3b7604f4fb4b025364aa9abe102af50ee91540d6f942e046b86f1bdbb82b3bb6

Sharing

Copy URL Twitter E-mail

General

Target

3b7604f4fb4b025364aa9abe102af50ee91540d6f942e046b86f1bdbb82b3bb6
Size

521KB
MD5

682062e6a2274e9f7d1be97a7fe5797a
SHA1

c5556401fed82b2ce3166e86f8508e0adfac2bc2
SHA256

3b7604f4fb4b025364aa9abe102af50ee91540d6f942e046b86f1bdbb82b3bb6
SHA512

5ecb7b0d5137799881bf471952cf16339a6627f4f7c4e3959dac0394f5c0c4e75c405abd7ee4973e728be8656c72ed628cbde4dacddebcf9f7313d63b0fd1b2a
SSDEEP

12288:ldStvqzD6iaAGI5XqpqhaOmvBT8kFIQ/wIs:KtvqzDLUEZqT8kFlop

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
3b7604f4fb4b025364aa9abe102af50ee91540d6f942e046b86f1bdbb82b3bb6

Files

3b7604f4fb4b025364aa9abe102af50ee91540d6f942e046b86f1bdbb82b3bb6
.dll windows:4 windows x86 arch:x86

0a5a0d3399a61c3d5371e78ebb9f00d3

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

f:\1.8patch(误删长期使用)\basic\KVOutput\binrelease\ad.pdb

Imports

drivermanager

GetDriverManager
UninitDriverManager
InitDriverManager

bdmbase

??0CBDMWin64Helper@BDMBase@@QAE@XZ
??1CBDMWin64Helper@BDMBase@@QAE@XZ
?Is64BitWindows@CBDMWin64Helper@BDMBase@@QAEHXZ
_BDMGetFileMD5_2@8
?SafeLoadLibrary@BDMSafeLoadLibrary@@YGPAUHINSTANCE__@@PB_WH@Z

kernel32

WideCharToMultiByte
MultiByteToWideChar
ReadFile
GetFileSize
CreateFileA
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
Sleep
lstrlenW
DeleteFileW
GetTempPathW
IsBadReadPtr
IsBadWritePtr
SetFilePointer
GetCurrentProcess
DeviceIoControl
InitializeCriticalSectionAndSpinCount
CreateIoCompletionPort
QueueUserAPC
WaitForMultipleObjects
DeleteCriticalSection
FreeLibrary
GetProcAddress
GetWindowsDirectoryW
GetModuleFileNameW
OpenProcess
GetModuleHandleW
ProcessIdToSessionId
InitializeCriticalSection
ResetEvent
Process32NextW
CreateToolhelp32Snapshot
lstrcmpiW
Process32FirstW
OutputDebugStringW
CreateMutexW
OpenMutexW
SleepEx
CreateProcessW
FindFirstFileW
GetLogicalDrives
GetDriveTypeW
FindClose
FindNextFileW
SetProcessShutdownParameters
DisableThreadLibraryCalls
CreateEventW
CreateWaitableTimerW
TlsAlloc
TlsFree
InterlockedExchange
TlsSetValue
SetWaitableTimer
InterlockedExchangeAdd
EnterCriticalSection
SetEvent
PostQueuedCompletionStatus
HeapFree
GetQueuedCompletionStatus
InterlockedCompareExchange
LeaveCriticalSection
CreateEventA
HeapAlloc
TlsGetValue
GetCurrentThreadId
InterlockedIncrement
InterlockedDecrement
GetProcessHeap
GetFileAttributesW
MoveFileW
WaitForSingleObject
CreateFileW
TerminateThread
CloseHandle
WriteFile
GetTickCount
GetLocalTime
GetLastError
CopyFileW
X��̯�
�_ U��t}n�_��
\��_^��ZD�W�p�X�zIk�~�??��lw�@�^'{H�e<zr�T�^.O�B�A�ޫ�ڴ��IV`.�I��#�Π�Ao��C ��ڨo��M|��[ �8��s� ��=��2�4Mn��Z��1�u.�7�
lw�@�^'{H�e<zr�T�^.O�B�A�ޫ�ڴ��IV`.�I��#�Π�Ao��C ��ڨo��M|��[ �8��s� ��=��2�4Mn��Z��1�u.�7�
^.O�B�A�ޫ�ڴ��IV`.�I��#�Π�Ao��C ��ڨo��M|��[ �8��s� ��=��2�4Mn��Z��1�u.�7�
��#�Π�Ao��C ��ڨo��M|��[ �8��s� ��=��2�4Mn��Z��1�u.�7�
��ڨo��M|��[ �8��s� ��=��2�4Mn��Z��1�u.�7�
�8��s� ��=��2�4Mn��Z��1�u.�7�
��2�4Mn��Z��1�u.�7�
�1�u.�7�
SetLastError
۷��ꌕ��J>�o�wk�a{m��+�b)�E? x��^�+��m��4��U��nu3R��8$~I'��W�=��]��o��*
o�wk�a{m��+�b)�E? x��^�+��m��4��U��nu3R��8$~I'��W�=��]��o��*
? x��^�+��m��4��U��nu3R��8$~I'��W�=��]��o��*
U��nu3R��8$~I'��W�=��]��o��*
��o��*

