agenttesla | BastianHein Malware samples[.]zip

Sharing

Reason

error processing APK: readat analyses/250324/250324-ygyhfsyks8/static1/unpack001/BastianHein Malware samples/hamm/FF120262860500BAD3236F6E5BA5646F9A4152A9EB4CBFE837EDA4776A03F9EF .bat: negative offset

General

Target

BastianHein Malware samples.zip
Size

383.3MB
MD5

02c4b8634f78e28d57771c6d772d1f02
SHA1

722d093a07a56df8889cdccaabda0d8365e4cc6c
SHA256

e38ccf1e063def469086780d196f6810bd63d0bb09f0cf6d1caae9e537c398a6
SHA512

f88a9b8307922d4c27b564a9c48c68f00f7fb121433478d2d1d3dcf7bd9b832ea2639942ed717723217fef320bc071c26b01718a7a39c837dfc671e6439b7979
SSDEEP

6291456:SStz8RrF6hOEfIGtIcIw3e40ICQHfUcs1vn9Tp9re9mKcafLWxRyz4I9GXMAlKdv:uRJOOEfIGtIcIw3e40ICQHfUcsV9V96/

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6118451923:AAE5b-PwqcIYRWOSTvI2HWoqu2xjLtG2iDA/sendMessage?chat_id=5725945887

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

BwRat 1.0.0

Botnet

Default

127.0.0.1:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Fagootinc GROUP

192.168.0.178:9250

Mutex

Env3rSdhZhcn

Attributes

delay
3
install
true
install_file
LSRPDRFR.exe
install_folder
%AppData%

aes.plain

Extracted

Family

blackguard

http://funkyjazz.me/

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Extracted

Family

discordrat

Attributes

discord_token
MTMzMDYxOTg4NTMzMTQxNTEyMA.GvolIj.JCM-OtlpaFBedk3GoFB_aY1Hi31oF4XpkLv81A
server_id
1330576263034699828

Extracted

Family

redline

Botnet

cheat

billred229102.duckdns.org:26546

Extracted

Family

remcos

Botnet

zyn

kobo2025rmc.duckdns.org:14646

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZU8BO7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

xworm

37.114.39.23:5555

127.0.0.1:7000

Attributes

Install_directory
%ProgramData%
install_file
srtm.exe

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Extracted

Family

darkcomet

Botnet

Guest16_min

xerxesrox.no-ip.biz:83

Mutex

DCMIN_MUTEX-EHQMHJU

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
PcrJ6QRL7ZlH
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

rc4.plain

Extracted

Family

mirai

boki.ug-rp.info

Extracted

Family

formbook

Version

4.1

Campaign

a02d

Decoy

coplus.market

oofing-jobs-74429.bond

healchemists.xyz

oofcarpenternearme-jp.xyz

enewebsolutions.online

harepoint.legal

88977.club

omptables.xyz

eat-pumps-31610.bond

endown.graphics

amsexgirls.website

ovevibes.xyz

u-thiensu.online

yblinds.xyz

rumpchiefofstaff.store

erzog.fun

rrm.lat

agiclime.pro

agaviet59.shop

lbdoanhnhan.net

Extracted

Family

formbook

Version

4.1

Campaign

i62s

Decoy

nvee.info

ovixo.shop

edical-services-36754.bond

iv-test-46512.bond

log103accountbest.shop

cbogamuzrjud.shop

elegaemra.live

razyanimal.art

rasilcap-iagen.info

hy5w9nv.top

ental-age-testing-ai-now.today

ztsuponline.top

esmiid.net

hdpafagrwzwmz.shop

nriqueavila01justresume.click

perationsznl.top

arwrapping-us-44807679.live

oolsvote.shop

1594.net

umanitarkhrestsoc.cyou

Extracted

Family

blihanstealer

Mutex

pomdfghrt

Attributes

user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; CIBA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Signatures

Agenttesla family
agenttesla

Async RAT payload 3 IoCs

rat

resource	yara_rule
static1/unpack001/BastianHein Malware samples/AsyncRAT/AsyncRAT-0e1c49b6f18f737c17423eed597f37bab695ef39a605c4273757e6f00438e14b.exe	family_asyncrat
static1/unpack001/BastianHein Malware samples/AsyncRAT/AsyncRAT-ebdd545410d74a5b7d323f4742f7bc9f056d3e5a00ce72095fc6f475bba0723a.exe	family_asyncrat
static1/unpack001/BastianHein Malware samples/AsyncRAT/AsyncRAT-f51ead138a3878cf9583205d32a173a3a2aba042da75fa87f6e0c4dd7b4504a9.exe	family_asyncrat

Asyncrat family
asyncrat
Berbew family
berbew
Blackguard family
blackguard
Blackmoon family
blackmoon
Blihanstealer family
blihanstealer

