df6e32f680ce5ed5577062d81c64844e90031521c812973b93fec8f26a355cc9

Sharing

Copy URL Twitter E-mail

General

Target

df6e32f680ce5ed5577062d81c64844e90031521c812973b93fec8f26a355cc9
Size

1.0MB
MD5

a672028506e9d1aea6ab3a63bf82b693
SHA1

f20c9cca652593a21f56e2011f41353ca4eb5b40
SHA256

df6e32f680ce5ed5577062d81c64844e90031521c812973b93fec8f26a355cc9
SHA512

a365d77de323955149e7370ae2a2717dab87c62fe68c097c1f9c474409f66898bb76b12ba64f014ef34d371d14db909e631f160e49d2b0e105a980d241ee95cf
SSDEEP

24576:Mgj2FcOw/stTsQ6Rrhh+TrRZSVZ4lTKun+oDc1qWTY:Lj2ij/W52tgT1ZSVZlunkFTY

Score

1^/10

Malware Config

Signatures

Files

df6e32f680ce5ed5577062d81c64844e90031521c812973b93fec8f26a355cc9
.zip
Event Viewer-木马/wdlogin.exe
.exe windows:6 windows x86 arch:x86

3644bdf88251bf3c202459c83b521671

Code Sign

18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

16/07/2036, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0a:00:5d:2e:2b:cd:41:37:16:82:17:d8:c7:27:74:7c
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

16/05/2014, 00:00

Not After

16/05/2015, 23:59

Subject

CN=Beijing JoinHope Image Technology Ltd.,O=Beijing JoinHope Image Technology Ltd.,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:a1:a2:d4:f6:05:f3:5a:38:a7:44:7b:8c:65:cb:bf:58:e6:35:a3
Signer

Actual PE Digest

0e:a1:a2:d4:f6:05:f3:5a:38:a7:44:7b:8c:65:cb:bf:58:e6:35:a3

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\Work\Install_Driver\Driver_helper\Release\wdlogin.pdb

Imports

ws2_32

WSACleanup
WSAStartup
closesocket
send
WSAGetLastError
ntohl
gethostname
ioctlsocket
sendto
recvfrom
freeaddrinfo
getaddrinfo
listen
htonl
accept
select
__WSAFDIsSet
WSAIoctl
WSASetLastError
setsockopt
ntohs
htons
getsockopt
getsockname
getpeername
connect
bind
recv
socket

wldap32

ord46
ord217
ord50
ord60
ord45
ord211
ord41
ord301
ord200
ord30
ord79
ord35
ord33
ord32
ord27
ord26
ord22
ord143

crypt32

CertGetNameStringA
CertCloseStore
CertEnumCertificatesInStore
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertOpenStore
CertAddCertificateContextToStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore

normaliz

IdnToAscii

kernel32

GetDriveTypeW
CreateFileW
FindNextFileW
FindFirstFileExW
FindClose
GetModuleHandleExW
ExitProcess
LoadLibraryExW
RtlUnwind
OutputDebugStringW
InitializeSListHead
GetCurrentThreadId
GetCurrentProcessId
GetStartupInfoW
IsDebuggerPresent
GetFileInformationByHandle
CreateThread
ExitThread
FreeLibraryAndExitThread
SetFilePointerEx
WriteFile
GetCommandLineA
GetCommandLineW
GetConsoleMode
ReadConsoleW
GetConsoleCP
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
MultiByteToWideChar
RaiseException
GetLastError
InitializeCriticalSectionEx
LeaveCriticalSection
DeleteCriticalSection
LoadResource
LockResource
SizeofResource
FindResourceW
FindResourceExW
DecodePointer
CloseHandle
GetModuleFileNameW
GetFileSize
HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetProcessHeap
CreateMutexW
Sleep
GetModuleFileNameA
GetLocalTime
DeleteFileA
CreateFileA
GetFileTime
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
WideCharToMultiByte
GetTickCount
SetLastError
FormatMessageA
SleepEx
VerSetConditionMask
QueryPerformanceFrequency
GetSystemDirectoryA
FreeLibrary
GetModuleHandleA
GetProcAddress
LoadLibraryA
VerifyVersionInfoA
QueryPerformanceCounter
WaitForSingleObjectEx
ExpandEnvironmentStringsA
GetStdHandle
WriteConsoleW
ReadFile
PeekNamedPipe
WaitForMultipleObjects
GetFileSizeEx
SetUnhandledExceptionFilter
UnhandledExceptionFilter
ResetEvent
SetEvent
GetUserDefaultLCID
IsValidLocale
EnumSystemLocalesW
GetFileAttributesExW
GetCurrentDirectoryW
GetFullPathNameW
SetStdHandle
FlushFileBuffers
GetTimeZoneInformation
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetEndOfFile
EnterCriticalSection
GetFileType
GetCPInfo
GetStringTypeW
GetLocaleInfoW
LCMapStringW
CompareStringW
GetModuleHandleW
GetSystemTimeAsFileTime
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
SwitchToThread
CreateEventW
InitializeCriticalSectionAndSpinCount
EncodePointer

