njrat | Setup_Update[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

Setup_Update.zip
Size

346KB
MD5

eb751de314ba1859e4fa6ace8ac7bc51
SHA1

c47e21d1db58017a96811bf73d96933f0bafb0ce
SHA256

ea98c9bf854db4937cdd2f7430d21d72169cb3a5f676ffc41e71659b250438d2
SHA512

c8b7547b90498d20790ab941642b8e128e75ea9585c7dd749805e597cd214720d23e5d4761b8fbea058bc28a5343c2dc123e9a251da2ea72cc7584f6648713ca
SSDEEP

6144:jnVs5WDMq+8Z+hn5dXsPx9+HCwIsKDQeWVIbZhholaE4bX:7yMDMq+8Zonv8Z98QpeGZXola1bX

Score

10^/10

hack njrat

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HACK

35.159.113.6:1337

Mutex

d8dd25933bbb5fc191f7e51a861b997a

Attributes

reg_key
d8dd25933bbb5fc191f7e51a861b997a
splitter
|'|'|

Signatures

Njrat family
njrat

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Setup_Update/SetupUpdate.exe
unpack001/Setup_Update/hidserv.dll
unpack001/Setup_Update/hlink.dll
unpack001/Setup_Update/hmkd.dll

Files

Setup_Update.zip
.zip
Setup_Update/SetupUpdate.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 35KB - Virtual size: 34KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 576B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Setup_Update/TUTORIAL.txt
Setup_Update/hidserv.dll
.dll windows:10 windows x64 arch:x64

5b244aaf586cec4ff1ba79dabf3d4672

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

hidserv.pdb

Imports

msvcrt

_amsg_exit
free
_initterm
__C_specific_handler
malloc
_XcptFilter
memset

ntdll

RtlLookupFunctionEntry
RtlCaptureContext
RtlPublishWnfStateData
EtwUnregisterTraceGuids
RtlVirtualUnwind
EtwTraceMessage
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
EtwRegisterTraceGuidsW
EtwGetTraceEnableFlags

api-ms-win-service-core-l1-1-0

RegisterServiceCtrlHandlerExW
SetServiceStatus

api-ms-win-service-management-l1-1-0

StartServiceW
OpenSCManagerW
OpenServiceW
CloseServiceHandle

api-ms-win-service-management-l2-1-0

QueryServiceConfigW
ChangeServiceConfigW

kernel32

DelayLoadFailureHook
ResolveDelayLoadedAPI
CreateFileW
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
Sleep
LocalFree
WaitForSingleObject
CreateEventW
CloseHandle
CreateThread
ReadFile
CancelIo
WaitForMultipleObjects
CreateMutexW
OpenEventW
ReleaseMutex
GetLastError
SetEvent
GetProcAddress
WTSGetActiveConsoleSessionId
FreeLibrary
SleepEx
LoadLibraryExW
CompareStringW
LocalAlloc

hid

HidD_GetHidGuid
HidP_GetScaledUsageValue
HidP_MaxUsageListLength
HidP_GetButtonCaps
HidD_GetAttributes
HidP_GetUsages
HidP_GetUsageValue
HidP_GetValueCaps
HidP_GetLinkCollectionNodes
HidP_GetCaps
HidD_GetPreparsedData
HidD_FreePreparsedData

cfgmgr32

CM_Get_DevNode_Registry_PropertyW
CM_Get_Parent
CM_Get_Child
CM_Get_Sibling

user32

SendNotifyMessageW
TranslateMessage
KillTimer
SystemParametersInfoW
UnregisterDeviceNotification
GetGUIThreadInfo
SendInput
PostMessageW
SetTimer
DefWindowProcW
DestroyWindow
GetMessageW
DispatchMessageW
RegisterDeviceNotificationW
RegisterClassExW
UnregisterClassW
CreateWindowExW

Exports

Exports

InstallHidserv
ServiceMain

Sections

.text
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 816B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 40B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 72B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Setup_Update/hlink.dll
.dll regsvr32 windows:10 windows x64 arch:x64

