neshta | SQLi_Dumper[.]rar

Sharing

Copy URL

Twitter E-mail

General

Target

SQLi_Dumper.rar
Size

4.4MB
MD5

c844dbd74cc3a75f26375d7f5ae22e2c
SHA1

812a3ea938525a0fa662336ba6098d859a8740e8
SHA256

a9e37d93c75519978a510dbfd6ff292339783062acb18ee95cb6df5f65978cda
SHA512

81a1f29bd4ac1bc3869699e7a8ab990de07fc29a7b1ed4392db0f5ba5f14f9571ea77d61ebb177f591945b8c15e64b4368237e93db6878fa5a85baf15d3d88cd
SSDEEP

98304:BX4A3EfxCzIznluLrShKZhOVJ1IaCX05aMEMpwlpI6J6FGHhr5x:2A8CzolqrRhOAXqapXdikz

Score

10^/10

neshta redline

Malware Config

Signatures

Detect Neshta payload 1 IoCs

resource	yara_rule
static1/unpack001/SQLi_Dumper/SQli-Dumper-cleaned.exe	family_neshta

Neshta family
neshta

RedLine payload 1 IoCs

resource	yara_rule
static1/unpack001/SQLi_Dumper/SQli-Dumper-cleaned.exe	family_redline

Redline family
redline

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/SQLi_Dumper/ChilkatDotNet2.dll
unpack001/SQLi_Dumper/ControlsGui.dll
unpack001/SQLi_Dumper/SQli-Dumper-cleaned.exe
unpack001/SQLi_Dumper/TXT/SQLi Dumper-cleaned.exe

Files

SQLi_Dumper.rar
.rar
SQLi_Dumper/ChilkatDotNet2.dll
.dll windows:4 windows x86 arch:x86

df14ae5e0ef0bf3ed00e41ee4d3f519e

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\Ck2000\components\ChilkatDotNet2\release\ChilkatDotNet2.pdb

Imports

msvcr80

_rmdir
remove
clock
rename
realloc
malloc
isdigit
strtol
strpbrk
fgets
fputc
fgetc
printf
_setmode
__iob_func
__FrameUnwindFilter
_cexit
__CxxQueryExceptionSize
__CxxExceptionFilter
__CxxRegisterExceptionObject
__CxxDetectRethrow
__CxxUnregisterExceptionObject
_fileno
_crt_debugger_hook
_except_handler4_common
__clean_type_info_names_internal
?_type_info_dtor_internal_method@type_info@@QAEXXZ
?terminate@@YAXXZ
_onexit
_lock
__dllonexit
_unlock
__CppXcptFilter
_adjust_fdiv
_amsg_exit
_initterm_e
_initterm
_decode_pointer
free
_encoded_null
_malloc_crt
_encode_pointer
srand
towupper
towlower
isalnum
atoi
floor
__timezone
_time64
_mktime64
_localtime64
_gmtime64
_filelengthi64
_filelength
fwrite
fread
ferror
ftell
_telli64
fseek
_atoi64
qsort
memmove
rand
memchr
fopen
fprintf
fclose
_wcsicmp
getenv
sprintf
toupper
tolower
sscanf
memcpy
memset
??2@YAPAXI@Z
strrchr
_purecall
strstr
_stricmp
strncmp
_strnicmp
strncpy
__CxxFrameHandler3
strchr
??3@YAXPAX@Z

kernel32

GetFullPathNameW
GetFullPathNameA
GetCurrentDirectoryA
GetCurrentDirectoryW
GetTempPathW
GetTempPathA
GetModuleFileNameW
CopyFileW
CopyFileA
GetModuleFileNameA
DeleteFileA
SetCurrentDirectoryW
SetCurrentDirectoryA
RemoveDirectoryW
CreateDirectoryA
SetFileAttributesA
SetFileAttributesW
GetFileAttributesA
GetFileAttributesW
CreateFileA
MoveFileW
MoveFileA
CreateDirectoryW
FindClose
FindNextFileA
FindFirstFileA
SetFilePointer
CloseHandle
GetFileTime
SetFileTime
FormatMessageA
WriteFile
GetFileSize
InitializeCriticalSection
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetVersionExA
CreateFileW
FileTimeToSystemTime
SystemTimeToFileTime
CompareFileTime
FileTimeToDosDateTime
GetSystemTime
GetLocalTime
LocalFileTimeToFileTime
FileTimeToLocalFileTime
GetTimeZoneInformation
InterlockedExchange
InterlockedCompareExchange
DisableThreadLibraryCalls
QueryPerformanceCounter
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetComputerNameA
GetOEMCP
GetACP
GetTickCount
Sleep
GetLastError
LocalFree
GetModuleHandleA
GetDiskFreeSpaceA
GetDriveTypeA
FreeLibrary
WideCharToMultiByte
SetLastError
GetStdHandle
GetFileType
SetEndOfFile
FlushFileBuffers
CreateFileMappingA
MapViewOfFile
IsBadReadPtr
UnmapViewOfFile
FindNextFileW
FindFirstFileW
GetProcAddress
LoadLibraryA
LocalAlloc
CreateThread
DeviceIoControl
MultiByteToWideChar
IsDBCSLeadByte
GetCPInfo
ReadFile
DeleteFileW

advapi32

DeleteService
OpenSCManagerA
CreateServiceA
CloseServiceHandle
CryptGetProvParam
OpenServiceA
StartServiceA
ControlService
UnlockServiceDatabase
ChangeServiceConfigA
LockServiceDatabase
QueryServiceConfigA
QueryServiceStatus
RegCloseKey
CryptAcquireContextW
CryptEnumProvidersA
CryptDestroyKey
CryptGenKey
CryptGetUserKey
RegEnumValueA
RegSetValueExA
RegSetValueExW
RegQueryValueExA
RegDeleteValueA
CryptExportKey
CryptImportKey
CryptDeriveKey
CryptDestroyHash
CryptHashData
SetFileSecurityA
SetFileSecurityW
LookupPrivilegeValueA
AdjustTokenPrivileges
CryptCreateHash
CryptGenRandom
CryptReleaseContext
CryptAcquireContextA
RegCreateKeyExA
RegOpenKeyExA
GetUserNameA
OpenProcessToken