user32

MessageBoxA

advapi32

CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGenRandom
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
RegSetValueExW
RegQueryValueExW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW

shell32

SHGetSpecialFolderPathA

ole32

CoUninitialize
CoInitialize
CoCreateInstance

shlwapi

PathAppendA
PathFindFileNameA
PathRemoveExtensionA
PathRemoveFileSpecA
PathFindFileNameW

Sections

.text
Size: 523KB - Virtual size: 522KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 122KB - Virtual size: 122KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 952B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Event Viewer-木马/wrme.exe
.exe windows:6 windows x86 arch:x86

dcea574f525f79697a429cb9a42318af

Code Sign

18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

16/07/2036, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0a:00:5d:2e:2b:cd:41:37:16:82:17:d8:c7:27:74:7c
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

16/05/2014, 00:00

Not After

16/05/2015, 23:59

Subject

CN=Beijing JoinHope Image Technology Ltd.,O=Beijing JoinHope Image Technology Ltd.,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

81:c3:18:b1:81:36:bc:76:7c:f1:26:6d:ca:73:e3:a2:4b:c0:28:bb
Signer

Actual PE Digest

81:c3:18:b1:81:36:bc:76:7c:f1:26:6d:ca:73:e3:a2:4b:c0:28:bb

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\Work\Install_Driver\Driver_helper\Release\wrme.pdb

Imports

dxgi

CreateDXGIFactory

ws2_32

connect
getpeername
getsockname
recv
socket
WSAGetLastError
send
closesocket
WSACleanup
WSAStartup
getsockopt
ntohl
gethostname
ioctlsocket
sendto
recvfrom
freeaddrinfo
getaddrinfo
listen
htonl
accept
select
__WSAFDIsSet
WSAIoctl
WSASetLastError
setsockopt
ntohs
htons
bind

wldap32

ord26
ord27
ord22
ord41
ord50
ord45
ord60
ord211
ord46
ord217
ord143
ord32
ord33
ord301
ord200
ord30
ord79
ord35

crypt32

CertGetNameStringA
CertCloseStore
CertEnumCertificatesInStore
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertOpenStore
CertAddCertificateContextToStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore

normaliz

IdnToAscii

shell32

ShellExecuteExW

kernel32

GetCPInfo
GetStringTypeW
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
GetCurrentThreadId
InitializeSListHead
RtlUnwind
LoadLibraryExW
ExitProcess
GetFileInformationByHandle
CreateThread
ExitThread
FreeLibraryAndExitThread
GetCommandLineW
GetConsoleMode
ReadConsoleW
LCMapStringW
CompareStringW
GetSystemTimeAsFileTime
TlsFree
TlsSetValue
TlsGetValue
DecodePointer
CloseHandle
RaiseException
GetLastError
HeapAlloc
HeapReAlloc
HeapFree
HeapSize
GetProcessHeap
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
CreateMutexW
Sleep
GetLocalTime
GetWindowsDirectoryA
GetModuleFileNameW
MultiByteToWideChar
OutputDebugStringA
VerSetConditionMask
GetDriveTypeW
GetCurrentProcess
GetSystemInfo
GetVersionExA
GetModuleHandleW
GetProcAddress
VerifyVersionInfoW
GetConsoleCP
WideCharToMultiByte
OutputDebugStringW
SetFilePointerEx
TerminateProcess
UnhandledExceptionFilter
GetModuleHandleExW
LocalFree
CreateFileW
DeviceIoControl
CreateFileA
FindClose
FindNextFileW
ReadFile
WriteFile
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
ExpandEnvironmentStringsA
FreeLibrary
GetCurrentDirectoryW
SetLastError
FormatMessageA
SleepEx
QueryPerformanceFrequency
GetSystemDirectoryA
GetModuleHandleA
LoadLibraryA
VerifyVersionInfoA
QueryPerformanceCounter
WaitForSingleObjectEx
GetStdHandle
GetFileType
PeekNamedPipe
WaitForMultipleObjects
GetFileSizeEx
TlsAlloc
CreateEventW
InitializeCriticalSectionAndSpinCount
EncodePointer
SetUnhandledExceptionFilter
GetCurrentProcessId
GetCommandLineA
FlushFileBuffers
GetFullPathNameW
SetStdHandle
GetTimeZoneInformation
FindFirstFileExW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetFileAttributesExW
SetEndOfFile
WriteConsoleW
GetTickCount

