libcurl[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

libcurl.zip
Size

1.9MB
MD5

648aa82d2d91f38c9b1cbc2c7c876af0
SHA1

09148f473bbfd981d560e60e916eec922c84fb62
SHA256

b1b67ea4d5390bdb2715de8171951c0aeb038adc64e170f26781f73f44b038ab
SHA512

89caa1e3948f9931feec5bcf799c87385e474b5b3bca13d1820a14d6bcbdf970e18a9bcca935e64ef0ee45dccbfc5a826121f82b883d144215518f0751b41fca
SSDEEP

49152:nHb54TBHGR6jOxAduIeo+EslPgitmF8TcFFqFLgEhHrY0pD1I:nHlgHGUeAOfEspkDFFqJrY0pD1I

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/ascentfn.exe

Files

libcurl.zip
.zip
ascentfn.exe
.exe windows:6 windows x64 arch:x64

a3d31abc8a019476805053d40036b990

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\wuemeli\source\repos\udtillbattlebus-external\build\ascentfn.pdb

Imports

d3d11

D3D11CreateDeviceAndSwapChain

dwmapi

DwmExtendFrameIntoClientArea

ntdll

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

ws2_32

ntohs
select
setsockopt
shutdown
WSAStartup
WSACleanup
WSASetLastError
WSAGetLastError
WSARecv
getpeername
bind
WSAStringToAddressW
ioctlsocket
closesocket
WSASocketW
WSAAddressToStringW
ntohl
listen
htons
getsockname
htonl
getsockopt
WSASend

kernel32

ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetModuleHandleW
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
GetLocaleInfoEx
CreateFileA
CloseHandle
HeapAlloc
HeapFree
GetProcessHeap
DeviceIoControl
CreateEventA
WaitForMultipleObjects
GlobalAlloc
GlobalUnlock
GlobalLock
GlobalFree
MultiByteToWideChar
WideCharToMultiByte
QueryPerformanceCounter
QueryPerformanceFrequency
FreeLibrary
GetProcAddress
InitOnceBeginInitialize
GetLastError
SetLastError
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
CancelIoEx
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetEvent
ReleaseMutex
WaitForSingleObject
SleepEx
CreateMutexW
CreateEventW
SetWaitableTimer
Sleep
QueueUserAPC
GetCurrentProcessId
TerminateProcess
TerminateThread
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
OpenProcess
GetTickCount
VirtualProtect
VirtualQuery
LocalFree
FormatMessageA
lstrcmpiA
CreateWaitableTimerA
SetConsoleTitleA
GetConsoleWindow
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
Process32First
Process32Next
OutputDebugStringW
InitOnceComplete
LoadLibraryA
InitializeCriticalSectionEx
GetModuleHandleA

user32

EnumWindows
FindWindowA
GetDesktopWindow
SetWindowLongPtrA
GetWindowLongPtrA
SetWindowLongA
GetWindowLongA
GetWindowRect
GetWindowTextA
UpdateWindow
SetMenu
GetSystemMetrics
mouse_event
GetAsyncKeyState
SetWindowPos
ShowWindow
DestroyWindow
PeekMessageA
DispatchMessageA
TranslateMessage
GetWindowThreadProcessId
LoadCursorA
ScreenToClient
ClientToScreen
GetCursorPos
SetCursor
SetCursorPos
GetClientRect
GetForegroundWindow
GetKeyState
EmptyClipboard
GetClipboardData
GetClassNameA
SetClipboardData
CloseClipboard
OpenClipboard

