536d2c15ac1a3e7572d5d66d36f1295747bf3b0927eefd3c1dd606cbf62d79eeN

Sharing

Copy URL Twitter E-mail

General

Target

536d2c15ac1a3e7572d5d66d36f1295747bf3b0927eefd3c1dd606cbf62d79eeN
Size

56KB
MD5

6e41418776c61abc30a580836d190ca0
SHA1

07b560749e9c6ed3c565a33cb60e314e6ed41387
SHA256

536d2c15ac1a3e7572d5d66d36f1295747bf3b0927eefd3c1dd606cbf62d79ee
SHA512

da81bccfbb4d3b32e7da4a06e25ba96e6bc5b72cc4e4d8f3296d6001636a784958469de83774d8ce7c21450893350b21b0007d8d27943acb0d52b405a2dee21a
SSDEEP

768:Q6D2+uq+SIuG1ijglhEUPJiaPaEEL32h1cBMGWR2G73QkAFY4CKNGf3DCWfEy:Q6KRqrZjYPPJOq1cuJqY4efHfEy

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/vdsbas.dll

Files

536d2c15ac1a3e7572d5d66d36f1295747bf3b0927eefd3c1dd606cbf62d79eeN
.cab
vdsbas.dll
.dll regsvr32 windows:5 windows x86 arch:x86

0776c623ae4c07e248dbcdcd531656f0

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

vdsbas.pdb

Imports

msvcrt

??1type_info@@UAE@XZ
?terminate@@YAXXZ
_adjust_fdiv
_initterm
free
wcsncmp
_snwprintf
sprintf
strstr
strchr
memmove
strncpy
_CxxThrowException
?_set_se_translator@@YAP6AXIPAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z
wcschr
towupper
wcsstr
wcsncpy
wcslen
wcscmp
wcscpy
_wcsicmp
_except_handler3
_purecall
??2@YAPAXI@Z
??3@YAXPAX@Z
__CxxFrameHandler
malloc
swprintf
atoi

msvcp60

??1_Lockit@std@@QAE@XZ
??0_Lockit@std@@QAE@XZ

atl

ord32
ord15
ord23
ord57
ord18
ord21
ord16
ord30

ntdll

NtPowerInformation
NtSetInformationFile
NtQueryInformationFile
NtQueryVolumeInformationFile
NtQuerySystemInformation

kernel32

WaitForSingleObject
Sleep
GetFileSize
HeapReAlloc
SetEndOfFile
FindFirstVolumeW
FindNextVolumeW
FindVolumeClose
SetFilePointerEx
ReadFile
SetFilePointer
WriteFile
CreateFileW
QueryPerformanceCounter
DeviceIoControl
CreateThread
LoadLibraryW
GetProcAddress
FreeLibrary
CloseHandle
GetSystemDirectoryW
QueryDosDeviceW
InterlockedCompareExchange
GetModuleHandleW
GetLastError
DisableThreadLibraryCalls
InterlockedDecrement
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InterlockedExchange
EnterCriticalSection
lstrlenW
ResumeThread
DeleteCriticalSection
HeapFree
GetProcessHeap
InitializeCriticalSection
InterlockedIncrement
LeaveCriticalSection

user32

DefWindowProcW
PeekMessageW
GetMessageW
UnregisterDeviceNotification
PostThreadMessageW
RegisterDeviceNotificationW

ole32

CoCreateGuid
CoTaskMemAlloc
CoTaskMemFree

setupapi

CM_Get_Parent
SetupDiGetClassDevsW
SetupDiEnumDeviceInterfaces
SetupDiDestroyDeviceInfoList

