d4ab1f1729c4b9aa0df5d142bc12418c70664ea7ca82a335d2dd8c1c0dee9394

Sharing

Copy URL Twitter E-mail

General

Target

d4ab1f1729c4b9aa0df5d142bc12418c70664ea7ca82a335d2dd8c1c0dee9394
Size

756KB
MD5

f70fae58de335b24b1585df9fb4e15bb
SHA1

23cd8ce7d3d353078d9f50af5abf8dc7589c04bf
SHA256

d4ab1f1729c4b9aa0df5d142bc12418c70664ea7ca82a335d2dd8c1c0dee9394
SHA512

713ec3b69450cbf5b715970d3c43bc23b6ccc89f08338131b5d7f26c6c384aa40f28a2af5bdf8834651f15b1e11b4aee3d6d3eabb583ce4bc801a4bf939ec6cc
SSDEEP

12288:5dqHF9HRBZ7NIdhRXmq7LLn0AIBph0lhSMXlikE6q28e5NYR:/qHF9HXZ7Odh3HLnhWh0lhSMXlXEsYR

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
d4ab1f1729c4b9aa0df5d142bc12418c70664ea7ca82a335d2dd8c1c0dee9394

Files

d4ab1f1729c4b9aa0df5d142bc12418c70664ea7ca82a335d2dd8c1c0dee9394
.dll windows:6 windows x64 arch:x64

7f38571db398b9b3f87f57879556aab0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

F:\TemporaryBuilds\azure-adaware-pool-build-de-1\11\s\_build\bin\x64\Release\updater.pdb

Imports

wtsapi32

WTSQueryUserToken
WTSEnumerateSessionsW

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

kernel32

GetCurrentThreadId
GetCurrentProcessId
SetConsoleTextAttribute
GetConsoleScreenBufferInfo
WriteConsoleA
WriteFile
GetStdHandle
GetConsoleMode
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapAlloc
GetProcessHeap
HeapFree
QueryPerformanceCounter
QueryPerformanceFrequency
SizeofResource
GetLastError
LockResource
LoadResource
FindResourceW
GetModuleHandleW
GetModuleFileNameW
FormatMessageA
WideCharToMultiByte
LocalFree
GetDynamicTimeZoneInformation
CreateJobObjectW
CreateIoCompletionPort
SetInformationJobObject
AssignProcessToJobObject
GetQueuedCompletionStatus
WaitForSingleObject
ResumeThread
GetExitCodeProcess
TerminateProcess
ProcessIdToSessionId
GetCurrentProcess
GetSystemDirectoryW
GetFileAttributesExW
CreateFileW
FindClose
FindFirstFileW
CreateDirectoryW
GetLocaleInfoEx
CloseHandle
MultiByteToWideChar
OutputDebugStringW
AreFileApisANSI
GetProcAddress
GlobalFree
InitializeCriticalSectionEx
InitializeSListHead
GetSystemTimeAsFileTime
IsDebuggerPresent
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
GetFileInformationByHandleEx

advapi32

RevertToSelf
ImpersonateLoggedOnUser
GetTokenInformation
CreateProcessAsUserW
OpenProcessToken

shell32

SHGetFolderPathW

boost_thread-vc144-mt-x64-1_85

??1thread_data_base@detail@boost@@UEAA@XZ
?interruptible_wait@this_thread@boost@@YA_NPEAXAEBUmono_platform_timepoint@detail@2@@Z
??0disable_interruption@this_thread@boost@@QEAA@XZ
??1disable_interruption@this_thread@boost@@QEAA@XZ
?joinable@thread@boost@@QEBA_NXZ
?interrupt@thread@boost@@QEAAXXZ
??0thread@boost@@QEAA@XZ
??0thread_data_base@detail@boost@@QEAA@XZ
?join@thread@boost@@QEAAXXZ
??4thread@boost@@QEAAAEAV01@$$QEAV01@@Z
??1thread@boost@@QEAA@XZ
?start_thread@thread@boost@@AEAAXXZ
?notify_all_at_thread_exit@thread_data_base@detail@boost@@UEAAXPEAVcondition_variable@3@PEAVmutex@3@@Z
?interruption_requested@this_thread@boost@@YA_NXZ

fmt

?vformat@v10@fmt@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$basic_string_view@D@12@V?$basic_format_args@V?$basic_format_context@Vappender@v10@fmt@@D@v10@fmt@@@12@@Z
?format_system_error@v10@fmt@@YAXAEAV?$buffer@D@detail@12@HPEBD@Z
??$vformat_to@D@detail@v10@fmt@@YAXAEAV?$buffer@D@012@V?$basic_string_view@D@12@V?$basic_format_args@V?$basic_format_context@Vappender@v10@fmt@@D@v10@fmt@@@12@Vlocale_ref@012@@Z
?throw_format_error@detail@v10@fmt@@YAXPEBD@Z
?is_printable@detail@v10@fmt@@YA_NI@Z

