vnc[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

vnc.exe
Size

3.3MB
MD5

5d80af8e4ed4d389f05c527bff83a7f7
SHA1

ff1d4cd6a28fe544b3294db1578052d15ccc13b5
SHA256

f562b418ce4c62e77fc658b5ffb73326f13ddee2eb5caa5cd31a1fc00c82c792
SHA512

8f0c36933841317a36c83f6a6ba02db112a9b6ff2f1613d1b670a8150f2e51bcab032d58faa71c7f920ffb48fd296abdff4dde47b16e5b2c9973b0f835f1b3bc
SSDEEP

98304:gQen0OvdHcQfsspL2bkyMRQJ4wGtIaqRulJbtcBx:gn0OvdHGspL2bkyMRQJ4wGtIaqRulJb4

Score

1^/10

Malware Config

Signatures

Files

vnc.exe
.exe windows:4 windows x64 arch:x64

156d1fd6a88de904d98f70176d175a22

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

28:38:aa:2a:b3:50:5b:fa:bd:47:4c:9c:37:3c:42:53
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

10/08/2012, 00:00

Not After

21/08/2015, 23:59

Subject

CN=RealVNC Ltd,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=RealVNC Ltd,L=Cambridge,ST=Cambridgeshire,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2a:79:df:a7:23:50:c4:18:34:58:06:67:42:6b:18:d7:93:8a:5c:a6
Signer

Actual PE Digest

2a:79:df:a7:23:50:c4:18:34:58:06:67:42:6b:18:d7:93:8a:5c:a6

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

c:\hudson\workspace\vnc_5.0.x\label\win\src\release\x64\vncviewer.pdb

Imports

ws2_32

setsockopt
WSAIoctl
WSAEventSelect
WSAEnumNetworkEvents
closesocket
socket
WSAStartup
ioctlsocket
inet_addr
gethostbyname
getpeername
WSASocketW
WSADuplicateSocketW
htonl
getservbyname
htons
gethostbyaddr
getservbyport
ntohs
WSASetLastError
bind
recv
send
getsockname
WSAConnect
select
listen
getsockopt
accept
inet_ntoa
WSAGetLastError

comctl32

ImageList_Destroy
ImageList_Create
ord17
ImageList_ReplaceIcon
CreatePropertySheetPageW
PropertySheetW
InitCommonControlsEx
_TrackMouseEvent
ImageList_Draw

imm32

ImmSetOpenStatus
ImmGetVirtualKey
ImmGetContext

kernel32

WriteFile
DuplicateHandle
GetCurrentProcess
CreatePipe
SetErrorMode
GetDiskFreeSpaceW
GetDiskFreeSpaceExW
GetVolumeInformationW
GetDriveTypeW
FindClose
FindFirstFileA
GetFileAttributesA
GetLogicalDrives
ReadFile
GlobalMemoryStatus
CloseHandle
SetEnvironmentVariableA
CompareStringW
CompareStringA
GetLocaleInfoW
GetStringTypeW
GetStringTypeA
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
LCMapStringW
LCMapStringA
GetModuleHandleW
ResetEvent
GetCurrentDirectoryW
Sleep
GetTickCount
GetLastError
GetVersion
GetConsoleCP
GetTimeZoneInformation
WriteConsoleW
GetConsoleOutputCP
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GlobalFree
GlobalUnlock
GlobalAlloc
GlobalLock
GetCurrentProcessId
CreateEventW
SetEvent
GlobalSize
WaitForMultipleObjects
GetCurrentThreadId
WaitForSingleObject
ExpandEnvironmentStringsW
CreateFileW
SetFileAttributesW
MulDiv
CancelIo
GetOverlappedResult
GetComputerNameW
GetTempFileNameW
CreateDirectoryW
GetTempPathW
GetProfileStringW
SizeofResource
LockResource
LoadResource
FindResourceW
WideCharToMultiByte
MultiByteToWideChar
GetSystemTimeAsFileTime
FormatMessageW
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
FreeLibrary
GetProcAddress
LoadLibraryW
ResumeThread
CreateThread
GetThreadTimes
GetCurrentThread
TerminateThread
GetFileAttributesW
DeleteFileW
MoveFileW
GetSystemTime
GetLocalTime
OutputDebugStringW
GetCommandLineW
GetModuleFileNameW
LocalFree
CreateProcessW
GetStdHandle
SetHandleInformation
GetExitCodeProcess
TerminateProcess
GetVersionExW
AllocConsole
OpenProcess
FindFirstFileW
FindNextFileW
FindNextFileA
LocalAlloc
FlushFileBuffers
ExitProcess
SetLastError
LoadLibraryA
GetSystemDirectoryA
RtlLookupFunctionEntry
RtlUnwindEx
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlCaptureContext
RaiseException
RtlPcToFileHeader
SetFilePointer
GetFileType
GetModuleHandleA
GetCommandLineA
HeapFree
GetVersionExA
HeapAlloc
GetProcessHeap
GetStartupInfoA
DeleteFileA
GetConsoleMode
GetDateFormatA
GetTimeFormatA
HeapReAlloc
DebugBreak
GetModuleFileNameA
SetEndOfFile
FlsGetValue
FlsSetValue
FlsFree
FlsAlloc
RtlVirtualUnwind
HeapSize
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
SetHandleCount
SetStdHandle
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapSetInformation
HeapCreate
QueryPerformanceCounter
CreateFileA
WriteConsoleA

