81711d5f01c04629384f81b89c1c45ceccfeacbc79563f4345c93bd4fafe9e75

Sharing

Copy URL

Twitter E-mail

General

Target

81711d5f01c04629384f81b89c1c45ceccfeacbc79563f4345c93bd4fafe9e75
Size

23.6MB
MD5

2c633c38bdd318467a5d0d0c56118308
SHA1

f9eef900ecfb8f5763ab29d5e85553f4111cf044
SHA256

81711d5f01c04629384f81b89c1c45ceccfeacbc79563f4345c93bd4fafe9e75
SHA512

f08d25025f36130c6cdb73590e7c772cf2e6af409ae8ada4a9eec541e733ccc1365cff313e1ac151b3d9110ae2ce1669b89cba65b38f4f3e16692470031271be
SSDEEP

393216:CMCeiJ/GjhJZqZ2nZILINNLNrO826rEwXZqzcLR3JZ+T9RTqBzyjjM0pUF4b:KrZGjhHnZIEN/32TwXZVF3qrqBzSjr

Score

1^/10

Malware Config

Signatures

NSIS installer 1 IoCs

installer

resource	yara_rule
sample	nsis_installer_2

Files

81711d5f01c04629384f81b89c1c45ceccfeacbc79563f4345c93bd4fafe9e75
.exe windows:5 windows x86 arch:x86

564f337694aaaa89649f444373d7be3c

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21-12-2012 00:00

Not After

30-12-2020 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18-10-2012 00:00

Not After

29-12-2020 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08-11-2006 00:00

Not After

07-11-2021 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

45:98:a2:8d:fd:dc:bc:31:de:d0:f2:98:07:c5:a7:43
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

05-01-2016 00:00

Not After

26-07-2018 23:59

Subject

CN=ShenZhen Thunder Networking Technologies Ltd.,OU=Operate,O=ShenZhen Thunder Networking Technologies Ltd.,L=Shenzhen,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10-12-2013 00:00

Not After

09-12-2023 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08-11-2006 00:00

Not After

07-11-2021 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

45:98:a2:8d:fd:dc:bc:31:de:d0:f2:98:07:c5:a7:43
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

05-01-2016 00:00

Not After

26-07-2018 23:59

Subject

CN=ShenZhen Thunder Networking Technologies Ltd.,OU=Operate,O=ShenZhen Thunder Networking Technologies Ltd.,L=Shenzhen,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10-12-2013 00:00

Not After

09-12-2023 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

55:45:ca:02:24:61:90:d9:79:ee:b4:0d:b9:ff:bc:18
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

11-06-2015 00:00

Not After

29-12-2020 23:59

Subject

CN=GeoTrust 2048-bit Timestamping Signer 3,O=GeoTrust Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

01-01-1997 00:00

Not After

31-12-2020 23:59

Subject

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21-12-2012 00:00

Not After

30-12-2020 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

20:3c:7f:cf:fa:51:a5:33:5f:c4:2d:e5:f5:a2:ae:6f:f6:c2:85:17:ad:3d:e7:a2:47:73:0d:0f:eb:47:9a:f0
Signer

Actual PE Digest

20:3c:7f:cf:fa:51:a5:33:5f:c4:2d:e5:f5:a2:ae:6f:f6:c2:85:17:ad:3d:e7:a2:47:73:0d:0f:eb:47:9a:f0

Digest Algorithm

sha256

PE Digest Matches

true

83:55:b8:1c:5c:16:b7:50:fe:6b:a5:82:cd:7b:b4:65:84:2e:a3:6c
Signer

Actual PE Digest

83:55:b8:1c:5c:16:b7:50:fe:6b:a5:82:cd:7b:b4:65:84:2e:a3:6c

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

d:\Work\code\xl8_client_setup\SpeedThunder\pdb\Product_Release\ThunderInstall.pdb

Imports

wininet

InternetOpenUrlA
InternetOpenW
InternetCloseHandle

ws2_32

socket
WSAStartup
WSACleanup
gethostbyname
inet_addr
htons
connect
WSAAsyncSelect
send
WSAGetLastError
closesocket
recv

