blankgrabber | ValoaimV9[.]rar

Sharing

Copy URL Twitter E-mail

General

Target

ValoaimV9.rar
Size

7.0MB
MD5

2d1f4359801b13423f7723abba1877ae
SHA1

7a60bc669978fab88664530d6fddd701c8cc3893
SHA256

b4e66eee45c58565b1cffb6f413a27bff72d376e6fe055c36ff092abd98b492a
SHA512

53b6bcd7c94a3eefc863c04d15f8675dff21e8939aae913d767d0ec425a7b21ca0d242a9a5a4b1b483ef9965a333ef9c702c6ca78ad2932e5d6b64790df53b5f
SSDEEP

196608:vJCSOS2xPXSjWIEMMIIvneg8K0Q3QcnozrYPazf+1f8:cSOSaX/5vegJlpwrXfM8

Score

10^/10

blankgrabber

Malware Config

Signatures

A stealer written in Python and packaged with Pyinstaller 1 IoCs

resource	yara_rule
static1/unpack002/�P{�I�.pyc	blankgrabber

Blankgrabber family
blankgrabber

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/ValoaimV9.exe
unpack001/XInput1_4.dll
unpack001/rasadhlp.dll

Files

ValoaimV9.rar
.rar
How to use.txt
ValoaimV9.exe
.exe windows:5 windows x64 arch:x64

f4f2e2b03fe5666a721620fcea3aea9b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

user32

CreateWindowExW
PostMessageW
GetMessageW
MessageBoxW
MessageBoxA
SystemParametersInfoW
DestroyIcon
SetWindowLongPtrW
GetWindowLongPtrW
GetClientRect
InvalidateRect
ReleaseDC
GetDC
DrawTextW
GetDialogBaseUnits
EndDialog
DialogBoxIndirectParamW
MoveWindow
SendMessageW

comctl32

ord380

kernel32

IsValidCodePage
GetStringTypeW
GetFileAttributesExW
HeapReAlloc
FlushFileBuffers
GetCurrentDirectoryW
GetACP
GetOEMCP
GetModuleHandleW
MulDiv
GetLastError
SetDllDirectoryW
CreateFileW
GetFinalPathNameByHandleW
CloseHandle
GetModuleFileNameW
CreateSymbolicLinkW
GetCPInfo
GetCommandLineW
GetEnvironmentVariableW
SetEnvironmentVariableW
ExpandEnvironmentStringsW
CreateDirectoryW
GetTempPathW
WaitForSingleObject
Sleep
GetExitCodeProcess
CreateProcessW
GetStartupInfoW
FreeLibrary
LoadLibraryExW
SetConsoleCtrlHandler
FindClose
FindFirstFileExW
GetCurrentProcess
LocalFree
FormatMessageW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
GetTimeZoneInformation
HeapSize
WriteConsoleW
SetEndOfFile
GetProcAddress
GetSystemTimeAsFileTime
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
InitializeSListHead
IsDebuggerPresent
RtlUnwindEx
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
EncodePointer
RaiseException
RtlPcToFileHeader
GetCommandLineA
GetDriveTypeW
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetFullPathNameW
RemoveDirectoryW
FindNextFileW
SetStdHandle
DeleteFileW
ReadFile
GetStdHandle
WriteFile
ExitProcess
GetModuleHandleExW
HeapFree
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetConsoleOutputCP
GetFileSizeEx
HeapAlloc
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
CompareStringW
LCMapStringW

advapi32

OpenProcessToken
GetTokenInformation
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

gdi32

SelectObject
DeleteObject
CreateFontIndirectW

Sections

.text
Size: 172KB - Virtual size: 171KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 76KB - Virtual size: 75KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 500B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
�P{�I�.pyc
XInput1_4.dll
.dll windows:10 windows x64 arch:x64

d05a85d591f6e82ba032f8ecb86de7bf

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

XInput1_4.pdb

Imports

msvcrt

_initterm
memcpy
malloc
free
_amsg_exit
_XcptFilter
_wcsnicmp
__C_specific_handler
_vsnwprintf
memset