user32

GetSystemMetrics

advapi32

CryptReleaseContext
CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptAcquireContextA
RegSetValueExW
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
CryptGetHashParam
CryptGenRandom
CryptHashData
CryptCreateHash
CryptDestroyHash

ole32

CoInitialize
CoInitializeEx
CoCreateInstance
CoUninitialize
CoSetProxyBlanket
CoInitializeSecurity

oleaut32

VariantInit
VariantClear
SysFreeString
SysAllocString

shlwapi

PathRemoveFileSpecW
PathAppendA
PathAppendW

iphlpapi

GetAdaptersInfo

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

Sections

.text
Size: 480KB - Virtual size: 479KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 116KB - Virtual size: 115KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Event Viewer-木马/wuhost.exe
.exe windows:6 windows x86 arch:x86

4a26c10d101657fd63f31ce7ce361a29

Code Sign

18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

16/07/2036, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0a:00:5d:2e:2b:cd:41:37:16:82:17:d8:c7:27:74:7c
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

16/05/2014, 00:00

Not After

16/05/2015, 23:59

Subject

CN=Beijing JoinHope Image Technology Ltd.,O=Beijing JoinHope Image Technology Ltd.,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

6a:d8:08:1d:d5:39:9a:d3:d1:d1:2c:4b:52:61:bd:47:04:a1:21:a0
Signer

Actual PE Digest

6a:d8:08:1d:d5:39:9a:d3:d1:d1:2c:4b:52:61:bd:47:04:a1:21:a0

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\Work\Install_Driver\Driver_helper\Release\wuhost.pdb

Imports

ws2_32

ntohs
htons
getsockopt
getsockname
getpeername
connect
bind
recv
socket
WSAGetLastError
send
closesocket
setsockopt
ntohl
gethostname
ioctlsocket
sendto
recvfrom
freeaddrinfo
getaddrinfo
listen
htonl
accept
select
__WSAFDIsSet
WSACleanup
WSAStartup
WSAIoctl
WSASetLastError

wldap32

ord27
ord22
ord41
ord50
ord45
ord30
ord32
ord60
ord211
ord46
ord217
ord26
ord33
ord301
ord200
ord35
ord79
ord143

crypt32

CryptQueryObject
CertCloseStore
CertEnumCertificatesInStore
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CertOpenStore
CertGetNameStringA
CertAddCertificateContextToStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore

normaliz

IdnToAscii

kernel32

ResetEvent
SetEvent
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetStartupInfoW
GetCurrentThreadId
InitializeSListHead
RtlUnwind
LoadLibraryExW
GetFileInformationByHandle
CreateThread
ExitThread
FreeLibraryAndExitThread
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
HeapFree
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
HeapSize
GetLastError
HeapReAlloc
RaiseException
HeapAlloc
DecodePointer
DeleteCriticalSection
GetProcessHeap
CreateMutexW
Sleep
CloseHandle
GetModuleFileNameA
SetPriorityClass
GetCurrentProcess
SetThreadPriority
CopyFileA
GetFileAttributesA
OutputDebugStringW
GetCurrentThread
DeleteFileA
DeleteFileW
GetLocalTime
GetProcAddress
ExitProcess
CreateProcessW
GetModuleHandleW
CreateFileW
GetFileSize
ReadFile
WriteFile
SetFilePointerEx
GetDriveTypeW
FindClose
GetTickCount
FindNextFileW
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
MoveFileExW
LocalFree
GetModuleFileNameW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
TerminateProcess
GetModuleHandleExW
GetCurrentProcessId
WideCharToMultiByte
MultiByteToWideChar
GetCurrentDirectoryW
FreeLibrary
ExpandEnvironmentStringsA
VerSetConditionMask
GetCommandLineA
SetLastError
FormatMessageA
SleepEx
QueryPerformanceFrequency
GetSystemDirectoryA
GetModuleHandleA
LoadLibraryA
VerifyVersionInfoA
QueryPerformanceCounter
WaitForSingleObjectEx
GetStdHandle
GetFileType
PeekNamedPipe
WaitForMultipleObjects
CreateFileA
GetFileSizeEx
ReadConsoleW
GetCPInfo
GetStringTypeW
GetLocaleInfoW
LCMapStringW
CompareStringW
EncodePointer
GetConsoleMode
GetCommandLineW
GetConsoleCP
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
GetFullPathNameW
SetStdHandle
GetTimeZoneInformation
FindFirstFileExW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetFileAttributesExW
SetEndOfFile
WriteConsoleW
TlsGetValue
TlsAlloc
SwitchToThread
CreateEventW
InitializeCriticalSectionAndSpinCount

