f4449b5a1056e5d0729463c005b49753a083392c25f33c367bf6edd256483966

Sharing

Copy URL Twitter E-mail

General

Target

f4449b5a1056e5d0729463c005b49753a083392c25f33c367bf6edd256483966
Size

488KB
MD5

5c4a7d6110fb7e6b26dfd2cb4766f8d3
SHA1

8446661a8d40fa8118a12e2af4b0d37be7d0cfa1
SHA256

f4449b5a1056e5d0729463c005b49753a083392c25f33c367bf6edd256483966
SHA512

7e1bdbd255bf802488e249916946051d1ad5d87a6ce60abda0c60f5043d95cae16e11387e582001f490bb8c578b1ec371fd26e3278bd7b64dfc3ae399bd96940
SSDEEP

12288:1IE8stXB5hpp2HA90cDpHSM9CiOlihSJY26y6bvj3WoJEPOR:1istXB5hpp2HA90cDpfFOlfJbdCjTR

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
f4449b5a1056e5d0729463c005b49753a083392c25f33c367bf6edd256483966

Files

f4449b5a1056e5d0729463c005b49753a083392c25f33c367bf6edd256483966
.dll windows:4 windows x86 arch:x86

35b96630b6ebab8af78df1ce6bc79d39

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

j:\data\交接项目（杨毅）\通用自动升级\rsprotect_nohookwin\RsProtect\NoECard\RsProtect.pdb

Imports

kernel32

SetErrorMode
InterlockedIncrement
lstrcmpW
GlobalFindAtomA
GlobalGetAtomNameA
WritePrivateProfileStringA
GetCurrentDirectoryA
GlobalFlags
GetCPInfo
GetOEMCP
ExitProcess
RtlUnwind
HeapFree
GetSystemTimeAsFileTime
HeapAlloc
VirtualProtect
VirtualAlloc
GetSystemInfo
VirtualQuery
GetCommandLineA
HeapReAlloc
ExitThread
HeapSize
QueryPerformanceCounter
GetTickCount
lstrcatA
HeapCreate
VirtualFree
IsBadWritePtr
SetUnhandledExceptionFilter
GetTimeZoneInformation
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
UnhandledExceptionFilter
GetDriveTypeA
IsBadReadPtr
IsBadCodePtr
SetStdHandle
SetEnvironmentVariableA
InterlockedDecrement
TlsFree
LocalReAlloc
TlsSetValue
TlsAlloc
TlsGetValue
EnterCriticalSection
GlobalHandle
GlobalReAlloc
LeaveCriticalSection
GlobalAddAtomA
GetCurrentThread
GlobalDeleteAtom
GetModuleHandleA
ConvertDefaultLocale
EnumResourceLanguagesA
SuspendThread
SetEvent
GetCurrentThreadId
SetThreadPriority
lstrcmpA
GetFullPathNameA
GetVolumeInformationA
lstrcpyA
DuplicateHandle
GetFileSize
SetEndOfFile
UnlockFile
LockFile
FlushFileBuffers
ReadFile
FreeLibrary
SetLastError
GlobalLock
GlobalUnlock
FormatMessageA
lstrcpynA
CompareStringW
CompareStringA
lstrcmpiA
GetVersion
GetPrivateProfileStringA
CopyFileA
MultiByteToWideChar
GlobalFree
GlobalAlloc
GetModuleFileNameA
GetWindowsDirectoryA
FindNextFileA
CreateEventA
WaitForSingleObject
TerminateThread
TerminateProcess
GetExitCodeProcess
ResumeThread
GetCurrentProcessId
Thread32First
OpenThread
Thread32Next
CreateThread
WaitForMultipleObjects
OutputDebugStringA
GetSystemDirectoryA
LoadLibraryA
GetProcAddress
GetFileTime
CreateFileA
SetFilePointer
WriteFile
FreeResource
CreateToolhelp32Snapshot
Process32First
Module32First
Module32Next
Process32Next
LocalAlloc
LocalFree
GetCurrentProcess
GetLastError
OpenProcess
CloseHandle
FileTimeToLocalFileTime
FileTimeToSystemTime
Sleep
DeleteFileA
MoveFileA
CreateDirectoryA
GetFileAttributesA
SetFileAttributesA
SetFileTime
FindFirstFileA
FindClose
WideCharToMultiByte
lstrlenA
FindResourceA
LoadResource
LockResource
SizeofResource
DeleteCriticalSection
InitializeCriticalSection
RaiseException
GetVersionExA
GetThreadLocale
GetLocaleInfoA
GetACP
HeapDestroy
InterlockedExchange

