PDB path: c:\Development\Altiris\Products\HotFixes\31946\Source\AeXNSCore\Server\Components\AltirisNativeHelper\ReleaseU\AltirisNativeHelper.pdb
Static task: static1
Behavioral task: behavioral1
  Sample: f602b81f95c847afb8eb42a0877eaddb03ddad77400228bd7ae68d90f15c75c9.dll
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: f602b81f95c847afb8eb42a0877eaddb03ddad77400228bd7ae68d90f15c75c9.dll
  Resource: win10v2004-20240508-en
General
Target: f602b81f95c847afb8eb42a0877eaddb03ddad77400228bd7ae68d90f15c75c9
Size: 324KB
MD5: b104c2ab440369ebeb4d0c28144574fa
SHA1: 5a355e7536a8bb140c45ed1cc4be06a16e951dec
SHA256: f602b81f95c847afb8eb42a0877eaddb03ddad77400228bd7ae68d90f15c75c9
SHA512: 1e5c8bc9b637abae4d0b658b8cce1ba7a2e17bff94f986d05ca25ae9684a0b1baff9633beb89b0a92f263a364c1ce003afbc40f35fee720f2c119ea78755add7
SSDEEP: 6144:tiNWNQOE4iaeAEDryDuxagDSL+GY9Tg4Moyg+hPCVdx1p/nLO25IyLEzSNkr:tiNWNQO5iaayDpgOadZ/y2WyNGr
Malware Config
Signatures
Unsigned PE (1 IoC): checks for missing Authenticode signature.
  resource: f602b81f95c847afb8eb42a0877eaddb03ddad77400228bd7ae68d90f15c75c9
Files
f602b81f95c847afb8eb42a0877eaddb03ddad77400228bd7ae68d90f15c75c9.dll  regsvr32  windows:4  windows x86  arch:x86
41ba8857f8d66527af9dc70f2ab82123
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
PDB Paths
Imports
netapi32
NetQueryDisplayInformation
NetUserGetLocalGroups
NetLocalGroupEnum
NetLocalGroupGetMembers
NetGroupGetUsers
NetGroupEnum
NetLocalGroupDelMembers
NetGroupDelUser
NetLocalGroupAddMembers
NetGroupAddUser
NetLocalGroupDel
NetGroupDel
NetLocalGroupAdd
NetGroupAdd
DsGetDcNameW
NetShareGetInfo
NetShareAdd
NetShareSetInfo
NetApiBufferFree
mpr
WNetGetLastErrorW
WNetOpenEnumW
WNetEnumResourceW
kernel32
MoveFileW
DeleteFileW
FindClose
FindNextFileW
FindFirstFileW
GetFileSize
CreateFileW
GetTickCount
ReleaseMutex
lstrlenA
GetCurrentProcess
HeapReAlloc
SetLastError
GetFileAttributesW
LoadLibraryA
ReadFile
SetFileAttributesW
CopyFileW
GetLocalTime
TerminateProcess
GetCurrentThreadId
FindResourceExW
Sleep
VerifyVersionInfoW
VerSetConditionMask
CreateEventW
GetComputerNameExW
GetCurrentDirectoryW
GetDriveTypeW
CompareStringW
CompareStringA
GetDriveTypeA
SetEndOfFile
FlushFileBuffers
SetStdHandle
GetStringTypeW
GetStringTypeA
SetFilePointer
WriteFile
CreateDirectoryW
GetEnvironmentVariableW
LoadLibraryW
GetProcAddress
GetCurrentProcessId
OpenProcess
FileTimeToSystemTime
GetProcessHeap
HeapAlloc
HeapFree
ExpandEnvironmentStringsW
WideCharToMultiByte
GetComputerNameW
LockResource
GlobalAlloc
GetModuleHandleW
LoadLibraryExW
FindResourceW
LoadResource
SizeofResource
FreeLibrary
lstrcatW
lstrcpynW
GetModuleFileNameW
CreateProcessW
WaitForSingleObject
GetExitCodeProcess
IsBadWritePtr
CloseHandle
lstrcmpiW
DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
RaiseException
lstrcpyW
CreateMutexW
lstrcmpW
LocalFree
InterlockedIncrement
MultiByteToWideChar
GetComputerNameA
GetLastError
GetThreadLocale
GetLocaleInfoA
GetACP
InterlockedExchange
GetVersionExW
FormatMessageW
lstrlenW
LocalAlloc
InterlockedDecrement
SetEnvironmentVariableA
VirtualFree
HeapCreate
SetUnhandledExceptionFilter
GetModuleFileNameA
QueryPerformanceCounter
TlsGetValue
TlsSetValue
TlsFree
TlsAlloc
GetModuleHandleA
GetCommandLineA
VirtualQuery
GetSystemInfo
VirtualAlloc
VirtualProtect
GetSystemTimeAsFileTime
GetTimeZoneInformation
FileTimeToLocalFileTime
ExitProcess
RtlUnwind
HeapSize
HeapDestroy
GetCurrentThread
GetCPInfo
GetOEMCP
IsBadCodePtr
IsBadReadPtr
UnhandledExceptionFilter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetStartupInfoA
GetFileType
GetStdHandle
SetHandleCount
LCMapStringW
LCMapStringA
