35d2671e5f9fd3ad3bf1dac091870193d5110c145874b75c11b8fe5259a58dc1N[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

35d2671e5f9fd3ad3bf1dac091870193d5110c145874b75c11b8fe5259a58dc1N.exe
Size

9.1MB
MD5

ec675597a17a9e9b9c92d7d44d2cc150
SHA1

cac3654154f03b1831635ee9caec15c2a863e257
SHA256

35d2671e5f9fd3ad3bf1dac091870193d5110c145874b75c11b8fe5259a58dc1
SHA512

0047802d6a5f07f17eec3956f088ba7fe196010eaa2e56711702c0dc717a2ec96ead11814826f05d764483702b64a716b1e5c5686d4efa7f61a67f102fa3f68f
SSDEEP

196608:Lmi5US3zVH4w18ut60aknBizd5DgOq7WMet1FH9:Lr573BH7180NaTDq7WRp

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/$PLUGINSDIR/InstallOptions.dll
unpack001/$PLUGINSDIR/System.dll

Files

35d2671e5f9fd3ad3bf1dac091870193d5110c145874b75c11b8fe5259a58dc1N.exe
.exe windows:5 windows x86 arch:x86

b729b61eb1515fcf7b3e511e4e66258b

Code Sign

10:9f:1d:aa:af:b8:33:15:a6:b6:4a:6e:ed:82:d8:16
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

04/11/2009, 00:00

Not After

03/11/2012, 23:59

Subject

CN=DT Soft Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=DT Soft Ltd,L=Belize City,ST=Belize,C=BZ

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

21/05/2009, 00:00

Not After

20/05/2019, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

c3:e2:46:7b:e2:c8:44:3a:13:43:65:ad:4e:c7:61:d8:44:03:06:b4
Signer

Actual PE Digest

c3:e2:46:7b:e2:c8:44:3a:13:43:65:ad:4e:c7:61:d8:44:03:06:b4

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetFileTime
CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
SetCurrentDirectoryW
GetFileAttributesW
GetLastError
CreateDirectoryW
SetFileAttributesW
Sleep
GetTickCount
CreateFileW
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
ExitProcess
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
SetErrorMode
CloseHandle
lstrlenW
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
LoadLibraryW
CreateProcessW
lstrcmpiA
GetTempFileNameW
lstrcatW
GetProcAddress
LoadLibraryA
GetModuleHandleA
OpenProcess
lstrcpyW
GetVersionExW
GetSystemDirectoryW
GetVersion
lstrcpyA
RemoveDirectoryW
lstrcmpiW
lstrcmpW
ExpandEnvironmentStringsW
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GlobalFree
GetModuleHandleW
LoadLibraryExW
FreeLibrary
WritePrivateProfileStringW
GetPrivateProfileStringW
WideCharToMultiByte
MulDiv
lstrlenA
WriteFile
ReadFile
MultiByteToWideChar
SetFilePointer
FindClose
FindNextFileW
FindFirstFileW
DeleteFileW
lstrcpynA

user32

ScreenToClient
GetMessagePos
CallWindowProcW
IsWindowVisible
LoadBitmapW
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
GetWindowRect
AppendMenuW
CreatePopupMenu
GetSystemMetrics
EndDialog
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
DialogBoxParamW
CheckDlgButton
CreateWindowExW
SystemParametersInfoW
RegisterClassW
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharNextA
CharUpperW
CharPrevW
DispatchMessageW
PeekMessageW
wsprintfA
DestroyWindow
CreateDialogParamW
SetTimer
SetWindowTextW
PostQuitMessage
SetForegroundWindow
ShowWindow
wsprintfW
SendMessageTimeoutW
LoadCursorW
SetCursor
GetWindowLongW
GetSysColor
CharNextW
GetClassInfoW
ExitWindowsEx
FindWindowExW
GetDlgItem
SetWindowLongW
LoadImageW
GetDC
EnableWindow
InvalidateRect
SendMessageW
DefWindowProcW
BeginPaint
GetClientRect
FillRect
DrawTextW
EndPaint
IsWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectW
SetBkMode
SetTextColor
SelectObject

shell32

SHBrowseForFolderW
SHGetPathFromIDListW
SHGetFileInfoW
ShellExecuteW
SHFileOperationW
SHGetSpecialFolderLocation

advapi32

RegEnumKeyW
RegOpenKeyExW
RegCloseKey
RegDeleteKeyW
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegQueryValueExW
RegEnumValueW

