Physiological Client[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

Physiological Client.exe
Size

5.7MB
MD5

06f4ee47a677c4f9c343d3041d24b7c8
SHA1

76ec3a9e8ed54b25de81396f5be18e9ebfc80bd4
SHA256

7709e3132ca65089b2d3f7e0184db1f900b1bd34c5ab4e08f5d4552bb39dbedb
SHA512

25064c86889c81b2c93d04292ee9e90d89c57215027a9eedb6ff3e8a503aa45938621576914544eefa07ee3ee8ddef03e7c98875787cb97666d399cdbe4fbf18
SSDEEP

49152:yZSjbWnV/XAQU+6hRqi0uAtJouGBKrosQBAT2QrAqWdvhD/y4uod4GOxsHAV34xt:6bVfAQUG9JNbp9nSWaJN

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Physiological Client.exe

Files

Physiological Client.exe
.exe windows:6 windows x64 arch:x64

03542a0ccc80c82441f4a9e87b79dbe9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

WideCharToMultiByte
SetEvent
ResetEvent
CreateEventW
RtlCaptureContext
RtlLookupFunctionEntry
QueryPerformanceCounter
VerifyVersionInfoA
LoadLibraryA
GetProcAddress
FreeLibrary
GetSystemDirectoryA
VerSetConditionMask
SleepEx
LeaveCriticalSection
EnterCriticalSection
FormatMessageA
SetLastError
GetModuleHandleW
GetModuleHandleA
GetModuleFileNameA
UnmapViewOfFile
MapViewOfFile
CreateFileA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
OutputDebugStringW
ReadProcessMemory
WriteProcessMemory
SetFileAttributesA
CreateProcessA
OpenProcess
CreateToolhelp32Snapshot
Module32First
Module32Next
GetCurrentProcessId
GetCurrentDirectoryW
Beep
GetSystemInfo
VirtualQueryEx
FindResourceA
GetCurrentThreadId
LoadResource
LockResource
SizeofResource
CreateFileMappingA
WaitForMultipleObjects
PeekNamedPipe
GetSystemTimeAsFileTime
GetFileSizeEx
ReadFile
GetFileType
GetStdHandle
GetEnvironmentVariableA
MultiByteToWideChar
WaitForSingleObjectEx
MoveFileExA
RtlVirtualUnwind
GetTickCount
Sleep
GetCurrentProcess
DeleteCriticalSection
InitializeCriticalSectionEx
InitializeCriticalSectionAndSpinCount
GetLastError
CloseHandle

user32

GetForegroundWindow
GetWindowThreadProcessId
GetWindowTextA
GetCursorInfo
FindWindowA
SetCursorPos
GetCursorPos
SendMessageW
GetAsyncKeyState
keybd_event

advapi32

CryptGetHashParam
GetUserNameA
CryptAcquireContextA
CryptReleaseContext
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptDestroyKey
CryptEncrypt
CryptImportKey

msvcp140

?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??1_Lockit@std@@QEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??Bios_base@std@@QEBA_NXZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
??0_Lockit@std@@QEAA@H@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xinvalid_argument@std@@YAXPEBD@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?_Random_device@std@@YAIXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
_Thrd_sleep
_Cnd_do_broadcast_at_thread_exit
_Query_perf_counter
_Query_perf_frequency
_Xtime_get_ticks
_Thrd_detach
?_Throw_Cpp_error@std@@YAXH@Z
?_Throw_C_error@std@@YAXH@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@N@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??Bid@locale@std@@QEAA_KXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?width@ios_base@std@@QEAA_J_J@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?flags@ios_base@std@@QEBAHXZ
?width@ios_base@std@@QEBA_JXZ
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?good@ios_base@std@@QEBA_NXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?uncaught_exception@std@@YA_NXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z

normaliz

IdnToAscii

wldap32

ord50
ord46
ord45
ord143
ord22
ord211
ord26
ord41
ord217
ord60
ord301
ord200
ord30
ord79
ord35
ord33
ord32
ord27

