f3153b4278483b61f477e96cf77774d51c1f7b2b85e0b0891f8e04928d5e492e

Sharing

Copy URL Twitter E-mail

General

Target

f3153b4278483b61f477e96cf77774d51c1f7b2b85e0b0891f8e04928d5e492e
Size

237KB
MD5

2adc3cd35363f2bb7531188195598d55
SHA1

39554ed1d9b53cc3e3c58c7f61013e988db9940b
SHA256

f3153b4278483b61f477e96cf77774d51c1f7b2b85e0b0891f8e04928d5e492e
SHA512

76fed26d8c545ae3588b70cb16fe249829bb213c62bab0524a50394fa6011aeb723cb70f52bdd274119d08873ae5760b540a1f3278c45e06463a415269f96b7e
SSDEEP

3072:ypx4YnqkNI3wDGag1FV1omI+USNGfnULbtVR/Zv+WDozS6xTSgz/fJAF2MbDKl6r:yUntLnnI+LcnUlVPFLR0/2tyzMck

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/海外模式前期准备工具.u.exe

Files

f3153b4278483b61f477e96cf77774d51c1f7b2b85e0b0891f8e04928d5e492e
.zip
海外模式前期准备工具.u.exe
.exe windows:4 windows x86 arch:x86

3b6a0e559c29f1366986c2533b08c1ae

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mfc42

ord6199
ord3874
ord540
ord5053
ord2859
ord3582
ord1945
ord4589
ord4588
ord4899
ord4370
ord4892
ord5076
ord4341
ord4349
ord4890
ord4531
ord4545
ord4543
ord4526
ord4529
ord4524
ord4964
ord4961
ord4108
ord4407
ord5240
ord3748
ord1726
ord5260
ord4432
ord813
ord527
ord560
ord794
ord4273
ord2252
ord4464
ord4299
ord3481
ord4723
ord5265
ord4376
ord4853
ord4998
ord2514
ord6052
ord1775
ord5280
ord4425
ord3597
ord641
ord324
ord693
ord2302
ord4234
ord860
ord4710
ord4202
ord6334
ord4224
ord1168
ord2582
ord4402
ord3370
ord3640
ord3998
ord656
ord6907
ord939
ord2818
ord858
ord3301
ord4476
ord3610
ord1907
ord5161
ord5162
ord5160
ord4905
ord4742
ord4976
ord4948
ord4358
ord4377
ord5287
ord4835
ord768
ord489
ord2301
ord4258
ord4854
ord1980
ord668
ord941
ord2770
ord356
ord2864
ord2294
ord2362
ord1908
ord1690
ord2528
ord5288
ord4439
ord2054
ord4431
ord496
ord497
ord771
ord4259
ord6215
ord3092
ord4715
ord3737
ord809
ord736
ord556
ord439
ord1088
ord2122
ord5495
ord3216
ord537
ord4129
ord2614
ord3174
ord354
ord3448
ord1664
ord6358
ord3913
ord4508
ord755
ord470
ord1146
ord4220
ord2584
ord3654
ord2438
ord2863
ord1644
ord3742
ord818
ord2152
ord1233
ord6197
ord6380
ord4809
ord283
ord5572
ord2915
ord535
ord5683
ord4203
ord940
ord3319
ord1642
ord3337
ord665
ord1138
ord1979
ord6385
ord5773
ord1228
ord5186
ord4278
ord6010
ord6779
ord5710
ord1105
ord6663
ord6650
ord6591
ord6807
ord6857
ord6823
ord6855
ord6832
ord6859
ord6867
ord6847
ord6814
ord6839
ord6846
ord6858
ord6816
