ec9c04d3f23bf00312dcc765c8ca1724540f3cfdd69d5b36f77f11931057499c

Sharing

Copy URL Twitter E-mail

General

Target

ec9c04d3f23bf00312dcc765c8ca1724540f3cfdd69d5b36f77f11931057499c
Size

12.8MB
MD5

98468324bfa756fce580c75aab3a72d5
SHA1

76787431c49979d8e86b224fa1c3057d96cd578d
SHA256

ec9c04d3f23bf00312dcc765c8ca1724540f3cfdd69d5b36f77f11931057499c
SHA512

5078f924acb0c13158a4aa8edf396b7e2bceee8ac2de0303b9fecf71fee009d13f0863bd7ce6ddca3ed1b9f50f5e037a768eb2908780748d6c875867aa2be6d0
SSDEEP

393216:/fOF6WmxOlt944Be+6jRO1bPt2IpOvxgsk:/fH7x2HXl6jRobPr6gsk

Score

8^/10

upx

Malware Config

Signatures

Patched UPX-packed file 1 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

resource	yara_rule
static1/unpack002/out.upx	patched_upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/myapp.exe	upx

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
static1/unpack002/out.upx	embeds_openssl

Unsigned PE 6 IoCs

Checks for missing Authenticode signature.

resource
ec9c04d3f23bf00312dcc765c8ca1724540f3cfdd69d5b36f77f11931057499c
unpack001/$PLUGINSDIR/InstallOptions.dll
unpack001/$PLUGINSDIR/System.dll
unpack001/To-do List.exe
unpack001/myapp.exe
unpack002/out.upx

Files

ec9c04d3f23bf00312dcc765c8ca1724540f3cfdd69d5b36f77f11931057499c
.exe windows:4 windows x86 arch:x86

f4639a0b3116c2cfc71144b88a929cfd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

RegEnumValueW
RegEnumKeyW
RegQueryValueExW
RegSetValueExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegOpenKeyExW
RegCreateKeyExW

shell32

SHGetPathFromIDListW
SHBrowseForFolderW
SHGetFileInfoW
SHFileOperationW
ShellExecuteExW

ole32

CoCreateInstance
OleUninitialize
OleInitialize
IIDFromString
CoTaskMemFree

comctl32

ImageList_Destroy
ord17
ImageList_AddMasked
ImageList_Create

user32

MessageBoxIndirectW
GetDlgItemTextW
SetDlgItemTextW
CreatePopupMenu
AppendMenuW
TrackPopupMenu
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
IsWindowVisible
CallWindowProcW
GetMessagePos
CheckDlgButton
LoadCursorW
SetCursor
GetSysColor
SetWindowPos
GetWindowLongW
IsWindowEnabled
SetClassLongW
GetSystemMenu
EnableMenuItem
GetWindowRect
ScreenToClient
EndDialog
RegisterClassW
SystemParametersInfoW
CharPrevW
GetClassInfoW
DialogBoxParamW
CharNextW
ExitWindowsEx
DestroyWindow
CreateDialogParamW
SetTimer
SetWindowTextW
PostQuitMessage
SetForegroundWindow
ShowWindow
wsprintfW
SendMessageTimeoutW
FindWindowExW
IsWindow
GetDlgItem
SetWindowLongW
LoadImageW
GetDC
ReleaseDC
EnableWindow
InvalidateRect
SendMessageW
DefWindowProcW
BeginPaint
GetClientRect
FillRect
DrawTextW
EndPaint
CharNextA
wsprintfA
DispatchMessageW
CreateWindowExW
PeekMessageW
GetSystemMetrics

gdi32

GetDeviceCaps
SetBkColor
SelectObject
DeleteObject
CreateBrushIndirect
CreateFontIndirectW
SetBkMode
SetTextColor

