39206261c26c70811b3369bf96f0e3d54396caa90b251b8f63bc038957e6214a

Sharing

Copy URL Twitter E-mail

General

Target

39206261c26c70811b3369bf96f0e3d54396caa90b251b8f63bc038957e6214a
Size

1.1MB
MD5

7bc0d3c33592f6c7699bac4e391e2119
SHA1

06e46dab800713bb4ea3fb6082d1371b1dfd2a57
SHA256

39206261c26c70811b3369bf96f0e3d54396caa90b251b8f63bc038957e6214a
SHA512

0bd4384cf9143b23a90018014b56950b52455dadcea81d9406bc4fe6bc8afcb572122f024a41a3d2041936a5b46d2ec7df424591b182db612e19e5cb35f36a2e
SSDEEP

24576:hC6WOL5q0Sy9yZKj3zfrKFKE46n8OPsahf8qC9PdeOr/rDQE:hC6xE0SSyZ4zfWEE46nHsObsMwjDQE

Score

5^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/1/bin/cygwin1.dll	upx

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/1/bin/WinDivert.dll
unpack001/1/bin/cygwin1.dll
unpack002/out.upx
unpack001/1/bin/winws.exe

Files

39206261c26c70811b3369bf96f0e3d54396caa90b251b8f63bc038957e6214a
.zip
1/bin/WinDivert.dll
.dll windows:4 windows x64 arch:x64

0b649f8e17494bb31b47f6e959a1769c

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

CloseServiceHandle
CreateServiceW
DeleteService
OpenSCManagerW
OpenServiceW
RegCloseKey
RegCreateKeyExA
RegSetValueExA
RegSetValueExW
StartServiceW

kernel32

CloseHandle
CreateEventW
CreateFileW
CreateMutexW
DeviceIoControl
GetLastError
GetModuleFileNameW
GetOverlappedResult
HeapAlloc
HeapCreate
HeapDestroy
ReleaseMutex
SetLastError
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
WaitForSingleObject

Exports

Exports

WinDivertClose
WinDivertGetParam
WinDivertHelperCalcChecksums
WinDivertHelperCompileFilter
WinDivertHelperDecrementTTL
WinDivertHelperEvalFilter
WinDivertHelperFormatFilter
WinDivertHelperFormatIPv4Address
WinDivertHelperFormatIPv6Address
WinDivertHelperHashPacket
WinDivertHelperHtonIPv6Address
WinDivertHelperHtonIpv6Address
WinDivertHelperHtonl
WinDivertHelperHtonll
WinDivertHelperHtons
WinDivertHelperNtohIPv6Address
WinDivertHelperNtohIpv6Address
WinDivertHelperNtohl
WinDivertHelperNtohll
WinDivertHelperNtohs
WinDivertHelperParseIPv4Address
WinDivertHelperParseIPv6Address
WinDivertHelperParsePacket
WinDivertOpen
WinDivertRecv
WinDivertRecvEx
WinDivertSend
WinDivertSendEx
WinDivertSetParam
WinDivertShutdown

Sections

.text
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 1024B - Virtual size: 840B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 1024B - Virtual size: 800B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 16B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 240B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
1/bin/WinDivert64.sys
.sys windows:10 windows x64 arch:x64

db584dd0570594898805dd67d7ff391c

Code Sign

01
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

01/01/2004, 00:00

Not After

31/12/2028, 23:59

Subject

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

25/05/2021, 00:00

Not After

31/12/2028, 23:59

Subject

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:d7:08:a8:91:40:53:19:e2:a5:bb:d3:39:b9:ad:6e
Certificate

Issuer

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Not Before

22/03/2021, 00:00

Not After

21/03/2036, 23:59

Subject

CN=Sectigo Public Code Signing CA EV R36,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/05/2019, 00:00

Not After

18/01/2038, 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

11/05/2022, 00:00

Not After

10/08/2033, 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #3,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

