module[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

module.exe
Size

5.0MB
MD5

0a79769e0465bed32a21b3545fb1938f
SHA1

eec3146e39ca0517767aa7bc1c9ffb00d51620b3
SHA256

c2163941718db4b919f3f2585d5f7fa31ba1645040a9a6f3eedadedcbb3363c6
SHA512

6a4f64326692493b6a9c4436dd59f0345e62caa6ed375d591ba948501bb0fc89c41a4da83032a11b9c96a4c00b9290ba264c4d99ee500c5b4718857ce668de50
SSDEEP

98304:bbgM5cxrhMvp6lgzSk9GTC3koLNWaruhN1NT:bMJmc2zbL3l5Wrh1T

Score

3^/10

Malware Config

Signatures

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
sample	embeds_openssl

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
module.exe

Files

module.exe
.exe windows:6 windows x64 arch:x64

0557e33cc5bf2f7ed1ae409d0cb723e3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\destroylonely\Documents\Repos\loader-shit-code\output\build\tsar.pdb

Imports

ws2_32

WSAIoctl
WSAWaitForMultipleEvents
WSAResetEvent
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
getpeername
setsockopt
listen
bind
accept
send
__WSAFDIsSet
WSASetLastError
getservbyname
getservbyport
gethostbyaddr
inet_ntoa
inet_addr
htonl
WSAGetLastError
gethostbyname
select
ntohs
getsockopt
getsockname
ioctlsocket
recv
gethostname
shutdown
inet_ntop
inet_pton
freeaddrinfo
getaddrinfo
WSACleanup
WSAStartup
socket
sendto
recvfrom
ntohl
htons
connect
closesocket

advapi32

DeregisterEventSource
RegisterEventSourceW
ReportEventW
CryptAcquireContextW
CryptReleaseContext
CryptDestroyKey
CryptSetHashParam
CryptGetProvParam
CryptGetUserKey
CryptExportKey
CryptDecrypt
CryptCreateHash
CryptDestroyHash
CryptSignHashW
RegGetValueA
CryptImportKey
CryptEnumProvidersW
CryptGenRandom
OpenThreadToken
CryptGetHashParam
CryptHashData
CryptEncrypt

kernel32

SleepConditionVariableSRW
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
Sleep
QueryPerformanceCounter
WakeAllConditionVariable
VerSetConditionMask
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GetModuleHandleA
GlobalUnlock
WideCharToMultiByte
GlobalLock
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
IsProcessorFeaturePresent
TerminateProcess
GlobalFree
GlobalAlloc
UnhandledExceptionFilter
RtlCaptureContext
RtlLookupFunctionEntry
SetUnhandledExceptionFilter
RtlVirtualUnwind
FreeLibrary
GetCurrentProcess
MultiByteToWideChar
InitializeSListHead
ReleaseSRWLockShared
AcquireSRWLockShared
CreateFileW
FindClose
FindFirstFileW
FindNextFileW
GetTickCount
CloseHandle
GetLastError
MoveFileExW
VirtualFree
GetStdHandle
GetFileType
WriteFile
SetLastError
InitializeSRWLock
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetFileSizeEx
GetEnvironmentVariableW
GetModuleHandleExW
GetACP
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
ReleaseSemaphore
WaitForSingleObject
GetExitCodeThread
CreateSemaphoreA
GetSystemDirectoryA
FormatMessageA
LoadLibraryW
VerifyVersionInfoW
WaitForMultipleObjects
PeekNamedPipe
ReadFile
GetEnvironmentVariableA
WaitForSingleObjectEx
FormatMessageW
SleepEx
GetSystemDirectoryW
GetCurrentThread
CreateEventW
SetEvent
InitializeCriticalSectionEx
ReadConsoleW
ReadConsoleA
SetConsoleMode
GetConsoleMode
SystemTimeToFileTime
GetSystemTime

user32

MessageBoxW
GetUserObjectInformationW
SetClipboardData
GetProcessWindowStation
DefWindowProcW
DispatchMessageA
GetClipboardData
EmptyClipboard
CloseClipboard
SetWindowLongA
GetCursorPos
SetCursorPos
ReleaseCapture
IsWindowUnicode
GetClientRect
SetCursor
SetCapture
GetForegroundWindow
TrackMouseEvent
ClientToScreen
GetCapture
ScreenToClient
GetWindowRect
LoadCursorA
GetKeyState
UpdateWindow
GetDesktopWindow
PostQuitMessage
PeekMessageA
TranslateMessage
SetLayeredWindowAttributes
CreateWindowExA
MoveWindow
GetWindowLongA
DestroyWindow
UnregisterClassW
RegisterClassExW
ShowWindow
OpenClipboard