kernel32

lstrcmpiA
CreateFileW
GetTempFileNameW
RemoveDirectoryW
CreateProcessW
CreateDirectoryW
GetLastError
CreateThread
GlobalLock
GlobalUnlock
GetDiskFreeSpaceW
WideCharToMultiByte
lstrcpynW
lstrlenW
SetErrorMode
GetVersionExW
GetCommandLineW
GetTempPathW
GetWindowsDirectoryW
WriteFile
CopyFileW
ExitProcess
GetCurrentProcess
GetModuleFileNameW
GetFileSize
GetTickCount
Sleep
SetFileAttributesW
GetFileAttributesW
SetCurrentDirectoryW
MoveFileW
GetFullPathNameW
GetShortPathNameW
SearchPathW
CompareFileTime
SetFileTime
CloseHandle
lstrcmpiW
lstrcmpW
ExpandEnvironmentStringsW
GlobalFree
GlobalAlloc
GetModuleHandleW
LoadLibraryExW
FreeLibrary
WritePrivateProfileStringW
GetPrivateProfileStringW
lstrlenA
MultiByteToWideChar
ReadFile
SetFilePointer
FindClose
FindNextFileW
FindFirstFileW
DeleteFileW
MulDiv
lstrcpyA
MoveFileExW
lstrcatW
GetSystemDirectoryW
GetProcAddress
GetModuleHandleA
GetExitCodeProcess
WaitForSingleObject
SetEnvironmentVariableW

Sections

.text
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 170KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 76KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 49KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/InstallOptions.dll
.dll windows:4 windows x86 arch:x86

85f08eb0cbec010ecbc287fa68321173

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

SetCurrentDirectoryW
GetCurrentDirectoryW
GlobalUnlock
GlobalLock
GetModuleHandleW
CloseHandle
SetEndOfFile
GetPrivateProfileIntW
SetFilePointer
MultiByteToWideChar
ReadFile
GetFileSize
CreateFileW
lstrcmpiW
GetPrivateProfileStringW
lstrcatW
lstrcpynW
WritePrivateProfileStringW
lstrlenW
lstrcpyW
GlobalFree
WriteFile
GlobalAlloc

user32

PtInRect
LoadCursorW
GetDlgCtrlID
CloseClipboard
GetClipboardData
OpenClipboard
GetClientRect
SetWindowRgn
LoadIconW
LoadImageW
SetWindowLongW
CreateWindowExW
MapDialogRect
SetWindowPos
GetWindowRect
CreateDialogParamW
ShowWindow
EnableMenuItem
GetSystemMenu
EnableWindow
GetDlgItem
DestroyIcon
DestroyWindow
DispatchMessageW
TranslateMessage
GetMessageW
IsDialogMessageW
SetCursor
DrawTextW
GetWindowLongW
DrawFocusRect
CallWindowProcW
PostMessageW
MessageBoxW
GetSysColor
CharNextW
wsprintfW
GetWindowTextW
SetWindowTextW
SendMessageW
MapWindowPoints

gdi32

SetTextColor
CreateCompatibleDC
GetObjectW
GetDIBits
CreateRectRgn
CombineRgn
DeleteObject
SelectObject

shell32

SHBrowseForFolderW
SHGetDesktopFolder
SHGetPathFromIDListW
ShellExecuteW

comdlg32

GetOpenFileNameW
GetSaveFileNameW
CommDlgExtendedError

ole32

CoTaskMemFree

Exports

Exports

dialog
initDialog
make_unicode
show

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

509a34b3a68a773e0afb4259e68f9f82

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalAlloc
GlobalFree
GlobalSize
lstrcpynW
lstrcpyW
GetProcAddress
WideCharToMultiByte
VirtualFree
FreeLibrary
lstrlenW
LoadLibraryW
GetModuleHandleW
MultiByteToWideChar
VirtualAlloc
VirtualProtect
GetLastError

user32

wsprintfW

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store
StrAlloc

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 867B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 662B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/ioSpecial.ini
$PLUGINSDIR/modern-wizard.bmp
$PLUGINSDIR/webview2bootstrapper/MicrosoftEdgeWebview2Setup.exe
.exe windows:5 windows x86 arch:x86

ccc6e30409f96054ca558f4765d32e38

Code Sign

33:00:00:01:e2:f1:7d:92:02:0e:49:f8:7f:00:00:00:00:01:e2
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/12/2020, 21:31

