11f3993ddabc7772731122b9d9a83dfaf6ec04efd2d353ca6d1e3c916c175a49

Sharing

Copy URL Twitter E-mail

General

Target

11f3993ddabc7772731122b9d9a83dfaf6ec04efd2d353ca6d1e3c916c175a49
Size

2.3MB
MD5

9eae2bff0b9b0325bf0b3a58a848a785
SHA1

8383375fecbdbf8a942da0eb6793026a8f96f674
SHA256

11f3993ddabc7772731122b9d9a83dfaf6ec04efd2d353ca6d1e3c916c175a49
SHA512

6e5a049dadbce5a024f2c35b85e8c0adf596d93ad173626c1d5afaeed55e8146ba735b910c4c20abde90cd1d6196ec8818b1d3d68046bf4be9584c7495152169
SSDEEP

49152:NT7NX1qBmdQ//VegLeEANiB/rdrp4A+w5m3O2THPuf8AfEpB7:RnqBf//cgBANydmwcevf

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
11f3993ddabc7772731122b9d9a83dfaf6ec04efd2d353ca6d1e3c916c175a49

Files

11f3993ddabc7772731122b9d9a83dfaf6ec04efd2d353ca6d1e3c916c175a49
.exe windows:5 windows x86 arch:x86

9405d1ccf4131adfefee24792f0fd5a6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

E:\Perforce\cm_meap_win7_agent_5_0_38a\agent\Release\MajorSecAgent.pdb

Imports

shlwapi

PathFindFileNameW
PathRemoveArgsW
StrStrIW

ws2_32

htons
gethostbyaddr
inet_addr
recv
select
WSAGetLastError
WSACreateEvent
socket
inet_ntoa
gethostbyname
closesocket
connect
ioctlsocket
htonl
WSAAddressToStringA
WSACleanup
WSAStartup
sendto
recvfrom
ntohs
ntohl

libcurl

curl_easy_cleanup
curl_slist_append
curl_easy_init
curl_easy_setopt
curl_easy_perform
curl_easy_getinfo
curl_global_cleanup
curl_easy_strerror
curl_global_init
curl_slist_free_all

kernel32

FindNextFileW
FindClose
GetLogicalDriveStringsW
CreateFileA
DeviceIoControl
GetDiskFreeSpaceExW
GetTempPathW
SetFileAttributesW
DeleteFileW
MoveFileW
EnterCriticalSection
LeaveCriticalSection
GlobalMemoryStatusEx
GetUserDefaultUILanguage
GetLocaleInfoW
GetSystemDirectoryW
GetTickCount
GetProcessId
OpenProcess
GetFileAttributesW
CopyFileW
CreateEventW
GetOverlappedResult
CancelIo
SearchPathW
ExpandEnvironmentStringsW
QueryDosDeviceW
VirtualQueryEx
InitializeCriticalSection
DeleteCriticalSection
GetCurrentThreadId
GetCurrentProcessId
SetErrorMode
SetUnhandledExceptionFilter
GetEnvironmentVariableW
GetSystemWindowsDirectoryW
GetModuleFileNameW
ReadFile
LocalFree
FormatMessageW
GetSystemTimes
GetProcessTimes
GetSystemTimeAsFileTime
FindFirstChangeNotificationW
WaitForMultipleObjects
FindNextChangeNotification
FindCloseChangeNotification
GetExitCodeProcess
GetFileTime
GetProcessHeap
HeapAlloc
HeapReAlloc
HeapFree
CreateNamedPipeW
ResetEvent
ConnectNamedPipe
FlushFileBuffers
DisconnectNamedPipe
WriteFile
OpenEventW
SetEvent
ReadProcessMemory
CreateFileW
AssignProcessToJobObject
TerminateJobObject
lstrcmpiW
RaiseException
DecodePointer
InitializeCriticalSectionAndSpinCount
HeapDestroy
HeapSize
VerSetConditionMask
LoadLibraryA
VerifyVersionInfoW
SetConsoleCtrlHandler
InterlockedDecrement
RtlUnwind
InitializeSListHead
GetStartupInfoW
IsDebuggerPresent
GetModuleHandleW
WideCharToMultiByte
GetVersionExW
GetSystemInfo
GetCurrentProcess
CreateProcessW
WaitForSingleObject
TerminateProcess
SetLastError
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
CloseHandle
Sleep
CreateMutexW
GetLastError
MoveFileExW
CreateThread
ExitThread
FreeLibraryAndExitThread
GetModuleHandleExW
GetFileType
IsProcessorFeaturePresent
UnhandledExceptionFilter
GetSystemDirectoryA
CreateSemaphoreA
CreateEventA
DuplicateHandle
ReleaseSemaphore
ResumeThread
SetThreadContext
GetThreadContext
GetThreadPriority
SetThreadPriority
GetCurrentThread
InterlockedExchangeAdd
InterlockedExchange
LCMapStringW
GetFileInformationByHandle
FindFirstFileW
GetDriveTypeW
GetLogicalDrives
FreeLibrary
MultiByteToWideChar
GetProcAddress
CreateJobObjectW
CompareStringW
GetCPInfo
EncodePointer
GetStringTypeW
LoadLibraryExW
FileTimeToSystemTime
FileTimeToLocalFileTime
LocalAlloc
FindFirstFileExW
GetWindowsDirectoryW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetComputerNameExW
RemoveDirectoryW
GetStdHandle
SetConsoleTextAttribute
GetConsoleScreenBufferInfo
LockResource
LoadResource
SizeofResource
FindResourceW
MapViewOfFileEx
CreateDirectoryW
QueryPerformanceFrequency
CreateMutexA
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
ReleaseMutex
GetFileSizeEx
QueryPerformanceCounter
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
SystemTimeToFileTime
GetFileSize
LockFileEx
CreateFileMappingA
UnlockFile
HeapCompact
DeleteFileA
GetVersionExA
WaitForSingleObjectEx
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapValidate
UnmapViewOfFile
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
WriteConsoleW
ExitProcess
GetTimeZoneInformation
GetCommandLineA
GetCommandLineW
InterlockedCompareExchange
GetFullPathNameW
HeapCreate
TryEnterCriticalSection
GetACP
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetDateFormatW
GetTimeFormatW
IsValidLocale
SetEnvironmentVariableW
SetEnvironmentVariableA
GetOEMCP
IsValidCodePage
GetUserDefaultLCID
EnumSystemLocalesW
GetConsoleCP
SetStdHandle
LoadLibraryW
AreFileApisANSI