user32

EmptyClipboard
OpenClipboard
SetActiveWindow
RegisterClipboardFormatW
GetFocus
PostMessageW
DestroyIcon
GetScrollInfo
AppendMenuW
CreatePopupMenu
DestroyMenu
GetMessagePos
InflateRect
DrawIconEx
mouse_event
GetKeyboardState
MsgWaitForMultipleObjects
PeekMessageW
keybd_event
MapVirtualKeyW
ToAsciiEx
ToUnicodeEx
VkKeyScanExA
VkKeyScanExW
WaitForInputIdle
ReleaseDC
GetDC
GetWindowDC
CallNextHookEx
GetForegroundWindow
SetWindowsHookExW
UnhookWindowsHookEx
IsRectEmpty
ChangeDisplaySettingsW
EnumDisplaySettingsW
GetParent
SetMenuItemInfoW
RegisterWindowMessageW
GetIconInfo
SetClipboardData
GetWindowThreadProcessId
GetClassNameW
CloseDesktop
EnumDesktopWindows
OpenDesktopW
EnumDesktopsW
GetProcessWindowStation
UnregisterClassW
RegisterClassW
CheckMenuItem
GetMenuState
DeleteMenu
InsertMenuItemW
GetMenuItemCount
GetWindowTextW
DialogBoxParamW
IsDialogMessageW
CreateDialogParamW
EndDialog
EnumChildWindows
MessageBoxW
IsWindowEnabled
RegisterClassExW
CallWindowProcW
CopyRect
SetParent
DrawFocusRect
GetNextDlgTabItem
GetKeyState
ChangeClipboardChain
SetClipboardViewer
GetClipboardOwner
ReleaseCapture
GetWindowInfo
CreateWindowExA
GetMessageTime
OffsetRect
MapWindowPoints
SetWindowRgn
IsZoomed
GetClipboardData
GetUserObjectInformationW
GetDesktopWindow
CloseClipboard
SetScrollInfo
SetCursor
CreateIconIndirect
SendMessageTimeoutW
GetAsyncKeyState
GetKeyboardLayout
SetWindowTextW
SendMessageW
SetWindowLongW
SetForegroundWindow
ShowWindow
FindWindowW
IsIconic
GetUpdateRect
MessageBeep
SetWindowLongPtrW
GetMessageW
EnableWindow
MoveWindow
LoadImageW
PostThreadMessageW
DrawTextW
CreateWindowExW
DestroyWindow
GetComboBoxInfo
GetWindowLongPtrW
SetWindowPos
GetWindowRect
SetFocus
FillRect
GetSysColorBrush
ScrollWindowEx
GetClientRect
SystemParametersInfoW
ShowCursor
SetCapture
IsWindowVisible
SetTimer
KillTimer
TranslateMessage
DispatchMessageW
PostQuitMessage
LoadMenuW
GetSubMenu
SetMenuDefaultItem
TrackPopupMenu
GetDlgItem
GetSystemMenu
EnableMenuItem
DefWindowProcW
AdjustWindowRect
LoadCursorW
LoadIconW
BeginPaint
EndPaint
UpdateWindow
ValidateRect
GetCursorPos
ScreenToClient
InvalidateRect
ClientToScreen
GetWindowLongW
SetRect
AdjustWindowRectEx
GetSystemMetrics