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceLoggerHandle
UnregisterTraceGuids
RegisterTraceGuidsW
TraceMessage
GetTraceEnableFlags
GetTraceEnableLevel

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetVersionExW
GetSystemInfo
GetTickCount

api-ms-win-core-quirks-l1-1-0

QuirkIsEnabled

api-ms-win-security-base-l1-1-0

GetTokenInformation

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
GetProcAddress
FreeLibrary
LoadLibraryExW
LoadLibraryExA

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter
RaiseException
GetLastError
SetLastError

api-ms-win-core-synch-l1-2-0

InitOnceExecuteOnce
Sleep

api-ms-win-core-synch-l1-1-0

DeleteCriticalSection
ResetEvent
LeaveCriticalSection
SetEvent
CreateEventW
AcquireSRWLockExclusive
InitializeCriticalSection
WaitForSingleObject
ReleaseSRWLockExclusive
EnterCriticalSection

api-ms-win-core-processthreads-l1-1-0

CreateThread
TerminateProcess
GetCurrentThreadId
GetCurrentProcessId
GetCurrentProcess

api-ms-win-core-io-l1-1-0

DeviceIoControl
GetOverlappedResult

api-ms-win-core-com-l1-1-0

CoCreateInstance

api-ms-win-core-file-l1-1-0

CreateFileW

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapFree
HeapAlloc

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventWriteTransfer
EventRegister
EventSetInformation

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry

api-ms-win-devices-query-l1-1-0

DevCloseObjectQuery
DevCreateObjectQuery

api-ms-win-rtcore-ntuser-private-l1-1-4

ord2597

devobj

DevObjGetDeviceProperty
DevObjCreateDeviceInfoList
DevObjGetClassDevs
DevObjEnumDeviceInfo
DevObjEnumDeviceInterfaces
DevObjGetDeviceInterfaceDetail
DevObjDestroyDeviceInfoList

api-ms-win-downlevel-kernel32-l1-1-0

QueueUserWorkItem

api-ms-win-core-memory-l1-1-0

VirtualQuery
VirtualProtect

Exports

Exports

DllMain
XInputEnable
XInputGetAudioDeviceIds
XInputGetBatteryInformation
XInputGetCapabilities
XInputGetKeystroke
XInputGetState
XInputSetState

Sections

.text
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 80B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
mfcm140u.dll
.dll windows:6 windows x64 arch:x64

3504912454b3d7dc5a9dc9973a496284

Code Sign

33:00:00:00:e5:ce:9e:eb:de:4d:48:35:f4:00:00:00:00:00:e5
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2013,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/02/2023, 22:33

Not After

31/01/2024, 22:33

Subject

CN=Microsoft Windows Software Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:14:9d:fb:c3:1f:1f:63:c3:10:00:00:00:00:00:14
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01/05/2013, 20:44

Not After

01/05/2028, 20:54

Subject

CN=Microsoft Windows Third Party Component CA 2013,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:03:3c:2b:0a:49:d9:d2:91:7e:ac:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/02/2023, 20:10

Not After

31/01/2024, 20:10

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

11:3a:8d:c1:14:39:2a:bb:93:e5:6e:11:1e:32:7c:c9:95:4d:f2:e0:ca:ed:0c:1e:38:d2:43:c0:07:4c:3e:d9
Signer

Actual PE Digest

11:3a:8d:c1:14:39:2a:bb:93:e5:6e:11:1e:32:7c:c9:95:4d:f2:e0:ca:ed:0c:1e:38:d2:43:c0:07:4c:3e:d9

Digest Algorithm

sha256

PE Digest Matches

true

11:3a:8d:c1:14:39:2a:bb:93:e5:6e:11:1e:32:7c:c9:95:4d:f2:e0:ca:ed:0c:1e:38:d2:43:c0:07:4c:3e:d9
Signer