advapi32

RegFlushKey
ControlService
CreateServiceW
OpenServiceW
DeleteService
CloseServiceHandle
StartServiceW
OpenProcessToken
AdjustTokenPrivileges
ChangeServiceConfig2W
RegDeleteValueW
RegCreateKeyExW
OpenSCManagerW
RegDeleteKeyW
RegSetValueExW
RegNotifyChangeKeyValue
CreateProcessAsUserW
DuplicateTokenEx
GetTokenInformation
RegCloseKey
RegOpenKeyExW
RegOpenKeyW
RegQueryValueExW
QueryServiceStatus
LookupPrivilegeValueW

msvcp80

?uncaught_exception@std@@YA_NXZ
?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEXXZ
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z
??0?$basic_stringstream@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@H@Z
?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEXXZ
??_D?$basic_stringstream@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXXZ
??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@ABV10@PB_W@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z
?resize@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXI@Z
??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAA_WI@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??$?M_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@0@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
?npos@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@2IB
?rfind@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEI_WI@Z
?erase@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@II@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_WI@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
?clear@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXXZ
?swap@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEXAAV12@@Z
?clear@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHPBDH@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z
?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
?rfind@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEIPB_WI@Z
?assign@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@PB_W@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@_W@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEHPB_WH@Z
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEXXZ
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@ABV01@@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@I@Z
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ
ԕ��,. 4hX�g�)K��P8 ��۷}�G'��u]��(��<�4�
��^.�峷ڷ$�:f�m�aƽ�>��x��|��8�i��k��d6�H7#J�I?��?�i�G�[�@r��:�tT�ӛ-.��ܢ�8��F��>g�\��
�ӛ-.��ܢ�8��F��>g�\��

shlwapi

PathRemoveFileSpecW

wininet

HttpOpenRequestW
HttpQueryInfoW
InternetReadFile
InternetCrackUrlW
HttpSendRequestW
InternetCloseHandle
InternetOpenW
InternetConnectW

��r��et��\��s_�~ޮ.v�?��:鱊��06�,8 ��0��w�_>�/z�i��]clqf�>�+h�)��8*y��k�>�o{[r��/�zѽ5\��u��3)�ԩ��w�'�n�׽}+��

