c08b2e17861a8bf96427a43f74252070N

Sharing

Copy URL Twitter E-mail

General

Target

c08b2e17861a8bf96427a43f74252070N
Size

662KB
MD5

c08b2e17861a8bf96427a43f74252070
SHA1

2b2c8747f20a63c62f9f6f2a15177f4c66722766
SHA256

f96a00ae92e9c627e42a3f0dd1a9217bf32cb17448b373e71f28a45e224e42f0
SHA512

b71ec8c2e082e902c8ca7a3a89595c1b93e098b2388851ff2cfb666e7c0b17807eb5b29216e734bd8e1b49b14ed43439dc73db851af792e453433b6cfb9e4f37
SSDEEP

12288:MdbchCQsGlAf0T62L7iLy59CdV4JGBW3o/:MwLlUtFr4JGBuo

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
c08b2e17861a8bf96427a43f74252070N

Files

c08b2e17861a8bf96427a43f74252070N
.exe windows:10 windows x64 arch:x64

0d374e6d38de2e175118fe0ac979574b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

winlogon.pdb

Imports

msvcrt

memcpy
_wcsicmp
_callnewh
_cexit
_XcptFilter
wcstok
iswspace
wcspbrk
memcmp
wcsrchr
memset
_ismbblead
?terminate@@YAXXZ
_onexit
__dllonexit
_unlock
_vsnwprintf
__setusermatherr
_amsg_exit
free
_exit
wcsstr
_initterm
malloc
exit
wcscpy_s
__set_app_type
wcschr
_lock
_commode
_acmdln
_fmode
__CxxFrameHandler3
_tolower
_wtoi
_wcsnicmp
_ultow
__C_specific_handler
memmove_s
_purecall
memcpy_s
memmove
__getmainargs
wcscmp

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
LoadStringW
GetProcAddress
GetModuleFileNameW
GetModuleHandleW
FindResourceExW
LoadLibraryExW
FreeLibrary
LoadResource
LockResource
GetModuleFileNameA

api-ms-win-core-synch-l1-2-0

InitOnceComplete
Sleep
InitOnceBeginInitialize
InitOnceExecuteOnce

api-ms-win-core-synch-l1-1-0

OpenEventW
AcquireSRWLockExclusive
InitializeCriticalSection
OpenSemaphoreW
CreateMutexW
CreateSemaphoreExW
TryEnterCriticalSection
ReleaseSRWLockExclusive
InitializeCriticalSectionEx
ReleaseSRWLockShared
EnterCriticalSection
WaitForSingleObjectEx
ReleaseSemaphore
CreateMutexExW
AcquireSRWLockShared
ResetEvent
ReleaseMutex
CreateEventW
DeleteCriticalSection
SetEvent
SleepEx
LeaveCriticalSection
WaitForSingleObject

api-ms-win-core-heap-l1-1-0

HeapAlloc
GetProcessHeap
HeapFree
HeapSize
HeapSetInformation

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetUnhandledExceptionFilter
RaiseException
SetErrorMode
UnhandledExceptionFilter
SetLastError

api-ms-win-core-threadpool-l1-2-0

TrySubmitThreadpoolCallback
CreateThreadpoolTimer
SetThreadpoolTimer
CloseThreadpoolCleanupGroup
CloseThreadpoolCleanupGroupMembers
CloseThreadpoolTimer
CloseThreadpool
WaitForThreadpoolTimerCallbacks
CreateThreadpoolCleanupGroup
CloseThreadpoolWork
SubmitThreadpoolWork
CreateThreadpoolWork
CreateThreadpool
SetThreadpoolThreadMaximum
SetThreadpoolThreadMinimum

api-ms-win-core-processthreads-l1-1-0

GetCurrentThread
GetCurrentProcessId
CreateProcessAsUserW
GetCurrentThreadId
OpenProcessToken
SetPriorityClass
SetThreadPriority
DeleteProcThreadAttributeList
ResumeThread
TerminateProcess
UpdateProcThreadAttribute
CreateProcessW
CreateThread
InitializeProcThreadAttributeList
GetProcessId
GetCurrentProcess
SetThreadToken
GetExitCodeProcess
GetStartupInfoW
CreateRemoteThread

api-ms-win-core-localization-l1-2-0

GetThreadUILanguage
FormatMessageW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
IsDebuggerPresent
DebugBreak