Not After

02/12/2021, 21:31

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

64:57:97:41:81:d1:09:95:4f:1c:10:95:8c:65:4e:63
Certificate

Issuer

CN=EdgeBuild,O=EdgeBuild,L=Redmond,ST=Washington,C=US

Not Before

15/06/2020, 23:52

Not After

31/12/2039, 23:59

Subject

CN=EdgeBuild,O=EdgeBuild,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageKeyEncipherment

04:3a:7c:79:39:d1:49:44:6f:2d:46:7c:3b:c6:8d:89:67:b1:4b:fd:cd:5f:9f:1d:33:a5:17:9b:41:84:03:0e
Signer

Actual PE Digest

04:3a:7c:79:39:d1:49:44:6f:2d:46:7c:3b:c6:8d:89:67:b1:4b:fd:cd:5f:9f:1d:33:a5:17:9b:41:84:03:0e

Digest Algorithm

sha256

PE Digest Matches

true

04:3a:7c:79:39:d1:49:44:6f:2d:46:7c:3b:c6:8d:89:67:b1:4b:fd:cd:5f:9f:1d:33:a5:17:9b:41:84:03:0e
Signer

Actual PE Digest

04:3a:7c:79:39:d1:49:44:6f:2d:46:7c:3b:c6:8d:89:67:b1:4b:fd:cd:5f:9f:1d:33:a5:17:9b:41:84:03:0e

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

mi_exe_stub.pdb

Imports

kernel32

GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
OutputDebugStringW
HeapAlloc
HeapFree
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetFileType
RaiseException
LCMapStringW
GetProcessHeap
HeapSize
HeapReAlloc
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
SetFilePointerEx
CreateFileW
CloseHandle
WriteConsoleW
DecodePointer
VirtualProtect
EncodePointer
QueryPerformanceCounter
LoadLibraryExW
GetProcAddress
FreeLibrary
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
SetLastError
GetLastError
RtlUnwind
TerminateProcess
GetCurrentProcess
GetModuleHandleW
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
GetStringTypeW
CreateDirectoryW
SizeofResource
Wow64DisableWow64FsRedirection
RemoveDirectoryW
GetTempPathW
FormatMessageW
Wow64RevertWow64FsRedirection
GetDiskFreeSpaceExW
LockResource
DeleteFileW
FindResourceExW
LoadResource
FindResourceW
HeapDestroy
LocalFree
VerSetConditionMask
CopyFileW
VerifyVersionInfoW
GetTempFileNameW
lstrcmpiW
CreateMutexW
WaitForSingleObject
ReleaseMutex
CreateEventW
SetEvent
CreateThread
UnmapViewOfFile
CreateFileMappingW
MapViewOfFile
VirtualQuery
CreateProcessW
GetExitCodeProcess
ResetEvent
WaitForSingleObjectEx
GetSystemInfo
LoadLibraryExA

advapi32

RegOpenKeyExA
SetSecurityDescriptorDacl
GetAclInformation
SetSecurityDescriptorOwner
GetSidSubAuthority
GetSidLengthRequired
CopySid
InitializeSid
IsValidSid
AddAce
InitializeSecurityDescriptor
InitializeAcl
GetLengthSid
GetSecurityDescriptorLength
MakeSelfRelativeSD
MakeAbsoluteSD
SetSecurityDescriptorGroup
RegOpenKeyExW
RegQueryValueExW
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorControl
GetSecurityDescriptorOwner
RegCloseKey
RegQueryValueExA
RegCreateKeyExA
RegSetValueExW
RegSetValueExA
RegDeleteValueA

ole32

CoTaskMemFree
CoUninitialize
CoInitializeEx

shell32

SHGetKnownFolderPath
ord680
CommandLineToArgvW
SHGetFolderPathW

user32

CharLowerBuffW
MessageBoxW

Sections

.text
Size: 103KB - Virtual size: 102KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
To-do List.exe
.exe windows:6 windows x64 arch:x64