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

kernel32

UnmapViewOfFile
MapViewOfFile
OpenFileMappingW
SizeofResource
DeviceIoControl
CreateFileA
GlobalMemoryStatusEx
QueryPerformanceCounter
QueryPerformanceFrequency
SetThreadPriority
SetPriorityClass
GetThreadPriority
GetPriorityClass
GetVersionExW
GetSystemInfo
WaitForMultipleObjects
TerminateThread
CreateThread
GetCurrentProcessId
InterlockedIncrement
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetSystemDirectoryW
lstrlenA
SetDllDirectoryW
CreateFileMappingW
FileTimeToSystemTime
SetFilePointer
WriteFile
GetFileSize
GetPrivateProfileStringA
GetPrivateProfileIntW
GetPrivateProfileSectionW
GetLocalTime
TerminateProcess
OpenProcess
FreeLibrary
ResetEvent
GetCurrentDirectoryW
SetCurrentDirectoryW
IsBadCodePtr
VirtualQuery
FindResourceExW
ReleaseMutex
ReadFile
CompareStringA
GetDriveTypeA
WriteConsoleW
GetConsoleOutputCP
FindFirstFileW
FlushFileBuffers
GetLocaleInfoW
InitializeCriticalSectionAndSpinCount
SetStdHandle
MoveFileExW
GetFullPathNameW
GetTimeZoneInformation
GetStringTypeA
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
GetDateFormatA
GetTimeFormatA
GetStartupInfoA
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetConsoleMode
GetConsoleCP
IsValidCodePage
GetOEMCP
GetACP
GetModuleFileNameA
GetStdHandle
GetModuleHandleA
HeapCreate
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
GetStringTypeW
GetCPInfo
LCMapStringW
LCMapStringA
GetFileType
FileTimeToLocalFileTime
GetSystemTimeAsFileTime
ExitThread
RtlUnwind
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
InterlockedExchange
HeapSize
HeapReAlloc
HeapDestroy
VirtualAlloc
VirtualFree
IsProcessorFeaturePresent
LoadLibraryA
HeapAlloc
GetProcessHeap
HeapFree
InterlockedCompareExchange
MoveFileW
SetEndOfFile
GetFileAttributesW
DeleteFileW
WriteConsoleA
CreateDirectoryW
ResumeThread
GetVersionExA
CopyFileW
FindNextFileW
lstrcpyA
GetFileAttributesA
CreateDirectoryA
lstrcatA
GetSystemDirectoryA
GetVolumeInformationA
WritePrivateProfileStringA
SetEnvironmentVariableA
CompareStringW
GetCurrentProcess
GetCurrentThread
CloseHandle
FindClose
RemoveDirectoryW
OutputDebugStringW
EnumResourceNamesW
GetFileSizeEx
DeleteCriticalSection
InitializeCriticalSection
WritePrivateProfileStringW
InterlockedDecrement
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
LoadLibraryW
SetFileAttributesW
CreateFileW
CreateEventW
OpenEventW
SetEvent
GetTickCount
ExitProcess
GetDiskFreeSpaceExW
LoadResource
LockResource
CreateProcessW
GlobalHandle
GlobalFree
GetTempPathW
GlobalLock
GlobalUnlock
GetModuleFileNameW
MulDiv
lstrcmpW
GetLastError
lstrlenW
Sleep
SetLastError
GetCurrentThreadId
FindResourceW
GlobalAlloc
FlushInstructionCache
GetLogicalDriveStringsW
GetDriveTypeW
OpenMutexW
CreateMutexW
GetModuleHandleW
GetProcAddress
LeaveCriticalSection
EnterCriticalSection
RaiseException
WaitForSingleObject
GetExitCodeProcess
GetStartupInfoW
LocalFree
GetCurrentDirectoryA

user32

GetDesktopWindow
SetWindowLongW
MessageBoxW
PostMessageW
ShowWindow
IsWindow
IsWindowVisible
DrawFocusRect
CopyRect
GetDlgCtrlID
DrawTextW
DrawIcon
OffsetRect
MsgWaitForMultipleObjects
GetActiveWindow
CharUpperW
PostThreadMessageW
RedrawWindow
DialogBoxIndirectParamW
RegisterWindowMessageW
GetWindowTextLengthW
GetWindowTextW
SetWindowTextW
wsprintfW
UnregisterClassA
CreateAcceleratorTableW
SendMessageW
GetFocus
SetCursor
ShowCursor
SetRectEmpty
GetWindowDC
UnionRect
PtInRect
GetWindowLongW
GetClassInfoExW
LoadCursorW
DefWindowProcW
RegisterClassExW
CreateWindowExW
GetSysColor
CharNextW
MoveWindow
PeekMessageW
GetMessageW
TranslateMessage
DispatchMessageW
CreateDialogIndirectParamW
PostQuitMessage
UpdateLayeredWindow
EqualRect
IsRectEmpty
SetWindowPos
GetClientRect
ClientToScreen
ScreenToClient
GetDC
ReleaseDC
InvalidateRect
InvalidateRgn
FindWindowW
SetCapture
IsChild
GetParent
GetDlgItem
GetClassNameW
ReleaseCapture
FillRect
DestroyWindow
CallWindowProcW
EndPaint
BeginPaint
DestroyAcceleratorTable
SetFocus
SetRect
GetTopWindow
LoadImageW
MonitorFromWindow
GetMonitorInfoW
MapWindowPoints
GetSystemMetrics
wsprintfA
GetWindowRect
SetWindowContextHelpId
MapDialogRect
EnableWindow
IsWindowEnabled
KillTimer
SetTimer
UpdateWindow
GetWindow

