21a25147d592a2d3c31edafb4f1acf0f7823485042fb639c934e6faeaac7432c

Sharing

Copy URL Twitter E-mail

General

Target

21a25147d592a2d3c31edafb4f1acf0f7823485042fb639c934e6faeaac7432c
Size

877KB
MD5

0bc00a6d42a70df0ba5bfae899d52ec5
SHA1

be23cb322b2f2b3dd3648c17a405cf7d984e21df
SHA256

21a25147d592a2d3c31edafb4f1acf0f7823485042fb639c934e6faeaac7432c
SHA512

b4373a5a6d21ca97f2aaa2237a51b8bdb3a6a7749f144711f9b34818164c31e79956df8b5d9b71246b309a348a3fb177aad69fa7b16687053acc01159bcd50ae
SSDEEP

12288:P8J/PphUzKqQpDNNRSDUk3BTguyYlIVYolUdjs5xmkW5DkAslFV5kT:kJgKtppNRSDp31gCfsZW5DalFV5A

Score

1^/10

Malware Config

Signatures

Files

21a25147d592a2d3c31edafb4f1acf0f7823485042fb639c934e6faeaac7432c
.dll windows:10 windows x64 arch:x64

8c13c89d9b2658da5d94355c8a2139dc

Code Sign

33:00:00:04:60:cf:42:a9:12:31:5f:6f:b3:00:00:00:00:04:60
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/11/2023, 19:20

Not After

14/11/2024, 19:20

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d8:ea:4a:49:59:39:ca:51:3f:b5:de:dc:10:1f:89:4e:1e:c4:ab:71:b9:ce:55:c8:61:c9:0b:96:76:92:99:67
Signer

Actual PE Digest

d8:ea:4a:49:59:39:ca:51:3f:b5:de:dc:10:1f:89:4e:1e:c4:ab:71:b9:ce:55:c8:61:c9:0b:96:76:92:99:67

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

AeMareBackup.pdb

Imports

msvcrt

iswspace
_wcslwr
__CxxFrameHandler3
_wtoi64
tolower
wcstol
_errno
swprintf_s
wcstoul
_wcstoui64
_wcsnicmp
_wtof
memcpy
memmove
_wtoi
wcsrchr
strcspn
iswcntrl
_wsetlocale
islower
isspace
localeconv
fwrite
fgetpos
_fseeki64
fsetpos
__uncaught_exception
fflush
__mb_cur_max
??0bad_cast@@QEAA@PEBD@Z
??1bad_cast@@UEAA@XZ
??0bad_cast@@QEAA@AEBV0@@Z
localtime
strftime
_vscwprintf
??0exception@@QEAA@AEBQEBD@Z
wcsstr
setlocale
___mb_cur_max_func
?what@exception@@UEBAPEBDXZ
ungetwc
ungetc
___lc_handle_func
fputwc
fgetwc
fgetc
_wcsicmp
fwprintf_s
_wfopen_s
towlower
wcschr
fclose
___lc_codepage_func
__CxxFrameHandler4
_ismbblead
_Getmonths
wcscpy_s
_W_Getdays
sprintf_s
__pctype_func
strchr
isupper
_W_Getmonths
realloc
calloc
__crtLCMapStringW
__crtLCMapStringA
_CxxThrowException
??0exception@@QEAA@AEBQEBDH@Z
strncmp
_vsnprintf
?terminate@@YAXXZ
wcscat_s
strcpy_s
fseek
_wfsopen
ldexp
memset
___lc_collate_cp_func
isdigit
isalnum
memchr
wcsncmp
time
_Strftime
_Gettnames
_wsplitpath_s
memcmp
??1type_info@@UEAA@XZ
_onexit
abort
__dllonexit
_unlock
_lock
_initterm
_wcsdup
malloc
__crtCompareStringW
free
setvbuf
__crtCompareStringA
_amsg_exit
_XcptFilter
__C_specific_handler
_Wcsftime
_W_Gettnames
_vsnwprintf_s
memmove_s
_vsnprintf_s
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
_purecall
memcpy_s
_vsnwprintf
_Getdays
wcscmp

