oMrongStealer[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

oMrongStealer.zip
Size

809KB
MD5

9e1b939d787d91980089aa26790533e5
SHA1

c0d67bb71d7859f66cc4efe87ba9d23b5e6147f9
SHA256

8763547429c3c40bcbe41bb29cdb19812068ac7cd0f7cc325394e3123da7b825
SHA512

5949167c33f554d15c31ee1ac887a5e4752428e6857a80ba0c5100f369bef46afdc950059b727e40f7c7792e07a030cad1d7c420f43ba9e57276a58366aac76c
SSDEEP

12288:fdjfuU4wUeok/Fy6J5BSW+LlKwXY87L/yi9XiCup9Ed+J5rsSOsvdRIwFB1+qV0:fdDax2jSWIKwXY8P/ruoc3sSOsFN1+N

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/oMrongStealer.exe

Files

oMrongStealer.zip
.zip
oMrongStealer.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\ALEX\Documents\Visual Studio 2013\Projects\oMrongStealer\oMrongStealer\obj\Release\oMrongStealer.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.sdata
Size: 512B - Virtual size: 312B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
oMrongStealer.exe.config
oMrongStealer.pdb
oMrongStealer.vshost.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Code Sign

33:00:00:00:5a:ed:2f:f4:e4:20:99:3f:3a:00:00:00:00:00:5a
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23-05-2014 17:13

Not After

23-08-2015 17:13

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:B8EC-30A4-7144,O=Microsoft Corporation,L=Redmond,ST=WA,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:ca
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22-04-2014 17:39

Not After

22-07-2015 17:39

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31-08-2010 22:19

Not After

31-08-2020 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03-04-2007 12:53

Not After

03-04-2021 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:1a:77:bb:74:b3:07:d1:16:b8:00:00:00:00:00:1a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

24-09-2013 17:41

Not After

24-12-2014 17:41

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08-07-2011 20:59

Not After

08-07-2026 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

78:11:82:87:90:19:17:fa:49:7d:b3:cb:92:39:3c:2a:48:a9:f1:0a:22:fb:06:02:2d:a1:cb:55:b0:cd:37:94
Signer

Actual PE Digest

78:11:82:87:90:19:17:fa:49:7d:b3:cb:92:39:3c:2a:48:a9:f1:0a:22:fb:06:02:2d:a1:cb:55:b0:cd:37:94

Digest Algorithm

sha256

PE Digest Matches

true

c2:44:96:a6:71:c9:c9:a2:19:cf:aa:41:bb:f5:96:90:9b:7a:7a:03
Signer

Actual PE Digest

c2:44:96:a6:71:c9:c9:a2:19:cf:aa:41:bb:f5:96:90:9b:7a:7a:03

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

f:\binaries\Intermediate\vsproject\vshost32.csproj__1853760103\objr\x86\vshost32.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
oMrongStealer.vshost.exe.config
oMrongStealer.vshost.exe.manifest
oMrongStealer.xml
x.dll

Sharing

General

Malware Config

Signatures

Files

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 19KB - Virtual size: 19KB

.sdata Size: 512B - Virtual size: 312B

.rsrc Size: 12KB - Virtual size: 12KB

.reloc Size: 512B - Virtual size: 12B

f34d5f2d4577ed6d9ceec516c1f5a744

Code Sign

33:00:00:00:5a:ed:2f:f4:e4:20:99:3f:3a:00:00:00:00:00:5aCertificate

Extended Key Usages

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:caCertificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

33:00:00:00:1a:77:bb:74:b3:07:d1:16:b8:00:00:00:00:00:1aCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

78:11:82:87:90:19:17:fa:49:7d:b3:cb:92:39:3c:2a:48:a9:f1:0a:22:fb:06:02:2d:a1:cb:55:b0:cd:37:94Signer

c2:44:96:a6:71:c9:c9:a2:19:cf:aa:41:bb:f5:96:90:9b:7a:7a:03Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 4KB - Virtual size: 4KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 19KB - Virtual size: 19KB

.sdata
Size: 512B - Virtual size: 312B

.rsrc
Size: 12KB - Virtual size: 12KB

.reloc
Size: 512B - Virtual size: 12B

33:00:00:00:5a:ed:2f:f4:e4:20:99:3f:3a:00:00:00:00:00:5a
Certificate

33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:ca
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:00:1a:77:bb:74:b3:07:d1:16:b8:00:00:00:00:00:1a
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

78:11:82:87:90:19:17:fa:49:7d:b3:cb:92:39:3c:2a:48:a9:f1:0a:22:fb:06:02:2d:a1:cb:55:b0:cd:37:94
Signer

c2:44:96:a6:71:c9:c9:a2:19:cf:aa:41:bb:f5:96:90:9b:7a:7a:03
Signer

.text
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B