msvcp140

?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$ctype@D@std@@2V0locale@2@A
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?_LogWorkItemCompleted@_TaskEventLogger@details@Concurrency@@QEAAXXZ
?_LogWorkItemStarted@_TaskEventLogger@details@Concurrency@@QEAAXXZ
?_LogTaskExecutionCompleted@_TaskEventLogger@details@Concurrency@@QEAAXXZ
?_LogTaskCompleted@_TaskEventLogger@details@Concurrency@@QEAAXXZ
?_LogCancelTask@_TaskEventLogger@details@Concurrency@@QEAAXXZ
?_LogScheduleTask@_TaskEventLogger@details@Concurrency@@QEAAX_N@Z
??0task_continuation_context@Concurrency@@AEAA@XZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?_Capture@_ContextCallback@details@Concurrency@@AEAAXXZ
?_Reset@_ContextCallback@details@Concurrency@@AEAAXXZ
?_CallInContext@_ContextCallback@details@Concurrency@@QEBAXV?$function@$$A6AXXZ@std@@_N@Z
?GetCurrentThreadId@platform@details@Concurrency@@YAJXZ
?_ReportUnobservedException@details@Concurrency@@YAXXZ
?_Release_chore@details@Concurrency@@YAXPEAU_Threadpool_chore@12@@Z
?_Schedule_chore@details@Concurrency@@YAHPEAU_Threadpool_chore@12@@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?gcount@?$basic_istream@DU?$char_traits@D@std@@@std@@QEBA_JXZ
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEBX@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?imbue@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Xbad_function_call@std@@YAXXZ
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?uncaught_exceptions@std@@YAHXZ
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrToBool@@YA_NPEBX@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
_Query_perf_counter
_Query_perf_frequency
_Thrd_detach
_Thrd_join
_Thrd_yield
_Thrd_hardware_concurrency
_Thrd_id
_Mtx_lock
_Mtx_unlock
_Cnd_init_in_situ
_Cnd_destroy_in_situ
_Cnd_wait
_Cnd_broadcast
_Cnd_register_at_thread_exit
_Cnd_unregister_at_thread_exit
_Cnd_do_broadcast_at_thread_exit
?_Throw_Cpp_error@std@@YAXH@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Winerror_map@std@@YAHH@Z
??Bid@locale@std@@QEAA_KXZ
?classic@locale@std@@SAAEBV12@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?toupper@?$ctype@D@std@@QEBADD@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??Bios_base@std@@QEBA_NXZ
??7ios_base@std@@QEBA_NXZ
?good@ios_base@std@@QEBA_NXZ
?flags@ios_base@std@@QEBAHXZ
?setf@ios_base@std@@QEAAHHH@Z
?width@ios_base@std@@QEBA_JXZ
?width@ios_base@std@@QEAA_J_J@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@G@Z

imm32

ImmGetContext
ImmSetCompositionWindow
ImmReleaseContext
ImmSetCandidateWindow

d3dcompiler_47

D3DCompile

mswsock

AcceptEx
GetAcceptExSockaddrs

libcurl

curl_easy_perform
curl_easy_strerror
curl_slist_append
curl_global_cleanup
curl_global_init
curl_easy_cleanup
curl_easy_getinfo
curl_easy_setopt
curl_easy_init

vcruntime140

__current_exception_context
__current_exception
__C_specific_handler
_CxxThrowException
__std_exception_destroy
__std_type_info_compare
_purecall
memchr
strstr
__std_terminate
memset
memmove
memcpy
memcmp
__std_exception_copy

vcruntime140_1

__CxxFrameHandler4

api-ms-win-crt-stdio-l1-1-0

fread
fflush
fclose
_wfopen
__stdio_common_vsnprintf_s
fgetc
__acrt_iob_func
__stdio_common_vsprintf
__stdio_common_vswprintf_s
ungetc
fseek
_get_stream_buffer_pointers
_set_fmode
_popen
_pclose
_fseeki64
fsetpos
fputc
__stdio_common_vsscanf
__p__commode
fwrite
setvbuf
fgets
fgetpos
__stdio_common_vfprintf
ftell

api-ms-win-crt-runtime-l1-1-0

abort
_seh_filter_exe
exit
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
__p___argc
_exit
_initterm_e
_initterm
_get_initial_narrow_environment
_set_app_type
_cexit
system
terminate
_crt_atexit
_register_onexit_function
_beginthreadex
signal
_initialize_onexit_table
_initialize_narrow_environment
_errno
_invalid_parameter_noinfo_noreturn
_configure_narrow_argv

api-ms-win-crt-math-l1-1-0

ceilf
acosf
powf
__setusermatherr
tanf
atan2
asin
cosf
sinf
sqrtf

api-ms-win-crt-heap-l1-1-0

_set_new_mode
free
malloc
_callnewh
_aligned_malloc
_aligned_free

api-ms-win-crt-string-l1-1-0

strncmp
strcspn
tolower
strcmp
toupper

api-ms-win-crt-utility-l1-1-0

srand
rand
qsort

api-ms-win-crt-convert-l1-1-0

strtod
strtoll
strtoull

api-ms-win-crt-filesystem-l1-1-0

remove
_lock_file
_unlock_file
_stat64i32

api-ms-win-crt-time-l1-1-0

_gmtime64_s
_time64
strftime

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Exports

Exports

interception_create_context
interception_destroy_context
interception_get_filter
interception_get_hardware_id
interception_get_precedence
interception_is_invalid
interception_is_keyboard
interception_is_mouse
interception_receive
interception_send
interception_set_filter
interception_set_precedence
interception_wait
interception_wait_with_timeout