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleExW
FreeLibrary
GetModuleHandleExA
LoadLibraryExW
GetProcAddress

ntdll

RtlInitUnicodeStringEx
ZwMapViewOfSection
ZwQueryValueKey
RtlSecondsSince1970ToTime
ZwQueryInformationFile
LdrResSearchResource
RtlGetNativeSystemInformation
ZwOpenKey
RtlxAnsiStringToUnicodeSize
RtlFreeUnicodeString
ZwCreateSection
RtlDosPathNameToNtPathName_U_WithStatus
RtlUpcaseUnicodeChar
RtlTimeToTimeFields
RtlAppendUnicodeToString
EtwTraceMessage
RtlAppendUnicodeStringToString
ZwUnmapViewOfSection
ZwQuerySystemInformation
RtlImageDirectoryEntryToData
RtlAnsiStringToUnicodeString
ZwClose
EtwEventRegister
EtwEventWrite
EtwEventUnregister
RtlLeaveCriticalSection
RtlInitializeCriticalSection
ZwEnumerateKey
RtlMultiByteToUnicodeN
RtlInitAnsiString
RtlEnterCriticalSection
RtlEqualString
RtlDeleteCriticalSection
RtlGetDeviceFamilyInfoEnum
RtlAllocateAndInitializeSid
RtlNtStatusToDosError
RtlFreeSid
WinSqmIsOptedInEx
ZwCreateFile
LdrGetProcedureAddress
LdrGetDllHandle
RtlDosPathNameToRelativeNtPathName_U_WithStatus
RtlInitUnicodeString
NtClose
NtQueryInformationFile
RtlInitString
NtCreateFile
RtlAllocateHeap
RtlFreeHeap
RtlVerifyVersionInfo

api-ms-win-core-synch-l1-1-0

CreateMutexExW
OpenSemaphoreW
ReleaseSRWLockExclusive
LeaveCriticalSection
SetEvent
AcquireSRWLockShared
CreateMutexW
CreateEventW
InitializeSRWLock
OpenWaitableTimerW
SetWaitableTimer
DeleteCriticalSection
CreateSemaphoreExW
ReleaseSRWLockShared
EnterCriticalSection
WaitForSingleObjectEx
ReleaseSemaphore
ReleaseMutex
TryAcquireSRWLockExclusive
InitializeCriticalSectionEx
WaitForSingleObject
CreateEventExW
AcquireSRWLockExclusive
InitializeCriticalSection

api-ms-win-core-heap-l1-1-0

HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter
RaiseException
GetLastError
SetLastError

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
CloseThreadpoolTimer
SetThreadpoolTimer

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetCurrentThreadId
GetCurrentProcessId
TerminateProcess
ExitProcess
GetCurrentThread

api-ms-win-core-localization-l1-2-0

GetLocaleInfoW
FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW
OutputDebugStringA

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
GetStringTypeW
WideCharToMultiByte

api-ms-win-core-synch-l1-2-0

WakeAllConditionVariable
InitOnceComplete
SignalObjectAndWait
InitOnceBeginInitialize
SleepConditionVariableSRW
Sleep

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetTickCount
GetSystemTimeAsFileTime

ole32

CoTaskMemFree
CoTaskMemAlloc
CoCreateInstance
CoInitialize
CoUninitialize
CoEnableCallCancellation
CoDisableCallCancellation
CoCancelCall
RoGetAgileReference
CoReleaseMarshalData
CoGetInterfaceAndReleaseStream
CoCreateGuid
CoGetClassObject
CoInitializeEx
PropVariantClear

ext-ms-win-session-wtsapi32-l1-1-0

WTSFreeMemory
WTSEnumerateSessionsW
WTSQueryUserToken

aepic

ord101
ord109
ord100
ord104
ord102
ord103
ord107
ord105
ord106
ord108

psapi

GetDeviceDriverBaseNameW
EnumDeviceDrivers

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventSetInformation
EventUnregister
EventRegister

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW

api-ms-win-core-sysinfo-l1-2-0

VerSetConditionMask

api-ms-win-core-registry-l1-1-0

RegEnumKeyExW
RegOpenKeyExW
RegLoadAppKeyW
RegDeleteTreeW
RegSetValueExW
RegGetValueW
RegCloseKey
RegCreateKeyExW
RegEnumValueW
RegQueryInfoKeyW
RegQueryValueExW
RegDeleteValueW

rpcrt4

UuidCreate

api-ms-win-core-heap-l2-1-0

GlobalFree
LocalFree
LocalAlloc

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects
CreateSemaphoreW
CreateWaitableTimerW

api-ms-win-security-base-l1-1-0

ImpersonateLoggedOnUser
InitializeSecurityDescriptor
RevertToSelf
SetSecurityDescriptorDacl
IsWellKnownSid

api-ms-win-security-provider-l1-1-0

SetEntriesInAclW

api-ms-win-core-memory-l1-1-0

CreateFileMappingW
UnmapViewOfFile
MapViewOfFile
OpenFileMappingW

api-ms-win-core-registry-l2-1-0

RegOpenKeyW

api-ms-win-core-version-l1-1-0

VerQueryValueW

api-ms-win-core-version-l1-1-1

GetFileVersionInfoW
GetFileVersionInfoSizeW

api-ms-win-core-file-l1-1-0

QueryDosDeviceW
GetLogicalDriveStringsW
GetVolumeInformationByHandleW
CreateFileW
FindClose
GetLongPathNameW
FindNextFileW
FindFirstFileW
CreateDirectoryW
GetFileAttributesW
CompareFileTime
GetFileAttributesExW
WriteFile

