krampus[.]zip | Triage

Resubmissions

28/06/2024, 06:47

240628-hj7k5syfnj 8

28/06/2024, 06:11

240628-gxm8zsxeqj 8

28/06/2024, 06:07

240628-gvpn2avdjc 8

Sharing

Copy URL

Twitter E-mail

General

Target

krampus.zip
Size

7.8MB
MD5

83cdbe3b8a2b3482721be972ad3dd6a3
SHA1

1165e2704372c2e99f9d3e59c74511fe537ce077
SHA256

872e7634327043f9a37d890b226a35c2c415353a9c68b60ca7e1049a4d0020e4
SHA512

bf0a6209d4d5dd28d14d4de1994665637095f82fed964ab2423caad6f4ed9e47e5a83fab74a96b4ff532746cb4a4d95097bfd7f8b664580f5430502bb97a02da
SSDEEP

196608:sg2yaHCl833qpPEBA8LHc9zh+j4+/B9vUBPTeruLww:H21QeXw9zck+Z9vUBiKl

Score

3^/10

Malware Config

Signatures

Unsigned PE 8 IoCs

Checks for missing Authenticode signature.

resource
unpack001/krampus/krampus/KBDCZ1.DLL
unpack001/krampus/krampus/KBDDA.DLL
unpack001/krampus/krampus/KBDGAE.DLL
unpack001/krampus/krampus/KBDSL1.DLL
unpack001/krampus/krampus/KBDUGHR.DLL
unpack001/krampus/krampus/d2win.dll
unpack001/krampus/krampus/d32-fw.dll
unpack001/krampus/krampus/d3d10.dll

Files

krampus.zip
.zip
krampus/krampus/DismApi.dll
.dll windows:10 windows x64 arch:x64

58feba6d9611e712e7c23373d33a6225

Code Sign

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/03/2020, 18:30

Not After

03/03/2021, 18:30

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

87:51:d1:99:fc:26:4d:bd:d3:0c:a6:d7:bf:bb:60:3a:6b:1b:5f:53:5c:eb:79:f8:5a:f6:e5:cc:74:d5:c6:27
Signer

Actual PE Digest

87:51:d1:99:fc:26:4d:bd:d3:0c:a6:d7:bf:bb:60:3a:6b:1b:5f:53:5c:eb:79:f8:5a:f6:e5:cc:74:d5:c6:27

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

DismApi.pdb

Imports

msvcrt

feof
fgetws
_wfopen
wcstok_s
fclose
iswctype
toupper
strrchr
??0exception@@QEAA@XZ
_wcslwr_s
towlower
wcsstr
wcsrchr
_vsnwprintf
_wcsnicmp
memset
realloc
_errno
_onexit
__dllonexit
_unlock
_lock
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
_CxxThrowException
_callnewh
??0exception@@QEAA@AEBQEBDH@Z
wcscpy_s
_vscprintf
vsprintf_s
calloc
_vsnprintf
?what@exception@@UEBAPEBDXZ
??0exception@@QEAA@AEBV0@@Z
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBQEBD@Z
iswspace
swscanf_s
_wtoi
wcschr
memmove
memcpy
memcmp
_wcstoui64
wcstoul
_purecall
_wcsicmp
iswalpha
malloc
free
vswprintf_s
_vscwprintf
memmove_s
memcpy_s
__C_specific_handler
__CxxFrameHandler3
wcscmp

advapi32

GetTokenInformation
RegCreateKeyExW
RegSetValueExW
AddAccessAllowedAce
OpenThreadToken
EqualSid
EventUnregister
EventProviderEnabled
EventRegister
EventWriteTransfer
CheckTokenMembership
FreeSid
OpenProcessToken
AllocateAndInitializeSid
RegDeleteKeyExW
InitializeAcl
SetSecurityDescriptorDacl
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
TraceEvent
UnregisterTraceGuids
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
GetLengthSid
InitializeSecurityDescriptor

