dcrat | inv2[.]rar

Sharing

Copy URL

Twitter E-mail

General

Target

inv2.rar
Size

998KB
MD5

7278d7ca66978bcaecdb36ac396e933a
SHA1

ca9e4626966312df94e901772513943e2698245a
SHA256

6b5c914e114e50038d60c875ca17291783bddea90a8a3b79dd0d936f2f63a7ea
SHA512

a19a214c429f02427b09e155063ff9bc643ef1c66cde419e33d98aae32fe254261570770078cb7761bbebd0727181c28e06cda9aa5fc8114ee16cee0fc685d2f
SSDEEP

24576:r41Gv8NkGPvzNHtZXDoMa2C1KeYqoh8kKuscli0nLwy:r46wkw1LoMa2C1KeYbRco

Score

10^/10

rat qqtalk voov dcrat stealc

Malware Config

Extracted

Family

stealc

Botnet

QQtalk

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

stealc

Botnet

Voov

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Signatures

DCRat payload 1 IoCs

rat

Processes:

resource	yara_rule
static1/unpack001/hjgesadfseawd.exe	family_dcrat_v2

Dcrat family
dcrat
Stealc family
stealc

Unsigned PE 6 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/baedawdgh.exe
unpack001/gweadtrgh.exe
unpack001/hjgesadfseawd.exe
unpack001/kisloyat.exe
unpack001/kisteruop.exe
unpack001/pothjmawdtrg.exe

Files

inv2.rar
.rar
baedawdgh.exe
.exe windows:4 windows x86 arch:x86

0252f8597a857ddcc37d09e38ea5837d

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

CopyFileA
DeleteCriticalSection
EnterCriticalSection
ExitProcess
ExpandEnvironmentStringsA
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GlobalAlloc
GlobalLock
GlobalUnlock
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
SetUnhandledExceptionFilter
Sleep
TlsGetValue
VirtualProtect
VirtualQuery

msvcrt

_strdup
_stricoll
__getmainargs
__mb_cur_max
__p__environ
__p__fmode
__set_app_type
_cexit
_errno
_fpreset
_fullpath
_iob
_isctype
_onexit
_pctype
_setmode
abort
atexit
calloc
free
fwrite
malloc
mbstowcs
memcpy
realloc
rename
setlocale
signal
sprintf
strcoll
strlen
tolower
vfprintf
wcstombs

shell32

ShellExecuteA

user32

CloseClipboard
EmptyClipboard
GetClipboardData
OpenClipboard
SetClipboardData

Sections

.text
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 40B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.eh_fram
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 112B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
gdwadtyjuesfshas.exe
.exe windows:5 windows x86 arch:x86

b43a496632b1ed46252f26d650f3ccb2

Code Sign

0f:d1:bb:ca:79:6b:d7:f8:dd:4c:82:e1:0a:9a:96:31
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

13-01-2022 00:00

Not After

09-11-2031 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:4d:67:f6:43:16:c9:2a:3b:7a:17:cc:46:97:6a:8f
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

28-07-2021 00:00

Not After

27-07-2036 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

03:9c:12:44:48:06:1e:99:e6:9c:d9:5d:57:c8:07:a6
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

27-06-2024 00:00

Not After

15-10-2024 23:59

Subject

SERIALNUMBER=4969967,CN=Zoom Video Communications\, Inc.,O=Zoom Video Communications\, Inc.,L=San Jose,ST=California,C=US,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14-07-2023 00:00

Not After

13-10-2034 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23-03-2022 00:00

Not After

22-03-2037 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-08-2022 00:00

Not After

09-11-2031 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0f:d1:bb:ca:79:6b:d7:f8:dd:4c:82:e1:0a:9a:96:31
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

13-01-2022 00:00

Not After

09-11-2031 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:4d:67:f6:43:16:c9:2a:3b:7a:17:cc:46:97:6a:8f
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

28-07-2021 00:00

Not After

27-07-2036 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

03:9c:12:44:48:06:1e:99:e6:9c:d9:5d:57:c8:07:a6
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