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

Sections

.text
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 512B - Virtual size: 409KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 1.5MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 9.1MB - Virtual size: 9.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
$PLUGINSDIR/InstallOptions.dll
.dll windows:5 windows x86 arch:x86

cd90e33ffbc335413a25300c682c83df

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

lstrcmpiW
GetModuleHandleW
GlobalLock
GlobalUnlock
GetCurrentDirectoryW
SetCurrentDirectoryW
GetPrivateProfileIntW
GetPrivateProfileStringW
lstrcatW
WritePrivateProfileStringW
lstrcpynW
lstrlenW
lstrcpyW
GlobalFree
GlobalAlloc

user32

OpenClipboard
DestroyIcon
LoadCursorW
DispatchMessageW
TranslateMessage
GetMessageW
IsDialogMessageW
ShowWindow
SetWindowLongW
GetClientRect
SetWindowRgn
LoadIconW
LoadImageW
CreateWindowExW
MapDialogRect
GetClipboardData
GetWindowRect
CreateDialogParamW
EnableMenuItem
GetSystemMenu
EnableWindow
GetDlgItem
SetCursor
DrawTextW
GetWindowLongW
DrawFocusRect
CallWindowProcW
PostMessageW
wsprintfW
CharNextW
MessageBoxW
CloseClipboard
GetDlgCtrlID
MapWindowPoints
SetWindowPos
PtInRect
GetWindowTextW
SetWindowTextW
SendMessageW
DestroyWindow

gdi32

SelectObject
CreateRectRgn
GetObjectW
CombineRgn
DeleteObject
CreateCompatibleDC
GetDIBits
SetTextColor

shell32

SHBrowseForFolderW
SHGetPathFromIDListW
ShellExecuteW
SHGetDesktopFolder

comdlg32

GetOpenFileNameW
CommDlgExtendedError
GetSaveFileNameW

ole32

CoTaskMemFree

Exports

Exports

dialog
initDialog
show

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/SPTDinst-x64.exe
.exe windows:6 windows x64 arch:x64

2577803b71d3a8b25f8eee79c5b99a32

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

32:17:b3:18:d8:b2:b1:50:1b:37:11:ee:65:20:57:04
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

27/06/2007, 00:00

Not After

22/08/2010, 23:59

Subject

CN=Duplex Secure Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Duplex Secure Ltd,ST=Nevis,C=KN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

27:87:a9:51:a2:d8:91:ac:12:31:db:bf:2e:f5:e8:dc:08:ce:cd:c7
Signer

Actual PE Digest

27:87:a9:51:a2:d8:91:ac:12:31:db:bf:2e:f5:e8:dc:08:ce:cd:c7

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

c:\projects\sptdold\setup\objfre_wnet_amd64\amd64\SPTDinst.pdb

Imports

advapi32

OpenServiceA
CloseServiceHandle
RegSetValueExA
RegQueryValueExA
CreateServiceA
RegDeleteKeyA
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
RegCreateKeyExA
RegOpenKeyExA
RegGetKeySecurity
RegDeleteValueA
AllocateAndInitializeSid
OpenSCManagerA
FreeSid
RegSetKeySecurity
RegCloseKey

