af87407264370c17688e06a544bf38963c92b58808278c5ff9168c7f12436589

Sharing

Copy URL

Twitter E-mail

General

Target

af87407264370c17688e06a544bf38963c92b58808278c5ff9168c7f12436589
Size

497KB
MD5

f21ed2ff0529d3e9795a9d524d633235
SHA1

e40e660d124a42977e76cf320c5cc807e52e9d91
SHA256

af87407264370c17688e06a544bf38963c92b58808278c5ff9168c7f12436589
SHA512

bfb17b0377b2b2c0839123dcc4011d0a628204ff3f3e852499920f728557dbf19140ed03e0ac4309d1e95dc3bf0f8ec2f94046171cd59d6c12ba6c50d4ac1fe4
SSDEEP

6144:i4aOfXvklytT9r7oylegUeKgyQyDXCNpy+ygQcR+SwZX7ZBuvPlv:UIsIPcvQyDXCNpyrTZLivt

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
af87407264370c17688e06a544bf38963c92b58808278c5ff9168c7f12436589

Files

af87407264370c17688e06a544bf38963c92b58808278c5ff9168c7f12436589
.dll windows:6 windows x64 arch:x64

b2079e1cfa135d74944eadd006f219b8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\build\endpoint\bin\x64\Release\Product.Configuration.Agent.dll.pdb

Imports

txmlutil

?LoadFile@TiXmlDocument@@QEAA_NPEB_WW4TiXmlEncoding@@@Z
?FirstChildElement@TiXmlNode@@QEAAPEAVTiXmlElement@@PEB_W@Z
??1TiXmlDocument@@UEAA@XZ
?ToElement@TiXmlHandle@@QEBAPEAVTiXmlElement@@XZ
?GetText@TiXmlElement@@QEBAPEB_WXZ
?Attribute@TiXmlElement@@QEBAPEB_WPEB_W@Z
??0TiXmlDocument@@QEAA@XZ
?FirstChild@TiXmlHandle@@QEBA?AV1@PEB_W@Z
?NextSiblingElement@TiXmlNode@@QEBAPEBVTiXmlElement@@PEB_W@Z

epsjson

?isUInt@Value@Json@@QEBA_NXZ
?asUInt@Value@Json@@QEBAIXZ
??1Value@Json@@QEAA@XZ
??0Value@Json@@QEAA@PEBD@Z
?isObject@Value@Json@@QEBA_NXZ
??4Value@Json@@QEAAAEAV01@V01@@Z
??0Value@Json@@QEAA@W4ValueType@1@@Z
?isMember@Value@Json@@QEBA_NAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
??AValue@Json@@QEAAAEAV01@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?isArray@Value@Json@@QEBA_NXZ
?isValidIndex@Value@Json@@QEBA_NI@Z
??AValue@Json@@QEAAAEAV01@H@Z
?isNull@Value@Json@@QEBA_NXZ
??0Value@Json@@QEAA@AEBV01@@Z
?isString@Value@Json@@QEBA_NXZ
?asString@Value@Json@@QEBA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ
??0Value@Json@@QEAA@$$QEAV01@@Z
?toStyledString@Value@Json@@QEBA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ
??AValue@Json@@QEAAAEAV01@PEBD@Z
?begin@Value@Json@@QEAA?AVValueIterator@2@XZ
??1ValueIterator@Json@@QEAA@XZ
??EValueIterator@Json@@QEAAAEAV01@XZ
??9ValueIteratorBase@Json@@QEBA_NAEBV01@@Z
?end@Value@Json@@QEAA?AVValueIterator@2@XZ
?key@ValueIteratorBase@Json@@QEBA?AVValue@2@XZ
??0Value@Json@@QEAA@_N@Z
??0Value@Json@@QEAA@I@Z
??0Value@Json@@QEAA@H@Z
??0Value@Json@@QEAA@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z
?getMemberNames@Value@Json@@QEBA?AV?$vector@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$allocator@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@std@@XZ
?isMember@Value@Json@@QEBA_NPEBD@Z
?isInt64@Value@Json@@QEBA_NXZ
?asInt64@Value@Json@@QEBA_JXZ
?isUInt64@Value@Json@@QEBA_NXZ
?asUInt64@Value@Json@@QEBA_KXZ
??0Value@Json@@QEAA@_J@Z
?size@Value@Json@@QEBAIXZ
??0FastWriter@Json@@QEAA@XZ
??1FastWriter@Json@@UEAA@XZ
?write@FastWriter@Json@@UEAA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AEBVValue@2@@Z
??0Value@Json@@QEAA@_K@Z
?asBool@Value@Json@@QEBA_NXZ
?isInt@Value@Json@@QEBA_NXZ
?isBool@Value@Json@@QEBA_NXZ
?asInt@Value@Json@@QEBAHXZ

