381f8d1e6076b1c00008f8017418ce40N[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

381f8d1e6076b1c00008f8017418ce40N.exe
Size

1.5MB
MD5

381f8d1e6076b1c00008f8017418ce40
SHA1

1f8c79567de90fa9520af2a848c5f3d4da60e36a
SHA256

0fad7cf60668c907fbd1d4b787e7fd8d3e64c87d0dbebbd7f58c0e30ba7b0e12
SHA512

3def4d0396dd427564ebb731270c9419c02bd50655f5164d9206e3490a779ed4d668265980c941086fc84cecbdb782e76cede206880a090dc59714eede26ee37
SSDEEP

24576:3eBph5QMHmYLgvxVirnlBUKZ408vTZrX+lgdW:3Eh5fHrLgviLlBUKubZrX+ld

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
381f8d1e6076b1c00008f8017418ce40N.exe

Files

381f8d1e6076b1c00008f8017418ce40N.exe
.exe windows:6 windows x86 arch:x86

04fbb19013a91ed924d0bc93d226411d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\dbs\sh\ddvsm\0128_230433\cmd\4m\out\binaries\x86ret\bin\i386\bptoob\ScriptedHost\ScriptedSandbox32.pdb

Imports

advapi32

EventUnregister
EventRegister
EventWrite
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
RegEnumValueA
RegEnumKeyExW
RegEnumKeyExA
RegDeleteTreeA
RegDeleteKeyValueW
RegDeleteKeyValueA
RegDeleteValueW
RegDeleteValueA
RegDeleteKeyExW
RegDeleteKeyExA
RegDeleteKeyW
RegDeleteKeyA
RegQueryValueExA
RegOpenKeyExA
RegCreateKeyExA
RegLoadAppKeyW
RegDeleteTreeW
RegCreateKeyExW
RegSaveKeyW
RegGetKeySecurity
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueW
RegQueryInfoKeyA
RegQueryInfoKeyW
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
RegEnumValueW

kernel32

GetTempPathW
GetTempFileNameW
ReadProcessMemory
CreateEventW
WaitForSingleObject
GetCurrentProcess
ExitProcess
GetCurrentProcessId
GetOverlappedResult
WaitNamedPipeW
CreateFileW
DuplicateHandle
DecodePointer
SetEvent
LocalFree
OpenProcess
GetModuleHandleW
GetSystemDirectoryW
LoadLibraryW
CreateThread
CreatePipe
WaitForMultipleObjects
VirtualQuery
VirtualProtect
SetThreadContext
GetThreadContext
ResumeThread
SuspendThread
VerifyVersionInfoW
VerSetConditionMask
GetPrivateProfileStringW
HeapLock
GetVersionExW
HeapUnlock
Thread32Next
OpenThread
Thread32First
CreateToolhelp32Snapshot
InitializeCriticalSection
CompareStringA
GetFileAttributesExW
Sleep
GetTickCount
FlushViewOfFile
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
CreateDirectoryW
FindFirstFileW
ReleaseMutex
CreateMutexW
FindAtomW
AddAtomW
GetFileAttributesW
LoadLibraryExA
VirtualFree
VirtualAlloc
FlushInstructionCache
InterlockedPopEntrySList
ReadFile
LCMapStringEx
TryEnterCriticalSection
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InitializeSRWLock
WriteConsoleW
ReadConsoleW
SetEndOfFile
SetFilePointerEx
GetConsoleMode
GetConsoleCP
FlushFileBuffers
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetCPInfo
GetOEMCP
IsValidCodePage
FindNextFileW
FindFirstFileExW
FindClose
OutputDebugStringW
GetStringTypeW
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetFileType
GetCurrentThread
GetACP
WideCharToMultiByte
MultiByteToWideChar
GetStdHandle
GetModuleHandleExW
FreeLibrary
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
EncodePointer
InterlockedPushEntrySList
RtlUnwind
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
CloseHandle
CompareStringOrdinal
FindResourceW
FindResourceExW
LoadResource
LockResource
SizeofResource
GetProcAddress
LoadLibraryExW
lstrcmpW
MulDiv
GlobalAlloc
GlobalLock
GlobalUnlock
SetLastError
RaiseException
GetCurrentThreadId
InitializeCriticalSectionEx
DeleteCriticalSection
GetModuleFileNameW
LeaveCriticalSection
EnterCriticalSection
GetLastError
GetProcessHeap
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
HeapDestroy
WriteFile