c2d457ad8ac36fc9f18d45bffcd450c2

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

WriteFile
WriteConsoleW
WerSetFlags
WerGetFlags
WaitForMultipleObjects
WaitForSingleObject
VirtualQuery
VirtualFree
VirtualAlloc
TlsAlloc
SwitchToThread
SuspendThread
SetWaitableTimer
SetProcessPriorityBoost
SetEvent
SetErrorMode
SetConsoleCtrlHandler
RtlVirtualUnwind
RtlLookupFunctionEntry
ResumeThread
RaiseFailFastException
PostQueuedCompletionStatus
LoadLibraryW
LoadLibraryExW
SetThreadContext
GetThreadContext
GetSystemInfo
GetSystemDirectoryA
GetStdHandle
GetQueuedCompletionStatusEx
GetProcessAffinityMask
GetProcAddress
GetErrorMode
GetEnvironmentStringsW
GetCurrentThreadId
GetConsoleMode
FreeEnvironmentStringsW
ExitProcess
DuplicateHandle
CreateWaitableTimerExW
CreateThread
CreateIoCompletionPort
CreateFileA
CreateEventA
CloseHandle
AddVectoredExceptionHandler
AddVectoredContinueHandler

Sections

.text
Size: 3.7MB - Virtual size: 3.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4.1MB - Virtual size: 4.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 596KB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 96KB - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 512B - Virtual size: 180B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 83KB - Virtual size: 82KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.symtab
Size: 512B - Virtual size: 4B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 48KB - Virtual size: 47KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
myapp.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

UPX0
Size: - Virtual size: 18.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 7.0MB - Virtual size: 7.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Exports