kernel32

LeaveCriticalSection
InitializeCriticalSection
GetModuleFileNameW
LoadLibraryW
GetProcAddress
FreeLibrary
WideCharToMultiByte
GetLastError
InitializeCriticalSectionEx
MultiByteToWideChar
LoadLibraryExW
GetModuleHandleW
CloseHandle
VerSetConditionMask
VerifyVersionInfoW
CreateFileW
GetSystemDirectoryW
CreateEventW
SetEvent
WaitForSingleObject
CreateThread
GetCurrentProcess
GetSystemTime
SystemTimeToFileTime
SetFileTime
FlushFileBuffers
InitializeProcThreadAttributeList
DeleteProcThreadAttributeList
AssignProcessToJobObject
CreateJobObjectW
SetInformationJobObject
DuplicateHandle
CreateDirectoryW
CreateProcessW
WaitForMultipleObjects
GetExitCodeProcess
LocalFree
LocalAlloc
UnhandledExceptionFilter
Sleep
SetUnhandledExceptionFilter
DeleteCriticalSection
GetModuleHandleExW
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
EnterCriticalSection
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
OutputDebugStringW
IsDebuggerPresent
MoveFileExW

advapi32

RegCloseKey
GetWindowsAccountDomainSid
LsaNtStatusToWinError
LsaClose
LsaFreeMemory
LsaQueryInformationPolicy
LsaOpenPolicy
ConvertStringSidToSidW
ConvertSidToStringSidW
CloseServiceHandle
OpenSCManagerW
QueryServiceConfigW
OpenServiceW
RegQueryValueExW
RegOpenKeyExW

msvcp140

?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
_Thrd_detach
?_Xout_of_range@std@@YAXPEBD@Z
_Query_perf_counter
_Query_perf_frequency
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
_Cnd_timedwait
_Cnd_do_broadcast_at_thread_exit
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
_Cnd_init_in_situ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
_Thrd_yield
_Mtx_destroy_in_situ
_Mtx_init_in_situ
_Cnd_wait
_Thrd_id
_Thrd_join
_Cnd_signal
_Mtx_unlock
_Mtx_lock
?_Throw_Cpp_error@std@@YAXH@Z
_Xtime_get_ticks
?_Syserror_map@std@@YAPEBDH@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Xbad_function_call@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
_Cnd_destroy_in_situ

winmm

timeGetTime

shlwapi

PathFileExistsW
PathIsRelativeW
PathRemoveFileSpecW
PathAddBackslashW
PathRemoveBackslashW

rpcrt4

UuidCreate

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__C_specific_handler
memset
_CxxThrowException
_purecall
__current_exception
__std_exception_destroy
wcsrchr
__std_terminate
__current_exception_context
__RTDynamicCast
memcmp
__std_exception_copy
memcpy
__std_type_info_destroy_list
memmove

api-ms-win-crt-string-l1-1-0

wcscat_s
_wcsicmp
wcsncpy_s
wcscpy_s
_strupr

api-ms-win-crt-heap-l1-1-0

malloc
free
realloc
_callnewh

api-ms-win-crt-runtime-l1-1-0

_cexit
_crt_atexit
_initterm_e
_invalid_parameter_noinfo_noreturn
_execute_onexit_table
_initialize_onexit_table
_initterm
_initialize_narrow_environment
_errno
_register_onexit_function
terminate
_configure_narrow_argv
_seh_filter_dll
_invalid_parameter_noinfo
_beginthreadex

api-ms-win-crt-convert-l1-1-0

atoi

api-ms-win-crt-stdio-l1-1-0

fwrite
fgetpos
_fseeki64
fsetpos
setvbuf
fflush
__stdio_common_vsprintf_s
ungetc
fputc
fgetc
_get_stream_buffer_pointers
__stdio_common_vsprintf
__stdio_common_vswprintf_s
fclose
__stdio_common_vswprintf
__stdio_common_vsnwprintf_s
__stdio_common_vswscanf
fread

api-ms-win-crt-multibyte-l1-1-0

_mbscmp

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file

api-ms-win-crt-math-l1-1-0

ceilf

Exports

Exports

BdCreateObject
BdDestroyObject

Sections

.text
Size: 358KB - Virtual size: 357KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 98KB - Virtual size: 98KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 17KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b2079e1cfa135d74944eadd006f219b8

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

txmlutil

epsjson

kernel32

advapi32

msvcp140

winmm

shlwapi

rpcrt4

vcruntime140_1

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-multibyte-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-math-l1-1-0

Exports

Exports

Sections

.text Size: 358KB - Virtual size: 357KB

.rdata Size: 98KB - Virtual size: 98KB

.data Size: 17KB - Virtual size: 19KB

.pdata Size: 16KB - Virtual size: 16KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 3KB - Virtual size: 2KB

.text
Size: 358KB - Virtual size: 357KB

.rdata
Size: 98KB - Virtual size: 98KB

.data
Size: 17KB - Virtual size: 19KB

.pdata
Size: 16KB - Virtual size: 16KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 3KB - Virtual size: 2KB