2024-09-01_c4bf51cab0b8ddb4dd00cc12756ddfcc_mafia

Sharing

Copy URL Twitter E-mail

General

Target

2024-09-01_c4bf51cab0b8ddb4dd00cc12756ddfcc_mafia
Size

851KB
MD5

c4bf51cab0b8ddb4dd00cc12756ddfcc
SHA1

8a918b393564c415f572b72791d532ea8df0e78c
SHA256

a7f769ba83f5a3f353a4a358e63751b38270bca3f5de3b89e71821f4dfeb9a83
SHA512

8493b3d1c72a4786da8357d2e145a400aafaf6658342a2580daddd433449a22d8927bca6c82b1db81b30db3195676a91eedc1934012e0e56844ecc440fc00695
SSDEEP

24576:dshGpfnly3IDo1Is8VlXq3TNE/NlVG3GfOZW:dsYhlwh78VlqKCPW

Score

1^/10

Malware Config

Signatures

Files

2024-09-01_c4bf51cab0b8ddb4dd00cc12756ddfcc_mafia
.exe windows:5 windows x86 arch:x86

38db21a68008eec76ef145871266820c

Code Sign

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

33:a6:a2:62:6f:72:48:24:5f:3a:61:5a:8c:e7:da:de
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

04/07/2014, 00:00

Not After

01/08/2016, 23:59

Subject

CN=Beijing Funshion Online Technologies Ltd.,OU=SECURE APPLICATION DEVELOPMENT,O=Beijing Funshion Online Technologies Ltd.,L=Beijing,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageDigitalSignature

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4c
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Not Before

08/08/2009, 01:00

Not After

08/08/2024, 01:00

Subject

CN=WoSign Time Stamping Signer,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

49:e5:4d:c2:aa:ca:84:f3:f9:e0:0b:15:c0:bd:47:bb:f7:ae:3f:41
Signer

Actual PE Digest

49:e5:4d:c2:aa:ca:84:f3:f9:e0:0b:15:c0:bd:47:bb:f7:ae:3f:41

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

I:\build4.0.2\Funshion\Rel\src\toolkits\bin_inst\Release\Uninstall.pdb

Imports

gdiplus

GdipCreateBitmapFromStream
GdipReleaseDC
GdipDeleteGraphics
GdipCreateFromHDC
GdipSetImageAttributesColorMatrix
GdipDisposeImageAttributes
GdipCreateImageAttributes
GdipGetImageHeight
GdipGetImageWidth
GdipDisposeImage
GdipCloneImage
GdipLoadImageFromFileICM
GdipFree
GdipAlloc
GdipDrawLine
GdipDeletePen
GdipCreatePen1
GdipSetTextRenderingHint
GdipResetClip
GdipEndContainer
GdipRotateWorldTransform
GdipScaleWorldTransform
GdipTranslateWorldTransform
GdipBeginContainer2
GdipSetClipRect
GdiplusShutdown
GdipDrawImageRectRect
GdiplusStartup

kernel32

SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
GetCommandLineW
CreateFileA
GetModuleFileNameA
WriteFile
CloseHandle
EnterCriticalSection
LeaveCriticalSection
WideCharToMultiByte
InitializeCriticalSection
DeleteCriticalSection
HeapAlloc
CreateEventA
GetSystemDirectoryW
SetEvent
GetCurrentProcess
InterlockedExchange
TlsGetValue
TlsSetValue
TlsAlloc
TlsFree
GetModuleHandleExA
WaitForSingleObject
ResetEvent
CreateEventW
GetTickCount
Sleep
CreateFileW
CreateMutexW
OpenMutexW
GetCurrentThreadId
GetCurrentProcessId
FlushFileBuffers
ReleaseMutex
MultiByteToWideChar
CreateToolhelp32Snapshot
Process32FirstW
lstrcmpW
Process32NextW
LoadLibraryW
GetProcAddress
FreeLibrary
MoveFileW
DeleteFileW
CopyFileW
GetLastError
CreateDirectoryW
WritePrivateProfileStringW
GetPrivateProfileStringW
GetNativeSystemInfo
OpenProcess
TerminateProcess
GetSystemInfo
GetVersionExW
GetModuleHandleW
GlobalAlloc
GlobalLock
GlobalUnlock
Module32FirstW
Module32NextW
CreateProcessW
GetModuleFileNameW
GetDiskFreeSpaceExW
FindFirstFileW
HeapFree
FindClose
SetFileAttributesW
GetTempPathW
GetFileAttributesW
RemoveDirectoryW
GetDriveTypeW
GetLogicalDrives
MoveFileExW
GetPrivateProfileIntW
CopyFileExW
WinExec
LocalFree
SetLastError
RaiseException
GetStringTypeW
EncodePointer
DecodePointer
GetSystemTimeAsFileTime
OpenEventA
ResumeThread
SystemTimeToFileTime
WaitForMultipleObjects
SetWaitableTimer
CreateWaitableTimerA
FormatMessageA
QueryPerformanceCounter
HeapSetInformation
GetStartupInfoW
ExitThread
CreateThread
GetTimeFormatW
GetDateFormatW
RtlUnwind
GetCPInfo
LCMapStringW
CompareStringW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
ExitProcess
GetStdHandle
GetLocaleInfoW
GetACP
GetOEMCP
SetEnvironmentVariableA
IsValidCodePage
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
HeapCreate
GetTimeZoneInformation
SetFilePointer
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
GetConsoleCP
WriteConsoleW
GetConsoleMode
GetProcessHeap
InterlockedDecrement
InterlockedIncrement
ReadFile
InitializeCriticalSectionAndSpinCount
HeapDestroy
HeapSize
HeapReAlloc
InterlockedCompareExchange
FindNextFileW
IsProcessorFeaturePresent
SetStdHandle
SetEndOfFile

user32

EnableWindow
FindWindowW
wsprintfW
SendMessageW
ReleaseDC
UpdateLayeredWindow
GetWindowRect
SetWindowPos
ReleaseCapture
GetCapture
SetCapture
GetWindowLongW
SetWindowLongW
ShowWindow
IsWindow
RegisterClassW
LoadIconW
LoadCursorW
SetCursor
DestroyWindow
SetTimer
UnregisterClassW
PostMessageW
KillTimer
WaitMessage
GetQueueStatus
TranslateMessage
RegisterClassExW
CallMsgFilterW
MsgWaitForMultipleObjectsEx
CreateWindowExW
DefWindowProcW
DispatchMessageW
PeekMessageW
GetDC
PostQuitMessage
SystemParametersInfoW
UnregisterClassA
GetWindowDC

gdi32

EnumFontFamiliesW
DeleteDC
DeleteObject
SelectObject
CreateDIBSection
CreateCompatibleDC

advapi32

RegQueryValueExA
RegOpenKeyExW
RegCloseKey

shell32

SHFileOperationW
ord162
ord165
ShellExecuteW
ShellExecuteExW
SHGetSpecialFolderPathW
ShellExecuteA
SHChangeNotify

ole32

CoUninitialize
CoInitializeEx
CoCreateInstance
CoSetProxyBlanket
CreateStreamOnHGlobal
CoCreateGuid
CoTaskMemFree
CoInitialize

oleaut32

VariantInit

wininet

InternetGetCookieExW
InternetSetCookieW
InternetOpenUrlW
InternetGetConnectedState
InternetOpenA
InternetSetOptionA
InternetCloseHandle

shlwapi

PathRemoveBackslashW
PathIsRootW
PathAppendW
PathFileExistsW
PathRemoveFileSpecW
SHDeleteValueW
SHDeleteKeyW
PathFindFileNameW
SHGetValueW
SHSetValueW
PathCanonicalizeW

urlmon

UrlMkGetSessionOption

Exports

Exports

??_B?1??get_instance@?$singleton@VCFpFunshionIni@@@serialization@boost@@CAAAVCFpFunshionIni@@XZ@51
??_B?1??get_instance@?$singleton@VCFpInstallAppMgr@@@serialization@boost@@CAAAVCFpInstallAppMgr@@XZ@51
??_B?1??get_instance@?$singleton@VCFpInstallPath@@@serialization@boost@@CAAAVCFpInstallPath@@XZ@51
??_B?1??get_instance@?$singleton@VCFpSysLanguage@@@serialization@boost@@CAAAVCFpSysLanguage@@XZ@51
?get_instance@?$singleton@VCFpFunshionIni@@@serialization@boost@@CAAAVCFpFunshionIni@@XZ
?get_instance@?$singleton@VCFpInstallAppMgr@@@serialization@boost@@CAAAVCFpInstallAppMgr@@XZ
?get_instance@?$singleton@VCFpInstallPath@@@serialization@boost@@CAAAVCFpInstallPath@@XZ
?get_instance@?$singleton@VCFpSysLanguage@@@serialization@boost@@CAAAVCFpSysLanguage@@XZ
?get_mutable_instance@?$singleton@VCFpFunshionIni@@@serialization@boost@@SAAAVCFpFunshionIni@@XZ
?get_mutable_instance@?$singleton@VCFpInstallAppMgr@@@serialization@boost@@SAAAVCFpInstallAppMgr@@XZ
?get_mutable_instance@?$singleton@VCFpInstallPath@@@serialization@boost@@SAAAVCFpInstallPath@@XZ
?get_mutable_instance@?$singleton@VCFpSysLanguage@@@serialization@boost@@SAAAVCFpSysLanguage@@XZ
?instance@?$singleton@VCFpFunshionIni@@@serialization@boost@@0AAVCFpFunshionIni@@A
?instance@?$singleton@VCFpInstallAppMgr@@@serialization@boost@@0AAVCFpInstallAppMgr@@A
?instance@?$singleton@VCFpInstallPath@@@serialization@boost@@0AAVCFpInstallPath@@A
?instance@?$singleton@VCFpSysLanguage@@@serialization@boost@@0AAVCFpSysLanguage@@A
?t@?1??get_instance@?$singleton@VCFpFunshionIni@@@serialization@boost@@CAAAVCFpFunshionIni@@XZ@4V?$singleton_wrapper@VCFpFunshionIni@@@detail@34@A
?t@?1??get_instance@?$singleton@VCFpInstallAppMgr@@@serialization@boost@@CAAAVCFpInstallAppMgr@@XZ@4V?$singleton_wrapper@VCFpInstallAppMgr@@@detail@34@A
?t@?1??get_instance@?$singleton@VCFpInstallPath@@@serialization@boost@@CAAAVCFpInstallPath@@XZ@4V?$singleton_wrapper@VCFpInstallPath@@@detail@34@A
?t@?1??get_instance@?$singleton@VCFpSysLanguage@@@serialization@boost@@CAAAVCFpSysLanguage@@XZ@4V?$singleton_wrapper@VCFpSysLanguage@@@detail@34@A

Sections

.text
Size: 490KB - Virtual size: 489KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 123KB - Virtual size: 122KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 22KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 155KB - Virtual size: 155KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 54KB - Virtual size: 54KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

38db21a68008eec76ef145871266820c

Code Sign

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5eCertificate

Extended Key Usages

Key Usages

33:a6:a2:62:6f:72:48:24:5f:3a:61:5a:8c:e7:da:deCertificate

Extended Key Usages

Key Usages

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4cCertificate

Extended Key Usages

Key Usages

49:e5:4d:c2:aa:ca:84:f3:f9:e0:0b:15:c0:bd:47:bb:f7:ae:3f:41Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

gdiplus

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

wininet

shlwapi

urlmon

Exports

Exports

Sections

.text Size: 490KB - Virtual size: 489KB

.rdata Size: 123KB - Virtual size: 122KB

.data Size: 22KB - Virtual size: 42KB

.tls Size: 512B - Virtual size: 2B

.rsrc Size: 155KB - Virtual size: 155KB

.reloc Size: 54KB - Virtual size: 54KB

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

33:a6:a2:62:6f:72:48:24:5f:3a:61:5a:8c:e7:da:de
Certificate

25:1f:5d:98:81:82:17:2e:3c:41:9e:01:4f:b0:40:4c
Certificate

49:e5:4d:c2:aa:ca:84:f3:f9:e0:0b:15:c0:bd:47:bb:f7:ae:3f:41
Signer

.text
Size: 490KB - Virtual size: 489KB

.rdata
Size: 123KB - Virtual size: 122KB

.data
Size: 22KB - Virtual size: 42KB

.tls
Size: 512B - Virtual size: 2B

.rsrc
Size: 155KB - Virtual size: 155KB

.reloc
Size: 54KB - Virtual size: 54KB