ddabd9b9bd6fb61906c47e4a5f6c7ef56cdcb2d26b810912f9d92e22ad1a729b

Sharing

Copy URL Twitter E-mail

General

Target

ddabd9b9bd6fb61906c47e4a5f6c7ef56cdcb2d26b810912f9d92e22ad1a729b
Size

1.4MB
MD5

983598738c8b068af3360ca55ca16b3b
SHA1

b273d8d30e375f492b6e0bd263087b9796fa8b24
SHA256

ddabd9b9bd6fb61906c47e4a5f6c7ef56cdcb2d26b810912f9d92e22ad1a729b
SHA512

afc4a43b5fd287e109478605f38be2db3714eadb4b8f6271def7cfbf67c9d87b860c4df3ef30e82bea431c238233470d56b07c554db59b72819ecbac59ac8d04
SSDEEP

24576:Zr2P4ULguiQ6SMChZ9C1zj1SqdAGFQZIxpK545UJoeIUrEH7A:EMCNazjYq+ZI2a5UJoeZ

Score

1^/10

Malware Config

Signatures

Files

ddabd9b9bd6fb61906c47e4a5f6c7ef56cdcb2d26b810912f9d92e22ad1a729b
.exe windows:5 windows x86 arch:x86

6031220667923ca607529965625c877a

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

54:92:38:03:40:3d:c0:8b:e2:4f:0d:7c:8c:cc:55:93
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

15/02/2016, 00:00

Not After

02/05/2019, 23:59

Subject

CN=QIHU 360 SOFTWARE CO. LIMITED,OU=Client Security Group,O=QIHU 360 SOFTWARE CO. LIMITED,L=Hong Kong,ST=Hong Kong,C=HK

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

30:d2:67:84:66:ae:9b:33:28:5f:1a:53:17:2f:ec:17
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

01/02/2016, 00:00

Not After

02/05/2019, 23:59

Subject

CN=QIHU 360 SOFTWARE CO. LIMITED,OU=Client Security Group,O=QIHU 360 SOFTWARE CO. LIMITED,L=Hong Kong,ST=Hong Kong,C=HK

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

5f:d6:93:fa:b0:98:e3:f4:67:7b:b8:cb:67:2c:22:9e
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

11/06/2015, 00:00

Not After

29/12/2020, 23:59

Subject

CN=GeoTrust 2048-bit Timestamping Signer 1,O=GeoTrust Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

01/01/1997, 00:00

Not After

31/12/2020, 23:59

Subject

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

4d:9e:f3:75:ba:3e:d5:25:c5:64:9b:0d:b8:13:89:21:8e:4f:a9:a7:fd:d3:99:33:d9:af:c6:6d:0d:da:b2:c7
Signer

Actual PE Digest

4d:9e:f3:75:ba:3e:d5:25:c5:64:9b:0d:b8:13:89:21:8e:4f:a9:a7:fd:d3:99:33:d9:af:c6:6d:0d:da:b2:c7

Digest Algorithm

sha256

PE Digest Matches

false

cc:bb:fb:58:89:68:49:2b:9c:f2:ac:e0:23:fb:d5:18:8d:ae:70:92
Signer

Actual PE Digest

cc:bb:fb:58:89:68:49:2b:9c:f2:ac:e0:23:fb:d5:18:8d:ae:70:92

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\vmagent_new\bin\joblist\89080\out\Release\360Installer.pdb