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
ExpandEnvironmentStringsW
GetCurrentDirectoryW

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-security-sddl-l1-1-0

ConvertStringSidToSidW

api-ms-win-core-winrt-l1-1-0

RoUninitialize
RoInitialize

api-ms-win-core-threadpool-legacy-l1-1-0

DeleteTimerQueueTimer
CreateTimerQueueTimer

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolQueueTask

winhttp

WinHttpGetIEProxyConfigForCurrentUser
WinHttpOpen
WinHttpConnect
WinHttpGetProxyForUrl
WinHttpGetDefaultProxyConfiguration
WinHttpSetOption
WinHttpOpenRequest
WinHttpCloseHandle
WinHttpQueryAuthSchemes
WinHttpSetCredentials
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpReceiveResponse

api-ms-win-security-credentials-l1-1-0

CredReadW
CredFree

api-ms-win-core-kernel32-legacy-l1-1-0

WTSGetActiveConsoleSessionId

api-ms-win-core-realtime-l1-1-0

QueryThreadCycleTime

api-ms-win-core-path-l1-1-0

PathCchRemoveFileSpec
PathCchCanonicalizeEx

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime

api-ms-win-core-shlwapi-legacy-l1-1-0

PathUnExpandEnvStringsW
PathFileExistsW

api-ms-win-shcore-path-l1-1-0

ord170

api-ms-win-core-commandlinetoargv-l1-1-0

CommandLineToArgvW

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-security-cryptoapi-l1-1-0

CryptAcquireContextW
CryptGetHashParam
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptReleaseContext

api-ms-win-core-sidebyside-l1-1-0

QueryActCtxW
ReleaseActCtx
CreateActCtxW

api-ms-win-eventing-classicprovider-l1-1-0

TraceEvent

Exports

Exports

BackupMareDataTC2

Sections

.text
Size: 656KB - Virtual size: 655KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 160KB - Virtual size: 156KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 28KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8c13c89d9b2658da5d94355c8a2139dc

Code Sign

33:00:00:04:60:cf:42:a9:12:31:5f:6f:b3:00:00:00:00:04:60Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

d8:ea:4a:49:59:39:ca:51:3f:b5:de:dc:10:1f:89:4e:1e:c4:ab:71:b9:ce:55:c8:61:c9:0b:96:76:92:99:67Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-libraryloader-l1-2-0

ntdll

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

ole32

ext-ms-win-session-wtsapi32-l1-1-0

aepic

psapi

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-registry-l1-1-0

rpcrt4

api-ms-win-core-heap-l2-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-security-base-l1-1-0

api-ms-win-security-provider-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-core-version-l1-1-1

api-ms-win-core-file-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-registry-l1-1-1

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-shcore-taskpool-l1-1-0

winhttp

api-ms-win-security-credentials-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-realtime-l1-1-0

api-ms-win-core-path-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-shcore-path-l1-1-0

api-ms-win-core-commandlinetoargv-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-security-cryptoapi-l1-1-0

api-ms-win-core-sidebyside-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

Exports

Exports

Sections

.text Size: 656KB - Virtual size: 655KB

.rdata Size: 160KB - Virtual size: 156KB

.data Size: 12KB - Virtual size: 14KB

.pdata Size: 28KB - Virtual size: 25KB

.rsrc Size: 4KB - Virtual size: 1KB

33:00:00:04:60:cf:42:a9:12:31:5f:6f:b3:00:00:00:00:04:60
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

d8:ea:4a:49:59:39:ca:51:3f:b5:de:dc:10:1f:89:4e:1e:c4:ab:71:b9:ce:55:c8:61:c9:0b:96:76:92:99:67
Signer

.text
Size: 656KB - Virtual size: 655KB

.rdata
Size: 160KB - Virtual size: 156KB

.data
Size: 12KB - Virtual size: 14KB

.pdata
Size: 28KB - Virtual size: 25KB

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 2KB