2616606e4c05c39b2d18c44615ba09d7cdc230c449928eb43caa22c7b36534caN

Sharing

Copy URL Twitter E-mail

General

Target

2616606e4c05c39b2d18c44615ba09d7cdc230c449928eb43caa22c7b36534caN
Size

5.5MB
MD5

0e8b52245e382b3f296f42dbbee92700
SHA1

54ab1c8e049813dbde8d7e9eea9115799d7dd77f
SHA256

2616606e4c05c39b2d18c44615ba09d7cdc230c449928eb43caa22c7b36534ca
SHA512

d00caf9644d9f662406d79a63e4dc54b2f57f6dbfdb06442aebeaebd0315ce31b9e9ef8f3f109f1a0644d9eda4ab06b1efe46425505598ca0bea032f27ca72f5
SSDEEP

98304:Hw+wnksSyeRIYyO8ZZg6AxODROSP1IicMCw:QjksdeRIrZZg6AxODROSPeNr

Score

3^/10

Malware Config

Signatures

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
sample	embeds_openssl

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2616606e4c05c39b2d18c44615ba09d7cdc230c449928eb43caa22c7b36534caN

Files

2616606e4c05c39b2d18c44615ba09d7cdc230c449928eb43caa22c7b36534caN
.exe windows:6 windows x64 arch:x64

f5c4235381367977d1b2a89463478880

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

DeviceIoControl
GetConsoleWindow
WideCharToMultiByte
CreateSemaphoreA
FormatMessageW
FormatMessageA
LocalFree
VirtualProtectEx
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
IsValidCodePage
FindFirstFileExW
RemoveDirectoryW
DeleteFileW
GetFileAttributesExW
SetEndOfFile
GetFullPathNameW
GetCurrentDirectoryW
SetStdHandle
GetFileAttributesW
WriteConsoleW
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcess
CreateEventA
WaitForSingleObjectEx
ReleaseSemaphore
SetEvent
AcquireSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockShared
ReleaseSRWLockExclusive
InitializeSRWLock
GetProcessHeap
HeapFree
HeapAlloc
QueryPerformanceFrequency
QueryPerformanceCounter
DuplicateHandle
CloseHandle
EnumSystemFirmwareTables
HeapSize
HeapReAlloc
FlushFileBuffers
EnumSystemLocalesW
GetUserDefaultLCID
AreFileApisANSI
MultiByteToWideChar
GetLastError
WakeAllConditionVariable
SleepConditionVariableSRW
GetCurrentProcessId
SwitchToThread
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
OpenEventA
ResetEvent
Sleep
WaitForMultipleObjectsEx
SetWaitableTimer
ResumeThread
GetModuleHandleA
GetProcAddress
CreateWaitableTimerA
GetStdHandle
GetFileType
WriteFile
GetModuleHandleW
RtlVirtualUnwind
GetEnvironmentVariableW
SetLastError
GetModuleHandleExW
VirtualFree
GetACP
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
WaitForSingleObject
GetExitCodeThread
GetSystemDirectoryA
FreeLibrary
LoadLibraryA
LoadLibraryW
GetSystemTime
SystemTimeToFileTime
FindClose
FindFirstFileW
FindNextFileW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
GetTickCount
InitializeCriticalSectionEx
CreateEventW
GetCurrentThread
GetSystemDirectoryW
SleepEx
MoveFileExW
GetEnvironmentVariableA
ReadFile
PeekNamedPipe
WaitForMultipleObjects
VerSetConditionMask
VerifyVersionInfoW
CreateFileW
GetFileSizeEx
RaiseException
SetHandleInformation
IsDebuggerPresent
GetHandleInformation
CreateIoCompletionPort
GetQueuedCompletionStatusEx
InitOnceExecuteOnce
GetTickCount64
SetFileCompletionNotificationModes
GetStringTypeW
InitializeConditionVariable
WakeConditionVariable
SleepConditionVariableCS
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
EncodePointer
DecodePointer
LCMapStringEx
GetLocaleInfoEx
CompareStringEx
GetCPInfo
InitializeCriticalSectionAndSpinCount
InitializeSListHead
RtlCaptureContext
RtlLookupFunctionEntry
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
RtlPcToFileHeader
RtlUnwindEx
InterlockedPushEntrySList
LoadLibraryExW
CreateThread
ExitThread
FreeLibraryAndExitThread
ExitProcess
SetConsoleCtrlHandler
GetDriveTypeW
GetFileInformationByHandle
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
SetFilePointerEx
CreateDirectoryW
GetModuleFileNameW
GetCommandLineA
GetCommandLineW
GetConsoleOutputCP
GetTimeZoneInformation
GetTempPathW
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
RtlUnwind

user32

ShowWindow
GetUserObjectInformationW
GetProcessWindowStation
MessageBoxW

ws2_32

getnameinfo
WSASocketA
WSAPoll
gethostname
freeaddrinfo
getsockname
__WSAFDIsSet
WSAIoctl
inet_ntop
inet_pton
WSAWaitForMultipleEvents
WSAResetEvent
WSAEventSelect
WSAEnumNetworkEvents
ioctlsocket
ntohl
getaddrinfo
WSACreateEvent
WSACloseEvent
sendto
recvfrom
getpeername
shutdown
socket
setsockopt
listen
connect
closesocket
bind
accept
send
recv
WSASetLastError
getservbyname
getservbyport
gethostbyaddr
inet_ntoa
inet_addr
htons
htonl
WSAGetLastError
WSACleanup
WSAStartup
gethostbyname
select
ntohs
getsockopt

iphlpapi

GetAdaptersAddresses
if_indextoname

crypt32

CertEnumCertificatesInStore
CertFindCertificateInStore
CertDuplicateCertificateContext
CertFreeCertificateContext
CertGetCertificateContextProperty
CertOpenSystemStoreW
CertCloseStore
CryptStringToBinaryW
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension
CertGetNameStringW
CryptQueryObject
CertFreeCertificateChain
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertGetCertificateChain
CertOpenStore

api-ms-win-core-synch-l1-2-0

WakeByAddressSingle
WaitOnAddress

bcrypt

BCryptGenRandom

advapi32

CryptExportKey
CryptImportKey
CryptEncrypt
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
CryptGetHashParam
OpenThreadToken
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptGenRandom
CryptReleaseContext
CryptAcquireContextW
ReportEventW
DeregisterEventSource
RegisterEventSourceW
CryptHashData

Sections

.text
Size: 4.1MB - Virtual size: 4.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 48KB - Virtual size: 65KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 187KB - Virtual size: 186KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 89KB - Virtual size: 88KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f5c4235381367977d1b2a89463478880

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

ws2_32

iphlpapi

crypt32

api-ms-win-core-synch-l1-2-0

bcrypt

advapi32

Sections

.text Size: 4.1MB - Virtual size: 4.1MB

.rdata Size: 1.1MB - Virtual size: 1.1MB

.data Size: 48KB - Virtual size: 65KB

.pdata Size: 187KB - Virtual size: 186KB

_RDATA Size: 512B - Virtual size: 348B

.reloc Size: 48KB - Virtual size: 48KB

.rsrc Size: 89KB - Virtual size: 88KB

.text
Size: 4.1MB - Virtual size: 4.1MB

.rdata
Size: 1.1MB - Virtual size: 1.1MB

.data
Size: 48KB - Virtual size: 65KB

.pdata
Size: 187KB - Virtual size: 186KB

_RDATA
Size: 512B - Virtual size: 348B

.reloc
Size: 48KB - Virtual size: 48KB

.rsrc
Size: 89KB - Virtual size: 88KB