50de6e3f3474d35a66fd8e8495dfc82ab8bb96d23bc05e62561ca6c95e7abd3cN

Sharing

Copy URL Twitter E-mail

General

Target

50de6e3f3474d35a66fd8e8495dfc82ab8bb96d23bc05e62561ca6c95e7abd3cN
Size

19KB
MD5

b5d2133f78edcbbefe860168bcfd0e00
SHA1

8c25d751f8012284c47332daa2d2fb959fb9e76f
SHA256

50de6e3f3474d35a66fd8e8495dfc82ab8bb96d23bc05e62561ca6c95e7abd3c
SHA512

25de17f11ffc9342542b41a4065bd183f82981ca6425b372d9f3d50e8545fe6be2fb17f505e175dd285bc1e269281b8be59f207207834f09783b6138a4fa1f0b
SSDEEP

384:HGsBGwRsABoANpjOz30TGDSRg9D63BdLVu55oHo6OncE5xecyE7HOq:VY4VB6z+GOiBo9855oHSTbeMHP

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/coadmin.dll

Files

50de6e3f3474d35a66fd8e8495dfc82ab8bb96d23bc05e62561ca6c95e7abd3cN
.cab
coadmin.dll
.dll regsvr32 windows:5 windows x86 arch:x86

30f394da5cf084ee7eeae85b5a550f2f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

coadmin.pdb

Imports

msvcrt

??2@YAPAXI@Z
wcschr
wcslen
_wcsupr
wcsstr
wcscpy
memmove
_wcsnicmp
_wcsicmp
free
_onexit
__dllonexit
_adjust_fdiv
malloc
_initterm
??3@YAXPAX@Z

advapi32

CryptAcquireContextA
RegQueryValueExA
SetThreadToken
OpenThreadToken
AccessCheck
RegOpenKeyExA
QueryServiceStatus
StartServiceA
CloseServiceHandle
ControlService
EnumDependentServicesA
OpenServiceA
OpenSCManagerA
RegCloseKey
RegSetValueExA
RegCreateKeyExA
RegDeleteKeyA

ole32

CoCreateFreeThreadedMarshaler
CoCreateInstance
CoUninitialize
CoRevokeClassObject
CoRegisterClassObject
CoInitializeEx
CoGetCallContext
CoSetProxyBlanket
CoImpersonateClient
CoDisconnectObject

kernel32

LeaveCriticalSection
EnterCriticalSection
SetLastError
GetVersionExA
GetCurrentThread
SetEvent
CreateEventA
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
DisableThreadLibraryCalls
DeleteCriticalSection
GetModuleHandleA
GetModuleFileNameA
InterlockedDecrement
FileTimeToLocalFileTime
LocalFileTimeToFileTime
Sleep
LocalAlloc
GetLastError
InterlockedIncrement
LocalFree
CloseHandle

shell32

ShellExecuteA

iisrtl

?FindString@MULTISZ@@QAEHPBD@Z
IISInitializeCriticalSection
?AuxAppend@MULTISZ@@AAEHPBEIH@Z
?CalcLength@MULTISZ@@SGKPBDPAK@Z
PuDeleteDebugPrintsObject
?AuxInit@MULTISZ@@AAEXPBE@Z
?AuxAppend@STRAU@@AAEHQAGIH@Z
?AuxAppend@STRAU@@AAEHQADIH@Z
?QueryStr@STRAU@@QAEPADH@Z
?AuxInit@STRAU@@AAEXQAG@Z
?AuxInit@STRAU@@AAEXQAD@Z
?AuxAppend@STR@@AAEHPBEIH@Z
?AuxInit@STR@@AAEXPBE@Z
??1BUFFER@@QAE@XZ
PuCreateDebugPrintsObject
IISGetPlatformType
?ReallocStorage@BUFFER@@AAEHI@Z
?GetNewStorage@BUFFER@@AAEHI@Z
InetReleaseResource
InetConvertExclusiveToShared
InetConvertSharedToExclusive
InetAcquireResourceShared
InetAcquireResourceExclusive
InetDeleteResource
InetInitializeResource
?DeleteChain@BUFFER_CHAIN@@QAEKXZ
PuDbgPrint

