock
LoadUserProfileA
CreateEnvironmentBlock
UnloadUserProfile

dclibxml2

xmlTextReaderAttributeCount
xmlTextReaderDepth
xmlParseMemory
xmlDocGetRootElement
xmlTextReaderRead
xmlTextReaderGetAttribute
xmlTextReaderName
xmlFreeTextReader
xmlTextReaderValue
xmlFreeDoc
xmlFree
xmlNodeListGetString
xmlNewTextReaderFilename
xmlStrcmp
xmlParseFile
xmlCleanupParser

ws2_32

WSACloseEvent
WSAResetEvent
WSAWaitForMultipleEvents
WSAGetOverlappedResult
WSASend
WSARecv
recv
WSACreateEvent

wsclientsocket

?setProxyHostName@SocketAdapter@ClientSocket@SocketUtils@@UAEXV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?setProxyDetails@SocketAdapter@ClientSocket@SocketUtils@@UAEXAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@H00@Z
?setProxyPort@SocketAdapter@ClientSocket@SocketUtils@@UAEXH@Z
?setProxyUserName@SocketAdapter@ClientSocket@SocketUtils@@UAEXV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?setProxyPassword@SocketAdapter@ClientSocket@SocketUtils@@UAEXV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?setCustomheaders@SocketAdapter@ClientSocket@SocketUtils@@UAEXV?$map@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@V?$allocator@U?$pair@$$CBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@@std@@@2@@std@@@Z
??1SocketAdapter@ClientSocket@SocketUtils@@UAE@XZ
??1AsyncSocket@ClientSocket@SocketUtils@@UAE@XZ
?setServerHostName@SocketAdapter@ClientSocket@SocketUtils@@UAEXV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?setServerPort@SocketAdapter@ClientSocket@SocketUtils@@UAEXH@Z
?setConnectionMode@SocketAdapter@ClientSocket@SocketUtils@@UAEX_N@Z
?setConnectionDetails@SocketAdapter@ClientSocket@SocketUtils@@UAEXV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@H_N0H00@Z
?setProxySwitch@SocketAdapter@ClientSocket@SocketUtils@@UAEX_N@Z

kernel32

InterlockedExchange
EncodePointer
GetStringTypeW
MoveFileExA
DecodePointer
InitializeCriticalSection
GetLocaleInfoW
RaiseException
HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetProcessHeap
LocalLock
GetCommandLineA
HeapSetInformation
RtlUnwind
GetFileInformationByHandle
PeekNamedPipe
GetDriveTypeA
FindFirstFileExA
ExitThread
GetCPInfo
CompareStringW
LCMapStringW
UnhandledExceptionFilter
IsDebuggerPresent
ExitProcess
GetACP
GetOEMCP
IsValidCodePage
HeapCreate
LocalUnlock
GetModuleFileNameW
IsProcessorFeaturePresent
CreateFileA
GetFileSize
FindResourceExW
FindResourceW
SetHandleCount
SystemTimeToTzSpecificLocalTime
SystemTimeToFileTime
WriteFile
WideCharToMultiByte
SizeofResource
ReadFile
GetTimeZoneInformation
GetEnvironmentVariableA
MultiByteToWideChar
FindFirstFileA
GetLastError
FindClose
LockResource
GetModuleFileNameA
GetVersionExA
CloseHandle
GetSystemTime
DeleteFileA
InterlockedIncrement
InterlockedDecrement
SetUnhandledExceptionFilter
GetCurrentProcess
SetEvent
SetConsoleMode
GetProcAddress
LoadLibraryA
SetConsoleCtrlHandler
SetProcessShutdownParameters
WaitForSingleObject
CreateEventA
CreateThread
GetEnvironmentVariableW
FreeLibrary
TerminateThread
GetSystemDirectoryA
CopyFileA
GetExitCodeThread
GetCurrentThreadId
Sleep
GetLocalTime
FindNextFileA
DeleteTimerQueue
CreateTimerQueue
ReleaseMutex
GetFileSizeEx
CreateTimerQueueTimer
CreateDirectoryA
GetModuleHandleA
Process32Next
TerminateProcess
GetExitCodeProcess
OpenProcess
Process32First
CreateToolhelp32Snapshot
GetTickCount
SetDllDirectoryA
CreateMutexA
FileTimeToSystemTime
GetLocaleInfoA
CreateProcessA
SetCurrentDirectoryA
GetCurrentDirectoryA
GetSystemInfo
FindNextFileW
FindFirstFileW
GetComputerNameExW
LocalFree
FormatMessageA
FormatMessageW
GlobalFree
GlobalAlloc
GetCurrentProcessId
GetFileAttributesExA
GetFullPathNameA
lstrlenW
lstrlenA
DeleteFileW
FlushFileBuffers
CreateDirectoryW
CopyFileW
CreateFileW
LoadLibraryW
ProcessIdToSessionId
SetCurrentDirectoryW
SetFilePointer
QueryPerformanceCounter
SuspendThread
ResumeThread
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
lstrcmpW
SetLastError
GetCurrentDirectoryW
FileTimeToLocalFileTime
LocalAlloc
GetVersion
GetModuleHandleExW
TlsGetValue
InterlockedCompareExchange
TlsSetValue
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
InterlockedExchangeAdd
DeleteCriticalSection
TlsAlloc
TlsFree
CreateFiber
SwitchToFiber
DeleteFiber
GetModuleHandleW
GetStdHandle
GetFileType
GetSystemTimeAsFileTime
ConvertThreadToFiber
ConvertFiberToThread
ReadConsoleA
ReadConsoleW
GetConsoleMode
GetStartupInfoW
SetStdHandle
GetConsoleCP
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
WriteConsoleW
SetEndOfFile
GetDriveTypeW
VirtualQuery
SetEnvironmentVariableA
LoadResource