Exports

GetSMErrorText
OnUpdateBaseDir
OnUpdateBool
OnUpdateLong
OnUpdateLongGEZero
OnUpdateReal
OnUpdateStr
OnUpdateStrNotEmpty
OnUpdateString
OnUpdateStringUnempty
PHP_3HAVAL128Init
PHP_3HAVAL160Init
PHP_3HAVAL192Init
PHP_3HAVAL224Init
PHP_3HAVAL256Init
PHP_3TIGERInit
PHP_4HAVAL128Init
PHP_4HAVAL160Init
PHP_4HAVAL192Init
PHP_4HAVAL224Init
PHP_4HAVAL256Init
PHP_4TIGERInit
PHP_5HAVAL128Init
PHP_5HAVAL160Init
PHP_5HAVAL192Init
PHP_5HAVAL224Init
PHP_5HAVAL256Init
PHP_ADLER32Copy
PHP_ADLER32Final
PHP_ADLER32Init
PHP_ADLER32Update
PHP_CRC32BEFinal
PHP_CRC32BUpdate
PHP_CRC32CUpdate
PHP_CRC32Copy
PHP_CRC32Init
PHP_CRC32LEFinal
PHP_CRC32Update
PHP_FNV132Final
PHP_FNV132Init
PHP_FNV132Update
PHP_FNV164Final
PHP_FNV164Init
PHP_FNV164Update
PHP_FNV1a32Update
PHP_FNV1a64Update
PHP_GOSTFinal
PHP_GOSTInit
PHP_GOSTInitCrypto
PHP_GOSTUpdate
PHP_HAVAL128Final
PHP_HAVAL160Final
PHP_HAVAL192Final
PHP_HAVAL224Final
PHP_HAVAL256Final
PHP_HAVALUpdate
PHP_JOAATFinal
PHP_JOAATInit
PHP_JOAATUpdate
PHP_MD2Final
PHP_MD2InitArgs
PHP_MD2Update
PHP_MD4Final
PHP_MD4InitArgs
PHP_MD4Update
PHP_MD5Final
PHP_MD5InitArgs
PHP_MD5Update
PHP_MURMUR3ACopy
PHP_MURMUR3AFinal
PHP_MURMUR3AInit
PHP_MURMUR3AUpdate
PHP_MURMUR3CCopy
PHP_MURMUR3CFinal
PHP_MURMUR3CInit
PHP_MURMUR3CUpdate
PHP_MURMUR3FCopy
PHP_MURMUR3FFinal
PHP_MURMUR3FInit
PHP_MURMUR3FUpdate
PHP_RIPEMD128Final
PHP_RIPEMD128Init
PHP_RIPEMD128Update
PHP_RIPEMD160Final
PHP_RIPEMD160Init
PHP_RIPEMD160Update
PHP_RIPEMD256Final
PHP_RIPEMD256Init
PHP_RIPEMD256Update
PHP_RIPEMD320Final
PHP_RIPEMD320Init
PHP_RIPEMD320Update
PHP_SHA1Final
PHP_SHA1InitArgs
PHP_SHA1Update
PHP_SHA224Final
PHP_SHA224InitArgs
PHP_SHA224Update
PHP_SHA256Final
PHP_SHA256InitArgs
PHP_SHA256Update
PHP_SHA3224Init
PHP_SHA3224Update
PHP_SHA3256Init
PHP_SHA3256Update
PHP_SHA3384Init
PHP_SHA3384Update
PHP_SHA3512Init
PHP_SHA3512Update
PHP_SHA384Final
PHP_SHA384InitArgs
PHP_SHA384Update
PHP_SHA512Final
PHP_SHA512InitArgs
PHP_SHA512Update
PHP_SHA512_224Final
PHP_SHA512_224InitArgs
PHP_SHA512_256Final
PHP_SHA512_256InitArgs
PHP_SNEFRUFinal
PHP_SNEFRUInit
PHP_SNEFRUUpdate
PHP_TIGER128Final
PHP_TIGER160Final
PHP_TIGER192Final
PHP_TIGERUpdate
PHP_WHIRLPOOLFinal
PHP_WHIRLPOOLInit
PHP_WHIRLPOOLUpdate
PHP_XXH32Copy
PHP_XXH32Final
PHP_XXH32Init
PHP_XXH32Update
PHP_XXH3_128_Copy
PHP_XXH3_128_Final
PHP_XXH3_128_Init
PHP_XXH3_128_Update
PHP_XXH3_64_Copy
PHP_XXH3_64_Final
PHP_XXH3_64_Init
PHP_XXH3_64_Update
PHP_XXH64Copy
PHP_XXH64Final
PHP_XXH64Init
PHP_XXH64Update
TSMClose
TSendMail
ValidateFormat
XML_GetUserData
__zend_calloc
__zend_malloc
__zend_realloc
__zend_strdup
_call_user_function_impl
_convert_to_string@@8
_ecalloc@@16
_efree@@8
_emalloc@@8
_erealloc2@@24
_erealloc@@16
_estrdup@@8
_estrndup@@16
_is_numeric_string_ex@@56
_php_emit_fd_setsize_warning
_php_error_log
_php_error_log_ex
_php_find_ps_module
_php_find_ps_serializer
_php_get_stream_filters_hash
_php_glob_stream_get_count
_php_glob_stream_get_path
_php_glob_stream_get_pattern
_php_math_basetolong
_php_math_basetozval
_php_math_longtobase
_php_math_number_format
_php_math_number_format_ex
_php_math_number_format_long
_php_math_round
_php_math_zvaltobase
_php_stream_alloc
_php_stream_cast
_php_stream_copy_to_mem
_php_stream_copy_to_stream
_php_stream_copy_to_stream_ex
_php_stream_eof
_php_stream_fill_read_buffer