kernel32

TlsFree
FormatMessageA
CreateFileMappingW
MapViewOfFile
VirtualQuery
GetModuleFileNameA
WriteFile
TlsGetValue
GetVersionExW
GetProcAddress
GetModuleHandleW
InitializeCriticalSection
DeleteCriticalSection
RaiseException
EnterCriticalSection
LeaveCriticalSection
GetCurrentThreadId
GetCurrentProcessId
SizeofResource
LockResource
LoadResource
FindResourceExW
GetSystemInfo
GetLastError
GetCommandLineW
GetFileAttributesW
IsWow64Process
GetCurrentProcess
LoadLibraryExW
FreeLibrary
OutputDebugStringW
WaitForMultipleObjectsEx
WaitForSingleObject
FormatMessageW
LocalFree
FileTimeToLocalFileTime
FileTimeToSystemTime
CompareStringW
HeapFree
GetProcessHeap
GetModuleFileNameW
CreateMutexW
OutputDebugStringA
GetModuleHandleExW
WideCharToMultiByte
HeapSize
HeapReAlloc
HeapAlloc
HeapDestroy
GetEnvironmentVariableW
MultiByteToWideChar
Sleep
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetTickCount
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
CreateMutexA
ReleaseMutex
GetVersion
CreateFileA
DeleteFileA
CreateFileMappingA
GetCurrentThread
FlushFileBuffers
CopyFileExW
DeleteFileW
SetFileInformationByHandle
GetFileInformationByHandle
SetFileAttributesW
FindClose
DeviceIoControl
FindNextFileW
FindFirstFileW
GetFileInformationByHandleEx
SetLastError
CloseHandle
CreateFileW
SetFilePointer
GetFullPathNameW
ReadFile
GetSystemWindowsDirectoryW
DebugBreak
LocalAlloc
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
GetWindowsDirectoryW
IsDebuggerPresent
ExitProcess
GetFileSize
GetLocalTime
TlsAlloc
UnmapViewOfFile
TlsSetValue
MoveFileExW
GetLocaleInfoEx
GetSystemTime
GetTimeFormatEx
SetErrorMode
CreateEventW
ResumeThread
DuplicateHandle
GetTempFileNameW
ResetEvent
CreateThread
SetEvent
CreateDirectoryW
GetFileSizeEx
SearchPathW
ExpandEnvironmentStringsW
GetThreadUILanguage

ole32

CoSetProxyBlanket
CoCreateInstance
StringFromGUID2
CoUninitialize
CoInitializeEx

user32

CharLowerBuffW

oleaut32

VariantTimeToSystemTime
SystemTimeToVariantTime
SysAllocStringLen
VarBstrCat
SysStringByteLen
SysAllocStringByteLen
SysAllocString
LoadTypeLi
LoadRegTypeLi
VariantClear
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayGetElemsize
SafeArrayGetDim
SafeArrayDestroy
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayCreate
GetErrorInfo
VarBstrCmp
SysStringLen
SysFreeString

ntdll

RtlRaiseStatus
NtOpenFile
NtYieldExecution
NtQueryInformationFile
RtlExpandEnvironmentStrings
NtClose
RtlReAllocateHeap
NtReadFile
RtlInitUnicodeString
NtWriteFile
RtlFreeHeap
RtlAllocateHeap
RtlDosPathNameToNtPathName_U_WithStatus
NtSetInformationFile
RtlNtStatusToDosError
RtlGetVersion
NtWaitForSingleObject

