1571eb4f187d026fe7aabb8310982a36bc3827806ba835d98510942c87ebeec5N

Sharing

Copy URL Twitter E-mail

General

Target

1571eb4f187d026fe7aabb8310982a36bc3827806ba835d98510942c87ebeec5N
Size

100KB
MD5

63fdede5725891c95dac96cccf691680
SHA1

a1d44a6f09e2a862714f5a2871596dfb9b7f5940
SHA256

1571eb4f187d026fe7aabb8310982a36bc3827806ba835d98510942c87ebeec5
SHA512

247eb228d77b1c7ab9ba8e0264578e33f9694221b15567c4f313c04e14546dfccd3f5f13d386bbb902605d0b4990b3b603556ea3cbbdd3dd7dab276e8d18235e
SSDEEP

1536:ZjjHH8O/lKMHY1uoYLnayTp6tUEDowdhxsWoXK9dle3hPJzhF:ZjTHX/l1419YL1Tp6R8ahcX6M3pJzX

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
1571eb4f187d026fe7aabb8310982a36bc3827806ba835d98510942c87ebeec5N

Files

1571eb4f187d026fe7aabb8310982a36bc3827806ba835d98510942c87ebeec5N
.dll windows:5 windows x64 arch:x64

f1ed4635bae6b8ee204b143144bf0302

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

G:\dev\ProcessHacker\trunk\bin\Release64\plugins\WaitChainPlugin.pdb

Imports

processhacker.exe

PhAddEntryHashtable
PhCreateList
PhSetControlTheme
PhCmLoadSettings
PhDeleteTreeNewColumnMenu
PhFormatTime
PhGetStringSetting
PhHandleTreeNewColumnMenu
PhInitializeTreeNewColumnMenu
PhCreateHashtable
PhSetStringSetting2
PhCmSaveSettings
PhFormatDate
PhMainWndHandle
PhInsertEMenuItem
PhInitializeLayoutManager
PhGetTreeNewText
PhDeleteLayoutManager
PhFormatString
PhSetSelectThreadIdProcessPropContext
PhAllocate
PhCreateThread
PhPluginCreateEMenuItem
PhSaveWindowPlacementToSetting
PhFindProcessNode
PhLoadResourceEMenuItem
PhFindEMenuItem
PhCreateEMenu
PhAddItemList
PhAddSettings
PhRegisterDialog
PhSetClipboardString
PhGetGeneralCallback
PhUnregisterDialog
PhShowProcessProperties
PhLoadWindowPlacementFromSetting
PhAddLayoutItem
PhShowEMenu
PhRegisterCallback
PhSelectAndEnsureVisibleProcessNode
PhDestroyEMenu
PhFree
PhReferenceProcessItem
PhRegisterPlugin
PhGetPluginCallback
PhEnumProcesses
PhShowMessage
PhLayoutManagerLayout
PhDereferenceObject
PhCreateProcessPropContext
PhSetFlagsEMenuItem

ntdll

RtlLookupFunctionEntry
RtlCaptureContext
RtlUnwindEx
NtClose
LdrGetProcedureAddress
RtlVirtualUnwind

kernel32

GetProcessHeap
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
FindNextFileA
FindFirstFileExA
FindClose
LCMapStringW
HeapAlloc
HeapFree
WideCharToMultiByte
MultiByteToWideChar
GetModuleFileNameA
GetModuleHandleExW
ExitProcess
DeleteCriticalSection
LeaveCriticalSection
GetStdHandle
SetLastError
LoadLibraryExW
GetProcAddress
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
InterlockedFlushSList
GetModuleFileNameW
GetModuleHandleW
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
RaiseException
CreateFileW
WriteConsoleW
GetLastError
LoadLibraryW
FreeLibrary
FileTimeToSystemTime
FileTimeToLocalFileTime
CloseHandle
SetFilePointerEx
GetConsoleMode
GetConsoleCP
GetFileType
GetStringTypeW
HeapSize
EnterCriticalSection
FlushFileBuffers
WriteFile
GetCurrentProcessId
SetStdHandle
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
HeapReAlloc

user32

RemovePropW
GetDlgItem
SetPropW
GetPropW
SendMessageW
EndDialog
DialogBoxParamW

advapi32

SystemFunction036
RegisterWaitChainCOMCallback
OpenThreadWaitChainSession
GetThreadWaitChain
CloseThreadWaitChainSession

Sections

.text
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 39KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 512B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 512B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

f1ed4635bae6b8ee204b143144bf0302

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

processhacker.exe

ntdll

kernel32

user32

advapi32

Sections

.text Size: 48KB - Virtual size: 48KB

.rdata Size: 39KB - Virtual size: 39KB

.data Size: 2KB - Virtual size: 7KB

.pdata Size: 4KB - Virtual size: 4KB

.gfids Size: 512B - Virtual size: 512B

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 2KB - Virtual size: 2KB

.data Size: 512B - Virtual size: 512B

.text
Size: 48KB - Virtual size: 48KB

.rdata
Size: 39KB - Virtual size: 39KB

.data
Size: 2KB - Virtual size: 7KB

.pdata
Size: 4KB - Virtual size: 4KB

.gfids
Size: 512B - Virtual size: 512B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 2KB - Virtual size: 2KB

.data
Size: 512B - Virtual size: 512B