85d4d53a3f6ba34c41f6797690f076b5e3afde17469a4cdf1c83af9259ce588fN

Sharing

Copy URL Twitter E-mail

General

Target

85d4d53a3f6ba34c41f6797690f076b5e3afde17469a4cdf1c83af9259ce588fN
Size

543KB
MD5

7f964fc016e98ce54eafba662df3b3b0
SHA1

54fe6225a9458614aa09ffc9e037ad8a63854725
SHA256

85d4d53a3f6ba34c41f6797690f076b5e3afde17469a4cdf1c83af9259ce588f
SHA512

86711f5c38763936eb4d5f88b90cfc140f17fadef39e4d9f48128b86945672db70c9331b9330548f60f2e24fc3dfc61d33afc013d88b959c606cd8f831ff7719
SSDEEP

12288:oaNj9jJ42ujuKylt78+EWd/hFss/BtssLw1C0:oSj1hujuKylt1oizA

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
85d4d53a3f6ba34c41f6797690f076b5e3afde17469a4cdf1c83af9259ce588fN

Files

85d4d53a3f6ba34c41f6797690f076b5e3afde17469a4cdf1c83af9259ce588fN
.dll windows:5 windows x86 arch:x86

cf4202a057d4246ddc78538df57959de

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

D:\疯神\20150411\AhnManager\Release\AhnHelper.pdb

Imports

shlwapi

StrRChrW

kernel32

FlushFileBuffers
lstrcmpiA
GetModuleFileNameA
CreateThread
GetProcAddress
ExitProcess
Sleep
GetCurrentThreadId
SetEvent
ExitThread
GetLastError
CreateNamedPipeA
GetCurrentProcessId
FindResourceW
QueryDosDeviceW
lstrcmpiW
GetModuleHandleW
SetLastError
CopyFileA
GetTickCount
GetTempPathA
CloseHandle
OpenProcess
ResumeThread
CreateProcessA
CreateProcessW
GetModuleHandleA
lstrcpyA
HeapFree
HeapAlloc
GetProcessHeap
UnmapViewOfFile
WriteConsoleA
MapViewOfFile
CreateFileMappingA
LoadLibraryA
OpenFileMappingA
GetCurrentProcess
OpenThread
lstrcatA
GetSystemDirectoryA
TlsFree
GetCommandLineA
CreateFileA
TlsAlloc
DisableThreadLibraryCalls
FreeLibrary
TlsGetValue
TlsSetValue
GetConsoleMode
GetConsoleCP
SetStdHandle
LCMapStringW
LCMapStringA
GetStringTypeW
GetStringTypeA
GetLocaleInfoA
GetConsoleOutputCP
WriteConsoleW
GetCurrentDirectoryA
GetModuleHandleExA
HeapSize
InitializeCriticalSectionAndSpinCount
VirtualProtect
VirtualQuery
GetVersionExA
GetSystemInfo
IsValidCodePage
GetCurrentThread
WriteProcessMemory
GetThreadContext
VirtualAllocEx
VirtualFreeEx
WaitForSingleObject
CreateRemoteThread
Thread32Next
Thread32First
CreateToolhelp32Snapshot
IsBadReadPtr
WideCharToMultiByte
MultiByteToWideChar
ReadFile
SetFilePointer
VirtualAlloc
VirtualFree
InterlockedIncrement
InterlockedDecrement
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
HeapReAlloc
HeapCreate
HeapDestroy
WriteFile
GetStdHandle
SetHandleCount
GetFileType
GetStartupInfoA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetSystemTimeAsFileTime
RaiseException
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCPInfo
GetACP
GetOEMCP

user32

MessageBoxA
GetSystemMetrics
wsprintfA
GetWindowTextA
GetWindowThreadProcessId
SetWindowsHookExA
UnhookWindowsHookEx
CallNextHookEx
EnumWindows

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

psapi

GetMappedFileNameA
GetProcessImageFileNameA

ntdll

ZwSetContextThread
ZwQueryVirtualMemory
RtlCaptureStackBackTrace
RtlUnwind
ZwQueryObject
ZwQueryInformationThread
ZwProtectVirtualMemory
ZwQueryInformationProcess
RtlNtStatusToDosError

advapi32

AdjustTokenPrivileges
OpenProcessToken
LookupPrivilegeValueA

Exports

Exports

AhnAddRemoterInjects
AhnCreateProcessA
AhnCreateProcessWithSDK
AhnExportEx
AhnGetMainThreadId
AhnInstallHook
AhnUnHook
AntiLDRSetModuleInfo
WahApcUserInfo
WahCloseApcHelper
WahCloseHandleHelper
WahCloseNotificationHandleHelper
WahCloseSocketHandle
WahCloseThread
WahCompleteRequest
WahCreateHandleContextTable
WahCreateNotificationHandle
WahCreateSocketHandle
WahDestroyHandleContextTable
WahDisableNonIFSHandleSupport
WahEnableNonIFSHandleSupport
WahEnumerateHandleContexts
WahInsertHandleContext
WahNotifyAllProcesses
WahOpenApcHelper
WahOpenCurrentThread
WahOpenHandleHelper
WahOpenNotificationHandleHelper
WahQueueUserApc
WahReferenceContextByHandle
WahRemoveHandleContext
WahWaitForNotification
_AhnAddRemoterInjects@8
_AhnCreateProcessA@12
_AhnCreateProcessWithSDK@28
_AhnGetScanAddress@12
_AhnInstallHook@12
_AhnUnHook@4
_AntiHookCreateRmoterThread@8
_AntiHookCreateRmoterThreadEx@12
_AntiHookGetMainThreadId@0
_AntiHookGetProcAddress@8
_AntiHookGetProcAddressEx@8
_AntiHookGetProcAddressForTable@8
_AntiHookGetReturnAddress@4
_AntiHookGetSelfModuleByAddress@4
_AntiHookGetSelfModuleHandle@0
_AntiHookGetSelfModuleName@4
_AntiHookSetThreadToMain@0
_AntiHookSetToken@0

Sections

.text
Size: 73KB - Virtual size: 73KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.date0
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: 436KB - Virtual size: 435KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

cf4202a057d4246ddc78538df57959de

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

shlwapi

kernel32

user32

version

psapi

ntdll

advapi32

Exports

Exports

Sections

.text Size: 73KB - Virtual size: 73KB

.rdata Size: 21KB - Virtual size: 21KB

.data Size: 5KB - Virtual size: 16KB

.date0 Size: 512B - Virtual size: 24B

.vmp0 Size: 436KB - Virtual size: 435KB

.reloc Size: 4KB - Virtual size: 4KB

.rsrc Size: 1KB - Virtual size: 1KB

.text
Size: 73KB - Virtual size: 73KB

.rdata
Size: 21KB - Virtual size: 21KB

.data
Size: 5KB - Virtual size: 16KB

.date0
Size: 512B - Virtual size: 24B

.vmp0
Size: 436KB - Virtual size: 435KB

.reloc
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1KB - Virtual size: 1KB