b32988d3cce6b86f1a0efc5e83f8fea90061aec721f7118a88d1fd300eaf151b

Sharing

Copy URL Twitter E-mail

General

Target

b32988d3cce6b86f1a0efc5e83f8fea90061aec721f7118a88d1fd300eaf151b
Size

13.5MB
MD5

5813a9a7590be5a5d026babb416fbbfe
SHA1

f047da97308d4934986b039175577c14ae5c13c1
SHA256

b32988d3cce6b86f1a0efc5e83f8fea90061aec721f7118a88d1fd300eaf151b
SHA512

622abf52f0a7ac199cdd5de93e87f2ad8dfbbecc7c3e68ebd6513559057a3b91603b5b09228c1d2b2d16c1c1a0f34a88558d69c2186ef95a3562761230857304
SSDEEP

393216:IqgacPtugL6so6tNJw33fitX7I4N5N1mwZuaha72A/4EZ:APtugLJl4nfI7l5Thh82A/4EZ

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack002/NoEscape.exe/NoEscape.exe-Latest Version/NoEscape.exe

Files

b32988d3cce6b86f1a0efc5e83f8fea90061aec721f7118a88d1fd300eaf151b
.zip

Password: infected
0x000300000002aa6e-720
.zip
NoEscape.exe/NoEscape.exe-Latest Version/NoEscape.exe
.exe windows:6 windows x86 arch:x86

f400a8c725e9bcee856360087d72fec3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

GetModuleHandleA
GetProcAddress

netapi32

NetUserAdd

ntdll

RtlGetVersion

user32

GetDC

gdi32

BitBlt

advapi32

FreeSid

shell32

ShellExecuteW

ole32

CoTaskMemFree

bcrypt

BCryptGenRandom

vcruntime140

wcsstr

api-ms-win-crt-string-l1-1-0

wmemcpy_s

api-ms-win-crt-runtime-l1-1-0

exit

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-stdio-l1-1-0

_set_fmode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-heap-l1-1-0

_set_new_mode

Sections

.MPRESS1
Size: 609KB - Virtual size: 1.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.MPRESS2
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
NoEscape.exe/NoEscape.exe-Latest Version/vc_redist.x86.exe
.exe windows:5 windows x86 arch:x86

8e2588a9cf43886de3449dfff03137b6

Code Sign

33:00:00:00:71:b3:2e:8a:6b:82:aa:1f:4e:00:00:00:00:00:71
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

20/03/2015, 17:32

Not After

20/06/2016, 17:32

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:B8EC-30A4-7144,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:38:8d:23:6d:16:27:a3:26:e0:00:00:00:00:00:38
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01/10/2014, 18:11

Not After

01/01/2016, 18:11

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ab:06:cb:ec:52:d7:a1:69:63:80:49:01:2e:f8:86:a1:5e:87:65:11:a6:e9:90:cd:1f:7b:f7:ad:25:14:e8:b4
Signer

Actual PE Digest

ab:06:cb:ec:52:d7:a1:69:63:80:49:01:2e:f8:86:a1:5e:87:65:11:a6:e9:90:cd:1f:7b:f7:ad:25:14:e8:b4

Digest Algorithm

sha256

PE Digest Matches

true

df:f2:e7:17:7c:35:2e:2a:10:e7:c1:35:9e:a2:41:d0:98:70:74:d6
Signer

Actual PE Digest

df:f2:e7:17:7c:35:2e:2a:10:e7:c1:35:9e:a2:41:d0:98:70:74:d6

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP

PDB Paths

E:\delivery\Dev\wix37\build\ship\x86\burn.pdb

Imports

gdiplus

GdiplusShutdown
GdiplusStartup
GdipDeleteGraphics
GdipFree
GdipCloneImage
GdipDisposeImage
GdipGetImageWidth
GdipGetImageHeight
GdipCreateBitmapFromResource
GdipCreateFromHDC
GdipSetInterpolationMode
GdipDrawImageRectI
GdipAlloc