advapi32

RegCloseKey
RegOpenKeyExW
RegQueryValueExW

vdsutil

?VdsSeTranslator@CVdsStructuredExceptionTranslator@@SGXIPAU_EXCEPTION_POINTERS@@@Z
??1CVdsCallTracer@@QAE@XZ
??0CVdsCallTracer@@QAE@KPBD@Z
?AddEventSource@@YGKPAGPAUHINSTANCE__@@@Z
?VdsTraceEx@@YAXKKPADZZ
?RegisterProvider@@YGJU_GUID@@0PAGW4_VDS_PROVIDER_TYPE@@110@Z
?RemoveEventSource@@YGKPAG@Z
?UnregisterProvider@@YGJU_GUID@@@Z
?VdsHeapFree@@YGHPAXK0@Z
?VdsHeapAlloc@@YGPAXPAXKK@Z
?VdsTraceExW@@YAXKKPAGZZ
??M@YG_NABU_GUID@@0@Z
?GetDiskLayout@@YGKPAXPAPAU_DRIVE_LAYOUT_INFORMATION_EX@@@Z
?OpenDevice@@YGKPAGKPAPAX@Z
?Uninitialize@CVdsAsyncObjectBase@@SGXXZ
?Uninitialize@CVdsPnPNotificationBase@@QAEXXZ
?GetDeviceName@@YGKPAXHQAG@Z
?GetInterfaceDetailData@@YGKPAXPAU_SP_DEVICE_INTERFACE_DATA@@PAPAU_SP_DEVICE_INTERFACE_DETAIL_DATA_W@@@Z
?Initialize@CVdsAsyncObjectBase@@SGKXZ
?Initialize@CVdsPnPNotificationBase@@QAEKXZ
?VdsInitializeCriticalSection@@YGKPAU_RTL_CRITICAL_SECTION@@@Z
?IsWinPE@@YGHXZ
?Clone@CPrvEnumObject@@UAGJPAPAUIEnumVdsObject@@@Z
?Reset@CPrvEnumObject@@UAGJXZ
?Skip@CPrvEnumObject@@UAGJK@Z
?Next@CPrvEnumObject@@UAGJKPAPAUIUnknown@@PAK@Z
?UnregisterHandle@CVdsPnPNotificationBase@@QAEXPAX@Z
?RegisterHandle@CVdsPnPNotificationBase@@QAEKPAXPAPAX@Z
?GetDeviceAndMediaType@@YGKPAXPAK1@Z
?Append@CPrvEnumObject@@QAEJPAUIUnknown@@@Z
??1CVdsAsyncObjectBase@@QAE@XZ
??0CVdsAsyncObjectBase@@QAE@XZ
?QueryObjects@@YGJPAUIUnknown@@PAPAUIEnumVdsObject@@AAU_RTL_CRITICAL_SECTION@@@Z
?QueryStatus@CVdsAsyncObjectBase@@UAGJPAJPAK@Z
?Signal@CVdsAsyncObjectBase@@QAEXXZ
?SetCompletionStatus@CVdsAsyncObjectBase@@QAEXJK@Z
?SetDiskLayout@@YGKPAXPAU_DRIVE_LAYOUT_INFORMATION_EX@@@Z
?GetVolumeName@@YGJPAG0@Z
?GetMediaGeometry@@YGKPAXPAU_VDS_DISK_PROP@@@Z
?IsMediaPresent@@YGHPAX@Z
?VdsTrace@@YAXKPADZZ
?GetDeviceNumber@@YGKPAXPAU_STORAGE_DEVICE_NUMBER@@@Z
?LockDismountVolume@@YGKPAXH@Z
?Unregister@CVdsPnPNotificationBase@@QAEXPAU_NotificationListeningRequest@@@Z
?Register@CVdsPnPNotificationBase@@QAEKPAU_NotificationListeningRequest@@K@Z
?GetPartitionInformation@@YGKPAXPAU_PARTITION_INFORMATION_EX@@@Z
?IsDiskClustered@@YGHPAX@Z
?GetDeviceRegistryProperty@@YGKKKPAPAEK@Z
?VdsAllocateEmptyString@@YGPAGXZ
?GetDeviceRegistryProperty@@YGKPAXPAU_SP_DEVINFO_DATA@@KPAPAEK@Z
?CreateDeviceInfoSet@@YGKPAGPAPAXPAU_SP_DEVINFO_DATA@@@Z
?GetDeviceLocation@@YGKPAXPAU_VDS_DISK_PROP@@@Z
?WaitImpl@CVdsAsyncObjectBase@@QAEJPAJ@Z
?GetIsRemovable@@YGKPAXPAH@Z
?IsDeviceFullyInstalled@@YGHPAG@Z
?LogError@@YGXPAGKKPAXKK0PAD@Z