27-06-2024 00:00

Not After

15-10-2024 23:59

Subject

SERIALNUMBER=4969967,CN=Zoom Video Communications\, Inc.,O=Zoom Video Communications\, Inc.,L=San Jose,ST=California,C=US,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14-07-2023 00:00

Not After

13-10-2034 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23-03-2022 00:00

Not After

22-03-2037 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-08-2022 00:00

Not After

09-11-2031 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

9c:3e:7c:44:eb:55:a0:68:e5:7e:20:e9:02:05:38:2f:6c:55:72:e0
Signer

Actual PE Digest

9c:3e:7c:44:eb:55:a0:68:e5:7e:20:e9:02:05:38:2f:6c:55:72:e0

Digest Algorithm

sha1

PE Digest Matches

true

06:97:53:54:24:f5:b7:b4:3d:2a:0a:2f:72:47:7a:5f:de:ef:bd:db:38:ba:53:46:4b:e4:ed:ce:8f:5e:33:78
Signer

Actual PE Digest

06:97:53:54:24:f5:b7:b4:3d:2a:0a:2f:72:47:7a:5f:de:ef:bd:db:38:ba:53:46:4b:e4:ed:ce:8f:5e:33:78

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\jenkins\workspace\Client\Client\Windows\launcher\Bin\Release\NewZoomWebLauncher.pdb

Imports

shlwapi

ord155
StrCmpNIW
StrStrA
PathAppendW
PathIsRelativeW

kernel32

GetFileAttributesA
FileTimeToSystemTime
CreateDirectoryA
GetSystemTime
GetFileTime
SetUnhandledExceptionFilter
GetTickCount
GetSystemDirectoryW
LoadLibraryW
ExitProcess
LoadLibraryExW
HeapLock
HeapWalk
GetVersion
HeapUnlock
ReleaseSemaphore
CreateSemaphoreA
VerifyVersionInfoA
GetCommandLineA
GetWindowsDirectoryA
GetStartupInfoA
VerSetConditionMask
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
ExitThread
TerminateThread
CreateThread
DeleteCriticalSection
CompareFileTime
WriteFile
SetFilePointer
SetEndOfFile
SystemTimeToFileTime
FlushFileBuffers
ReleaseMutex
GetLocalTime
QueryPerformanceCounter
GetSystemTimeAsFileTime
IsProcessorFeaturePresent
UnhandledExceptionFilter
TerminateProcess
GetTempFileNameA
VerifyVersionInfoW
GetFileAttributesW
OpenProcess
QueryDosDeviceW
K32GetProcessImageFileNameW
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
GetWindowsDirectoryW
GetModuleHandleW
GetProcessTimes
MultiByteToWideChar
RaiseException
CreateProcessA
WideCharToMultiByte
GetModuleHandleExW
GetStringTypeW
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
LCMapStringW
TlsSetValue
FreeLibrary
TlsGetValue
IsDebuggerPresent
LoadLibraryExA
VirtualQuery
VirtualProtect
GetSystemInfo
GetProcessHeap
GetCurrentProcessId
GetProcAddress
HeapAlloc
ExpandEnvironmentStringsA
CloseHandle
DeleteFileA
CreateFileA
MoveFileExA
OpenMutexA
GetLastError
CopyFileA
GetTempPathA
Sleep
GetModuleHandleA
GetCurrentThreadId
WaitForSingleObject
CreateMutexA
FindClose
GetCurrentProcess
SetLastError
HeapFree
FindFirstFileA
GetModuleFileNameA
LocalFree
CreateFileW
RtlUnwind

