2024-10-17_73834217524d9646ddc441682e0e13c8_hijackloader_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-10-17_73834217524d9646ddc441682e0e13c8_hijackloader_ryuk
Size

10.6MB
MD5

73834217524d9646ddc441682e0e13c8
SHA1

e057fbfdb3ed26dcc28e4fa01cc991c587673867
SHA256

7708756fa1a8561c6ba4728a03a825d10b3ad41ba4c154a21e5fbd1c1cbe718b
SHA512

d73d1cd83dacc78d68952905b43b202632c5ae4ce92c7ba992293ea2a5bc047f3559de4b49deb8da82a844ca666908bd343ccaaac8bd39321d85dbf920197d4e
SSDEEP

98304:7G+lVcKOTGRleImZ19M91ybx2NdYk9KM7VTOyj1vzMiItGGyicAQAIl:6otLiZL01mx2NdYk9KM7xj5zM8gIl

Score

1^/10

Malware Config

Signatures

Files

2024-10-17_73834217524d9646ddc441682e0e13c8_hijackloader_ryuk
.exe windows:6 windows x64 arch:x64

44b545736fda8d7eee52367601acdc76

Code Sign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

21/09/2022, 00:00

Not After

21/11/2033, 23:59

Subject

CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:84:a5:71:22:7a:38:d1:eb:58:99:b8:69:32:94:54
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

24/01/2023, 00:00

Not After

05/03/2025, 23:59

Subject

CN=O&O Software GmbH,O=O&O Software GmbH,L=Berlin,ST=Berlin,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:84:a5:71:22:7a:38:d1:eb:58:99:b8:69:32:94:54
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

24/01/2023, 00:00

Not After

05/03/2025, 23:59

Subject

CN=O&O Software GmbH,O=O&O Software GmbH,L=Berlin,ST=Berlin,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

38:63:de:f8
Certificate

Issuer

CN=Entrust.net Certification Authority (2048),OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)+OU=(c) 1999 Entrust.net Limited,O=Entrust.net

Not Before

24/12/1999, 17:50

Not After

24/07/2029, 14:15

Subject

CN=Entrust.net Certification Authority (2048),OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)+OU=(c) 1999 Entrust.net Limited,O=Entrust.net

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

58:da:13:ff:00:00:00:00:51:ce:0d:f7
Certificate

Issuer

CN=Entrust.net Certification Authority (2048),OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)+OU=(c) 1999 Entrust.net Limited,O=Entrust.net

Not Before

22/07/2015, 19:02

Not After

22/06/2029, 19:32

Subject

CN=Entrust Timestamping CA - TS1,OU=See www.entrust.net/legal-terms+OU=(c) 2015 Entrust\, Inc. - for authorized use only,O=Entrust\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

56:ab:95:75:28:9c:a5:9f:0e:17:d4:0b:ea:05:c3:1f
Certificate

Issuer

CN=Entrust Timestamping CA - TS1,OU=See www.entrust.net/legal-terms+OU=(c) 2015 Entrust\, Inc. - for authorized use only,O=Entrust\, Inc.,C=US

Not Before

04/10/2022, 17:21

Not After

01/01/2029, 00:00

Subject

CN=Entrust Timestamp Authority - TSA1,O=Entrust\, Inc.,L=Ottawa,ST=Ontario,C=CA

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

47:6e:67:73:44:47:e9:64:38:a5:e4:8f:d0:9a:06:85:8f:86:23:05:0c:53:ae:10:c6:2b:08:fd:ba:a8:ce:a7
Signer

Actual PE Digest

47:6e:67:73:44:47:e9:64:38:a5:e4:8f:d0:9a:06:85:8f:86:23:05:0c:53:ae:10:c6:2b:08:fd:ba:a8:ce:a7

Digest Algorithm

sha256

PE Digest Matches

true

92:01:89:39:7d:b0:c4:05:b3:bf:8e:0a:87:14:34:33:63:dc:6b:41
Signer

Actual PE Digest

92:01:89:39:7d:b0:c4:05:b3:bf:8e:0a:87:14:34:33:63:dc:6b:41

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

e:\jenkins-slave\workspace\oodi\18\OO\OODI-BIN\src\applications\maincmd\app\v140\x64\maincmd_vc\ClientRelease\oodicmdc.pdb