61:50:19:91:b1:8f:32:38:04:52:51:37:dc:25:00:5a
Certificate

Issuer

CN=Sectigo Public Code Signing CA EV R36,O=Sectigo Limited,C=GB

Not Before

25/05/2022, 00:00

Not After

25/05/2023, 23:59

Subject

SERIALNUMBER=91510107MA7E8Y2876,CN=成都密思听科技有限公司,O=成都密思听科技有限公司,ST=四川省,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

33:00:00:00:57:ee:4d:65:9a:92:3e:7c:10:00:00:00:00:00:57
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07/06/2022, 18:08

Not After

01/06/2023, 18:08

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/10/2014, 20:31

Not After

15/10/2029, 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5a:de:d7:5d:6b:eb:31:58:49:f6:98:a7:8f:80:33:de:26:eb:15:19:55:a1:cb:c0:1e:30:37:32:0e:2a:0e:b6
Signer

Actual PE Digest

5a:de:d7:5d:6b:eb:31:58:49:f6:98:a7:8f:80:33:de:26:eb:15:19:55:a1:cb:c0:1e:30:37:32:0e:2a:0e:b6

Digest Algorithm

sha256

PE Digest Matches

true

5a:de:d7:5d:6b:eb:31:58:49:f6:98:a7:8f:80:33:de:26:eb:15:19:55:a1:cb:c0:1e:30:37:32:0e:2a:0e:b6
Signer

Actual PE Digest

5a:de:d7:5d:6b:eb:31:58:49:f6:98:a7:8f:80:33:de:26:eb:15:19:55:a1:cb:c0:1e:30:37:32:0e:2a:0e:b6

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\WinDivert-2.2.2\install\MSVC\amd64\WinDivert64.pdb

Imports

ntoskrnl.exe

RtlCopyUnicodeString
KeBugCheckEx
IoGetRequestorProcess
PsGetProcessId
ExUuidCreate
ObfDereferenceObject
ObfReferenceObject
IoWriteErrorLogEntry
IoGetCurrentProcess
IoFreeMdl
IoAllocateMdl
IoAllocateErrorLogEntry
MmMapLockedPagesSpecifyCache
MmBuildMdlForNonPagedPool
ExFreePoolWithTag
ExAllocatePoolWithTag
KeReleaseInStackQueuedSpinLock
KeAcquireInStackQueuedSpinLock
RtlGetVersion
RtlIntegerToUnicodeString

hal

KeQueryPerformanceCounter

ndis.sys

NdisAllocateNetBufferPool
NdisFreeNetBufferPool
NdisAllocateNetBufferListPool
NdisGetDataBuffer
NdisAdvanceNetBufferDataStart
NdisRetreatNetBufferDataStart
NdisFreeNetBufferListPool

fwpkclnt.sys

FwpmTransactionAbort0
FwpmTransactionBegin0
FwpmEngineClose0
FwpmEngineOpen0
FwpsQueryPacketInjectionState0
FwpmProviderAdd0
FwpmProviderDeleteByKey0
FwpsInjectNetworkReceiveAsync0
FwpmSubLayerAdd0
FwpmSubLayerDeleteByKey0
FwpmCalloutAdd0
FwpmCalloutDeleteByKey0
FwpmFilterAdd0
FwpmFilterDeleteByKey0
FwpmTransactionCommit0
FwpsCalloutRegister0
FwpsCalloutUnregisterByKey0
FwpsFlowAssociateContext0
FwpsFlowRemoveContext0
FwpsInjectionHandleCreate0
FwpsInjectionHandleDestroy0
FwpsAllocateNetBufferAndNetBufferList0
FwpsFreeNetBufferList0
FwpsInjectNetworkSendAsync0
FwpsInjectForwardAsync0

wdfldr.sys

WdfVersionBindClass
WdfVersionUnbindClass
WdfVersionBind
WdfVersionUnbind

Sections

.text
Size: 45KB - Virtual size: 44KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 420B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
1/bin/cygwin1.dll
.dll windows:4 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Exports

