4956ae4c43ed408a0b58bd05ea4f8ef39e46a36925f3caecb15ce9d84ff4a91a

Sharing

Copy URL Twitter E-mail

General

Target

4956ae4c43ed408a0b58bd05ea4f8ef39e46a36925f3caecb15ce9d84ff4a91a
Size

3.1MB
MD5

24c5ed6b5f6a401fcefabaaa09f8fd3c
SHA1

24ffc01ec175fc165c0cb3f420b9fa4bd70f7de6
SHA256

4956ae4c43ed408a0b58bd05ea4f8ef39e46a36925f3caecb15ce9d84ff4a91a
SHA512

b884d0f2f6c50e745a32f7634b0292ba5299c2f685425e48b0aba9e24243960d5f89406d5df587027570445bd2048f3f95e2f59c57ae7eb04fdc111c29df019a
SSDEEP

24576:F0YabREoYsC91gNyp0oqaTggBmHOhZWjiakySy+pOOsaBrNt0XeNEvhwWQO/i:F0YaNRE8rXmWGakU+IOsajt0XeOv+WS

Score

1^/10

Malware Config

Signatures

Files

4956ae4c43ed408a0b58bd05ea4f8ef39e46a36925f3caecb15ce9d84ff4a91a
.dll windows:10 windows x64 arch:x64

fe0ea67c78b8e215b4e521c7bb656d28

Code Sign

33:00:00:06:e6:5a:10:d4:fa:64:1b:41:15:00:00:00:00:06:e6
Certificate

Issuer

CN=Microsoft Development PCA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

17/07/2024, 21:16

Not After

15/09/2025, 21:16

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:03:c6:f9:b4:c3:ae:be:59:4b:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Development Root Certificate Authority 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

28/05/2014, 17:33

Not After

28/05/2029, 17:43

Subject

CN=Microsoft Development PCA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:27:44:e3:4f:d6:9b:c9:be:f8:ce:c2:25:e3:f8:84:b1:01:a8:2e:f5:0e:e5:6a:8b:2a:5e:44:7d:71:b0:d4
Signer

Actual PE Digest

33:27:44:e3:4f:d6:9b:c9:be:f8:ce:c2:25:e3:f8:84:b1:01:a8:2e:f5:0e:e5:6a:8b:2a:5e:44:7d:71:b0:d4

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

SetupCore.pdb

Imports

msvcrt

_snprintf_s
strncmp
_errno
memset
strcpy_s
qsort
_wcstoi64
iswspace
wcscpy_s
__C_specific_handler
_initterm
malloc
free
_amsg_exit
_XcptFilter
memmove
memcpy
_CxxThrowException
?what@exception@@UEBAPEBDXZ
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBQEBD@Z
fwprintf
memmove_s
_wcstoui64
wcsstr
_wfopen
wcschr
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
_purecall
wcstoul
fclose
swscanf_s
_wcsicmp
memcpy_s
_vsnwprintf
wcsncmp
wcsrchr
_wtoi
towupper
_vscwprintf
_vsnprintf
_wcsnicmp
?terminate@@YAXXZ
_lock
_unlock
__dllonexit
_onexit
??1type_info@@UEAA@XZ
memcmp
__CxxFrameHandler3
wcscmp

rpcrt4

UuidToStringW
I_RpcMapWin32Status
RpcStringFreeW
UuidCreate
UuidCompare

wdscore

WdsSetupLogMessageW
ConstructPartialMsgVW
CurrentIP

crypt32

CertVerifyCertificateChainPolicy

wintrust

WinVerifyTrust
WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain

ntdll

RtlNtStatusToDosErrorNoTeb
RtlCompareUnicodeString
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
RtlInitializeCriticalSection
RtlDeleteCriticalSection
RtlCreateHeap
RtlLeaveCriticalSection
RtlEnterCriticalSection
RtlDestroyHeap
NtSetEaFile
NtSetSecurityObject
RtlFindAceByType
RtlSetControlSecurityDescriptor
RtlImpersonateSelf
RtlEqualUnicodeString
NtQueryVolumeInformationFile
RtlDeleteResource
RtlReleaseResource
RtlAcquireResourceShared
RtlAcquireResourceExclusive
RtlInitializeResource
DbgPrintEx
NtYieldExecution
NtWaitForSingleObject
NtQueryInformationFile
RtlExpandEnvironmentStrings
RtlReAllocateHeap
NtReadFile
NtWriteFile
NtQueryObject
RtlAllocateHeap
RtlInitUnicodeString
RtlSetThreadErrorMode
RtlGetThreadErrorMode
NtSetInformationFile
RtlFreeUnicodeString
NtQueryInformationProcess
RtlDosPathNameToNtPathName_U_WithStatus
NtQueryDirectoryObject
NtOpenDirectoryObject
NtQuerySystemInformation
VerSetConditionMask
NtOpenFile
NtClose
NtDeviceIoControlFile
RtlFreeHeap
RtlRaiseStatus
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlDosPathNameToNtPathName_U
RtlAdjustPrivilege
RtlGetVersion
RtlNtStatusToDosError
RtlCaptureContext

