blankgrabber | lvVysTc[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

lvVysTc.zip
Size

8.6MB
MD5

d001b3303da444021e26c1f67d52b433
SHA1

6236627fde1667659bbb784fc31249b754e41109
SHA256

55076d193e58d93e5004fd85c807f7a7ba284e028ffcc2b757769162b4a2bc54
SHA512

6a840b729fd007a11b1cba9731fafb47d694ecc7571d6444c7541283113fda2d6d761a5d244948f1cfc581ca4f93970814368fa5786ec0904138523b0c873cf5
SSDEEP

196608:XBkLDwH4bLsCBWEHtq40Z9g9iXHWspX2mwSklMEAIzp+vBQ0w5t:Xo04VBWgtH0Z9g9e2YT9klXo20w/

Score

10^/10

blankgrabber

Malware Config

Signatures

A stealer written in Python and packaged with Pyinstaller 1 IoCs

resource	yara_rule
static1/unpack002/N�%��.pyc	blankgrabber

Blankgrabber family
blankgrabber

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/lvVysTc/Randazor/Razandor.dll

Files

lvVysTc.zip
.zip
lvVysTc/Randazor/Razandor.dll
.dll windows:6 windows x64 arch:x64

3a1f9d973bff43051a3daf411f707362

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Users\lucab\Downloads\uh\Xeno-main\Xeno-main\build\Release\net8.0-windows\Xeno.pdb

Imports

kernel32

UnmapViewOfFile
GlobalAlloc
GlobalFree
CloseHandle
FreeConsole
CreateFileMappingFromApp
GlobalLock
MapViewOfFileFromApp
GlobalUnlock
AllocConsole
SizeofResource
GetModuleHandleExW
GetProcessId
OpenProcess
CreateToolhelp32Snapshot
Sleep
GetLastError
Process32NextW
K32GetProcessMemoryInfo
QueryFullProcessImageNameA
LockResource
Process32FirstW
LoadResource
FindResourceW
VirtualProtectEx
VirtualAllocEx
VirtualQueryEx
TerminateProcess
LoadLibraryA
GetCurrentProcessId
GetExitCodeProcess
InitOnceBeginInitialize
InitOnceComplete
GetLocaleInfoEx
FormatMessageA
LocalFree
WideCharToMultiByte
SetConsoleTitleA
GetFileSizeEx
MultiByteToWideChar
GetFileInformationByHandleEx
CopyFileW
AreFileApisANSI
GetTempPathW
SetFileInformationByHandle
GetFullPathNameW
GetFileInformationByHandle
GetFileAttributesExW
GetFileAttributesW
FindNextFileW
FindFirstFileExW
FindFirstFileW
FindClose
CreateFileW
CreateDirectoryW
GetCurrentDirectoryW
SetCurrentDirectoryW
InitializeSListHead
DisableThreadLibraryCalls
GetSystemTimeAsFileTime
GetCurrentThreadId
GetModuleHandleW
IsDebuggerPresent
IsProcessorFeaturePresent
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
CreateFile2
GetModuleFileNameA
QueryPerformanceCounter
GetProcAddress

user32

GetWindowThreadProcessId
MapVirtualKeyW
keybd_event
GetForegroundWindow
CloseClipboard
OpenClipboard
SetClipboardData
EnumWindows
SetForegroundWindow
EmptyClipboard

advapi32

GetCurrentHwProfileW

ole32

CoCreateGuid

libcrypto-3-x64

EVP_DigestFinal_ex
BIO_ctrl
OPENSSL_thread_stop
X509_STORE_free
X509_NAME_get_text_by_NID
EVP_MD_CTX_new
d2i_X509
X509_STORE_add_cert
OPENSSL_sk_num
X509_get_subject_name
EVP_md5
EVP_sha256
EVP_DigestUpdate
GENERAL_NAMES_free
EVP_MD_CTX_free
EVP_DigestInit_ex
OPENSSL_sk_value
ASN1_STRING_get0_data
EVP_sha512
BIO_new_socket
X509_free
ASN1_STRING_length
X509_get_ext_d2i