libcurl

curl_mime_free
curl_easy_cleanup
curl_easy_init
curl_free
curl_easy_escape
curl_slist_append
curl_slist_free_all
curl_version_info
curl_easy_setopt
curl_easy_perform
curl_easy_getinfo

msvcp140

?classic@locale@std@@SAAEBV12@XZ
_Xtime_get_ticks
?_Xlength_error@std@@YAXPEBD@Z
_Thrd_id
?_Throw_Cpp_error@std@@YAXH@Z
_Thrd_join
_Mtx_lock
_Mtx_unlock
_Cnd_destroy_in_situ
_Cnd_signal
_Mbrtowc
?_Xbad_alloc@std@@YAXXZ
?_Xbad_function_call@std@@YAXXZ
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Winerror_map@std@@YAHH@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?uncaught_exceptions@std@@YAHXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?width@ios_base@std@@QEAA_J_J@Z
?width@ios_base@std@@QEBA_JXZ
?flags@ios_base@std@@QEBAHXZ
?good@ios_base@std@@QEBA_NXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?id@?$numpunct@D@std@@2V0locale@2@A
??1facet@locale@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
?id@?$ctype@_W@std@@2V0locale@2@A
?id@?$numpunct@_W@std@@2V0locale@2@A
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z
??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAGXZ
?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z
?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z
?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAPEAV12@PEA_W_J@Z
?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?tolower@?$ctype@_W@std@@QEBA_W_W@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@G@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAG@Z
?uncaught_exception@std@@YA_NXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xinvalid_argument@std@@YAXPEBD@Z
??Bios_base@std@@QEBA_NXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcpy
memmove
memset
memchr
__current_exception_context
__C_specific_handler
__std_type_info_destroy_list
memcmp
__std_type_info_compare
_purecall
__std_exception_destroy
__std_exception_copy
__std_terminate
_CxxThrowException
__current_exception

api-ms-win-crt-time-l1-1-0

strftime
_localtime64_s
_gmtime64_s

api-ms-win-crt-stdio-l1-1-0

__acrt_iob_func
fclose
fputc
fgetc
_get_stream_buffer_pointers
fread
fwrite
fgetpos
__stdio_common_vsprintf
_fseeki64
fsetpos
setvbuf
fflush
__stdio_common_vfprintf
ungetc

api-ms-win-crt-runtime-l1-1-0

abort
_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_crt_atexit
_cexit
_initterm
_initterm_e
terminate
_invalid_parameter_noinfo_noreturn
_errno

api-ms-win-crt-heap-l1-1-0

free
calloc
malloc
_callnewh

api-ms-win-crt-string-l1-1-0

tolower
isdigit

api-ms-win-crt-math-l1-1-0

ceilf
_ldsign
_dsign
_fdsign

api-ms-win-crt-convert-l1-1-0

strtoul
strtoll
strtod
strtoull

api-ms-win-crt-locale-l1-1-0

localeconv
___lc_codepage_func

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_lock_file

winhttp

WinHttpGetIEProxyConfigForCurrentUser
WinHttpOpen
WinHttpSetTimeouts
WinHttpGetProxyForUrl
WinHttpCloseHandle

ole32

CoCreateInstance
CoSetProxyBlanket
CoInitializeEx
CoUninitialize

oleaut32

VariantClear
SysAllocStringLen
VariantCopy
SysAllocString
SysFreeString
VariantInit

Exports

Exports

Create_Kernel
Create_Params

Sections

.text
Size: 448KB - Virtual size: 447KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 250KB - Virtual size: 250KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 30KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

boostdll
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1000B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7f38571db398b9b3f87f57879556aab0

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

wtsapi32

userenv

kernel32

advapi32

shell32

boost_thread-vc144-mt-x64-1_85

fmt

libcurl

msvcp140

vcruntime140_1

vcruntime140

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

winhttp

ole32

oleaut32

Exports

Exports

Sections

.text Size: 448KB - Virtual size: 447KB

.rdata Size: 250KB - Virtual size: 250KB

.data Size: 30KB - Virtual size: 32KB

.pdata Size: 21KB - Virtual size: 21KB

boostdll Size: 512B - Virtual size: 16B

.rsrc Size: 1024B - Virtual size: 1000B

.reloc Size: 3KB - Virtual size: 2KB

.text
Size: 448KB - Virtual size: 447KB

.rdata
Size: 250KB - Virtual size: 250KB

.data
Size: 30KB - Virtual size: 32KB

.pdata
Size: 21KB - Virtual size: 21KB

boostdll
Size: 512B - Virtual size: 16B

.rsrc
Size: 1024B - Virtual size: 1000B

.reloc
Size: 3KB - Virtual size: 2KB