Imports

ws2_32

htons
htonl

kernel32

MoveFileExW
FindClose
GetFullPathNameW
FindFirstFileW
lstrcpyW
FindNextFileW
RemoveDirectoryW
FreeConsole
Process32FirstW
Process32NextW
WideCharToMultiByte
CreateMutexW
CreateEventW
SetEvent
WaitForSingleObject
GetLogicalDrives
WriteFile
LocalAlloc
InterlockedCompareExchange
CreateFileA
GetFileSize
CreateProcessW
GetTickCount
FindResourceExW
lstrcmpiA
lstrcmpA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
GetLocaleInfoW
SetStdHandle
LCMapStringW
LCMapStringA
GetModuleHandleA
QueryPerformanceCounter
GetStartupInfoA
GetFileType
GetEnvironmentStringsW
FreeEnvironmentStringsW
FlushFileBuffers
GetConsoleMode
GetConsoleCP
InitializeCriticalSectionAndSpinCount
CreateToolhelp32Snapshot
GetStringTypeW
GetStringTypeA
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
GetStdHandle
HeapDestroy
HeapCreate
HeapSize
HeapReAlloc
RtlUnwind
GetStartupInfoW
ExitProcess
CreateThread
ExitThread
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
TlsFree
DeleteAtom
FindAtomW
TlsAlloc
ReleaseMutex
AddAtomW
OpenThread
GetAtomNameW
TlsSetValue
TlsGetValue
GetSystemTime
FormatMessageW
SetFilePointerEx
SetEndOfFile
LocalFileTimeToFileTime
GetSystemTimeAsFileTime
SystemTimeToFileTime
VirtualAlloc
VirtualFree
IsProcessorFeaturePresent
LoadLibraryA
HeapAlloc
GetProcessHeap
HeapFree
GetPrivateProfileStringW
MulDiv
OpenProcess
QueryDosDeviceW
GetModuleFileNameA
InterlockedExchange
GetVersion
GetDiskFreeSpaceExW
DeleteFileW
GetTempFileNameW
lstrlenA
OutputDebugStringW
DebugBreak
GetDriveTypeW
GetLogicalDriveStringsW
GetFileSizeEx
GlobalFree
GlobalUnlock
GlobalLock
GlobalAlloc
SetLastError
FlushInstructionCache
GetCurrentProcess
Sleep
GetSystemDirectoryW
LoadLibraryW
GetProcAddress
SetEnvironmentVariableW
GetTempPathW
FreeResource
LockResource
GetUserDefaultUILanguage
DeviceIoControl
GetCurrentProcessId
CreateFileW
SetFilePointer
ReadFile
CloseHandle
LocalFree
GetCommandLineW
GetVersionExW
GetCurrentThreadId
InterlockedIncrement
InterlockedDecrement
DeleteCriticalSection
InitializeCriticalSection
GetModuleFileNameW
GetModuleHandleW
LoadLibraryExW
FindResourceW
LoadResource
SizeofResource
MultiByteToWideChar
GetLastError
EnterCriticalSection
RaiseException
LeaveCriticalSection
lstrcmpiW
lstrlenW
FreeLibrary
SetHandleCount

user32

CharNextW
EnumWindows
DefWindowProcW
UnregisterClassA
LoadCursorW
SetActiveWindow
GetForegroundWindow
GetClassInfoExW
RegisterClassExW
LoadStringW
DispatchMessageW
TranslateMessage
GetMessageW
PeekMessageW
FindWindowW
CharLowerW
MessageBoxW
IsWindow
IsIconic
ShowWindow
BringWindowToTop
SetForegroundWindow
AllowSetForegroundWindow
keybd_event
GetKeyboardState
IsRectEmpty
GetWindowThreadProcessId
UpdateLayeredWindow
GetWindowDC
SetWindowPos
SendMessageTimeoutW
DestroyWindow
AttachThreadInput
GetDlgCtrlID
EnableWindow
InflateRect
GetWindowTextW
IsWindowEnabled
EndDialog
DialogBoxParamW
SetCursor
GetActiveWindow
OffsetRect
CallWindowProcW
SystemParametersInfoW
RedrawWindow
SetTimer
LoadIconW
KillTimer
ScreenToClient
PostQuitMessage
GetSystemMetrics
LoadImageW
GetWindow
MonitorFromWindow
GetMonitorInfoW
GetParent
MapWindowPoints
SetWindowTextW
IsDialogMessageW
GetClassNameW
InvalidateRect
CopyRect
EndPaint
BeginPaint
PostMessageW
IsWindowVisible
SetWindowRgn
CreateWindowExW
GetDlgItem
GetWindowRect
ReleaseDC
GetDC
SendMessageW
wvsprintfW
SetFocus
GetClientRect
MoveWindow
GetWindowLongW
SetWindowLongW
CreateDialogParamW

gdi32

CombineRgn
CreateRectRgn
BitBlt
GetDeviceCaps
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
CreateFontIndirectW
DeleteObject
EnumFontFamiliesW
CreateDIBSection
SetViewportOrgEx
SaveDC
RestoreDC
SelectObject
StretchBlt
CreateFontW
OffsetViewportOrgEx