user32

GetSystemMetrics
ExitWindowsEx

advapi32

AdjustTokenPrivileges
OpenProcessToken
CloseServiceHandle
OpenSCManagerW
CreateServiceW
OpenServiceW
StartServiceW
QueryServiceStatus
ControlService
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
FreeSid
CryptAcquireContextA
CryptReleaseContext
LookupPrivilegeValueA
CryptGetHashParam
CryptCreateHash
CryptHashData
CryptDestroyHash
RegEnumKeyExW
RegQueryInfoKeyW
RegEnumValueW
OpenEventLogW
CloseEventLog
ReadEventLogW
GetTokenInformation
LookupAccountSidW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
SetSecurityDescriptorSacl
AllocateAndInitializeSid
GetSidLengthRequired
InitializeAcl
LookupPrivilegeValueW

ole32

CoSetProxyBlanket
CoInitializeSecurity
OleRun
CoTaskMemFree
CoCreateInstance
CoInitializeEx
StringFromGUID2
CoUninitialize

oleaut32

SysFreeString
GetErrorInfo
VariantInit
SysAllocString
VariantClear

psapi

GetProcessImageFileNameW
GetProcessMemoryInfo
GetModuleFileNameExW

iphlpapi

SetTcpEntry
GetExtendedTcpTable
GetAdaptersAddresses
NotifyAddrChange
SendARP
GetIpNetTable
GetAdaptersInfo

libeay32

ord493
ord356
ord1167
ord736
ord363
ord857
ord629
ord3844
ord2623
ord626
ord3180
ord267
ord364
ord316
ord2150
ord905
ord251
ord11
ord269
ord1141
ord1870
ord2936
ord2712
ord2630
ord2914
ord3782
ord78
ord52
ord266
ord2656
ord89
ord2206
ord2894
ord3067
ord67
ord2927
ord2660
ord276
ord3783
ord492
ord341
ord3479
ord3712
ord340
ord3765
ord342
ord197
ord196
ord1804
ord502
ord504
ord503
ord484
ord224
ord227
ord223
ord66
ord246
ord2081
ord1882
ord444
ord3090
ord181
ord3109
ord2878
ord2145
ord333
ord268
ord60
ord366
ord1654
ord3035
ord2722
ord1653
ord2925
ord2787
ord3050

