fb4097cb18e4185f368046d4fd6c6a1158f317a53563dc5db11c50698f9ef35c

Sharing

Copy URL Twitter E-mail

General

Target

fb4097cb18e4185f368046d4fd6c6a1158f317a53563dc5db11c50698f9ef35c
Size

1.7MB
MD5

7e3adde5584713f2144ceb4d4fe6c3b7
SHA1

e9dfa74dffa3c5a4112a7ed1f0a840cf3969d7fa
SHA256

fb4097cb18e4185f368046d4fd6c6a1158f317a53563dc5db11c50698f9ef35c
SHA512

e303dbafa8c6fae8b6e4a2a3604fd92a763415bb68108c113da96922f067874dafcedd36a595c77215971ae957bd6adcc4cefbfee031daa9f5030ea4290caab3
SSDEEP

24576:ifF0HIQPSg7lVmlbBW8sRPEbyJlTaN8D1o:ifF65Sg7SFBURPcyJpaNIK

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
fb4097cb18e4185f368046d4fd6c6a1158f317a53563dc5db11c50698f9ef35c

Files

fb4097cb18e4185f368046d4fd6c6a1158f317a53563dc5db11c50698f9ef35c
.exe windows:6 windows x86 arch:x86

120cb0ff535b31a9f3f27b9e94c68802

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

ehRecvr.pdb

Imports

advapi32

CloseServiceHandle
OpenServiceW
OpenSCManagerW
ReportEventW
SetServiceStatus
RegDeleteValueW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
RegQueryInfoKeyW
LookupAccountNameW
AddAce
GetAce
GetAclInformation
AddAccessAllowedAce
InitializeAcl
GetLengthSid
IsValidSid
DeleteService
ControlService
RegisterEventSourceW
RegEnumKeyExW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
ChangeServiceConfig2W
CreateServiceW
DeregisterEventSource
RegisterServiceCtrlHandlerExW
RegDeleteKeyW
StartServiceCtrlDispatcherW
CreateWellKnownSid
RegGetValueW
RegEnumKeyW
RegEnumValueW
SetNamedSecurityInfoW
SetEntriesInAclW
GetNamedSecurityInfoW
FreeSid
CheckTokenMembership
AllocateAndInitializeSid
SetSecurityInfo
GetSecurityDescriptorDacl
ConvertStringSecurityDescriptorToSecurityDescriptorW
CopySid
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
GetTokenInformation
OpenProcessToken
LookupAccountSidW

kernel32

InterlockedDecrement
LoadLibraryW
GetProcAddress
GetModuleHandleW
lstrcmpiW
CloseHandle
SetEvent
MultiByteToWideChar
GetModuleFileNameW
Sleep
OutputDebugStringA
MoveFileExW
GetTempPathW
InterlockedIncrement
LeaveCriticalSection
ResetEvent
CreateEventW
SetPriorityClass
GetCurrentProcess
GetProfileIntW
FreeLibrary
SizeofResource
LoadResource
FindResourceW
LoadLibraryExW
GetCommandLineW
HeapSetInformation
GetTickCount
GetTickCount64
GetSystemTimeAsFileTime
GetCurrentThreadId
SleepEx
QueueUserAPC
GetCurrentThread
InterlockedExchange
DuplicateHandle
HeapReAlloc
LocalAlloc
LocalFree
GetCurrentProcessId
K32GetModuleBaseNameW
CreateWaitableTimerW
CreateThread
CreateDirectoryW
CancelWaitableTimer
SetWaitableTimer
GetExitCodeThread
WaitForSingleObject
OutputDebugStringW
WaitForMultipleObjects
OpenThread
FindClose
FindNextFileW
DeleteFileW
SetFileAttributesW
FindFirstFileW
GetFileAttributesW
ExitThread
WaitForMultipleObjectsEx
GetLocalTime
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
lstrlenA
SetThreadExecutionState
GetVersionExA
GetLastError
DeleteCriticalSection
InitializeCriticalSection
RaiseException
lstrlenW
HeapAlloc
GetProcessHeap
HeapFree
EnterCriticalSection
InterlockedCompareExchange
GetStartupInfoW
SetUnhandledExceptionFilter
GetModuleHandleA
QueryPerformanceCounter
TerminateProcess
UnhandledExceptionFilter
EncodeSystemPointer
DecodeSystemPointer