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-registry-l1-1-0

RegGetValueW
RegCloseKey
RegGetValueA
RegDeleteKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegDeleteValueW
RegFlushKey
RegEnumKeyExW
RegNotifyChangeKeyValue
RegDeleteTreeW
RegEnumValueW
RegSetKeySecurity
RegQueryInfoKeyW
RegQueryValueExW
RegSetValueExW

api-ms-win-core-processthreads-l1-1-1

OpenProcess
GetProcessMitigationPolicy

api-ms-win-eventing-controller-l1-1-0

StartTraceW
ControlTraceW
EnableTraceEx2

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree
LocalReAlloc

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-memory-l1-1-0

VirtualFree
VirtualAlloc

api-ms-win-core-memory-l1-1-1

VirtualUnlock
SetProcessWorkingSetSizeEx
VirtualLock
GetProcessWorkingSetSizeEx

api-ms-win-core-processenvironment-l1-1-0

SearchPathW
SetEnvironmentVariableW
GetCommandLineW
ExpandEnvironmentStringsW

api-ms-win-core-sysinfo-l1-1-0

GetSystemWindowsDirectoryW
GetLocalTime
GetVersionExW
GetSystemTimeAsFileTime
GetTickCount
GetTickCount64

api-ms-win-security-base-l1-1-0

FreeSid
IsValidSid
EqualSid
CheckTokenMembership
DuplicateTokenEx
GetSecurityDescriptorDacl
DuplicateToken
GetTokenInformation
GetSidIdentifierAuthority
AllocateAndInitializeSid
SetTokenInformation
AdjustTokenPrivileges
RevertToSelf
CreateWellKnownSid
ImpersonateLoggedOnUser
GetLengthSid
AllocateLocallyUniqueId
CreateRestrictedToken

rpcrt4

RpcMgmtIsServerListening
Ndr64AsyncClientCall
RpcAsyncInitializeHandle
RpcBindingSetAuthInfoExW
RpcStringFreeW
RpcBindingFromStringBindingW
RpcAsyncCancelCall
RpcServerUnsubscribeForNotification
RpcServerInqCallAttributesW
RpcServerTestCancel
RpcServerUseProtseqEpW
NdrServerCall2
Ndr64AsyncServerCallAll
NdrServerCallAll
NdrAsyncServerCall
RpcRaiseException
RpcServerInqBindings
RpcEpRegisterW
RpcEpUnregister
RpcServerListen
RpcServerRegisterIfEx
RpcServerUnregisterIf
RpcServerUseProtseqW
I_RpcBindingIsClientLocal
RpcBindingVectorFree
RpcStringBindingComposeW
RpcServerSubscribeForNotification
NdrClientCall3
RpcBindingUnbind
RpcBindingFree
I_RpcExceptionFilter
RpcBindingBind
UuidFromStringW
RpcBindingCreateW
RpcRevertToSelf
RpcImpersonateClient
I_RpcBindingInqLocalClientPID
RpcAsyncAbortCall
I_RpcMapWin32Status
RpcAsyncCompleteCall