libssl-3-x64

SSL_pending
SSL_get_error
SSL_peek
SSL_connect
OPENSSL_init_ssl
SSL_free
SSL_CTX_get_cert_store
SSL_CTX_set_default_verify_paths
SSL_new
SSL_CTX_free
SSL_CTX_set_cert_store
SSL_CTX_use_certificate_file
SSL_CTX_use_PrivateKey_file
SSL_CTX_new
SSL_write
SSL_get_verify_result
TLS_client_method
SSL_CTX_set_default_passwd_cb_userdata
SSL_ctrl
SSL_set_bio
SSL_read
SSL_set_verify
SSL_CTX_load_verify_locations
SSL_get1_peer_certificate
SSL_shutdown

xxhash

XXH32

zstd

ZSTD_decompress
ZSTD_compressBound
ZSTD_isError
ZSTD_getErrorName
ZSTD_compress
ZSTD_maxCLevel

msvcp140

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
_Thrd_detach
??0_Locinfo@std@@QEAA@PEBD@Z
??1_Locinfo@std@@QEAA@XZ
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
??Bid@locale@std@@QEAA_KXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
_Cnd_signal
_Thrd_hardware_concurrency
?__ExceptionPtrCreate@@YAXPEAX@Z
_Cnd_init_in_situ
_Strxfrm
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Xbad_alloc@std@@YAXXZ
?_Xinvalid_argument@std@@YAXPEBD@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Winerror_map@std@@YAHH@Z
?_Xbad_function_call@std@@YAXXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?id@?$ctype@D@std@@2V0locale@2@A
?_Random_device@std@@YAIXZ
?id@?$collate@D@std@@2V0locale@2@A
?_Syserror_map@std@@YAPEBDH@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
_Mtx_lock
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
_Strcoll
_Cnd_do_broadcast_at_thread_exit
_Cnd_wait
_Thrd_id
_Query_perf_counter
_Thrd_join
_Mtx_unlock
_Cnd_broadcast
_Cnd_destroy_in_situ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?overflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHH@Z
?pbackfail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHH@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?underflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?seekoff@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA?AV?$fpos@U_Mbstatet@@@2@_JHH@Z
?seekpos@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA?AV?$fpos@U_Mbstatet@@@2@V32@H@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??_D?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?good@ios_base@std@@QEBA_NXZ
??7ios_base@std@@QEBA_NXZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?tolower@?$ctype@D@std@@QEBAPEBDPEADPEBD@Z
?tolower@?$ctype@D@std@@QEBADD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??1facet@locale@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UEAAXXZ

ws2_32

listen
shutdown
select
closesocket
bind
WSASocketW
WSACleanup
inet_pton
WSAStartup
getpeername
WSAAccept
WSAGetLastError
setsockopt
__WSAFDIsSet
getsockname
send
socket
ntohs
connect
recv
getnameinfo
getsockopt
freeaddrinfo
ioctlsocket
getaddrinfo

crypt32

CertCloseStore
CertFreeCertificateContext
CertEnumCertificatesInStore
CertOpenSystemStoreW

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcmp
memchr
__std_type_info_destroy_list
memset
_CxxThrowException
__C_specific_handler
__current_exception
strchr
__std_terminate
_purecall
__std_exception_copy
__std_exception_destroy
memcpy
__current_exception_context
memmove

api-ms-win-crt-runtime-l1-1-0

terminate
system
_invalid_parameter_noinfo
_beginthreadex
abort
_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_execute_onexit_table
_crt_atexit
_cexit
_initterm
_initterm_e
_errno
_invalid_parameter_noinfo_noreturn

api-ms-win-crt-math-l1-1-0

acos
asin
atan
atan2
_dsign
round
ldexp
tan
ceil
ceilf
cos
cosh
exp
floor
fmod
log
log10
log2
pow
sin
sinh
sqrt
tanh

api-ms-win-crt-convert-l1-1-0

strtod
strtoul
strtoull
atoi
strtoll
strtol

api-ms-win-crt-heap-l1-1-0

malloc
realloc
free
_callnewh

api-ms-win-crt-stdio-l1-1-0

fread
fsetpos
ungetc
setvbuf
_get_stream_buffer_pointers
freopen_s
fgetpos
__stdio_common_vsprintf
fwrite
fgetc
fclose
fputc
__acrt_iob_func
fflush
_fseeki64