_php_stream_filter_alloc
_php_stream_filter_append
_php_stream_filter_flush
_php_stream_filter_prepend
_php_stream_flush
_php_stream_fopen
_php_stream_fopen_from_fd
_php_stream_fopen_from_file
_php_stream_fopen_from_pipe
_php_stream_fopen_temporary_file
_php_stream_fopen_tmpfile
_php_stream_fopen_with_path
_php_stream_free
_php_stream_free_enclosed
_php_stream_get_line
_php_stream_get_url_stream_wrappers_hash
_php_stream_getc
_php_stream_make_seekable
_php_stream_memory_create
_php_stream_memory_get_buffer
_php_stream_memory_open
_php_stream_mkdir
_php_stream_mmap_range
_php_stream_mmap_unmap
_php_stream_mmap_unmap_ex
_php_stream_mode_to_str
_php_stream_open_wrapper_as_file
_php_stream_open_wrapper_ex
_php_stream_opendir
_php_stream_passthru
_php_stream_printf
_php_stream_putc
_php_stream_puts
_php_stream_read
_php_stream_readdir
_php_stream_rmdir
_php_stream_scandir
_php_stream_seek
_php_stream_set_option
_php_stream_sock_open_from_socket
_php_stream_sock_open_host
_php_stream_stat
_php_stream_stat_path
_php_stream_sync
_php_stream_tell
_php_stream_temp_create
_php_stream_temp_create_ex
_php_stream_temp_open
_php_stream_truncate_set_size
_php_stream_write
_php_stream_xport_create
_safe_emalloc@@24
_safe_erealloc@@32
_safe_malloc@@24
_safe_realloc@@32
_smart_string_alloc@@16
_smart_string_alloc_persistent@@16
_try_convert_to_string@@8
_zend_bailout
_zend_get_special_const
_zend_handle_numeric_str_ex@@24
_zend_hash_index_find@@16
_zend_hash_init@@32
_zend_hash_iterators_update@@24
_zend_mem_block_size@@8
_zend_mm_alloc@@16
_zend_mm_block_size@@16
_zend_mm_free@@16
_zend_mm_realloc2@@32
_zend_mm_realloc@@24
_zend_new_array@@8
_zend_new_array_0@@0
_zend_observer_class_linked_notify@@16
_zend_observer_error_notify
_zend_observer_function_declared_notify@@16
add_assoc_array_ex
add_assoc_bool_ex
add_assoc_double_ex
add_assoc_long_ex
add_assoc_null_ex
add_assoc_object_ex
add_assoc_reference_ex
add_assoc_resource_ex
add_assoc_str_ex
add_assoc_string_ex
add_assoc_stringl_ex
add_assoc_zval_ex
add_function@@24
add_index_array
add_index_bool
add_index_double
add_index_long
add_index_null
add_index_object
add_index_reference
add_index_resource
add_index_str
add_index_string
add_index_stringl
add_next_index_array
add_next_index_bool
add_next_index_double
add_next_index_long
add_next_index_null
add_next_index_object
add_next_index_reference
add_next_index_resource
add_next_index_str
add_next_index_string
add_next_index_stringl
add_property_array_ex
add_property_bool_ex
add_property_double_ex
add_property_long_ex
add_property_null_ex
add_property_object_ex
add_property_reference_ex
add_property_resource_ex
add_property_str_ex
add_property_string_ex
add_property_stringl_ex
add_property_zval_ex
ap_php_asprintf
ap_php_conv_10
ap_php_conv_p2
ap_php_slprintf
ap_php_snprintf
ap_php_vasprintf
ap_php_vslprintf
ap_php_vsnprintf
append_user_shutdown_function
array_set_zval_key
assertion_error_ce
basic_globals
bitwise_and_function@@24
bitwise_not_function@@16
bitwise_or_function@@24
bitwise_xor_function@@24
boolean_not_function@@16
boolean_xor_function@@24
ce_SimpleXMLElement
ce_SimpleXMLIterator
cfg_get_double
cfg_get_entry
cfg_get_entry_ex
cfg_get_long
cfg_get_string
compare_function@@24
compile_file
compile_filename
compile_string
compiler_globals
concat_function@@24
config_zval_dtor
