2024-09-05_c7f49a52da7ccca233f8751694db8b1c_mafia

Sharing

Copy URL Twitter E-mail

General

Target

2024-09-05_c7f49a52da7ccca233f8751694db8b1c_mafia
Size

523KB
MD5

c7f49a52da7ccca233f8751694db8b1c
SHA1

c9d0cbb8382a073543b3c436c443f646122680f0
SHA256

f17147677c61998c389df1221a4878e0005666f47a33c6c1f3455bec0296affd
SHA512

6fcbe268efa4b0f68c007075289262fce0129eda294127cd9429614a913c65c4fc95ebe3e0b1e8cc22684a23efdf2b0e916613486f39afea320ffa775e24f4b0
SSDEEP

12288:8X+18taRMVB6eoxAc3CtVzkZkouX0ABXJqGu+Y:O+1hyrzk1ukABXJqGu+Y

Score

1^/10

Malware Config

Signatures

Files

2024-09-05_c7f49a52da7ccca233f8751694db8b1c_mafia
.exe windows:5 windows x86 arch:x86

87128074191c32d3a9c87b17c0f71fd0

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:53:1d:94:3d:db:11:4c:9c:db:80:39:51:08:28:3e
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

23/09/2015, 00:00

Not After

28/09/2018, 23:59

Subject

CN=EASY SOLUTIONS\, INC.,O=EASY SOLUTIONS\, INC.,L=Doral,ST=Florida,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

04/03/2014, 00:00

Not After

03/03/2024, 23:59

Subject

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

67:f0:a9:88:dd:8f:88:50:33:71:62:ec:cb:5e:5f:c9
Certificate

Issuer

CN=Symantec Class 3 Extended Validation Code Signing CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

22/09/2015, 00:00

Not After

21/09/2018, 23:59

Subject

SERIALNUMBER=4381490,CN=Easy Solutions\, Inc.,O=Easy Solutions\, Inc.,L=Doral,ST=Florida,C=US,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

5f:d6:93:fa:b0:98:e3:f4:67:7b:b8:cb:67:2c:22:9e
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

11/06/2015, 00:00

Not After

29/12/2020, 23:59

Subject

CN=GeoTrust 2048-bit Timestamping Signer 1,O=GeoTrust Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

01/01/1997, 00:00

Not After

31/12/2020, 23:59

Subject

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2e:44:97:ca:79:ed:0d:8c:f7:bf:58:2a:49:79:94:a4:81:88:d9:75:6f:88:30:5c:80:4b:38:bf:98:af:da:0a
Signer

Actual PE Digest

2e:44:97:ca:79:ed:0d:8c:f7:bf:58:2a:49:79:94:a4:81:88:d9:75:6f:88:30:5c:80:4b:38:bf:98:af:da:0a

Digest Algorithm

sha256

PE Digest Matches

true

a1:4b:e3:fc:fb:bc:65:60:f0:93:75:6d:7e:7e:4e:47:56:46:d6:4d
Signer

Actual PE Digest

a1:4b:e3:fc:fb:bc:65:60:f0:93:75:6d:7e:7e:4e:47:56:46:d6:4d

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\dsb\Documents\Jenkins\workspace\DetectUpdate-Client-Production\VS2010\Release\DetectUpdate.pdb

