Xii3EhegArrwLRS2[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

Xii3EhegArrwLRS2.exe
Size

6.6MB
MD5

4d101b7037dd68152fb5048ba52e6645
SHA1

a9fecb7489627d55b993d1c3c01ccdcc5eef1762
SHA256

fd7f0eb6441590d4b7b20092c883342a41a6333dcdbf263195c40d4ec55c8384
SHA512

37336fd9ad00a97bbc7aec24241ebf8ae908864ef1d876f6de4ca2c1dd6b735266c40a2fdfd222a43d1f3a874af91e75a43d50fbf2b50145bd6945cbca5823f4
SSDEEP

98304:S+9fbYFsLmS9pgr+eWm5FJxtL3k1vp2S1JPPAS:S+LmS9pgrdWm5FJxtL3k1vp91JX

Score

3^/10

Malware Config

Signatures

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
sample	embeds_openssl

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Xii3EhegArrwLRS2.exe

Files

Xii3EhegArrwLRS2.exe
.exe windows:6 windows x64 arch:x64

66237ba5a57e5b2b356784bbb2ca01eb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

d3d11

D3D11CreateDeviceAndSwapChain

user32

GetWindowRect
ReleaseDC
SetCursorPos
ReleaseCapture
IsWindowUnicode
SetProcessDPIAware
GetClientRect
SetCursor
SetCapture
LoadCursorW
GetForegroundWindow
GetKeyboardLayout
TrackMouseEvent
ClientToScreen
GetCapture
OpenClipboard
SetWindowPos
GetDC
GetMessageExtraInfo
GetKeyState
UpdateWindow
PostQuitMessage
FindWindowW
TranslateMessage
SetLayeredWindowAttributes
PeekMessageW
DispatchMessageW
RegisterClassExW
UnregisterClassW
CreateWindowExW
DestroyWindow
DefWindowProcW
GetWindowThreadProcessId
CloseClipboard
MonitorFromWindow
ShowWindow
EmptyClipboard
GetClipboardData
SetClipboardData
IsIconic
MessageBoxW
GetCursorPos
GetProcessWindowStation
GetUserObjectInformationW
ScreenToClient

gdi32

GetDeviceCaps
CreateSolidBrush

urlmon

URLDownloadToFileA

kernel32

GlobalLock
WideCharToMultiByte
GlobalUnlock
GetModuleHandleA
GetLocaleInfoA
LoadLibraryA
QueryPerformanceFrequency
GetProcAddress
VerSetConditionMask
FreeLibrary
QueryPerformanceCounter
WriteProcessMemory
SetWaitableTimer
SetLastError
EnterCriticalSection
CreateWaitableTimerW
WaitForMultipleObjects
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
GetQueuedCompletionStatus
InitializeCriticalSectionEx
WaitForSingleObject
OpenProcess
PostQueuedCompletionStatus
CreateEventW
Sleep
FormatMessageW
GlobalFree
SetEvent
TerminateThread
CloseHandle
QueueUserAPC
DecodePointer
VirtualAllocEx
LocalFree
DeleteCriticalSection
GetModuleHandleW
SleepEx
CreateRemoteThread
GetSystemTimeAsFileTime
FormatMessageA
CreateIoCompletionPort
InitializeSListHead
GetStartupInfoW
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlLookupFunctionEntry
RtlCaptureContext
GetCPInfo
CompareStringEx
GetModuleFileNameW
SleepConditionVariableSRW
WakeAllConditionVariable
LCMapStringEx
GlobalAlloc
MultiByteToWideChar
OutputDebugStringW
RtlUnwindEx
GetLastError
EncodePointer
TryAcquireSRWLockExclusive
GetLocaleInfoEx
RaiseException
RtlPcToFileHeader
GetFileSizeEx
VerifyVersionInfoW
PeekNamedPipe
ReadFile
GetEnvironmentVariableA
WaitForSingleObjectEx
GetSystemDirectoryW
GetTickCount
FindNextFileW
FindFirstFileW
FindClose
ReadConsoleW
ReadConsoleA
SetConsoleMode
GetConsoleMode
LoadLibraryW
SystemTimeToFileTime
GetSystemTime
RtlVirtualUnwind
ConvertThreadToFiberEx
ConvertFiberToThread
GetCurrentProcessId
GetACP
CreateSemaphoreA
GetExitCodeThread
ReleaseSemaphore
InitializeCriticalSection
CreateFiberEx
DeleteFiber
WriteConsoleW
CreateThread
ExitThread
FreeLibraryAndExitThread
SetConsoleCtrlHandler
ExitProcess
GetDriveTypeW
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetConsoleOutputCP
HeapAlloc
HeapFree
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
RtlUnwind
LoadLibraryExW
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
HeapReAlloc
HeapSize
GetTimeZoneInformation
SetStdHandle
FindFirstFileExW
IsValidCodePage
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetProcessHeap
GetStringTypeW
SwitchToFiber
WriteFile
GetFileType
GetEnvironmentVariableW
GetCurrentDirectoryW
CreateDirectoryW
CreateFileW
DeleteFileW
FlushFileBuffers
GetFileAttributesW
GetFileInformationByHandle
GetFullPathNameW
RemoveDirectoryW
SetEndOfFile
SetFileAttributesW
SetFilePointerEx
DeviceIoControl
GetWindowsDirectoryW
CreateDirectoryExW
MoveFileExW
AreFileApisANSI
GetModuleHandleExW
InitializeSRWLock
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
VirtualFree
GetSystemDirectoryA
GetStdHandle

