cf2900687b5848803d1bebe35c6e0d6d865eb9137851f0c5f55ca25b73f66731

Sharing

Copy URL Twitter E-mail

General

Target

cf2900687b5848803d1bebe35c6e0d6d865eb9137851f0c5f55ca25b73f66731
Size

1.6MB
MD5

571b0693dae00704817709cf97ac458b
SHA1

cb5128a4a3d4be4ae82f0ddc7063fb61fdd36651
SHA256

cf2900687b5848803d1bebe35c6e0d6d865eb9137851f0c5f55ca25b73f66731
SHA512

6aa3ec14743ad59ea9f0ec8a7fc5b8a09c392d128b360d29ae516b63a3cdc22eda5133c840d779c35b40adeeee8db5e6f24d2566a1adeb60b721b2b88647284d
SSDEEP

49152:W/KMHpriTsSebcFvVa4eZw6QAhukeMJz66:YbAvVa3w6QA0dMJz6

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
cf2900687b5848803d1bebe35c6e0d6d865eb9137851f0c5f55ca25b73f66731

Files

cf2900687b5848803d1bebe35c6e0d6d865eb9137851f0c5f55ca25b73f66731
.exe windows:5 windows x64 arch:x64

bb78ca51f3812c5d9e777ae0a407ffa7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

d:\winapps\gu6\dll\vc\Memfiles\sourcecode\Memfiles\x64\Release\MemfilesService.pdb

Imports

mfc90u

ord5335
ord4373
ord3269
ord5700
ord6234
ord1582
ord4030
ord3975
ord4871
ord722
ord512
ord1949
ord2067
ord2436
ord4699
ord1840
ord1080
ord583
ord3317
ord4601
ord3039
ord2932
ord5332
ord1634
ord1698
ord1699
ord2010
ord5307
ord1389
ord3014
ord6027
ord5093
ord3436
ord6425
ord3902
ord6423
ord1553
ord2226
ord2233
ord2470
ord2452
ord2450
ord2468
ord2480
ord2457
ord2473
ord2478
ord2461
ord4355
ord2465
ord2459
ord2475
ord2455
ord949
ord945
ord947
ord943
ord938
ord5365
ord5367
ord6101
ord1635
ord4393
ord4843
ord3494
ord5346
ord4294
ord6421
ord5201
ord1954
ord5284
ord4349
ord1430
ord4048
ord1658
ord1661
ord6056
ord3137
ord2139
ord3740
ord362
ord4139
ord2326
ord5658
ord1519
ord285
ord3008
ord4145
ord4121
ord6422
ord3901
ord6424
ord4438
ord2110
ord2065
ord5713
ord3906
ord1025
ord1429
ord6053
ord3135
ord1713
ord1714
ord5013
ord4856
ord4322
ord5314
ord911
ord440
ord680
ord6438
ord2981
ord2016
ord2515
ord2463
ord5230
ord6363
ord5511
ord3932
ord1966
ord3005
ord5356
ord5358
ord2303
ord4050
ord4687
ord5362
ord799
ord1149
ord5345
ord5696
ord2325
ord779
ord265
ord1233
ord266
ord3535
ord1938
ord1839
ord6381
ord2602
ord2797
ord2904
ord4419
ord2780
ord2907
ord2605
ord2711
ord2598
ord3818
ord3819
ord3809
ord2709
ord4051
ord4596
ord4372
ord3424
ord3261
ord1041
ord1071
ord3930
ord671
ord617
ord688
ord450
ord772
ord577
ord3783
ord4658
ord286
ord762
ord570
ord1209
ord1211
ord1103
ord2533
ord5533
ord316
ord589
ord6281
ord4187
ord280
ord2378
ord791
ord887
ord789
ord2531
ord296
ord588
ord6003
ord386
ord640
ord4103
ord5532
ord777

msvcr90

__CxxFrameHandler3
memset
memcpy
?_type_info_dtor_internal_method@type_info@@QEAAXXZ
__crt_debugger_hook
?terminate@@YAXXZ
_decode_pointer
_onexit
_lock
__dllonexit
_unlock
__set_app_type
_encode_pointer
_fmode
_commode
__setusermatherr
_configthreadlocale
_initterm_e
_initterm
_wcmdln
exit
_cexit
_exit
_XcptFilter
__C_specific_handler
__wgetmainargs
_amsg_exit
fclose
ftell
fwrite
ferror
fprintf
fread
fopen
_errno
fputc
strcpy_s
strrchr
rand
free
memcpy_s
printf
malloc
wcscpy_s
_strnicmp
wcsrchr
isalpha
_stricmp
wcsncpy_s
tolower
strstr
wcschr
_wcsicmp
?what@exception@std@@UEBAPEBDXZ
_purecall
swprintf_s
_invalid_parameter_noinfo
memmove_s
??0exception@std@@QEAA@AEBQEBD@Z
??1exception@std@@UEAA@XZ
??0exception@std@@QEAA@XZ
??0exception@std@@QEAA@AEBV01@@Z
_CxxThrowException