Imports

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

kernel32

CopyFileW
MoveFileExW
FlushFileBuffers
SetFilePointer
ReadFile
GetFileSize
GetFileTime
SetFileTime
SetEndOfFile
GetSystemTimeAsFileTime
FileTimeToSystemTime
CompareFileTime
FindClose
SetFileAttributesW
WaitForSingleObjectEx
WaitForMultipleObjectsEx
GetExitCodeProcess
TerminateProcess
SetPriorityClass
AssignProcessToJobObject
CreateJobObjectW
ReadProcessMemory
GetShortPathNameW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
GetLongPathNameW
ProcessIdToSessionId
FormatMessageW
LoadLibraryW
SetErrorMode
GetProcessWorkingSetSize
GlobalMemoryStatusEx
SetProcessWorkingSetSize
GetSystemPowerStatus
GetPrivateProfileStringW
DeviceIoControl
GetDiskFreeSpaceExW
GetFileAttributesW
SleepEx
GetTimeZoneInformation
SetStdHandle
GetConsoleMode
GetConsoleCP
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetFileAttributesExW
PeekNamedPipe
GetFileInformationByHandle
GetFullPathNameW
QueryPerformanceCounter
GetFileType
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStringTypeW
IsValidCodePage
GetOEMCP
GetACP
GetLocaleInfoW
HeapCreate
GetStdHandle
ExitProcess
IsProcessorFeaturePresent
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCPInfo
LCMapStringW
SetThreadPriority
TerminateThread
ResumeThread
SuspendThread
CreateProcessW
lstrcmpW
GlobalFree
GetSystemDirectoryW
GetWindowsDirectoryW
GetComputerNameW
VirtualQuery
GetThreadPriority
ResetEvent
InitializeCriticalSection
TryEnterCriticalSection
GetLogicalDriveStringsW
QueryDosDeviceW
SetLastError
GetCurrentProcessId
OpenProcess
LocalAlloc
LocalFree
VerSetConditionMask
VerifyVersionInfoW
GetCurrentProcess
FindFirstFileW
FindNextFileW
GetLocalTime
CreateFileW
WriteFile
CreateDirectoryW
GetCurrentDirectoryW
SetEnvironmentVariableA
DeleteFileW
MoveFileW
GetCurrentThread
WideCharToMultiByte
GetUserDefaultUILanguage
GetCommandLineW
LoadLibraryExW
FreeLibrary
InterlockedDecrement
CreateThread
GetCurrentThreadId
GetTickCount
WaitForSingleObject
GetModuleFileNameW
CreateEventW
CreateWaitableTimerW
SetWaitableTimer
Sleep
WaitForMultipleObjects
SetEvent
lstrcmpiW
CloseHandle
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
GetLastError
RaiseException
lstrlenW
GetModuleHandleW
GetProcAddress
GetVersionExW
GetTempPathW
MultiByteToWideChar
FindResourceExW
FindResourceW
GetSystemInfo
VirtualAlloc
VirtualProtect
FindFirstFileExW
GetDriveTypeW
FileTimeToLocalFileTime
GetStartupInfoW
HeapSetInformation
RtlUnwind
DecodePointer
EncodePointer
InterlockedExchange
InterlockedIncrement
GetProcessHeap
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
HeapDestroy
LoadResource
LockResource
SizeofResource
WriteConsoleW
CompareStringW
GetUserDefaultLCID

user32

TranslateMessage
DispatchMessageW
GetMessageW
GetProcessWindowStation
ExitWindowsEx
GetGuiResources
LoadStringW
PostThreadMessageW
GetWindowLongW
SetWindowPos
MapWindowPoints
MessageBoxW
GetMonitorInfoW
MonitorFromWindow
GetWindowRect
GetWindow
GetParent
CharLowerW
SetForegroundWindow
IsWindowVisible
DestroyWindow
GetWindowThreadProcessId
EnumWindows
AllowSetForegroundWindow
PeekMessageW
MsgWaitForMultipleObjects
FlashWindow
GetLastInputInfo
SystemParametersInfoW
CharUpperW
GetClientRect
CharNextW
OpenInputDesktop
CloseDesktop
GetUserObjectInformationW
CreateWindowExW

advapi32

SetSecurityDescriptorOwner
GetSecurityDescriptorControl
MakeAbsoluteSD
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
IsTokenRestricted
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
AdjustTokenPrivileges
LookupPrivilegeValueW
PrivilegeCheck
DuplicateTokenEx
CreateProcessAsUserW
ConvertStringSecurityDescriptorToSecurityDescriptorA
SetNamedSecurityInfoW
LookupAccountSidW
ConvertSidToStringSidW
EqualSid
GetTokenInformation
GetSidIdentifierAuthority
GetSidSubAuthorityCount
OpenThreadToken
OpenProcessToken
RegFlushKey
RegRestoreKeyW
RegSaveKeyW
RegEnumValueW
RevertToSelf
ImpersonateLoggedOnUser
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
GetSidLengthRequired
InitializeSid
GetSidSubAuthority
ChangeServiceConfigW
ChangeServiceConfig2W
RegEnumKeyExW
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
GetAclInformation
InitializeAcl
AddAce
CopySid
IsValidSid
GetLengthSid
DeleteService
CreateServiceW
SetServiceStatus
RegisterEventSourceW
ReportEventW
DeregisterEventSource
ControlService
OpenSCManagerW
OpenServiceW
CloseServiceHandle
StartServiceW
RegQueryInfoKeyW
RegSetValueExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyExW
RegOpenKeyExW
InitializeSecurityDescriptor
RegQueryValueExW