advapi32

CryptAcquireContextW
RegOpenKeyExA
CreateProcessAsUserW
GetLengthSid
SetTokenInformation
ConvertStringSidToSidW
DuplicateTokenEx
RegQueryValueExW
RegOpenKeyW
OpenProcessToken
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey
RegDeleteKeyW
RegQueryValueExA
CryptGenRandom
CryptReleaseContext
RegEnumKeyExA

shell32

ord165
SHGetSpecialFolderPathW
SHAppBarMessage
ShellExecuteExW
Shell_NotifyIconW
SHCreateDirectoryExW
CommandLineToArgvW
ShellExecuteW

ole32

CoTaskMemFree
CoTaskMemRealloc
CoTaskMemAlloc
CoCreateGuid
CreateStreamOnHGlobal
CLSIDFromProgID
CoUninitialize
CoInitialize
CoCreateInstance

oleaut32

SysAllocString
SysFreeString
VarUI4FromStr

shlwapi

SHGetValueW
SHSetValueW
PathRemoveFileSpecW
PathIsRelativeW
StrCmpNIW
PathFindFileNameW
PathIsPrefixW
StrCmpW
PathUnquoteSpacesW
SHSetValueA
wnsprintfW
PathCombineW
PathAppendW
SHGetValueA
StrStrIW
PathFileExistsW

comctl32

InitCommonControlsEx
_TrackMouseEvent

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

psapi

GetProcessImageFileNameW

iphlpapi

GetIpAddrTable
GetAdaptersInfo

wininet

InternetConnectW
InternetOpenW
DeleteUrlCacheEntryW
InternetCloseHandle
HttpOpenRequestW
HttpQueryInfoW
HttpSendRequestW
InternetGetConnectedState

urlmon

URLDownloadToFileW
URLDownloadToCacheFileW

crypt32

CertFindCertificateInStore
CertFreeCertificateContext
CertGetNameStringW
CertCloseStore
CryptQueryObject
CryptMsgGetParam
CryptMsgClose

setupapi

SetupIterateCabinetW

netapi32

Netbios

Sections

.text
Size: 348KB - Virtual size: 347KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 74KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 918KB - Virtual size: 918KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6031220667923ca607529965625c877a

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

54:92:38:03:40:3d:c0:8b:e2:4f:0d:7c:8c:cc:55:93Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

30:d2:67:84:66:ae:9b:33:28:5f:1a:53:17:2f:ec:17Certificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

5f:d6:93:fa:b0:98:e3:f4:67:7b:b8:cb:67:2c:22:9eCertificate

Extended Key Usages

Key Usages

Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

4d:9e:f3:75:ba:3e:d5:25:c5:64:9b:0d:b8:13:89:21:8e:4f:a9:a7:fd:d3:99:33:d9:af:c6:6d:0d:da:b2:c7Signer

cc:bb:fb:58:89:68:49:2b:9c:f2:ac:e0:23:fb:d5:18:8d:ae:70:92Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ws2_32

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

shlwapi

comctl32

version

psapi

iphlpapi

wininet

urlmon

crypt32

setupapi

netapi32

Sections

.text Size: 348KB - Virtual size: 347KB

.rdata Size: 74KB - Virtual size: 74KB

.data Size: 24KB - Virtual size: 38KB

.rsrc Size: 918KB - Virtual size: 918KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

54:92:38:03:40:3d:c0:8b:e2:4f:0d:7c:8c:cc:55:93
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

30:d2:67:84:66:ae:9b:33:28:5f:1a:53:17:2f:ec:17
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

5f:d6:93:fa:b0:98:e3:f4:67:7b:b8:cb:67:2c:22:9e
Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

4d:9e:f3:75:ba:3e:d5:25:c5:64:9b:0d:b8:13:89:21:8e:4f:a9:a7:fd:d3:99:33:d9:af:c6:6d:0d:da:b2:c7
Signer

cc:bb:fb:58:89:68:49:2b:9c:f2:ac:e0:23:fb:d5:18:8d:ae:70:92
Signer

.text
Size: 348KB - Virtual size: 347KB

.rdata
Size: 74KB - Virtual size: 74KB

.data
Size: 24KB - Virtual size: 38KB

.rsrc
Size: 918KB - Virtual size: 918KB