87602f5e04fe724815a9699386530700N[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

87602f5e04fe724815a9699386530700N.exe
Size

703KB
MD5

87602f5e04fe724815a9699386530700
SHA1

37deebfd3b48c6896bd53bd932051dcced8e9e76
SHA256

965504fa3576352dc40fb5e5cbccdf3d40fc9260d7d920b8728292af57107cdc
SHA512

c97caece5add29b75aa4684685c1ee0d8519ac5f0947f8a5fa9bf22a14f018052a737bb3af7804079814a9b3ad6c089acd306ee3870dd2b1d69be0894bdacfe7
SSDEEP

12288:yrdyPTzT5bqAnrLg53RL0jOuFvh00atLJsKq8QhRn+Yx9SkDM6IiTyrxK9UTs687:yrdyL8ArMBV0m0wKKefx9TzTylK9aQ

Score

3^/10

Malware Config

Signatures

Unsigned PE 6 IoCs

Checks for missing Authenticode signature.

resource
87602f5e04fe724815a9699386530700N.exe
unpack001/$PLUGINSDIR/AccessControl.dll
unpack001/$PLUGINSDIR/ProKill.dll
unpack001/$PLUGINSDIR/SimpleSC.dll
unpack001/$PLUGINSDIR/System.dll
unpack001/$PLUGINSDIR/crypto.dll

NSIS installer 2 IoCs

installer

resource	yara_rule
sample	nsis_installer_1
sample	nsis_installer_2

Files

87602f5e04fe724815a9699386530700N.exe
.exe windows:4 windows x86 arch:x86

099c0646ea7282d232219f8807883be0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetTickCount
CreateFileA
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
SetFileTime
GetTempPathA
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
GetVersion
CloseHandle
lstrcmpiA
lstrcmpA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GetModuleHandleA
LoadLibraryExA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetWindowsDirectoryA

user32

EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
DestroyWindow
CreateDialogParamA
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
OpenClipboard
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 124KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 27KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/AccessControl.dll
.dll windows:4 windows x86 arch:x86

1e63c8029cce4cd0432cd72aeab6b25a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalFree
lstrcpynA
CloseHandle
GetCurrentProcess
lstrlenA
LocalAlloc
LoadLibraryA
GetProcAddress
lstrcmpiA
GetLastError
lstrcatA
GetFileAttributesA
lstrcpyA
LocalFree
GlobalAlloc

user32

wsprintfA

advapi32

RegGetKeySecurity
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
RegCloseKey
LookupAccountNameA
GetSidSubAuthorityCount
AdjustTokenPrivileges
GetUserNameA
SetSecurityDescriptorGroup
RegSetKeySecurity
IsValidSid
GetSecurityDescriptorOwner
GetSidSubAuthority
OpenProcessToken
GetSidIdentifierAuthority
LookupAccountSidA
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
LookupPrivilegeValueA
RegOpenKeyExA
SetSecurityDescriptorOwner

Exports

Exports

ClearOnFile
ClearOnRegKey
DenyOnFile
DenyOnRegKey
DisableFileInheritance
DisableRegKeyInheritance
EnableFileInheritance
EnableRegKeyInheritance
GetCurrentUserName
GetFileGroup
GetFileOwner
GetRegKeyGroup
GetRegKeyOwner
GrantOnFile
GrantOnRegKey
NameToSid
RevokeOnFile
RevokeOnRegKey
SetFileGroup
SetFileOwner
SetOnFile
SetOnRegKey
SetRegKeyGroup
SetRegKeyOwner
SidToName

Sections

.text
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 978B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/CloseBtn.png
.png
$PLUGINSDIR/ProKill.dll
.dll windows:5 windows x86 arch:x86