Sections

.text
Size: 569KB - Virtual size: 568KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 132KB - Virtual size: 131KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 181KB - Virtual size: 183KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
libcurl.dll
.dll windows:6 windows x64 arch:x64

f005c3f78e8420e502da59527e185b97

Code Sign

21:05:fc:25:c2:a4:7d:bd:fd:de:47:cc:23:77:50:00:1d:5b:5b:b2
Certificate

Issuer

CN=curl-for-win Root CA 2024

Not Before

31/03/2024, 22:02

Not After

31/03/2029, 22:02

Subject

CN=curl-for-win Root CA 2024

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

3f:ce:36:e2:7d:57:32:82:a8:5f:00:c4:17:99:d6:70:39:63:34:cb
Certificate

Issuer

CN=curl-for-win Root CA 2024

Not Before

31/03/2024, 22:02

Not After

31/03/2027, 22:02

Subject

CN=curl-for-win Code Signing Authority

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

04:77:44:4a:41:de:d5:4f:24:77:81:5a:11:a7:71:8a:c5:f0:f9:05:3a:56:0e:6b:03:11:a9:e9:96:1a:93:12:98:b6:57:ec:e4:1a:46:77:52:2e:9b:74:e0:05:28:92:11:ea:b1:fd:9c:0c:73:0e:99:6d:26:53:30:b4:32:65
Signer

Actual PE Digest

04:77:44:4a:41:de:d5:4f:24:77:81:5a:11:a7:71:8a:c5:f0:f9:05:3a:56:0e:6b:03:11:a9:e9:96:1a:93:12:98:b6:57:ec:e4:1a:46:77:52:2e:9b:74:e0:05:28:92:11:ea:b1:fd:9c:0c:73:0e:99:6d:26:53:30:b4:32:65

Digest Algorithm

sha512

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

bcrypt

BCryptGenRandom

crypt32

CertCloseStore
CertEnumCertificatesInStore
CertFreeCertificateContext
CertGetEnhancedKeyUsage
CertGetIntendedKeyUsage
CertOpenSystemStoreA

kernel32

AcquireSRWLockExclusive
CancelIo
CloseHandle
CompareFileTime
CreateEventA
CreateFileA
CreateFileMappingA
CreateMutexA
DeleteCriticalSection
EnterCriticalSection
FormatMessageW
FreeLibrary
GetConsoleMode
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentVariableA
GetFileAttributesA
GetFileType
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetOverlappedResult
GetProcAddress
GetStdHandle
GetSystemDirectoryA
GetSystemInfo
GetSystemTimeAsFileTime
GetTickCount
GetTickCount64
GetTimeZoneInformation
InitOnceExecuteOnce
InitializeCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
LoadLibraryA
MapViewOfFile
MoveFileExA
MultiByteToWideChar
PeekNamedPipe
QueryPerformanceCounter
QueryPerformanceFrequency
ReadFile
ReleaseMutex
ReleaseSRWLockExclusive
RtlVirtualUnwind
SetConsoleMode
SetEvent
SetHandleInformation
SetLastError
Sleep
SleepEx
TerminateProcess
TlsGetValue
UnmapViewOfFile
VerSetConditionMask
VerifyVersionInfoW
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WaitForSingleObjectEx
WaitNamedPipeA
WideCharToMultiByte
WriteFile

normaliz

IdnToAscii
IdnToUnicode

api-ms-win-crt-convert-l1-1-0

atoi
mbrtowc
strtol
strtoll
strtoul
strtoull
wcrtomb
wcstombs

api-ms-win-crt-environment-l1-1-0

__p__environ
__p__wenviron
getenv

api-ms-win-crt-filesystem-l1-1-0

_findfirst64
_findclose
_findnext64
_fstat64
_fullpath
_lock_file
_stat64
_unlock_file
_unlink