convert_scalar_to_number@@8
convert_to_array@@8
convert_to_boolean@@8
convert_to_double@@8
convert_to_long@@8
convert_to_null@@8
convert_to_object@@8
core_globals
curl_CURLFile_class
curl_CURLStringFile_class
curl_ce
curl_multi_ce
curl_share_ce
decrement_function@@8
destroy_op_array
destroy_uploaded_files_hash
destroy_zend_class
destroy_zend_function
display_ini_entries
display_link_numbers
div_function@@24
do_bind_class
do_bind_function
dom_attr_class_entry
dom_cdatasection_class_entry
dom_characterdata_class_entry
dom_childnode_class_entry
dom_comment_class_entry
dom_document_class_entry
dom_documentfragment_class_entry
dom_documenttype_class_entry
dom_domexception_class_entry
dom_domimplementation_class_entry
dom_element_class_entry
dom_entity_class_entry
dom_entityreference_class_entry
dom_namednodemap_class_entry
dom_namespace_node_class_entry
dom_node_class_entry
dom_nodelist_class_entry
dom_notation_class_entry
dom_object_get_node
dom_parentnode_class_entry
dom_processinginstruction_class_entry
dom_text_class_entry
dom_xpath_class_entry
empty_fcall_info
empty_fcall_info_cache
execute_ex
execute_internal
executor_globals
expand_filepath
expand_filepath_ex
expand_filepath_with_mode
file_globals
finfo_objects_new
flock
fnmatch
free_estring
ftok
function_add_ref
gc_collect_cycles
gc_enable
gc_enabled
gc_possible_root@@8
gc_protect
gc_protected
gc_remove_from_buffer@@8
get_active_class_name
get_active_function_arg_name
get_active_function_name
get_active_function_or_method_name
get_binary_op
get_function_arg_name
get_function_or_method_name
get_timezone_info
get_unary_op
get_zend_version
getrusage
gettimeofday
glob
globfree
highlight_file
highlight_string
increment_function@@8
inet_aton
ini_scanner_globals
init_op_array
instanceof_function_slow@@16
is_equal_function@@24
is_identical_function@@24
is_not_equal_function@@24
is_not_identical_function@@24
is_numeric_str_function@@24
is_smaller_function@@24
is_smaller_or_equal_function@@24
is_zend_mm
is_zend_ptr
json_globals
jump_fcontext
language_scanner_globals
le_index_ptr
lex_scan@@16
localeconv_r
make_digest
make_digest_ex
make_fcontext
make_sha1_digest
mb_fast_convert
mb_illegal_output
mbfl_convert_filter_copy
mbfl_convert_filter_delete
mbfl_convert_filter_devcat
mbfl_convert_filter_feed
mbfl_convert_filter_feed_string
mbfl_convert_filter_flush
mbfl_convert_filter_get_vtbl
mbfl_convert_filter_new
mbfl_convert_filter_new2
mbfl_convert_filter_reset
mbfl_convert_filter_strcat
mbfl_encoding_pass
mbfl_encoding_preferred_mime_name
mbfl_filt_conv_common_ctor
mbfl_filt_conv_common_flush
mbfl_filt_conv_illegal_output
mbfl_filt_conv_pass
mbfl_filter_output_null
mbfl_filter_output_pipe
mbfl_get_supported_encodings
mbfl_memory_device_clear
mbfl_memory_device_devcat
mbfl_memory_device_init
mbfl_memory_device_output
mbfl_memory_device_realloc
mbfl_memory_device_reset
mbfl_memory_device_result
mbfl_memory_device_strcat
mbfl_memory_device_strncat
mbfl_memory_device_unput
mbfl_name2encoding
mbfl_name2language
mbfl_name2no_language
mbfl_no2encoding
mbfl_no2language
mbfl_no_encoding2name
mbfl_no_language2name
mbfl_strcut
mbfl_string_clear
mbfl_string_init
mbfl_string_init_set
mbfl_wchar_device_clear
mbfl_wchar_device_init
mbfl_wchar_device_output
mod_function@@24
module_registry
mul_function@@24
nanosleep
nice

