81e192575df3d902304f13eaf4687d6bdb3d38e2b01069c4fa0c5b42269cb332N

Sharing

Copy URL Twitter E-mail

General

Target

81e192575df3d902304f13eaf4687d6bdb3d38e2b01069c4fa0c5b42269cb332N
Size

2.6MB
MD5

a770518adff93f72c47b0cbc87561b80
SHA1

fce8c52741c3f8c4a8a9d0b63bd43549b505afb6
SHA256

81e192575df3d902304f13eaf4687d6bdb3d38e2b01069c4fa0c5b42269cb332
SHA512

c0e428e680e2691414aa2b6f6e9d55a39577c45cbcc2db70e40ec43ba9152e9c3efe396f0c0ca2db2d3296b8f19993e9aa826c74aeff4b73cc1a88993c7a4c77
SSDEEP

24576:clFAdcOwlEMVU4Juz5mgEOY089vGabtRepqBVcNTToH0VIrFntYXaez75UbAAVpn:cgzUgP5avGQCx6te1SUKp2lm

Score

1^/10

Malware Config

Signatures

Files

81e192575df3d902304f13eaf4687d6bdb3d38e2b01069c4fa0c5b42269cb332N
.exe windows:5 windows x86 arch:x86

ed8f557f9793f59c42061447461dd831

Code Sign

05:b0:ff
Certificate

Issuer

OU=Equifax Secure Certificate Authority,O=Equifax,C=US

Not Before

16/02/2006, 18:01

Not After

19/02/2016, 18:01

Subject

CN=Intel External Basic Policy CA,O=Intel Corporation,C=US

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

61:0b:dc:8f:00:00:00:00:00:1a
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Equifax Secure Certificate Authority,O=Equifax,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

17:01:ce:eb:00:01:00:00:90:28
Certificate

Issuer

CN=Intel External Basic Issuing CA 3A,O=Intel Corporation,C=US

Not Before

01/08/2012, 22:27

Not After

15/05/2015, 19:35

Subject

CN=Intel Corporation - Intel® Management Engine Firmware,OU=Intel Architecture Group,O=Intel Corporation

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:1e:80:b7:00:00:00:00:00:07
Certificate

Issuer

CN=Intel External Basic Policy CA,O=Intel Corporation,C=US

Not Before

15/05/2009, 19:25

Not After

15/05/2015, 19:35

Subject

CN=Intel External Basic Issuing CA 3A,O=Intel Corporation,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

74:86:b1:6c:71:6b:a0:51:a3:b9:a2:9a:ec:8c:f8:cd:f0:2f:65:69
Signer

Actual PE Digest

74:86:b1:6c:71:6b:a0:51:a3:b9:a2:9a:ec:8c:f8:cd:f0:2f:65:69

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\ccViews\autobuild1_BR-1305-003V_7.1_Snapshot\AMT_Development\SW\Src\Services\UNS\Release\UNS.pdb

Imports

wsock32

getsockname
getpeername
shutdown
closesocket
ntohl
ntohs
accept
__WSAFDIsSet
bind
listen
WSAStartup
socket
setsockopt
htons
connect
getsockopt
ioctlsocket
gethostbyname
WSACleanup
recv
send
WSAGetLastError
inet_ntoa
select
inet_addr
htonl

crypt32

CryptProtectData
CryptUnprotectData
CertFindCertificateInStore
CertGetNameStringA
CertOpenStore
CertCloseStore
CertFreeCertificateContext

iphlpapi

NotifyAddrChange
GetIpNetTable
GetIpAddrTable
GetPerAdapterInfo
GetAdaptersInfo
GetExtendedTcpTable
GetNetworkParams
CancelIPChangeNotify

winhttp

WinHttpQueryDataAvailable
WinHttpCloseHandle
WinHttpSetOption
WinHttpDetectAutoProxyConfigUrl
WinHttpGetProxyForUrl
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryAuthSchemes
WinHttpSetStatusCallback
WinHttpReadData
WinHttpAddRequestHeaders
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetCredentials
WinHttpOpen

advapi32

CloseServiceHandle
OpenProcessToken
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
IsValidSid
GetLengthSid
CopySid
SetSecurityDescriptorOwner
InitializeSecurityDescriptor
RegQueryValueExW
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
LookupAccountSidW
ConvertSidToStringSidA
EqualSid
ControlService
DeleteService
CreateServiceA
OpenServiceA
ChangeServiceConfigA
ChangeServiceConfig2A
SetServiceStatus
StartServiceCtrlDispatcherA
RegisterServiceCtrlHandlerExA
RegQueryInfoKeyA
GetTokenInformation
LookupAccountNameA
AddAccessAllowedAce
InitializeAcl
GetAclInformation
AddAce
RegEnumKeyExA
RegCreateKeyExW
RegSetValueExW
AllocateAndInitializeSid
CreateWellKnownSid
SetEntriesInAclA
RegSetKeySecurity
FreeSid
RegDeleteValueA
RegOpenKeyExW
RegDeleteValueW
RegDeleteKeyA
RegSetValueExA
RegCreateKeyExA
ReportEventA
DeregisterEventSource
RegisterEventSourceA
OpenSCManagerA
EnumServicesStatusExA
GetAce
OpenThreadToken