009902bd4acb32a7dd909f808775fd6e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

hlink.pdb

Imports

msvcrt

memcpy
strcpy_s
__C_specific_handler
_strnicmp
isdigit
memmove
_wcsnicmp
iswdigit
wcschr
memcpy_s
wcsnlen
strcat_s
_vsnwprintf
memcmp
swprintf_s
strchr
_ultow_s
memmove_s
_XcptFilter
_amsg_exit
free
malloc
_initterm
_lock
_unlock
__dllonexit
_onexit
memset
sprintf_s
strcmp

advapi32

RegDeleteKeyA
RegQueryValueA
RegQueryValueExW
RegOpenKeyExW
RegSetValueExA
RegSetValueExW
RegCreateKeyExW
RegCreateKeyExA
RegCloseKey
RegQueryValueExA
RegOpenKeyExA

kernel32

RtlCaptureContext
Sleep
LoadLibraryExA
LeaveCriticalSection
CreateSemaphoreExW
CreateMutexExW
RtlLookupFunctionEntry
WinExec
CreateThreadpoolTimer
OpenSemaphoreW
DeleteCriticalSection
InitializeCriticalSectionEx
EnterCriticalSection
WaitForSingleObjectEx
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitOnceExecuteOnce
GetCommandLineW
GetCurrentProcessId
WaitForThreadpoolTimerCallbacks
GetVersionExA
DisableThreadLibraryCalls
GlobalFree
GlobalAlloc
GlobalLock
GlobalUnlock
GetTickCount
lstrcmpiA
UnmapViewOfFile
CloseHandle
CreateFileMappingA
GetLastError
MapViewOfFile
CreateMutexA
WaitForSingleObject
ReleaseMutex
GetCurrentThreadId
OpenFileMappingA
OpenMutexA
lstrcmpiW
GetStringTypeExW
GetStringTypeExA
MultiByteToWideChar
WideCharToMultiByte
GetPrivateProfileStringW
GetPrivateProfileStringA
WritePrivateProfileStringW
WritePrivateProfileStringA
LoadLibraryA
GetProcAddress
GetModuleFileNameA
CreateFileW
CreateFileA
GetFileSize
GetFileAttributesW
GetFileAttributesA
FormatMessageW
HeapAlloc
GetProcessHeap
HeapFree
GetModuleHandleExW
DebugBreak
GetModuleHandleW
IsDebuggerPresent
OutputDebugStringW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared
SetLastError
ReleaseSemaphore
SetThreadpoolTimer
CloseThreadpoolTimer

user32

CharNextA
LoadStringA
RegisterClipboardFormatA
LoadStringW
MessageBoxW
GetActiveWindow
CharUpperW
CharUpperA
CharPrevA

ole32

MkParseDisplayName
CoGetMalloc
CoUnmarshalInterface
CoMarshalInterface
CoGetMarshalSizeMax
CreateGenericComposite
CreateItemMoniker
StgCreateDocfile
CoLockObjectExternal
CreateAntiMoniker
GetHGlobalFromStream
CreateStreamOnHGlobal
OleSaveToStream
OleLoadFromStream
CreateFileMoniker
ProgIDFromCLSID
GetRunningObjectTable
ReleaseStgMedium
CreateBindCtx
CoCreateInstance