Sections

.text
Size: 10.8MB - Virtual size: 10.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13.2MB - Virtual size: 13.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 147KB - Virtual size: 316KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 451KB - Virtual size: 450KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 149KB - Virtual size: 149KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f4639a0b3116c2cfc71144b88a929cfd

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

shell32

ole32

comctl32

user32

gdi32

kernel32

Sections

.text Size: 26KB - Virtual size: 26KB

.rdata Size: 5KB - Virtual size: 5KB

.data Size: 1KB - Virtual size: 170KB

.ndata Size: - Virtual size: 76KB

.rsrc Size: 49KB - Virtual size: 48KB

85f08eb0cbec010ecbc287fa68321173

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

comdlg32

ole32

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 7KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 2KB - Virtual size: 19KB

.rsrc Size: 512B - Virtual size: 152B

.reloc Size: 1KB - Virtual size: 1KB

509a34b3a68a773e0afb4259e68f9f82

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

ole32

Exports

Exports

Sections

.text Size: 8KB - Virtual size: 8KB

.rdata Size: 1024B - Virtual size: 867B

.data Size: 512B - Virtual size: 120B

.reloc Size: 1024B - Virtual size: 662B

ccc6e30409f96054ca558f4765d32e38

Code Sign

33:00:00:01:e2:f1:7d:92:02:0e:49:f8:7f:00:00:00:00:01:e2Certificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

64:57:97:41:81:d1:09:95:4f:1c:10:95:8c:65:4e:63Certificate

Extended Key Usages

Key Usages

04:3a:7c:79:39:d1:49:44:6f:2d:46:7c:3b:c6:8d:89:67:b1:4b:fd:cd:5f:9f:1d:33:a5:17:9b:41:84:03:0eSigner

04:3a:7c:79:39:d1:49:44:6f:2d:46:7c:3b:c6:8d:89:67:b1:4b:fd:cd:5f:9f:1d:33:a5:17:9b:41:84:03:0eSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

advapi32

ole32

shell32

user32

Sections

.text Size: 103KB - Virtual size: 102KB

.text
Size: 26KB - Virtual size: 26KB

.rdata
Size: 5KB - Virtual size: 5KB

.data
Size: 1KB - Virtual size: 170KB

.ndata
Size: - Virtual size: 76KB

.rsrc
Size: 49KB - Virtual size: 48KB

.text
Size: 7KB - Virtual size: 7KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 2KB - Virtual size: 19KB

.rsrc
Size: 512B - Virtual size: 152B

.reloc
Size: 1KB - Virtual size: 1KB

.text
Size: 8KB - Virtual size: 8KB

.rdata
Size: 1024B - Virtual size: 867B

.data
Size: 512B - Virtual size: 120B

.reloc
Size: 1024B - Virtual size: 662B

33:00:00:01:e2:f1:7d:92:02:0e:49:f8:7f:00:00:00:00:01:e2
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

64:57:97:41:81:d1:09:95:4f:1c:10:95:8c:65:4e:63
Certificate

04:3a:7c:79:39:d1:49:44:6f:2d:46:7c:3b:c6:8d:89:67:b1:4b:fd:cd:5f:9f:1d:33:a5:17:9b:41:84:03:0e
Signer

04:3a:7c:79:39:d1:49:44:6f:2d:46:7c:3b:c6:8d:89:67:b1:4b:fd:cd:5f:9f:1d:33:a5:17:9b:41:84:03:0e
Signer

.text
Size: 103KB - Virtual size: 102KB

.rdata
Size: 34KB - Virtual size: 33KB

.data
Size: 2KB - Virtual size: 5KB

.rsrc
Size: 1.6MB - Virtual size: 1.6MB

.reloc
Size: 5KB - Virtual size: 5KB

.text
Size: 3.7MB - Virtual size: 3.7MB

.rdata
Size: 4.1MB - Virtual size: 4.1MB

.data
Size: 596KB - Virtual size: 1.1MB

.pdata
Size: 96KB - Virtual size: 96KB

.xdata
Size: 512B - Virtual size: 180B

.idata
Size: 1KB - Virtual size: 1KB

.reloc
Size: 83KB - Virtual size: 82KB

.symtab
Size: 512B - Virtual size: 4B

.rsrc
Size: 48KB - Virtual size: 47KB

UPX0
Size: - Virtual size: 18.0MB

UPX1
Size: 7.0MB - Virtual size: 7.0MB

.rsrc
Size: 5KB - Virtual size: 8KB

.text
Size: 10.8MB - Virtual size: 10.8MB

.rdata
Size: 13.2MB - Virtual size: 13.2MB

.data
Size: 147KB - Virtual size: 316KB

.pdata
Size: 451KB - Virtual size: 450KB

.rsrc
Size: 4KB - Virtual size: 4KB

.reloc
Size: 149KB - Virtual size: 149KB