6190f72bd100acba02b42391911fe724

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

D:\projects\ProKill\Release\ProKill.pdb

Imports

kernel32

GetCurrentProcess
CloseHandle
CreateToolhelp32Snapshot
Process32FirstW
OpenProcess
Sleep
TerminateProcess
MultiByteToWideChar
GlobalFree
Process32NextW
lstrcpyA
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
InterlockedCompareExchange
InterlockedExchange
DecodePointer
EncodePointer
GetSystemTimeAsFileTime

advapi32

LookupPrivilegeValueW
OpenProcessToken
AdjustTokenPrivileges

msvcr100

__CppXcptFilter
_crt_debugger_hook
?terminate@@YAXXZ
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_amsg_exit
_unlock
__dllonexit
_lock
_onexit
_except_handler4_common
_encoded_null
_initterm_e
__clean_type_info_names_internal
free
_malloc_crt
?what@exception@std@@UBEPBDXZ
??_U@YAPAXI@Z
??2@YAPAXI@Z
??0exception@std@@QAE@ABV01@@Z
??_V@YAXPAX@Z
memmove
??3@YAXPAX@Z
??1exception@std@@UAE@XZ
??0exception@std@@QAE@ABQBD@Z
_initterm
memcpy
_CxxThrowException
__CxxFrameHandler3
memset

msvcp100

?_Xout_of_range@std@@YAXPBD@Z
?_Xlength_error@std@@YAXPBD@Z

Exports

Exports

KillPro

Sections

.text
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 436B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 768B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/SimpleSC.dll
.dll windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_BYTES_REVERSED_HI

Exports

Exports

ContinueService
ExistsService
GetErrorMessage
GetServiceBinaryPath
GetServiceDelayedAutoStartInfo
GetServiceDescription
GetServiceDisplayName
GetServiceFailure
GetServiceFailureFlag
GetServiceLogon
GetServiceName
GetServiceStartType
GetServiceStatus
GrantServiceLogonPrivilege
InstallService
PauseService
RemoveService
RemoveServiceLogonPrivilege
RestartService
ServiceIsPaused
ServiceIsRunning
ServiceIsStopped
SetServiceBinaryPath
SetServiceDelayedAutoStartInfo
SetServiceDescription
SetServiceFailure
SetServiceFailureFlag
SetServiceLogon
SetServiceStartType
StartService
StopService

Sections

CODE
Size: 47KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 2KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 1024B - Virtual size: 950B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

2017f2acbdaa42ab3e4adeb8b4c37e7b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalAlloc
GlobalFree
GlobalSize
GetLastError
lstrcpyA
lstrcpynA
FreeLibrary
lstrcatA
GetProcAddress
LoadLibraryA
GetModuleHandleA
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
VirtualAlloc
VirtualProtect

user32

wsprintfA

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 784B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 100B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 520B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/bg.png
.png
$PLUGINSDIR/bk.PNG
.png
$PLUGINSDIR/cancel.png
.png
$PLUGINSDIR/cancel2.png
.png
$PLUGINSDIR/cancel3.png
.png
$PLUGINSDIR/change.png
.png
$PLUGINSDIR/check-box.png
.png
$PLUGINSDIR/crypto.dll
.dll windows:5 windows x86 arch:x86

acd90cbb2562fadce39075a277e43cfb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

d:\dllprj\crypto\Release\crypto.pdb

Imports

kernel32

GetLastError
HeapFree
HeapAlloc
GetCurrentThreadId
DecodePointer
GetCommandLineA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapCreate
HeapDestroy
GetProcAddress
GetModuleHandleW
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameW
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
InterlockedDecrement
Sleep
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
IsProcessorFeaturePresent
LeaveCriticalSection
EnterCriticalSection
LoadLibraryW
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapReAlloc
RtlUnwind
HeapSize
LCMapStringW
MultiByteToWideChar
GetStringTypeW

Exports

Exports

br_crypto_rc4_decode
br_crypto_rc4_encode

Sections

.text
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 436B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/delete.png
.png
$PLUGINSDIR/down.png
.png
$PLUGINSDIR/finish.png
.png
$PLUGINSDIR/go.png
.png
$PLUGINSDIR/go2.png
.png
$PLUGINSDIR/img_01.png
.png
$PLUGINSDIR/input_01.png
.png
$PLUGINSDIR/jieyabutton.png
.png
$PLUGINSDIR/jindutiao.png
.png
$PLUGINSDIR/up.png
.png
KaolaExt.dll
.dll regsvr32 windows:5 windows x86 arch:x86