_>�/Z�i��]ClqF�>�+H�)��8*y��k�>�O{[R��/�zѽ5\��u��3)�Ԩ��W�'�n�׽}+��
??3@YAXPAX@Z
_beginthreadex
wcscpy_s
_snwprintf
??0exception@std@@QAE@ABV01@@Z
_purecall
_invalid_parameter_noinfo
??_V@YAXPAX@Z
??2@YAPAXI@Z
?what@exception@std@@UBEPBDXZ
??1exception@std@@UAE@XZ
??0exception@std@@QAE@XZ
??0exception@std@@QAE@ABQBD@Z
??0exception@std@@QAE@ABQBDH@Z
??8type_info@@QBE_NABV0@@Z
_snwprintf_s
wcsncpy_s
free
malloc
wcsncat_s
_time64
srand
wcsrchr
rand
strerror
_errno
_ftelli64
_fseeki64
fopen
fread
ferror
fwrite
ftell
fseek
fclose
memmove
_vsnprintf_s
sscanf_s
fprintf
fopen_s
strncmp
strchr
tolower
isspace
isalpha
isalnum
wcsncpy
swprintf_s
_wcsupr
wcsstr
__RTDynamicCast
memmove_s
_vsnwprintf
_wstat64i32
wcsc
��s_�~ޮ.V�?��:鱊��06�,8 ��0��W�_>�/Z�i��]ClqF�>�+H�)��8*y��k�>�O{[R��/�zѽ5\��u��3)�Ԩ��W�'�n�׽}+��
��06�,8 ��0��W�_>�/Z�i��]ClqF�>�+H�)��8*y��k�>�O{[R��/�zѽ5\��u��3)�Ԩ��W�'�n�׽}+��
�,8 ��0��W�_>�/Z�i��]ClqF�>�+H�)��8*y��k�>�O{[R��/�zѽ5\��u��3)�Ԩ��W�'�n�׽}+��
�� D[��S�iK��Hល2�<� O�� I%J*�M$��Յ��\��"��g�-�{[ȧ��
+H�)��8*y��k�>�O{[R��/�zѽ5\��u��3)�Ԩ��W�'�n�׽}+��
y��k�>�O{[R��/�zѽ5\��u��3)�Ԩ��W�'�n�׽}+��
{[R��/�zѽ5\��u��3)�Ԩ��W�'�n�׽}+��
u��3)�Ԩ��W�'�n�׽}+��
��
�U��䁿7R��݄.�=o��OQ�.��q4�HE�Ϳo�+�~�uu��UN��E��ܸ?��L5�:��ǎryk��{��NxG��]��~]Eڂ��
�=o��OQ�.��q4�HE�Ϳo�+�~�uu��UN��E��ܸ?��L5�:��ǎryk��{��NxG��]��~]Eڂ��
q4�HE�Ϳo�+�~�uu��UN��E��ܸ?��L5�:��ǎryk��{��NxG��]��~]Eڂ��
~�uu��UN��E��ܸ?��L5�:��ǎryk��{��NxG��]��~]Eڂ��
�E��ܸ?��L5�:��ǎryk��{��NxG��]��~]Eڂ��
��L5�:��ǎryk��{��NxG��]��~]Eڂ��
yk��{��NxG��]��~]Eڂ��
]Eڂ��
�'��?��R��@�j i@��\�~}��C��?�:�>ސ��
~}��C��?�:�>ސ��
@��؟q6�m�� D[��S�iK��Hល2�<� O�� I%J*�M$��Յ��\��"��g�-�{[ȧ��
Vh�B}L�X~eWփ�@��؟q6�m�� D[��S�iK��Hល2�<� O�� I%J*�M$��Յ��\��"��g�-�{[ȧ��
|�~V;ƺ��Vh�B}L�X~eWփ�@��؟q6�m�� D[��S�iK��Hល2�<� O�� I%J*�M$��Յ��\��"��g�-�{[ȧ��
�+�>��o�|�~V;ƺ��Vh�B}L�X~eWփ�@��؟q6�m�� D[��S�iK��Hល2�<� O�� I%J*�M$��Յ��\��"��g�-�{[ȧ��
��UH�D��(\�<��+�>��o�|�~V;ƺ��Vh�B}L�X~eWփ�@��؟q6�m�� D[��S�iK��Hល2�<� O�� I%J*�M$��Յ��\��"��g�-�{[ȧ��
}:�g��T�AK��UH�D��(\�<��+�>��o�|�~V;ƺ��Vh�B}L�X~eWփ�@��؟q6�m�� D[��S�iK��Hល2�<� O�� I%J*�M$��Յ��\��"��g�-�{[ȧ��

��y?zg��z��(zm]t�

ord14
ord8
ord115
ord116

��x�u�

ZM]t�

߳�s�)��

�I��k�-� ��B6�߳�S�)��

9�f�

��`��hρ�}6al�t��'��l��p#�m��ۋ#� �κ�1cc��j��"%o��
��`��hρ�}6al�t��'��l��p#�m��ۋ#� �κ�1cc��j��"%o��

��

��hΡ�}6al�t��'��l��P#�M��ۋ#� �Κ�1CC��j��"%O��
��1CC��j��"%O��
'��l��P#�M��ۋ#� �Κ�1CC��j��"%O��

Sections

.text
Size: 324KB - Virtual size: 320KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 124KB - Virtual size: 121KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 4KB - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 36KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0a5a0d3399a61c3d5371e78ebb9f00d3

Headers

File Characteristics

PDB Paths

Imports

drivermanager

bdmbase

kernel32

advapi32

msvcp80

shlwapi

wininet

��r���et��\�����s_�~ޮ.v�?��:鱊��� 06�,8 ���0��w�_>�/z�i���]clqf�>�+h�)��8*y���k�>�o{[r���/�zѽ5\���u��3)�ԩ��w�'�n�׽}+��

��y?zg��z��(zm]t�

��x�u �

߳�s�)��

9�f�

��

Sections

.text Size: 324KB - Virtual size: 320KB

.rdata Size: 124KB - Virtual size: 121KB

.data Size: 16KB - Virtual size: 20KB

.tls Size: 4KB - Virtual size: 2B

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 36KB - Virtual size: 33KB

��r��et��\��s_�~ޮ.v�?��:鱊��06�,8 ��0��w�_>�/z�i��]clqf�>�+h�)��8*y��k�>�o{[r��/�zѽ5\��u��3)�ԩ��w�'�n�׽}+��

��y?zg��z��(zm]t�

��x�u�

߳�s�)��

��

.text
Size: 324KB - Virtual size: 320KB

.rdata
Size: 124KB - Virtual size: 121KB

.data
Size: 16KB - Virtual size: 20KB

.tls
Size: 4KB - Virtual size: 2B

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 36KB - Virtual size: 33KB