version

GetFileVersionInfoSizeExW
GetFileVersionInfoExW
VerQueryValueW

Exports

Exports

DismAddCapability
DismAddDriver
DismAddPackage
DismApplyUnattend
DismCheckImageHealth
DismCleanupMountpoints
DismCloseSession
DismCommitImage
DismDelete
DismDisableFeature
DismEnableFeature
DismGetCapabilities
DismGetCapabilityInfo
DismGetDriverInfo
DismGetDrivers
DismGetFeatureInfo
DismGetFeatureParent
DismGetFeatures
DismGetImageInfo
DismGetLastErrorMessage
DismGetMountedImageInfo
DismGetPackageInfo
DismGetPackageInfoEx
DismGetPackages
DismGetReservedStorageState
DismInitialize
DismMountImage
DismOpenSession
DismRemountImage
DismRemoveCapability
DismRemoveDriver
DismRemovePackage
DismRestoreImageHealth
DismSetReservedStorageState
DismShutdown
DismUnmountImage
_DismAddCapabilityEx
_DismAddDriverEx
_DismAddPackage2
_DismAddPackageFamilyToUninstallBlocklist
_DismAddProvisionedAppxPackage
_DismApplyCustomDataImage
_DismApplyFfuImage
_DismApplyProvisioningPackage
_DismCleanImage
_DismEnableDisableFeature
_DismExportDriver
_DismExportSource
_DismExportSourceEx
_DismGetCapabilitiesEx
_DismGetCapabilityInfoEx
_DismGetCurrentEdition
_DismGetDriversEx
_DismGetEffectiveSystemUILanguage
_DismGetFeaturesEx
_DismGetInstallLanguage
_DismGetKCacheBinaryValue
_DismGetKCacheDwordValue
_DismGetKCacheStringValue
_DismGetLastCBSSessionID
_DismGetNonRemovableAppsPolicy
_DismGetOSUninstallWindow
_DismGetOsInfo
_DismGetProductKeyInfo
_DismGetProvisionedAppxPackages
_DismGetProvisioningPackageInfo
_DismGetRegistryMountPoint
_DismGetStateFromCBSSessionID
_DismGetTargetCompositionEditions
_DismGetTargetEditions
_DismGetTargetVirtualEditions
_DismGetUsedSpace
_DismInitiateOSUninstall
_DismOptimizeImage
_DismOptimizeProvisionedAppxPackages
_DismRemoveOSUninstall
_DismRemovePackageFamilyFromUninstallBlocklist
_DismRemoveProvisionedAppxPackage
_DismRemoveProvisionedAppxPackageAllUsers
_DismRevertPendingActions
_DismSetAllIntlSettings
_DismSetAppXProvisionedDataFile
_DismSetEdition
_DismSetEdition2
_DismSetFirstBootCommandLine
_DismSetMachineName
_DismSetOSUninstallWindow
_DismSetProductKey
_DismSetSkuIntlDefaults
_DismSplitFfuImage
_DismStage
_DismSysprepCleanup
_DismSysprepGeneralize
_DismSysprepSpecialize
_DismValidateProductKey

Sections

.text
Size: 670KB - Virtual size: 670KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 316KB - Virtual size: 316KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
krampus/krampus/KBDCZ1.DLL
.dll windows:10 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

kbdcz1.pdb

Exports

Exports

KbdLayerDescriptor

Sections

.text
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 216B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
krampus/krampus/KBDDA.DLL
.dll windows:10 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

wkbdda.pdb

Exports

Exports

KbdLayerDescriptor

Sections

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 172B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
krampus/krampus/KBDGAE.DLL
.dll windows:10 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

kbdgae.pdb

Exports

Exports

KbdLayerDescriptor

Sections

.text
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 164B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
krampus/krampus/KBDSL1.DLL
.dll windows:10 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

kbdsl1.pdb

Exports

Exports

KbdLayerDescriptor

Sections

.text
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 216B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
krampus/krampus/KBDUGHR.DLL
.dll windows:10 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

wkbdughr.pdb

Exports

Exports

KbdLayerDescriptor

Sections

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 180B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
krampus/krampus/d2win.dll
.dll windows:4 windows x86 arch:x86

63fe0f403102ae0ac27d237181b45251

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

d2cmp

ord10040
ord10055
ord10046
ord10039
ord10038
ord10037
ord10036
ord10024
ord10051
ord10032
ord10054
ord10052
ord10053
ord10004

d2gfx

ord10025
ord10046
ord10048
ord10035
ord10028
ord10049
ord10036
ord10038
ord10037
ord10047
ord10044
ord10026
ord10033
ord10032
ord10024
ord10023
ord10000
ord10041
ord10075
ord10055
ord10073
ord10003
ord10074
ord10027
ord10058
ord10056
ord10045
ord10031
ord10030
ord10052
ord10072

d2lang

?strncpy@Unicode@@SIPAU1@PAU1@PBU1@H@Z
ord10003
?sprintf@Unicode@@SAXHPAU1@PBU1@ZZ
?isLineBreak@Unicode@@SIHPBU1@I@Z
?strnicmp@Unicode@@SIHPBU1@0I@Z
ord10007
ord10004
?unicode2Win@Unicode@@SIPADPADPBU1@H@Z
??_FUnicode@@QAEXXZ
?strcpy@Unicode@@SIPAU1@PAU1@PBU1@@Z
?strcat@Unicode@@SIPAU1@PAU1@PBU1@@Z
?win2Unicode@Unicode@@SIPAU1@PAU1@PBDH@Z
?strlen@Unicode@@SIHPBU1@@Z
?toUnicode@Unicode@@SIPAU1@PAU1@PBDH@Z

fog

ord10039
ord10209
ord10207
ord10045
ord10210
ord10208
ord10215
ord10211
ord10025
ord10227
ord10117
ord10116
gdwInvBitMasks
ord10029
ord10109
ord10107
ord10026
ord10105
ord10104
ord10043
gdwBitMasks
ord10102
ord10103
ord10042
ord10023
ord10024