Exports

GetCommandLineA@0
GetCommandLineW@0
_Exit
__argc
__argv
__assert
__assert_func
__assertfail
__b64_ntop
__b64_pton
__bsd_qsort_r
__check_rhosts_file
__chk_fail
__cpuset_alloc
__cpuset_free
__ctype_ptr__
__cxa_atexit
__cxa_finalize
__cygwin_user_data
__dn_comp
__dn_expand
__dn_skipname
__eprintf
__errno
__fbufsize
__flbf
__fpclassifyd
__fpclassifyf
__fpending
__fpurge
__freadable
__freading
__fsetlocking
__fwritable
__fwriting
__getpagesize
__getreent
__gets_chk
__gnu_basename
__infinity
__isinfd
__isinff
__isnand
__isnanf
__locale_ctype_ptr
__locale_ctype_ptr_l
__locale_mb_cur_max
__main
__mb_cur_max
__memcpy_chk
__memmove_chk
__mempcpy
__mempcpy_chk
__memset_chk
__opendir_with_d_ino
__progname
__rcmd_errstr
__res_close
__res_init
__res_mkquery
__res_nclose
__res_ninit
__res_nmkquery
__res_nquery
__res_nquerydomain
__res_nsearch
__res_nsend
__res_query
__res_querydomain
__res_search
__res_send
__res_state
__sched_getaffinity_sys
__signbitd
__signbitf
__signgam
__snprintf_chk
__sprintf_chk
__srget
__srget_r
__stack_chk_fail
__stack_chk_fail_local
__stack_chk_guard
__stpcpy_chk
__stpncpy_chk
__strcat_chk
__strcpy_chk
__strncat_chk
__strncpy_chk
__swbuf
__swbuf_r
__vsnprintf_chk
__vsprintf_chk
__wrap__ZdaPv
__wrap__ZdaPvRKSt9nothrow_t
__wrap__ZdlPv
__wrap__ZdlPvRKSt9nothrow_t
__wrap__Znam
__wrap__ZnamRKSt9nothrow_t
__wrap__Znwm
__wrap__ZnwmRKSt9nothrow_t
__xdrrec_getrec
__xdrrec_setnonblock
__xpg_sigpause
__xpg_strerror_r
_alloca
_check_for_executable
_ctype_
_daylight
_dll_crt0
_exit
_fe_dfl_env
_fe_nomask_env
_feinitialise
_fscanf_r
_get_osfhandle
_impure_ptr
_longjmp
_pipe
_pthread_cleanup_pop
_pthread_cleanup_push
_setjmp
_setmode
_sys_errlist
_sys_nerr
_timezone
_tzname
a64l
abort
abs
accept
accept4
access
acl
acl_add_perm
acl_calc_mask
acl_check
acl_clear_perms
acl_cmp
acl_copy_entry
acl_copy_ext
acl_copy_int
acl_create_entry
acl_delete_def_file
acl_delete_entry
acl_delete_perm
acl_dup
acl_entries
acl_equiv_mode
acl_error
acl_extended_fd
acl_extended_file
acl_extended_file_nofollow
acl_free
acl_from_mode
acl_from_text
acl_get_entry
acl_get_fd
acl_get_file
acl_get_perm
acl_get_permset
acl_get_qualifier
acl_get_tag_type
acl_init
acl_set_fd
acl_set_file
acl_set_permset
acl_set_qualifier
acl_set_tag_type
acl_size
acl_to_any_text
acl_to_text
acl_valid
aclcheck
aclfrommode
aclfrompbits
aclfromtext
aclsort
acltomode
acltopbits
acltotext
acos
acosf
acosh
acoshf
acoshl
acosl
aio_cancel
aio_error
aio_fsync
aio_read
aio_return
aio_suspend
aio_write
alarm
aligned_alloc
alphasort
arc4random
arc4random_addrandom
arc4random_buf
arc4random_stir
