eb5b250be045ebb96ec3be53ff2a81a3d34a7c7e2e892cc378d8fa7b05a84701N

Sharing

Copy URL

Twitter E-mail

General

Target

eb5b250be045ebb96ec3be53ff2a81a3d34a7c7e2e892cc378d8fa7b05a84701N
Size

333KB
MD5

d7eadfc3b361f326c7999dbe8e9ef7f0
SHA1

28f936a78ef9cefda0667714f8fff6a9a7c76fd0
SHA256

eb5b250be045ebb96ec3be53ff2a81a3d34a7c7e2e892cc378d8fa7b05a84701
SHA512

52534ed43e05a3413852714591e919379f514c5f3d4af5a60d718a5c64ce4976af69c79d90c55d3b2063ffa9a5021f0fb919285ca54b7e03f18689569c032655
SSDEEP

6144:eILU50cDi8Ar3vLkf049n/m+GGv9uLrmSVqjy00tDxta+7SY2f:e9GSOCunmqDBSn

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
eb5b250be045ebb96ec3be53ff2a81a3d34a7c7e2e892cc378d8fa7b05a84701N

Files

eb5b250be045ebb96ec3be53ff2a81a3d34a7c7e2e892cc378d8fa7b05a84701N
.exe windows:6 windows x86 arch:x86

577ccb129f3ff548d539c307d8d0a191

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

mcrmgr.pdb

Imports

advapi32

EventRegister
EventUnregister
EventWrite
RegGetValueW
CryptCreateHash
CryptHashData
CryptReleaseContext
CryptDestroyKey
CryptAcquireContextW
CryptDestroyHash
CryptVerifySignatureW
CryptImportKey

kernel32

CreateProcessW
TerminateProcess
WaitForSingleObject
TerminateThread
ResumeThread
WaitForMultipleObjects
QueryDosDeviceW
QueryFullProcessImageNameW
LoadLibraryW
ResetEvent
K32GetProcessImageFileNameW
CreateFileW
InterlockedCompareExchange
InterlockedIncrement
InterlockedDecrement
GetLastError
LocalFree
ProcessIdToSessionId
OpenProcess
K32EnumProcessModules
K32GetModuleBaseNameW
lstrcmpiW
K32EnumProcesses
CreateEventW
SetEvent
GetModuleHandleW
HeapSetInformation
PowerSetRequest
GetTickCount
Sleep
RaiseException
lstrlenW
SetLastError
GetVersion
GetSystemInfo
VirtualProtect
VirtualFree
VirtualAlloc
ReadFile
GetOverlappedResult
WriteFile
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
GetSystemWindowsDirectoryW
GetProcAddress
UnhandledExceptionFilter
GetCurrentProcess
GetSystemTimeAsFileTime
GetCurrentThreadId
QueryPerformanceCounter
GetModuleHandleA
SetUnhandledExceptionFilter
GetStartupInfoW
InterlockedExchange
GetWindowsDirectoryW
LoadLibraryExW
PowerCreateRequest
FreeLibrary
CreateThread
CloseHandle
LocalAlloc
GetCurrentProcessId

user32

MapVirtualKeyExW
LoadStringW
UnregisterDeviceNotification
PostMessageW
FindWindowW
SetWinEventHook
GetMessageW
IsWindowVisible
IsWindow
EnumWindows
TranslateMessage
DispatchMessageW
RegisterClassW
CreateWindowExW
RegisterDeviceNotificationW
ShowWindow
GetWindowTextW
SendMessageTimeoutW
GetForegroundWindow
SetForegroundWindow
GetWindowThreadProcessId
UnhookWinEvent
DefWindowProcW
GetKeyboardLayout
PostQuitMessage

msvcrt

_exit
_cexit
__wgetmainargs
malloc
_callnewh
free
memcpy
wcschr
??0exception@@QAE@XZ
_wcsnicmp
_CxxThrowException
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
??0exception@@QAE@ABQBD@Z
memcpy_s
memmove_s
_vsnwprintf
memset
__CxxFrameHandler3
_wcsicmp
exit
_wcmdln
_initterm
_amsg_exit
__setusermatherr
__p__commode
__p__fmode
__set_app_type
_purecall
_unlock
_controlfp
__dllonexit
_lock
_onexit
??1type_info@@UAE@XZ
?terminate@@YAXXZ
_except_handler4_common
_XcptFilter

crypt32

CertVerifyCertificateChainPolicy
CertFindCertificateInStore
CertOpenStore
CertCloseStore
CryptHashPublicKeyInfo
CertFreeCertificateChain
CertGetCertificateChain
CryptDecodeObjectEx
CertAddEncodedCertificateToStore
CryptDecodeObject
CertFreeCertificateContext

ntdll

NtOpenProcess
NtQueryVirtualMemory

oleaut32

SysAllocStringLen
SysAllocString
SysFreeString
SysStringLen

qwave

QOSCloseHandle
QOSCreateHandle
QOSStartTrackingClient
QOSStopTrackingClient

secur32

GetUserNameExW

setupapi

SetupDiOpenDeviceInterfaceW
SetupDiEnumDeviceInterfaces
SetupDiGetDevicePropertyW
SetupDiCreateDeviceInfoList
SetupDiDestroyDeviceInfoList
SetupDiGetClassDevsW
SetupDiGetDeviceInterfaceDetailW

shell32

SHGetFolderPathW

shlwapi

PathFindFileNameW

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winsta

WinStationFreeUserCertificates
WinStationServerPing
WinStationUnRegisterNotificationEvent
WinStationRegisterNotificationEvent
WinStationGetUserCertificates

wintrust

CryptCATAdminAcquireContext
CryptCATAdminCalcHashFromFileHandle
CryptCATAdminEnumCatalogFromHash
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseCatalogContext
CryptCATClose
CryptCATAdminReleaseContext
CryptCATOpen
WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
CryptCATGetMemberInfo
WinVerifyTrust

ws2_32

htonl
htons

wtsapi32

WTSRegisterSessionNotification
WTSLogoffSession
WTSQuerySessionInformationW
WTSVirtualChannelClose
WTSVirtualChannelQuery
WTSFreeMemory
WTSVirtualChannelOpen

sqmapi

SqmSet
SqmAddToStreamDWord
SqmAddToStreamString
SqmGetSession

Sections

.text
Size: 222KB - Virtual size: 222KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 46KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 36KB - Virtual size: 37KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

577ccb129f3ff548d539c307d8d0a191

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

user32

msvcrt

crypt32

ntdll

oleaut32

qwave

secur32

setupapi

shell32

shlwapi

version

winsta

wintrust

ws2_32

wtsapi32

sqmapi

Sections

.text Size: 222KB - Virtual size: 222KB

.data Size: 46KB - Virtual size: 46KB

.rsrc Size: 26KB - Virtual size: 26KB

.reloc Size: 36KB - Virtual size: 37KB

.text
Size: 222KB - Virtual size: 222KB

.data
Size: 46KB - Virtual size: 46KB

.rsrc
Size: 26KB - Virtual size: 26KB

.reloc
Size: 36KB - Virtual size: 37KB