359cc374085a98ac9738ccfd5d59b4c005120a898eff47aafb3f5cd79f547323

Sharing

Copy URL Twitter E-mail

General

Target

359cc374085a98ac9738ccfd5d59b4c005120a898eff47aafb3f5cd79f547323
Size

1.3MB
MD5

ae1f5182b32b00cecfc0ce28a820ebb6
SHA1

d3e938300fa1e2b9bceb1a45aa28034b757b3c84
SHA256

359cc374085a98ac9738ccfd5d59b4c005120a898eff47aafb3f5cd79f547323
SHA512

7ebbb4f3a3907d5233238407fe0e75a3caf33a5a08ab001781f98ad5f62eb2268c1dc701a31f9b7d308c47401f9814a5b8bb5d4f454f64ae765759ecbf2cc828
SSDEEP

24576:nNq9HxxgJvIgemwRCZQPG3RuG1lJ31aQ6uB2J3YfHJXJqKYNiu3MDOAFdEKM779V:nNacJvIgemeov1VaaYktdq

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
359cc374085a98ac9738ccfd5d59b4c005120a898eff47aafb3f5cd79f547323

Files

359cc374085a98ac9738ccfd5d59b4c005120a898eff47aafb3f5cd79f547323
.dll windows:6 windows x64 arch:x64

829a304e56d109db3a0d424a06098757

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\GitLab-Runner\builds\temp\FortiClientHS\x64\Release\GuiMessenger.pdb

Imports

wininet

InternetConnectW
InternetReadFile
HttpSendRequestW
HttpQueryInfoW
InternetOpenW
InternetCloseHandle
InternetSetOptionW
HttpAddRequestHeadersW
InternetQueryDataAvailable
HttpOpenRequestW

msi

ord173
ord205
ord113

ws2_32

freeaddrinfo
inet_ntoa
socket
inet_addr
gethostbyname
ntohs
WSAGetLastError
ioctlsocket
htons
htonl
recv
connect
getaddrinfo
send
bind
shutdown
ntohl
select
closesocket

kernel32

GetFileAttributesExW
GetCurrentDirectoryW
GetLocaleInfoEx
FormatMessageA
InitializeSListHead
DisableThreadLibraryCalls
IsDebuggerPresent
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
IsProcessorFeaturePresent
GetModuleFileNameA
GetConsoleScreenBufferInfo
SetLastError
SetConsoleTextAttribute
EnterCriticalSection
GetCurrentProcess
GetStdHandle
OutputDebugStringA
LeaveCriticalSection
InitializeCriticalSection
ExpandEnvironmentStringsA
WaitForSingleObject
GetCurrentThreadId
GetModuleHandleA
CreateEventW
Sleep
CreateFileA
SetEvent
QueryPerformanceFrequency
DeleteFileA
CloseHandle
CreateThread
GetLocalTime
GetProcAddress
DeleteCriticalSection
GetCurrentProcessId
WideCharToMultiByte
GetSystemTimeAsFileTime
QueryPerformanceCounter
GetTickCount
SetUnhandledExceptionFilter
OpenMutexW
GetCommandLineW
GetModuleFileNameW
CreateMutexW
ReleaseMutex
GetTimeFormatW
GetDateFormatW
FindFirstFileW
FindClose
MultiByteToWideChar
GetLocaleInfoW
FileTimeToSystemTime
FileTimeToLocalFileTime
GetFullPathNameW
GetUserDefaultUILanguage
GetACP
GetModuleHandleW
ProcessIdToSessionId
HeapFree
InitializeCriticalSectionEx
HeapSize
GetLastError
HeapReAlloc
HeapAlloc
HeapDestroy
GetProcessHeap
FindNextFileW
GetFinalPathNameByHandleW
CreateFileW
ReadFile
SetNamedPipeHandleState
WriteFile
GetOverlappedResult
OpenFileMappingW
UnmapViewOfFile
MapViewOfFile
TerminateProcess
OpenProcess
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
ExitProcess
ExpandEnvironmentStringsW
GetShortPathNameW
LocalFree
CreateFileMappingW
GetComputerNameW
OutputDebugStringW
GetTempPathW
GetFileAttributesW
DeviceIoControl
LoadLibraryW
FreeLibrary
CreateDirectoryW
GetComputerNameExW
GetLogicalDriveStringsW
GetPrivateProfileStringW
GetDriveTypeW
CreateProcessW
GetTickCount64
SetCurrentDirectoryW
RtlVirtualUnwind
UnhandledExceptionFilter
SetFileInformationByHandle
AreFileApisANSI
MoveFileExW
GetFileInformationByHandleEx
RtlLookupFunctionEntry
RtlCaptureContext
SetSearchPathMode
SetDefaultDllDirectories
LoadLibraryA
SetEnvironmentVariableA
LoadLibraryExA
VirtualQuery
RaiseException
VirtualProtect
GetSystemInfo
SystemTimeToFileTime