advapi32

CryptImportKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGenRandom
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
RegSetValueExW
RegQueryValueExW
RegCloseKey
RegDeleteValueW
RegCreateKeyExW
RegOpenKeyExW
CryptEncrypt
CryptDestroyKey

shell32

SHGetFolderPathA
SHChangeNotify
ShellExecuteExA
ShellExecuteA

ole32

CoInitialize
CoUninitialize
CoCreateInstance

oleaut32

VariantClear

shlwapi

PathFindFileNameA
PathFindFileNameW
PathFileExistsA
PathAppendA

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 583KB - Virtual size: 583KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 127KB - Virtual size: 127KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 952B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3644bdf88251bf3c202459c83b521671

Code Sign

18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4aCertificate

Key Usages

0a:00:5d:2e:2b:cd:41:37:16:82:17:d8:c7:27:74:7cCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

0e:a1:a2:d4:f6:05:f3:5a:38:a7:44:7b:8c:65:cb:bf:58:e6:35:a3Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ws2_32

wldap32

crypt32

normaliz

kernel32

user32

advapi32

shell32

ole32

shlwapi

Sections

.text Size: 523KB - Virtual size: 522KB

.rdata Size: 122KB - Virtual size: 122KB

.data Size: 4KB - Virtual size: 8KB

.rsrc Size: 1024B - Virtual size: 952B

.reloc Size: 23KB - Virtual size: 22KB

dcea574f525f79697a429cb9a42318af

Code Sign

18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4aCertificate

Key Usages

0a:00:5d:2e:2b:cd:41:37:16:82:17:d8:c7:27:74:7cCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

81:c3:18:b1:81:36:bc:76:7c:f1:26:6d:ca:73:e3:a2:4b:c0:28:bbSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

dxgi

ws2_32

wldap32

crypt32

normaliz

shell32

kernel32

user32

advapi32

ole32

oleaut32

shlwapi

iphlpapi

version

Sections

.text Size: 480KB - Virtual size: 479KB

.rdata Size: 116KB - Virtual size: 115KB

.data Size: 3KB - Virtual size: 9KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 21KB - Virtual size: 21KB

4a26c10d101657fd63f31ce7ce361a29

Code Sign

18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4aCertificate

Key Usages

0a:00:5d:2e:2b:cd:41:37:16:82:17:d8:c7:27:74:7cCertificate

Extended Key Usages

Key Usages

18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Certificate

0a:00:5d:2e:2b:cd:41:37:16:82:17:d8:c7:27:74:7c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

0e:a1:a2:d4:f6:05:f3:5a:38:a7:44:7b:8c:65:cb:bf:58:e6:35:a3
Signer

.text
Size: 523KB - Virtual size: 522KB

.rdata
Size: 122KB - Virtual size: 122KB

.data
Size: 4KB - Virtual size: 8KB

.rsrc
Size: 1024B - Virtual size: 952B

.reloc
Size: 23KB - Virtual size: 22KB

18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Certificate

0a:00:5d:2e:2b:cd:41:37:16:82:17:d8:c7:27:74:7c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

81:c3:18:b1:81:36:bc:76:7c:f1:26:6d:ca:73:e3:a2:4b:c0:28:bb
Signer

.text
Size: 480KB - Virtual size: 479KB

.rdata
Size: 116KB - Virtual size: 115KB

.data
Size: 3KB - Virtual size: 9KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 21KB - Virtual size: 21KB

18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Certificate

0a:00:5d:2e:2b:cd:41:37:16:82:17:d8:c7:27:74:7c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

6a:d8:08:1d:d5:39:9a:d3:d1:d1:2c:4b:52:61:bd:47:04:a1:21:a0
Signer

.text
Size: 583KB - Virtual size: 583KB

.rdata
Size: 127KB - Virtual size: 127KB

.data
Size: 4KB - Virtual size: 8KB

.rsrc
Size: 1024B - Virtual size: 952B

.reloc
Size: 25KB - Virtual size: 25KB