2ad9957c937b85260ece59619d7faa50N[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

2ad9957c937b85260ece59619d7faa50N.exe
Size

393KB
MD5

2ad9957c937b85260ece59619d7faa50
SHA1

c6432de5feade5f55ba808c5d43966bfc16de12b
SHA256

c158746fc376abf70360b31873cb236222e43636e3706dd956abc605fdfc7ccc
SHA512

0f14bce0d3d08b40cd7bb11b6faa56da9944867027bf804d2cfc3da7be3c9b133960284fa91bf5bf2374c945bf82aa9bd841d146121f965f482a6d7f9c4a94e6
SSDEEP

6144:hP+NbVklNXD42QXhtgn03k35946hYu8+cOG:F+Nul6R6PbhlG

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2ad9957c937b85260ece59619d7faa50N.exe

Files

2ad9957c937b85260ece59619d7faa50N.exe
.dll windows:5 windows x86 arch:x86

d85f04f1ff5855384b6cd7c06edf6980

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

rpcss.pdb

Imports

advapi32

ControlService
SetTokenInformation
ImpersonateLoggedOnUser
CreateProcessAsUserW
StartServiceW
ConvertSidToStringSidW
QueryServiceStatus
DuplicateTokenEx
RegSetValueExW
LsaRetrievePrivateData
LookupAccountNameW
AccessCheck
GetSecurityDescriptorLength
RegCreateKeyExW
ConvertStringSecurityDescriptorToSecurityDescriptorW
QueryServiceStatusEx
SaferCreateLevel
SaferComputeTokenFromLevel
SaferCloseLevel
CommandLineFromMsiDescriptor
IsValidSecurityDescriptor
LookupAccountSidW
FreeSid
AllocateAndInitializeSid
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AddAccessAllowedAce
InitializeAcl
GetLengthSid
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
CloseServiceHandle
OpenServiceW
OpenSCManagerW
AllocateLocallyUniqueId
SetServiceStatus
RegQueryValueA
RegisterServiceCtrlHandlerExW
RegisterEventSourceW
ReportEventW
DeregisterEventSource
IsValidSid
GetSidIdentifierAuthority
GetSidSubAuthorityCount
GetSidSubAuthority
GetSecurityDescriptorDacl
GetAce
RegOpenKeyW
RegQueryValueW
CryptAcquireContextW
CryptReleaseContext
SystemFunction036
CryptGenRandom
RegNotifyChangeKeyValue
RegQueryInfoKeyW
RegEnumValueW
ImpersonateAnonymousToken
OpenThreadToken
RevertToSelf
RegOpenUserClassesRoot
SaferiCompareTokenLevels
CheckTokenMembership
CopySid
SetThreadToken
CreateWellKnownSid
LsaOpenPolicy
LsaQueryInformationPolicy
LsaClose
EqualSid
GetTokenInformation
OpenProcessToken
ChangeServiceConfigW
LsaFreeMemory

kernel32

DisableThreadLibraryCalls
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
LoadLibraryA
InterlockedCompareExchange
FreeLibrary
GetProcAddress
TlsAlloc
LocalAlloc
CreateEventA
LocalFree
Sleep
GetComputerNameA
QueryPerformanceCounter
GlobalMemoryStatus
GetDiskFreeSpaceA
InterlockedExchange
EnterCriticalSection
LeaveCriticalSection
GetComputerNameW
GetLastError
lstrcmpW
GetProcessHeap
HeapAlloc
HeapFree
GetDriveTypeW
lstrcpynW
MultiByteToWideChar
lstrlenA
GetExitCodeProcess
WaitForMultipleObjects
CreateMutexW
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
ResumeThread
OpenFileMappingW
CreateProcessW
ReadFile
ReleaseActCtx
WriteFile
WaitNamedPipeW
InitializeCriticalSectionAndSpinCount
lstrcmpiA
MapViewOfFileEx
VirtualAlloc
VirtualFree
GetSystemTimeAsFileTime
DelayLoadFailureHook
SetLastError
CloseHandle
DeviceIoControl
CreateFileW
SleepEx
InterlockedIncrement
InterlockedDecrement
CreateThread
GetSystemInfo
lstrcpyW
lstrlenW
RegisterWaitForSingleObject
CreateEventW
SetEvent
WaitForSingleObject
lstrcatW
TerminateJobObject
GetCurrentThread
InterlockedExchangeAdd
DeleteTimerQueueTimer
CreateTimerQueueTimer
DeleteCriticalSection
IsDebuggerPresent
DebugBreak
ResetEvent
TlsSetValue
TlsGetValue
GetModuleHandleW
LoadLibraryExA
ExpandEnvironmentStringsW
GetModuleFileNameW
ReleaseMutex
FindActCtxSectionGuid
FindActCtxSectionStringW
LoadLibraryW
GetSystemDirectoryW
GetSystemWow64DirectoryW
lstrcmpiW
SearchPathW
AddRefActCtx
OpenProcess
DuplicateHandle
InitializeCriticalSection
OpenEventW
LoadLibraryExW
FindClose
FindFirstFileW