arc4random_uniform
argz_add
argz_add_sep
argz_append
argz_count
argz_create
argz_create_sep
argz_delete
argz_extract
argz_insert
argz_next
argz_replace
argz_stringify
asctime
asctime_r
asin
asinf
asinh
asinhf
asinhl
asinl
asnprintf
asprintf
at_quick_exit
atan
atan2
atan2f
atan2l
atanf
atanh
atanhf
atanhl
atanl
atexit
atof
atoff
atoi
atol
atoll
basename
bcmp
bcopy
bind
bindresvport
bindresvport_sa
bsearch
btowc
bzero
cabs
cabsf
cabsl
cacos
cacosf
cacosh
cacoshf
cacoshl
cacosl
call_once
calloc
canonicalize_file_name
carg
cargf
cargl
casin
casinf
casinh
casinhf
casinhl
casinl
catan
catanf
catanh
catanhf
catanhl
catanl
catclose
catgets
catopen
cbrt
cbrtf
cbrtl
ccos
ccosf
ccosh
ccoshf
ccoshl
ccosl
ceil
ceilf
ceill
cexp
cexpf
cexpl
cfgetispeed
cfgetospeed
cfmakeraw
cfsetispeed
cfsetospeed
cfsetspeed
chdir
chmod
chown
chroot
cimag
cimagf
cimagl
clearenv
clearerr
clearerr_unlocked
clock
clock_getcpuclockid
clock_getres
clock_gettime
clock_nanosleep
clock_setres
clock_settime
clog
clog10
clog10f
clog10l
clogf
clogl
close
closedir
closelog
cnd_broadcast
cnd_destroy
cnd_init
cnd_signal
cnd_timedwait
cnd_wait
confstr
conj
conjf
conjl
connect
copysign
copysignf
copysignl
cos
cosf
cosh
coshf
coshl
cosl
cpow
cpowf
cpowl
cproj
cprojf
cprojl
creal
crealf
creall
creat
csin
csinf
csinh
csinhf
csinhl
csinl
csqrt
csqrtf
csqrtl
ctan
ctanf
ctanh
ctanhf
ctanhl
ctanl
ctermid
ctime
ctime_r
cuserid
cwait
cygwin_attach_handle_to_fd
cygwin_conv_path
cygwin_conv_path_list
cygwin_create_path
cygwin_detach_dll
cygwin_dll_init
cygwin_internal
cygwin_logon_user
cygwin_posix_path_list_p
cygwin_set_impersonation_token
cygwin_split_path
cygwin_stackdump
cygwin_umount
cygwin_winpid_to_pid
daemon
dbm_clearerr
dbm_close
dbm_delete
dbm_dirfno
dbm_error
dbm_fetch
dbm_firstkey
dbm_nextkey
dbm_open
dbm_store
difftime
dirfd
dirname
div
dladdr
dlclose
dlerror
dlfork
dll_crt0__FP11per_process
dll_dllcrt0
dll_entry
dlopen
dlsym
dn_comp
dn_expand
dn_skipname
dprintf
drand48
drem
dremf
dreml
dup
dup2
dup3
duplocale
eaccess
ecvt
ecvtbuf
ecvtf
endgrent
endhostent
endmntent
endprotoent
endpwent
endservent
endusershell
endutent
endutxent
environ
envz_add
envz_entry
envz_get
envz_merge
envz_remove
envz_strip
erand48
erf
erfc
erfcf
erfcl
erff
erfl
err
error
error_at_line
error_message_count
error_one_per_line
error_print_progname
errx
euidaccess
execl
execle
execlp
execv
execve
execvp
execvpe
exit
exp
exp10
exp10f
exp10l
exp2
exp2f
exp2l
expf
expl
explicit_bzero
expm1
expm1f
expm1l
fabs
fabsf
fabsl
faccessat
facl
fchdir
fchmod
fchmodat
fchown
fchownat
fclose
fcloseall
fcntl
fcvt
fcvtbuf
fcvtf
fdatasync
fdim