storm

ord403
ord416
ord513
ord414
ord503
ord401
ord501
ord415
ord276
ord252
ord266
ord514
ord515
ord512
ord511
ord412
ord417

ijl11

ord5
ord3
ord2

kernel32

QueryPerformanceFrequency
GetLocalTime
GetCommandLineA
GetCPInfo
HeapAlloc
HeapFree
VirtualFree
SetEnvironmentVariableA
CompareStringW
CompareStringA
CloseHandle
GetTickCount
GetFileAttributesA
GlobalUnlock
GlobalLock
GlobalAlloc
GlobalFree
ExitProcess
QueryPerformanceCounter
DeleteFileA
GetLastError
Sleep
GetModuleFileNameA
lstrcpyA
lstrcatA
GetDriveTypeA
GetLogicalDriveStringsA
FlushFileBuffers
SetStdHandle
RtlUnwind
LoadLibraryA
HeapReAlloc
VirtualAlloc
GetOEMCP
GetACP
SetFilePointer
GetStringTypeW
GetStringTypeA
LCMapStringW
LCMapStringA
MultiByteToWideChar
GetProcAddress
InterlockedIncrement
WriteFile
HeapCreate
GetModuleHandleA
GetEnvironmentVariableA
GetEnvironmentStringsW
GetVersionExA
TerminateProcess
GetCurrentProcess
GetTimeZoneInformation
GetSystemTime
TlsSetValue
TlsAlloc
GetVersion
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
InterlockedDecrement
HeapDestroy
SetHandleCount
GetCurrentThreadId
GetStdHandle
WideCharToMultiByte
TlsFree
SetLastError
TlsGetValue
FreeEnvironmentStringsW
GetEnvironmentStrings
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA

user32

SetClipboardData
PostQuitMessage
DefWindowProcA
SetCursorPos
PtInRect
PeekMessageA
GetMessageA
TranslateMessage
DispatchMessageA
GetKeyState
EmptyClipboard
IsClipboardFormatAvailable
OpenClipboard
GetClipboardData
CloseClipboard
MessageBoxA
SetRect
wsprintfA

d2sound

ord10069
ord10065
ord10034
ord10070
ord10039
ord10066

Sections

.text
Size: 112KB - Virtual size: 109KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 705KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
krampus/krampus/d32-fw.dll
.dll windows:4 windows x86 arch:x86

d392806bdd24330f8861142035de5089

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

user32

SetWindowLongA
PostMessageA
DefWindowProcA
DispatchMessageA
TranslateMessage
DestroyWindow
PeekMessageA
GetMessageA
CreateWindowExA
LoadCursorA
RegisterClassA
UnregisterClassA
GetWindowLongA
PostQuitMessage

gdi32

GetStockObject

wsock32

WSAAsyncGetHostByName
WSACleanup
bind
inet_ntoa
setsockopt
send
select
recv
ntohl
ioctlsocket
gethostbyname
WSAAsyncSelect
htons
connect
WSAGetLastError
WSAStartup
socket
closesocket

advapi32

RegOpenKeyExA
RegQueryValueExA
RegCloseKey

kernel32

SetEvent
lstrcatA
HeapFree
EnterCriticalSection
WaitForSingleObject
SetHandleCount
RtlUnwind
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
SetFilePointer
SetStdHandle
FlushFileBuffers
LoadLibraryA
WriteFile
WideCharToMultiByte
GetEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsW
FreeEnvironmentStringsA
GetOEMCP
GetACP
GetCPInfo
GetModuleFileNameA
GetStartupInfoA
GetFileType
GetStdHandle
HeapAlloc
TlsFree
TlsAlloc
SetLastError
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
LeaveCriticalSection
TlsGetValue
CreateThread
lstrcpyA
lstrlenA
CloseHandle
CreateEventA
GetCommandLineA
DeleteCriticalSection
InitializeCriticalSection
GetProcAddress
GetModuleHandleA
VirtualAlloc
GetLastError
ResumeThread
GetCurrentThreadId
TlsSetValue
ExitThread
VirtualFree
GetVersion
HeapDestroy
HeapCreate
ExitProcess

Exports

Exports

fw_abort
fw_async_connect
fw_bind
fw_close
fw_connect
fw_get_info
fw_get_skt
fw_listen
fw_open
fw_select
fw_upcall
fw_yield