user32

TranslateMessage
SetTimer
PostThreadMessageW
KillTimer
RegisterDeviceNotificationW
MsgWaitForMultipleObjectsEx
DispatchMessageW
PeekMessageW
UnregisterDeviceNotification
CharNextW
LoadStringW
UnregisterClassA

msvcrt

_wfopen
_resetstkoflw
calloc
__dllonexit
wcscat_s
wcsncpy_s
wcscpy_s
memcpy_s
free
_unlock
_errno
realloc
_except_handler4_common
?terminate@@YAXXZ
__set_app_type
__p__fmode
__p__commode
_purecall
_amsg_exit
_initterm
_wcmdln
exit
_XcptFilter
_exit
_cexit
__wgetmainargs
_callnewh
_localtime64
wcsftime
wcstok_s
_time64
??0exception@@QAE@XZ
wcsstr
wcsncmp
_wcsnicmp
wcscspn
_lock
_onexit
??1type_info@@UAE@XZ
_controlfp
fputws
__setusermatherr
fflush
_itow_s
_CxxThrowException
??0exception@@QAE@ABV0@@Z
malloc
memcpy
memset
_ui64tow
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
??0exception@@QAE@ABQBD@Z
memmove_s
swprintf_s
_vsnwprintf
wcschr
iswalpha
_wcsicmp
floor
__CxxFrameHandler3
_ftol2_sse
fclose

ole32

CoInitialize
CoTaskMemAlloc
CoImpersonateClient
CoRevertToSelf
CLSIDFromString
CoFreeUnusedLibrariesEx
CoCreateGuid
StringFromCLSID
CoDisconnectObject
CoWaitForMultipleHandles
CoInitializeSecurity
StringFromGUID2
CoUninitialize
CoInitializeEx
CoSuspendClassObjects
CoTaskMemFree
CoRegisterClassObject
CoRevokeClassObject
CoCreateInstance
CoTaskMemRealloc

oleaut32

SysStringByteLen
SysStringLen
VariantInit
VariantClear
SysAllocStringLen
SysAllocString
LoadTypeLi
UnRegisterTypeLi
RegisterTypeLi
VarUI4FromStr
SafeArrayDestroy
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayGetElement
DispCallFunc
SafeArrayRedim
VarBstrCat
SysFreeString
SysAllocStringByteLen
VarBstrCmp
SafeArrayCreate

shlwapi

PathFileExistsW

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueA

ehtrace

ehTraceEvent
ehUnregisterTraceGUIDs
ehFreeEventBuffer
ehAllocateEventBuffer
ehRegisterTraceGUIDs

shell32

SHGetKnownFolderPath
SHCreateDirectoryExW

slc

SLGetWindowsInformationDWORD

Exports

Exports

_CETWProvider_Initialize@20
_CETWProvider_TraceCriticalCall@12
_CETWProvider_TraceEHomeEvent@56
_CETWProvider_TraceErrorEvent@16
_CETWProvider_TraceErrorLevel@24
_CETWProvider_TraceEventID@12
_CETWProvider_TraceInfo@12
_CETWProvider_TracePerfMarkerEnd@12
_CETWProvider_TracePerfMarkerStart@12
_CETWProvider_TraceTextLevel@20
_CETWProvider_TraceVideoSize@16
_CETWProvider_Uninitialize@4

Sections

.text
Size: 520KB - Virtual size: 520KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1.2MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

120cb0ff535b31a9f3f27b9e94c68802

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

user32

msvcrt

ole32

oleaut32

shlwapi

version

ehtrace

shell32

slc

Exports

Exports

Sections

.text Size: 520KB - Virtual size: 520KB

.data Size: 3KB - Virtual size: 3KB

.rsrc Size: 5KB - Virtual size: 4KB

.reloc Size: 1.2MB - Virtual size: 1.8MB

.text
Size: 520KB - Virtual size: 520KB

.data
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 5KB - Virtual size: 4KB

.reloc
Size: 1.2MB - Virtual size: 1.8MB