msvcrt

_onexit
__dllonexit
_adjust_fdiv
malloc
_initterm
free
wcschr
_resetstkoflw
_except_handler3
memmove
_wtoi
_purecall
ceil
_ftol
wcslen
wcscpy
_ultow
strncmp
wcstol
_stricmp
swprintf
_vsnwprintf
_wcsicmp
wcsncpy
towupper
wcscat

ntdll

RtlAllocateHeap
RtlFreeHeap
RtlImageNtHeader
RtlNtStatusToDosError
NtOpenFile
RtlInitString
RtlDeleteCriticalSection
RtlEqualSid
NtCompareTokens
NtQueryInformationToken
DbgPrint
NtQuerySystemInformation
NtOpenSection
NtFsControlFile
NtCreateFile
RtlAdjustPrivilege
NtSetInformationProcess
NtDuplicateToken
NtAllocateLocallyUniqueId
RtlInitUnicodeString
RtlEqualUnicodeString
NtSetUuidSeed
RtlSetSaclSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlSetGroupSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlCreateSecurityDescriptor
RtlAddAce
RtlCreateAcl
RtlGetNtProductType
RtlInitializeCriticalSection
RtlLengthRequiredSid
RtlInitializeSid
RtlSubAuthoritySid
RtlAllocateAndInitializeSid
NtClose
NtOpenKey
RtlLengthSid
RtlCopySid

rpcrt4

RpcServerRegisterIf2
RpcMgmtSetServerStackSize
UuidCreate
RpcServerListen
RpcMgmtIsServerListening
I_RpcAllocate
I_RpcFree
RpcServerUseProtseqEpExW
RpcBindingFree
RpcBindingSetAuthInfoW
RpcBindingSetAuthInfoExW
NdrAsyncServerCall
NdrAsyncClientCall
MesEncodeFixedBufferHandleCreate
MesHandleFree
MesDecodeBufferHandleCreate
NdrMesTypeAlignSize2
NdrMesTypeEncode2
NdrMesTypeDecode2
RpcRevertToSelfEx
RpcImpersonateClient
RpcRaiseException
I_RpcBindingInqTransportType
RpcAsyncCompleteCall
RpcBindingSetOption
I_RpcBindingInqWireIdForSnego
RpcServerUnregisterIf
I_RpcServerInqLocalConnAddress
I_RpcServerCheckClientRestriction
TowerExplode
I_RpcSystemFunction001
RpcServerRegisterIfEx
I_RpcServerRegisterForwardFunction
I_RpcServerSetAddressChangeFn
I_RpcExceptionFilter
NdrClientCall2
NdrServerCall2
RpcStringBindingComposeW
RpcMgmtEnableIdleCleanup
I_RpcBindingInqLocalClientPID
RpcRevertToSelf
RpcBindingReset
RpcAsyncCancelCall
RpcBindingFromStringBindingW
RpcBindingSetObject
RpcAsyncInitializeHandle
RpcBindingCopy
RpcServerInqBindings
RpcBindingVectorFree
RpcStringFreeW
RpcBindingToStringBindingW
RpcStringBindingParseW
RpcServerRegisterAuthInfoW

secur32

FreeContextBuffer
LsaLogonUser
LsaLookupAuthenticationPackage
LsaRegisterLogonProcess
LsaFreeReturnBuffer
EnumerateSecurityPackagesW

user32

wsprintfW
LoadStringW
CharUpperW

ws2_32

closesocket
WSAIoctl
WSAGetLastError
inet_ntoa
gethostname
gethostbyname
socket
bind
WSASetServiceW
htons
getsockname

Exports

Exports

CoGetComCatalog
GetRPCSSInfo
ServiceMain
WhichService

Sections

.text
Size: 248KB - Virtual size: 248KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 131KB - Virtual size: 131KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d85f04f1ff5855384b6cd7c06edf6980

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

msvcrt

ntdll

rpcrt4

secur32

user32

ws2_32

Exports

Exports

Sections

.text Size: 248KB - Virtual size: 248KB

.data Size: 131KB - Virtual size: 131KB

.rsrc Size: 1024B - Virtual size: 1016B

.reloc Size: 11KB - Virtual size: 10KB

.text
Size: 248KB - Virtual size: 248KB

.data
Size: 131KB - Virtual size: 131KB

.rsrc
Size: 1024B - Virtual size: 1016B

.reloc
Size: 11KB - Virtual size: 10KB