user32

GetWindowTextA
GetSystemMetrics
MessageBoxW
GetForegroundWindow
GetUserObjectInformationW
GetWindowThreadProcessId
CloseDesktop
GetThreadDesktop
EnumWindows

advapi32

RegDeleteValueW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegOpenKeyA
RegQueryValueExA
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
RegOpenCurrentUser
RevertToSelf

shell32

ShellExecuteExW
SHGetFolderPathW
ShellExecuteW
SHGetSpecialFolderPathW

ole32

CoUninitialize
CoInitializeEx
CoInitialize
CoCreateGuid
StringFromGUID2

dbghelp

MakeSureDirectoryPathExists
MiniDumpWriteDump

msvcp140

?is@?$ctype@_W@std@@QEBA_NF_W@Z
?tolower@?$ctype@_W@std@@QEBA_W_W@Z
?tolower@?$ctype@_W@std@@QEBAPEB_WPEA_WPEB_W@Z
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
_Wcsxfrm
?id@?$collate@_W@std@@2V0locale@2@A
?id@?$ctype@_W@std@@2V0locale@2@A
_Wcscoll
??0_Locinfo@std@@QEAA@PEBD@Z
??1_Locinfo@std@@QEAA@XZ
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
?tolower@?$ctype@D@std@@QEBADD@Z
?tolower@?$ctype@D@std@@QEBAPEBDPEADPEBD@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA_N_N@Z
_Strcoll
?id@?$collate@D@std@@2V0locale@2@A
?id@?$ctype@D@std@@2V0locale@2@A
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
_Strxfrm
?_Incref@facet@locale@std@@UEAAXXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z
?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z
?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z
?unshift@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?uncaught_exception@std@@YA_NXZ
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z
??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAGXZ
?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z
?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z
?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAPEAV12@PEA_W_J@Z
?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?good@ios_base@std@@QEBA_NXZ
??1?$basic_istream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?snextc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ
?sbumpc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ
?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ
??0?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z
??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z
??Bios_base@std@@QEBA_NXZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?empty@locale@std@@SA?AV12@XZ
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXXZ
??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z
?imbue@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z
??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ
?_Getcat@?$codecvt@_WDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z

shlwapi

PathFileExistsW

vcruntime140_1

__CxxFrameHandler4

api-ms-win-crt-string-l1-1-0

strcmp
strncat_s
tolower
iswspace
_strdup
iswdigit
isspace
wcsncpy_s
isalnum
isalpha
iswalnum
strncpy
wcstok
strncpy_s
wcsncat_s
strncmp
wcsnlen
wcstok_s
strtok_s
_stricmp
wmemcpy_s
_wcsicmp
_wcsdup
wcsncpy

api-ms-win-crt-heap-l1-1-0

realloc
free
_recalloc
calloc
_callnewh
malloc

api-ms-win-crt-time-l1-1-0

wcsftime
_localtime64
_mktime64
_localtime64_s
_mkgmtime64
_get_tzname
_tzset
clock
_get_daylight
_get_timezone
_time64