Exports

Exports

??0?$CVdsHandleImpl@$0?0@@QAE@XZ
??0?$CVdsHandleImpl@$0A@@@QAE@XZ
??0?$CVdsHeapPtr@D@@QAE@XZ
??0?$CVdsHeapPtr@E@@QAE@XZ
??0?$CVdsHeapPtr@G@@QAE@XZ
??0?$CVdsHeapPtr@U_AUCTION_THREAD_PARAMETER@@@@QAE@XZ
??0?$CVdsHeapPtr@U_BOOT_ENTRY@@@@QAE@XZ
??0?$CVdsHeapPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QAE@XZ
??0?$CVdsHeapPtr@U_FILE_PATH@@@@QAE@XZ
??0?$CVdsHeapPtr@U_SP_DEVICE_INTERFACE_DETAIL_DATA_W@@@@QAE@XZ
??0?$CVdsHeapPtr@U_VDS_DRIVE_LAYOUT_INFORMATION_EX@@@@QAE@XZ
??0?$CVdsHeapPtr@U_VOLMGR_HIDDEN_VOLUMES@@@@QAE@XZ
??0?$CVdsPtr@D@@QAE@XZ
??0?$CVdsPtr@E@@QAE@XZ
??0?$CVdsPtr@G@@QAE@XZ
??0?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QAE@XZ
??0?$CVdsPtr@U_BOOT_ENTRY@@@@QAE@XZ
??0?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QAE@XZ
??0?$CVdsPtr@U_FILE_PATH@@@@QAE@XZ
??0?$CVdsPtr@U_SP_DEVICE_INTERFACE_DETAIL_DATA_W@@@@QAE@XZ
??0?$CVdsPtr@U_VDS_DRIVE_LAYOUT_INFORMATION_EX@@@@QAE@XZ
??0?$CVdsPtr@U_VOLMGR_HIDDEN_VOLUMES@@@@QAE@XZ
??0CPrvEnumObject@@QAE@XZ
??0CVdsCriticalSection@@QAE@PAU_RTL_CRITICAL_SECTION@@@Z
??0CVdsPnPNotificationBase@@QAE@XZ
??0CVdsStructuredExceptionTranslator@@QAE@XZ
??0CVdsUnlockIt@@QAE@AAJ@Z
??1?$CVdsHandleImpl@$0?0@@QAE@XZ
??1?$CVdsHandleImpl@$0A@@@QAE@XZ
??1?$CVdsHeapPtr@D@@QAE@XZ
??1?$CVdsHeapPtr@E@@QAE@XZ
??1?$CVdsHeapPtr@G@@QAE@XZ
??1?$CVdsHeapPtr@U_AUCTION_THREAD_PARAMETER@@@@QAE@XZ
??1?$CVdsHeapPtr@U_BOOT_ENTRY@@@@QAE@XZ
??1?$CVdsHeapPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QAE@XZ
??1?$CVdsHeapPtr@U_FILE_PATH@@@@QAE@XZ
??1?$CVdsHeapPtr@U_SP_DEVICE_INTERFACE_DETAIL_DATA_W@@@@QAE@XZ
??1?$CVdsHeapPtr@U_VDS_DRIVE_LAYOUT_INFORMATION_EX@@@@QAE@XZ
??1?$CVdsHeapPtr@U_VOLMGR_HIDDEN_VOLUMES@@@@QAE@XZ
??1?$CVdsPtr@D@@QAE@XZ
??1?$CVdsPtr@E@@QAE@XZ
??1?$CVdsPtr@G@@QAE@XZ
??1?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QAE@XZ
??1?$CVdsPtr@U_BOOT_ENTRY@@@@QAE@XZ
??1?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QAE@XZ
??1?$CVdsPtr@U_FILE_PATH@@@@QAE@XZ
??1?$CVdsPtr@U_SP_DEVICE_INTERFACE_DETAIL_DATA_W@@@@QAE@XZ
??1?$CVdsPtr@U_VDS_DRIVE_LAYOUT_INFORMATION_EX@@@@QAE@XZ