Imports

kernel32

OpenMutexW
CreateMutexW
ReleaseMutex
DeviceIoControl
TryEnterCriticalSection
GetProcAddress
GetModuleHandleW
SystemTimeToFileTime
FileTimeToSystemTime
GlobalGetAtomNameW
lstrcmpA
QueryActCtxW
FindActCtxSectionStringW
DeactivateActCtx
ActivateActCtx
CreateActCtxW
GetModuleHandleExW
GetModuleFileNameW
InitializeCriticalSectionAndSpinCount
OutputDebugStringA
SetLastError
CopyFileW
FormatMessageW
MulDiv
LocalFree
GlobalFree
GlobalUnlock
GlobalLock
GlobalSize
GlobalAlloc
WideCharToMultiByte
MultiByteToWideChar
GetProcessHeap
DeleteCriticalSection
DecodePointer
HeapAlloc
RaiseException
HeapReAlloc
HeapSize
InitializeCriticalSectionEx
HeapFree
GetExitCodeProcess
CreateProcessW
GetTickCount
FormatMessageA
WriteConsoleW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
IsValidCodePage
SetFilePointerEx
AcquireSRWLockExclusive
GetTimeZoneInformation
EnumSystemLocalesW
IsValidLocale
GetTimeFormatW
GetDateFormatW
GetConsoleMode
GetConsoleCP
GetACP
ExitProcess
SetStdHandle
QueryPerformanceFrequency
VirtualQuery
VirtualAlloc
GetCommandLineW
GetCommandLineA
FreeLibraryAndExitThread
HeapQueryInformation
PeekNamedPipe
GetFileType
InterlockedFlushSList
InterlockedPushEntrySList
RtlUnwindEx
RtlPcToFileHeader
RtlCompareMemory
GetComputerNameW
GetEnvironmentVariableW
TerminateThread
WriteProcessMemory
GetSystemTime
ExpandEnvironmentStringsW
GetSystemInfo
FindNextFileW
FindFirstFileExW
GetDriveTypeW
GetLocalTime
GetCPInfo
LCMapStringW
GetStringTypeW
OutputDebugStringW
InitOnceExecuteOnce
InitializeSRWLock
ReleaseSRWLockExclusive
GetStdHandle
CreateFileW
ExitThread
FreeLibrary
CloseHandle
GetExitCodeThread
WaitForSingleObject
CreateThread
Sleep
SetConsoleCtrlHandler
SetEnvironmentVariableW
GetCurrentProcess
K32GetModuleFileNameExW
GetLastError
LoadLibraryW
SetConsoleCursorPosition
FillConsoleOutputCharacterW
WriteConsoleOutputCharacterW
FindResourceW
LoadResource
LockResource
SizeofResource
GetConsoleScreenBufferInfo
InitializeConditionVariable
WakeConditionVariable
SleepConditionVariableSRW
OpenThread
RtlCaptureStackBackTrace
LoadLibraryA
CreateIoCompletionPort
GetQueuedCompletionStatusEx
PostQueuedCompletionStatus
GetModuleHandleA
SetFileCompletionNotificationModes
CreateFileA
ConnectNamedPipe
CancelIo
CreateNamedPipeA
CreateTimerQueue
SignalObjectAndWait
SwitchToThread
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
GetThreadTimes
VirtualFree
ReleaseSemaphore
InterlockedPopEntrySList
QueryDepthSList
UnregisterWaitEx
DeleteFiber
ConvertFiberToThread
SetConsoleMode
ReadConsoleA
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GlobalReAlloc
GlobalHandle
LocalAlloc
LocalReAlloc
GetCurrentProcessId
GlobalFlags
lstrcmpW
GlobalAddAtomW
DeleteFileW
FindClose
FindFirstFileW
FlushFileBuffers
GetFileSize
GetFullPathNameW
GetVolumeInformationW
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
GetStartupInfoW
IsDebuggerPresent
WaitForSingleObjectEx
ResetEvent
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetUserDefaultLCID
SearchPathW
GetProfileIntW
GetTempPathW
GetTempFileNameW
VerifyVersionInfoW
VerSetConditionMask
GetWindowsDirectoryW
FindResourceExW
lstrcpyW
GetCurrentDirectoryW
VirtualProtect
SystemTimeToTzSpecificLocalTime
GetFileTime
GetFileSizeEx
GetFileAttributesExW
GetFileAttributesW
FileTimeToLocalFileTime
GetVersionExW
GetCurrentThread
GlobalFindAtomW
GlobalDeleteAtom
FreeResource
ResumeThread
SuspendThread
SetThreadPriority
GetCurrentThreadId
CreateEventW
SetEvent
GetUserDefaultUILanguage
GetLocaleInfoW
CompareStringW
GetSystemDirectoryW
EncodePointer
lstrcmpiW
LoadLibraryExW
DuplicateHandle
WriteFile
UnlockFile
SetFilePointer
SetEndOfFile
ReadFile
ReadConsoleW
LockFile