gdi32

GetWindowOrgEx
OffsetWindowOrgEx
CreateRectRgnIndirect
ExtTextOutW
LineTo
CreatePen
IntersectClipRect
MoveToEx
SetBkMode
CreateFontIndirectW
CreateRectRgn
GetClipBox
CombineRgn
GetTextMetricsW
SetViewportOrgEx
SetTextColor
SetBkColor
GetTextExtentPoint32W
GetStockObject
GetObjectW
CreateSolidBrush
GetDeviceCaps
BitBlt
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
DeleteObject
DeleteDC
SetWindowOrgEx
SelectClipRgn
SetDIBitsToDevice
StretchDIBits
CreateDIBSection
ExtSelectClipRgn

advapi32

GetAclInformation
GetAce
GetSidLengthRequired
InitializeSid
GetSidSubAuthority
EqualSid
CopySid
IsValidSid
SetNamedSecurityInfoW
InitializeAcl
AddAce
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegSetValueExW
RegCloseKey
GetLengthSid
OpenProcessToken
DuplicateTokenEx
RegCreateKeyExW
GetNamedSecurityInfoW

shell32

SHGetFileInfoW
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetSpecialFolderPathW
SHCreateDirectoryExW
ord680
ShellExecuteExW
SHGetFolderPathW
CommandLineToArgvW
ShellExecuteW
SHGetSpecialFolderPathA

ole32

CoInitializeSecurity
CoUninitialize
CoSetProxyBlanket
CoInitialize
OleUninitialize
OleInitialize
CreateStreamOnHGlobal
CoRevokeClassObject
CoRegisterClassObject
CoTaskMemFree
CoTaskMemAlloc
CoCreateInstance
CLSIDFromString
CLSIDFromProgID
CoGetClassObject
OleLockRunning
StringFromGUID2
CoInitializeEx

oleaut32

SysAllocStringLen
SysAllocString
VariantInit
VariantClear
SysStringLen
LoadRegTypeLi
LoadTypeLi
UnRegisterTypeLi
RegisterTypeLi
SysFreeString
OleCreateFontIndirect

shlwapi

SHGetValueW
PathIsDirectoryW
StrCmpNW
SHSetValueW
StrStrW
PathIsRootW
StrCpyNW
PathRemoveBlanksW
StrCmpW
PathFindFileNameW
PathGetDriveNumberW
PathAppendW
PathCombineW
StrCmpIW
PathFileExistsW
PathFindExtensionW

comctl32

_TrackMouseEvent

msimg32

AlphaBlend

iphlpapi

GetAdaptersInfo

imm32

ImmDisableIME

gdiplus

GdipGetImageWidth
GdipDisposeImage
GdipAlloc
GdipFree
GdipCloneImage
GdipLoadImageFromStream
GdiplusStartup
GdipDeleteGraphics
GdipCreateFromHDC
GdipDrawImageRectI
GdipGetImageHeight

Sections

.text
Size: 685KB - Virtual size: 685KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 113KB - Virtual size: 113KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 21KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 22.8MB - Virtual size: 22.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

564f337694aaaa89649f444373d7be3c

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fdCertificate

Extended Key Usages

Key Usages

45:98:a2:8d:fd:dc:bc:31:de:d0:f2:98:07:c5:a7:43Certificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fdCertificate

Extended Key Usages

Key Usages

45:98:a2:8d:fd:dc:bc:31:de:d0:f2:98:07:c5:a7:43Certificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

55:45:ca:02:24:61:90:d9:79:ee:b4:0d:b9:ff:bc:18Certificate

Extended Key Usages

Key Usages

Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

20:3c:7f:cf:fa:51:a5:33:5f:c4:2d:e5:f5:a2:ae:6f:f6:c2:85:17:ad:3d:e7:a2:47:73:0d:0f:eb:47:9a:f0Signer

83:55:b8:1c:5c:16:b7:50:fe:6b:a5:82:cd:7b:b4:65:84:2e:a3:6cSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

wininet

ws2_32

version

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

shlwapi

comctl32

msimg32

iphlpapi

imm32

gdiplus

Sections

.text Size: 685KB - Virtual size: 685KB

.rdata Size: 113KB - Virtual size: 113KB

.data Size: 21KB - Virtual size: 76KB

.rsrc Size: 22.8MB - Virtual size: 22.8MB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

45:98:a2:8d:fd:dc:bc:31:de:d0:f2:98:07:c5:a7:43
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

45:98:a2:8d:fd:dc:bc:31:de:d0:f2:98:07:c5:a7:43
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

55:45:ca:02:24:61:90:d9:79:ee:b4:0d:b9:ff:bc:18
Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

20:3c:7f:cf:fa:51:a5:33:5f:c4:2d:e5:f5:a2:ae:6f:f6:c2:85:17:ad:3d:e7:a2:47:73:0d:0f:eb:47:9a:f0
Signer

83:55:b8:1c:5c:16:b7:50:fe:6b:a5:82:cd:7b:b4:65:84:2e:a3:6c
Signer

.text
Size: 685KB - Virtual size: 685KB

.rdata
Size: 113KB - Virtual size: 113KB

.data
Size: 21KB - Virtual size: 76KB

.rsrc
Size: 22.8MB - Virtual size: 22.8MB