shell32

ShellExecuteA

imm32

ImmSetCandidateWindow
ImmSetCompositionWindow
ImmReleaseContext
ImmGetContext

d3dcompiler_43

D3DCompile

dwmapi

DwmExtendFrameIntoClientArea

msvcp140

?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Xlength_error@std@@YAXPEBD@Z
_Xtime_get_ticks
?c_str@?$_Yarn@D@std@@QEBAPEBDXZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?id@?$numpunct@D@std@@2V0locale@2@A
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
?_Xbad_function_call@std@@YAXXZ
_Thrd_detach
_Query_perf_counter
_Cnd_do_broadcast_at_thread_exit
?_Throw_Cpp_error@std@@YAXH@Z
_Query_perf_frequency
??0_Locinfo@std@@QEAA@PEBD@Z
??1_Locinfo@std@@QEAA@XZ
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
??Bid@locale@std@@QEAA_KXZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ

d3d11

D3D11CreateDeviceAndSwapChain

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_terminate
strstr
strchr
__C_specific_handler
__std_exception_destroy
__std_exception_copy
wcsstr
strrchr
memchr
wcschr
_CxxThrowException
memcmp
memcpy
memmove
memset
__current_exception
__current_exception_context

api-ms-win-crt-stdio-l1-1-0

ftell
__acrt_iob_func
fflush
__stdio_common_vswprintf
fclose
fseek
feof
ferror
fgets
_fileno
setvbuf
_setmode
_set_fmode
__stdio_common_vfprintf
fwrite
_wfopen
fopen
__stdio_common_vsprintf
_wopen
fputc
fread
__stdio_common_vsprintf_s
__stdio_common_vsscanf
_lseeki64
_fseeki64
_write
_close
__p__commode
fputs
_read

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-string-l1-1-0

strcspn
strspn
_wcsdup
_strdup
strncpy_s
strcat_s
strcpy_s
strcmp
wcspbrk
strncpy
strncmp
wcsncmp
strpbrk
tolower
wcsncpy
isspace
isdigit

api-ms-win-crt-heap-l1-1-0

_callnewh
malloc
calloc
realloc
_set_new_mode
free

api-ms-win-crt-convert-l1-1-0

strtoul
atoi
strtod
strtoll
strtoull
strtol
wcstombs

api-ms-win-crt-runtime-l1-1-0

_beginthreadex
_invalid_parameter_noinfo_noreturn
_initterm
exit
_exit
terminate
_errno
_get_narrow_winmain_command_line
_initterm_e
signal
_crt_atexit
_configure_narrow_argv
_seh_filter_exe
_set_app_type
_register_onexit_function
strerror_s
raise
__sys_errlist
_initialize_onexit_table
_c_exit
_register_thread_local_exe_atexit_callback
_initialize_narrow_environment
__sys_nerr
_cexit

api-ms-win-crt-math-l1-1-0

ceilf
cosf
sqrtf
acosf
_fdopen
fmodf
powf
_fdsign
_ldsign
_dsign
sinf
__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
localeconv

crypt32

CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertDuplicateCertificateContext
CertFreeCertificateContext
CertGetCertificateContextProperty
CertOpenSystemStoreW
CryptStringToBinaryW
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension
CertGetNameStringW
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain

api-ms-win-crt-time-l1-1-0

_time64
_gmtime64_s
_gmtime64
strftime

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-filesystem-l1-1-0

_fstat64
_unlink
_wstat64
_stat64i32

bcrypt

BCryptGenRandom

Sections

.text
Size: 3.4MB - Virtual size: 3.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 298KB - Virtual size: 308KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 131KB - Virtual size: 131KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 39KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.module
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

0557e33cc5bf2f7ed1ae409d0cb723e3

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ws2_32

advapi32

kernel32

user32

shell32

imm32

d3dcompiler_43

dwmapi

msvcp140

d3d11

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

crypt32

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

bcrypt

Sections

.text Size: 3.4MB - Virtual size: 3.4MB

.rdata Size: 1.1MB - Virtual size: 1.1MB

.data Size: 298KB - Virtual size: 308KB

.pdata Size: 131KB - Virtual size: 131KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 39KB - Virtual size: 39KB

.module Size: 28KB - Virtual size: 28KB

.text
Size: 3.4MB - Virtual size: 3.4MB

.rdata
Size: 1.1MB - Virtual size: 1.1MB

.data
Size: 298KB - Virtual size: 308KB

.pdata
Size: 131KB - Virtual size: 131KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 39KB - Virtual size: 39KB

.module
Size: 28KB - Virtual size: 28KB