user32

SetCursorPos
GetSysColorBrush
LoadCursorW
SendMessageW
EnableWindow
IsWindowEnabled
MessageBoxW
GetWindowLongW
GetUserObjectInformationW
GetProcessWindowStation
RegisterClassExW
GetParent
GetWindowThreadProcessId
GetLastActivePopup
SetFocus
SetScrollPos
GetScrollPos
GetWindow
IsWindow
ShowWindow
MoveWindow
SetWindowPos
GetDlgItem
CheckDlgButton
GetMenuItemCount
GetDlgCtrlID
GetFocus
SetWindowTextW
SetWindowLongW
IsDialogMessageW
GetWindowRect
ClientToScreen
PtInRect
GetDesktopWindow
GetClassNameW
RealChildWindowFromPoint
DestroyIcon
TranslateMessage
DispatchMessageW
PeekMessageW
IsWindowVisible
GetActiveWindow
GetKeyState
ValidateRect
GetCursorPos
SetWindowsHookExW
CallNextHookEx
GetSysColor
DrawTextExW
GrayStringW
TabbedTextOutW
GetWindowDC
BeginPaint
EndPaint
ScreenToClient
FillRect
RegisterWindowMessageW
GetMessagePos
GetMessageTime
PostMessageW
DefWindowProcW
ReleaseDC
GetDC
GetSystemMetrics
GetWindowTextLengthW
GetWindowTextW
UnhookWindowsHookEx
RemoveMenu
AppendMenuW
GetMenuItemID
GetSubMenu
GetMenuState
CopyIcon
FrameRect
DrawIcon
UnionRect
UpdateLayeredWindow
MonitorFromPoint
LoadAcceleratorsW
TranslateAcceleratorW
InsertMenuItemW
UnpackDDElParam
ReuseDDElParam
GetComboBoxInfo
PostThreadMessageW
WaitMessage
GetKeyboardLayout
IsCharLowerW
MapVirtualKeyExW
ToUnicodeEx
GetKeyboardState
CreateAcceleratorTableW
DestroyAcceleratorTable
GetMenuStringW
CharUpperW
CharNextW
SubtractRect
CopyAcceleratorTableW
SetRect
LockWindowUpdate
SetMenuDefaultItem
GetDoubleClickTime
ModifyMenuW
RegisterClipboardFormatW
CharUpperBuffW
IsClipboardFormatAvailable
GetUpdateRect
DrawTextW
InsertMenuW
CallWindowProcW
RegisterClassW
GetClassInfoW
GetClassInfoExW
CreateWindowExW
IsMenu
IsChild
DestroyWindow
GetWindowPlacement
SetWindowPlacement
BeginDeferWindowPos
DeferWindowPos
EndDeferWindowPos
IsIconic
GetCapture
DrawMenuBar
DefFrameProcW
DefMDIChildProcW
CreateMenu
TranslateMDISysAccel
GetMenu
SetMenu
TrackPopupMenu
UpdateWindow
SetActiveWindow
GetForegroundWindow
SetForegroundWindow
RedrawWindow
ScrollWindow
SetScrollRange
GetScrollRange
ShowScrollBar
SetPropW
GetPropW
GetWindowRgn
DestroyCursor
RemovePropW
GetClientRect
AdjustWindowRectEx
MapWindowPoints
CopyRect
EqualRect
GetWindowLongPtrW
SetWindowLongPtrW
GetClassLongPtrW
GetTopWindow
LoadIconW
SetScrollInfo
wsprintfW
ExitWindowsEx
LoadStringW
MsgWaitForMultipleObjects
GetMessageW
GetScrollInfo
WinHelpW
MonitorFromWindow
GetMonitorInfoW
PostQuitMessage
CheckMenuItem
EnableMenuItem
SetMenuItemBitmaps
GetMenuCheckMarkDimensions
SetMenuItemInfoW
LoadBitmapW
InflateRect
IntersectRect
DestroyMenu
GetMenuItemInfoW
SystemParametersInfoW
CopyImage
SendDlgItemMessageA
SetRectEmpty
OffsetRect
CreateDialogIndirectParamW
EndDialog
GetNextDlgTabItem
GetAsyncKeyState
MapDialogRect
ShowOwnedPopups
BringWindowToTop
GetSystemMenu
IsZoomed
DrawFrameControl
SetCursor
DeleteMenu
SetTimer
KillTimer
InvalidateRect
TrackMouseEvent
LoadImageW
GetNextDlgGroupItem
SetCapture
ReleaseCapture
WindowFromPoint
DrawFocusRect
IsRectEmpty
DrawIconEx
GetIconInfo
MessageBeep
EnableScrollBar
HideCaret
InvertRect
NotifyWinEvent
CreatePopupMenu
GetMenuDefaultItem
MapVirtualKeyW
GetKeyNameTextW
LoadMenuW
SetLayeredWindowAttributes
EnumDisplayMonitors
SetClassLongPtrW
SetWindowRgn
SetParent
OpenClipboard
CloseClipboard
SetClipboardData
EmptyClipboard
DrawStateW
DrawEdge