kernel32

VirtualFree
GetProcessHeap
GetCommandLineA
Sleep
GetTickCount
GetLastError
GetProcAddress
VirtualAlloc
LoadLibraryA
LocalAlloc
GetModuleHandleA
CreateMutexA
ReleaseMutex
CloseHandle
LocalFree
CreateThread
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
QueryPerformanceCounter
GetModuleHandleW
SetUnhandledExceptionFilter
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
GetStartupInfoW
WaitForSingleObject
HeapFree
GetCurrentProcess
HeapAlloc
HeapReAlloc
UnhandledExceptionFilter

user32

DialogBoxParamA
EndDialog
GetDlgItem
MessageBoxA
SendMessageA
SendDlgItemMessageA
EnableWindow

msvcrt

_mbsnbicmp
__getmainargs
__C_specific_handler
_XcptFilter
_exit
_ismbblead
_cexit
exit
_acmdln
_initterm
_amsg_exit
__setusermatherr
_commode
_fmode
__set_app_type
memset
?terminate@@YAXXZ
srand
rand
_errno
free
_fsopen
memmove
_tempnam
sprintf
_mbsicmp
rename
fclose
_unlink
fwrite

crypt32

CertOpenStore
CertFreeCertificateContext
CertCloseStore
CertSetCertificateContextProperty
CertAddEncodedCertificateToStore

Exports

Exports

A0DB34FC6FE35D429A28ADDE5467D4D7

Sections

.text
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 818KB - Virtual size: 820KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 384B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.sptd0
Size: 512B - Virtual size: 324B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.sptd1
Size: 187KB - Virtual size: 187KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/SPTDinst-x86.exe
.exe windows:6 windows x86 arch:x86

5c640f8f77c3445fa8280bfbd4143b01

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

32:17:b3:18:d8:b2:b1:50:1b:37:11:ee:65:20:57:04
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

27/06/2007, 00:00

Not After

22/08/2010, 23:59

Subject

CN=Duplex Secure Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Duplex Secure Ltd,ST=Nevis,C=KN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a0:b2:26:1c:1c:8f:e4:75:7e:07:a8:4a:14:a2:95:6a:ea:35:b7:57
Signer

Actual PE Digest

a0:b2:26:1c:1c:8f:e4:75:7e:07:a8:4a:14:a2:95:6a:ea:35:b7:57

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\projects\sptdold\setup\objfre_w2k_x86\i386\SPTDinst.pdb

Imports

advapi32

OpenSCManagerA
FreeSid
EqualSid
GetTokenInformation
OpenProcessToken
OpenThreadToken
AllocateAndInitializeSid
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegCloseKey
RegSetKeySecurity
RegGetKeySecurity
RegOpenKeyExA
RegCreateKeyExA
RegSetValueExA
RegDeleteValueA
RegQueryValueExA
CreateServiceA
CloseServiceHandle
OpenServiceA
RegDeleteKeyA

kernel32

GetProcAddress
GetModuleHandleA
LocalFree
CreateMutexA
LocalAlloc
HeapFree
HeapAlloc
GetSystemDirectoryA
CloseHandle
CreateThread
ReleaseMutex
GetTickCount
WaitForSingleObject
GetCommandLineA
VirtualFree
VirtualAlloc
GetProcessHeap
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
QueryPerformanceCounter
SetUnhandledExceptionFilter
RtlUnwind
GetStartupInfoA
InterlockedCompareExchange
InterlockedExchange
LoadLibraryA
GetCurrentThread
GetLastError
GetCurrentProcess
Sleep
HeapReAlloc
UnhandledExceptionFilter

user32

MessageBoxA
EnableWindow
GetDlgItem
SendDlgItemMessageA
SendMessageA
DialogBoxParamA
EndDialog

msvcrt

_errno
__getmainargs
_cexit
_exit
_XcptFilter
_ismbblead
exit
_acmdln
_initterm
_amsg_exit
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
?terminate@@YAXXZ
_controlfp
free
_unlink
fwrite
fclose
sprintf
??3@YAXPAX@Z
??2@YAPAXI@Z
_mbsnbicmp
_mbsicmp
srand
memset
memmove
rand
_fsopen
_tempnam
rename

crypt32

CertSetCertificateContextProperty
CertAddEncodedCertificateToStore
CertOpenStore
CertCloseStore
CertFreeCertificateContext