crypt32

CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CertCloseStore
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertFreeCertificateChain
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertOpenStore
CertAddCertificateContextToStore

ws2_32

setsockopt
socket
closesocket
recv
WSAIoctl
WSAStartup
WSACleanup
send
WSAGetLastError
accept
htonl
listen
ioctlsocket
__WSAFDIsSet
select
getaddrinfo
freeaddrinfo
recvfrom
sendto
gethostname
bind
ntohl
connect
getpeername
ntohs
htons
getsockopt
WSASetLastError
getsockname

api-ms-win-crt-stdio-l1-1-0

_lseeki64
ungetc
fgetc
ftell
fseek
_fseeki64
_get_stream_buffer_pointers
feof
setvbuf
fgetpos
_open
_close
__stdio_common_vsscanf
fputs
_write
_read
fsetpos
fopen
fclose
fputc
fwrite
fread
__acrt_iob_func
__stdio_common_vsprintf
fgets
fflush

api-ms-win-crt-runtime-l1-1-0

_cexit
terminate
_register_onexit_function
__sys_nerr
strerror
_initialize_onexit_table
_invalid_parameter_noinfo_noreturn
_errno
exit
system
_beginthreadex
_getpid
abort
_crt_atexit

api-ms-win-crt-heap-l1-1-0

calloc
realloc
free
malloc
_callnewh

api-ms-win-crt-convert-l1-1-0

strtoul
strtol
atoi
strtoll

api-ms-win-crt-time-l1-1-0

_time64
_gmtime64

api-ms-win-crt-math-l1-1-0

round
roundf
truncf

api-ms-win-crt-string-l1-1-0

strncpy
strncmp
tolower
strpbrk
strcmp
strcspn
toupper
_stricmp
isdigit
_strdup
isupper
strspn

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-filesystem-l1-1-0

_access
_stat64
_fstat64
_lock_file
_unlock_file
_unlink

vcruntime140

strchr
__FrameUnwindFilter
__CxxUnregisterExceptionObject
__CxxDetectRethrow
__current_exception_context
__current_exception
strstr
strrchr
__CxxExceptionFilter
memcmp
memchr
memset
memmove
memcpy
_CxxThrowException
__std_exception_destroy
__std_exception_copy
__CxxQueryExceptionSize
__CxxRegisterExceptionObject

windivert

WinDivertClose
WinDivertOpen
WinDivertRecv
WinDivertSend

gdi32

CreateRoundRectRgn

winmm

timeBeginPeriod

shlwapi

PathFindFileNameA
PathFindExtensionA

mscoree

_CorExeMain

Sections

Size: 472KB - Virtual size: 471KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 1024B - Virtual size: 800B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 1007KB - Virtual size: 1006KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 3KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Size: 240KB - Virtual size: 240KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

;sFI39(w
Size: 682KB - Virtual size: 682KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 545KB - Virtual size: 544KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

03542a0ccc80c82441f4a9e87b79dbe9

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

msvcp140

normaliz

wldap32

crypt32

ws2_32

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

vcruntime140

windivert

gdi32

winmm

shlwapi

mscoree

Sections

Size: 472KB - Virtual size: 471KB

Size: 1024B - Virtual size: 800B

Size: 1007KB - Virtual size: 1006KB

Size: 3KB - Virtual size: 45KB

Size: 12KB - Virtual size: 11KB

Size: 1.4MB - Virtual size: 1.4MB

Size: 1KB - Virtual size: 1KB

Size: 240KB - Virtual size: 240KB

;sFI39(w Size: 682KB - Virtual size: 682KB

.text Size: 545KB - Virtual size: 544KB

.rsrc Size: 1.4MB - Virtual size: 1.4MB

;sFI39(w
Size: 682KB - Virtual size: 682KB

.text
Size: 545KB - Virtual size: 544KB

.rsrc
Size: 1.4MB - Virtual size: 1.4MB