gdi32

OffsetRgn
GetRgnBox
Rectangle
LPtoDP
CreateRoundRectRgn
Polyline
Polygon
CreatePolygonRgn
GetTextColor
Ellipse
CreateEllipticRgn
SetDIBColorTable
CreateDIBSection
StretchBlt
SetPixel
GetDIBits
GetTextCharsetInfo
EnumFontFamiliesW
CreateDIBitmap
CreateCompatibleBitmap
GetBkColor
RealizePalette
GetSystemPaletteEntries
GetPaletteEntries
GetNearestPaletteIndex
CreatePalette
EnumFontFamiliesExW
GetTextMetricsW
GetTextExtentPoint32W
DPtoLP
SetRectRgn
PatBlt
CreateRectRgnIndirect
CreateFontIndirectW
CombineRgn
ScaleWindowExtEx
ScaleViewportExtEx
OffsetWindowOrgEx
OffsetViewportOrgEx
SetWindowOrgEx
SetWindowExtEx
SetViewportOrgEx
SetViewportExtEx
ExtTextOutW
TextOutW
MoveToEx
GetObjectW
SetTextAlign
SetTextColor
SetROP2
SetPolyFillMode
GetLayout
SetLayout
SetMapMode
SetBkMode
SetBkColor
SelectPalette
SelectObject
ExtSelectClipRgn
SelectClipRgn
SaveDC
RestoreDC
RectVisible
PtVisible
LineTo
IntersectClipRect
GetWindowExtEx
GetViewportExtEx
GetStockObject
GetPixel
GetObjectType
SetDIBits
EqualRgn
GetClipBox
ExcludeClipRect
Escape
DeleteDC
CreateSolidBrush
CreateRectRgn
CreatePatternBrush
CreatePen
CreateHatchBrush
CreateCompatibleDC
CreateBitmap
BitBlt
DeleteObject
GetDeviceCaps
CreateDCW
CopyMetaFileW
RoundRect
FillRgn
FrameRgn
GetBoundsRect
PtInRegion
ExtFloodFill
SetPaletteEntries
SetPixelV
GetWindowOrgEx
GetViewportOrgEx
GetTextFaceW