admwprox

ReleaseObjectSecurityContextW

Exports

Exports

??0BUFFER@@QAE@I@Z
??0BUFFER@@QAE@PAEI@Z
??0BUFFER_CHAIN@@QAE@XZ
??0BUFFER_CHAIN_ITEM@@QAE@I@Z
??0MULTISZ@@QAE@ABV0@@Z
??0MULTISZ@@QAE@PADK@Z
??0MULTISZ@@QAE@PBD@Z
??0MULTISZ@@QAE@XZ
??0STR@@QAE@ABV0@@Z
??0STR@@QAE@K@Z
??0STR@@QAE@PADK@Z
??0STR@@QAE@PBD@Z
??0STR@@QAE@XZ
??0STRAU@@QAE@AAV0@@Z
??0STRAU@@QAE@QAD@Z
??0STRAU@@QAE@QADH@Z
??0STRAU@@QAE@QAG@Z
??0STRAU@@QAE@XZ
??0TS_RESOURCE@@QAE@XZ
??1BUFFER_CHAIN@@QAE@XZ
??1BUFFER_CHAIN_ITEM@@QAE@XZ
??1MULTISZ@@QAE@XZ
??1STR@@QAE@XZ
??1STRAU@@QAE@XZ
??1TS_RESOURCE@@QAE@XZ
??4BUFFER@@QAEAAV0@ABV0@@Z
??4BUFFER_CHAIN@@QAEAAV0@ABV0@@Z
??4BUFFER_CHAIN_ITEM@@QAEAAV0@ABV0@@Z
??4MULTISZ@@QAEAAV0@ABV0@@Z
??4STR@@QAEAAV0@ABV0@@Z
??4STRAU@@QAEAAV0@ABV0@@Z
??4TS_RESOURCE@@QAEAAV0@ABV0@@Z
??_FBUFFER@@QAEXXZ
??_FBUFFER_CHAIN_ITEM@@QAEXXZ
?Append@MULTISZ@@QAEHABVSTR@@@Z
?Append@MULTISZ@@QAEHPBD@Z
?Append@MULTISZ@@QAEHPBDK@Z
?Append@STR@@QAEHABV1@@Z
?Append@STR@@QAEHPBD@Z
?Append@STR@@QAEHPBDK@Z
?Append@STR@@QAEXD@Z
?Append@STR@@QAEXDD@Z
?Append@STRAU@@QAEHAAV1@@Z
?Append@STRAU@@QAEHQAD@Z
?Append@STRAU@@QAEHQADK@Z
?Append@STRAU@@QAEHQAG@Z
?Append@STRAU@@QAEHQAGK@Z
?AppendCRLF@STR@@QAEXXZ
?Clone@MULTISZ@@QBEHPAV1@@Z
?Clone@STR@@QBEHPAV1@@Z
?Convert@TS_RESOURCE@@QAEXW4TSRES_CONV_TYPE@@@Z
?Copy@MULTISZ@@QAEHABV1@@Z
?Copy@MULTISZ@@QAEHPBDK@Z
?Copy@STR@@QAEHABV1@@Z
?Copy@STR@@QAEHPBD@Z
?Copy@STR@@QAEHPBDK@Z
?Copy@STRAU@@QAEHAAV1@@Z
?Copy@STRAU@@QAEHQAD@Z
?Copy@STRAU@@QAEHQADK@Z
?Copy@STRAU@@QAEHQAG@Z
?Copy@STRAU@@QAEHQAGK@Z
?FindString@MULTISZ@@QAEHABVSTR@@@Z
?First@MULTISZ@@QBEPBDXZ
?IsCurrentUnicode@STRAU@@QAEHXZ
?IsDynAlloced@BUFFER@@ABEHXZ
?IsEmpty@MULTISZ@@QBEHXZ
?IsEmpty@STR@@QBEHXZ
?IsEmpty@STRAU@@QAEHXZ
?IsValid@BUFFER@@IBEHXZ
?IsValid@MULTISZ@@QBEHXZ
?IsValid@STR@@QBEHXZ
?IsValid@STRAU@@QAEHXZ
?Lock@TS_RESOURCE@@QAEXW4TSRES_LOCK_TYPE@@@Z
?Next@MULTISZ@@QBEPBDPBD@Z
?QueryCB@MULTISZ@@QBEIXZ
?QueryCB@STR@@QBEIXZ
?QueryCB@STRAU@@QAEIH@Z
?QueryCBA@STRAU@@QAEIXZ
?QueryCBW@STRAU@@QAEIXZ
?QueryCCH@MULTISZ@@QBEIXZ
?QueryCCH@STR@@QBEIXZ
?QueryCCH@STRAU@@QAEIXZ
?QueryPtr@BUFFER@@QBEPAXXZ
?QuerySize@BUFFER@@QBEIXZ
?QueryStr@MULTISZ@@QBEPADXZ
?QueryStr@STR@@QBEPADXZ
?QueryStrA@MULTISZ@@QBEPADXZ
?QueryStrA@STR@@QBEPADXZ
?QueryStrA@STRAU@@QAEPADXZ
?QueryStrW@STRAU@@QAEPAGXZ
?QueryStringCount@MULTISZ@@QBEKXZ
?QueryUsed@BUFFER_CHAIN_ITEM@@QBEKXZ
?RecalcLen@MULTISZ@@QAEXXZ
?Reset@MULTISZ@@QAEXXZ
?Reset@STR@@QAEXXZ
?Reset@STRAU@@QAEXXZ
?Resize@BUFFER@@QAEHI@Z
?Resize@BUFFER@@QAEHII@Z
?SetLen@STR@@QAEHK@Z
?SetUsed@BUFFER_CHAIN_ITEM@@QAEXK@Z
?SetValid@BUFFER@@IAEXH@Z
?Unlock@TS_RESOURCE@@QAEXXZ
DllRegisterServer
DllUnregisterServer
InitComAdmindata
TerminateComAdmindata

Sections

.text
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 452B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

30f394da5cf084ee7eeae85b5a550f2f

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

advapi32

ole32

kernel32

shell32

iisrtl

admwprox

Exports

Exports

Sections

.text Size: 38KB - Virtual size: 38KB

.data Size: 512B - Virtual size: 452B

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 38KB - Virtual size: 38KB

.data
Size: 512B - Virtual size: 452B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 2KB - Virtual size: 1KB