??1?$CVdsPtr@U_VOLMGR_HIDDEN_VOLUMES@@@@QAE@XZ
??1CPrvEnumObject@@QAE@XZ
??1CVdsCriticalSection@@QAE@XZ
??1CVdsDebugLog@@QAE@XZ
??1CVdsPnPNotificationBase@@QAE@XZ
??1CVdsStructuredExceptionTranslator@@QAE@XZ
??1CVdsUnlockIt@@QAE@XZ
??4?$CVdsHandleImpl@$0A@@@QAEPAXPAX@Z
??4?$CVdsHeapPtr@D@@QAEPADPAD@Z
??4?$CVdsHeapPtr@E@@QAEPAEPAE@Z
??4?$CVdsHeapPtr@G@@QAEPAGPAG@Z
??4?$CVdsHeapPtr@U_AUCTION_THREAD_PARAMETER@@@@QAEPAU_AUCTION_THREAD_PARAMETER@@PAU1@@Z
??4?$CVdsHeapPtr@U_BOOT_ENTRY@@@@QAEPAU_BOOT_ENTRY@@PAU1@@Z
??4?$CVdsHeapPtr@U_FILE_PATH@@@@QAEPAU_FILE_PATH@@PAU1@@Z
??4?$CVdsHeapPtr@U_VDS_DRIVE_LAYOUT_INFORMATION_EX@@@@QAEPAU_VDS_DRIVE_LAYOUT_INFORMATION_EX@@PAU1@@Z
??8?$CVdsHandleImpl@$0A@@@QBE_NPAX@Z
??8?$CVdsPtr@D@@QBE_NPAD@Z
??8?$CVdsPtr@E@@QBE_NPAE@Z
??8?$CVdsPtr@G@@QBE_NPAG@Z
??8?$CVdsPtr@U_BOOT_ENTRY@@@@QBE_NPAU_BOOT_ENTRY@@@Z
??8?$CVdsPtr@U_FILE_PATH@@@@QBE_NPAU_FILE_PATH@@@Z
??9?$CVdsHandleImpl@$0A@@@QBE_NPAX@Z
??9?$CVdsPtr@E@@QBE_NPAE@Z
??9?$CVdsPtr@G@@QBE_NPAG@Z
??9?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QBE_NPAU_AUCTION_THREAD_PARAMETER@@@Z
??A?$CVdsPtr@D@@QAEAADK@Z
??B?$CVdsHandleImpl@$0?0@@QAEPAXXZ
??B?$CVdsHandleImpl@$0A@@@QAEPAXXZ
??B?$CVdsPtr@D@@QBEPADXZ
??B?$CVdsPtr@E@@QBEPAEXZ
??B?$CVdsPtr@G@@QBEPAGXZ
??B?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QBEPAU_AUCTION_THREAD_PARAMETER@@XZ
??B?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QBEPAU_DRIVE_LAYOUT_INFORMATION_EX@@XZ
??B?$CVdsPtr@U_FILE_PATH@@@@QBEPAU_FILE_PATH@@XZ
??B?$CVdsPtr@U_VDS_DRIVE_LAYOUT_INFORMATION_EX@@@@QBEPAU_VDS_DRIVE_LAYOUT_INFORMATION_EX@@XZ
??C?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QBEPAU_AUCTION_THREAD_PARAMETER@@XZ
??C?$CVdsPtr@U_BOOT_ENTRY@@@@QBEPAU_BOOT_ENTRY@@XZ
??C?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QBEPAU_DRIVE_LAYOUT_INFORMATION_EX@@XZ
??C?$CVdsPtr@U_FILE_PATH@@@@QBEPAU_FILE_PATH@@XZ
??C?$CVdsPtr@U_VDS_DRIVE_LAYOUT_INFORMATION_EX@@@@QBEPAU_VDS_DRIVE_LAYOUT_INFORMATION_EX@@XZ
??I?$CVdsHandleImpl@$0?0@@QAEPAPAXXZ
??I?$CVdsPtr@G@@QAEPAPAGXZ