4a907556e289208a5348f40f1b8f6031

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

22:97:a8:80:ad:01:84:6a:8f:46:52:4b:7e:a7:b5:02
Certificate

Issuer

CN=WoSign Class 3 Code Signing CA,O=WoSign CA Limited,C=CN

Not Before

03/02/2015, 01:26

Not After

03/02/2016, 01:26

Subject

CN=Yantai Zhenghao Network Technology (Zhifu Branch) Co.\, LTD.,O=Yantai Zhenghao Network Technology (Zhifu Branch) Co.\, LTD.,L=Yantai,ST=Shandong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageDigitalSignature

6b:da:df:ef:f0:66:1b:d2:64:2a:f4:6e:cb:b2:79:40
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

09/07/1999, 18:31

Not After

09/07/2019, 18:40

Subject

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

46:bb:b3:40:fa:b9:c1:79:28:93:8c:93:da:10:86:79
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Not Before

08/08/2009, 01:00

Not After

08/08/2024, 01:00

Subject

CN=WoSign Class 3 Code Signing CA,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

8e:fd:3f:17:e3:46:82:58:92:e3:a8:f1:ff:21:0a:2b:b8:50:bb:3e
Signer

Actual PE Digest

8e:fd:3f:17:e3:46:82:58:92:e3:a8:f1:ff:21:0a:2b:b8:50:bb:3e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

shlwapi

PathRemoveFileSpecW
PathMatchSpecW
PathAddBackslashW
PathFileExistsW

kernel32

GetCurrentDirectoryA
DeleteFileA
RemoveDirectoryA
CreateDirectoryA
MoveFileA
CreateFileA
FindNextFileA
FindFirstFileA
SetFileAttributesA
GetFileAttributesA
FormatMessageA
lstrlenW
lstrcmpiW
LoadLibraryW
GetCommandLineW
GetVolumeInformationW
GetDriveTypeW
GetDiskFreeSpaceW
GetFullPathNameW
SetCurrentDirectoryW
GetCurrentDirectoryW
DeleteFileW
RemoveDirectoryW
CreateDirectoryW
GetProcAddress
MoveFileW
CreateFileW
FindNextFileW
FindFirstFileW
SetFileAttributesW
GetFileAttributesW
FormatMessageW
GetVersion
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
IsDBCSLeadByte
WriteFile
SetFilePointer
SetUnhandledExceptionFilter
GetCurrentProcess
SetThreadLocale
WritePrivateProfileStringW
MultiByteToWideChar
WriteConsoleW
SetCurrentDirectoryA
GetConsoleMode
GetConsoleCP
HeapSize
LCMapStringW
GetStringTypeW
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStartupInfoW
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
RaiseException
Sleep
GetStdHandle
ExitProcess
HeapDestroy
HeapCreate
InterlockedDecrement
SetLastError
InterlockedIncrement
TlsFree
TlsSetValue
GetTempPathW
TlsGetValue
TlsAlloc
IsProcessorFeaturePresent
IsDebuggerPresent
UnhandledExceptionFilter
TerminateProcess
EncodePointer
DecodePointer
CreateThread
GetCurrentThreadId
ExitThread
HeapReAlloc
HeapAlloc
HeapFree
GetLastError
RtlUnwind
CreateFileMappingW
MapViewOfFile
GlobalAlloc
GetDiskFreeSpaceA
GetDriveTypeA
GetVolumeInformationA
GetCommandLineA
LoadLibraryA
lstrlenA
lstrcmpiA
GetModuleHandleA
GetModuleHandleW
GetModuleFileNameW
SetStdHandle
lstrcatW
GlobalLock
GlobalUnlock
GetThreadLocale
GetSystemDefaultLCID
GetModuleFileNameA
GetFullPathNameA
CreateProcessA
WaitForSingleObject
CloseHandle
GetVersionExW
WideCharToMultiByte
FlushFileBuffers