Exports

Exports

A0DB34FC6FE35D429A28ADDE5467D4D7

Sections

.text
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 679KB - Virtual size: 680KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.sptd0
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.sptd1
Size: 145KB - Virtual size: 145KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:5 windows x86 arch:x86

6c41c5e4d44f55745b925cc4e42b7fab

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalAlloc
GlobalFree
GlobalSize
GetLastError
lstrcpyW
lstrcpynW
GetProcAddress
WideCharToMultiByte
lstrcatW
LoadLibraryW
GetModuleHandleW
MultiByteToWideChar
VirtualAlloc
VirtualProtect
lstrlenW
FreeLibrary

user32

wsprintfW

ole32

CLSIDFromString
StringFromGUID2

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store
StrAlloc

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 899B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 64B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 574B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/dtsetup.ini
$PLUGINSDIR/ioSpecial.ini
$PLUGINSDIR/modern-header.bmp
$PLUGINSDIR/modern-wizard.bmp
$PLUGINSDIR/setuphlp.dll
.dll windows:4 windows x86 arch:x86

104bc70ae4cd55ac7fe489ae5f6cc292

Code Sign

10:9f:1d:aa:af:b8:33:15:a6:b6:4a:6e:ed:82:d8:16
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

04/11/2009, 00:00

Not After

03/11/2012, 23:59

Subject

CN=DT Soft Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=DT Soft Ltd,L=Belize City,ST=Belize,C=BZ

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

21/05/2009, 00:00

Not After

20/05/2019, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

e2:ac:0e:bb:d1:79:7c:92:14:20:6a:2f:97:56:bb:3f:bf:82:c8:e4
Signer

Actual PE Digest

e2:ac:0e:bb:d1:79:7c:92:14:20:6a:2f:97:56:bb:3f:bf:82:c8:e4

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

d:\Projects\dtlite-4-35-6\setup\plugin\SetupHlp\Release\setuphlp.pdb

Imports

gdi32

CreateFontIndirectW
SetTextColor
DeleteObject
SelectObject
GetObjectW
GetTextExtentPoint32W

user32

SetDlgItemTextW
IsCharAlphaNumericW
SetPropW
ReleaseCapture
SetCapture
InvalidateRect
GetParent
DrawFocusRect
GetPropW
CallWindowProcW
RemovePropW
GetWindowRect
ScreenToClient
SetTimer
KillTimer
GetSystemMetrics
IsWindowEnabled
GetDlgItemTextW
LoadCursorW
SetCursor
PeekMessageW
TranslateMessage
DispatchMessageW
GetWindowLongW
SetWindowLongW
IsWindow
IsWindowVisible
EnableWindow
ShowWindow
GetClientRect
GetDC
DrawTextW
wsprintfW
CreateWindowExW
ReleaseDC
wsprintfA
DialogBoxParamW
EndDialog
SetWindowTextW
SetWindowPos
GetDlgItem
LoadStringW
MessageBoxW
GetWindowTextW
GetClassNameW
EnumChildWindows
SetForegroundWindow
GetForegroundWindow
EnumWindows
SendMessageW
UnregisterClassA
GetCursorPos
GetCaretPos
GetQueueStatus
GetProcessWindowStation
GetOpenClipboardWindow
GetMessageTime
GetMessagePos
GetInputState
GetFocus
GetDesktopWindow
GetClipboardViewer
GetClipboardOwner
GetCapture
GetActiveWindow

ole32

CLSIDFromString
CoCreateGuid
ReleaseStgMedium
CoCreateInstance
CoTaskMemFree
CoTaskMemAlloc