Sections

UPX0
Size: - Virtual size: 2.1MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 961KB - Virtual size: 964KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 36KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.dll windows:4 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.text
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

/4
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 274KB - Virtual size: 273KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 400KB - Virtual size: 399KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.buildid
Size: 512B - Virtual size: 53B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 69KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 69KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 161KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 35KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/19
Size: 49KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

/38
Size: 512B - Virtual size: 20B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
1/bin/quic_initial_www_google_com.bin
1/bin/tls_clienthello_www_google_com.bin
1/bin/winws.exe
.exe windows:4 windows x64 arch:x64

255c40683a25f28abd8a51314c080715

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

PDB Paths

Imports

cygwin1

__cxa_atexit
__errno
__getreent
__locale_ctype_ptr
__main
__stack_chk_fail
__stack_chk_guard
_dll_crt0
_impure_ptr
atoi
calloc
chdir
close
cygwin_detach_dll
cygwin_internal
dirname
dll_dllcrt0
dup
exit
fclose
fflush
fgets
fopen
fork
fprintf
fputc
fread
free
fseek
fwrite
getopt_long_only
getpid
getsockopt
inet_ntop
inet_pton
localtime_r
malloc
memcmp
memcpy
memmem
memmove
memset
open
openlog
optarg
posix_memalign
printf
putchar
puts
random
realloc
setsid
setsockopt
signal
snprintf
srandom
sscanf
stat
strcasecmp
strchr
strcmp
strdup
strerror
strlen
strncasecmp
strncat
strncpy
syslog
time
tolower
toupper
usleep
vfprintf
vsnprintf

advapi32

RegCloseKey
RegEnumKeyExA
RegOpenKeyExA
RegQueryValueExA
RegQueryValueExW
RegisterServiceCtrlHandlerA
SetServiceStatus
StartServiceCtrlDispatcherA

kernel32

CancelIoEx
CloseHandle
CreateEventW
CreateMutexA
FormatMessageA
GetLastError
GetModuleHandleA
GetOverlappedResult
GetTickCount
LocalFree
ReleaseMutex
SetLastError
WaitForSingleObject
WideCharToMultiByte

ole32

CoCreateInstance
CoInitialize
CoUninitialize

oleaut32

SysFreeString

wlanapi

WlanCloseHandle
WlanEnumInterfaces
WlanFreeMemory
WlanOpenHandle
WlanQueryInterface

windivert

WinDivertClose
WinDivertOpen
WinDivertRecvEx
WinDivertSend

Sections

.text
Size: 125KB - Virtual size: 124KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 85KB - Virtual size: 84KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.buildid
Size: 512B - Virtual size: 53B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 23KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 268B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
1/discord.bat
.bat .vbs
1/discord_youtube.bat
.bat .vbs
1/list-discord.txt
1/list-general.txt
1/service_discord.bat
.bat .vbs
1/service_discord_youtube.bat
.bat .vbs
1/service_goodbye_discord.bat
.bat .vbs
1/service_remove.bat
.bat .vbs

Sharing

General

Malware Config

Signatures

Files

0b649f8e17494bb31b47f6e959a1769c

Headers

File Characteristics

Imports

advapi32

kernel32

Exports

Exports

Sections

.text Size: 30KB - Virtual size: 30KB

.data Size: 512B - Virtual size: 32B

.rdata Size: 9KB - Virtual size: 8KB

.pdata Size: 1024B - Virtual size: 840B

.xdata Size: 1024B - Virtual size: 800B

.bss Size: - Virtual size: 16B

.edata Size: 1KB - Virtual size: 1KB

.idata Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 240B

db584dd0570594898805dd67d7ff391c

Code Sign

01Certificate

Key Usages

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16Certificate

Extended Key Usages

Key Usages

33:d7:08:a8:91:40:53:19:e2:a5:bb:d3:39:b9:ad:6eCertificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43Certificate

Extended Key Usages

Key Usages

61:50:19:91:b1:8f:32:38:04:52:51:37:dc:25:00:5aCertificate

Extended Key Usages

Key Usages

33:00:00:00:57:ee:4d:65:9a:92:3e:7c:10:00:00:00:00:00:57Certificate

Extended Key Usages

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0dCertificate

Key Usages

5a:de:d7:5d:6b:eb:31:58:49:f6:98:a7:8f:80:33:de:26:eb:15:19:55:a1:cb:c0:1e:30:37:32:0e:2a:0e:b6Signer

