OSCEDTG6[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

OSCEDTG6.exe
Size

24.3MB
MD5

191d1e29bd258d5a807054d2f06ebb9e
SHA1

e8342c43775bd82250b9d2070948c4f1494433dc
SHA256

56f7087ac2f3acbd80d6f04a0cd2801d2e382cb20426530d58dac93e54e8eba7
SHA512

6fc4fede1f2debc7873a8fda2d06cc3fbc89ef23dab867f0c41679fed68e9dbeaba74c2c9c6342761b00607e2cb76601688d5b125f3d6534150c66d5cca958ad
SSDEEP

393216:jkbwzO1yREkZgf8UgP8AxYDX1+TtIiFGuvB5IjWqn6eCz1vyxXUS+drp16:obwzFRRbUbX71QtIZS3ILn6eQyV+df

Score

3^/10

pyinstaller

Malware Config

Signatures

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
sample	pyinstaller

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
OSCEDTG6.exe

Files

OSCEDTG6.exe
.exe windows:6 windows x64 arch:x64

75dda45dc32e05a3af06bc89a562d849

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\SSD 2\ALHACK\x64\Release\SLIGHTS.pdb

Imports

kernel32

GetConsoleWindow
Module32NextW
QueryFullProcessImageNameW
CreateFileMappingW
MapViewOfFile
lstrcmpiW
SetConsoleTitleW
IsDebuggerPresent
CheckRemoteDebuggerPresent
HeapDestroy
HeapFree
HeapSize
InitializeCriticalSectionEx
DeleteCriticalSection
CreateRemoteThread
GetTickCount64
VirtualQuery
VirtualAllocEx
UnmapViewOfFile
WideCharToMultiByte
LocalFree
EnterCriticalSection
LeaveCriticalSection
SleepEx
GetSystemDirectoryA
VerifyVersionInfoA
GetTickCount
MoveFileExA
WaitForSingleObjectEx
GetEnvironmentVariableA
GetFileType
WaitForMultipleObjects
SetLastError
SetThreadExecutionState
GetFileSizeEx
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
GetLocaleInfoEx
CreateProcessW
GetProcessHeap
GetProcAddress
GetWindowsDirectoryW
Module32FirstW
HeapAlloc
CreateThread
LoadLibraryW
GetCurrentDirectoryW
FindClose
FindFirstFileW
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
SetFileInformationByHandle
AreFileApisANSI
GetFileInformationByHandleEx
OutputDebugStringW
HeapReAlloc
Process32FirstW
DeleteFileW
LoadLibraryA
GetCurrentThread
CreateFileA
Process32NextW
Sleep
CreateToolhelp32Snapshot
OpenProcess
GetModuleHandleA
ContinueDebugEvent
WaitForSingleObject
TerminateProcess
WaitForDebugEvent
VirtualAlloc
GetStdHandle
GetCurrentProcess
GetCommandLineW
SetConsoleTextAttribute
VirtualProtect
WriteProcessMemory
GetModuleFileNameA
GetStartupInfoW
QueryPerformanceCounter
QueryPerformanceFrequency
GlobalUnlock
GlobalLock
GlobalFree
GlobalAlloc
MultiByteToWideChar
GetModuleFileNameW
lstrlenW
GetModuleHandleW
WaitNamedPipeW
GetCurrentProcessId
CloseHandle
GetLastError
CreateFileW
PeekNamedPipe
FreeLibrary
WriteFile
FormatMessageA
ReadFile

user32

GetActiveWindow
GetCapture
ClientToScreen
LoadCursorW
ScreenToClient
GetKeyState
UpdateWindow
FindWindowA
PostQuitMessage
SetWindowLongW
FindWindowW
ReleaseCapture
SetCursorPos
EmptyClipboard
GetCursorPos
SetCapture
TranslateMessage
SetLayeredWindowAttributes
GetForegroundWindow
SetWindowDisplayAffinity
PeekMessageW
DispatchMessageW
GetAsyncKeyState
ShowWindow
RegisterClassExW
UnregisterClassW
GetSystemMetrics
CreateWindowExW
MessageBoxW
SetWindowPos
IsWindowVisible
DestroyWindow
GetWindow
DefWindowProcW
GetWindowThreadProcessId
GetWindowLongW
SetCursor
OpenClipboard
GetClientRect
GetClipboardData
SetClipboardData
CloseClipboard
PostMessageW
GetWindowTextA
MessageBoxA
EnumWindows
GetClassNameA

advapi32

RegOpenKeyExW
RegSetValueExW
CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptDestroyHash
CryptHashData
CopySid
GetLengthSid
GetTokenInformation
IsValidSid
ConvertSidToStringSidA
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptGenRandom
RegQueryValueExW
GetUserNameA
RegCloseKey
OpenProcessToken
RegCreateKeyExW
CryptCreateHash

shell32

ShellExecuteA

msvcp140

?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEBX@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??Bios_base@std@@QEBA_NXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Random_device@std@@YAIXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
_Xtime_get_ticks
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
_Cnd_init_in_situ
_Query_perf_frequency
?_Throw_Cpp_error@std@@YAXH@Z
_Mtx_lock
_Cnd_do_broadcast_at_thread_exit
_Query_perf_counter
_Mtx_unlock
_Cnd_broadcast
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?uncaught_exception@std@@YA_NXZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Winerror_map@std@@YAHH@Z
?_Xbad_function_call@std@@YAXXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Syserror_map@std@@YAPEBDH@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ

imm32

ImmSetCompositionWindow
ImmGetContext
ImmReleaseContext

d3dx9_43

D3DXCreateTextureFromFileInMemory

dwmapi

DwmExtendFrameIntoClientArea

d3d9

Direct3DCreate9Ex

winhttp

WinHttpCloseHandle
WinHttpSendRequest
WinHttpConnect
WinHttpReadData
WinHttpOpen
WinHttpReceiveResponse
WinHttpOpenRequest

normaliz

IdnToAscii

wldap32

ord46
ord211
ord60
ord143
ord50
ord41
ord22
ord32
ord26
ord301
ord200
ord30
ord79
ord35
ord217
ord33
ord45
ord27

crypt32

CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertOpenStore
CertAddCertificateContextToStore
CertGetNameStringA
CertFindExtension
CertFreeCertificateChain
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore

ws2_32

closesocket
recv
send
WSAGetLastError
bind
connect
getpeername
getsockname
getsockopt
htons
ntohs
setsockopt
socket
ntohl
gethostname
sendto
recvfrom
WSASetLastError
getaddrinfo
select
__WSAFDIsSet
ioctlsocket
listen
htonl
accept
WSACleanup
WSAStartup
WSAIoctl
freeaddrinfo

rpcrt4

UuidToStringA
RpcStringFreeA
UuidCreate

psapi

EnumProcesses
GetModuleInformation
EnumProcessModules
GetModuleFileNameExW

ntdll

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
VerSetConditionMask

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

strchr
__std_exception_destroy
__std_exception_copy
strstr
__std_terminate
__C_specific_handler
memchr
memcmp
memmove
memcpy
memset
_CxxThrowException
strrchr
__current_exception
__current_exception_context
wcsstr

api-ms-win-crt-runtime-l1-1-0

terminate
strerror
_register_onexit_function
_getpid
_beginthreadex
exit
_initialize_onexit_table
abort
_resetstkoflw
_register_thread_local_exe_atexit_callback
_c_exit
_initialize_narrow_environment
__p___argv
__p___argc
_exit
_configure_narrow_argv
_initterm_e
_invalid_parameter_noinfo
_initterm
_get_initial_narrow_environment
_invalid_parameter_noinfo_noreturn
system
_set_app_type
_seh_filter_exe
__sys_nerr
_cexit
_crt_atexit
_errno

api-ms-win-crt-string-l1-1-0

isupper
strncpy
strcat_s
strpbrk
_strdup
isprint
wcsncpy_s
strncmp
strcmp
strtok_s
strnlen
strspn
strcspn
tolower

api-ms-win-crt-stdio-l1-1-0

setvbuf
_set_fmode
fsetpos
__p__commode
_fseeki64
fgetc
__stdio_common_vsprintf_s
_get_stream_buffer_pointers
_read
_write
_close
_open
fgetpos
fgets
_lseeki64
_pclose
_popen
fputc
__acrt_iob_func
fopen
fputs
__stdio_common_vfprintf
__stdio_common_vswprintf
__stdio_common_vsscanf
fread
__stdio_common_vsprintf
_wfopen
fwrite
ungetc
feof
fseek
fclose
fflush
ftell

api-ms-win-crt-time-l1-1-0

_time64
_gmtime64

api-ms-win-crt-heap-l1-1-0

malloc
_callnewh
calloc
free
realloc
_recalloc
_set_new_mode

api-ms-win-crt-utility-l1-1-0

srand
qsort
rand

api-ms-win-crt-convert-l1-1-0

strtod
atoi
strtol
strtoul
atof
strtoll
strtoull

api-ms-win-crt-math-l1-1-0

sinf
_dsign
floorf
cosf
pow
cos
powf
atanf
atan2f
sin
asinf
sqrtf
__setusermatherr
_dclass
acosf
tanf
ceilf
fmodf
_hypotf

api-ms-win-crt-filesystem-l1-1-0

_fstat64
_stat64
_lock_file
_unlock_file
rename
_unlink
_access
remove

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
localeconv
___lc_codepage_func

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 608KB - Virtual size: 607KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 21.1MB - Virtual size: 21.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 44KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 208KB - Virtual size: 207KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
cstealer.pyc

Sharing

General

Malware Config

Signatures

Files

75dda45dc32e05a3af06bc89a562d849

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

msvcp140

imm32

d3dx9_43

dwmapi

d3d9

winhttp

normaliz

wldap32

crypt32

ws2_32

rpcrt4

psapi

ntdll

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 2.3MB - Virtual size: 2.3MB

.rdata Size: 608KB - Virtual size: 607KB

.data Size: 21.1MB - Virtual size: 21.3MB

.pdata Size: 44KB - Virtual size: 44KB

.rsrc Size: 208KB - Virtual size: 207KB

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 2.3MB - Virtual size: 2.3MB

.rdata
Size: 608KB - Virtual size: 607KB

.data
Size: 21.1MB - Virtual size: 21.3MB

.pdata
Size: 44KB - Virtual size: 44KB

.rsrc
Size: 208KB - Virtual size: 207KB

.reloc
Size: 2KB - Virtual size: 1KB