based[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

based.exe
Size

3.2MB
MD5

26aafddc2f6f193b16f2687e9ad7ed28
SHA1

40ca1f88e59478c0647d7eec2fd3dcef3dc0fe6f
SHA256

76feea70d9a65b017d8dcd626aa924ca3c2d50cb25d3ab8fceba70819621ae1f
SHA512

55c4b6b50bb8caa0c97a0654489d4ffd90212034e21c5f29ba7d24bf481d01d86bd83dfe1bcee5c7bc81dc28899e4e94a12ab7ff955abdfc8c04fa794774dd73
SSDEEP

49152:cGtlqtzIU6iqovaPrzdpW9JH9vgYNyZaF0vmEzMW9FxT6XHJ6iP5mIiujn:v+qoCPrzdp4hEs3J6OmI

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
based.exe

Files

based.exe
.exe windows:6 windows x64 arch:x64

33fe85ebb288b72a43db7b93b9f91e6a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ws2_32

ntohs
htons
getsockopt
WSAIoctl
WSAStartup
WSACleanup
accept
closesocket
shutdown
getnameinfo
WSAGetLastError
gethostname
sendto
recvfrom
ntohl
freeaddrinfo
getaddrinfo
recv
send
socket
htonl
listen
getsockname
getpeername
connect
bind
WSASetLastError
ioctlsocket
select
__WSAFDIsSet
inet_pton
setsockopt

wldap32

ord41
ord22
ord26
ord27
ord32
ord33
ord35
ord79
ord30
ord200
ord301
ord45
ord211
ord46
ord143
ord50
ord60

crypt32

CryptQueryObject
CertGetCertificateContextProperty
CertDuplicateCertificateContext
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CertGetNameStringA
CertAddCertificateContextToStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore

advapi32

CryptEnumProvidersW
CryptSignHashW
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGenRandom
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
RegCloseKey
RegGetValueA
RegSetValueExA
RegOpenKeyExW
RegCreateKeyW
RegDeleteValueA

dwmapi

DwmExtendFrameIntoClientArea

kernel32

FormatMessageW
WriteFile
GetModuleHandleW
GetSystemTimeAsFileTime
RtlVirtualUnwind
SwitchToFiber
FindNextFileW
GetModuleHandleExW
CreateFiber
LoadLibraryW
ConvertThreadToFiber
FindClose
FindFirstFileW
TlsFree
SystemTimeToFileTime
GetEnvironmentVariableW
GetConsoleMode
SetConsoleMode
ReadConsoleA
RtlCaptureContext
GetSystemTime
InitializeCriticalSectionAndSpinCount
GetCurrentThreadId
TlsAlloc
TlsGetValue
DeleteFiber
TlsSetValue
RtlLookupFunctionEntry
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
WakeAllConditionVariable
InitializeSListHead
SleepConditionVariableSRW
ReadConsoleW
ConvertFiberToThread
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
CreateMutexA
WaitForSingleObject
ReleaseMutex
CreateToolhelp32Snapshot
GetTickCount64
Process32Next
CloseHandle
GetCurrentProcessId
MultiByteToWideChar
GlobalAlloc
GlobalFree
GlobalLock
WideCharToMultiByte
GlobalUnlock
GetModuleHandleA
LoadLibraryA
QueryPerformanceFrequency
GetProcAddress
VerSetConditionMask
FreeLibrary
QueryPerformanceCounter
GetTickCount
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
Sleep
SleepEx
GetSystemDirectoryA
VerifyVersionInfoA
WaitForSingleObjectEx
GetLastError
ExpandEnvironmentStringsA
GetStdHandle
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
SetLastError
FormatMessageA
CreateFileA
GetFileSizeEx
IsDebuggerPresent