user32

GetProcessWindowStation
GetUserObjectInformationW
PostThreadMessageA
CharNextW
LoadStringA
MessageBoxA
CharUpperA
GetMessageA
TranslateMessage
DispatchMessageA
CharNextA
wsprintfA
UnregisterDeviceNotification
RegisterDeviceNotificationA
GetDesktopWindow

rpcrt4

UuidCreate
UuidToStringA
RpcStringFreeA

setupapi

SetupDiDestroyDeviceInfoList
SetupDiGetDeviceInterfaceDetailA
SetupDiEnumDeviceInterfaces
SetupDiGetClassDevsA

statusstrings

GetStatusString

xerces-c_2_7

?fgXercescDefaultLocale@XMLUni@xercesc_2_7@@2QBDB
?Initialize@XMLPlatformUtils@xercesc_2_7@@SAXQBD0QAVPanicHandler@2@QAVMemoryManager@2@_N@Z
?XMLDecl@AbstractDOMParser@xercesc_2_7@@UAEXQB_W000@Z
?startInputSource@XercesDOMParser@xercesc_2_7@@UAEXABVInputSource@2@@Z
?attDef@AbstractDOMParser@xercesc_2_7@@UAEXABVDTDElementDecl@2@ABVDTDAttDef@2@_N@Z
?doctypeComment@AbstractDOMParser@xercesc_2_7@@UAEXQB_W@Z
?doctypeDecl@AbstractDOMParser@xercesc_2_7@@UAEXABVDTDElementDecl@2@QB_W1_N2@Z
?doctypePI@AbstractDOMParser@xercesc_2_7@@UAEXQB_W0@Z
?doctypeWhitespace@AbstractDOMParser@xercesc_2_7@@UAEXQB_WI@Z
?elementDecl@AbstractDOMParser@xercesc_2_7@@UAEXABVDTDElementDecl@2@_N@Z
?endAttList@AbstractDOMParser@xercesc_2_7@@UAEXABVDTDElementDecl@2@@Z
?endIntSubset@AbstractDOMParser@xercesc_2_7@@UAEXXZ
?endExtSubset@AbstractDOMParser@xercesc_2_7@@UAEXXZ
?entityDecl@AbstractDOMParser@xercesc_2_7@@UAEXABVDTDEntityDecl@2@_N1@Z
?resetDocType@AbstractDOMParser@xercesc_2_7@@UAEXXZ
?notationDecl@AbstractDOMParser@xercesc_2_7@@UAEXABVXMLNotationDecl@2@_N@Z
?startAttList@AbstractDOMParser@xercesc_2_7@@UAEXABVDTDElementDecl@2@@Z
?startIntSubset@AbstractDOMParser@xercesc_2_7@@UAEXXZ
?startExtSubset@AbstractDOMParser@xercesc_2_7@@UAEXXZ
?TextDecl@AbstractDOMParser@xercesc_2_7@@UAEXQB_W0@Z
?handleElementPSVI@AbstractDOMParser@xercesc_2_7@@UAEXQB_W0PAVPSVIElement@2@@Z
?Terminate@XMLPlatformUtils@xercesc_2_7@@SAXXZ
?handleAttributesPSVI@AbstractDOMParser@xercesc_2_7@@UAEXQB_W0PAVPSVIAttributeList@2@@Z
??1XercesDOMParser@xercesc_2_7@@UAE@XZ
?fgDOMXMLDeclaration@XMLUni@xercesc_2_7@@2QB_WB
?startEntityReference@AbstractDOMParser@xercesc_2_7@@UAEXABVXMLEntityDecl@2@@Z
?startElement@AbstractDOMParser@xercesc_2_7@@UAEXABVXMLElementDecl@2@IQB_WABV?$RefVectorOf@VXMLAttr@xercesc_2_7@@@2@I_N3@Z
?startDocument@AbstractDOMParser@xercesc_2_7@@UAEXXZ
?resetDocument@AbstractDOMParser@xercesc_2_7@@UAEXXZ
?ignorableWhitespace@AbstractDOMParser@xercesc_2_7@@UAEXQB_WI_N@Z