oleaut32

VariantInit
SysFreeString
SysAllocString

setupapi

SetupGetLineTextW
SetupDiGetDeviceInterfaceDetailW
CMP_WaitNoPendingInstallEvents
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupCloseInfFile
SetupOpenInfFileW
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfacePropertyW
SetupGetFieldCount
SetupCopyOEMInfW
SetupDiGetDeviceRegistryPropertyW
SetupDiGetClassDevsW
SetupFindFirstLineW
SetupGetStringFieldW
SetupFindNextLine

fltlib

FilterSendMessage

cabinet

ord20
ord23
ord22

kernel32

ExpandEnvironmentStringsW
GetSystemDefaultUILanguage
GetModuleFileNameW
WaitForMultipleObjects
SetEnvironmentVariableW
GetLocaleInfoEx
GetUserDefaultUILanguage
GetProductInfo
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
GetEnvironmentVariableW
GetSystemPowerStatus
InitializeCriticalSectionEx
WaitForThreadpoolTimerCallbacks
FindClose
WaitForSingleObject
LocalAlloc
CreateFileW
GetFileAttributesW
GetCurrentThreadId
ReleaseMutex
GetSystemDirectoryW
GetSystemDefaultLocaleName
LCIDToLocaleName
GetLogicalDriveStringsW
CreateEventW
Sleep
FormatMessageW
GetTimeZoneInformation
GetTickCount64
GetLastError
EnumSystemLocalesEx
ReleaseSRWLockExclusive
OutputDebugStringW
GetThreadUILanguage
SetEvent
CloseThreadpoolTimer
GetDiskFreeSpaceExW
DisableThreadLibraryCalls
AcquireSRWLockExclusive
WaitForSingleObjectEx
DeleteFileW
OpenSemaphoreW
GlobalFree
CloseHandle
SetThreadpoolTimer
ReleaseSRWLockShared
CreateThreadpoolTimer
CompareStringW
ResetEvent
HeapAlloc
GetProcAddress
SetFilePointerEx
CreateMutexExW
LocalFree
AcquireSRWLockShared
DeleteCriticalSection
LCMapStringW
GetCurrentProcessId
GetProcessHeap
GetModuleHandleW
FreeLibrary
CopyFileW
WideCharToMultiByte
LocaleNameToLCID
SystemTimeToTzSpecificLocalTime
GetSystemTime
DebugBreak
GetSystemWindowsDirectoryW
VirtualQuery
GetDriveTypeW
LoadLibraryExW
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetTickCount
GetVersionExW
GetFileSizeEx
GetModuleHandleExW
GetVersionExA
CreateFileA
WriteFile
SetFilePointer
lstrcmpiW
DosDateTimeToFileTime
LocalFileTimeToFileTime
SetFileTime
GetTempFileNameW
GetTempPathW
GetNativeSystemInfo
CopyFileExW
GetLocaleInfoW
QueryDosDeviceW
GetSystemInfo
GetLogicalDrives
FindFirstVolumeW
DeviceIoControl
FindVolumeClose
FindNextVolumeW
SetThreadPreferredUILanguages
GetLongPathNameW
GetFinalPathNameByHandleW
GetVolumePathNameW
GetVolumeNameForVolumeMountPointW
GetCurrentDirectoryW
SetCurrentDirectoryW
GetFileInformationByHandleEx
FindFirstFileNameW
GetDiskFreeSpaceW
SetFileAttributesW
GetFileInformationByHandle
SetFileInformationByHandle
FindNextFileNameW
FlushFileBuffers
GetPrivateProfileSectionW
GetPrivateProfileStringW
CreateThread
GetCurrentThread
SearchPathW
UnmapViewOfFile
FindResourceExW
LoadResource
CreateFileMappingW
MapViewOfFile
VirtualAlloc
VirtualFree
RtlCompareMemory
CreateMutexW
OpenProcess
GetOverlappedResult
InitializeCriticalSection
HeapReAlloc
SetEndOfFile
LockFileEx
UnlockFileEx
GetHandleInformation
DuplicateHandle
GlobalMemoryStatusEx
RemoveDirectoryW
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
GetVolumePathNamesForVolumeNameW
FindFirstFileW
ReleaseSemaphore
GetCurrentProcess
FindNextFileW
GetFullPathNameW
EnterCriticalSection
SetLastError
HeapFree
MultiByteToWideChar
CreateSemaphoreExW
GetVolumeInformationW
GetModuleFileNameA
ReadFile
CreateDirectoryW
GetFileSize
SleepConditionVariableSRW
WakeAllConditionVariable
DelayLoadFailureHook
LoadLibraryExA
GetModuleHandleExA
InitOnceComplete
InitOnceBeginInitialize
CompareStringOrdinal
OutputDebugStringA
RaiseFailFastException
GetPrivateProfileIntW
GetSystemDefaultLCID
VerifyVersionInfoW
IsValidLocale
IsValidCodePage
SizeofResource
LockResource
SetErrorMode
LoadLibraryW