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
CompareStringOrdinal
CompareStringW

api-ms-win-core-com-l1-1-0

CoUninitialize
CoInitializeEx
CoTaskMemAlloc
CoTaskMemFree

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo

api-ms-win-power-base-l1-1-0

PowerDeterminePlatformRoleEx

api-ms-win-core-file-l1-1-0

CompareFileTime
GetFileAttributesW
GetShortPathNameW
CreateFileW

api-ms-win-core-timezone-l1-1-0

SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime

api-ms-win-core-datetime-l1-1-0

GetTimeFormatW
GetDateFormatW

api-ms-win-power-setting-l1-1-0

PowerSettingUnregisterNotification
PowerSettingRegisterNotification

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-shutdown-l1-1-1

InitiateShutdownW

api-ms-win-service-management-l1-1-0

CloseServiceHandle
OpenServiceW
OpenSCManagerW
StartServiceW

api-ms-win-service-management-l2-1-0

QueryServiceConfigW
NotifyServiceStatusChangeW
QueryServiceStatusEx

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCompareMemory

api-ms-win-eventing-classicprovider-l1-1-0

RegisterTraceGuidsW
UnregisterTraceGuids
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle

api-ms-win-security-credentials-l1-1-0

CredFree
CredUnmarshalCredentialW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountSidW
LookupAccountNameW

api-ms-win-core-version-l1-1-0

VerQueryValueW
GetFileVersionInfoExW
GetFileVersionInfoSizeExW

api-ms-win-service-winsvc-l1-1-0

QueryServiceStatus

api-ms-win-core-job-l2-1-0

QueryInformationJobObject
TerminateJobObject
SetInformationJobObject
AssignProcessToJobObject
CreateJobObjectW

api-ms-win-security-lsapolicy-l1-1-0

LsaOpenPolicy
LsaClose
LsaStorePrivateData

api-ms-win-core-appcompat-l1-1-0

BaseInitAppcompatCacheSupport

api-ms-win-security-credentials-l2-1-0

CredReadByTokenHandle

api-ms-win-base-bootconfig-l1-1-0

NotifyBootConfigStatus

api-ms-win-eventlog-legacy-l1-1-0

RegisterEventSourceW
DeregisterEventSource
GetEventLogInformation
ReportEventW

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx
CreateTimerQueueTimer
QueueUserWorkItem
DeleteTimerQueueTimer

api-ms-win-core-kernel32-legacy-l1-1-0

UnregisterWait
GetComputerNameW
RegisterWaitForSingleObject

api-ms-win-core-registry-l2-1-0

RegCreateKeyW
RegOpenKeyW

api-ms-win-core-heap-obsolete-l1-1-0

LocalSize

api-ms-win-core-string-obsolete-l1-1-0

lstrlenW

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

kernelbase

CreateProcessInternalW
AppContainerDeriveSidFromMoniker

ntdll

NtQueryInformationProcess
RtlInitializeResource
RtlAcquireResourceExclusive
RtlUnhandledExceptionFilter
RtlDeleteResource
NtGetCachedSigningLevel
WinSqmSetString
NtOpenEvent
NtSetEvent
RtlGetCurrentServiceSessionId
NtDeleteWnfStateName
NtCreateWnfStateName
RtlReleaseResource
RtlQueryResourcePolicy
__isascii
isupper
_vsnprintf
NtAdjustPrivilegesToken
RtlGetDaclSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlAddAce
NtCreateEvent
WinSqmIsOptedIn
WinSqmEndSession
WinSqmStartSession
RtlGetNtProductType
RtlSetSystemBootStatus
RtlRemovePrivileges
RtlpVerifyAndCommitUILanguageSettings
NtSetInformationProcess
EtwUnregisterTraceGuids
EtwRegisterTraceGuidsW
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
NtShutdownSystem
RtlCompareUnicodeString
RtlCreateEnvironment
TpReleaseTimer
TpWaitForTimer
TpAllocTimer
TpSetTimer
NtOpenThreadToken
NtOpenFile
RtlAppendUnicodeToString
NtOpenDirectoryObject
RtlFreeSid
NtSetSecurityObject
RtlSetSaclSecurityDescriptor
RtlAddMandatoryAce
RtlCreateAcl
RtlCreateSecurityDescriptor
RtlAllocateAndInitializeSid
RtlDestroyEnvironment
RtlCopySid
RtlNtStatusToDosErrorNoTeb
RtlSetEnvironmentVariable
RtlQueryEnvironmentVariable_U
RtlExpandEnvironmentStrings_U
RtlInitUnicodeStringEx
RtlGetAce
NtSetIRTimer
NtCreateIRTimer
NtSetInformationToken
NtCreateToken
RtlSubscribeWnfStateChangeNotification
RtlQueryWnfStateData
TpAllocWait
WinSqmSetDWORD
TpPostWork
TpAllocWork
RtlUnsubscribeWnfNotificationWaitForCompletion
TpReleaseWork
TpWaitForWork
TpReleaseWait
TpWaitForWait
TpSetWait
NtFilterToken
NtInitiatePowerAction
RtlAdjustPrivilege
RtlPublishWnfStateData
RtlLengthSid
EtwEventWriteStartScenario
EtwEventWriteEndScenario
RtlInitUnicodeString
NtAllocateLocallyUniqueId
RtlDeregisterWait
RtlRegisterWait
RtlTimeToSecondsSince1980
WinSqmAddToStream
TpSimpleTryPost
RtlEqualSid
EtwEventEnabled
EtwEventWrite
RtlCopyLuid
NtPowerInformation
EtwEventActivityIdControl
RtlGetActiveConsoleId
RtlInitString
NtQuerySystemInformation
NtSystemDebugControl
NtQueryInformationToken
NtOpenProcessToken
RtlLeaveCriticalSection
RtlEnterCriticalSection
RtlInitializeCriticalSection
RtlDeleteCriticalSection
RtlFreeUnicodeString
RtlNtStatusToDosError
RtlDuplicateUnicodeString
NtClose
RtlOpenCurrentUser
EtwTraceMessage
EtwEventRegister
EtwEventUnregister
RtlGetDeviceFamilyInfoEnum
EtwEventWriteTransfer
EtwEventSetInformation
NtDuplicateToken

api-ms-win-core-winrt-string-l1-1-0

WindowsDeleteString
WindowsGetStringRawBuffer
WindowsCreateStringReference

api-ms-win-core-winrt-l1-1-0

RoActivateInstance

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Sections

.text
Size: 431KB - Virtual size: 430KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 123KB - Virtual size: 123KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 17KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 67KB - Virtual size: 66KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0d374e6d38de2e175118fe0ac979574b

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-eventing-controller-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-memory-l1-1-1

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-security-base-l1-1-0

rpcrt4

api-ms-win-core-string-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-power-base-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-power-setting-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-shutdown-l1-1-1

api-ms-win-service-management-l1-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-security-credentials-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-core-job-l2-1-0

api-ms-win-security-lsapolicy-l1-1-0

api-ms-win-core-appcompat-l1-1-0

api-ms-win-security-credentials-l2-1-0

api-ms-win-base-bootconfig-l1-1-0

api-ms-win-eventlog-legacy-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-stateseparation-helpers-l1-1-0

kernelbase

ntdll

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-apiquery-l1-1-0

Sections

.text Size: 431KB - Virtual size: 430KB

.rdata Size: 123KB - Virtual size: 123KB

.data Size: 17KB - Virtual size: 23KB

.pdata Size: 18KB - Virtual size: 17KB

.didat Size: 1KB - Virtual size: 1KB

.rsrc Size: 67KB - Virtual size: 66KB

.reloc Size: 3KB - Virtual size: 3KB

.text
Size: 431KB - Virtual size: 430KB

.rdata
Size: 123KB - Virtual size: 123KB

.data
Size: 17KB - Virtual size: 23KB

.pdata
Size: 18KB - Virtual size: 17KB

.didat
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 67KB - Virtual size: 66KB

.reloc
Size: 3KB - Virtual size: 3KB