BH6[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

BH6.exe
Size

19.9MB
MD5

f97da648154c8cd8d29d57a12b8103a1
SHA1

a552b48a8f53217432e31f826d9c17eb40097d4e
SHA256

b8bceaf09272d5f30b89940737763afa6dfb78647c81165af1aa8a10d0afeb35
SHA512

f49386ce4f93df99885e37165a99a30008812b51842b69c4a19ba0b3990d1d6f3f19a0c600bc4dee9d4eff003fb2721d31ca5dc87c48b0ecfb73f6f4760a5f3c
SSDEEP

393216:VXhHdh4QDApwm5jOA2GzrXELu/A6CtJIuKOGhEv:VxrGzrrN56

Score

1^/10

Malware Config

Signatures

Files

BH6.exe
.exe windows:5 windows x86 arch:x86

094cabbcc8dc2a5c278d2c3fca16643b

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

54:02:9f:41:f6:3a:52:88:34:d3:60:39:87:19:92:95
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

25/04/2017, 00:00

Not After

03/05/2018, 23:59

Subject

CN=CAPCOM Co.\,Ltd.,OU=R&D Asset Management Section,O=CAPCOM Co.\,Ltd.,L=Osaka,ST=Osaka,C=JP

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

a8:f5:58:87:97:eb:0d:09:91:58:3e:b9:48:7a:7d:4e:21:d9:52:7f:38:72:a8:59:eb:66:74:42:55:ab:45:3d
Signer

Actual PE Digest

a8:f5:58:87:97:eb:0d:09:91:58:3e:b9:48:7a:7d:4e:21:d9:52:7f:38:72:a8:59:eb:66:74:42:55:ab:45:3d

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\BH6PC\PC\RE6\BH6\ProjectOutput\MasterRelease_L4DWin32\BH6.pdb

Imports

kernel32

CreateThread
LocalAlloc
CloseHandle
ResetEvent
WaitForSingleObject
WriteConsoleW
SetEnvironmentVariableA
CompareStringW
GetStringTypeW
CreateFileW
FlushFileBuffers
SetStdHandle
GetConsoleMode
GetConsoleCP
GetTimeZoneInformation
LCMapStringW
HeapCreate
GetEnvironmentStringsW
FreeEnvironmentStringsW
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
SetLastError
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InterlockedExchange
GetModuleFileNameW
HeapSize
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
HeapReAlloc
RaiseException
GetStartupInfoW
GetUserDefaultLCID
DeleteFileA
HeapSetInformation
GetModuleHandleW
Sleep
GetPrivateProfileSectionNamesW
IsDebuggerPresent
WideCharToMultiByte
GetPrivateProfileStringW
MultiByteToWideChar
WritePrivateProfileStringW
GetTickCount
InterlockedIncrement
SetUnhandledExceptionFilter
DeleteCriticalSection
UnhandledExceptionFilter
DecodePointer
EncodePointer
IsProcessorFeaturePresent
GetProcessHeap
HeapAlloc
HeapFree
SetThreadPriority
GetStdHandle
CreateProcessA
GetCurrentProcessId
TerminateProcess
GetDiskFreeSpaceExW
FindFirstFileW
FindClose
SetEvent
CreateEventA
GlobalFree
ExitProcess
VerSetConditionMask
VerifyVersionInfoA
QueryPerformanceFrequency
QueryPerformanceCounter
LoadLibraryA
OutputDebugStringA
CreateDirectoryW
GetFileAttributesW
GetCommandLineA
LoadLibraryW
FreeLibrary
DebugBreak
GetExitCodeThread
GetCurrentDirectoryA
WaitForMultipleObjects
SetThreadIdealProcessor
InitializeCriticalSection
InterlockedDecrement
LeaveCriticalSection
RtlUnwind
EnterCriticalSection
VirtualAlloc
VirtualFree
GetCurrentThreadId
InterlockedExchangeAdd
InterlockedCompareExchange
GetCurrentProcess
FileTimeToSystemTime
CreateDirectoryA
GetFileAttributesA
MoveFileA
SetCurrentDirectoryA
GetModuleFileNameA
FindNextFileA
FindFirstFileA
CopyFileA
SetEndOfFile
GetLastError
GetFileSize
CreateFileA
GetDiskFreeSpaceA
SleepEx
ReadFileEx
ReadFile
WriteFile
SetFilePointer
GlobalLock
GlobalAlloc
GlobalUnlock
GetCurrentDirectoryW
GetProcAddress
GetModuleHandleA
CreateMutexA
ReleaseMutex
GetSystemTimeAsFileTime
GetSystemInfo
ResumeThread
SuspendThread