Sections

.text
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 860B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
krampus/krampus/d3d10.dll
.dll windows:10 windows x86 arch:x86

bf17303866baf24e463e4d049300293c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

d3d10.pdb

Imports

d3d10core

D3D10CoreGetVersion
D3D10CoreRegisterLayers

msvcrt

_except_handler4_common
?terminate@@YAXXZ
??1type_info@@UAE@XZ
_initterm
_amsg_exit
_XcptFilter
_callnewh
strstr
__CxxFrameHandler3
malloc
modf
_purecall
isalnum
isxdigit
atof
free
setlocale
_strdup
_strnicmp
_fpclass
_isnan
_stricmp
isalpha
atoi
memset
tolower
_finite
strchr
_clearfp
_controlfp
_vsnprintf
isdigit
_CIacos
_CIasin
_CIatan
_CIatan2
_CIcos
_CIcosh
_CIexp
_CIfmod
_CIlog
_CIpow
_CIsin
_CIsinh
_CIsqrt
_CItan
_CItanh
_CxxThrowException
_ftol2
_ftol2_sse
ceil
floor
memcmp
memcpy
memmove

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameA
LoadLibraryExW
GetModuleHandleExW
FreeLibrary
DisableThreadLibraryCalls
GetProcAddress

api-ms-win-core-debug-l1-1-0

OutputDebugStringA

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegEnumKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegGetValueW

api-ms-win-core-synch-l1-1-0

EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSection
OpenSemaphoreW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-file-l1-1-0

GetFullPathNameA
GetFileSize
CreateFileA

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
GetCurrentProcess
GetCurrentThreadId
TerminateProcess

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemInfo
GetSystemTimeAsFileTime
GetTickCount

d3d11

D3D11CreateDeviceAndSwapChain

api-ms-win-core-memory-l1-1-0

UnmapViewOfFile
VirtualFree
VirtualAlloc

gdi32

DeleteObject

Exports

Exports

D3D10CompileEffectFromMemory
D3D10CompileShader
D3D10CreateBlob
D3D10CreateDevice
D3D10CreateDeviceAndSwapChain
D3D10CreateEffectFromMemory
D3D10CreateEffectPoolFromMemory
D3D10CreateStateBlock
D3D10DisassembleEffect
D3D10DisassembleShader
D3D10GetGeometryShaderProfile
D3D10GetInputAndOutputSignatureBlob
D3D10GetInputSignatureBlob
D3D10GetOutputSignatureBlob
D3D10GetPixelShaderProfile
D3D10GetShaderDebugInfo
D3D10GetVersion
D3D10GetVertexShaderProfile
D3D10PreprocessShader
D3D10ReflectShader
D3D10RegisterLayers
D3D10StateBlockMaskDifference
D3D10StateBlockMaskDisableAll
D3D10StateBlockMaskDisableCapture
D3D10StateBlockMaskEnableAll
D3D10StateBlockMaskEnableCapture
D3D10StateBlockMaskGetSetting
D3D10StateBlockMaskIntersect
D3D10StateBlockMaskUnion

Sections

.text
Size: 985KB - Virtual size: 984KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
krampus/krampus/krampus.exe
.exe windows:5 windows x64 arch:x64

0b5552dccd9d0a834cea55c0c8fc05be

Code Sign

33:00:00:04:48:4a:ab:a9:ca:f4:ee:80:15:00:00:00:00:04:48
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/08/2023, 18:38

Not After

07/08/2024, 18:38

Subject

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ae:4e:76:7a:c3:8b:ed:1d:a8:b0:c0:d1:ba:8b:0d:94:42:f7:65:55:f4:d9:0a:95:8c:e4:cd:1d:e3:08:31:93
Signer

Actual PE Digest

ae:4e:76:7a:c3:8b:ed:1d:a8:b0:c0:d1:ba:8b:0d:94:42:f7:65:55:f4:d9:0a:95:8c:e4:cd:1d:e3:08:31:93