GetCurrentDirectoryA
GetFullPathNameW
GetVersionExA
user32
CharNextW
wsprintfW
advapi32
OpenProcessToken
ConvertStringSidToSidW
ConvertSidToStringSidW
SetSecurityDescriptorOwner
InitializeSid
MakeAbsoluteSD
GetSecurityDescriptorOwner
GetSecurityDescriptorGroup
GetSecurityDescriptorSacl
GetSecurityDescriptorLength
GetSecurityDescriptorControl
MakeSelfRelativeSD
IsValidSid
ControlService
QueryServiceStatus
StartServiceW
EnumDependentServicesW
OpenSCManagerW
OpenServiceW
CloseServiceHandle
QueryServiceStatusEx
OpenThreadToken
RegisterServiceCtrlHandlerW
SetServiceStatus
LsaClose
GetSidSubAuthority
LsaAddAccountRights
LsaRemoveAccountRights
LookupAccountNameW
LsaOpenPolicy
LsaNtStatusToWinError
LookupPrivilegeValueW
AdjustTokenPrivileges
GetSidSubAuthorityCount
GetSidLengthRequired
CopySid
GetSecurityDescriptorDacl
GetAclInformation
AddAce
GetAce
GetTokenInformation
EqualSid
LookupAccountSidW
RegQueryValueExW
RegisterEventSourceW
ReportEventW
DeregisterEventSource
CryptGetHashParam
CryptAcquireContextA
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptReleaseContext
AllocateAndInitializeSid
GetLengthSid
InitializeAcl
FreeSid
RegEnumKeyExW
RegQueryInfoKeyW
RegSetValueExW
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
ole32
CoCreateInstance
CLSIDFromProgID
OleRun
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
ProgIDFromCLSID
CLSIDFromString
StringFromGUID2
oleaut32
VariantClear
SysFreeString
SysAllocString
SysAllocStringByteLen
SysStringByteLen
SysStringLen
SysAllocStringLen
VariantInit
GetErrorInfo
VariantCopy
VariantChangeType
LoadTypeLi
UnRegisterTypeLi
RegisterTypeLi
VarUI4FromStr
VarBstrCat
CreateErrorInfo
shlwapi
PathFindExtensionW
wsock32
WSACleanup
WSAStartup
gethostbyname
Exports
?GetResourceGuidFromXmlExport@@YAXPAUIDispatch@@PAGPAPAG@Z
?GetResourceIdFromGuidExport@@YAJPAUIDispatch@@PAG@Z
?GetResourceXmlFromBasicInventoryExport@@YAXPAG0PAPAG@Z
?GetResourceXmlFromBasicInventoryExportEx@@YAHPBG0PAGPAK@Z
AddMemberToGlobalGroup
AddMemberToLocalGroup
AeXReportEvent
AeXReportGetInstalling
AeXReportSetInstalling
AeXSetUserPrivilege
CompressData
CreateAllAccessEvent
CreateGlobalGroup
CreateLocalGroup
CreateNamedMutex
DecompressData
DefinePackageShare
DefinePackageShareEveryone
DeleteGlobalGroup
DeleteLocalGroup
DeleteMemberFromGlobalGroup
DeleteMemberFromLocalGroup
DeletePackageServers
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
EnablePrivilege
GetBuiltinAdministratorsBySid
GetBuiltinGuestsBySid
GetBuiltinSystemBySid
GetBuiltinUsersBySid
GetComConnection
GetDomain
GetGlobalGroupMembers
GetGlobalGroupsByName
GetGroupsByName
GetGroupsBySidFromToken
GetIfValidSid
GetIfWin2kDomain
GetLocalGroupMembers
GetLocalGroupMembersByNameAndSid
GetLocalGroupMemberships
GetLocalGroupsByName
GetPackageCodebases
GetPackageServers
GetPackageSnapshot
GetPackageVersion
GetResourceGuidFromXml
GetResourceIdFromGuid
GetResourceXmlFromBasicInventory
GetResourceXmlFromBasicInventoryEx
GetUserBySidFromToken
GetUsersByName
GetWellKnownSid
IsCompressedData
IsLMSupportSSL
IsUserLocalAdmin
LookupNameFromSid
LookupSidFromName
RefreshPackageSnapshot
RestartService
SetPackageServers
SetTheServiceStatus
SetTrusteePrivilege
StartProcess
UnHiddenFolderFile
ValidateDomain
ValidateDomainEx
Sections
.text Size: 224KB - Virtual size: 221KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 56KB - Virtual size: 52KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 8KB - Virtual size: 280KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 4KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 28KB - Virtual size: 25KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