advapi32

QueryServiceConfigW
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
CryptReleaseContext
RegDeleteKeyW
RegCreateKeyExW
RegEnumKeyExW
RegEnumValueW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegCloseKey
RegDeleteValueW
RegQueryValueExW
GetUserNameW
InitiateSystemShutdownExW
CreateWellKnownSid
InitializeAcl
SetEntriesInAclW
DecryptFileW
ChangeServiceConfigW
ControlService
CloseServiceHandle
QueryServiceStatus
OpenServiceW
OpenSCManagerW
RegQueryInfoKeyW
RegSetValueExW
SetEntriesInAclA
SetSecurityDescriptorGroup
RegOpenKeyExW
GetTokenInformation
CheckTokenMembership
AllocateAndInitializeSid
FreeSid
LookupAccountNameW
SetNamedSecurityInfoW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner

user32

GetMessageW
PeekMessageW
PostMessageW
IsWindow
PostQuitMessage
GetWindowLongW
SetWindowLongW
DefWindowProcW
UnregisterClassW
DispatchMessageW
TranslateMessage
IsDialogMessageW
MsgWaitForMultipleObjects
WaitForInputIdle
LoadCursorW
BeginPaint
EndPaint
GetCursorPos
MonitorFromPoint
GetMonitorInfoW
ReleaseDC
MessageBoxW
PostThreadMessageW
RegisterClassW
CreateWindowExW

oleaut32

VariantClear
VariantInit
SysAllocString
SysFreeString

gdi32

GetDeviceCaps
CreateDCW

shell32

ShellExecuteExW
SHGetFolderPathW
CommandLineToArgvW

ole32

CoTaskMemFree
CoCreateInstance
CoInitialize
CoUninitialize
CoInitializeEx
StringFromGUID2
CoInitializeSecurity
CLSIDFromProgID

kernel32

GetCurrentProcess
InitializeCriticalSection
TlsFree
DeleteCriticalSection
CloseHandle
TlsGetValue
Sleep
GetLastError
ReleaseMutex
TlsSetValue
TlsAlloc
GetCurrentThreadId
GetVersionExW
GetModuleHandleW
ReadFile
SetFilePointerEx
CreateFileW
GetCurrentProcessId
GetProcessId
WriteFile
ConnectNamedPipe
SetNamedPipeHandleState
lstrlenW
CompareStringW
LocalFree
CreateNamedPipeW
WaitForSingleObject
OpenProcess
lstrlenA
RemoveDirectoryW
GetFileAttributesW
ExpandEnvironmentStringsW
LeaveCriticalSection
EnterCriticalSection
FreeLibrary
GetProcAddress
VerifyVersionInfoW
VerSetConditionMask
GetComputerNameW
GetTempPathW
GetSystemDirectoryW
GetSystemWow64DirectoryW
GetVolumePathNameW
HeapAlloc
GetSystemDefaultLangID
GetUserDefaultLangID
GetDateFormatW
GetSystemTime
InterlockedExchange
LoadLibraryW
InterlockedCompareExchange
GetExitCodeThread
CreateThread
SetEvent
WaitForMultipleObjects
CreateEventW
ProcessIdToSessionId
InterlockedIncrement
InterlockedDecrement
GetStringTypeW
SetFileAttributesW
FindClose
FindNextFileW
FindFirstFileW
CreateProcessW
SetCurrentDirectoryW
GetCurrentDirectoryW
GetExitCodeProcess
SetThreadExecutionState
CopyFileExW
HeapSetInformation
MapViewOfFile
CreateFileMappingW
CreateMutexW
SetEndOfFile
ResetEvent
SetFileTime
LocalFileTimeToFileTime
DosDateTimeToFileTime
CreateFileA
GetSystemTimeAsFileTime
VirtualFree
VirtualAlloc
DeleteFileW
GetThreadLocale
GetTimeZoneInformation
TerminateProcess
UnhandledExceptionFilter
SystemTimeToTzSpecificLocalTime
SystemTimeToFileTime
GlobalAlloc
IsProcessorFeaturePresent
GetTickCount
QueryPerformanceCounter
HeapCreate
SetLastError
EncodePointer
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
GlobalFree
MoveFileExW
CopyFileW
GetFileSizeEx
GetModuleHandleA
RaiseException
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
RtlUnwind
SetFilePointer
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
HeapSize
HeapReAlloc
LCMapStringW
MultiByteToWideChar
SetStdHandle
WriteConsoleW
FlushFileBuffers
GetLocalTime
UnmapViewOfFile
IsDebuggerPresent
DuplicateHandle
HeapFree
FormatMessageW
GetTempFileNameW
GetWindowsDirectoryW
CompareStringA
FreeEnvironmentStringsW
GetModuleFileNameW
GetStdHandle
DecodePointer
ExitProcess
SetUnhandledExceptionFilter
GetStartupInfoW
GetCommandLineW
GetFullPathNameW
CreateDirectoryW
GetProcessHeap