msimg32

AlphaBlend
TransparentBlt

winspool.drv

DocumentPropertiesW
ClosePrinter
OpenPrinterW

advapi32

InitializeSecurityDescriptor
OpenSCManagerW
OpenServiceW
ControlService
QueryServiceStatusEx
StartServiceW
ChangeServiceConfigW
CloseServiceHandle
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyW
RegOpenKeyExW
RegQueryValueW
RegDeleteValueW
RegEnumKeyExW
RegSetValueExW
RegQueryValueExW
RegEnumValueW
RegLoadKeyW
RegUnLoadKeyW
RegOpenKeyW
RegFlushKey
RegDeleteKeyExW
RegQueryInfoKeyW
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenThreadToken
GetTokenInformation
LookupAccountSidW
GetUserNameW
AddAccessAllowedAce
AllocateAndInitializeSid
FreeSid
GetLengthSid
InitializeAcl
CryptGenRandom
SetSecurityDescriptorDacl
RegGetKeySecurity
RegSetKeySecurity
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
ReportEventW
RegisterEventSourceW
DeregisterEventSource
CryptImportKey
CryptAcquireContextW
CryptDestroyKey
ImpersonateLoggedOnUser
RevertToSelf
LogonUserW
CryptReleaseContext

shell32

ShellExecuteW
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHGetFileInfoW
DragQueryFileW
DragFinish
SHBrowseForFolderW
SHAppBarMessage
SHGetDesktopFolder

shlwapi

PathIsUNCW
PathStripToRootW
PathFindExtensionW
PathRemoveFileSpecW
StrFormatKBSizeW
PathFindFileNameW
PathFileExistsW

uxtheme

DrawThemeBackground
GetThemeColor
GetCurrentThemeName
GetWindowTheme
OpenThemeData
IsThemeBackgroundPartiallyTransparent
GetThemeSysColor
GetThemePartSize
CloseThemeData
DrawThemeParentBackground
IsAppThemed
DrawThemeText

ole32

OleLockRunning
RevokeDragDrop
RegisterDragDrop
CoLockObjectExternal
OleGetClipboard
DoDragDrop
CreateStreamOnHGlobal
CoInitialize
CoDisconnectObject
StringFromGUID2
CoCreateInstance
ReleaseStgMedium
OleDuplicateData
CoTaskMemFree
CoTaskMemAlloc
CoInitializeEx
OleCreateMenuDescriptor
OleDestroyMenuDescriptor
OleTranslateAccelerator
IsAccelerator
CoGetCallContext
CoInitializeSecurity
CoUninitialize

oleaut32

SysAllocStringLen
SysAllocString
VariantInit
LoadTypeLi
VarBstrFromDate
VariantChangeType
VariantCopy
VariantClear
SysStringLen
SafeArrayUnaccessData
SafeArrayAccessData
SysFreeString
VariantTimeToSystemTime
SystemTimeToVariantTime

ntdll

strrchr
strchr
strncpy
_strnicmp
wcscmp
wcscspn
wcsrchr
labs
memcmp
RtlInsertElementGenericTable
RtlInitializeGenericTable
RtlInitUnicodeString
RtlLeaveCriticalSection
RtlEnterCriticalSection
RtlDeleteCriticalSection
RtlInitializeCriticalSection
NtSetVolumeInformationFile
NtWriteFile
NtReadFile
wcspbrk
iswspace
iswalpha
iswdigit
towlower
wcstoul
_wtol
abs
wcsncmp
sin
NtFlushBuffersFile
floor
cos
sqrt
NtCreateFile
NtOpenProcess
RtlQueryEnvironmentVariable_U
NtQuerySystemInformation
RtlAdjustPrivilege
RtlCreateUnicodeString
RtlEqualUnicodeString
NtQueryDirectoryFile
NtSetInformationFile
NtQueryInformationFile
NtQueryVolumeInformationFile
NtFsControlFile
NtDeviceIoControlFile
NtDeleteFile
NtOpenFile
NtWaitForSingleObject
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
__C_specific_handler
wcschr
strlen
wcslen
memset
memcpy
strcspn
_wcsicmp
wcsstr
towupper
_wtoi
_wcstoui64
toupper
_wtoi64
memmove
RtlDeleteElementGenericTable
NtDuplicateObject
NtQueryObject
RtlDosPathNameToNtPathName_U
NtQueryAttributesFile
NtFreeVirtualMemory
NtAllocateVirtualMemory
RtlSystemTimeToLocalTime
NtQuerySystemTime
RtlGUIDFromString
RtlStringFromGUID
RtlFreeUnicodeString
strspn
_stricmp
strcmp
RtlDecompressBuffer
RtlCompressBuffer
RtlGetCompressionWorkSpaceSize
RtlInitAnsiString
RtlAnsiStringToUnicodeString
NtWaitForMultipleObjects
NtResetEvent
NtSetEvent
NtCreateEvent
NtClose
RtlTimeToTimeFields
LdrGetProcedureAddress
LdrLoadDll
LdrUnloadDll
RtlInitString
RtlDetermineDosPathNameType_U
RtlIsGenericTableEmpty
RtlNumberGenericTableElements
RtlEnumerateGenericTable
RtlLookupElementGenericTable
ceil