Actual PE Digest

11:3a:8d:c1:14:39:2a:bb:93:e5:6e:11:1e:32:7c:c9:95:4d:f2:e0:ca:ed:0c:1e:38:d2:43:c0:07:4c:3e:d9

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\MFCM140U.amd64.pdb

Imports

kernel32

DecodePointer
GetLastError
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
Sleep
TerminateProcess
GetCurrentProcess
OutputDebugStringW
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-crt-heap-l1-1-0

free
_callnewh
malloc

vcruntime140

__FrameUnwindFilter
_CxxThrowException
_purecall
memset
__current_exception
__C_specific_handler
__std_exception_copy
memcpy
__current_exception_context
__std_type_info_destroy_list
__std_exception_destroy

vcruntime140_1

__CxxFrameHandler4

user32

CopyRect
GetWindow
SetWindowPos
PostMessageW
SendMessageW
GetClientRect

mfc140u

ord5227
ord7922
ord9941
ord7461
ord6256
ord2344
ord13499
ord7460
ord5749
ord5062
ord5229
ord5083
ord5569
ord5339
ord9041
ord5552
ord5363
ord2336
ord2234
ord5080
ord473
ord2212
ord7389
ord3504
ord12025
ord2527
ord2519
ord4250
ord13198
ord13197
ord7450
ord4334
ord8042
ord13862
ord13760
ord8506
ord13131
ord5236
ord7549
ord13766
ord8470
ord8467
ord5346
ord12611
ord13496
ord7835
ord7838
ord3795
ord3201
ord3202
ord8900
ord2222
ord2221
ord269
ord1503
ord1031
ord1641
ord1033
ord3847
ord2314
ord4006
ord3208
ord6128
ord6722
ord2497
ord823
ord1343
ord7173
ord11902
ord7424
ord6074
ord11851
ord11805
ord3713
ord371
ord8917
ord3205
ord10199
ord3172
ord11435
ord8614

api-ms-win-crt-runtime-l1-1-0

_initialize_onexit_table
_configure_narrow_argv
_seh_filter_dll
_execute_onexit_table
_crt_atexit
_initterm
_initterm_e
terminate
abort
_register_onexit_function
_cexit
_initialize_narrow_environment

mscoree

_CorDllMain

Exports

Exports

AfxmReleaseManagedReferences

Sections

.text
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.nep
Size: 1024B - Virtual size: 528B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 660B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 976B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
rasadhlp.dll
.dll windows:10 windows x64 arch:x64

feaf8ef2a61d5237fd324d1624a3894b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

rasadhlp.pdb

Imports

msvcrt

__C_specific_handler
free
_amsg_exit
_XcptFilter
memcpy
_initterm
_strlwr
malloc
memset

ntdll

RtlCaptureContext
NtCreateFile
NtDeviceIoControlFile
RtlInitUnicodeString
RtlLookupFunctionEntry
RtlVirtualUnwind

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExW
FreeLibrary
GetProcAddress
DisableThreadLibraryCalls

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegOpenKeyExW
RegCloseKey

api-ms-win-core-heap-obsolete-l1-1-0

LocalFree
LocalAlloc

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentProcessId
GetCurrentThreadId
GetCurrentProcess

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

api-ms-win-core-synch-l1-1-0

WaitForSingleObject
CreateEventW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

AcsHlpNbConnection
WSAttemptAutodialAddr
WSAttemptAutodialName
WSNoteSuccessfulHostentLookup

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 528B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
umpdc.dll
.dll windows:10 windows x64 arch:x64

171c26bd72218e670b2c74db98a744ab

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

6d:ff:ff:ac:d1:4a:f1:b5:59:9f:b9:b9:38:15:58:e2:1d:d4:b4:ca:69:1e:6c:4b:15:8d:00:60:39:1e:a9:ab
Signer