cabinet

ord22
ord20
ord23

crypt32

CertGetCertificateContextProperty
CryptHashPublicKeyInfo

msi

ord88
ord17
ord125
ord116
ord115
ord118
ord8
ord171
ord205
ord45
ord137
ord141
ord238
ord190
ord169
ord90
ord173
ord111
ord70

rpcrt4

UuidCreate

wininet

InternetCloseHandle
HttpAddRequestHeadersW
HttpOpenRequestW
InternetErrorDlg
InternetReadFile
HttpSendRequestW
InternetSetOptionW
InternetOpenW
HttpQueryInfoW
InternetCrackUrlW
InternetConnectW

wintrust

WinVerifyTrust
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
CryptCATAdminCalcHashFromFileHandle

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

Sections

.text
Size: 229KB - Virtual size: 228KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 104KB - Virtual size: 104KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.wixburn
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

f400a8c725e9bcee856360087d72fec3

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

netapi32

ntdll

user32

gdi32

advapi32

shell32

ole32

bcrypt

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-heap-l1-1-0

Sections

.MPRESS1 Size: 609KB - Virtual size: 1.8MB

.MPRESS2 Size: 4KB - Virtual size: 3KB

.rsrc Size: 18KB - Virtual size: 18KB

8e2588a9cf43886de3449dfff03137b6

Code Sign

33:00:00:00:71:b3:2e:8a:6b:82:aa:1f:4e:00:00:00:00:00:71Certificate

Extended Key Usages

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0aCertificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

33:00:00:00:38:8d:23:6d:16:27:a3:26:e0:00:00:00:00:00:38Certificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

ab:06:cb:ec:52:d7:a1:69:63:80:49:01:2e:f8:86:a1:5e:87:65:11:a6:e9:90:cd:1f:7b:f7:ad:25:14:e8:b4Signer

df:f2:e7:17:7c:35:2e:2a:10:e7:c1:35:9e:a2:41:d0:98:70:74:d6Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

gdiplus

advapi32

user32

oleaut32

gdi32

shell32

ole32

kernel32

cabinet

crypt32

msi

rpcrt4

wininet

wintrust

version

Sections

.text Size: 229KB - Virtual size: 228KB

.rdata Size: 104KB - Virtual size: 104KB

.data Size: 4KB - Virtual size: 12KB

.wixburn Size: 512B - Virtual size: 56B

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 14KB - Virtual size: 14KB

.reloc Size: 17KB - Virtual size: 17KB

.MPRESS1
Size: 609KB - Virtual size: 1.8MB

.MPRESS2
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 18KB - Virtual size: 18KB

33:00:00:00:71:b3:2e:8a:6b:82:aa:1f:4e:00:00:00:00:00:71
Certificate

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:00:38:8d:23:6d:16:27:a3:26:e0:00:00:00:00:00:38
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

ab:06:cb:ec:52:d7:a1:69:63:80:49:01:2e:f8:86:a1:5e:87:65:11:a6:e9:90:cd:1f:7b:f7:ad:25:14:e8:b4
Signer

df:f2:e7:17:7c:35:2e:2a:10:e7:c1:35:9e:a2:41:d0:98:70:74:d6
Signer

.text
Size: 229KB - Virtual size: 228KB

.rdata
Size: 104KB - Virtual size: 104KB

.data
Size: 4KB - Virtual size: 12KB

.wixburn
Size: 512B - Virtual size: 56B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 14KB - Virtual size: 14KB

.reloc
Size: 17KB - Virtual size: 17KB