api-ms-win-crt-stdio-l1-1-0

__acrt_iob_func
fflush
fclose
fseek
_fsopen
fputwc
ungetwc
__stdio_common_vfprintf
fgetwc
fopen
_wfopen_s
__stdio_common_vsnprintf_s
fopen_s
fwrite
setvbuf
_ftelli64
_wfopen
__stdio_common_vswscanf
fputws
__stdio_common_vswprintf
ftell
fsetpos
fgetc
__stdio_common_vsnwprintf_s
fgetpos
_fseeki64
fread
ungetc

api-ms-win-crt-runtime-l1-1-0

perror
_invalid_parameter_noinfo
_errno
_invalid_parameter_noinfo_noreturn
abort
_initterm_e
_initterm
terminate
_cexit
_getpid
_crt_atexit
_execute_onexit_table
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_beginthreadex
_configure_narrow_argv
_seh_filter_dll
_wassert
__p___argv
__p___argc
__p___wargv

api-ms-win-crt-filesystem-l1-1-0

_wstat64i32
_waccess
_unlock_file
_lock_file
_stat64i32
_wunlink

api-ms-win-crt-convert-l1-1-0

_i64toa
strtol
_itow
wcstombs
strtoul
wcstoul
_wtol
atoi
_ltow
_itoa
_wtoi

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
_wsetlocale

api-ms-win-crt-math-l1-1-0

ceilf

Exports

Exports

??0ArrayBufferAllocator@node@@QEAA@$$QEAV01@@Z
??0ArrayBufferAllocator@node@@QEAA@AEBV01@@Z
??0ArrayBufferAllocator@node@@QEAA@XZ
??0InitializationResult@node@@AEAA@XZ
??0InitializationResult@node@@QEAA@AEBV01@@Z
??0IsolatePlatformDelegate@node@@QEAA@$$QEAV01@@Z
??0IsolatePlatformDelegate@node@@QEAA@AEBV01@@Z
??0IsolatePlatformDelegate@node@@QEAA@XZ
??0MultiIsolatePlatform@node@@QEAA@AEBV01@@Z
??0MultiIsolatePlatform@node@@QEAA@XZ
??1ArrayBufferAllocator@node@@UEAA@XZ
??1CallbackScope@AsyncResource@node@@QEAA@XZ
??1MultiIsolatePlatform@node@@UEAA@XZ
??4ArrayBufferAllocator@node@@QEAAAEAV01@$$QEAV01@@Z
??4ArrayBufferAllocator@node@@QEAAAEAV01@AEBV01@@Z
??4DeleteACHHandle@node@@QEAAAEAU01@$$QEAU01@@Z
??4DeleteACHHandle@node@@QEAAAEAU01@AEBU01@@Z
??4InitializationResult@node@@QEAAAEAV01@AEBV01@@Z
??4IsolatePlatformDelegate@node@@QEAAAEAV01@$$QEAV01@@Z
??4IsolatePlatformDelegate@node@@QEAAAEAV01@AEBV01@@Z
??4MultiIsolatePlatform@node@@QEAAAEAV01@AEBV01@@Z
??_7ArrayBufferAllocator@node@@6B@
??_7InitializationResult@node@@6B@
??_7IsolatePlatformDelegate@node@@6B@
??_7MultiIsolatePlatform@node@@6B@

Sections

.text
Size: 901KB - Virtual size: 900KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 262KB - Virtual size: 262KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 129KB - Virtual size: 327KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

829a304e56d109db3a0d424a06098757

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

wininet

msi

ws2_32

kernel32

user32

advapi32

shell32

ole32

dbghelp

msvcp140

shlwapi

vcruntime140_1

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

Exports

Exports

Sections

.text Size: 901KB - Virtual size: 900KB

.rdata Size: 262KB - Virtual size: 262KB

.data Size: 129KB - Virtual size: 327KB

.pdata Size: 25KB - Virtual size: 24KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 7KB - Virtual size: 7KB

.text
Size: 901KB - Virtual size: 900KB

.rdata
Size: 262KB - Virtual size: 262KB

.data
Size: 129KB - Virtual size: 327KB

.pdata
Size: 25KB - Virtual size: 24KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 7KB - Virtual size: 7KB