fb662eea8e09f819738d7d07a8b72b876d0b58f6cd44ec56140c005ad4a026efN

Sharing

Copy URL

Twitter E-mail

General

Target

fb662eea8e09f819738d7d07a8b72b876d0b58f6cd44ec56140c005ad4a026efN
Size

9.7MB
MD5

2b824c0142540e5ee27ee33b97bdb2a0
SHA1

6fa9dbc115845ee0efbb7d65b8dc97a4d97b7872
SHA256

fb662eea8e09f819738d7d07a8b72b876d0b58f6cd44ec56140c005ad4a026ef
SHA512

d88a0483c345296221cb1b79b4f9ea60682d69932839067a0e5a9adf0c0e2c5bb6423805144a82063171715e2a21d442f4baf9dc8591ad2a199d1192da5eaa1d
SSDEEP

196608:+LqYqUBMGjACEq5wqY0QbSsTq0fzPfS7gJ0qLwoOELx5M00:iq+MnCJwqETry8M6rB0

Score

1^/10

Malware Config

Signatures

Files

fb662eea8e09f819738d7d07a8b72b876d0b58f6cd44ec56140c005ad4a026efN
.exe windows:6 windows x86 arch:x86

e0d7a46fde432212611c74366be1f95f

Code Sign

33:00:00:00:71:b3:2e:8a:6b:82:aa:1f:4e:00:00:00:00:00:71
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

20-03-2015 17:32

Not After

20-06-2016 17:32

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:B8EC-30A4-7144,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04-06-2015 17:42

Not After

04-09-2016 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31-08-2010 22:19

Not After

31-08-2020 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03-04-2007 12:53

Not After

03-04-2021 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e4:ee:e9:2a:da:ba:5f:fe:25:bb:64:12:7f:b6:56:d3:35:90:df:0b
Signer

Actual PE Digest

e4:ee:e9:2a:da:ba:5f:fe:25:bb:64:12:7f:b6:56:d3:35:90:df:0b

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

P:\Target\x86\ship\groove\x-none\groove.pdb

Imports

vcruntime140

__std_terminate
memcmp
memset
_CxxThrowException
memmove
memcpy
__CxxFrameHandler3
wcsrchr
wcsstr
__telemetry_main_invoke_trigger
__telemetry_main_return_trigger
__vcrt_InitializeCriticalSectionEx
_except_handler4_common
wcschr

msvcp140

?_Xbad_function_call@std@@YAXXZ
?_Xlength_error@std@@YAXPBD@Z
?_Xbad_alloc@std@@YAXXZ

api-ms-win-crt-runtime-l1-1-0

_initterm
_get_wide_winmain_command_line
_initialize_wide_environment
_configure_wide_argv
_initterm_e
_set_app_type
_seh_filter_exe
_resetstkoflw
_invalid_parameter_noinfo_noreturn
_initialize_onexit_table
_register_onexit_function
_exit
_crt_atexit
_invalid_parameter_noinfo
_cexit
_controlfp_s
_beginthread
_c_exit
_register_thread_local_exe_atexit_callback
_set_invalid_parameter_handler
_beginthreadex
_get_errno
_errno
terminate
exit
_set_errno
_endthreadex

api-ms-win-crt-string-l1-1-0

wcsncat_s
wcstok_s
wcsncpy_s
wcscat_s
wcscpy_s
_wcsrev
strncpy_s
isprint
_wcsnicmp
_wcsicmp
wcspbrk
towlower
wcsncmp

api-ms-win-crt-heap-l1-1-0

malloc
calloc
_recalloc
_set_new_mode
free
realloc

api-ms-win-crt-time-l1-1-0

_localtime64_s
_ftime64_s

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsnwprintf_s
_wsopen_s
_close
_lseek
_read
_write
__stdio_common_vfwprintf_s
_set_fmode
__p__commode
__acrt_iob_func
__stdio_common_vfwprintf
__stdio_common_vswprintf_s
__stdio_common_vsnprintf_s
__stdio_common_vsprintf_s
__stdio_common_vswscanf