advapi32

GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
RegisterTraceGuidsW
UnregisterTraceGuids
FreeSid
SetEntriesInAclW
SetNamedSecurityInfoW
RegEnumKeyExW
RegDeleteKeyW
RegDeleteValueW
RegCreateKeyExW
CryptGenRandom
LookupAccountNameW
ConvertSidToStringSidW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
RegOpenKeyExA
RegSetValueExA
RegDeleteValueA
RegQueryValueExA
AllocateAndInitializeSid
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
TraceEvent

shell32

ShellExecuteA
ShellExecuteW
ShellExecuteExW
SHGetFolderPathW
CommandLineToArgvW
SHChangeNotify

kernel32

QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetModuleFileNameA
GetStartupInfoA
GetFileType
GetCurrentProcessId
SetHandleCount
LCMapStringW
LCMapStringA
HeapCreate
HeapDestroy
ExitProcess
HeapSize
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
VirtualQuery
GetCurrentThread
SetLastError
TlsFree
TlsSetValue
SetFilePointer
GetConsoleCP
GetConsoleMode
GetStringTypeA
GetStringTypeW
InterlockedExchange
LoadLibraryA
SetStdHandle
FlushFileBuffers
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetEndOfFile
VirtualUnlock
VirtualLock
GetProcessWorkingSetSize
GetProcessTimes
GetThreadTimes
GlobalMemoryStatus
GetStdHandle
TlsAlloc
TlsGetValue
GetModuleHandleA
GetVersionExA
GetCommandLineA
GetCurrentThreadId
HeapReAlloc
InterlockedIncrement
GlobalUnlock
GlobalAlloc
GlobalLock
GlobalSize
InterlockedDecrement
LocalFree
LocalAlloc
FreeLibrary
GetProcAddress
LoadLibraryW
VirtualFree
VirtualAlloc
GetVersionExW
GetModuleHandleW
GetCommandLineW
CloseHandle
WaitForSingleObject
CreateMutexA
CreateEventA
lstrcatA
lstrcpyA
SetEvent
GetModuleFileNameW
CreateProcessW
ReleaseMutex
SetCurrentDirectoryW
GetCurrentDirectoryW
GlobalFree
MoveFileExW
Sleep
GetLocaleInfoW
FindClose
FindNextFileW
IsValidLocale
FindFirstFileW
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
LeaveCriticalSection
EnterCriticalSection
GetLocaleInfoA
GetUserDefaultLCID
DeleteFileW
WriteFile
CreateFileW
MultiByteToWideChar
DeleteCriticalSection
CreateThread
InitializeCriticalSection
GetLastError
GetComputerNameExW
WideCharToMultiByte
DeviceIoControl
CreateFileA
GetSystemDirectoryA
GetSystemTimeAsFileTime
lstrlenA
GetTickCount
lstrlenW
GetFileTime
ReadFile
SetFileTime
HeapAlloc
GetProcessHeap
HeapFree
GlobalAddAtomW
DeleteAtom
lstrcpyW
FindFirstFileA
GetCurrentProcess
FindResourceA
CreateDirectoryW
GetSystemInfo
SetVolumeMountPointW
FormatMessageW
RtlUnwind
RaiseException
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetThreadLocale

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

oleaut32

SysAllocString
SysFreeString

Exports

Exports

A0DB34FC6FE35D429A28ADDE5467D4D7
Activate
CheckEmail
CheckSerialNumber
CheckToolbarConfigStatus
ComponentsPageFree
ComponentsPageInit
ComponentsPageUpdate
ExecuteWait
FinishCommonInstallation
FormatFile
GetBuyNowLink
GetLicenseInfo
GetOSInfo
GetParamStr
GetSpecStr
GetStr
GetTextLinkOffsets
GetTextWidth
GetToolbarConfig
Hlp1
Hlp14
Hlp2
Hlp3
Hlp4
InitFileAssociations
InitLang
InstallCommonComp
InstallToolbar
QuoteStr
ShellExecuteGadget
WaitPageFree
WaitPageInit