??I?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QAEPAPAU_DRIVE_LAYOUT_INFORMATION_EX@@XZ
??I?$CVdsPtr@U_VDS_DRIVE_LAYOUT_INFORMATION_EX@@@@QAEPAPAU_VDS_DRIVE_LAYOUT_INFORMATION_EX@@XZ
?AllowCancel@CVdsAsyncObjectBase@@QAEXXZ
?Attach@?$CVdsPtr@G@@QAEXPAG@Z
?Attach@?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QAEXPAU_DRIVE_LAYOUT_INFORMATION_EX@@@Z
?Attach@?$CVdsPtr@U_SP_DEVICE_INTERFACE_DETAIL_DATA_W@@@@QAEXPAU_SP_DEVICE_INTERFACE_DETAIL_DATA_W@@@Z
?Attach@?$CVdsPtr@U_VDS_DRIVE_LAYOUT_INFORMATION_EX@@@@QAEXPAU_VDS_DRIVE_LAYOUT_INFORMATION_EX@@@Z
?Attach@?$CVdsPtr@U_VOLMGR_HIDDEN_VOLUMES@@@@QAEXPAU_VOLMGR_HIDDEN_VOLUMES@@@Z
?Close@?$CVdsHandleImpl@$0?0@@QAEXXZ
?Detach@?$CVdsHandleImpl@$0?0@@QAEPAXXZ
?Detach@?$CVdsPtr@G@@QAEPAGXZ
?Detach@?$CVdsPtr@U_AUCTION_THREAD_PARAMETER@@@@QAEPAU_AUCTION_THREAD_PARAMETER@@XZ
?Detach@?$CVdsPtr@U_DRIVE_LAYOUT_INFORMATION_EX@@@@QAEPAU_DRIVE_LAYOUT_INFORMATION_EX@@XZ
?Detach@?$CVdsPtr@U_VDS_DRIVE_LAYOUT_INFORMATION_EX@@@@QAEPAU_VDS_DRIVE_LAYOUT_INFORMATION_EX@@XZ
?DisallowCancel@CVdsAsyncObjectBase@@QAEXXZ
?GetOutputType@CVdsAsyncObjectBase@@QAE?AW4__MIDL___MIDL_itf_vdsswprv_0000_0002@@XZ
?IsCancelRequested@CVdsAsyncObjectBase@@QAEHXZ
?SetOutputType@CVdsAsyncObjectBase@@QAEXW4__MIDL___MIDL_itf_vdsswprv_0000_0002@@@Z
?SetPositionToLast@CPrvEnumObject@@QAEXXZ
?TracingLogEnabled@CVdsDebugLog@@QAEHXZ
?ZeroAsyncOut@CVdsAsyncObjectBase@@QAEXXZ
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 126KB - Virtual size: 125KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0776c623ae4c07e248dbcdcd531656f0

Headers

File Characteristics

PDB Paths

Imports

msvcrt

msvcp60

atl

ntdll

kernel32

user32

ole32

setupapi

advapi32

vdsutil

Exports

Exports

Sections

.text Size: 126KB - Virtual size: 125KB

.data Size: 1024B - Virtual size: 1KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 7KB - Virtual size: 7KB

.text
Size: 126KB - Virtual size: 125KB

.data
Size: 1024B - Virtual size: 1KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 7KB - Virtual size: 7KB