api-ms-win-crt-string-l1-1-0

strspn
strcmp
tolower
strncmp
strnlen
_wcsicmp
isdigit
strcpy_s

api-ms-win-crt-filesystem-l1-1-0

_access_s
_unlock_file
_lock_file

api-ms-win-crt-locale-l1-1-0

localeconv
___lc_codepage_func

Exports

Exports

Compilable
Execute
GetClients
Inject

Sections

.text
Size: 605KB - Virtual size: 604KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 169KB - Virtual size: 169KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 43KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 108KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
lvVysTc/Randazor/dangert.exe
.exe windows:6 windows x64 arch:x64

72c4e339b7af8ab1ed2eb3821c98713a

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

25-05-2021 00:00

Not After

31-12-2028 23:59

Subject

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:d7:08:a8:91:40:53:19:e2:a5:bb:d3:39:b9:ad:6e
Certificate

Issuer

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Not Before

22-03-2021 00:00

Not After

21-03-2036 23:59

Subject

CN=Sectigo Public Code Signing CA EV R36,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

bf:b1:50:01:bb:f5:92:d4:96:2a:77:97:ea:73:6f:a3
Certificate

Issuer

CN=Sectigo Public Code Signing CA EV R36,O=Sectigo Limited,C=GB

Not Before

29-09-2021 00:00

Not After

28-09-2024 23:59

Subject

SERIALNUMBER=407950,CN=Akeo Consulting,O=Akeo Consulting,ST=Donegal,C=IE,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#13024945

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

Issuer

CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

12-01-2016 00:00

Not After

11-01-2031 23:59

Subject

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7b:d4:e5:af:ba:cc:07:3f:a1:01:23:04:22:41:4d:12
Certificate

Issuer

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

23-12-2017 00:00

Not After

22-03-2029 23:59

Subject

CN=Symantec SHA256 TimeStamping Signer - G3,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

59:d2:d0:0f:8a:f7:a9:f7:ec:7d:79:44:2f:cd:d5:9a:d6:a9:6d:0c:eb:c0:5b:4d:66:d3:73:dc:29:5c:c5:96
Signer

Actual PE Digest

59:d2:d0:0f:8a:f7:a9:f7:ec:7d:79:44:2f:cd:d5:9a:d6:a9:6d:0c:eb:c0:5b:4d:66:d3:73:dc:29:5c:c5:96

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

user32

CreateWindowExW
ShutdownBlockReasonCreate
MsgWaitForMultipleObjects
ShowWindow
DestroyWindow
RegisterClassW
DefWindowProcW
PeekMessageW
DispatchMessageW
TranslateMessage
PostMessageW
GetMessageW
MessageBoxW
MessageBoxA
SystemParametersInfoW
DestroyIcon
SetWindowLongPtrW
GetWindowLongPtrW
GetClientRect
InvalidateRect
ReleaseDC
GetDC
DrawTextW
GetDialogBaseUnits
EndDialog
DialogBoxIndirectParamW
MoveWindow
SendMessageW

comctl32

ord380

kernel32

GetACP
IsValidCodePage
GetStringTypeW
GetFileAttributesExW
SetEnvironmentVariableW
FlushFileBuffers
GetCurrentDirectoryW
LCMapStringW
CompareStringW
FlsFree
GetOEMCP
GetCPInfo
GetModuleHandleW
MulDiv
FormatMessageW
GetLastError
GetModuleFileNameW
LoadLibraryExW
SetDllDirectoryW
CreateSymbolicLinkW
GetProcAddress
GetEnvironmentStringsW
GetCommandLineW
GetEnvironmentVariableW
ExpandEnvironmentStringsW
DeleteFileW
FindClose
FindFirstFileW
FindNextFileW
GetDriveTypeW
RemoveDirectoryW
GetTempPathW
CloseHandle
QueryPerformanceCounter
QueryPerformanceFrequency
WaitForSingleObject
Sleep
GetCurrentProcess
TerminateProcess
GetExitCodeProcess
CreateProcessW
GetStartupInfoW
FreeLibrary
LocalFree
SetConsoleCtrlHandler
K32EnumProcessModules
K32GetModuleFileNameExW
CreateFileW
FindFirstFileExW
GetFinalPathNameByHandleW
MultiByteToWideChar
WideCharToMultiByte
FlsSetValue
FreeEnvironmentStringsW
GetProcessHeap
GetTimeZoneInformation
HeapSize
HeapReAlloc
WriteConsoleW
SetEndOfFile
CreateDirectoryW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
RtlUnwindEx
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
EncodePointer
RaiseException
RtlPcToFileHeader
GetCommandLineA
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
ReadFile
GetFullPathNameW
SetStdHandle
GetStdHandle
WriteFile
ExitProcess
GetModuleHandleExW
HeapFree
GetConsoleMode
ReadConsoleW
SetFilePointerEx
GetConsoleOutputCP
GetFileSizeEx
HeapAlloc
FlsAlloc
FlsGetValue