Cobalt Strike reflective loader 26 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-20_07bc98d5c9bd592d763109b1d8c6b93c_cobalt-strike_cobaltstrike_poet-rat	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_0b786960662ee07f2283af45c9f333a3_cobalt-strike_cobaltstrike_poet-rat	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_1bc77af5cda61769d36985b36b813e8f_cobalt-strike_cobaltstrike_poet-rat	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_3bc05a287de51e1cfe5d51ab73e3042f_cobalt-strike_cobaltstrike_poet-rat	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_747627c33118f775c37ca927a1cd671d_cobalt-strike_cobaltstrike_poet-rat	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_98c1e0ec4dc2b7c0eb37ac383bbd8ae0_cobalt-strike_cobaltstrike_poet-rat	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_e3547c7a0790c549109ce0abb2839b80_cobalt-strike_cobaltstrike_poet-rat	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_e4ee45b3511305ada6d78e651eb3e03d_cobalt-strike_cobaltstrike_poet-rat	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_f02e8c800922ad581bd49db9053c5ad4_cobalt-strike_cobaltstrike_poet-rat	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-25_e12131df52f9767d151b87d429e7091d_cobalt-strike_cobaltstrike_poet-rat.exe	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-27_56f77a2a3a97469c694f466c81c7dc0f_cobalt-strike_cobaltstrike_poet-rat.exe	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-27_8fe7246cad8c25f7be284ceb1638f8d1_cobalt-strike_cobaltstrike_poet-rat.exe	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-27_c4c3e600067a77381eb7ee3ea84df4a2_cobalt-strike_cobaltstrike_poet-rat.exe	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-27_c81f31bdddc564f059c63088074fea6d_cobalt-strike_cobaltstrike_poet-rat	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-28_df939c4cef1865d9ab2573984d14b444_cobalt-strike_cobaltstrike_poet-rat.exe	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_23324854d7a957ed61b0d1e9c8d3787d_cobalt-strike_cobaltstrike_poet-rat.exe	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_4ef9d670f043c1bbf5847b79e6990201_cobalt-strike_cobaltstrike_poet-rat.exe	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_5dddc97aa8de9118d357945b407b9cdf_cobalt-strike_cobaltstrike_poet-rat.exe	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_8db813fda6e07735cc26f178a165ddae_cobalt-strike_cobaltstrike_poet-rat.exe	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_94e7b6e64fbd2db94cf600eabdb90c66_cobalt-strike_cobaltstrike_poet-rat.exe	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-30_82bb28ed6217161f2dc8d9dcc825484b_cobalt-strike_cobaltstrike_poet-rat.exe	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-30_8608d0f5072ffd3f75b4b6ffc0f86f28_cobalt-strike_cobaltstrike_poet-rat.exe	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-30_b0baaa3b72d0580dc23840131ff41985_cobalt-strike_cobaltstrike_poet-rat.exe	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-02-01_432095b88894c4d3bb99c6a90403429b_cobalt-strike_cobaltstrike_poet-rat.exe	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-02-04_0ee70892c83663e033ee9bd29d5b0fff_cobalt-strike_cobaltstrike_poet-rat_snatch.exe	cobalt_reflective_dll
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-02-04_1f6236cf265f053f7dd5d9a6db70d8c7_cobalt-strike_cobaltstrike_poet-rat_snatch.exe	cobalt_reflective_dll

Cobaltstrike family
cobaltstrike

DCRat payload 3 IoCs

rat

resource	yara_rule
static1/unpack001/BastianHein Malware samples/DcRat/DarkCristalRAT-7f435bef5663b3d191b82230b2c96d50cdd1d5aec7b516dd0152ff8f2f8a0667.exe	family_dcrat_v2
static1/unpack001/BastianHein Malware samples/DcRat/HEUR.Trojan-Spy.MSIL.Stealer.gen-40603df340cee8c3d00939469470a28acbf64401ec12d32ba68fe54e7f04c6d4.exe	dcrat
static1/unpack001/BastianHein Malware samples/DcRat/mega porno.exe	dcrat

Darkcomet family
darkcomet
Dcrat family
dcrat

Detect Blackmoon payload 4 IoCs

resource	yara_rule
static1/unpack001/BastianHein Malware samples/blackmoon/2025-01-28_35490cab569419795dfb2018f9a17976_icedid_xiaobaminer.exe	family_blackmoon
static1/unpack001/BastianHein Malware samples/blackmoon/2025-01-28_4a7df03a574c6271c839684f540a7a4d_icedid_xiaobaminer.exe	family_blackmoon
static1/unpack001/BastianHein Malware samples/blackmoon/2025-01-29_69b41cf98c265e6dcc00161fd0f300c0_icedid_xmrig.exe	family_blackmoon
static1/unpack001/BastianHein Malware samples/blackmoon/2025-01-29_73793810b24bed54a0d892dd76b3baab_luca-stealer_mafia_metamorfo.exe	family_blackmoon

