General

Malware Config

Signatures

Files

• ArainsToolser.zip

  .zip

  Password: infected

• DIFxAPI.bpl
• NvSmart.hlp
• NvSmart.x64.hlp
• arpReport.exe

  .exe windows:5 windows x86 arch:x86

  Password: infected

  9206bd4a402561582018ceda38bf9057

  
  

  Code Sign

  04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08

  Certificate

  Issuer

  CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

  Not Before

  22-10-2013 12:00

  Not After

  22-10-2028 12:00

  Subject

  CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  02:fd:d8:26:61:a7:0c:76:59:ca:e2:24:bb:57:92:45

  Certificate

  Issuer

  CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

  Not Before

  25-05-2021 00:00

  Not After

  21-08-2024 23:59

  Subject

  CN=TAOBAO (CHINA) SOFTWARE CO.\,LTD.,O=TAOBAO (CHINA) SOFTWARE CO.\,LTD.,L=杭州市,ST=浙江省,C=CN

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08

  Certificate

  Issuer

  CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

  Not Before

  22-10-2013 12:00

  Not After

  22-10-2028 12:00

  Subject

  CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  02:fd:d8:26:61:a7:0c:76:59:ca:e2:24:bb:57:92:45

  Certificate

  Issuer

  CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

  Not Before

  25-05-2021 00:00

  Not After

  21-08-2024 23:59

  Subject

  CN=TAOBAO (CHINA) SOFTWARE CO.\,LTD.,O=TAOBAO (CHINA) SOFTWARE CO.\,LTD.,L=杭州市,ST=浙江省,C=CN

  Extended Key Usages

  ExtKeyUsageCodeSigning

  Key Usages

  KeyUsageDigitalSignature

  0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a

  Certificate

  Issuer

  CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

  Not Before

  21-09-2022 00:00

  Not After

  21-11-2033 23:59

  Subject

  CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b

  Certificate

  Issuer

  CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

  Not Before

  23-03-2022 00:00

  Not After

  22-03-2037 23:59

  Subject

  CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

  Extended Key Usages

  ExtKeyUsageTimeStamping

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a

  Certificate

  Issuer

  CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

  Not Before

  01-08-2022 00:00

  Not After

  09-11-2031 23:59

  Subject

  CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  9c:d8:c5:af:8f:c5:36:06:18:6b:04:bb:50:07:ba:aa:6f:57:31:89:23:75:2c:80:aa:eb:b4:08:ff:bc:fa:60

  Signer

  Actual PE Digest

  9c:d8:c5:af:8f:c5:36:06:18:6b:04:bb:50:07:ba:aa:6f:57:31:89:23:75:2c:80:aa:eb:b4:08:ff:bc:fa:60