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

setupapi

SetupDiDestroyDeviceInfoList
CM_Query_And_Remove_SubTreeW
CM_Get_Parent
CM_Get_Device_IDW
SetupDiEnumDeviceInfo
SetupDiGetClassDevsW
SetupDiGetDeviceRegistryPropertyW
CM_Request_Device_EjectW

dbghelp

ImageNtHeader
MiniDumpWriteDump

zlib1

uncompress
compress
compressBound

netapi32

NetUserEnum
NetUserGetLocalGroups
NetApiBufferFree

wintrust

CryptCATAdminEnumCatalogFromHash
CryptCATAdminAcquireContext
CryptCATAdminReleaseContext
CryptCATAdminReleaseCatalogContext
CryptCATAdminCalcHashFromFileHandle
WinVerifyTrust

imagehlp

ImageEnumerateCertificates
ImageGetCertificateHeader
ImageGetCertificateData

crypt32

CertFreeCertificateContext
CertFreeCertificateChain
CertGetNameStringW
CryptHashCertificate
CertCreateCertificateContext
CertCloseStore
CertFindCertificateInStore
CertOpenStore
CertVerifyCertificateChainPolicy
CryptVerifyMessageSignature
CertGetCertificateChain
CertGetCertificateContextProperty

Exports

Exports

yr_compiler_add_fd
yr_compiler_add_file
yr_compiler_add_string
yr_compiler_create
yr_compiler_define_boolean_variable
yr_compiler_define_float_variable
yr_compiler_define_integer_variable
yr_compiler_define_string_variable
yr_compiler_destroy
yr_compiler_get_current_file_name
yr_compiler_get_error_message
yr_compiler_get_rules
yr_compiler_load_atom_quality_table
yr_compiler_set_atom_quality_table
yr_compiler_set_callback
yr_compiler_set_include_callback
yr_compiler_set_re_ast_callback
yr_filemap_map
yr_filemap_map_ex
yr_filemap_map_fd
yr_filemap_unmap
yr_filemap_unmap_fd
yr_finalize
yr_get_configuration
yr_get_tidx
yr_hash_table_add
yr_hash_table_add_raw_key
yr_hash_table_clean
yr_hash_table_create
yr_hash_table_destroy
yr_hash_table_lookup
yr_hash_table_lookup_raw_key
yr_hash_table_remove
yr_hash_table_remove_raw_key
yr_initialize
yr_object_print_data
yr_process_close_iterator
yr_process_fetch_memory_block_data
yr_process_get_first_memory_block
yr_process_get_next_memory_block
yr_process_open_iterator
yr_rule_disable
yr_rule_enable
yr_rules_define_boolean_variable
yr_rules_define_float_variable
yr_rules_define_integer_variable
yr_rules_define_string_variable
yr_rules_destroy
yr_rules_get_stats
yr_rules_load
yr_rules_load_stream
yr_rules_save
yr_rules_save_stream
yr_rules_scan_fd
yr_rules_scan_file
yr_rules_scan_mem
yr_rules_scan_mem_blocks
yr_rules_scan_proc
yr_scanner_create
yr_scanner_define_boolean_variable
yr_scanner_define_float_variable
yr_scanner_define_integer_variable
yr_scanner_define_string_variable
yr_scanner_destroy
yr_scanner_last_error_rule
yr_scanner_last_error_string
yr_scanner_scan_fd
yr_scanner_scan_file
yr_scanner_scan_mem
yr_scanner_scan_mem_blocks
yr_scanner_scan_proc
yr_scanner_set_callback
yr_scanner_set_flags
yr_scanner_set_timeout
yr_set_configuration
yr_set_tidx

Sections

.text
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 294KB - Virtual size: 294KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 27KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 1024B - Virtual size: 992B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.ctors
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.dtors
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 13B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 281KB - Virtual size: 280KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 69KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9405d1ccf4131adfefee24792f0fd5a6

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

shlwapi

ws2_32

libcurl

kernel32

user32

advapi32

ole32

oleaut32

psapi

iphlpapi

libeay32

version

setupapi

dbghelp

zlib1

netapi32

wintrust

imagehlp

crypt32

Exports

Exports

Sections

.text Size: 1.6MB - Virtual size: 1.6MB

.rdata Size: 294KB - Virtual size: 294KB

.data Size: 27KB - Virtual size: 57KB

.gfids Size: 1024B - Virtual size: 992B

.ctors Size: 512B - Virtual size: 4B

.dtors Size: 512B - Virtual size: 4B

.tls Size: 512B - Virtual size: 13B

.rsrc Size: 281KB - Virtual size: 280KB

.reloc Size: 69KB - Virtual size: 69KB

.text
Size: 1.6MB - Virtual size: 1.6MB

.rdata
Size: 294KB - Virtual size: 294KB

.data
Size: 27KB - Virtual size: 57KB

.gfids
Size: 1024B - Virtual size: 992B

.ctors
Size: 512B - Virtual size: 4B

.dtors
Size: 512B - Virtual size: 4B

.tls
Size: 512B - Virtual size: 13B

.rsrc
Size: 281KB - Virtual size: 280KB

.reloc
Size: 69KB - Virtual size: 69KB