api-ms-win-crt-convert-l1-1-0

_wtoi
_ultow_s
_wcstoui64
_ui64tow_s
wcstoul
_ltow_s
wcstod
wcstol
_wtof

api-ms-win-crt-locale-l1-1-0

__initialize_lconv_for_unsigned_char
localeconv
_configthreadlocale

api-ms-win-crt-utility-l1-1-0

div
qsort

api-ms-win-crt-math-l1-1-0

_except1
_libm_sse2_sqrt_precise
floor
__setusermatherr

api-ms-win-crt-filesystem-l1-1-0

_wfullpath
_wsplitpath_s
_wremove

advapi32

RegEnumValueW
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExW
RegQueryInfoKeyW
OpenProcessToken
GetTokenInformation
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyW
RegEnumKeyExW
RegQueryValueExW
RegSetValueExW
CryptAcquireContextA
RegGetValueW
RegOpenKeyExA
CryptReleaseContext
CryptGetHashParam
CryptCreateHash
CryptHashData
CryptDestroyHash
CloseServiceHandle
OpenSCManagerW
OpenServiceW
QueryServiceConfigW
StartTraceW
ControlTraceW
EnableTraceEx2
GetLengthSid
IsValidSid
ConvertSidToStringSidW
LsaClose
LsaOpenPolicy
LsaQueryInformationPolicy
RegOverridePredefKey
EventRegister
EventUnregister
DeregisterEventSource
RegisterEventSourceW
ReportEventW
EventWrite

cabinet

ord13
ord21
ord14
ord22
ord11
ord10
ord23
ord20

gdi32

DeleteDC
CreateCompatibleBitmap
CreateCompatibleDC
CreateRectRgn
DeleteObject
EnumFontFamiliesExW
GetClipBox
GetClipRgn
GetDeviceCaps
TranslateCharsetInfo
SelectObject
SetLayout
GetLayout
LPtoDP
SetViewportOrgEx
CreateFontIndirectW
GetStockObject
SetBkMode
SetTextColor
GetTextMetricsW
GetObjectW
SetBkColor
CreateSolidBrush
GdiGradientFill
CopyMetaFileW
CreateFontW
GetCurrentObject
RestoreDC
SaveDC
StretchBlt
CreateDIBSection
SetDIBColorTable
ExtTextOutW
CreateBitmap
CreatePatternBrush
GetTextColor
IntersectClipRect
SetBrushOrgEx
CreateDIBitmap
SetPixel
SelectClipRgn
BitBlt

gdiplus

GdipAlloc
GdipCloneImage
GdiplusShutdown
GdipDisposeImage
GdiplusStartup
GdipFree
GdipGetImageWidth
GdipGetImageHeight
GdipGetImagePixelFormat
GdipGetImagePalette
GdipGetImagePaletteSize
GdipCreateBitmapFromStream
GdipCreateBitmapFromScan0
GdipBitmapLockBits
GdipBitmapUnlockBits
GdipDeleteGraphics
GdipDrawImageI
GdipGetImageGraphicsContext