mpr

WNetCancelConnection2W
WNetGetUniversalNameW
WNetAddConnection2W

wininet

HttpEndRequestW
InternetOpenW
InternetCloseHandle
InternetConnectW
InternetReadFile
InternetWriteFile
InternetFindNextFileW
InternetGetLastResponseInfoW
FtpFindFirstFileW
FtpPutFileEx
FtpDeleteFileW
FtpOpenFileW
FtpCreateDirectoryW
FtpRemoveDirectoryW
FtpCommandW
FtpGetFileSize
InternetSetOptionA
HttpOpenRequestA
InternetConnectA
HttpQueryInfoA
InternetOpenA
HttpSendRequestExW
HttpAddRequestHeadersA

oleacc

LresultFromObject
AccessibleObjectFromWindow
CreateStdAccessibleObject

gdiplus

GdipDrawImageRectI
GdipSetInterpolationMode
GdipCreateFromHDC
GdipCreateBitmapFromHBITMAP
GdipCreateBitmapFromFile
GdipDrawImageI
GdipDeleteGraphics
GdipBitmapUnlockBits
GdipBitmapLockBits
GdipCreateBitmapFromScan0
GdipCreateBitmapFromStream
GdipGetImagePaletteSize
GdipGetImagePalette
GdipGetImagePixelFormat
GdipGetImageHeight
GdipGetImageWidth
GdipGetImageGraphicsContext
GdipDisposeImage
GdipCloneImage
GdiplusStartup
GdipFree
GdipAlloc
GdiplusShutdown

imm32

ImmGetContext
ImmGetOpenStatus
ImmReleaseContext

winmm

PlaySoundW

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW
VerQueryValueA

wintrust

WinVerifyTrust

bcrypt

BCryptImportKeyPair
BCryptSignHash
BCryptVerifySignature
BCryptDestroyHash
BCryptGenRandom
BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptDestroyKey
BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptSetProperty
BCryptCloseAlgorithmProvider
BCryptEncrypt
BCryptDecrypt
BCryptExportKey
BCryptImportKey

winhttp

WinHttpSetTimeouts
WinHttpOpenRequest
WinHttpSetOption
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpWriteData
WinHttpReadData
WinHttpCloseHandle
WinHttpOpen
WinHttpConnect
WinHttpAddRequestHeaders

setupapi

SetupDiGetClassDevsW
SetupDiGetDeviceInterfaceDetailW
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInterfaces

ws2_32

getsockname
listen
WSARecv
WSASetLastError
WSAIoctl
shutdown
ntohs
getsockopt
inet_ntop
inet_pton
freeaddrinfo
getaddrinfo
WSAGetLastError
socket
setsockopt
send
recv
htons
ioctlsocket
connect
closesocket
bind
WSACleanup
WSAStartup

userenv

GetUserProfileDirectoryW

crypt32

CryptStringToBinaryA
CryptQueryObject
CertAddCertificateContextToStore
CertSetCertificateContextProperty
CertFindCertificateInStore
CertCloseStore
CertOpenStore
CryptDecodeObjectEx
CertVerifyCertificateChainPolicy
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CertFreeCertificateContext
CertGetCertificateContextProperty
CertEnumCertificatesInStore
CertDuplicateCertificateContext

ncrypt

NCryptImportKey
NCryptFreeObject
NCryptOpenStorageProvider

secur32

AcquireCredentialsHandleA
AcceptSecurityContext
DeleteSecurityContext
ApplyControlToken
QueryContextAttributesW
FreeContextBuffer
EncryptMessage
DecryptMessage
InitializeSecurityContextA