user32

wsprintfW
GetUserObjectInformationW
MessageBoxW
GetProcessWindowStation
MessageBoxA

shell32

SHCreateDirectoryExW
SHCreateDirectoryExA

odbc32

ord49
ord48
ord72
ord26
ord13
ord4
ord8
ord18
ord11
ord43
ord39
ord29
ord36
ord9
ord41
ord31
ord2
ord20
ord16
ord12
ord19
ord3
ord1

shlwapi

StrTrimA
PathFindExtensionA
StrStrIA

ole32

CoInitializeEx
CoUninitialize
CoSetProxyBlanket
CoCreateInstance

oleaut32

VariantInit
SafeArrayGetLBound
SafeArrayGetUBound
SysAllocStringByteLen
SysFreeString
SysStringLen
SysAllocString
VariantClear
SafeArrayAccessData

Exports

Exports

??0AsyncSocket@ClientSocket@SocketUtils@@QAE@ABV012@@Z
??0SocketAdapter@ClientSocket@SocketUtils@@QAE@ABV012@@Z
??4AsyncSocket@ClientSocket@SocketUtils@@QAEAAV012@ABV012@@Z
??4SocketAdapter@ClientSocket@SocketUtils@@QAEAAV012@ABV012@@Z
??_7AsyncSocket@ClientSocket@SocketUtils@@6B@
??_7SocketAdapter@ClientSocket@SocketUtils@@6B@

Sections

.text
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 576KB - Virtual size: 575KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 67KB - Virtual size: 89KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 139KB - Virtual size: 138KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d1914929ef054d7b72ff503914a5ff98

Code Sign

01:ee:5f:16:9d:ff:97:35:2b:64:65:d6:6aCertificate

Key Usages

78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54Certificate

Extended Key Usages

Key Usages

77:bd:0e:03:a1:b7:08:f8:54:ab:06:72:10:d9:04:47Certificate

Extended Key Usages

Key Usages

44:85:59:e8:d5:9f:e0:56:29:9e:6e:8fCertificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

01:7c:6d:ad:f8:ce:d9:37:44:44:bc:0c:bc:3b:53:90:72:d7:dd:c7:b1:40:b4:3b:4a:24:30:c7:23:63:2f:8cSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

wsock32

crypt32

iphlpapi

wtsapi32

netapi32

winhttp

dcagenthttp

userenv

dclibxml2

ws2_32

wsclientsocket

kernel32

user32

shell32

odbc32

shlwapi

ole32

oleaut32

Exports

Exports

Sections

.text Size: 2.1MB - Virtual size: 2.1MB

.rdata Size: 576KB - Virtual size: 575KB

.data Size: 67KB - Virtual size: 89KB

.rsrc Size: 512B - Virtual size: 504B

.reloc Size: 139KB - Virtual size: 138KB

01:ee:5f:16:9d:ff:97:35:2b:64:65:d6:6a
Certificate

78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54
Certificate

77:bd:0e:03:a1:b7:08:f8:54:ab:06:72:10:d9:04:47
Certificate

44:85:59:e8:d5:9f:e0:56:29:9e:6e:8f
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

01:7c:6d:ad:f8:ce:d9:37:44:44:bc:0c:bc:3b:53:90:72:d7:dd:c7:b1:40:b4:3b:4a:24:30:c7:23:63:2f:8c
Signer

.text
Size: 2.1MB - Virtual size: 2.1MB

.rdata
Size: 576KB - Virtual size: 575KB

.data
Size: 67KB - Virtual size: 89KB

.rsrc
Size: 512B - Virtual size: 504B

.reloc
Size: 139KB - Virtual size: 138KB