user32

SetWindowTextA
ClientToScreen
GrayStringA
DrawTextExA
DrawTextA
TabbedTextOutA
RegisterWindowMessageA
WinHelpA
GetCapture
CreateWindowExA
GetClassLongA
GetClassInfoExA
GetClassNameA
SetPropA
GetPropA
RemovePropA
GetWindowTextA
GetForegroundWindow
GetDlgItem
GetTopWindow
DestroyWindow
GetMessageTime
GetMessagePos
LoadIconA
MapWindowPoints
SetForegroundWindow
GetClientRect
GetMenu
UnregisterClassA
SendMessageA
FindWindowA
ExitWindowsEx
PeekMessageA
PostThreadMessageA
SetTimer
AdjustWindowRectEx
GetClassInfoA
RegisterClassA
GetDlgCtrlID
DefWindowProcA
CallWindowProcA
SetWindowLongA
SetWindowPos
SystemParametersInfoA
IsIconic
GetWindowPlacement
GetWindowRect
CopyRect
PtInRect
GetWindow
LoadCursorA
GetDC
ReleaseDC
GetSysColor
GetSysColorBrush
UnhookWindowsHookEx
SetMenuItemBitmaps
GetFocus
ModifyMenuA
EnableMenuItem
CheckMenuItem
ShowWindow
GetMenuCheckMarkDimensions
LoadBitmapA
DestroyMenu
CharUpperA
GetSubMenu
GetMenuItemCount
GetMenuItemID
GetMenuState
DispatchMessageA
PostMessageA
EnableWindow
GetSystemMetrics
MessageBoxA
GetParent
GetWindowLongA
GetLastActivePopup
IsWindowEnabled
SetCursor
PostQuitMessage
SetWindowsHookExA
CallNextHookEx
GetMessageA
TranslateMessage
GetActiveWindow
IsWindowVisible
GetKeyState
GetCursorPos
ValidateRect
wsprintfA

gdi32

GetStockObject
DeleteDC
SetViewportExtEx
ScaleWindowExtEx
SetWindowExtEx
RestoreDC
OffsetViewportOrgEx
SetViewportOrgEx
SelectObject
Escape
ExtTextOutA
TextOutA
RectVisible
PtVisible
DeleteObject
SetMapMode
GetDeviceCaps
CreateBitmap
GetClipBox
SetTextColor
SetBkColor
SaveDC
ScaleViewportExtEx

comdlg32

GetFileTitleA

winspool.drv

DocumentPropertiesA
OpenPrinterA
ClosePrinter

advapi32

RegCloseKey
RegOpenKeyExA
RegQueryValueA
RegEnumKeyA
RegDeleteKeyA
RegOpenKeyA
RegDeleteValueA
CreateProcessAsUserA
CreateServiceA
ChangeServiceConfigA
StartServiceA
QueryServiceStatus
ControlService
DeleteService
OpenSCManagerA
OpenServiceA
CloseServiceHandle
GetKernelObjectSecurity
GetSecurityDescriptorDacl
GetUserNameA
BuildExplicitAccessWithNameA
SetEntriesInAclA
MakeAbsoluteSD
SetSecurityDescriptorDacl
SetKernelObjectSecurity
LookupPrivilegeValueA
OpenProcessToken
AdjustTokenPrivileges
RegSetValueExA
RegQueryValueExA
RegCreateKeyExA

shell32

SHGetSpecialFolderPathA
ShellExecuteA

comctl32

ord17

shlwapi

PathIsUNCA
StrStrIA
PathFileExistsA
PathFindExtensionA
PathFindFileNameA
PathRemoveFileSpecA
PathStripToRootA

oleaut32

SystemTimeToVariantTime
VariantClear
VariantChangeType
VariantInit

ws2_32

WSACleanup
WSAStartup
WSCDeinstallProvider
closesocket
shutdown
WSACloseEvent
WSAGetOverlappedResult
WSAResetEvent
WSAGetLastError
WSARecv
WSAWaitForMultipleEvents
WSACreateEvent
WSASend
getsockopt
select
connect
ioctlsocket
socket
htons
inet_addr
recv
accept
listen
bind

psapi

EnumProcessModules
GetModuleFileNameExA
GetModuleBaseNameA

Exports

Exports

ProtectStartShell

Sections

.text
Size: 164KB - Virtual size: 163KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 256KB - Virtual size: 254KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

35b96630b6ebab8af78df1ce6bc79d39

Headers

File Characteristics

PDB Paths

Imports

kernel32

user32

gdi32

comdlg32

winspool.drv

advapi32

shell32

comctl32

shlwapi

oleaut32

ws2_32

psapi

Exports

Exports

Sections

.text Size: 164KB - Virtual size: 163KB

.rdata Size: 32KB - Virtual size: 31KB

.data Size: 8KB - Virtual size: 22KB

.rsrc Size: 256KB - Virtual size: 254KB

.reloc Size: 24KB - Virtual size: 20KB

.text
Size: 164KB - Virtual size: 163KB

.rdata
Size: 32KB - Virtual size: 31KB

.data
Size: 8KB - Virtual size: 22KB

.rsrc
Size: 256KB - Virtual size: 254KB

.reloc
Size: 24KB - Virtual size: 20KB