Actual PE Digest

6d:ff:ff:ac:d1:4a:f1:b5:59:9f:b9:b9:38:15:58:e2:1d:d4:b4:ca:69:1e:6c:4b:15:8d:00:60:39:1e:a9:ab

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

UMPDC.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm
_initterm_e

api-ms-win-crt-private-l1-1-0

_o__cexit
_o__configure_narrow_argv
_o__execute_onexit_table
_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__seh_filter_dll
memcpy
__C_specific_handler
_o___std_type_info_destroy_list

api-ms-win-crt-string-l1-1-0

memset

ntdll

ZwClose
AlpcGetMessageAttribute
AlpcInitializeMessageAttribute
TpWaitForAlpcCompletion
ZwAlpcConnectPort
RtlWaitOnAddress
RtlInitUnicodeString
ZwAlpcQueryInformation
TpReleaseAlpcCompletion
EtwEventWriteTransfer
ZwAlpcDisconnectPort
TpAllocAlpcCompletion
RtlWakeAddressAll
ZwAlpcCancelMessage
RtlFreeHeap
RtlAllocateHeap
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
EtwEventSetInformation
NtPowerInformation
EtwEventRegister
EtwEventUnregister
vDbgPrintEx
ZwAlpcSendWaitReceivePort

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcessId
GetCurrentProcess
TerminateProcess

api-ms-win-core-sysinfo-l1-1-0

GetTickCount64
GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetLastError

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
GetModuleFileNameW

api-ms-win-core-synch-l1-1-0

CreateMutexW
WaitForSingleObjectEx
InitializeSRWLock
ReleaseSRWLockShared
AcquireSRWLockShared
ReleaseMutex
ReleaseSRWLockExclusive
AcquireSRWLockExclusive

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
SetThreadpoolTimer
CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpool
CreateThreadpool

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

PdcAcquireRwLockExclusive
PdcActivationClientActivityRequest
PdcActivationClientRegister
PdcActivationClientUnregister
PdcAllocate
PdcFree
PdcNotificationClientAcknowledge
PdcNotificationClientRegister
PdcNotificationClientUnregister
PdcPortClose
PdcPortOpen
PdcPortSendMessage
PdcPortSendMessageSynchronously
PdcPpmProfileClientRegister
PdcPpmProfileClientUnregister
PdcPpmProfileDisable
PdcPpmProfileEnable
PdcReleaseRwLockExclusive
PdcResiliencyClientAcknowledge
PdcResiliencyClientRegister
PdcResiliencyClientUnregister
PdcRwLockInitialize
PdcSignalClientPulse
PdcSignalClientRegister
PdcSignalClientSetActive
PdcSignalClientUnregister
PdcSleep
PdcTaskClientRegister
PdcTaskClientRequest
PdcTaskClientUnregister
Pdcv2ActivationClientActivate
Pdcv2ActivationClientDeactivate
Pdcv2ActivationClientRegister
Pdcv2ActivationClientRenewActivation
Pdcv2ActivationClientSetBrokeredProcessId
Pdcv2ActivationClientUnregister
SleepstudyHelperBlockerActiveDereference
SleepstudyHelperBlockerActiveReference
SleepstudyHelperBuildBlocker
SleepstudyHelperCreateBlockerFromGuid
SleepstudyHelperCreateLibrary
SleepstudyHelperDestroyBlocker
SleepstudyHelperDestroyBlockerBuilder
SleepstudyHelperDestroyLibrary
SleepstudyHelperGetBlockerGuid
SleepstudyHelperSetBlockerFriendlyName
SleepstudyHelperSetBlockerParentHandle
SleepstudyHelperSetBlockerVisible

Sections

.text
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 76B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f4f2e2b03fe5666a721620fcea3aea9b