?endEntityReference@AbstractDOMParser@xercesc_2_7@@UAEXABVXMLEntityDecl@2@@Z
?endElement@AbstractDOMParser@xercesc_2_7@@UAEXABVXMLElementDecl@2@I_NQB_W@Z
?endDocument@AbstractDOMParser@xercesc_2_7@@UAEXXZ
?docPI@AbstractDOMParser@xercesc_2_7@@UAEXQB_W0@Z
?docComment@AbstractDOMParser@xercesc_2_7@@UAEXQB_W@Z
?docCharacters@AbstractDOMParser@xercesc_2_7@@UAEXQB_WI_N@Z
??0MemBufInputSource@xercesc_2_7@@QAE@QBEIQBD_NQAVMemoryManager@1@@Z
??0XercesDOMParser@xercesc_2_7@@QAE@QAVXMLValidator@1@QAVMemoryManager@1@QAVXMLGrammarPool@1@@Z
?setDoNamespaces@AbstractDOMParser@xercesc_2_7@@QAEX_N@Z
?setDoSchema@AbstractDOMParser@xercesc_2_7@@QAEX_N@Z
?setExternalNoNamespaceSchemaLocation@AbstractDOMParser@xercesc_2_7@@QAEXQBD@Z
?parse@AbstractDOMParser@xercesc_2_7@@QAEXABVInputSource@2@@Z
?getMessage@DOMException@xercesc_2_7@@QBEPB_WXZ
?getMessage@XMLException@xercesc_2_7@@QBEPB_WXZ
?transcode@XMLString@xercesc_2_7@@SAPA_WQBD@Z
?release@XMLString@xercesc_2_7@@SAXPAPA_W@Z
?transcode@XMLString@xercesc_2_7@@SAPADQB_W@Z
?release@XMLString@xercesc_2_7@@SAXPAPAD@Z
?resolveEntity@XercesDOMParser@xercesc_2_7@@UAEPAVInputSource@2@PAVXMLResourceIdentifier@2@@Z
?resetEntities@XercesDOMParser@xercesc_2_7@@UAEXXZ
?expandSystemId@XercesDOMParser@xercesc_2_7@@UAE_NQB_WAAVXMLBuffer@2@@Z
?elementTypeInfo@AbstractDOMParser@xercesc_2_7@@UAEXQB_W0@Z
?setPSVIHandler@AbstractDOMParser@xercesc_2_7@@UAEXQAVPSVIHandler@2@@Z
?createElementNSNode@AbstractDOMParser@xercesc_2_7@@MAEPAVDOMElement@2@PB_W0@Z
?error@XercesDOMParser@xercesc_2_7@@UAEXIQB_WW4ErrTypes@XMLErrorReporter@2@000JJ@Z
?endInputSource@XercesDOMParser@xercesc_2_7@@UAEXABVInputSource@2@@Z
?handlePartialElementPSVI@AbstractDOMParser@xercesc_2_7@@UAEXQB_W0PAVPSVIElement@2@@Z
?resetErrors@XercesDOMParser@xercesc_2_7@@UAEXXZ
?getDocument@AbstractDOMParser@xercesc_2_7@@QAEPAVDOMDocument@2@XZ
??1MemBufInputSource@xercesc_2_7@@UAE@XZ
??3XMemory@xercesc_2_7@@SAXPAX@Z
?getRawBuffer@MemBufFormatTarget@xercesc_2_7@@QBEPBEXZ
??0MemBufFormatTarget@xercesc_2_7@@QAE@HQAVMemoryManager@1@@Z
??2XMemory@xercesc_2_7@@SAPAXI@Z
?fgMemoryManager@XMLPlatformUtils@xercesc_2_7@@2PAVMemoryManager@2@A
?getDOMImplementation@DOMImplementationRegistry@xercesc_2_7@@SAPAVDOMImplementation@2@PB_W@Z
?writeChars@MemBufFormatTarget@xercesc_2_7@@UAEXQBEIQAVXMLFormatter@2@@Z
?flush@XMLFormatTarget@xercesc_2_7@@UAEXXZ
?resolveEntity@XercesDOMParser@xercesc_2_7@@UAEPAVInputSource@2@QB_W00@Z
??1MemBufFormatTarget@xercesc_2_7@@UAE@XZ