advapi32

OpenProcessToken
GetTokenInformation
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

gdi32

SelectObject
DeleteObject
CreateFontIndirectW

Sections

.text
Size: 168KB - Virtual size: 167KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 75KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
N�%��.pyc

Sharing

General

Malware Config

Signatures

Files

3a1f9d973bff43051a3daf411f707362

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

ole32

libcrypto-3-x64

libssl-3-x64

xxhash

zstd

msvcp140

ws2_32

crypt32

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

Exports

Exports

Sections

.text Size: 605KB - Virtual size: 604KB

.rdata Size: 169KB - Virtual size: 169KB

.data Size: 43KB - Virtual size: 50KB

.pdata Size: 26KB - Virtual size: 26KB

.rsrc Size: 108KB - Virtual size: 108KB

.reloc Size: 4KB - Virtual size: 4KB

72c4e339b7af8ab1ed2eb3821c98713a

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16Certificate

Extended Key Usages

Key Usages

33:d7:08:a8:91:40:53:19:e2:a5:bb:d3:39:b9:ad:6eCertificate

Extended Key Usages

Key Usages

bf:b1:50:01:bb:f5:92:d4:96:2a:77:97:ea:73:6f:a3Certificate

Extended Key Usages

Key Usages

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12Certificate

Extended Key Usages

Key Usages

7b:d4:e5:af:ba:cc:07:3f:a1:01:23:04:22:41:4d:12Certificate

Extended Key Usages

Key Usages

59:d2:d0:0f:8a:f7:a9:f7:ec:7d:79:44:2f:cd:d5:9a:d6:a9:6d:0c:eb:c0:5b:4d:66:d3:73:dc:29:5c:c5:96Signer

Headers

DLL Characteristics

File Characteristics

Imports

user32

comctl32

kernel32

advapi32

gdi32

Sections

.text Size: 168KB - Virtual size: 167KB

.rdata Size: 75KB - Virtual size: 74KB

.data Size: 3KB - Virtual size: 20KB

.pdata Size: 9KB - Virtual size: 8KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 605KB - Virtual size: 604KB

.rdata
Size: 169KB - Virtual size: 169KB

.data
Size: 43KB - Virtual size: 50KB

.pdata
Size: 26KB - Virtual size: 26KB

.rsrc
Size: 108KB - Virtual size: 108KB

.reloc
Size: 4KB - Virtual size: 4KB

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

33:d7:08:a8:91:40:53:19:e2:a5:bb:d3:39:b9:ad:6e
Certificate

bf:b1:50:01:bb:f5:92:d4:96:2a:77:97:ea:73:6f:a3
Certificate

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

7b:d4:e5:af:ba:cc:07:3f:a1:01:23:04:22:41:4d:12
Certificate

59:d2:d0:0f:8a:f7:a9:f7:ec:7d:79:44:2f:cd:d5:9a:d6:a9:6d:0c:eb:c0:5b:4d:66:d3:73:dc:29:5c:c5:96
Signer

.text
Size: 168KB - Virtual size: 167KB

.rdata
Size: 75KB - Virtual size: 74KB

.data
Size: 3KB - Virtual size: 20KB

.pdata
Size: 9KB - Virtual size: 8KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 2KB - Virtual size: 1KB