Headers

DLL Characteristics

File Characteristics

Imports

user32

comctl32

kernel32

advapi32

gdi32

Sections

.text Size: 172KB - Virtual size: 171KB

.rdata Size: 76KB - Virtual size: 75KB

.data Size: 3KB - Virtual size: 12KB

.pdata Size: 9KB - Virtual size: 8KB

_RDATA Size: 512B - Virtual size: 500B

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 2KB - Virtual size: 1KB

d05a85d591f6e82ba032f8ecb86de7bf

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-quirks-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-devices-query-l1-1-0

api-ms-win-rtcore-ntuser-private-l1-1-4

devobj

api-ms-win-downlevel-kernel32-l1-1-0

api-ms-win-core-memory-l1-1-0

Exports

Exports

Sections

.text Size: 29KB - Virtual size: 29KB

.rdata Size: 9KB - Virtual size: 9KB

.data Size: 512B - Virtual size: 2KB

.pdata Size: 1KB - Virtual size: 1KB

.didat Size: 512B - Virtual size: 32B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 80B

3504912454b3d7dc5a9dc9973a496284

Code Sign

33:00:00:00:e5:ce:9e:eb:de:4d:48:35:f4:00:00:00:00:00:e5Certificate

Extended Key Usages

33:00:00:00:14:9d:fb:c3:1f:1f:63:c3:10:00:00:00:00:00:14Certificate

Key Usages

33:00:00:03:3c:2b:0a:49:d9:d2:91:7e:ac:00:00:00:00:03:3cCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

11:3a:8d:c1:14:39:2a:bb:93:e5:6e:11:1e:32:7c:c9:95:4d:f2:e0:ca:ed:0c:1e:38:d2:43:c0:07:4c:3e:d9Signer

11:3a:8d:c1:14:39:2a:bb:93:e5:6e:11:1e:32:7c:c9:95:4d:f2:e0:ca:ed:0c:1e:38:d2:43:c0:07:4c:3e:d9Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

.text
Size: 172KB - Virtual size: 171KB

.rdata
Size: 76KB - Virtual size: 75KB

.data
Size: 3KB - Virtual size: 12KB

.pdata
Size: 9KB - Virtual size: 8KB

_RDATA
Size: 512B - Virtual size: 500B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 2KB - Virtual size: 1KB

.text
Size: 29KB - Virtual size: 29KB

.rdata
Size: 9KB - Virtual size: 9KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 1KB - Virtual size: 1KB

.didat
Size: 512B - Virtual size: 32B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 80B

33:00:00:00:e5:ce:9e:eb:de:4d:48:35:f4:00:00:00:00:00:e5
Certificate

33:00:00:00:14:9d:fb:c3:1f:1f:63:c3:10:00:00:00:00:00:14
Certificate

33:00:00:03:3c:2b:0a:49:d9:d2:91:7e:ac:00:00:00:00:03:3c
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

11:3a:8d:c1:14:39:2a:bb:93:e5:6e:11:1e:32:7c:c9:95:4d:f2:e0:ca:ed:0c:1e:38:d2:43:c0:07:4c:3e:d9
Signer

11:3a:8d:c1:14:39:2a:bb:93:e5:6e:11:1e:32:7c:c9:95:4d:f2:e0:ca:ed:0c:1e:38:d2:43:c0:07:4c:3e:d9
Signer

.text
Size: 16KB - Virtual size: 16KB

.nep
Size: 1024B - Virtual size: 528B

.rdata
Size: 51KB - Virtual size: 51KB

.data
Size: 2KB - Virtual size: 4KB

.pdata
Size: 1024B - Virtual size: 660B

.rsrc
Size: 1024B - Virtual size: 976B

.reloc
Size: 512B - Virtual size: 244B

.text
Size: 7KB - Virtual size: 6KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 1024B - Virtual size: 528B

.didat
Size: 512B - Virtual size: 16B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 44B

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

6d:ff:ff:ac:d1:4a:f1:b5:59:9f:b9:b9:38:15:58:e2:1d:d4:b4:ca:69:1e:6c:4b:15:8d:00:60:39:1e:a9:ab
Signer