user32

CopyImage
ReleaseDC
GetDC
wsprintfA
CloseClipboard
IsClipboardFormatAvailable
RegisterClipboardFormatW
GetClipboardData
OpenClipboard
LoadStringW
GetWindowTextW
SetWindowTextW
GetWindowTextLengthW
GetDlgItemTextW
SetDlgItemTextW
PostMessageW
SendMessageW
SendDlgItemMessageW
MessageBoxW
CreateDialogParamW
DialogBoxParamW
GetWindowLongW
SetWindowLongW
CallWindowProcW
FindWindowW
CreateWindowExW
ModifyMenuW
CharUpperW
CharLowerW
GetWindowTextA
SetWindowTextA
GetWindowTextLengthA
GetDlgItemTextA
SetDlgItemTextA
PostMessageA
SendMessageA
SendDlgItemMessageA
MessageBoxA
CreateDialogParamA
DialogBoxParamA
GetWindowLongA
SetWindowLongA
CallWindowProcA
RegisterClassA
FindWindowA
CreateWindowExA
InsertMenuA
ModifyMenuA
CharUpperA
CharLowerA
LoadBitmapW
wsprintfW
EmptyClipboard
SetClipboardData
InsertMenuW
SetMenuItemBitmaps
RegisterClassW

gdi32

StretchBlt
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
DeleteDC
DeleteObject

comdlg32

GetSaveFileNameW
GetOpenFileNameA
GetSaveFileNameA
GetOpenFileNameW

advapi32

RegEnumKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExW
RegCreateKeyExA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegSetValueExA
RegQueryValueExA
RegQueryValueA
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
RegSetValueExW
RegQueryValueW
RegEnumValueW

shell32

DragQueryFileW
ShellExecuteExW
DragQueryFileA
ShellExecuteA
ShellExecuteExA
SHGetPathFromIDListA
SHGetSpecialFolderPathW
SHBrowseForFolderA
ShellExecuteW

ole32

CoInitialize
ReleaseStgMedium
StringFromIID
CoGetMalloc
CoUninitialize
CoCreateInstance

winmm

PlaySoundW
PlaySoundA

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
GetMenuFlags
IsRegistServer
SetMenuFlags
UpdateDll

Sections

.text
Size: 60KB - Virtual size: 59KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
KaolaExt64.dll
.dll regsvr32 windows:5 windows x64 arch:x64

c2a74efbc1c7a88aa1929a343f9438b9

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

22:97:a8:80:ad:01:84:6a:8f:46:52:4b:7e:a7:b5:02
Certificate

Issuer

CN=WoSign Class 3 Code Signing CA,O=WoSign CA Limited,C=CN

Not Before

03/02/2015, 01:26

Not After

03/02/2016, 01:26

Subject

CN=Yantai Zhenghao Network Technology (Zhifu Branch) Co.\, LTD.,O=Yantai Zhenghao Network Technology (Zhifu Branch) Co.\, LTD.,L=Yantai,ST=Shandong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageDigitalSignature

6b:da:df:ef:f0:66:1b:d2:64:2a:f4:6e:cb:b2:79:40
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

09/07/1999, 18:31

Not After

09/07/2019, 18:40

Subject

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

46:bb:b3:40:fa:b9:c1:79:28:93:8c:93:da:10:86:79
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN

Not Before

08/08/2009, 01:00

Not After

08/08/2024, 01:00

Subject

CN=WoSign Class 3 Code Signing CA,O=WoSign CA Limited,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