kernel32

Sleep
CreateEventW
ReadDirectoryChangesW
GetOverlappedResult
QueryPerformanceCounter
GetVolumeInformationW
GetDiskFreeSpaceW
FindFirstFileW
FindClose
FindNextFileW
MultiByteToWideChar
WideCharToMultiByte
GetDriveTypeW
ExpandEnvironmentStringsA
DeleteFileA
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
GetModuleHandleW
GetProcAddress
GetModuleFileNameW
GetCurrentThreadId
DeviceIoControl
CreateMutexW
CreateWaitableTimerW
SetWaitableTimer
ResumeThread
MapViewOfFile
UnmapViewOfFile
OpenProcess
DuplicateHandle
GetCurrentProcess
CreateFileMappingW
GetTickCount
GetLogicalDrives
ConnectNamedPipe
SetLastError
CreateNamedPipeW
SetNamedPipeHandleState
WaitNamedPipeW
DisconnectNamedPipe
GetNamedPipeInfo
FormatMessageW
LocalFree
CreateFileW
GetLastError
WaitForSingleObject
SetEvent
CreateThread
DeleteCriticalSection
RaiseException
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetPrivateProfileStringW
RtlLookupFunctionEntry
RtlCaptureContext
CloseHandle
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
SetUnhandledExceptionFilter
GetStartupInfoW
ResetEvent
InitializeCriticalSectionAndSpinCount
FlushFileBuffers
WriteFile
ReadFile

user32

MsgWaitForMultipleObjects
GetKeyState
PostMessageW
RedrawWindow
KillTimer
SetTimer
DrawIcon
GetClientRect
GetSystemMetrics
IsIconic
SendMessageW
AppendMenuW
GetSystemMenu
LoadIconW
EnableWindow
UnregisterDeviceNotification
RegisterDeviceNotificationW
PostThreadMessageW
MessageBoxW
TranslateMessage
LoadStringW
DispatchMessageW
GetMessageW
PeekMessageW

advapi32

OpenSCManagerW
CloseServiceHandle
CreateServiceW
ControlService
DeleteService
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerExW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetServiceStatus
OpenServiceW

shell32

SHCreateDirectoryExA
SHGetDesktopFolder

comctl32

InitCommonControlsEx

shlwapi

PathFileExistsA
ord354
StrFormatByteSizeW

ole32

CoUninitialize
CoInitialize
CreateStreamOnHGlobal

oleaut32

VariantInit
VariantClear

msvcp90

?clear@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAXXZ
?insert@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAAEAV12@_KPEB_W0@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAAEAV01@PEB_W@Z
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBAPEBDXZ
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@AEBV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@PEBD@Z
??$?H_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@AEBV10@PEB_W@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAAEAV01@PEB_W@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@PEB_W@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2_KB
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBA?AV12@_K0@Z
?find_last_not_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBA_KPEBD_K@Z
?find_last_not_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBA_KAEBV12@_K@Z
?find_first_not_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBA_KPEBD_K@Z
?find_first_not_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBA_KAEBV12@_K@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBA_KD_K@Z
?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBA_NXZ
?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBA_KXZ
?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA?AV?$_String_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
?clear@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAXXZ
?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAAEAV12@_K0@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAAEAV01@D@Z
??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAAEAV01@PEBD@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAAEAV01@PEBD@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAAEAV01@AEBV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@XZ
?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBA_KPEBD_K1@Z
?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAAX_K@Z
??A?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAAEA_W_K@Z
?at@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAAEA_W_K@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAAEAV01@_W@Z
?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA?AV?$_String_iterator@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ

scanfile

GetFileInfoByFileNumber
StopScanFile
ScanAll
DeleteItemTree

Sections

.text
Size: 268KB - Virtual size: 268KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 94KB - Virtual size: 93KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1.2MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

bb78ca51f3812c5d9e777ae0a407ffa7

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mfc90u

msvcr90

kernel32

user32

advapi32

shell32

comctl32

shlwapi

ole32

oleaut32

msvcp90

scanfile

Sections

.text Size: 268KB - Virtual size: 268KB

.rdata Size: 94KB - Virtual size: 93KB

.data Size: 3KB - Virtual size: 8KB

.pdata Size: 19KB - Virtual size: 19KB

.rsrc Size: 13KB - Virtual size: 13KB

.reloc Size: 1.2MB - Virtual size: 1.9MB

.text
Size: 268KB - Virtual size: 268KB

.rdata
Size: 94KB - Virtual size: 93KB

.data
Size: 3KB - Virtual size: 8KB

.pdata
Size: 19KB - Virtual size: 19KB

.rsrc
Size: 13KB - Virtual size: 13KB

.reloc
Size: 1.2MB - Virtual size: 1.9MB