imm32

ImmGetOpenStatus
ImmReleaseContext
ImmGetContext
ImmNotifyIME

kernel32

GetDiskFreeSpaceExW
ReadDirectoryChangesW
WritePrivateProfileStringW
CancelThreadpoolIo
StartThreadpoolIo
SubmitThreadpoolWork
DisassociateCurrentThreadFromCallback
DeviceIoControl
GetVolumeNameForVolumeMountPointW
GetVolumeInformationW
GetDriveTypeW
LocalFileTimeToFileTime
SetFileTime
ReleaseSemaphore
CreateFileMappingW
MapViewOfFile
FlushViewOfFile
UnmapViewOfFile
LockResource
GlobalMemoryStatus
OpenFileMappingW
GetSystemTimeAsFileTime
GetFileTime
FileTimeToDosDateTime
GlobalAlloc
GlobalHandle
GlobalFree
lstrcmpW
RegisterApplicationRestart
GetCurrentThread
GlobalSize
EncodePointer
AddAtomW
HeapSetInformation
VirtualProtect
WerRegisterMemoryBlock
WaitForSingleObjectEx
UnhandledExceptionFilter
IsProcessorFeaturePresent
InitializeSListHead
GetStartupInfoW
InterlockedPopEntrySList
InterlockedPushEntrySList
VirtualAlloc
VirtualFree
LoadLibraryExA
GetFileInformationByHandle
GetFinalPathNameByHandleW
GetLongPathNameW
ReadFile
SetEndOfFile
SetFilePointer
WriteFile
GetTempPathW
DebugBreak
OutputDebugStringW
QueryPerformanceCounter
QueryPerformanceFrequency
InitializeCriticalSection
TryEnterCriticalSection
ReleaseMutex
WaitForSingleObject
CreateMutexW
WaitForMultipleObjects
CreateSemaphoreW
GetFileSizeEx
TlsGetValue
TlsSetValue
TlsFree
CreateProcessW
OpenProcess
GlobalMemoryStatusEx
GetSystemTime
GetVersionExA
GetVersionExW
CreateThreadpoolWork
GetCurrentProcessId
CloseThreadpoolWork
CreateThreadpoolTimer
SetThreadpoolTimer
CloseThreadpoolTimer
CreateThreadpoolIo
CloseThreadpoolIo
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
IsWow64Process
LoadResource
SizeofResource
FindResourceW
GlobalLock
GlobalUnlock
MulDiv
lstrlenA
MoveFileW
FlsAlloc
MoveFileExW
VerifyVersionInfoW
SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
FlsFree
GetModuleHandleExW
FormatMessageA
FileTimeToSystemTime
GetDateFormatW
lstrlenW
LoadLibraryA
ExitProcess
SetUnhandledExceptionFilter
K32GetProcessImageFileNameW
K32EnumProcesses
EnumSystemLocalesW
ConvertDefaultLocale
GetCurrencyFormatW
GetNumberFormatW
GetLocaleInfoW
GetStringTypeW
GetTimeFormatW
OpenFileById
GetFileInformationByHandleEx
GetTimeZoneInformation
GetLocalTime
GetCurrentDirectoryW
CompareFileTime
TlsAlloc
FileTimeToLocalFileTime
OutputDebugStringA
DecodePointer
RaiseException
GetLastError
SetLastError
HeapAlloc
HeapFree
GetProcessHeap
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetProcAddress
LoadLibraryW
IsDebuggerPresent
InitializeCriticalSectionAndSpinCount
GetCurrentThreadId
GetTickCount
CreateDirectoryW
DeleteFileW
RemoveDirectoryW
lstrcmpiW
GetTempFileNameW
Beep
WideCharToMultiByte
GetCommandLineW
GetFileAttributesExW
CloseHandle
SetEvent
ResetEvent
CreateEventW
OpenEventW
Sleep
LocalFree
GetCurrentProcess
TerminateProcess
FindClose
FindCloseChangeNotification
FindFirstChangeNotificationW
FindFirstFileW
FindNextChangeNotification
FindNextFileW
CreateFileW
GetFileAttributesW
GetFileSize
GetShortPathNameW
SetFileAttributesW
GetVersion
GetSystemInfo
GetSystemDirectoryW
GetWindowsDirectoryW
FormatMessageW
CopyFileW
FlushInstructionCache
VirtualQuery
FreeLibrary
SetDllDirectoryW
FindAtomW
SetProcessDEPPolicy
LoadLibraryExW
CompareStringW
MultiByteToWideChar
LCMapStringW
GetUserDefaultLCID
VerSetConditionMask
FindFirstFileExW
FlushFileBuffers
SystemTimeToFileTime

msimg32

AlphaBlend
GradientFill

ole32

CoCreateInstance
CoInitializeSecurity
ReleaseStgMedium
OleDuplicateData
DoDragDrop
WriteClassStg
StgCreateDocfile
OleSetClipboard
CoGetClassObject
CreateStreamOnHGlobal
OleGetClipboard
CreateILockBytesOnHGlobal
StgCreateDocfileOnILockBytes
ProgIDFromCLSID
CoCreateGuid
CoSetProxyBlanket
StgOpenStorageOnILockBytes
PropVariantClear
CreateBindCtx
IsAccelerator
RevokeDragDrop
RegisterDragDrop
OleUninitialize
OleInitialize
CoTaskMemAlloc
StringFromGUID2
StringFromCLSID
CoCreateFreeThreadedMarshaler
CoDisconnectObject
CoRevokeClassObject
CoRegisterClassObject
CoInitializeEx
CoUninitialize
CLSIDFromString
CoTaskMemFree
IIDFromString
StringFromIID
CLSIDFromProgID
OleLockRunning

oleaut32

LoadRegTypeLi
VariantChangeType
SysAllocStringLen
SysReAllocStringLen
SafeArrayCreate
SafeArrayCopyData
SafeArrayDestroy
SafeArrayGetDim
SafeArrayGetElemsize
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayGetElement
LoadTypeLi
SafeArrayCopy
SafeArrayPtrOfIndex
SafeArrayGetVartype
SafeArrayCreateVector
VariantClear
VariantCopy
VariantCopyInd
VariantChangeTypeEx
LoadTypeLibEx
SetErrorInfo
GetErrorInfo
VariantTimeToSystemTime
VarDateFromStr
CreateErrorInfo
OleCreateFontIndirect
RegisterTypeLi
UnRegisterTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
SysStringLen
SysAllocString
VariantInit
SysFreeString
SafeArrayPutElement

