2024-07-08_10c43feb8b300d6cc77787488ddcb1fa_mafia

Sharing

Copy URL

Twitter E-mail

General

Target

2024-07-08_10c43feb8b300d6cc77787488ddcb1fa_mafia
Size

421KB
MD5

10c43feb8b300d6cc77787488ddcb1fa
SHA1

6bbee2d321da9cdeab913a0017139a74f66729bc
SHA256

f4332e22af528bdecbb5ee48b2eec637a48e395ba32266c522bba1f02059679b
SHA512

057543d5beef69befa5215d03f593abcd74fed5c7f5d9ef8377303f64a094afb58f69d972b75bec973b15623461889723c267fcf5024e53f7fb01b35e97f1f4b
SSDEEP

12288:uJsEbr43kXNlZQh5PDpb+vUioC0+oqMpUkmIw8kxfBT:uGEbU3jhxcP0FqSXM8kxJT

Score

1^/10

Malware Config

Signatures

Files

2024-07-08_10c43feb8b300d6cc77787488ddcb1fa_mafia
.exe windows:5 windows x86 arch:x86

fefdfa7bf3da43290b81d90c90b5805a

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

33:65:50:08:79:ad:73:e2:30:b9:e0:1d:0d:7f:ac:91
Certificate

Issuer

CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA,1.2.840.113549.1.9.1=#0c197072656d69756d2d736572766572407468617774652e636f6d

Not Before

17/11/2006, 00:00

Not After

30/12/2020, 23:59

Subject

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

46:1c:e4:36:56:4e:23:cc:d9:fb:ab:16:de:4b:92:7d
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

26/10/2013, 00:00

Not After

26/10/2015, 23:59

Subject

CN=杭州如杰网络科技有限公司,OU=IT部门,O=杭州如杰网络科技有限公司,L=杭州,ST=浙江,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

af:11:e7:b6:8e:62:bb:cc:d5:58:25:00:38:d0:78:18:09:82:14:42
Signer

Actual PE Digest

af:11:e7:b6:8e:62:bb:cc:d5:58:25:00:38:d0:78:18:09:82:14:42

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\b5m-client-search\ruyiso\RYSProject\bin\Release\NaMsgHost\pdb\B5MRysNaMsgHost.pdb

Imports

kernel32

WriteFile
Sleep
ReadFile
DisconnectNamedPipe
CreateNamedPipeW
CreateEventW
CreateThread
CreateProcessW
SetEndOfFile
ConnectNamedPipe
SetEvent
WaitForSingleObject
CloseHandle
GetLocalTime
GlobalFree
GetProcAddress
GetLastError
lstrlenW
MultiByteToWideChar
LoadLibraryW
WideCharToMultiByte
GetModuleHandleW
OutputDebugStringW
FreeLibrary
FlushFileBuffers
CreateMutexW
LocalFree
lstrlenA
DeviceIoControl
SetEnvironmentVariableA
CompareStringW
CreateFileW
SetStdHandle
SetFilePointer
GetConsoleMode
GetConsoleCP
HeapReAlloc
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
GetCurrentProcessId
QueryPerformanceCounter
InterlockedIncrement
InterlockedDecrement
InterlockedCompareExchange
InterlockedExchange
GetStringTypeW
EncodePointer
DecodePointer
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteFileA
GetCurrentProcess
WTSGetActiveConsoleSessionId
CreateFileA
OutputDebugStringA
TerminateProcess
GetExitCodeProcess
GetModuleFileNameW
GetVersionExW
FindClose
FindFirstFileW
GetTickCount
FindFirstFileA
CopyFileA
GetSystemTime
HeapFree
HeapAlloc
GetSystemTimeAsFileTime
ExitProcess
ExitThread
GetCurrentThreadId
GetCommandLineW
HeapSetInformation
GetCPInfo
RaiseException
RtlUnwind
LCMapStringW
WriteConsoleW
GetFileType
GetStdHandle
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetACP
GetOEMCP
IsValidCodePage
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
GetTimeZoneInformation
IsProcessorFeaturePresent
HeapCreate
HeapSize
InitializeCriticalSectionAndSpinCount
GetLocaleInfoW
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetStartupInfoW
GetProcessHeap

user32

FindWindowW
wsprintfW
SendMessageW

advapi32

SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegCloseKey
RegOpenKeyExW
RegQueryValueExW

shell32

SHCreateDirectoryExA
SHGetFolderLocation
SHGetPathFromIDListW
ord155
ShellExecuteExW

winhttp

WinHttpSendRequest
WinHttpReceiveResponse
WinHttpSetTimeouts
WinHttpSetOption
WinHttpWriteData
WinHttpConnect
WinHttpCloseHandle
WinHttpQueryHeaders
WinHttpGetIEProxyConfigForCurrentUser
WinHttpOpenRequest
WinHttpOpen
WinHttpAddRequestHeaders
WinHttpReadData
WinHttpCrackUrl
WinHttpQueryDataAvailable
WinHttpGetProxyForUrl

psapi

GetModuleBaseNameA

wtsapi32

WTSQueryUserToken

ole32

CoTaskMemFree
CoInitialize
CoCreateInstance
CoSetProxyBlanket
CoInitializeSecurity

oleaut32

SysFreeString
VariantInit
VariantClear
SysAllocString

Sections

.text
Size: 327KB - Virtual size: 326KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 53KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 824B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

fefdfa7bf3da43290b81d90c90b5805a

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

33:65:50:08:79:ad:73:e2:30:b9:e0:1d:0d:7f:ac:91Certificate

Key Usages

46:1c:e4:36:56:4e:23:cc:d9:fb:ab:16:de:4b:92:7dCertificate

Extended Key Usages

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5eCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

af:11:e7:b6:8e:62:bb:cc:d5:58:25:00:38:d0:78:18:09:82:14:42Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

winhttp

psapi

wtsapi32

ole32

oleaut32

Sections

.text Size: 327KB - Virtual size: 326KB

.rdata Size: 53KB - Virtual size: 52KB

.data Size: 8KB - Virtual size: 18KB

.rsrc Size: 1024B - Virtual size: 824B

.reloc Size: 24KB - Virtual size: 24KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

33:65:50:08:79:ad:73:e2:30:b9:e0:1d:0d:7f:ac:91
Certificate

46:1c:e4:36:56:4e:23:cc:d9:fb:ab:16:de:4b:92:7d
Certificate

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

af:11:e7:b6:8e:62:bb:cc:d5:58:25:00:38:d0:78:18:09:82:14:42
Signer

.text
Size: 327KB - Virtual size: 326KB

.rdata
Size: 53KB - Virtual size: 52KB

.data
Size: 8KB - Virtual size: 18KB

.rsrc
Size: 1024B - Virtual size: 824B

.reloc
Size: 24KB - Virtual size: 24KB