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

user32

CreateWindowExW
MessageBoxW
MessageBoxA
SystemParametersInfoW
DestroyIcon
SetWindowLongPtrW
GetWindowLongPtrW
GetClientRect
InvalidateRect
ReleaseDC
GetDC
DrawTextW
GetDialogBaseUnits
EndDialog
DialogBoxIndirectParamW
MoveWindow
SendMessageW

comctl32

ord380

kernel32

GetStringTypeW
GetFileAttributesExW
HeapReAlloc
FlushFileBuffers
GetCurrentDirectoryW
IsValidCodePage
GetACP
GetModuleHandleW
MulDiv
GetLastError
SetDllDirectoryW
GetModuleFileNameW
GetProcAddress
GetCommandLineW
GetEnvironmentVariableW
GetOEMCP
ExpandEnvironmentStringsW
CreateDirectoryW
GetTempPathW
WaitForSingleObject
Sleep
GetExitCodeProcess
CreateProcessW
GetStartupInfoW
FreeLibrary
LoadLibraryExW
SetConsoleCtrlHandler
FindClose
FindFirstFileExW
CloseHandle
GetCurrentProcess
LocalFree
FormatMessageW
MultiByteToWideChar
WideCharToMultiByte
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
GetTimeZoneInformation
HeapSize
WriteConsoleW
SetEnvironmentVariableW
RtlUnwindEx
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
SetEndOfFile
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
EncodePointer
RaiseException
RtlPcToFileHeader
GetCommandLineA
CreateFileW
GetDriveTypeW
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetFullPathNameW
RemoveDirectoryW
FindNextFileW
SetStdHandle
DeleteFileW
ReadFile
GetStdHandle
WriteFile
ExitProcess
GetModuleHandleExW
HeapFree
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetConsoleOutputCP
GetFileSizeEx
HeapAlloc
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
CompareStringW
LCMapStringW

advapi32

OpenProcessToken
GetTokenInformation
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

gdi32

SelectObject
DeleteObject
CreateFontIndirectW

Sections

.text
Size: 162KB - Virtual size: 162KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 75KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
stub-o.pyc

Resubmissions

Sharing

General

Malware Config

Signatures

Files

58feba6d9611e712e7c23373d33a6225

Code Sign

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

87:51:d1:99:fc:26:4d:bd:d3:0c:a6:d7:bf:bb:60:3a:6b:1b:5f:53:5c:eb:79:f8:5a:f6:e5:cc:74:d5:c6:27Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

advapi32

kernel32

ole32

user32

oleaut32

ntdll

version

Exports

Exports

Sections

.text Size: 670KB - Virtual size: 670KB

.rdata Size: 316KB - Virtual size: 316KB

.data Size: 9KB - Virtual size: 12KB

.pdata Size: 20KB - Virtual size: 20KB

.rsrc Size: 12KB - Virtual size: 12KB

.reloc Size: 2KB - Virtual size: 2KB

Headers

DLL Characteristics

File Characteristics

PDB Paths

Exports

Exports

Sections

.text Size: 512B - Virtual size: 24B

.data Size: 5KB - Virtual size: 4KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 216B

Headers

DLL Characteristics

File Characteristics

PDB Paths

Exports

Exports

Sections

.data Size: 4KB - Virtual size: 3KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 172B

Headers

DLL Characteristics

File Characteristics

PDB Paths

Exports

Exports

Sections

.text Size: 512B - Virtual size: 24B

.data Size: 4KB - Virtual size: 3KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 164B

Headers

DLL Characteristics

File Characteristics

PDB Paths

Exports

Exports

Sections

.text Size: 512B - Virtual size: 24B

.data Size: 5KB - Virtual size: 4KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 216B

Headers

DLL Characteristics

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

87:51:d1:99:fc:26:4d:bd:d3:0c:a6:d7:bf:bb:60:3a:6b:1b:5f:53:5c:eb:79:f8:5a:f6:e5:cc:74:d5:c6:27
Signer

.text
Size: 670KB - Virtual size: 670KB

.rdata
Size: 316KB - Virtual size: 316KB

.data
Size: 9KB - Virtual size: 12KB

.pdata
Size: 20KB - Virtual size: 20KB

.rsrc
Size: 12KB - Virtual size: 12KB

.reloc
Size: 2KB - Virtual size: 2KB

.text
Size: 512B - Virtual size: 24B

.data
Size: 5KB - Virtual size: 4KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 216B

.data
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 172B

.text
Size: 512B - Virtual size: 24B

.data
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 164B

.text
Size: 512B - Virtual size: 24B

.data
Size: 5KB - Virtual size: 4KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 216B

.data
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 180B

.text
Size: 112KB - Virtual size: 109KB

.rdata
Size: 8KB - Virtual size: 7KB

.data
Size: 24KB - Virtual size: 705KB

.reloc
Size: 12KB - Virtual size: 10KB

.text
Size: 25KB - Virtual size: 24KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 10KB - Virtual size: 15KB

.idata
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 1024B - Virtual size: 860B

.reloc
Size: 2KB - Virtual size: 1KB