msvcm80

?ThrowNestedModuleLoadException@<CrtImplementationDetails>@@YAXP$AAVException@System@@0@Z
?ThrowModuleLoadException@<CrtImplementationDetails>@@YAXP$AAVString@System@@P$AAVException@3@@Z
?DoCallBackInDefaultDomain@<CrtImplementationDetails>@@YAXP6GJPAX@Z0@Z
?ThrowModuleLoadException@<CrtImplementationDetails>@@YAXP$AAVString@System@@@Z
?RegisterModuleUninitializer@<CrtImplementationDetails>@@YAXP$AAVEventHandler@System@@@Z
?DoDllLanguageSupportValidation@<CrtImplementationDetails>@@YAXXZ

crypt32

CryptMsgControl
CertAddEncodedCertificateToStore
CertGetSubjectCertificateFromStore
CertDeleteCertificateFromStore
CertSaveStore
CertAddCertificateContextToStore
CertFindCertificateInStore
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateStore
CertCreateCertificateContext
CertDuplicateCertificateContext
CertGetCertificateContextProperty
CertGetIntendedKeyUsage
CryptDecodeObject
CertSetCertificateContextProperty
CertFreeCertificateContext
CertVerifyRevocation
CertNameToStrW
PFXVerifyPassword
PFXImportCertStore
CryptEncryptMessage
CryptVerifyDetachedMessageSignature
CryptVerifyMessageSignature
CryptEncodeObject
CryptSignMessage
CryptDecryptMessage
CryptMsgOpenToDecode
CryptMsgUpdate
CryptMsgClose
CryptMsgGetParam

ws2_32

listen
connect
socket
gethostbyname
bind
getsockname
accept
recv
send
WSAGetLastError
gethostname
closesocket
__WSAFDIsSet
htons
inet_addr
getpeername
inet_ntoa
ntohs
ioctlsocket
setsockopt
WSAStartup
select
shutdown

shell32

ShellExecuteA

mscoree

_CorDllMain

Sections

.text
Size: 3.9MB - Virtual size: 3.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 304KB - Virtual size: 337KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 164KB - Virtual size: 162KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
SQLi_Dumper/ControlsGui.dll
.dll windows:4 windows x86 arch:x86

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

X:\SQLi Dumper v.8.3 SRC\ControlsGui\obj\Release\ControlsGui.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 123KB - Virtual size: 123KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 920B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
SQLi_Dumper/DIC/dic_admin.txt
SQLi_Dumper/DIC/dic_file_dump.txt
SQLi_Dumper/GeoIP.dat
SQLi_Dumper/SQLi Dumper.pdb
SQLi_Dumper/SQli-Dumper-cleaned.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 1024B - Virtual size: 536B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 42KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 8B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
SQLi_Dumper/Settings.xml
SQLi_Dumper/TXT/SQLi Dumper-cleaned.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 94KB - Virtual size: 94KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
SQLi_Dumper/TXT/URL List (2).txt
SQLi_Dumper/TXT/URL Trash.txt

Sharing

General

Malware Config

Signatures

Files

df14ae5e0ef0bf3ed00e41ee4d3f519e

Headers

File Characteristics

PDB Paths

Imports

msvcr80

kernel32

advapi32

msvcm80

crypt32

ws2_32

shell32

mscoree

Sections

.text Size: 3.9MB - Virtual size: 3.9MB

.rdata Size: 1.4MB - Virtual size: 1.4MB

.data Size: 304KB - Virtual size: 337KB

.rsrc Size: 4KB - Virtual size: 2KB

.reloc Size: 164KB - Virtual size: 162KB

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 123KB - Virtual size: 123KB

.rsrc Size: 1024B - Virtual size: 920B

.reloc Size: 512B - Virtual size: 12B

Headers

File Characteristics

Sections

CODE Size: 29KB - Virtual size: 28KB

DATA Size: 1024B - Virtual size: 536B

BSS Size: - Virtual size: 42KB

.idata Size: 2KB - Virtual size: 2KB

.tls Size: - Virtual size: 8B

.rdata Size: 512B - Virtual size: 24B

.reloc Size: 1KB - Virtual size: 1KB

.rsrc Size: 5KB - Virtual size: 5KB

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 2.1MB - Virtual size: 2.1MB

.rsrc Size: 94KB - Virtual size: 94KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 3.9MB - Virtual size: 3.9MB

.rdata
Size: 1.4MB - Virtual size: 1.4MB

.data
Size: 304KB - Virtual size: 337KB

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 164KB - Virtual size: 162KB

.text
Size: 123KB - Virtual size: 123KB

.rsrc
Size: 1024B - Virtual size: 920B

.reloc
Size: 512B - Virtual size: 12B

CODE
Size: 29KB - Virtual size: 28KB

DATA
Size: 1024B - Virtual size: 536B

BSS
Size: - Virtual size: 42KB

.idata
Size: 2KB - Virtual size: 2KB

.tls
Size: - Virtual size: 8B

.rdata
Size: 512B - Virtual size: 24B

.reloc
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 5KB - Virtual size: 5KB

.text
Size: 2.1MB - Virtual size: 2.1MB

.rsrc
Size: 94KB - Virtual size: 94KB

.reloc
Size: 512B - Virtual size: 12B