advapi32

FreeSid
GetTokenInformation
LookupPrivilegeValueW
SetSecurityDescriptorDacl
AdjustTokenPrivileges
AllocateAndInitializeSid
OpenProcessToken
OpenThreadToken
InitializeSecurityDescriptor
InitializeAcl
GetLengthSid
AddAccessAllowedAce
RegDeleteKeyExW
RegCloseKey
RegQueryInfoKeyW
RegDeleteKeyW
RegCreateKeyExW
CloseEncryptedFileRaw
WriteEncryptedFileRaw
OpenEncryptedFileRawW
GetAclInformation
GetSecurityDescriptorControl
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
RevertToSelf
RegSetValueExW
GetSecurityDescriptorLength
EqualSid
EventRegister
EventUnregister
SetThreadToken
RegUnLoadKeyW
RegLoadKeyW
RegOpenKeyExW
RegGetValueW
RegCreateKeyW
DuplicateTokenEx
GetTraceLoggerHandle
GetTraceEnableFlags
GetTraceEnableLevel
RegisterTraceGuidsW
UnregisterTraceGuids
EventWriteTransfer
RegDeleteValueW
RegEnumValueW
RegQueryValueExW

user32

CharNextW
FindWindowExW
CharUpperW
LoadStringW

ole32

CoInitializeEx
CoUninitialize
CoCreateInstance
CoTaskMemFree
StringFromCLSID

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoSizeExW
GetFileVersionInfoExW
GetFileVersionInfoW

netapi32

NetApiBufferFree
NetGetJoinInformation

bcrypt

BCryptImportKeyPair
BCryptDestroyKey
BCryptDestroyHash
BCryptFinishHash
BCryptCreateHash
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptHashData
BCryptVerifySignature

mpr

WNetAddConnection2W
WNetCancelConnection2W

dnsapi

DnsValidateName_W

servicingcommon

GetIdentityAuthority

gdi32

CreateDCW
DeleteDC
EnumFontFamiliesExW
TranslateCharsetInfo

Exports

Exports

CreateSetupObject

Sections

.text
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

fothk
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 36KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 40KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 72B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 380KB - Virtual size: 379KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

fe0ea67c78b8e215b4e521c7bb656d28

Code Sign

33:00:00:06:e6:5a:10:d4:fa:64:1b:41:15:00:00:00:00:06:e6Certificate

Extended Key Usages

33:00:00:00:03:c6:f9:b4:c3:ae:be:59:4b:00:00:00:00:00:03Certificate

Key Usages

33:27:44:e3:4f:d6:9b:c9:be:f8:ce:c2:25:e3:f8:84:b1:01:a8:2e:f5:0e:e5:6a:8b:2a:5e:44:7d:71:b0:d4Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

rpcrt4

wdscore

crypt32

wintrust

ntdll

oleaut32

setupapi

fltlib

cabinet

kernel32

advapi32

user32

ole32

version

netapi32

bcrypt

mpr

dnsapi

servicingcommon

gdi32

Exports

Exports

Sections

.text Size: 1.6MB - Virtual size: 1.6MB

fothk Size: 4KB - Virtual size: 4KB

.rdata Size: 1.1MB - Virtual size: 1.1MB

.data Size: 36KB - Virtual size: 38KB

.pdata Size: 40KB - Virtual size: 39KB

.didat Size: 4KB - Virtual size: 72B

.rsrc Size: 380KB - Virtual size: 379KB

.reloc Size: 20KB - Virtual size: 19KB

33:00:00:06:e6:5a:10:d4:fa:64:1b:41:15:00:00:00:00:06:e6
Certificate

33:00:00:00:03:c6:f9:b4:c3:ae:be:59:4b:00:00:00:00:00:03
Certificate

33:27:44:e3:4f:d6:9b:c9:be:f8:ce:c2:25:e3:f8:84:b1:01:a8:2e:f5:0e:e5:6a:8b:2a:5e:44:7d:71:b0:d4
Signer

.text
Size: 1.6MB - Virtual size: 1.6MB

fothk
Size: 4KB - Virtual size: 4KB

.rdata
Size: 1.1MB - Virtual size: 1.1MB

.data
Size: 36KB - Virtual size: 38KB

.pdata
Size: 40KB - Virtual size: 39KB

.didat
Size: 4KB - Virtual size: 72B

.rsrc
Size: 380KB - Virtual size: 379KB

.reloc
Size: 20KB - Virtual size: 19KB