68:03:6e:fc:c3:41:00:ec:d8:6b:4e:37:7c:e5:4b:c0:6b:a5:fa:bc
Signer

Actual PE Digest

68:03:6e:fc:c3:41:00:ec:d8:6b:4e:37:7c:e5:4b:c0:6b:a5:fa:bc

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

shlwapi

PathRemoveFileSpecW
PathMatchSpecW
PathAddBackslashW
PathFileExistsW

kernel32

GetCurrentDirectoryA
DeleteFileA
RemoveDirectoryA
CreateDirectoryA
MoveFileA
CreateFileA
FindNextFileA
FindFirstFileA
SetFileAttributesA
GetFileAttributesA
FormatMessageA
lstrlenW
lstrcmpiW
LoadLibraryW
GetCommandLineW
GetVolumeInformationW
GetDriveTypeW
GetDiskFreeSpaceW
GetFullPathNameW
SetCurrentDirectoryW
GetCurrentDirectoryW
DeleteFileW
RemoveDirectoryW
CreateDirectoryW
GetProcAddress
MoveFileW
CreateFileW
FindNextFileW
FindFirstFileW
SetFileAttributesW
GetFileAttributesW
FormatMessageW
GetVersion
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
IsDBCSLeadByte
WriteFile
SetFilePointer
SetUnhandledExceptionFilter
GetCurrentProcess
SetThreadLocale
WideCharToMultiByte
MultiByteToWideChar
WritePrivateProfileStringW
WriteConsoleW
SetCurrentDirectoryA
GetConsoleMode
GetConsoleCP
HeapSize
LCMapStringW
GetStringTypeW
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStartupInfoW
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
Sleep
GetStdHandle
ExitProcess
HeapDestroy
HeapCreate
HeapSetInformation
RtlPcToFileHeader
RaiseException
FlsAlloc
SetLastError
FlsFree
FlsGetValue
GetTempPathW
RtlCaptureContext
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
TerminateProcess
EncodePointer
DecodePointer
FlsSetValue
CreateThread
GetCurrentThreadId
ExitThread
HeapReAlloc
HeapAlloc
HeapFree
GetLastError
RtlUnwindEx
RtlLookupFunctionEntry
CreateFileMappingW
MapViewOfFile
GetDiskFreeSpaceA
GetDriveTypeA
GetVolumeInformationA
GetCommandLineA
LoadLibraryA
lstrlenA
lstrcmpiA
GetModuleHandleA
GetModuleHandleW
GetModuleFileNameW
SetStdHandle
lstrcatW
GlobalAlloc
GlobalLock
GlobalUnlock
GetThreadLocale
GetSystemDefaultLCID
GetModuleFileNameA
GetFullPathNameA
CreateProcessA
WaitForSingleObject
CloseHandle
GetVersionExW
FlushFileBuffers

user32

CopyImage
ReleaseDC
GetDC
wsprintfA
CloseClipboard
IsClipboardFormatAvailable
RegisterClipboardFormatW
GetClipboardData
OpenClipboard
LoadStringW
GetWindowTextW
SetWindowTextW
GetWindowTextLengthW
GetDlgItemTextW
SetDlgItemTextW
PostMessageW
SendMessageW
SendDlgItemMessageW
MessageBoxW
CreateDialogParamW
DialogBoxParamW
GetWindowLongPtrW
SetWindowLongPtrW
CallWindowProcW
FindWindowW
CreateWindowExW
ModifyMenuW
CharUpperW
CharLowerW
GetWindowTextA
SetWindowTextA
GetWindowTextLengthA
GetDlgItemTextA
SetDlgItemTextA
PostMessageA
SendMessageA
SendDlgItemMessageA
MessageBoxA
CreateDialogParamA
DialogBoxParamA
GetWindowLongPtrA
SetWindowLongPtrA
CallWindowProcA
RegisterClassA
FindWindowA
CreateWindowExA
InsertMenuA
ModifyMenuA
CharUpperA
CharLowerA
LoadBitmapW
wsprintfW
EmptyClipboard
SetClipboardData
InsertMenuW
SetMenuItemBitmaps
RegisterClassW

gdi32

StretchBlt
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
DeleteDC
DeleteObject

comdlg32

GetSaveFileNameW
GetOpenFileNameA
GetSaveFileNameA
GetOpenFileNameW

advapi32

RegDeleteValueW
RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExW
RegEnumValueW
RegCreateKeyExA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegSetValueExA
RegQueryValueExA
RegQueryValueA
RegCloseKey
RegDeleteKeyW
RegSetValueExW
RegQueryValueW
RegEnumKeyExW

shell32

ShellExecuteW
ShellExecuteExW
DragQueryFileA
ShellExecuteA
ShellExecuteExA
SHGetSpecialFolderPathW
SHBrowseForFolderA
SHGetPathFromIDListA
DragQueryFileW

ole32

CoInitialize
ReleaseStgMedium
StringFromIID
CoGetMalloc
CoUninitialize
CoCreateInstance

winmm

PlaySoundW
PlaySoundA

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
GetMenuFlags
IsRegistServer
SetMenuFlags
UpdateDll

Sections

.text
Size: 66KB - Virtual size: 65KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

