Static task
static1
Behavioral task
behavioral1
Sample
1a911e5a4c4de3b3c33d69effd2238f213074c4b35b6528384236f8aad284f86N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1a911e5a4c4de3b3c33d69effd2238f213074c4b35b6528384236f8aad284f86N.exe
Resource
win10v2004-20240802-en
General
-
Target
1a911e5a4c4de3b3c33d69effd2238f213074c4b35b6528384236f8aad284f86N
-
Size
4.1MB
-
MD5
86329d97cd7a6f3a64c4c8af825dbfa0
-
SHA1
bba4c784e69ef090d6b4955fab741bb7c1011b54
-
SHA256
1a911e5a4c4de3b3c33d69effd2238f213074c4b35b6528384236f8aad284f86
-
SHA512
c6256dcddcf5c13ba28c8532884e86dd7ea89a2ce04711c6d5983c6cebca483b5a859d4e3e9c50c4f35cb8f530b258661fdcc4bb9f23359467cc1e411d4b7a95
-
SSDEEP
98304:KQ+bqdbwbfuoC2Ky7tW4oWjrNwljKKxQ:jPdbwDuot/7tW4oWjrNwlOK
Malware Config
Signatures
-
Embeds OpenSSL 1 IoCs
Embeds OpenSSL, which may be used to circumvent TLS interception.
resource yara_rule sample embeds_openssl -
Unsigned PE 1 IoCs
Checks for a missing Authenticode signature.
resource 1a911e5a4c4de3b3c33d69effd2238f213074c4b35b6528384236f8aad284f86N
Files
-
1a911e5a4c4de3b3c33d69effd2238f213074c4b35b6528384236f8aad284f86N.exe windows:6 windows x64 arch:x64
1d3f730022d5053f942cdcbc7b98aac8
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
kernel32
WaitForSingleObjectEx
MoveFileExW
SleepEx
GetModuleHandleA
GetEnvironmentVariableA
GetCurrentThread
QueryPerformanceFrequency
CreateEventW
SetEvent
InitializeCriticalSectionEx
GetTickCount
QueryPerformanceCounter
FormatMessageW
ReadConsoleW
ReadConsoleA
SetConsoleMode
GetConsoleMode
FindNextFileW
FindFirstFileW
FindClose
SystemTimeToFileTime
GetSystemTime
LoadLibraryW
FormatMessageA
LoadLibraryA
FreeLibrary
GetSystemDirectoryA
Sleep
ReadFile
PeekNamedPipe
WaitForMultipleObjects
VerSetConditionMask
VerifyVersionInfoW
CreateFileW
GetFileSizeEx
RtlCaptureContext
RtlLookupFunctionEntry
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
InitializeSListHead
IsDebuggerPresent
GetConsoleWindow
VirtualProtectEx
EnumSystemFirmwareTables
GetSystemDirectoryW
CreateSemaphoreA
GetExitCodeThread
WaitForSingleObject
ReleaseSemaphore
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
CloseHandle
GetACP
WideCharToMultiByte
VirtualFree
GetSystemTimeAsFileTime
GetCurrentProcessId
GetModuleHandleExW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
GetCurrentThreadId
AcquireSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockShared
ReleaseSRWLockExclusive
InitializeSRWLock
SetLastError
GetEnvironmentVariableW
RtlVirtualUnwind
MultiByteToWideChar
GetProcAddress
GetModuleHandleW
GetLastError
WriteFile
GetFileType
GetStdHandle
GetCurrentProcess
user32
GetProcessWindowStation
GetUserObjectInformationW
MessageBoxW
ShowWindow
msvcp140
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?uncaught_exceptions@std@@YAHXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?good@ios_base@std@@QEBA_NXZ
?flags@ios_base@std@@QEBAHXZ
?width@ios_base@std@@QEBA_JXZ
?width@ios_base@std@@QEAA_J_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
ws2_32
WSACleanup
WSAGetLastError
htonl
htons
gethostname
shutdown
WSAEventSelect
WSAEnumNetworkEvents
WSAStartup
gethostbyname
freeaddrinfo
select
socket
getaddrinfo
inet_addr
ntohs
getsockname
ioctlsocket
closesocket
__WSAFDIsSet
WSAIoctl
inet_ntop
inet_ntoa
inet_pton
WSAWaitForMultipleEvents
connect
setsockopt
getpeername
getsockopt
WSAResetEvent
gethostbyaddr
getservbyport
WSACreateEvent
getservbyname
WSASetLastError
WSACloseEvent
recv
send
accept
bind
sendto
recvfrom
listen
crypt32
CertFreeCertificateChainEngine
CertGetCertificateChain
CertFreeCertificateChain
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringW
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryW
CertOpenSystemStoreW
CertGetCertificateContextProperty
CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore
bcrypt
BCryptGenRandom
vcruntime140
memcmp
__C_specific_handler
__current_exception
__current_exception_context
memchr
wcschr
strstr
strrchr
strchr
wcsstr
memcpy
memmove
_CxxThrowException
__std_exception_destroy
__std_exception_copy
memset
vcruntime140_1
__CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0
_register_onexit_function
_initialize_onexit_table
raise
_register_thread_local_exe_atexit_callback
_c_exit
_cexit
terminate
__p___argc
exit
_initterm_e
_initterm
_get_initial_narrow_environment
_initialize_narrow_environment
_configure_narrow_argv
_exit
_set_app_type
_seh_filter_exe
strerror_s
__p___argv
_invalid_parameter_noinfo_noreturn
__sys_nerr
__sys_errlist
signal
_errno
_beginthreadex
_crt_atexit
api-ms-win-crt-heap-l1-1-0
free
malloc
_set_new_mode
calloc
_callnewh
realloc
api-ms-win-crt-stdio-l1-1-0
ftell
__stdio_common_vswprintf
__stdio_common_vsprintf
setvbuf
_setmode
__stdio_common_vsprintf_s
_wfopen
fopen
fread
_fileno
__acrt_iob_func
__stdio_common_vfprintf
fwrite
fclose
feof
__stdio_common_vsscanf
_wopen
_close
_write
_read
__p__commode
_set_fmode
ferror
_fseeki64
fputs
_lseeki64
fgets
fputc
fflush
fseek
api-ms-win-crt-utility-l1-1-0
qsort
api-ms-win-crt-string-l1-1-0
_wcsdup
strpbrk
wcsncpy
wcsncmp
wcspbrk
isspace
strncmp
strspn
strcspn
isdigit
tolower
_strdup
strncpy
strcmp
strncpy_s
strcat_s
strcpy_s
api-ms-win-crt-time-l1-1-0
_gmtime64_s
_gmtime64
strftime
_time64
api-ms-win-crt-environment-l1-1-0
getenv
api-ms-win-crt-convert-l1-1-0
strtol
atoi
strtoul
strtoll
wcstombs
api-ms-win-crt-filesystem-l1-1-0
_wstat64
_fstat64
_unlink
_stat64i32
api-ms-win-crt-math-l1-1-0
_fdopen
__setusermatherr
api-ms-win-crt-locale-l1-1-0
_configthreadlocale
advapi32
CryptReleaseContext
DeregisterEventSource
RegisterEventSourceW
ReportEventW
CryptEncrypt
CryptImportKey
CryptHashData
CryptGetHashParam
OpenThreadToken
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptGenRandom
CryptAcquireContextW
Sections
.text Size: 3.1MB - Virtual size: 3.1MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 851KB - Virtual size: 851KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 18KB - Virtual size: 28KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 118KB - Virtual size: 117KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 38KB - Virtual size: 38KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