shell32

ShellExecuteA
DragQueryFileA
DragQueryFileW
ShellExecuteW
CommandLineToArgvW

shlwapi

StrStrIW
ord158
SHGetValueW
AssocCreate
ord215
UrlIsW

oleaut32

SysFreeString
SysStringLen

iertutil

CreateUri
ord700

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
HlinkClone
HlinkCreateBrowseContext
HlinkCreateExtensionServices
HlinkCreateFromData
HlinkCreateFromMoniker
HlinkCreateFromString
HlinkCreateShortcut
HlinkCreateShortcutFromMoniker
HlinkCreateShortcutFromString
HlinkGetSpecialReference
HlinkGetValueFromParams
HlinkIsShortcut
HlinkNavigate
HlinkNavigateToStringReference
HlinkOnNavigate
HlinkOnRenameDocument
HlinkParseDisplayName
HlinkPreprocessMoniker
HlinkQueryCreateFromData
HlinkResolveMonikerForData
HlinkResolveShortcut
HlinkResolveShortcutToMoniker
HlinkResolveShortcutToString
HlinkResolveStringForData
HlinkSetSpecialReference
HlinkTranslateURL
HlinkUpdateStackItem
OleSaveToStreamEx

Sections

.text
Size: 116KB - Virtual size: 114KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 476B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Setup_Update/hmkd.dll
.dll windows:10 windows x64 arch:x64

1677c54969f9e0f007e4a70459e756b9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

hmkd.pdb

Imports

msvcrt

free
_amsg_exit
_XcptFilter
??1type_info@@UEAA@XZ
_onexit
memmove
memcpy
__dllonexit
__C_specific_handler
__CxxFrameHandler3
_CxxThrowException
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
wcscmp
??0exception@@QEAA@AEBQEBD@Z
_unlock
_lock
_purecall
_callnewh
_initterm
malloc
memcpy_s
memset
??3@YAXPEAX@Z

tbs

Tbsi_Context_Create
Tbsip_Context_Close
Tbsip_Submit_Command

ncrypt

BCryptDuplicateKey
BCryptImportKey
BCryptEncrypt
BCryptDestroyHash
BCryptFinishHash
BCryptGetProperty
BCryptHashData
BCryptDestroyKey
BCryptDestroySecret
BCryptExportKey
BCryptSecretAgreement
BCryptFinalizeKeyPair
BCryptGenerateKeyPair
BCryptImportKeyPair
BCryptGenRandom
BCryptCreateHash
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider
NCryptGetProperty
BCryptDeriveKey

api-ms-win-core-synch-l1-1-0

EnterCriticalSection
InitializeCriticalSection
LeaveCriticalSection
DeleteCriticalSection

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
TerminateProcess

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter

Exports

Exports

HMKDCreateHmacKey
HMKDDeriveKey
HMKDGetHmacStatus
HMKDImportHmacKey

Sections

.text
Size: 44KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 436B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Setup_Update/hnetcfg.dll
.dll regsvr32 windows:10 windows x64 arch:x64

e11b37eebf78c5f0f6bbed1d692ab809

Code Sign

33:00:00:04:a8:82:e6:b8:ac:1c:5d:5f:f0:00:00:00:00:04:a8
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12-09-2024 20:04

Not After

11-09-2025 20:04

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

90:62:74:fb:03:c7:86:73:e6:c7:5e:31:ec:90:d7:5f:53:ab:ff:f3:7f:3a:48:e2:4a:59:3f:41:dd:b8:e1:19
Signer

Actual PE Digest

90:62:74:fb:03:c7:86:73:e6:c7:5e:31:ec:90:d7:5f:53:ab:ff:f3:7f:3a:48:e2:4a:59:3f:41:dd:b8:e1:19

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

HNetCfg.pdb

Imports

msvcrt

wcschr
mbstowcs
??3@YAXPEAX@Z
memset
realloc
_errno
??1type_info@@UEAA@XZ
_onexit
memcmp
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
memmove
memcpy
__CxxFrameHandler3
_CxxThrowException
?what@exception@@UEBAPEBDXZ
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBQEBD@Z
_callnewh
_wcsicmp
wcsstr
free
malloc
wcsncpy_s
__C_specific_handler
_vsnprintf_s
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
_purecall
memcpy_s
_vsnwprintf
??_V@YAXPEAX@Z
__CxxFrameHandler4
wcscmp

ntdll

RtlRegisterWait
RtlDeregisterWaitEx
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlIpv4StringToAddressW
VerSetConditionMask
EtwUnregisterTraceGuids
EtwRegisterTraceGuidsW
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwTraceMessage
NtDelayExecution