user32

MessageBoxA
GetClientRect
IsIconic
GetForegroundWindow
SetPropA
RegisterClassExA
GetPropA
DefWindowProcA
GetFocus
SetWindowTextW
CreateWindowExA
DestroyWindow
RemovePropA
GetWindowThreadProcessId
wsprintfW
GetCursorInfo
ShowCursor
ClipCursor
GetCursorPos
ScreenToClient
ClientToScreen
GetKeyboardLayout
GetAsyncKeyState
UnregisterHotKey
RegisterHotKey
GetSystemMetrics
SetWindowLongA
SetWindowPos
PostMessageA
FindWindowW
LoadAcceleratorsA
LoadIconA
LoadCursorA
RegisterClassExW
DefWindowProcW
BeginPaint
EndPaint
GetWindowRect
PostQuitMessage
AdjustWindowRect
CreateWindowExW
GetSystemMenu
ShowWindow
UpdateWindow
SetTimer
KillTimer
PeekMessageA
TranslateMessage
DispatchMessageW
SendMessageW
CloseClipboard
SetClipboardData
EmptyClipboard
SendMessageA
SystemParametersInfoA

advapi32

RegOpenKeyExA
RegQueryValueExA
RegCloseKey

shell32

SHGetFolderPathW

ws2_32

inet_addr
recvfrom
WSAStartup
gethostname
WSACloseEvent
accept
listen
getsockopt
send
recv
setsockopt
getsockname
ntohs
htons
connect
ioctlsocket
getpeername
WSACreateEvent
socket
bind
gethostbyname
closesocket
__WSAFDIsSet
WSACleanup
sendto
WSAGetLastError
select

iphlpapi

GetIfTable
GetIfEntry
NotifyAddrChange

psapi

GetModuleFileNameExA

d3dx9_43

D3DXSaveTextureToFileA
D3DXGetShaderOutputSemantics
D3DXGetShaderConstantTable

d3d9

D3DPERF_SetOptions
D3DPERF_GetStatus
Direct3DCreate9

dinput8

DirectInput8Create

avifil32

AVIStreamRelease
AVIFileRelease
AVIFileExit
AVIStreamWrite

msvfw32

ICCompressorFree

winmm

timeBeginPeriod
timeEndPeriod
timeGetTime

gdiplus

GdipFree
GdipSaveImageToFile
GdiplusShutdown
GdipCloneImage
GdipAlloc
GdipLoadImageFromFile
GdipDisposeImage

imm32

ImmGetDefaultIMEWnd
ImmDisableIME
ImmReleaseContext
ImmGetCompositionStringA
ImmGetContext

steam_api

SteamUser
SteamRemoteStorage
SteamUtils
SteamUserStats
SteamFriends
SteamAPI_Shutdown
SteamAPI_Init
SteamAPI_IsSteamRunning
SteamAPI_RunCallbacks
SteamAPI_RegisterCallback
SteamAPI_RegisterCallResult
SteamNetworking
SteamMatchmaking
SteamHTTP
SteamApps
SteamAPI_UnregisterCallResult
SteamAPI_UnregisterCallback

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

gdi32

GetStockObject

ole32

CoTaskMemAlloc
CoTaskMemFree
CoSetProxyBlanket
CoInitialize
CoUninitialize
CoCreateInstance

oleaut32

SysAllocString
SysFreeString

Sections

.text
Size: 17.0MB - Virtual size: 17.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.2MB - Virtual size: 2.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 546KB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 198KB - Virtual size: 198KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

094cabbcc8dc2a5c278d2c3fca16643b

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

54:02:9f:41:f6:3a:52:88:34:d3:60:39:87:19:92:95Certificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

a8:f5:58:87:97:eb:0d:09:91:58:3e:b9:48:7a:7d:4e:21:d9:52:7f:38:72:a8:59:eb:66:74:42:55:ab:45:3dSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

ws2_32

iphlpapi

psapi

d3dx9_43

d3d9

dinput8

avifil32

msvfw32

winmm

gdiplus

imm32

steam_api

version

gdi32

ole32

oleaut32

Sections

.text Size: 17.0MB - Virtual size: 17.0MB

.rdata Size: 2.2MB - Virtual size: 2.2MB

.data Size: 546KB - Virtual size: 1.3MB

.rsrc Size: 198KB - Virtual size: 198KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

54:02:9f:41:f6:3a:52:88:34:d3:60:39:87:19:92:95
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

a8:f5:58:87:97:eb:0d:09:91:58:3e:b9:48:7a:7d:4e:21:d9:52:7f:38:72:a8:59:eb:66:74:42:55:ab:45:3d
Signer

.text
Size: 17.0MB - Virtual size: 17.0MB

.rdata
Size: 2.2MB - Virtual size: 2.2MB

.data
Size: 546KB - Virtual size: 1.3MB

.rsrc
Size: 198KB - Virtual size: 198KB