af5f18500d28a501bdb0cf5855db9027ac018d0cc60de5b3502a6967279d586a

Sharing

Copy URL Twitter E-mail

General

Target

af5f18500d28a501bdb0cf5855db9027ac018d0cc60de5b3502a6967279d586a
Size

356KB
MD5

7240f572139c3ef088cacbbab9976b7a
SHA1

d5d0d3cbe35bdca4082da0ebffc976e108a0a9f1
SHA256

af5f18500d28a501bdb0cf5855db9027ac018d0cc60de5b3502a6967279d586a
SHA512

e152f1c858fd668a5131f8700a5019c09de6c30c691241dc2141c7d544be485d386dc2a97fc1cad47e342aa2bb6a17cc418988b62f793808f219ae7bc4c94731
SSDEEP

6144:liySBfFd7Jtc+G4owlhgDNEpfC67loFdML/pkRWtB9dUFpZ82B7ozEYUkzrI0CQU:liRR/Fe4d6NYf77ubML/pk4QPB7SEY/u

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
af5f18500d28a501bdb0cf5855db9027ac018d0cc60de5b3502a6967279d586a

Files

af5f18500d28a501bdb0cf5855db9027ac018d0cc60de5b3502a6967279d586a
.exe windows:5 windows x86 arch:x86

0f75a43091c2fedace08fe729ff2f824

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

X:\GFServer\Release\GuoBbigClient.pdb

Imports

wininet

InternetCloseHandle
HttpOpenRequestW
HttpSendRequestW
InternetConnectW
InternetOpenW

shell32

ShellExecuteA

user32

EnumWindows
SendMessageW
GetWindowRect
GetWindowThreadProcessId
CreateDesktopW
wsprintfW
PostMessageW

advapi32

RegDeleteValueW
RegSetValueExA
RegEnumValueA
RegQueryValueExA
GetTokenInformation
RegSetValueExW
RegOpenKeyExW
OpenProcessToken
RegQueryValueExW
RegCreateKeyExW
RegCloseKey
AdjustTokenPrivileges
RegOpenKeyExA
LookupPrivilegeValueW

ws2_32

htons
shutdown
sendto
recv
socket
closesocket
inet_pton
send
select
connect
ioctlsocket
gethostbyname
__WSAFDIsSet
WSAGetLastError
inet_addr
recvfrom
WSAStartup

winhttp

WinHttpCrackUrl
WinHttpReadData
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpCloseHandle
WinHttpConnect
WinHttpSendRequest
WinHttpSetTimeouts
WinHttpReceiveResponse
WinHttpAddRequestHeaders
WinHttpCheckPlatform
WinHttpOpenRequest

ole32

CoInitializeEx
CoCreateInstance
CoSetProxyBlanket
CoGetObject
CoUninitialize

oleaut32

SysAllocString
SysFreeString
VariantClear

iphlpapi

GetExtendedTcpTable

kernel32

SetStdHandle
WriteConsoleW
FlushFileBuffers
GetStringTypeW
LoadLibraryW
CreateFileW
SetEndOfFile
lstrlenA
LocalFree
LCMapStringW
SetFilePointerEx
UnregisterWaitEx
QueryDepthSList
InterlockedFlushSList
InterlockedPushEntrySList
InitializeSListHead
ReleaseSemaphore
VirtualProtect
VirtualFree
VirtualAlloc
GetVersionExW
FreeLibraryAndExitThread
GetThreadTimes
OutputDebugStringW
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
ReadConsoleW
ReadFile
GetConsoleMode
GetConsoleCP
HeapSize
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
WriteFile
GetFileType
GetStdHandle
GetProcessHeap
UnregisterWait
RegisterWaitForSingleObject
SetThreadAffinityMask
GetProcessAffinityMask
GetNumaHighestNodeNumber
DeleteTimerQueueTimer
ChangeTimerQueueTimer
CreateTimerQueueTimer
GetLogicalProcessorInformation
GetThreadPriority
SetThreadPriority
InterlockedPopEntrySList
ReadProcessMemory
Sleep
MultiByteToWideChar
GetModuleFileNameA
DeleteFileA
MoveFileExA
GetCurrentProcess
WaitForSingleObject
SetEvent
GetModuleHandleW
OpenProcess
TerminateProcess
GetLastError
GetProcAddress
GetTempFileNameA
ResetEvent
Process32FirstW
CreateEventW
WaitForMultipleObjects
Process32NextW
CreateToolhelp32Snapshot
OpenEventW
CloseHandle
GetTempPathA
CreateThread
GetTickCount
InitializeCriticalSection
LeaveCriticalSection
CreateProcessA
EnterCriticalSection
LoadLibraryA
OpenThread
GetModuleHandleA
DeleteCriticalSection
GetCurrentProcessId
SuspendThread
ResumeThread
GetModuleFileNameW
GetWindowsDirectoryW
InterlockedDecrement
GetSystemInfo
WideCharToMultiByte
VirtualProtectEx
WriteProcessMemory
GetNativeSystemInfo
GetSystemTimes
Thread32First
GetFileAttributesA
Thread32Next
GlobalMemoryStatusEx
GetProcessId
Module32FirstW
Module32NextW
DuplicateHandle
GetCurrentThread
GetCurrentThreadId
GetSystemTimeAsFileTime
GetCommandLineW
HeapFree
EncodePointer
DecodePointer
IsDebuggerPresent
IsProcessorFeaturePresent
ExitProcess
GetModuleHandleExW
AreFileApisANSI
HeapAlloc
ExitThread
LoadLibraryExW
HeapReAlloc
RaiseException
RtlUnwind
FreeLibrary
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
CreateSemaphoreW
CreateTimerQueue
WaitForSingleObjectEx
SignalObjectAndWait
SwitchToThread

Sections

.text
Size: 268KB - Virtual size: 267KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 61KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 872B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0f75a43091c2fedace08fe729ff2f824

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

wininet

shell32

user32

advapi32

ws2_32

winhttp

ole32

oleaut32

iphlpapi

kernel32

Sections

.text Size: 268KB - Virtual size: 267KB

.rdata Size: 61KB - Virtual size: 60KB

.data Size: 10KB - Virtual size: 27KB

.rsrc Size: 1024B - Virtual size: 872B

.reloc Size: 15KB - Virtual size: 14KB

.text
Size: 268KB - Virtual size: 267KB

.rdata
Size: 61KB - Virtual size: 60KB

.data
Size: 10KB - Virtual size: 27KB

.rsrc
Size: 1024B - Virtual size: 872B

.reloc
Size: 15KB - Virtual size: 14KB