user32

FindWindowW
GetDesktopWindow
GetWindowThreadProcessId
LoadCursorA
InflateRect
GetDC
SetWindowPos
SetActiveWindow
GetSystemMetrics
DrawTextA
MapWindowPoints
GetWindowLongA
FrameRect
AttachThreadInput
GetForegroundWindow
SetFocus
IsWindowVisible
PostMessageA
FindWindowA
PostQuitMessage
LoadIconA
RegisterClassExA
SetForegroundWindow
IsIconic
LoadStringA
RegisterClassA
GetClassInfoA
UnregisterClassA
SetWindowLongA
FillRect
IntersectRect
ShowWindowAsync
SetPropA
GetWindowRect
DestroyWindow
ShowWindow
IsWindow
MoveWindow
GetPropA
DefWindowProcA
CreateWindowExA
GetClientRect
UpdateWindow
InvalidateRect
BeginPaint
EndPaint
PostThreadMessageA
GetMessageA
DispatchMessageA
SetTimer
TranslateMessage
PeekMessageA
KillTimer
SendMessageA

gdi32

SetBkMode
CreateFontIndirectA
DeleteObject
GetObjectA
SelectObject
GetStockObject
SetTextColor
CreateSolidBrush

advapi32

CryptDestroyKey
OpenProcessToken
GetUserNameA
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
DuplicateTokenEx
CheckTokenMembership
FreeSid
AllocateAndInitializeSid
CryptAcquireContextA
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptReleaseContext
CryptVerifySignatureA

shell32

ShellExecuteW
SHGetFolderPathA

ole32

CoUninitialize
CoInitialize
CoCreateInstance

oleaut32

VariantInit
VariantClear
SysAllocString
SysFreeString

Sections

.text
Size: 69KB - Virtual size: 68KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didat
Size: 512B - Virtual size: 40B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
gweadtrgh.exe
.exe windows:6 windows x86 arch:x86

81961373b32efd4098659dcd8637f4f9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_ISOLATION
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CloseHandle
CreateDirectoryA
CreateFileA
CreateProcessA
CreateThread
ExitProcess
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
GetComputerNameA
GetCurrentProcess
GetDriveTypeA
GetFileInformationByHandle
GetFileSize
GetLocalTime
GetLogicalDriveStringsA
GetLogicalProcessorInformationEx
GetModuleHandleA
GetProcessHeap
GetThreadContext
GetTickCount
HeapAlloc
HeapFree
OpenProcess
RaiseException
ReadFile
ReadProcessMemory
SetFilePointer
SetThreadContext
Sleep
SystemTimeToFileTime
VirtualAlloc
VirtualAllocEx
VirtualAllocExNuma
VirtualFree
VirtualQueryEx
WaitForSingleObject
WriteFile
WriteProcessMemory
lstrcatA
lstrcmpiW
lstrcpyA
lstrlenA

msvcrt

??2@YAPAXI@Z
??3@YAXPAX@Z
??_U@YAPAXI@Z
??_V@YAXPAX@Z
_splitpath
atexit
free
isupper
malloc
memchr
memcmp
memcpy
memmove
memset
rand
srand
strchr
strcmp
strcpy
strcpy_s
strlen
strncpy
strstr
strtok_s

user32

CharToOemA
CloseDesktop
CreateDesktopA
GetDesktopWindow
OpenDesktopA
wsprintfA
wsprintfW

advapi32

GetCurrentHwProfileA
GetUserNameA
RegGetValueA
RegOpenKeyExA

api-ms-win-crt-runtime-l1-1-0

_invalid_parameter_noinfo_noreturn

shell32

SHFileOperationA
SHGetFolderPathA

ws2_32

WSACleanup
WSAStartup
closesocket
connect
freeaddrinfo
getaddrinfo
htons
recv
send
socket

shlwapi

PathFileExistsA
ord155

Sections

.text
Size: 276KB - Virtual size: 276KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 54KB - Virtual size: 54KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 41KB - Virtual size: 2.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.00cfg
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
hjgesadfseawd.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 887KB - Virtual size: 886KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 880B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
kisloyat.exe
.exe windows:5 windows x86 arch:x86