api-ms-win-core-libraryloader-l1-2-0

LoadStringW
FreeLibrary
FreeLibraryAndExitThread
LockResource
GetProcAddress
LoadLibraryExW
GetModuleHandleW
GetModuleFileNameA
GetModuleHandleExW
DisableThreadLibraryCalls
GetModuleFileNameW
FindResourceExW
LoadResource
SizeofResource

api-ms-win-core-synch-l1-1-0

CreateSemaphoreExW
DeleteCriticalSection
ReleaseSemaphore
EnterCriticalSection
CreateEventW
WaitForSingleObjectEx
ResetEvent
WaitForSingleObject
ReleaseMutex
LeaveCriticalSection
InitializeCriticalSection
OpenSemaphoreW
SetEvent
CreateMutexExW
InitializeCriticalSectionAndSpinCount

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

SetLastError
RaiseException
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError

api-ms-win-core-processthreads-l1-1-0

CreateThread
GetCurrentProcessId
GetCurrentProcess
GetCurrentThreadId
TerminateProcess

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
OutputDebugStringA
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle

rpcrt4

CStdStubBuffer_AddRef
NdrDllGetClassObject
CStdStubBuffer_DebugServerQueryInterface
IUnknown_AddRef_Proxy
CStdStubBuffer_Invoke
NdrCStdStubBuffer_Release
NdrDllCanUnloadNow
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_Connect
CStdStubBuffer_Disconnect
CStdStubBuffer_DebugServerRelease
NdrOleFree
NdrOleAllocate
CStdStubBuffer_QueryInterface
CStdStubBuffer_CountRefs
IUnknown_QueryInterface_Proxy
IUnknown_Release_Proxy

api-ms-win-core-com-midlproxystub-l1-1-0

ObjectStublessClient5
ObjectStublessClient3
ObjectStublessClient4
ObjectStublessClient10
ObjectStublessClient16
ObjectStublessClient12
ObjectStublessClient11
ObjectStublessClient17
ObjectStublessClient19
ObjectStublessClient13
ObjectStublessClient14
ObjectStublessClient15
ObjectStublessClient18
ObjectStublessClient7
ObjectStublessClient9
ObjectStublessClient6
ObjectStublessClient8
ObjectStublessClient20

api-ms-win-core-com-l1-1-0

CoRevertToSelf
CoImpersonateClient
CoInitializeEx
CoUninitialize
CoRevokeClassObject
CoSetProxyBlanket
CLSIDFromString
CoTaskMemFree
CoTaskMemRealloc
StringFromGUID2
CoRegisterClassObject
StringFromCLSID
CoCopyProxy
CoCreateInstance
CoTaskMemAlloc

api-ms-win-core-string-l2-1-0

CharNextW
CharPrevW

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegDeleteValueW
RegSetValueExW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegOpenKeyExW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

iphlpapi

ConvertInterfaceLuidToGuid
GetAdaptersAddresses

api-ms-win-service-management-l1-1-0

OpenServiceW
OpenSCManagerW
StartServiceW
CloseServiceHandle

api-ms-win-service-winsvc-l1-1-0

ControlService
QueryServiceStatus

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemDirectoryW
GetSystemTimeAsFileTime
GetComputerNameExW

api-ms-win-security-base-l1-1-0

FreeSid
CheckTokenMembership
AllocateAndInitializeSid

api-ms-win-core-heap-l2-1-0

LocalAlloc
GlobalFree
LocalFree
GlobalAlloc

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW
FindResourceW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-ntuser-ie-window-l1-1-0