user32

SetCursorPos
GetClientRect
SetCursor
GetForegroundWindow
ClientToScreen
ScreenToClient
LoadCursorA
GetKeyState
SendInput
FindWindowA
EnumDisplaySettingsA
GetProcessWindowStation
GetUserObjectInformationW
MessageBoxW
GetCursorPos
MessageBoxA
SetClipboardData
GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard

d3d11

D3D11CreateDeviceAndSwapChain

msvcp140

?good@ios_base@std@@QEBA_NXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
_Query_perf_counter
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exceptions@std@@YAHXZ
_Query_perf_frequency
?_Xlength_error@std@@YAXPEBD@Z
?_Xbad_function_call@std@@YAXXZ

d3dcompiler_47

D3DCompile

imm32

ImmSetCompositionWindow
ImmReleaseContext
ImmSetCandidateWindow
ImmGetContext

bcrypt

BCryptGenRandom

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__current_exception_context
__C_specific_handler
__std_exception_copy
_local_unwind
_CxxThrowException
wcsstr
memchr
memcmp
memmove
strrchr
strchr
memset
memcpy
strstr
__std_terminate
__std_exception_destroy
__current_exception

api-ms-win-crt-multibyte-l1-1-0

_mbscmp

api-ms-win-crt-stdio-l1-1-0

fread
_wfopen
fwrite
__stdio_common_vswprintf
_set_fmode
_read
fflush
__stdio_common_vfprintf
fseek
__stdio_common_vsprintf_s
setvbuf
__p__commode
clearerr
__stdio_common_vsscanf
__acrt_iob_func
_write
_close
_open
_setmode
fputs
fgets
fputc
setbuf
_fileno
__stdio_common_vsprintf
fopen
ferror
ftell
feof
_lseeki64
fclose

api-ms-win-crt-convert-l1-1-0

strtoull
strtoll
strtod
strtol
atoi
strtoul

api-ms-win-crt-locale-l1-1-0

localeconv
_configthreadlocale

api-ms-win-crt-runtime-l1-1-0

_errno
_invalid_parameter_noinfo_noreturn
terminate
_beginthreadex
strerror
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
signal
strerror_s
__sys_nerr
_exit
exit
raise
_initterm_e
_initterm
_get_initial_narrow_environment
_set_app_type
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_seh_filter_exe
__p___argc

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-string-l1-1-0

strpbrk
isupper
strncmp
strcmp
_stricmp
_strdup
_strnicmp
strncpy
isspace
strcspn
strspn
tolower

api-ms-win-crt-heap-l1-1-0

_set_new_mode
calloc
free
_callnewh
realloc
malloc

api-ms-win-crt-time-l1-1-0

_time64
_gmtime64_s
_gmtime64

api-ms-win-crt-filesystem-l1-1-0

_stat64i32
_fstat64
_access
_stat64
_fstat64i32

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-math-l1-1-0

sqrtf
sinf
__setusermatherr
cosf
ceilf
acosf
fmodf

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 713KB - Virtual size: 712KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 93KB - Virtual size: 92KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

33fe85ebb288b72a43db7b93b9f91e6a

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

wldap32

crypt32

advapi32

dwmapi

kernel32

user32

d3d11

msvcp140

d3dcompiler_47

imm32

bcrypt

vcruntime140_1

vcruntime140

api-ms-win-crt-multibyte-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-math-l1-1-0

Sections

.text Size: 2.3MB - Virtual size: 2.3MB

.rdata Size: 713KB - Virtual size: 712KB

.data Size: 24KB - Virtual size: 45KB

.pdata Size: 93KB - Virtual size: 92KB

_RDATA Size: 30KB - Virtual size: 30KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 25KB - Virtual size: 25KB

.text
Size: 2.3MB - Virtual size: 2.3MB

.rdata
Size: 713KB - Virtual size: 712KB

.data
Size: 24KB - Virtual size: 45KB

.pdata
Size: 93KB - Virtual size: 92KB

_RDATA
Size: 30KB - Virtual size: 30KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 25KB - Virtual size: 25KB