76c4edcb5f549cf760e308cac9dddda0N[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

76c4edcb5f549cf760e308cac9dddda0N.exe
Size

902KB
MD5

76c4edcb5f549cf760e308cac9dddda0
SHA1

1a365ae82df9d5217fd6446c88dadb4f474edb36
SHA256

3a7615aba06998afa94a0472d5a1727dd100404681bf6a87054431dcc7862075
SHA512

2eaccb7a80be7666b768f5cd5c9883c4a08c2e950e8ed61f298afc49b8b9de91f5c5848b5e8b39bf8af4400e376280c8396ab6fc35e78bc57846533c8199e237
SSDEEP

12288:hbhEbeLAjGjF6IXvbx0QFmv86sKU3tDuTtd4HtWTk9r52DnfJ0l6xdr:hbhEba7jZXvOQsk6iRuPGYToOn3xZ

Score

1^/10

Malware Config

Signatures

Files

76c4edcb5f549cf760e308cac9dddda0N.exe
.exe windows:5 windows x86 arch:x86

8720533a1261e43def3b8df575d526ef

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1c:a9:cc:01:74:7a:11:b1:ea:af:10:3c:8d:9a:9e:6c
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

02/06/2015, 00:00

Not After

31/08/2018, 23:59

Subject

CN=OPSWAT\, Inc.,O=OPSWAT\, Inc.,L=San Francisco,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

e2:35:8e:ac:6c:de:0c:72:19:fa:11:d6:67:c3:be:17:e8:db:ef:29
Signer

Actual PE Digest

e2:35:8e:ac:6c:de:0c:72:19:fa:11:d6:67:c3:be:17:e8:db:ef:29

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

X:\BuildAgent\work\d26598ff69389235\bin\Release\GearsAgentService.pdb

Imports

winhttp

WinHttpOpen
WinHttpGetDefaultProxyConfiguration
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpCloseHandle

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

wtsapi32

WTSEnumerateSessionsW
WTSQuerySessionInformationW
WTSFreeMemory
WTSQueryUserToken

psapi

EnumProcessModules
GetModuleFileNameExW
EnumProcesses

rpcrt4

RpcServerRegisterIf2
RpcServerListen
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcRaiseException
RpcServerUseProtseqEpW
NdrClientCall2
NdrServerCall2
RpcBindingFree
RpcStringFreeW
UuidToStringW
UuidCreate

userenv

CreateEnvironmentBlock
GetProfilesDirectoryW

ws2_32

WSACleanup
WSAStartup
gethostname
WSAAddressToStringW

iphlpapi

GetAdaptersAddresses

wininet

InternetConnectW
InternetCloseHandle
InternetOpenW
HttpQueryInfoW
HttpSendRequestW
HttpOpenRequestW
InternetReadFile

gdiplus

GdipDisposeImage
GdipCreateBitmapFromHBITMAP
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCloneImage
GdiplusShutdown
GdipFree
GdipAlloc
GdiplusStartup
GdipSaveImageToStream

crypt32

CertOpenSystemStoreW
CryptStringToBinaryW
CertCompareCertificateName
CertDeleteCertificateFromStore
CertEnumCertificateContextProperties
CertGetCertificateContextProperty
CertCreateCertificateContext
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertCloseStore

libeay32

ord78
ord66
ord52
ord95
ord1882
ord8
ord333
ord3212
ord279
ord283
ord281
ord674
ord608
ord575
ord658
ord602
ord600
ord664
ord641
ord673
ord656
ord246
ord1306
ord1305
ord1291
ord400
ord421
ord401
ord1912
ord601
ord605
ord607
ord670
ord657
ord672
ord667

kernel32

ExitThread
PeekNamedPipe
GetDriveTypeW
SystemTimeToTzSpecificLocalTime
GetTimeZoneInformation
GetCPInfo
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
TlsAlloc
TlsGetValue
TlsSetValue
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
CloseHandle
GetTickCount
lstrlenW
CreateProcessW
CreateDirectoryW
FreeLibrary
GetProcAddress
GetLastError
LoadLibraryW
SetEvent
WaitForSingleObject
CreateEventW
InitializeCriticalSectionAndSpinCount
TryEnterCriticalSection
InterlockedDecrement
TlsFree
ResetEvent
Sleep
FormatMessageW
RemoveDirectoryW
DeleteFileW
WTSGetActiveConsoleSessionId
GetSystemDirectoryW
GetCurrentProcess
SetPriorityClass
DecodePointer
InterlockedIncrement
RaiseException
LoadResource
SizeofResource
lstrcmpiW
LoadLibraryExW
GetModuleFileNameW
GetModuleHandleW
FindResourceW
MultiByteToWideChar
LockFile
UnlockFile
WriteFile
SetFilePointer
CreateFileW
MoveFileExW
LocalAlloc
GetSystemTimeAsFileTime
GetFileSizeEx
GetSystemInfo
MapViewOfFile
CreateFileMappingW
HeapAlloc
HeapFree
GetFileType
ReadFile
FindClose
GetModuleHandleExW
ExpandEnvironmentStringsW
GetTempPathW
GetFullPathNameW
SetFileAttributesW
FindFirstFileW
FindNextFileW
CopyFileW
WideCharToMultiByte
CreateThread
WaitForMultipleObjects
GlobalFree
LoadLibraryA
TerminateThread
GetOverlappedResult
CancelIo
FlushFileBuffers
ConnectNamedPipe
DisconnectNamedPipe
CreateNamedPipeW
OpenProcess
TerminateProcess
GetExitCodeProcess
DuplicateHandle
CreatePipe
GetNativeSystemInfo
ReleaseSemaphore
CreateSemaphoreW
HeapReAlloc
HeapSize
GetCurrentThreadId
IsDebuggerPresent
GetVersionExW
FileTimeToLocalFileTime
FileTimeToSystemTime
GetFileAttributesW
GetFileTime
SetFileTime
LocalFileTimeToFileTime
DosDateTimeToFileTime
lstrlenA
OutputDebugStringW
GetSystemTime
GetPrivateProfileStringW
GetTempFileNameW
GetExitCodeThread
FindFirstFileExW
GetSystemDefaultUILanguage
GetStartupInfoW
InterlockedCompareExchange
GetCurrentThread
GetCommandLineW
FreeConsole
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
IsValidCodePage
GetACP
GetOEMCP
ExitProcess
AreFileApisANSI
GetStdHandle
GetConsoleCP
GetConsoleMode
ReadConsoleW
SetFilePointerEx
SetStdHandle
GetCurrentDirectoryW
GetFileInformationByHandle
VirtualQuery
VirtualProtect
VirtualAlloc
IsProcessorFeaturePresent
RtlUnwind
EncodePointer
GetStringTypeW
GetProcessHeap
SetEnvironmentVariableA
QueryPerformanceCounter
GetCurrentProcessId
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
SetEndOfFile
LocalFree
InterlockedExchange