  Digest Algorithm

  sha256

  PE Digest Matches

  true

  2a:24:b6:ca:64:f0:f0:a8:36:05:e8:ee:a4:a6:f6:b7:a4:78:4b:fe

  Signer

  Actual PE Digest

  2a:24:b6:ca:64:f0:f0:a8:36:05:e8:ee:a4:a6:f6:b7:a4:78:4b:fe

  Digest Algorithm

  sha1

  PE Digest Matches

  true

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  PDB Paths

  D:\jenkins\workspace\ci.arphasdk.build\qtc_out\Release\arphaCrashReport.exe.pdb

  Imports

  arphadump

  SetWindowLocalDump

  GetArphaCrashReport

  GetArphaUtils

  shlwapi

  PathFileExistsW

  PathStripPathW

  PathRemoveFileSpecW

  kernel32

  HeapSize

  GetProcessHeap

  InitializeCriticalSectionAndSpinCount

  DeleteCriticalSection

  MultiByteToWideChar

  WideCharToMultiByte

  GetCommandLineW

  SetLastError

  EnterCriticalSection

  LeaveCriticalSection

  GetCurrentThreadId

  FindResourceExW

  FreeLibrary

  GetModuleFileNameW

  GetModuleHandleW

  HeapFree

  LoadLibraryExW

  LoadResource

  LockResource

  SizeofResource

  FindResourceW

  LocalFree

  lstrcmpiW

  GetPrivateProfileStringW

  CreateFileW

  GetFileAttributesExW

  GetFileSize

  ReadFile

  CloseHandle

  CreateProcessW

  HeapReAlloc

  HeapAlloc

  GetProcAddress

  HeapDestroy

  GetLastError

  RaiseException

  DecodePointer

  LCMapStringW

  GetConsoleCP

  GetConsoleMode

  FreeEnvironmentStringsW

  GetEnvironmentStringsW

  GetCommandLineA

  FlushFileBuffers

  SetFilePointerEx

  GetStringTypeW

  SetStdHandle

  GetCPInfo

  GetOEMCP

  GetACP

  IsValidCodePage

  FindNextFileW

  FindFirstFileExW

  FindClose

  GetFileType

  WriteFile

  GetStdHandle

  GetModuleHandleExW

  ExitProcess

  TlsFree

  TlsSetValue

  TlsGetValue

  TlsAlloc

  RtlUnwind

  GetSystemTimeAsFileTime

  GetCurrentProcessId

  QueryPerformanceCounter

  GetStartupInfoW

  TerminateProcess

  SetUnhandledExceptionFilter

  UnhandledExceptionFilter

  CreateEventW

  WaitForSingleObjectEx

  ResetEvent

  SetEvent

  LoadLibraryExA

  VirtualFree

  VirtualAlloc

  IsProcessorFeaturePresent

  FlushInstructionCache

  GetCurrentProcess

  InterlockedPushEntrySList

  InterlockedPopEntrySList

  InitializeSListHead

  EncodePointer

  OutputDebugStringW

  WriteConsoleW

  IsDebuggerPresent

  gdi32

  CreateFontW

  GetStockObject

  advapi32

  RegSetValueExW

  RegCreateKeyExW

  RegDeleteKeyW

  RegDeleteValueW

  RegQueryInfoKeyW

  RegOpenKeyExW

  RegEnumKeyExW

  RegCloseKey

  shell32

  ExtractIconExW

  ShellExecuteW

  CommandLineToArgvW

  ole32

  CoTaskMemFree

  CoUninitialize

  CoTaskMemAlloc

  CoInitialize

  CoCreateInstance

  CoTaskMemRealloc

  oleaut32

  VarUI4FromStr

  user32

  IsWindowVisible

  ShowWindow

  PostThreadMessageW

  PostMessageW

  GetMonitorInfoW

  MonitorFromWindow

  GetWindow

  GetParent

  GetWindowLongW

  MapWindowPoints

  GetWindowRect

  GetClientRect

  SetDlgItemTextW

  GetDlgItem

  EndDialog

  SetWindowPos

  SendMessageW

  SetWindowLongW

  CharNextW

  CreateDialogParamW

  DestroyWindow

  PeekMessageW

  DispatchMessageW

  TranslateMessage

  GetMessageW

  UnregisterClassW

  CheckDlgButton

  IsDlgButtonChecked

  GetActiveWindow

  SetTimer

  KillTimer

  GetWindowThreadProcessId

  LoadIconW

  IsDialogMessageW

  DialogBoxParamW

  EnableWindow

  SetWindowTextW

  UpdateWindow

  IsWindow

  comctl32

  InitCommonControlsEx

  Sections

  .text

  Size: 117KB - Virtual size: 117KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 37KB - Virtual size: 36KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 3KB - Virtual size: 6KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 11KB - Virtual size: 11KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 7KB - Virtual size: 6KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• arphadump.dll

  .dll windows:5 windows x86 arch:x86

  Password: infected

  1f932265b088694482b9ef6db31a2539

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_32BIT_MACHINE

  IMAGE_FILE_DLL

  PDB Paths

  C:\Users\luck\Desktop\FAST-AES\RoboformAES\Release\Roboform.pdb

  Imports

  kernel32

  WriteFile

  VirtualFree

  CloseHandle

  ReadFile

  VirtualAlloc

  GetFileSize

  CreateFileW

  SizeofResource

  LockResource

  LoadResource

  FindResourceW

  FindResourceExW

  CreateThread

  VirtualProtect

  lstrcpyW

  GetModuleFileNameW

  OutputDebugStringW

  GetModuleHandleA

  DisableThreadLibraryCalls

  RaiseException

  EnterCriticalSection

  LeaveCriticalSection

  GetLastError

  InitializeCriticalSectionAndSpinCount

  DeleteCriticalSection

  HeapDestroy

  HeapAlloc

  HeapFree

  HeapReAlloc

  HeapSize

  GetProcessHeap

  RtlUnwind

  GetCurrentThreadId

  DecodePointer

  GetCommandLineA

  EncodePointer

  TerminateProcess

  GetCurrentProcess

  UnhandledExceptionFilter

  SetUnhandledExceptionFilter

  IsDebuggerPresent

  TlsAlloc

  TlsGetValue

  TlsSetValue

  TlsFree

  InterlockedIncrement

  GetModuleHandleW

  SetLastError

  InterlockedDecrement

  GetProcAddress

  IsProcessorFeaturePresent

  Sleep

  ExitProcess

  SetHandleCount

  GetStdHandle

  GetFileType

  GetStartupInfoW

  GetModuleFileNameA

  FreeEnvironmentStringsW

  WideCharToMultiByte

  GetEnvironmentStringsW

  HeapCreate

  QueryPerformanceCounter

  GetTickCount

  GetCurrentProcessId

  GetSystemTimeAsFileTime

  GetCPInfo

  GetACP

  GetOEMCP

  IsValidCodePage

  LoadLibraryW

  LCMapStringW

  MultiByteToWideChar

  GetStringTypeW

  Exports

  Exports

  GetArphaApp

  GetArphaCrashDump

  GetArphaCrashReport

  GetArphaJamDump

  GetArphaService

  GetArphaUtils

  SetWindowLocalDump

  Sections

  .text

  Size: 31KB - Virtual size: 30KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 12KB - Virtual size: 11KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 4KB - Virtual size: 15KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rsrc

  Size: 7.1MB - Virtual size: 7.1MB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 22KB - Virtual size: 22KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