Sections

.text
Size: 200KB - Virtual size: 198KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 56KB - Virtual size: 54KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.text0
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text1
Size: 952KB - Virtual size: 949KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b729b61eb1515fcf7b3e511e4e66258b

Code Sign

10:9f:1d:aa:af:b8:33:15:a6:b6:4a:6e:ed:82:d8:16Certificate

Extended Key Usages

Key Usages

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5cCertificate

Extended Key Usages

Key Usages

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

c3:e2:46:7b:e2:c8:44:3a:13:43:65:ad:4e:c7:61:d8:44:03:06:b4Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 25KB - Virtual size: 24KB

.rdata Size: 6KB - Virtual size: 6KB

.data Size: 512B - Virtual size: 409KB

.ndata Size: - Virtual size: 1.5MB

.rsrc Size: 9.1MB - Virtual size: 9.2MB

cd90e33ffbc335413a25300c682c83df

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

comdlg32

ole32

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 6KB

.rdata Size: 4KB - Virtual size: 3KB

.data Size: 1024B - Virtual size: 17KB

.rsrc Size: 512B - Virtual size: 152B

.reloc Size: 1KB - Virtual size: 1KB

2577803b71d3a8b25f8eee79c5b99a32

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

32:17:b3:18:d8:b2:b1:50:1b:37:11:ee:65:20:57:04Certificate

Extended Key Usages

Key Usages

61:0c:12:06:00:00:00:00:00:1bCertificate

Key Usages

27:87:a9:51:a2:d8:91:ac:12:31:db:bf:2e:f5:e8:dc:08:ce:cd:c7Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

10:9f:1d:aa:af:b8:33:15:a6:b6:4a:6e:ed:82:d8:16
Certificate

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

c3:e2:46:7b:e2:c8:44:3a:13:43:65:ad:4e:c7:61:d8:44:03:06:b4
Signer

.text
Size: 25KB - Virtual size: 24KB

.rdata
Size: 6KB - Virtual size: 6KB

.data
Size: 512B - Virtual size: 409KB

.ndata
Size: - Virtual size: 1.5MB

.rsrc
Size: 9.1MB - Virtual size: 9.2MB

.text
Size: 7KB - Virtual size: 6KB

.rdata
Size: 4KB - Virtual size: 3KB

.data
Size: 1024B - Virtual size: 17KB

.rsrc
Size: 512B - Virtual size: 152B

.reloc
Size: 1KB - Virtual size: 1KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

32:17:b3:18:d8:b2:b1:50:1b:37:11:ee:65:20:57:04
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

27:87:a9:51:a2:d8:91:ac:12:31:db:bf:2e:f5:e8:dc:08:ce:cd:c7
Signer

.text
Size: 16KB - Virtual size: 15KB

.data
Size: 818KB - Virtual size: 820KB

.pdata
Size: 512B - Virtual size: 384B

.idata
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 7KB - Virtual size: 6KB

.sptd0
Size: 512B - Virtual size: 324B

.sptd1
Size: 187KB - Virtual size: 187KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

32:17:b3:18:d8:b2:b1:50:1b:37:11:ee:65:20:57:04
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

a0:b2:26:1c:1c:8f:e4:75:7e:07:a8:4a:14:a2:95:6a:ea:35:b7:57
Signer

.text
Size: 14KB - Virtual size: 14KB

.data
Size: 679KB - Virtual size: 680KB

.idata
Size: 3KB - Virtual size: 2KB

.rsrc
Size: 7KB - Virtual size: 6KB

.sptd0
Size: 4KB - Virtual size: 3KB

.sptd1
Size: 145KB - Virtual size: 145KB

.text
Size: 7KB - Virtual size: 7KB

.rdata
Size: 1024B - Virtual size: 899B

.data
Size: 512B - Virtual size: 64B

.reloc
Size: 1024B - Virtual size: 574B

10:9f:1d:aa:af:b8:33:15:a6:b6:4a:6e:ed:82:d8:16
Certificate

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate