0bbb361ac91d3661c6023a495e6721c0N[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

0bbb361ac91d3661c6023a495e6721c0N.exe
Size

1.2MB
MD5

0bbb361ac91d3661c6023a495e6721c0
SHA1

4bab61f66b071f10a82df4937a265f1b38dc0f2b
SHA256

2261453bf37b6b5c551b95b47e4e39be94787520e95bca690db91c1b4795997e
SHA512

1ff314b0d799b003a106069521187fa37f31a38b4f41e8662fdda33581f5d2c2b7ec8400da31dc1e77f341c8bc0a0d0f36bf5e1936ae929ca3aeb30ab5fda625
SSDEEP

24576:cc3k6WruioS81p/ZCXEAla+BXm7W68JeqSxn1sFNMccp:cqWKiH8vZCXEAjBW7WhxSF1sFCp

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
0bbb361ac91d3661c6023a495e6721c0N.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
sample	nsis_installer_2

Files

0bbb361ac91d3661c6023a495e6721c0N.exe
.exe windows:5 windows x86 arch:x86

f5bb66f1fc4fb1f0a098392df8bfd2d5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

d:\XL_Work\code_svn\xl_client\xl8_client_setup\pdb\Product_Release\ThunderInstall.pdb

Imports

wininet

InternetCloseHandle
InternetOpenUrlW
InternetOpenW
InternetOpenUrlA
InternetReadFile

ws2_32

WSACleanup
WSAStartup
inet_addr
gethostbyname
htons
socket
connect
WSAAsyncSelect
send
WSAGetLastError
closesocket
recv

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

kernel32

CreateDirectoryW
GetFileAttributesW
FindFirstFileW
UnmapViewOfFile
MapViewOfFile
OpenFileMappingW
SizeofResource
DeviceIoControl
CreateFileA
GlobalMemoryStatusEx
QueryPerformanceCounter
QueryPerformanceFrequency
SetThreadPriority
SetPriorityClass
GetThreadPriority
GetPriorityClass
GetVersionExW
GetSystemInfo
GetSystemDefaultLCID
WaitForMultipleObjects
TerminateThread
CreateThread
GetCurrentProcessId
InterlockedIncrement
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetSystemDirectoryW
SetDllDirectoryW
CreateFileMappingW
FileTimeToSystemTime
SetFilePointer
WriteFile
GetFileSize
GetPrivateProfileStringA
GetPrivateProfileStringW
GetPrivateProfileIntW
GetPrivateProfileSectionW
TerminateProcess
OpenProcess
GetLocalTime
ResetEvent
FreeLibrary
GetCurrentDirectoryW
SetCurrentDirectoryW
IsBadCodePtr
VirtualQuery
FindResourceExW
DuplicateHandle
ReleaseMutex
HeapAlloc
HeapFree
VirtualFree
GetProcessHeap
lstrcpynW
VirtualAlloc
MoveFileExW
GetVolumeInformationW
ReadFile
GetDriveTypeA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
RemoveDirectoryW
GetLocaleInfoW
IsValidLocale
EnumSystemLocalesA
GetUserDefaultLCID
GetStringTypeA
GetLocaleInfoA
InitializeCriticalSectionAndSpinCount
SetStdHandle
GetDateFormatA
GetTimeFormatA
GetCurrentDirectoryA
GetFullPathNameW
GetStartupInfoA
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetConsoleMode
GetConsoleCP
GetTimeZoneInformation
IsValidCodePage
GetOEMCP
GetModuleFileNameA
GetStdHandle
GetModuleHandleA
HeapCreate
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
GetStringTypeW
GetCPInfo
LCMapStringW
LCMapStringA
GetFileType
FileTimeToLocalFileTime
GetSystemTimeAsFileTime
ExitThread
RtlUnwind
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
InterlockedExchange
HeapSize
HeapReAlloc
HeapDestroy
IsProcessorFeaturePresent
LoadLibraryA
InterlockedCompareExchange
MoveFileW
SetEndOfFile
CopyFileW
FindNextFileW
GetFileInformationByHandle
FindClose
ResumeThread
GetVersionExA
EnumResourceNamesW
GetFileSizeEx
lstrcpyA
GetFileAttributesA
CreateDirectoryA
lstrcatA
GetSystemDirectoryA
GetVolumeInformationA
WritePrivateProfileStringA
SetEnvironmentVariableA
CompareStringW
CompareStringA
GetCurrentProcess
GetCurrentThread
CloseHandle
CreateProcessW
LocalFree
GetStartupInfoW
DeleteCriticalSection
InitializeCriticalSection
WritePrivateProfileStringW
DeleteFileW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
LoadLibraryW
SetFileAttributesW
CreateFileW
CreateEventW
OpenEventW
SetEvent
GetTickCount
GetACP
ExitProcess
GetDiskFreeSpaceExW
LoadResource
LockResource
GlobalHandle
GlobalFree
GetExitCodeProcess
GetTempPathW
GlobalLock
GlobalUnlock
GetModuleFileNameW
MulDiv
lstrcmpW
GetLastError
OutputDebugStringW
DebugBreak
lstrlenA
Sleep
SetLastError
lstrlenW
GetCurrentThreadId
InterlockedDecrement
FindResourceW
GetLogicalDriveStringsW
GetDriveTypeW
OpenMutexW
CreateMutexW
GetModuleHandleW
GetProcAddress
GlobalAlloc
FlushInstructionCache
LeaveCriticalSection
EnterCriticalSection
RaiseException
WaitForSingleObject
FlushFileBuffers

user32

IsWindowVisible
IsWindow
MessageBoxW
GetDesktopWindow
DestroyIcon
LoadImageW
GetSystemMetrics
ShowWindow
GetClassInfoExW
LoadCursorW
wvsprintfW
DefWindowProcW
RegisterClassExW
MsgWaitForMultipleObjects
GetActiveWindow
CharUpperW
PostThreadMessageW
PeekMessageW
GetMessageW
TranslateMessage
DispatchMessageW
PostQuitMessage
UpdateLayeredWindow
SetRect
EqualRect
IsRectEmpty
CopyRect
GetTopWindow
MonitorFromWindow
PostMessageW
GetWindowLongW
SetWindowLongW
RedrawWindow
UnregisterClassA
DrawFocusRect
DrawIcon
GetWindowDC
DrawTextW
GetDlgCtrlID
SetCursor
ShowCursor
SetRectEmpty
OffsetRect
UnionRect
PtInRect
BringWindowToTop
CreateWindowExW
GetSysColor
CharNextW
MoveWindow
SetWindowPos
GetClientRect
ClientToScreen
ScreenToClient
GetMonitorInfoW
MapWindowPoints
wsprintfA
SetWindowContextHelpId
GetDC
ReleaseDC
MapDialogRect
GetWindowRect
EnableWindow
IsWindowEnabled
InvalidateRect
InvalidateRgn
SetCapture
IsChild
GetParent
GetDlgItem
GetClassNameW
ReleaseCapture
FillRect
DestroyWindow
CallWindowProcW
EndPaint
BeginPaint
DestroyAcceleratorTable
SetFocus
GetWindow
GetFocus
SendMessageW
CreateAcceleratorTableW
SetWindowTextW
GetWindowTextW
GetWindowTextLengthW
KillTimer
SetTimer
UpdateWindow
FindWindowW
LoadStringW
wsprintfW
CreateDialogIndirectParamW
DialogBoxIndirectParamW
RegisterWindowMessageW

gdi32

CreateRectRgnIndirect
MoveToEx
SetBkMode
SelectClipRgn
CreateRectRgn
GetClipBox
IntersectClipRect
CreateFontIndirectW
CombineRgn
GetTextMetricsW
SetViewportOrgEx
GetTextExtentPoint32W
GetStockObject
GetObjectW
GetDeviceCaps
BitBlt
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
DeleteObject
DeleteDC
CreatePen
LineTo
SetBkColor
ExtTextOutW
ExtSelectClipRgn
GetWindowOrgEx
OffsetWindowOrgEx
SetWindowOrgEx
ExcludeClipRect
SetDIBitsToDevice
StretchDIBits
CreateDIBSection
SetTextColor
CreateSolidBrush

advapi32

CopySid
IsValidSid
SetNamedSecurityInfoW
InitializeAcl
AddAce
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegSetValueExW
RegCloseKey
ConvertStringSidToSidW
GetLengthSid
SetTokenInformation
CreateProcessAsUserW
OpenThreadToken
OpenProcessToken
DuplicateTokenEx
GetSidSubAuthority
RegCreateKeyExW
GetNamedSecurityInfoW
GetAclInformation
GetAce
GetSidLengthRequired
InitializeSid
EqualSid

shell32

SHGetSpecialFolderPathA
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetSpecialFolderPathW
SHCreateDirectoryExW
ord680
ShellExecuteExW
SHGetFileInfoW
ShellExecuteW
CommandLineToArgvW
SHGetFolderPathW
Shell_NotifyIconW

ole32

CLSIDFromString
CLSIDFromProgID
CoGetClassObject
CoCreateInstance
CoTaskMemAlloc
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoSetProxyBlanket
CoUninitialize
CoInitializeSecurity
CoInitializeEx
CoInitialize
CoRevokeClassObject
CoRegisterClassObject
OleLockRunning
StringFromGUID2
CoTaskMemFree
OleRun

oleaut32

SysAllocStringLen
SysAllocString
VariantInit
VariantClear
OleCreateFontIndirect
LoadRegTypeLi
SysStringLen
UnRegisterTypeLi
RegisterTypeLi
SysAllocStringByteLen
SysStringByteLen
VariantChangeType
SysFreeString
LoadTypeLi
GetErrorInfo

shlwapi

StrCmpW
PathRemoveBlanksW
StrCpyNW
PathIsRootW
SHGetValueW
PathIsDirectoryW
StrCmpNW
SHSetValueW
StrStrW
PathFindFileNameW
PathGetDriveNumberW
PathAppendW
PathCombineW
StrCmpIW
PathFileExistsW
PathFindExtensionW

comctl32

_TrackMouseEvent

msimg32

AlphaBlend

userenv

UnloadUserProfile

iphlpapi

GetAdaptersInfo

imm32

ImmDisableIME

gdiplus

GdiplusStartup
GdipLoadImageFromStream
GdipFree
GdipAlloc
GdipDisposeImage
GdipGetImageWidth
GdipGetImageHeight
GdipCloneImage
GdipDeleteGraphics
GdipCreateFromHDC
GdipDrawImageRectI

Sections

.text
Size: 652KB - Virtual size: 652KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 112KB - Virtual size: 112KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 77KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 29.8MB - Virtual size: 29.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f5bb66f1fc4fb1f0a098392df8bfd2d5

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

wininet

ws2_32

version

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

shlwapi

comctl32

msimg32

userenv

iphlpapi

imm32

gdiplus

Sections

.text Size: 652KB - Virtual size: 652KB

.rdata Size: 112KB - Virtual size: 112KB

.data Size: 20KB - Virtual size: 77KB

.rsrc Size: 29.8MB - Virtual size: 29.8MB

.text
Size: 652KB - Virtual size: 652KB

.rdata
Size: 112KB - Virtual size: 112KB

.data
Size: 20KB - Virtual size: 77KB

.rsrc
Size: 29.8MB - Virtual size: 29.8MB