9688495fa0fb07674109d4238c74f5ee

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

rand
strncpy
??_V@YAXPAX@Z
strtok
memchr
strtok_s
??_U@YAPAXI@Z
strcpy_s
vsprintf_s
memmove
strlen
malloc
free
memcmp
??2@YAPAXI@Z
memset
memcpy
__CxxFrameHandler3
_except_handler3

kernel32

GetModuleFileNameW
GetStringTypeW
MultiByteToWideChar
LCMapStringW
lstrlenA
HeapAlloc
GetProcessHeap
VirtualProtect
CreateProcessA
lstrcatA
VirtualQueryEx
OpenProcess
ReadProcessMemory
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
DecodePointer
TerminateProcess
GetCurrentProcess
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
RtlUnwind
GetProcAddress
GetModuleHandleW
ExitProcess
Sleep
WriteFile
GetStdHandle
GetLastError
LoadLibraryW
TlsGetValue
TlsSetValue
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
WideCharToMultiByte
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
RaiseException

Sections

.text
Size: 166KB - Virtual size: 165KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 2.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
kisteruop.exe
.exe windows:5 windows x86 arch:x86

9688495fa0fb07674109d4238c74f5ee

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

rand
strncpy
??_V@YAXPAX@Z
strtok
memchr
strtok_s
??_U@YAPAXI@Z
strcpy_s
vsprintf_s
memmove
strlen
malloc
free
memcmp
??2@YAPAXI@Z
memset
memcpy
__CxxFrameHandler3
_except_handler3

kernel32

GetModuleFileNameW
GetStringTypeW
MultiByteToWideChar
LCMapStringW
lstrlenA
HeapAlloc
GetProcessHeap
VirtualProtect
CreateProcessA
lstrcatA
VirtualQueryEx
OpenProcess
ReadProcessMemory
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
DecodePointer
TerminateProcess
GetCurrentProcess
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
RtlUnwind
GetProcAddress
GetModuleHandleW
ExitProcess
Sleep
WriteFile
GetStdHandle
GetLastError
LoadLibraryW
TlsGetValue
TlsSetValue
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
WideCharToMultiByte
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
RaiseException

Sections

.text
Size: 166KB - Virtual size: 165KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 2.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
pothjmawdtrg.exe
.exe windows:6 windows x86 arch:x86

dbd248d6a07e5b5d3562c903534448e7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CloseHandle
HeapAlloc
HeapFree
GetProcessHeap
WaitForSingleObject
CreateEventW
WriteConsoleW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
GetModuleHandleW
GetCurrentProcess
TerminateProcess
RtlUnwind
GetLastError
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
EncodePointer
RaiseException
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetFileType
GetStringTypeW
LCMapStringW
HeapSize
HeapReAlloc
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
SetFilePointerEx
CreateFileW
DecodePointer

Sections

.text
Size: 223KB - Virtual size: 222KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.textbss
Size: - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 188KB - Virtual size: 187KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Files

0252f8597a857ddcc37d09e38ea5837d

Headers

File Characteristics

Imports

kernel32

msvcrt

shell32

user32

Sections

.text Size: 18KB - Virtual size: 18KB

.data Size: 512B - Virtual size: 40B

.rdata Size: 1KB - Virtual size: 1KB

.eh_fram Size: 4KB - Virtual size: 4KB

.bss Size: - Virtual size: 112B

.idata Size: 2KB - Virtual size: 1KB

.CRT Size: 512B - Virtual size: 24B

.tls Size: 512B - Virtual size: 32B

b43a496632b1ed46252f26d650f3ccb2

Code Sign

0f:d1:bb:ca:79:6b:d7:f8:dd:4c:82:e1:0a:9a:96:31Certificate

Extended Key Usages

Key Usages

0e:4d:67:f6:43:16:c9:2a:3b:7a:17:cc:46:97:6a:8fCertificate

Extended Key Usages

Key Usages

03:9c:12:44:48:06:1e:99:e6:9c:d9:5d:57:c8:07:a6Certificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

