c866bebd7ff21337ee973db5078bc7635170f994a7d6c9520a88f8313e4cbd0e

Sharing

Copy URL

Twitter E-mail

General

Target

c866bebd7ff21337ee973db5078bc7635170f994a7d6c9520a88f8313e4cbd0e
Size

294KB
MD5

0d1dfd1fb7aa2f1d6ad7b4bffafd6872
SHA1

52edf260720432f4352cd059289a621c9dbfc7e9
SHA256

c866bebd7ff21337ee973db5078bc7635170f994a7d6c9520a88f8313e4cbd0e
SHA512

8152f87e5f8feb61c14928399dc51270822dc06d264b6b2179e619af883492eb772992c99e69a4da7163be97f01a1f4f292d20df935394f178235903cda74e98
SSDEEP

6144:0BvAB4pns1v3Ui9aacnCOCtqc04GXiFVUFrKalvdhotbaaBv0XyIg+7S:02upns1vB94C9tX0rKaZzCaj7S

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack002/PI 4717_PDF.exe
unpack003/$PLUGINSDIR/yeorkzn.dll

NSIS installer 2 IoCs

installer

resource	yara_rule
static1/unpack002/PI 4717_PDF.exe	nsis_installer_1
static1/unpack002/PI 4717_PDF.exe	nsis_installer_2

Files

c866bebd7ff21337ee973db5078bc7635170f994a7d6c9520a88f8313e4cbd0e
.zip

Password: infected
fd516fe5353da33498ec74acdd972956415fdc880483b6dc77955da9df9f9664
.rar
PI 4717_PDF.exe
.exe windows:4 windows x86 arch:x86

7fa974366048f9c551ef45714595665e

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetTickCount
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
GetWindowsDirectoryA
SetFileTime
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
CreateFileA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
GetVersion
CloseHandle
lstrcmpiA
lstrcmpA
ExpandEnvironmentStringsA
GlobalFree
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GetModuleHandleA
LoadLibraryExA
GetProcAddress
FreeLibrary
MultiByteToWideChar
WritePrivateProfileStringA
GetPrivateProfileStringA
WriteFile
ReadFile
MulDiv
SetFilePointer
FindClose
FindNextFileA
FindFirstFileA
DeleteFileA
GetTempPathA

user32

EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
RegisterClassA
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
DestroyWindow
CreateDialogParamA
SetTimer
SetWindowTextA
PostQuitMessage
SetForegroundWindow
wsprintfA
SendMessageTimeoutA
FindWindowExA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
OpenClipboard
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongA
LoadImageA
GetDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
DrawTextA
EndPaint
ShowWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectA
SetBkMode
SetTextColor
SelectObject

shell32

SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
ShellExecuteA
SHFileOperationA
SHGetSpecialFolderLocation

advapi32

RegQueryValueExA
RegSetValueExA
RegEnumKeyA
RegEnumValueA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 151KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 32KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/yeorkzn.dll
.dll windows:6 windows x86 arch:x86

601f92a37e399e99b473752cbdaaa645

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\xampp\htdocs\Loct\ca1780ee94af4338930363744cc434e4\Loader\vubxhnbu\Release\vubxhnbu.pdb

Imports

imm32

ImmDestroySoftKeyboard
ImmSimulateHotKey
ImmEnumRegisterWordA
ImmGetIMCCLockCount
ImmGetImeMenuItemsW

kernel32

CreateFileW
ReadFile
SetFilePointerEx
CloseHandle
DuplicateHandle
HeapAlloc
HeapFree
GetProcessHeap
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
GetCurrentProcess
VirtualAlloc
lstrcpynW
lstrcpyW
lstrlenW
MultiByteToWideChar
SetStdHandle
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetFileType
HeapSize
OutputDebugStringW
HeapReAlloc
RtlUnwind
LoadLibraryExW
FreeLibrary
SetConsoleCtrlHandler
GetModuleFileNameW
WriteFile
GetStdHandle
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
GetStringTypeW
WideCharToMultiByte
AreFileApisANSI
GetModuleHandleExW
ExitProcess
FatalAppExitA
CreateSemaphoreW
GetProcAddress
GetModuleHandleW
GetTickCount
GetStartupInfoW
TlsFree
TlsSetValue
WriteConsoleW
TlsGetValue
TlsAlloc
IsProcessorFeaturePresent
IsDebuggerPresent
EncodePointer
DecodePointer
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetLastError
SetLastError
GetCurrentThread
GetCurrentThreadId
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
CreateEventW
Sleep
TerminateProcess

winmm

waveOutSetPitch
OpenDriver
timeEndPeriod
timeBeginPeriod
midiStreamPosition

msacm32

acmStreamPrepareHeader
acmFormatEnumW
acmFilterDetailsW
acmDriverDetailsW

mapi32

ord33
ord182
ord76
ord79

wininet

InternetConnectA
InternetOpenUrlW
DeleteUrlCacheGroup
InternetSetDialState

rpcrt4

RpcBindingInqAuthInfoW
RpcEpRegisterA
MesDecodeBufferHandleCreate
UuidToStringW
NdrClientContextMarshall

wsock32

ord1142
connect
WSAIsBlocking
ord1112

mpr

WNetAddConnection3W
WNetOpenEnumW
WNetGetConnectionA
WNetDisconnectDialog
MultinetGetConnectionPerformanceA

Exports

Exports

nojosrhxf

Sections

.text
Size: 99KB - Virtual size: 98KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 7KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
s2oxzovuruebqkn

Sharing

General

Malware Config

Signatures

Files

Password: infected

7fa974366048f9c551ef45714595665e

Headers

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

version

Sections

.text Size: 23KB - Virtual size: 22KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 151KB

.ndata Size: - Virtual size: 32KB

.rsrc Size: 2KB - Virtual size: 2KB

601f92a37e399e99b473752cbdaaa645

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

imm32

kernel32

winmm

msacm32

mapi32

wininet

rpcrt4

wsock32

mpr

Exports

Exports

Sections

.text Size: 99KB - Virtual size: 98KB

.bss Size: - Virtual size: 7KB

.rdata Size: 24KB - Virtual size: 23KB

.data Size: 10KB - Virtual size: 9KB

.rsrc Size: 512B - Virtual size: 480B

.text
Size: 23KB - Virtual size: 22KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 151KB

.ndata
Size: - Virtual size: 32KB

.rsrc
Size: 2KB - Virtual size: 2KB

.text
Size: 99KB - Virtual size: 98KB

.bss
Size: - Virtual size: 7KB

.rdata
Size: 24KB - Virtual size: 23KB

.data
Size: 10KB - Virtual size: 9KB

.rsrc
Size: 512B - Virtual size: 480B