ord6815
ord6812
ord6845
ord6856
ord6808
ord6835
ord5875
ord4347
ord4889
ord4963
ord4960
ord6054
ord5281
ord1725
ord6614
ord6691
ord6742
ord6478
ord800
ord6800
ord4720
ord6813
ord4615
ord4612
ord4610
ord4274
ord6375
ord4486
ord2554
ord2512
ord5731
ord3922
ord1089
ord5199
ord2396
ord3346
ord5300
ord5302
ord4079
ord4698
ord5307
ord5289
ord5714
ord4622
ord3738
ord561
ord815
ord1205
ord4159
ord6117
ord2621
ord1134
ord2725
ord1771
ord6366
ord2413
ord2024
ord4219
ord2581
ord4401
ord3639
ord692
ord384
ord686
ord4243
ord2096
ord2100
ord3996
ord2862
ord6803
ord2099
ord3619
ord1842
ord4242
ord2723
ord2390
ord3059
ord5100
ord5103
ord4303
ord3350
ord5012
ord975
ord5472
ord3403
ord2879
ord2878
ord4151
ord4077
ord5237
ord2649
ord1665
ord4436
ord4427
ord796
ord696
ord807
ord674
ord529
ord394
ord554
ord366
ord5590
ord3435
ord926
ord922
ord924
ord4277
ord3797
ord2494
ord2627
ord2626
ord6000
ord2117
ord2452
ord2453
ord2089
ord2080
ord5882
ord3289
ord6625
ord4457
ord4163
ord5252
ord6880
ord5852
ord1008
ord4185
ord909
ord4413
ord5030
ord2764
ord1200
ord5282
ord5450
ord6394
ord5440
ord6383
ord4268
ord3295
ord6154
ord2530
ord4366
ord4056
ord5471
ord4121
ord2389
ord5086
ord1710
ord1715
ord5234
ord6369
ord5279
ord5064
ord5248
ord2444
ord3730
ord795
ord3721
ord1825
ord4238
ord4696
ord3058
ord3065
ord6336
ord2510
ord2542
ord5243
ord5740
ord1746
ord5577
ord3172
ord5653
ord4420
ord4953
ord4858
ord2399
ord4387
ord3454
ord3198
ord6080
ord6175
ord4623
ord4426
ord338
ord652
ord4823
ord4614
ord4613
ord2535
ord1871
ord1847
ord3089
ord4124
ord2380
ord2405
ord2841
ord2107
ord1949
ord1576
ord4297
ord5788
ord4133
ord2414
ord4284
ord4275
ord609
ord3574
ord4424
ord4627
ord4080
ord3079
ord2567
ord4123
ord4287
ord1802
ord616
ord4398
ord2578
ord4218
ord2023
ord2411
ord567
ord3402
ord2575
ord2379
ord2860
ord5785
ord1640
ord3571
ord3573
ord1641
ord3825
ord3831
ord3830
ord2976
ord3081
ord2985
ord3262
ord3136
ord4465
ord3259
ord3147
ord3663
ord3626
ord3693
ord823
ord825
ord323
ord6194
ord2754
ord640
ord3596
ord5864
ord6061
ord5571
ord5579
ord5736
ord5678
ord5794
ord5873
ord6172
ord6021
ord6189
ord4330
ord6186
ord5756
ord6192
ord5759
ord2971
ord5787
ord6514
ord5789
ord2982
ord5277
ord2124
ord2446
ord5261
ord1727
ord5065
ord3749
ord6376
ord2055
ord2648
ord4441
ord4837
ord3798
ord5290
ord4353
ord6374
ord5163
ord2385
ord5241
ord4396
ord1776
ord4078
ord4340
ord6055