user32

LoadStringW
GetIconInfo
DrawIconEx
DestroyIcon
FillRect
ReleaseDC
GetDC
GetSystemMetrics
GetMessageW
CharNextW
wsprintfW
CharUpperW
TranslateMessage
PostThreadMessageW
DispatchMessageW

gdi32

GetObjectW
SetBkMode
SelectObject
DeleteObject
DeleteDC
CreateSolidBrush
CreateCompatibleDC
CreateCompatibleBitmap

advapi32

StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerExW
InitializeSecurityDescriptor
RegSetValueExW
RegCreateKeyExW
QueryServiceStatus
OpenServiceW
OpenSCManagerW
CloseServiceHandle
RegQueryValueExW
RegOpenKeyExW
RegEnumKeyExW
RegDeleteKeyW
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
SetEntriesInAclW
GetNamedSecurityInfoW
SetNamedSecurityInfoW
RegDisablePredefinedCache
RegDeleteValueW
RegQueryInfoKeyW
CryptAcquireContextW
CryptReleaseContext
CryptGenKey
CryptDestroyKey
CryptSetKeyParam
CryptGetKeyParam
CryptGetProvParam
CryptGenRandom
CryptExportKey
CryptImportKey
CryptEncrypt
CryptDecrypt
SetSecurityDescriptorDacl
CryptDuplicateKey
DeregisterEventSource
RegisterEventSourceW
ReportEventW
OpenProcessToken
GetTokenInformation
GetSecurityInfo
SetSecurityInfo
RevertToSelf
ImpersonateLoggedOnUser
CreateProcessAsUserW
RegNotifyChangeKeyValue
RegEnumValueW
RegOpenKeyW
ChangeServiceConfigW
ChangeServiceConfig2W
ControlService
DeleteService
QueryServiceStatusEx
StartServiceW
LookupAccountNameW
DuplicateTokenEx
RegisterServiceCtrlHandlerW
CreateServiceW
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
CopySid
GetLengthSid
IsValidSid
ConvertSidToStringSidW
OpenThreadToken

shell32

CommandLineToArgvW
SHGetFolderPathW
ExtractIconW

ole32

CoRevokeClassObject
CoAddRefServerProcess
CoReleaseServerProcess
CoInitializeSecurity
StringFromGUID2
CoRegisterClassObject
CreateStreamOnHGlobal
CoTaskMemFree
CoTaskMemRealloc
CoTaskMemAlloc
CoCreateInstance
CoSetProxyBlanket
CoInitializeEx
CoUninitialize
CoResumeClassObjects

oleaut32

SafeArrayCreateVector
SafeArrayPutElement
BSTR_UserFree
BSTR_UserUnmarshal
BSTR_UserMarshal
BSTR_UserSize
VARIANT_UserFree
VARIANT_UserUnmarshal
VARIANT_UserMarshal
VARIANT_UserSize
LoadRegTypeLi
LoadTypeLi
VarUI4FromStr
VariantCopy
SysStringLen
RegisterTypeLi
UnRegisterTypeLi
VariantClear
VariantInit
SysFreeString
SysAllocString

Sections

.text
Size: 607KB - Virtual size: 607KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 214KB - Virtual size: 214KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8720533a1261e43def3b8df575d526ef

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

1c:a9:cc:01:74:7a:11:b1:ea:af:10:3c:8d:9a:9e:6cCertificate

Extended Key Usages

Key Usages

e2:35:8e:ac:6c:de:0c:72:19:fa:11:d6:67:c3:be:17:e8:db:ef:29Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

winhttp

version

wtsapi32

psapi

rpcrt4

userenv

ws2_32

iphlpapi

wininet

gdiplus

crypt32

libeay32

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

Sections

.text Size: 607KB - Virtual size: 607KB

.rdata Size: 214KB - Virtual size: 214KB

.data Size: 14KB - Virtual size: 24KB

.rsrc Size: 22KB - Virtual size: 22KB

.reloc Size: 36KB - Virtual size: 35KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

1c:a9:cc:01:74:7a:11:b1:ea:af:10:3c:8d:9a:9e:6c
Certificate

e2:35:8e:ac:6c:de:0c:72:19:fa:11:d6:67:c3:be:17:e8:db:ef:29
Signer

.text
Size: 607KB - Virtual size: 607KB

.rdata
Size: 214KB - Virtual size: 214KB

.data
Size: 14KB - Virtual size: 24KB

.rsrc
Size: 22KB - Virtual size: 22KB

.reloc
Size: 36KB - Virtual size: 35KB