api-ms-win-crt-heap-l1-1-0

_set_new_mode
calloc
free
malloc
realloc

api-ms-win-crt-locale-l1-1-0

localeconv

api-ms-win-crt-math-l1-1-0

_fdopen

api-ms-win-crt-private-l1-1-0

memchr
memcmp
memcpy
memmove
strchr
strrchr
strstr

api-ms-win-crt-runtime-l1-1-0

__p___argc
__p___argv
__p___wargv
__sys_errlist
__sys_nerr
_beginthreadex
_configure_narrow_argv
_configure_wide_argv
_crt_at_quick_exit
_crt_atexit
_errno
_execute_onexit_table
_exit
_initialize_narrow_environment
_initialize_onexit_table
_initialize_wide_environment
_initterm
_register_onexit_function
abort
exit
strerror

api-ms-win-crt-stdio-l1-1-0

__acrt_iob_func
__stdio_common_vfprintf
__stdio_common_vfwprintf
__stdio_common_vsprintf
__stdio_common_vsscanf
__stdio_common_vswprintf
_fseeki64
_get_osfhandle
_lseeki64
_open
fclose
feof
ferror
fflush
fgets
fopen
fputc
fputs
fread
fseek
ftell
fwrite
getc
rewind
setvbuf
ungetc
_write
_write
_read
_open
_fileno
_fileno
_close

api-ms-win-crt-string-l1-1-0

_strnicmp
isalnum
isspace
isupper
isxdigit
mbrlen
memset
strcmp
strcpy
strcspn
strlen
strncmp
strncpy
strpbrk
strspn
tolower
wcslen
_stricmp
_strdup

api-ms-win-crt-time-l1-1-0

__daylight
__timezone
__tzname
_difftime64
_gmtime64
_time64
_tzset
strftime

api-ms-win-crt-utility-l1-1-0

_byteswap_uint64
bsearch
qsort

user32

FindWindowA
SendMessageA

wldap32

ber_free
ldap_bind_s
ldap_err2string
ldap_first_attribute
ldap_first_entry
ldap_get_dn
ldap_get_values_len
ldap_init
ldap_memfree
ldap_msgfree
ldap_next_attribute
ldap_next_entry
ldap_search_s
ldap_set_option
ldap_simple_bind_s
ldap_sslinit
ldap_unbind_s
ldap_value_free_len

ws2_32

WSACleanup
WSACloseEvent
WSACreateEvent
WSAEnumNetworkEvents
WSAEventSelect
WSAGetLastError
WSAIoctl
WSAResetEvent
WSASetEvent
WSASetLastError
WSAStartup
WSAStringToAddressW
WSAWaitForMultipleEvents
__WSAFDIsSet
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
gethostname
getpeername
getsockname
getsockopt
htonl
htons
inet_ntop
inet_pton
ioctlsocket
listen
ntohl
ntohs
recv
recvfrom
select
send
sendto
setsockopt
shutdown
socket

Exports

Exports

curl_easy_cleanup
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_header
curl_easy_init
curl_easy_nextheader
curl_easy_option_by_id
curl_easy_option_by_name
curl_easy_option_next
curl_easy_pause
curl_easy_perform
curl_easy_recv
curl_easy_reset
curl_easy_send
curl_easy_setopt
curl_easy_strerror
curl_easy_unescape
curl_easy_upkeep
curl_escape
curl_formadd
curl_formfree
curl_formget
curl_free
curl_getdate
curl_getenv
curl_global_cleanup
curl_global_init
curl_global_init_mem
curl_global_sslset
curl_global_trace
curl_maprintf
curl_mfprintf
curl_mime_addpart
curl_mime_data
curl_mime_data_cb
curl_mime_encoder
curl_mime_filedata
curl_mime_filename
curl_mime_free
curl_mime_headers
curl_mime_init
curl_mime_name
curl_mime_subparts
curl_mime_type
curl_mprintf
curl_msnprintf
curl_msprintf
curl_multi_add_handle
curl_multi_assign
curl_multi_cleanup
curl_multi_fdset
curl_multi_get_handles
curl_multi_info_read
curl_multi_init
curl_multi_perform
curl_multi_poll
curl_multi_remove_handle
curl_multi_setopt
curl_multi_socket
curl_multi_socket_action
curl_multi_socket_all
curl_multi_strerror
curl_multi_timeout
curl_multi_wait
curl_multi_waitfds
curl_multi_wakeup
curl_mvaprintf
curl_mvfprintf
curl_mvprintf
curl_mvsnprintf
curl_mvsprintf
curl_pushheader_byname
curl_pushheader_bynum
curl_share_cleanup
curl_share_init
curl_share_setopt
curl_share_strerror
curl_slist_append
curl_slist_free_all
curl_strequal
curl_strnequal
curl_unescape
curl_url
curl_url_cleanup
curl_url_dup
curl_url_get
curl_url_set
curl_url_strerror
curl_version
curl_version_info
curl_ws_meta
curl_ws_recv
curl_ws_send