shell32

ord165
ShellExecuteExW
SHGetSpecialFolderPathW

ole32

CoInitializeSecurity
CoCreateInstance
CoResumeClassObjects
CoInitialize
CoAddRefServerProcess
CoReleaseServerProcess
CLSIDFromString
CoRevertToSelf
CoImpersonateClient
StringFromGUID2
CoInitializeEx
CoUninitialize
CoTaskMemFree
CoTaskMemAlloc
CoTaskMemRealloc
CoRevokeClassObject
CoRegisterClassObject
CoCreateGuid

oleaut32

VarUI4FromStr
SysFreeString
SysStringLen
RegisterTypeLi
SysAllocString
UnRegisterTypeLi
LoadTypeLi

shlwapi

PathRemoveFileSpecW
PathCanonicalizeW
PathStripPathW
PathFindFileNameW
PathAppendW
SHQueryValueExW
PathRemoveExtensionW

userenv

UnloadUserProfile
CreateEnvironmentBlock
DestroyEnvironmentBlock

wintrust

CryptCATAdminAcquireContext
CryptCATAdminReleaseContext
CryptCATAdminCalcHashFromFileHandle
CryptCATAdminEnumCatalogFromHash
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseCatalogContext
WinVerifyTrust

crypt32

CertCloseStore
CryptMsgClose
CryptMsgGetParam
CertFindCertificateInStore
CryptQueryObject
CertGetNameStringW

psapi

GetProcessMemoryInfo
EnumProcesses
EnumProcessModules
GetModuleFileNameExW

wtsapi32

WTSFreeMemory
WTSEnumerateSessionsW
WTSQuerySessionInformationW

winhttp

WinHttpQueryDataAvailable
WinHttpQueryAuthSchemes
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpSetCredentials
WinHttpAddRequestHeaders
WinHttpOpenRequest
WinHttpCrackUrl
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpOpen
WinHttpGetDefaultProxyConfiguration
WinHttpCloseHandle
WinHttpSetOption
WinHttpConnect
WinHttpReadData

netapi32

NetApiBufferFree
NetWkstaUserGetInfo

Sections

.text
Size: 357KB - Virtual size: 357KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 116KB - Virtual size: 115KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

87128074191c32d3a9c87b17c0f71fd0

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

07:53:1d:94:3d:db:11:4c:9c:db:80:39:51:08:28:3eCertificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49Certificate

Extended Key Usages

Key Usages

67:f0:a9:88:dd:8f:88:50:33:71:62:ec:cb:5e:5f:c9Certificate

Extended Key Usages

Key Usages

5f:d6:93:fa:b0:98:e3:f4:67:7b:b8:cb:67:2c:22:9eCertificate

Extended Key Usages

Key Usages

Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

2e:44:97:ca:79:ed:0d:8c:f7:bf:58:2a:49:79:94:a4:81:88:d9:75:6f:88:30:5c:80:4b:38:bf:98:af:da:0aSigner

a1:4b:e3:fc:fb:bc:65:60:f0:93:75:6d:7e:7e:4e:47:56:46:d6:4dSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

version

kernel32

user32

advapi32

shell32

ole32

oleaut32

shlwapi

userenv

wintrust

crypt32

psapi

wtsapi32

winhttp

netapi32

Sections

.text Size: 357KB - Virtual size: 357KB

.rdata Size: 116KB - Virtual size: 115KB

.data Size: 8KB - Virtual size: 18KB

.rsrc Size: 3KB - Virtual size: 2KB

.reloc Size: 24KB - Virtual size: 23KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

07:53:1d:94:3d:db:11:4c:9c:db:80:39:51:08:28:3e
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

19:1a:32:cb:75:9c:97:b8:cf:ac:11:8d:d5:12:7f:49
Certificate

67:f0:a9:88:dd:8f:88:50:33:71:62:ec:cb:5e:5f:c9
Certificate

5f:d6:93:fa:b0:98:e3:f4:67:7b:b8:cb:67:2c:22:9e
Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

2e:44:97:ca:79:ed:0d:8c:f7:bf:58:2a:49:79:94:a4:81:88:d9:75:6f:88:30:5c:80:4b:38:bf:98:af:da:0a
Signer

a1:4b:e3:fc:fb:bc:65:60:f0:93:75:6d:7e:7e:4e:47:56:46:d6:4d
Signer

.text
Size: 357KB - Virtual size: 357KB

.rdata
Size: 116KB - Virtual size: 115KB

.data
Size: 8KB - Virtual size: 18KB

.rsrc
Size: 3KB - Virtual size: 2KB

.reloc
Size: 24KB - Virtual size: 23KB