gdi32

CreateSolidBrush
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
DeleteObject
BitBlt
DeleteDC
GetStockObject
GetObjectW
GetDeviceCaps

user32

GetWindowLongW
SetWindowLongW
DefWindowProcW
LoadCursorW
RegisterClassExW
UnregisterClassW
IsWindow
IsChild
GetFocus
SetFocus
GetWindow
PostMessageW
GetSysColor
GetClassNameW
SendMessageW
GetDlgItem
EndPaint
BeginPaint
DestroyAcceleratorTable
GetDesktopWindow
ReleaseDC
GetDC
InvalidateRect
CallWindowProcW
InvalidateRgn
GetClientRect
FillRect
ReleaseCapture
SetCapture
MoveWindow
ScreenToClient
GetParent
ClientToScreen
CreateAcceleratorTableW
SetWindowTextW
DestroyWindow
CreateWindowExW
GetClassInfoExW
RedrawWindow
SetWindowPos
GetWindowTextW
PeekMessageW
SetTimer
KillTimer
CallNextHookEx
UnhookWindowsHookEx
SetWindowsHookExW
GetAsyncKeyState
SetParent
AttachThreadInput
GetGUIThreadInfo
GetWindowThreadProcessId
PostThreadMessageW
DispatchMessageW
TranslateMessage
PostQuitMessage
GetMessageW
GetDoubleClickTime
AllowSetForegroundWindow
GetMonitorInfoW
MonitorFromPoint
RegisterWindowMessageW
GetWindowTextLengthW
CharNextW

ole32

CoTaskMemFree
OleLockRunning
CreateStreamOnHGlobal
CoCreateInstance
CoGetClassObject
CLSIDFromProgID
CLSIDFromString
OleInitialize
IIDFromString
CoInitialize
CoReleaseServerProcess
CoAddRefServerProcess
CoInitializeEx
CoUninitialize
CoCreateGuid
StringFromCLSID
OleUninitialize
CoGetMalloc
CreateBindCtx
CoTaskMemAlloc
StringFromGUID2

oleaut32

SysAllocStringByteLen
SysFreeString
SysAllocString
OleCreateFontIndirect
LoadRegTypeLi
SysStringLen
VariantClear
LoadTypeLi
VariantInit
SysAllocStringLen
VariantCopy
SafeArrayAccessData
SafeArrayUnaccessData
VarBstrCat
SafeArrayUnlock
SafeArrayDestroy
SafeArrayCreate
SafeArrayLock
DispCallFunc
VariantChangeType
SysStringByteLen

shlwapi

PathRemoveFileSpecW
StrCmpIW
StrCmpNIW
PathFileExistsW
PathFindFileNameW
PathAppendW
StrStrW
ord176
ord12
PathCombineW
PathIsRootW

shell32

CommandLineToArgvW
SHGetKnownFolderPath

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

wer

WerReportCreate
WerReportAddFile
WerReportSubmit
WerReportAddDump
WerReportSetParameter
WerReportCloseHandle

urlmon

CreateUri

vcruntime140

__uncaught_exception
wcschr
strrchr
memcmp

Sections

.text
Size: 331KB - Virtual size: 330KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourd
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1.2MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

04fbb19013a91ed924d0bc93d226411d

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

gdi32

user32

ole32

oleaut32

shlwapi

shell32

version

wer

urlmon

vcruntime140

Sections

.text Size: 331KB - Virtual size: 330KB

.data Size: 4KB - Virtual size: 8KB

.idata Size: 8KB - Virtual size: 8KB

.detourc Size: 4KB - Virtual size: 4KB

.detourd Size: 512B - Virtual size: 12B

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 1.2MB - Virtual size: 1.8MB

.text
Size: 331KB - Virtual size: 330KB

.data
Size: 4KB - Virtual size: 8KB

.idata
Size: 8KB - Virtual size: 8KB

.detourc
Size: 4KB - Virtual size: 4KB

.detourd
Size: 512B - Virtual size: 12B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 1.2MB - Virtual size: 1.8MB