gdi32

Rectangle
CreateBrushIndirect
EndDoc
EndPage
StartPage
ResetDCW
StartDocW
StretchDIBits
GetDeviceCaps
CreateCompatibleBitmap
SetDIBColorTable
CreateDIBSection
DeleteDC
CreateCompatibleDC
CreateRectRgnIndirect
GetCurrentObject
SetMapMode
GetTextExtentPoint32W
GetDIBits
CreateDCW
CreatePen
CreateRectRgn
DeleteObject
RealizePalette
SelectPalette
CombineRgn
SetRectRgn
CreatePalette
SetPaletteEntries
GetRegionData
BitBlt
OffsetRgn
GetRandomRgn
StretchBlt
SetBrushOrgEx
SetStretchBltMode
GetStockObject
SetBkColor
CreateSolidBrush
CreateFontIndirectW
GetObjectW
MoveToEx
SetTextColor
SetBkMode
LineTo
SelectObject

comdlg32

GetOpenFileNameW
CommDlgExtendedError
GetSaveFileNameW

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

oleacc

AccessibleObjectFromWindow
LresultFromObject

winspool.drv

DeviceCapabilitiesW
GetPrinterW
DocumentPropertiesW
OpenPrinterW
ClosePrinter

advapi32

RegDeleteValueW
RegisterEventSourceW
ReportEventW
AllocateAndInitializeSid
RevertToSelf
GetUserNameW
ImpersonateLoggedOnUser
CopySid
GetLengthSid
IsValidSid
GetTokenInformation
CryptAcquireContextW
CryptReleaseContext
CryptGenRandom
RegCloseKey
RegNotifyChangeKeyValue
RegSetValueExW
RegEnumValueW
RegQueryInfoKeyW
RegEnumKeyExW
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyExW
GetSecurityInfo
CreateProcessAsUserW
OpenProcessToken
EqualSid
DeregisterEventSource
InitializeAcl
GetAclInformation
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
FreeSid

shell32

SHGetDesktopFolder
SHAppBarMessage
SHGetFileInfoW
SHGetMalloc
Shell_NotifyIconW
SHAddToRecentDocs
ShellExecuteW
SHBrowseForFolderW

ole32

OleUninitialize
OleInitialize
CoUninitialize
CoCreateInstance
CoMarshalInterThreadInterfaceInStream
CoGetInterfaceAndReleaseStream
CoTaskMemAlloc
CoTaskMemFree
ReleaseStgMedium
OleSetClipboard
OleGetClipboard
CoInitializeEx

oleaut32

SysAllocString
SysAllocStringLen

Sections

.text
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 518KB - Virtual size: 517KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 171KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 119KB - Virtual size: 118KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 988KB - Virtual size: 987KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

156d1fd6a88de904d98f70176d175a22

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

28:38:aa:2a:b3:50:5b:fa:bd:47:4c:9c:37:3c:42:53Certificate

Extended Key Usages

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

2a:79:df:a7:23:50:c4:18:34:58:06:67:42:6b:18:d7:93:8a:5c:a6Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ws2_32

comctl32

imm32

kernel32

user32

gdi32

comdlg32

version

oleacc

winspool.drv

advapi32

shell32

ole32

oleaut32

Sections

.text Size: 1.5MB - Virtual size: 1.5MB

.rdata Size: 518KB - Virtual size: 517KB

.data Size: 171KB - Virtual size: 191KB

.pdata Size: 119KB - Virtual size: 118KB

.rsrc Size: 988KB - Virtual size: 987KB

.reloc Size: 29KB - Virtual size: 29KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

28:38:aa:2a:b3:50:5b:fa:bd:47:4c:9c:37:3c:42:53
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

2a:79:df:a7:23:50:c4:18:34:58:06:67:42:6b:18:d7:93:8a:5c:a6
Signer

.text
Size: 1.5MB - Virtual size: 1.5MB

.rdata
Size: 518KB - Virtual size: 517KB

.data
Size: 171KB - Virtual size: 191KB

.pdata
Size: 119KB - Virtual size: 118KB

.rsrc
Size: 988KB - Virtual size: 987KB

.reloc
Size: 29KB - Virtual size: 29KB