Exports

Exports

?DumpBinary@@YGXPAUIGrooveByteInputStream@@@Z
?DumpBinary@@YGXXZ
?DumpCommand@@YGXPAUIGrooveUICommand2@@@Z
?DumpCommandContainer@@YGXPAUIGrooveUICommandContainer3@@@Z
?DumpDisseminatedDesign@@YGXXZ
?DumpDynamicsDocument@@YGXPAVGCoDynamics@@@Z
?DumpElement@@YGXPAUIGrooveElement@@@Z
?DumpElement@@YGXXZ
?DumpElementToFile@@YGXPAUIGrooveElement@@@Z
?DumpElementToFile@@YGXXZ
?DumpFileSystemRecords@@YGXXZ
?DumpFileSystemSchema@@YGXXZ
?DumpRAFPropertyList@@YGXXZ
?DumpRecord3@@YGXPAUIGrooveRecord3@@@Z
?DumpRecord3@@YGXXZ
?DumpRecord3ToString@@YGXAAVGCStackStrBase@@@Z
?DumpRecord3ToString@@YGXPAUIGrooveRecord3@@AAVGCStackStrBase@@@Z
?DumpRecord@@YGXPAUIGrooveRecord@@@Z
?DumpRecord@@YGXXZ
?DumpSandboxedDesign@@YGXXZ
?DumpSiteCatalog@@YGXXZ
?DumpSiteCatalogToolEntry@@YGXXZ
?DumpSystemRecords@@YGXXZ
?DumpTable@@YGXPAUIGrooveTable@@@Z
?DumpTable@@YGXXZ
?DumpUserDataRecords@@YGXXZ
?DumpUserDataSchema@@YGXXZ
?DumpWSSHostCache@@YGXXZ
?DumpWSSSiteCache@@YGXXZ
?FormatDateTime@@YGXXZ
?GetBinaryDumpString@@YGXAAVGCStackStrBase@@@Z
?GetBinaryDumpString@@YGXPAUIGrooveByteInputStream@@AAVGCStackStrBase@@@Z
?g_pDumpTable@@3PAUIGrooveTable@@A
SPWChainCoCreateInstance
SPWChainGetGlobalInterfacePtrAddress

Sections

.text
Size: 6.1MB - Virtual size: 6.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 2.6MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 103KB - Virtual size: 103KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 197KB - Virtual size: 197KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 590KB - Virtual size: 589KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e0d7a46fde432212611c74366be1f95f

Code Sign

33:00:00:00:71:b3:2e:8a:6b:82:aa:1f:4e:00:00:00:00:00:71Certificate

Extended Key Usages

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0aCertificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

e4:ee:e9:2a:da:ba:5f:fe:25:bb:64:12:7f:b6:56:d3:35:90:df:0bSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

vcruntime140

msvcp140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

advapi32

cabinet

gdi32

gdiplus

imm32

kernel32

msimg32

ole32

oleaut32

Exports

Exports

Sections

.text Size: 6.1MB - Virtual size: 6.1MB

.rdata Size: 2.6MB - Virtual size: 2.6MB

.data Size: 103KB - Virtual size: 103KB

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 197KB - Virtual size: 197KB

.reloc Size: 590KB - Virtual size: 589KB

33:00:00:00:71:b3:2e:8a:6b:82:aa:1f:4e:00:00:00:00:00:71
Certificate

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

e4:ee:e9:2a:da:ba:5f:fe:25:bb:64:12:7f:b6:56:d3:35:90:df:0b
Signer

.text
Size: 6.1MB - Virtual size: 6.1MB

.rdata
Size: 2.6MB - Virtual size: 2.6MB

.data
Size: 103KB - Virtual size: 103KB

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 197KB - Virtual size: 197KB

.reloc
Size: 590KB - Virtual size: 589KB