Sections

.text
Size: 2.2MB - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 693KB - Virtual size: 693KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.buildid
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 42KB - Virtual size: 53KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.note
Size: 512B - Virtual size: 364B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rodata
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a3d31abc8a019476805053d40036b990

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

d3d11

dwmapi

ntdll

ws2_32

kernel32

user32

msvcp140

imm32

d3dcompiler_47

mswsock

libcurl

vcruntime140

vcruntime140_1

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-locale-l1-1-0

Exports

Exports

Sections

.text Size: 569KB - Virtual size: 568KB

.rdata Size: 132KB - Virtual size: 131KB

.data Size: 181KB - Virtual size: 183KB

.pdata Size: 24KB - Virtual size: 23KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 2KB - Virtual size: 2KB

f005c3f78e8420e502da59527e185b97

Code Sign

21:05:fc:25:c2:a4:7d:bd:fd:de:47:cc:23:77:50:00:1d:5b:5b:b2Certificate

Key Usages

3f:ce:36:e2:7d:57:32:82:a8:5f:00:c4:17:99:d6:70:39:63:34:cbCertificate

Extended Key Usages

Key Usages

04:77:44:4a:41:de:d5:4f:24:77:81:5a:11:a7:71:8a:c5:f0:f9:05:3a:56:0e:6b:03:11:a9:e9:96:1a:93:12:98:b6:57:ec:e4:1a:46:77:52:2e:9b:74:e0:05:28:92:11:ea:b1:fd:9c:0c:73:0e:99:6d:26:53:30:b4:32:65Signer

Headers

DLL Characteristics

File Characteristics

Imports

bcrypt

crypt32

kernel32

normaliz

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

user32

wldap32

ws2_32

Exports

Exports

Sections

.text Size: 2.2MB - Virtual size: 2.2MB

.rdata Size: 693KB - Virtual size: 693KB

.buildid Size: 512B - Virtual size: 32B

.text
Size: 569KB - Virtual size: 568KB

.rdata
Size: 132KB - Virtual size: 131KB

.data
Size: 181KB - Virtual size: 183KB

.pdata
Size: 24KB - Virtual size: 23KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 2KB - Virtual size: 2KB

21:05:fc:25:c2:a4:7d:bd:fd:de:47:cc:23:77:50:00:1d:5b:5b:b2
Certificate

3f:ce:36:e2:7d:57:32:82:a8:5f:00:c4:17:99:d6:70:39:63:34:cb
Certificate

04:77:44:4a:41:de:d5:4f:24:77:81:5a:11:a7:71:8a:c5:f0:f9:05:3a:56:0e:6b:03:11:a9:e9:96:1a:93:12:98:b6:57:ec:e4:1a:46:77:52:2e:9b:74:e0:05:28:92:11:ea:b1:fd:9c:0c:73:0e:99:6d:26:53:30:b4:32:65
Signer

.text
Size: 2.2MB - Virtual size: 2.2MB

.rdata
Size: 693KB - Virtual size: 693KB

.buildid
Size: 512B - Virtual size: 32B

.data
Size: 42KB - Virtual size: 53KB

.pdata
Size: 2KB - Virtual size: 1KB

.note
Size: 512B - Virtual size: 364B

.rodata
Size: 17KB - Virtual size: 17KB

.tls
Size: 512B - Virtual size: 16B

.rsrc
Size: 1024B - Virtual size: 1016B

.reloc
Size: 21KB - Virtual size: 20KB