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

kernel32

TlsFree
SetHandleCount
GetACP
VirtualFree
IsValidCodePage
SetStdHandle
GetStringTypeA
GetStringTypeW
HeapCreate
LCMapStringW
LCMapStringA
FindFirstFileW
GetDriveTypeW
ExitProcess
GetOEMCP
UnlockFile
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetEndOfFile
FlushFileBuffers
HeapSize
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetFullPathNameA
GetFileInformationByHandle
PeekNamedPipe
InitializeCriticalSectionAndSpinCount
LockFile
SetConsoleMode
ReadConsoleInputA
ExitThread
FindFirstFileA
GetDriveTypeA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
SetConsoleCtrlHandler
GetStartupInfoA
GetFullPathNameW
CreateFileW
GetCurrentDirectoryA
VirtualQuery
GetSystemInfo
VirtualAlloc
VirtualProtect
GetConsoleMode
GetConsoleCP
SetFilePointer
GetTimeZoneInformation
GetDateFormatA
GetTimeFormatA
GetCPInfo
GetSystemTimeAsFileTime
HeapReAlloc
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
RtlUnwind
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
GetLocaleInfoW
CompareStringA
CompareStringW
SetEnvironmentVariableA
CloseHandle
ReleaseSemaphore
CreateSemaphoreA
TlsGetValue
DuplicateHandle
TlsSetValue
TlsAlloc
InterlockedCompareExchange
CreateMutexA
SetThreadPriority
ResumeThread
InterlockedExchange
FlushConsoleInputBuffer
GetVersionExA
GlobalMemoryStatus
GetCurrentProcessId
QueryPerformanceCounter
GetTickCount
GetStdHandle
GetFileType
GetVersion
OpenEventA
ResetEvent
WaitForMultipleObjects
OpenProcess
CreateThread
GetModuleHandleW
GetCurrentThreadId
GetCommandLineA
SetErrorMode
RaiseException
GetSystemDefaultLCID
IsDBCSLeadByte
lstrcmpiA
LoadLibraryExA
FindResourceA
LoadResource
SizeofResource
WideCharToMultiByte
lstrlenW
GetComputerNameA
GlobalAlloc
GlobalFree
LocalAlloc
lstrlenA
GetModuleFileNameA
SetEvent
GetSystemTime
GetCurrentThread
MultiByteToWideChar
GetProcessHeap
HeapAlloc
HeapFree
LoadLibraryA
Sleep
CreateFileA
GetLastError
GetOverlappedResult
WaitForSingleObject
ReadFile
CreateEventA
WriteFile
DeviceIoControl
FormatMessageA
GetModuleHandleA
GetProcAddress
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
InterlockedIncrement
InterlockedDecrement
ReleaseMutex
SetLastError
LocalFree
FreeLibrary
GetCurrentProcess

shell32

SHGetFolderPathA

ole32

CoCreateInstance
CoUninitialize
CoSetProxyBlanket
CoInitializeEx
CoInitializeSecurity
CoTaskMemAlloc
CoTaskMemRealloc
StringFromGUID2
CoResumeClassObjects
CoRevokeClassObject
CoRegisterClassObject
CoSuspendClassObjects
CoRevertToSelf
CoImpersonateClient
CoTaskMemFree

oleaut32

LoadRegTypeLi
SafeArrayPutElement
SysFreeString
VariantClear
VariantInit
SysAllocString
SysAllocStringLen
SafeArrayCreate
SafeArrayDestroy
SafeArrayUnlock
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayLock
VarUI4FromStr
LoadTypeLi
SysStringLen
VariantChangeType
SafeArrayGetVartype
SafeArrayCreateVector
SafeArrayCopy
SysStringByteLen
UnRegisterTypeLi
RegisterTypeLi

ws2_32

WSASetLastError
WSACreateEvent
getnameinfo

Exports

Exports

OPENSSL_Applink

Sections

.text
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 412KB - Virtual size: 412KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 119KB - Virtual size: 149KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ed8f557f9793f59c42061447461dd831

Code Sign

05:b0:ffCertificate

Key Usages

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

61:0b:dc:8f:00:00:00:00:00:1aCertificate

Key Usages

17:01:ce:eb:00:01:00:00:90:28Certificate

Extended Key Usages

Key Usages

61:1e:80:b7:00:00:00:00:00:07Certificate

Key Usages

74:86:b1:6c:71:6b:a0:51:a3:b9:a2:9a:ec:8c:f8:cd:f0:2f:65:69Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

wsock32

crypt32

iphlpapi

winhttp

advapi32

user32

rpcrt4

setupapi

statusstrings

xerces-c_2_7

version

kernel32

shell32

ole32

oleaut32

ws2_32

Exports

Exports

Sections

.text Size: 1.9MB - Virtual size: 1.9MB

.rdata Size: 412KB - Virtual size: 412KB

.data Size: 119KB - Virtual size: 149KB

.rsrc Size: 26KB - Virtual size: 26KB

05:b0:ff
Certificate

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

61:0b:dc:8f:00:00:00:00:00:1a
Certificate

17:01:ce:eb:00:01:00:00:90:28
Certificate

61:1e:80:b7:00:00:00:00:00:07
Certificate

74:86:b1:6c:71:6b:a0:51:a3:b9:a2:9a:ec:8c:f8:cd:f0:2f:65:69
Signer

.text
Size: 1.9MB - Virtual size: 1.9MB

.rdata
Size: 412KB - Virtual size: 412KB

.data
Size: 119KB - Virtual size: 149KB

.rsrc
Size: 26KB - Virtual size: 26KB