5a:de:d7:5d:6b:eb:31:58:49:f6:98:a7:8f:80:33:de:26:eb:15:19:55:a1:cb:c0:1e:30:37:32:0e:2a:0e:b6Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

ndis.sys

fwpkclnt.sys

wdfldr.sys

Sections

.text Size: 45KB - Virtual size: 44KB

.rdata Size: 17KB - Virtual size: 17KB

.data Size: 512B - Virtual size: 16KB

.pdata Size: 2KB - Virtual size: 1KB

.gfids Size: 512B - Virtual size: 4B

INIT Size: 2KB - Virtual size: 2KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 420B

Headers

DLL Characteristics

File Characteristics

Exports

Exports

Sections

UPX0 Size: - Virtual size: 2.1MB

UPX1 Size: 961KB - Virtual size: 964KB

.rsrc Size: 36KB - Virtual size: 40KB

Headers

DLL Characteristics

File Characteristics

Sections

.text
Size: 30KB - Virtual size: 30KB

.data
Size: 512B - Virtual size: 32B

.rdata
Size: 9KB - Virtual size: 8KB

.pdata
Size: 1024B - Virtual size: 840B

.xdata
Size: 1024B - Virtual size: 800B

.bss
Size: - Virtual size: 16B

.edata
Size: 1KB - Virtual size: 1KB

.idata
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 240B

01
Certificate

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

33:d7:08:a8:91:40:53:19:e2:a5:bb:d3:39:b9:ad:6e
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43
Certificate

61:50:19:91:b1:8f:32:38:04:52:51:37:dc:25:00:5a
Certificate

33:00:00:00:57:ee:4d:65:9a:92:3e:7c:10:00:00:00:00:00:57
Certificate

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

5a:de:d7:5d:6b:eb:31:58:49:f6:98:a7:8f:80:33:de:26:eb:15:19:55:a1:cb:c0:1e:30:37:32:0e:2a:0e:b6
Signer

5a:de:d7:5d:6b:eb:31:58:49:f6:98:a7:8f:80:33:de:26:eb:15:19:55:a1:cb:c0:1e:30:37:32:0e:2a:0e:b6
Signer

.text
Size: 45KB - Virtual size: 44KB

.rdata
Size: 17KB - Virtual size: 17KB

.data
Size: 512B - Virtual size: 16KB

.pdata
Size: 2KB - Virtual size: 1KB

.gfids
Size: 512B - Virtual size: 4B

INIT
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 420B

UPX0
Size: - Virtual size: 2.1MB

UPX1
Size: 961KB - Virtual size: 964KB

.rsrc
Size: 36KB - Virtual size: 40KB

.text
Size: 1.9MB - Virtual size: 1.9MB

/4
Size: 14KB - Virtual size: 13KB

.data
Size: 274KB - Virtual size: 273KB

.rdata
Size: 400KB - Virtual size: 399KB

.buildid
Size: 512B - Virtual size: 53B

.pdata
Size: 69KB - Virtual size: 68KB

.xdata
Size: 69KB - Virtual size: 68KB

.bss
Size: - Virtual size: 161KB

.edata
Size: 35KB - Virtual size: 35KB

.reloc
Size: 22KB - Virtual size: 22KB

/19
Size: 49KB - Virtual size: 48KB

.idata
Size: 15KB - Virtual size: 14KB

.rsrc
Size: 1KB - Virtual size: 1KB

/38
Size: 512B - Virtual size: 20B

.text
Size: 125KB - Virtual size: 124KB

.data
Size: 2KB - Virtual size: 2KB

.rdata
Size: 85KB - Virtual size: 84KB

.buildid
Size: 512B - Virtual size: 53B

.pdata
Size: 4KB - Virtual size: 3KB

.xdata
Size: 4KB - Virtual size: 3KB

.bss
Size: - Virtual size: 23KB

.idata
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 6KB - Virtual size: 6KB

.reloc
Size: 512B - Virtual size: 268B