RemovePropW
GetWindowRect
SetWindowPos
GetWindowLongW
SetWindowLongW
GetParent
GetWindowTextW
GetPropW
CallWindowProcW
GetWindowLongPtrW
SetWindowLongPtrW
SetPropW
IsWindowEnabled
GetClientRect
SetFocus
ShowWindow
EnableWindow
SetWindowTextW
BeginDeferWindowPos
DeferWindowPos
EndDeferWindowPos

api-ms-win-ntuser-ie-message-l1-1-0

PostMessageW
SendMessageW

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW
lstrlenW
lstrcmpA
lstrcmpiW

api-ms-win-core-privateprofile-l1-1-0

GetPrivateProfileStringW

api-ms-win-ntuser-sysparams-l1-1-0

GetSystemMetrics

api-ms-win-core-atoms-l1-1-0

GlobalAddAtomW
GlobalDeleteAtom

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW

userenv

UnregisterGPNotification
RegisterGPNotification

api-ms-win-core-io-l1-1-0

GetOverlappedResult

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx
QueueUserWorkItem

api-ms-win-core-kernel32-legacy-l1-1-0

RegisterWaitForSingleObject

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

gpapi

ord107

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
HNetDeleteRasConnection
HNetFreeSharingServicesPage
HNetGetFirewallSettingsPage
HNetGetSharingServicesPage
HNetSharedAccessSettingsDlg
HNetSharingAndFirewallSettingsDlg
RegisterClassObjects
ReleaseSingletons
RevokeClassObjects
WinBomConfigureWindowsFirewall

Sections

.text
Size: 316KB - Virtual size: 313KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 100KB - Virtual size: 99KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 872B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 35KB - Virtual size: 34KB

.rsrc Size: 1024B - Virtual size: 576B

.reloc Size: 512B - Virtual size: 12B

5b244aaf586cec4ff1ba79dabf3d4672

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-service-core-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-management-l2-1-0

kernel32

hid

cfgmgr32

user32

Exports

Exports

Sections

.text Size: 24KB - Virtual size: 23KB

.rdata Size: 8KB - Virtual size: 6KB

.data Size: 4KB - Virtual size: 2KB

.pdata Size: 4KB - Virtual size: 816B

.didat Size: 4KB - Virtual size: 40B

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 72B

009902bd4acb32a7dd909f808775fd6e

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

advapi32

kernel32

user32

ole32

shell32

shlwapi

oleaut32

iertutil

Exports

Exports

Sections

.text Size: 116KB - Virtual size: 114KB

.rdata Size: 20KB - Virtual size: 19KB

.data Size: 4KB - Virtual size: 2KB

.pdata Size: 8KB - Virtual size: 4KB

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 476B

1677c54969f9e0f007e4a70459e756b9

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

tbs

ncrypt

api-ms-win-core-synch-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

.text
Size: 35KB - Virtual size: 34KB

.rsrc
Size: 1024B - Virtual size: 576B

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 24KB - Virtual size: 23KB

.rdata
Size: 8KB - Virtual size: 6KB

.data
Size: 4KB - Virtual size: 2KB

.pdata
Size: 4KB - Virtual size: 816B

.didat
Size: 4KB - Virtual size: 40B

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 72B

.text
Size: 116KB - Virtual size: 114KB

.rdata
Size: 20KB - Virtual size: 19KB

.data
Size: 4KB - Virtual size: 2KB

.pdata
Size: 8KB - Virtual size: 4KB

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 476B

.text
Size: 44KB - Virtual size: 40KB

.rdata
Size: 16KB - Virtual size: 13KB

.data
Size: 4KB - Virtual size: 2KB

.pdata
Size: 4KB - Virtual size: 1KB

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 436B

33:00:00:04:a8:82:e6:b8:ac:1c:5d:5f:f0:00:00:00:00:04:a8
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

90:62:74:fb:03:c7:86:73:e6:c7:5e:31:ec:90:d7:5f:53:ab:ff:f3:7f:3a:48:e2:4a:59:3f:41:dd:b8:e1:19
Signer

.text
Size: 316KB - Virtual size: 313KB

.rdata
Size: 100KB - Virtual size: 99KB

.data
Size: 4KB - Virtual size: 6KB

.pdata
Size: 16KB - Virtual size: 13KB

.didat
Size: 4KB - Virtual size: 872B