C:\Users\ALEX\Documents\Visual Studio 2013\Projects\oMrongStealer\oMrongStealer\obj\Release\oMrongStealer.pdb
Static task: static1
Behavioral task: behavioral1 (Sample: oMrongStealer.exe, Resource: win7-20240708-en)
Behavioral task: behavioral2 (Sample: oMrongStealer.exe, Resource: win10v2004-20240709-en)
Behavioral task: behavioral3 (Sample: oMrongStealer.vshost.exe, Resource: win7-20240704-en)
Behavioral task: behavioral4 (Sample: oMrongStealer.vshost.exe, Resource: win10v2004-20240709-en)
Behavioral task: behavioral5 (Sample: x.dll, Resource: win7-20240705-en)
Behavioral task: behavioral6 (Sample: x.dll, Resource: win10v2004-20240709-en)
General
- Target: oMrongStealer.zip
- Size: 809KB
- MD5: 9e1b939d787d91980089aa26790533e5
- SHA1: c0d67bb71d7859f66cc4efe87ba9d23b5e6147f9
- SHA256: 8763547429c3c40bcbe41bb29cdb19812068ac7cd0f7cc325394e3123da7b825
- SHA512: 5949167c33f554d15c31ee1ac887a5e4752428e6857a80ba0c5100f369bef46afdc950059b727e40f7c7792e07a030cad1d7c420f43ba9e57276a58366aac76c
- SSDEEP: 12288:fdjfuU4wUeok/Fy6J5BSW+LlKwXY87L/yi9XiCup9Ed+J5rsSOsvdRIwFB1+qV0:fdDax2jSWIKwXY8P/ruoc3sSOsFN1+N
Malware Config
Signatures
- Unsigned PE (1 IoCs)
Checks for missing Authenticode signature.
resource unpack001/oMrongStealer.exe
Files
- oMrongStealer.zip.zip
- oMrongStealer.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports
mscoree
_CorExeMain
Sections
.text Size: 19KB - Virtual size: 19KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.sdata Size: 512B - Virtual size: 312B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 12KB - Virtual size: 12KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
- oMrongStealer.exe.config
- oMrongStealer.pdb
- oMrongStealer.vshost.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Code Sign
Certificate 33:00:00:00:5a:ed:2f:f4:e4:20:99:3f:3a:00:00:00:00:00:5a
Issuer: CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Not Before: 23-05-2014 17:13
Not After: 23-08-2015 17:13
Subject: CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:B8EC-30A4-7144,O=Microsoft Corporation,L=Redmond,ST=WA,C=US
Extended Key Usages
ExtKeyUsageTimeStamping
Certificate 33:00:00:00:ca:6c:d5:32:12:35:c4:e1:55:00:01:00:00:00:ca
Issuer: CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Not Before: 22-04-2014 17:39
Not After: 22-07-2015 17:39
Subject: CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Extended Key Usages
ExtKeyUsageCodeSigning
Certificate 61:33:26:1a:00:00:00:00:00:31
Issuer: CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d
Not Before: 31-08-2010 22:19
Not After: 31-08-2020 22:29
Subject: CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
Certificate 61:16:68:34:00:00:00:00:00:1c
Issuer: CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d
Not Before: 03-04-2007 12:53
Not After: 03-04-2021 13:03
Subject: CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Extended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
Certificate 33:00:00:00:1a:77:bb:74:b3:07:d1:16:b8:00:00:00:00:00:1a
Issuer: CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Not Before: 24-09-2013 17:41
Not After: 24-12-2014 17:41
Subject: CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Extended Key Usages
ExtKeyUsageCodeSigning
Certificate 61:0e:90:d2:00:00:00:00:00:03
Issuer: CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Not Before: 08-07-2011 20:59
Not After: 08-07-2026 21:09
Subject: CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
Signer 78:11:82:87:90:19:17:fa:49:7d:b3:cb:92:39:3c:2a:48:a9:f1:0a:22:fb:06:02:2d:a1:cb:55:b0:cd:37:94
Actual PE Digest: 78:11:82:87:90:19:17:fa:49:7d:b3:cb:92:39:3c:2a:48:a9:f1:0a:22:fb:06:02:2d:a1:cb:55:b0:cd:37:94
Digest Algorithm: sha256
PE Digest Matches: true
Signer c2:44:96:a6:71:c9:c9:a2:19:cf:aa:41:bb:f5:96:90:9b:7a:7a:03
Actual PE Digest: c2:44:96:a6:71:c9:c9:a2:19:cf:aa:41:bb:f5:96:90:9b:7a:7a:03
Digest Algorithm: sha1
PE Digest Matches: true
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
PDB Paths
f:\binaries\Intermediate\vsproject\vshost32.csproj__1853760103\objr\x86\vshost32.pdb
Imports
mscoree
_CorExeMain
Sections
.text Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
- oMrongStealer.vshost.exe.config
- oMrongStealer.vshost.exe.manifest
- oMrongStealer.xml
- x.dll