Exports

Exports

GetCommunicationInstance

Sections

.text
Size: 6.9MB - Virtual size: 6.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.9MB - Virtual size: 2.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 249KB - Virtual size: 452KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 350KB - Virtual size: 349KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 106KB - Virtual size: 106KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.giats
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 59B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 114KB - Virtual size: 114KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

44b545736fda8d7eee52367601acdc76

Code Sign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5aCertificate

Extended Key Usages

Key Usages

07:84:a5:71:22:7a:38:d1:eb:58:99:b8:69:32:94:54Certificate

Extended Key Usages

Key Usages

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9Certificate

Extended Key Usages

Key Usages

07:84:a5:71:22:7a:38:d1:eb:58:99:b8:69:32:94:54Certificate

Extended Key Usages

Key Usages

38:63:de:f8Certificate

Key Usages

58:da:13:ff:00:00:00:00:51:ce:0d:f7Certificate

Extended Key Usages

Key Usages

56:ab:95:75:28:9c:a5:9f:0e:17:d4:0b:ea:05:c3:1fCertificate

Extended Key Usages

Key Usages

47:6e:67:73:44:47:e9:64:38:a5:e4:8f:d0:9a:06:85:8f:86:23:05:0c:53:ae:10:c6:2b:08:fd:ba:a8:ce:a7Signer

92:01:89:39:7d:b0:c4:05:b3:bf:8e:0a:87:14:34:33:63:dc:6b:41Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

gdi32

msimg32

winspool.drv

advapi32

shell32

shlwapi

uxtheme

ole32

oleaut32

ntdll

mpr

wininet

oleacc

gdiplus

imm32

winmm

version

wintrust

bcrypt

winhttp

setupapi

ws2_32

userenv

crypt32

ncrypt

secur32

Exports

Exports

Sections

.text Size: 6.9MB - Virtual size: 6.9MB

.rdata Size: 2.9MB - Virtual size: 2.9MB

.data Size: 249KB - Virtual size: 452KB

.pdata Size: 350KB - Virtual size: 349KB

.gfids Size: 106KB - Virtual size: 106KB

.giats Size: 512B - Virtual size: 16B

.tls Size: 512B - Virtual size: 59B

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Certificate

07:84:a5:71:22:7a:38:d1:eb:58:99:b8:69:32:94:54
Certificate

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

07:84:a5:71:22:7a:38:d1:eb:58:99:b8:69:32:94:54
Certificate

38:63:de:f8
Certificate

58:da:13:ff:00:00:00:00:51:ce:0d:f7
Certificate

56:ab:95:75:28:9c:a5:9f:0e:17:d4:0b:ea:05:c3:1f
Certificate

47:6e:67:73:44:47:e9:64:38:a5:e4:8f:d0:9a:06:85:8f:86:23:05:0c:53:ae:10:c6:2b:08:fd:ba:a8:ce:a7
Signer

92:01:89:39:7d:b0:c4:05:b3:bf:8e:0a:87:14:34:33:63:dc:6b:41
Signer

.text
Size: 6.9MB - Virtual size: 6.9MB

.rdata
Size: 2.9MB - Virtual size: 2.9MB

.data
Size: 249KB - Virtual size: 452KB

.pdata
Size: 350KB - Virtual size: 349KB

.gfids
Size: 106KB - Virtual size: 106KB

.giats
Size: 512B - Virtual size: 16B

.tls
Size: 512B - Virtual size: 59B

.rsrc
Size: 17KB - Virtual size: 17KB

.reloc
Size: 114KB - Virtual size: 114KB