0f:d1:bb:ca:79:6b:d7:f8:dd:4c:82:e1:0a:9a:96:31Certificate

Extended Key Usages

Key Usages

0e:4d:67:f6:43:16:c9:2a:3b:7a:17:cc:46:97:6a:8fCertificate

Extended Key Usages

Key Usages

03:9c:12:44:48:06:1e:99:e6:9c:d9:5d:57:c8:07:a6Certificate

Extended Key Usages

Key Usages

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16Certificate

Extended Key Usages

Key Usages

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate

Extended Key Usages

Key Usages

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate

Key Usages

9c:3e:7c:44:eb:55:a0:68:e5:7e:20:e9:02:05:38:2f:6c:55:72:e0Signer

06:97:53:54:24:f5:b7:b4:3d:2a:0a:2f:72:47:7a:5f:de:ef:bd:db:38:ba:53:46:4b:e4:ed:ce:8f:5e:33:78Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

shlwapi

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

Sections

.text Size: 69KB - Virtual size: 68KB

.rdata Size: 29KB - Virtual size: 29KB

.data Size: 2KB - Virtual size: 3KB

.didat Size: 512B - Virtual size: 40B

.text
Size: 18KB - Virtual size: 18KB

.data
Size: 512B - Virtual size: 40B

.rdata
Size: 1KB - Virtual size: 1KB

.eh_fram
Size: 4KB - Virtual size: 4KB

.bss
Size: - Virtual size: 112B

.idata
Size: 2KB - Virtual size: 1KB

.CRT
Size: 512B - Virtual size: 24B

.tls
Size: 512B - Virtual size: 32B

0f:d1:bb:ca:79:6b:d7:f8:dd:4c:82:e1:0a:9a:96:31
Certificate

0e:4d:67:f6:43:16:c9:2a:3b:7a:17:cc:46:97:6a:8f
Certificate

03:9c:12:44:48:06:1e:99:e6:9c:d9:5d:57:c8:07:a6
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

0f:d1:bb:ca:79:6b:d7:f8:dd:4c:82:e1:0a:9a:96:31
Certificate

0e:4d:67:f6:43:16:c9:2a:3b:7a:17:cc:46:97:6a:8f
Certificate

03:9c:12:44:48:06:1e:99:e6:9c:d9:5d:57:c8:07:a6
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

9c:3e:7c:44:eb:55:a0:68:e5:7e:20:e9:02:05:38:2f:6c:55:72:e0
Signer

06:97:53:54:24:f5:b7:b4:3d:2a:0a:2f:72:47:7a:5f:de:ef:bd:db:38:ba:53:46:4b:e4:ed:ce:8f:5e:33:78
Signer

.text
Size: 69KB - Virtual size: 68KB

.rdata
Size: 29KB - Virtual size: 29KB

.data
Size: 2KB - Virtual size: 3KB

.didat
Size: 512B - Virtual size: 40B

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 5KB - Virtual size: 5KB

.text
Size: 276KB - Virtual size: 276KB

.rdata
Size: 54KB - Virtual size: 54KB

.data
Size: 41KB - Virtual size: 2.1MB

.00cfg
Size: 512B - Virtual size: 4B

.reloc
Size: 36KB - Virtual size: 35KB

.text
Size: 887KB - Virtual size: 886KB

.rsrc
Size: 1024B - Virtual size: 880B

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 166KB - Virtual size: 165KB

.rdata
Size: 45KB - Virtual size: 45KB

.data
Size: 3KB - Virtual size: 2.1MB

.reloc
Size: 23KB - Virtual size: 23KB

.text
Size: 166KB - Virtual size: 165KB

.rdata
Size: 45KB - Virtual size: 45KB

.data
Size: 3KB - Virtual size: 2.1MB

.reloc
Size: 23KB - Virtual size: 23KB

.text
Size: 223KB - Virtual size: 222KB

.textbss
Size: - Virtual size: 64KB

.rdata
Size: 188KB - Virtual size: 187KB

.data
Size: 12KB - Virtual size: 14KB

.rsrc
Size: 5KB - Virtual size: 5KB

.reloc
Size: 9KB - Virtual size: 8KB