shell32

ShellExecuteW

ole32

CoInitializeEx
CoUninitialize
CoCreateInstance
CoSetProxyBlanket

oleaut32

VariantInit
SysFreeString
SysAllocStringByteLen
VariantCopy
SysStringLen
VariantChangeType
VariantClear
SysAllocString

imm32

ImmReleaseContext
ImmSetCompositionWindow
ImmSetCandidateWindow
ImmGetContext

d3dcompiler_47

D3DCompile

ws2_32

WSACreateEvent
WSACloseEvent
sendto
WSAGetLastError
setsockopt
ioctlsocket
freeaddrinfo
gethostname
inet_ntop
inet_pton
WSAWaitForMultipleEvents
htons
htonl
getsockopt
WSAResetEvent
WSAEventSelect
closesocket
WSARecv
WSAAddressToStringW
connect
ntohs
getsockname
getpeername
WSAStartup
getaddrinfo
WSASocketW
WSASetLastError
listen
ntohl
select
WSASend
recvfrom
WSAIoctl
bind
accept
__WSAFDIsSet
WSACleanup
gethostbyname
inet_addr
inet_ntoa
gethostbyaddr
getservbyport
getservbyname
recv
send
socket
shutdown
WSAEnumNetworkEvents

bcrypt

BCryptGenRandom

crypt32

CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringW
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryW
CertOpenSystemStoreW
CertGetCertificateContextProperty
CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore
CertFreeCertificateChain

advapi32

CryptGetUserKey
CryptEncrypt
CryptImportKey
CryptHashData
CryptGetHashParam
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptAcquireContextA
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
CryptEnumProvidersA
CryptGenRandom
CryptReleaseContext

Sections

.text
Size: 4.9MB - Virtual size: 4.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 64KB - Virtual size: 83KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 200KB - Virtual size: 199KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 49KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

66237ba5a57e5b2b356784bbb2ca01eb

Headers

DLL Characteristics

File Characteristics

Imports

d3d11

user32

gdi32

urlmon

kernel32

shell32

ole32

oleaut32

imm32

d3dcompiler_47

ws2_32

bcrypt

crypt32

advapi32

Sections

.text Size: 4.9MB - Virtual size: 4.9MB

.rdata Size: 1.3MB - Virtual size: 1.3MB

.data Size: 64KB - Virtual size: 83KB

.pdata Size: 200KB - Virtual size: 199KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 49KB - Virtual size: 49KB

.text
Size: 4.9MB - Virtual size: 4.9MB

.rdata
Size: 1.3MB - Virtual size: 1.3MB

.data
Size: 64KB - Virtual size: 83KB

.pdata
Size: 200KB - Virtual size: 199KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 49KB - Virtual size: 49KB