msvcrt

fopen
fwrite
_splitpath
memset
atol
_itoa
_ftol
sprintf
memcpy
strlen
_ltoa
strcat
strcpy
atoi
fread
ftell
fseek
memmove
calloc
free
strcmp
malloc
_mbsstr
_mbsnbcpy
_except_handler3
?terminate@@YAXXZ
__dllonexit
_onexit
_exit
_XcptFilter
??1type_info@@UAE@XZ
_setmbcp
_CxxThrowException
wcslen
_controlfp
__set_app_type
fclose
__p__commode
_stati64
gmtime
getenv
_fstati64
_lseeki64
memchr
_getpid
fflush
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
fputc
_sys_nerr
strerror
_beginthreadex
fputs
qsort
fgets
strrchr
__mb_cur_max
_close
_pctype
strtol
strpbrk
strtoul
_iob
sscanf
tolower
time
strchr
strncpy
strstr
strncmp
memcmp
_mbscmp
__CxxFrameHandler
_strdup
_read
_write
_open
__p__fmode
_isctype
realloc
_errno

kernel32

GetModuleHandleA
WriteFile
SetFileTime
GetFileAttributesA
LocalFileTimeToFileTime
lstrcpyA
lstrcatA
GetCurrentDirectoryA
SystemTimeToFileTime
ReadFile
CloseHandle
CreateFileA
SetFilePointer
InterlockedDecrement
CreateDirectoryA
DeleteFileA
WaitForSingleObject
TerminateThread
Sleep
GetTickCount
FindFirstFileA
FindClose
MultiByteToWideChar
GlobalLock
GlobalUnlock
GlobalFree
GetSystemDirectoryA
lstrlenA
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
GetLastError
SetLastError
InitializeCriticalSection
GetProcAddress
FreeLibrary
SleepEx
LoadLibraryA
FormatMessageA
GetVersionExA
PeekNamedPipe
WaitForMultipleObjects
GetFileType
GetStdHandle
ExpandEnvironmentStringsA
WideCharToMultiByte
LocalFree
GetStartupInfoA

user32

SetForegroundWindow
IsWindowVisible
wsprintfA
UpdateWindow
LoadIconA
MessageBoxA
SetCapture
ScreenToClient
LoadMenuA
GetSubMenu
LoadImageA
GetSystemMetrics
GetWindowTextA
SetRect
InflateRect
FillRect
DrawStateA
TabbedTextOutA
DrawTextA
GrayStringA
SendMessageA
InvalidateRect
EnableWindow
GetSysColor
GetCursorPos
PtInRect
OffsetRect
GetWindowRect
GetClientRect
GetDC
ReleaseDC
SetTimer
KillTimer
GetParent
TrackPopupMenu
ReleaseCapture
DrawEdge
DrawIcon
CopyRect
LoadBitmapA
DestroyIcon

gdi32

GetMapMode
GetStockObject
CreateFontA
Escape
GetTextExtentPoint32A
ExtTextOutA
TextOutA
BitBlt
RoundRect
RectVisible
PtVisible
GetBkColor
SelectObject
CreateCompatibleDC
CreateCompatibleBitmap
CreateSolidBrush
CreatePen
DPtoLP
LPtoDP

advapi32

RegDeleteValueA
RegEnumKeyA
CryptImportKey
CryptEncrypt
CryptDestroyKey
CryptGetHashParam
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptAcquireContextA
CryptGenRandom
CryptReleaseContext
RegSetValueExA
RegDeleteKeyA
RegEnumValueA
RegQueryValueExA
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA

shell32

Shell_NotifyIconA
ShellExecuteA
SHGetFileInfoA
SHGetPathFromIDListA
SHGetMalloc
SHGetDesktopFolder
SHBrowseForFolderA

comctl32

ImageList_AddMasked
ImageList_ReplaceIcon
ImageList_GetIcon
InitCommonControlsEx
_TrackMouseEvent

ole32

CoCreateInstance
OleRun
CoUninitialize

oleaut32

SafeArrayCreateVector
VariantClear
SafeArrayDestroy
SafeArrayAccessData
SysAllocString
SysFreeString
GetErrorInfo

wsock32

getservbyname
ioctlsocket
gethostbyaddr
getservbyport
htonl
recvfrom
listen
accept
inet_ntoa
gethostname
ntohl
inet_addr
bind
getsockopt
ntohs
getpeername
getsockname
select
WSAGetLastError
__WSAFDIsSet
WSASetLastError
WSAStartup
WSACleanup
htons
connect
getprotobyname
socket
setsockopt
sendto
gethostbyname
send
recv
closesocket

winmm

sndPlaySoundA

msvcp60

?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z

wldap32

ord41
ord22
ord211
ord143
ord60
ord50
ord26
ord27
ord30
ord200
ord32
ord33
ord301
ord35
ord79
ord46

ws2_32

WSAIoctl

crypt32

CertFreeCertificateContext

Sections

.text
Size: 488KB - Virtual size: 484KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3b6a0e559c29f1366986c2533b08c1ae

Headers

File Characteristics

Imports

mfc42

msvcrt

kernel32

user32

gdi32

advapi32

shell32

comctl32

ole32

oleaut32

wsock32

winmm

msvcp60

wldap32

ws2_32

crypt32

Sections

.text Size: 488KB - Virtual size: 484KB

.rdata Size: 80KB - Virtual size: 79KB

.data Size: 8KB - Virtual size: 8KB

.rsrc Size: 12KB - Virtual size: 10KB

.text
Size: 488KB - Virtual size: 484KB

.rdata
Size: 80KB - Virtual size: 79KB

.data
Size: 8KB - Virtual size: 8KB

.rsrc
Size: 12KB - Virtual size: 10KB