099c0646ea7282d232219f8807883be0

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 23KB - Virtual size: 22KB

.rdata Size: 4KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 107KB

.ndata Size: - Virtual size: 124KB

.rsrc Size: 27KB - Virtual size: 26KB

1e63c8029cce4cd0432cd72aeab6b25a

Headers

File Characteristics

Imports

kernel32

user32

advapi32

Exports

Exports

Sections

.text Size: 10KB - Virtual size: 10KB

.data Size: 512B - Virtual size: 348B

.reloc Size: 1024B - Virtual size: 978B

6190f72bd100acba02b42391911fe724

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

advapi32

msvcr100

msvcp100

Exports

Exports

Sections

.text Size: 6KB - Virtual size: 6KB

.rdata Size: 3KB - Virtual size: 2KB

.data Size: 512B - Virtual size: 960B

.rsrc Size: 512B - Virtual size: 436B

.reloc Size: 1024B - Virtual size: 768B

Headers

File Characteristics

Exports

Exports

Sections

CODE Size: 47KB - Virtual size: 47KB

DATA Size: 1KB - Virtual size: 1KB

BSS Size: - Virtual size: 2KB

.idata Size: 3KB - Virtual size: 2KB

.edata Size: 1024B - Virtual size: 950B

.reloc Size: 3KB - Virtual size: 3KB

.rsrc Size: 4KB - Virtual size: 4KB

2017f2acbdaa42ab3e4adeb8b4c37e7b

Headers

File Characteristics

Imports

kernel32

user32

ole32

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 7KB

.rdata Size: 1024B - Virtual size: 784B

.data Size: 512B - Virtual size: 100B

.text
Size: 23KB - Virtual size: 22KB

.rdata
Size: 4KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 107KB

.ndata
Size: - Virtual size: 124KB

.rsrc
Size: 27KB - Virtual size: 26KB

.text
Size: 10KB - Virtual size: 10KB

.data
Size: 512B - Virtual size: 348B

.reloc
Size: 1024B - Virtual size: 978B

.text
Size: 6KB - Virtual size: 6KB

.rdata
Size: 3KB - Virtual size: 2KB

.data
Size: 512B - Virtual size: 960B

.rsrc
Size: 512B - Virtual size: 436B

.reloc
Size: 1024B - Virtual size: 768B

CODE
Size: 47KB - Virtual size: 47KB

DATA
Size: 1KB - Virtual size: 1KB

BSS
Size: - Virtual size: 2KB

.idata
Size: 3KB - Virtual size: 2KB

.edata
Size: 1024B - Virtual size: 950B

.reloc
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 4KB - Virtual size: 4KB

.text
Size: 7KB - Virtual size: 7KB

.rdata
Size: 1024B - Virtual size: 784B

.data
Size: 512B - Virtual size: 100B

.reloc
Size: 1024B - Virtual size: 520B

.text
Size: 19KB - Virtual size: 19KB

.rdata
Size: 8KB - Virtual size: 8KB

.data
Size: 3KB - Virtual size: 6KB

.rsrc
Size: 512B - Virtual size: 436B

.reloc
Size: 2KB - Virtual size: 1KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

22:97:a8:80:ad:01:84:6a:8f:46:52:4b:7e:a7:b5:02
Certificate

6b:da:df:ef:f0:66:1b:d2:64:2a:f4:6e:cb:b2:79:40
Certificate

46:bb:b3:40:fa:b9:c1:79:28:93:8c:93:da:10:86:79
Certificate

8e:fd:3f:17:e3:46:82:58:92:e3:a8:f1:ff:21:0a:2b:b8:50:bb:3e
Signer

.text
Size: 60KB - Virtual size: 59KB

.rdata
Size: 20KB - Virtual size: 19KB

.data
Size: 10KB - Virtual size: 17KB

.rsrc
Size: 25KB - Virtual size: 25KB

.reloc
Size: 8KB - Virtual size: 8KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

22:97:a8:80:ad:01:84:6a:8f:46:52:4b:7e:a7:b5:02
Certificate

6b:da:df:ef:f0:66:1b:d2:64:2a:f4:6e:cb:b2:79:40
Certificate