Detect Neshta payload 1 IoCs

resource	yara_rule
static1/unpack001/BastianHein Malware samples/spyware/fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe	family_neshta

Detect Xworm Payload 2 IoCs

resource	yara_rule
static1/unpack001/BastianHein Malware samples/XwormRAT/XwormRAT-4f7c6539db5778bc0fb3980846786a8d08ff96989d3692e9cb09016a647bbcdb.exe	family_xworm
static1/unpack001/BastianHein Malware samples/XwormRAT/XwormRAT-ffc9cbd3d4b61402ddbbb7596e5929a1c0952a0fe35a4537cdca8bc6a65d7c37.exe	family_xworm

Discordrat family
discordrat
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
static1/unpack001/BastianHein Malware samples/formbook/2656-25-0x0000000000400000-0x000000000042F000-memory.exe	formbook
static1/unpack001/BastianHein Malware samples/formbook/FormBook-34517e69384b6b82ef9411783dc2683d6d7ae0f4b298370dd3b489f9ccd817fa.exe	formbook

Gh0st RAT payload 1 IoCs

resource	yara_rule
static1/unpack001/BastianHein Malware samples/GhostRat/2cba103a4023e6be7f5285499150fe00.exe	family_gh0strat

Gh0strat family
gh0strat
Mirai family
mirai
Neshta family
neshta
Njrat family
njrat
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
static1/unpack001/BastianHein Malware samples/AzoRult/3a4a38ed839a1f73825b8456fc1efa73a65a7af25ba3513472d05cfac5ecef78.exe	family_quasar

RedLine payload 1 IoCs

resource	yara_rule
static1/unpack001/BastianHein Malware samples/RedLineStealer/8e10fe5a2aeb3e337b184bfbb2c8ef2f256115c287ba664523ff91eb9181f56c.dll.exe	family_redline

Redline family
redline
Remcos family
remcos

SectopRAT payload 1 IoCs

resource	yara_rule
static1/unpack001/BastianHein Malware samples/RedLineStealer/8e10fe5a2aeb3e337b184bfbb2c8ef2f256115c287ba664523ff91eb9181f56c.dll.exe	family_sectoprat

Sectoprat family
sectoprat

StormKitty payload 1 IoCs

resource	yara_rule
static1/unpack001/BastianHein Malware samples/AsyncRAT/AsyncRAT-0e1c49b6f18f737c17423eed597f37bab695ef39a605c4273757e6f00438e14b.exe	family_stormkitty

Stormkitty family
stormkitty

XMRig Miner payload 29 IoCs

miner

resource	yara_rule
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-20_07bc98d5c9bd592d763109b1d8c6b93c_cobalt-strike_cobaltstrike_poet-rat	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_0b786960662ee07f2283af45c9f333a3_cobalt-strike_cobaltstrike_poet-rat	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_1bc77af5cda61769d36985b36b813e8f_cobalt-strike_cobaltstrike_poet-rat	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_3bc05a287de51e1cfe5d51ab73e3042f_cobalt-strike_cobaltstrike_poet-rat	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_747627c33118f775c37ca927a1cd671d_cobalt-strike_cobaltstrike_poet-rat	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_98c1e0ec4dc2b7c0eb37ac383bbd8ae0_cobalt-strike_cobaltstrike_poet-rat	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_e3547c7a0790c549109ce0abb2839b80_cobalt-strike_cobaltstrike_poet-rat	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_e4ee45b3511305ada6d78e651eb3e03d_cobalt-strike_cobaltstrike_poet-rat	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_f02e8c800922ad581bd49db9053c5ad4_cobalt-strike_cobaltstrike_poet-rat	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-25_e12131df52f9767d151b87d429e7091d_cobalt-strike_cobaltstrike_poet-rat.exe	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-27_56f77a2a3a97469c694f466c81c7dc0f_cobalt-strike_cobaltstrike_poet-rat.exe	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-27_8fe7246cad8c25f7be284ceb1638f8d1_cobalt-strike_cobaltstrike_poet-rat.exe	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-27_c4c3e600067a77381eb7ee3ea84df4a2_cobalt-strike_cobaltstrike_poet-rat.exe	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-27_c81f31bdddc564f059c63088074fea6d_cobalt-strike_cobaltstrike_poet-rat	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-28_df939c4cef1865d9ab2573984d14b444_cobalt-strike_cobaltstrike_poet-rat.exe	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_23324854d7a957ed61b0d1e9c8d3787d_cobalt-strike_cobaltstrike_poet-rat.exe	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_4ef9d670f043c1bbf5847b79e6990201_cobalt-strike_cobaltstrike_poet-rat.exe	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_5dddc97aa8de9118d357945b407b9cdf_cobalt-strike_cobaltstrike_poet-rat.exe	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_8db813fda6e07735cc26f178a165ddae_cobalt-strike_cobaltstrike_poet-rat.exe	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_94e7b6e64fbd2db94cf600eabdb90c66_cobalt-strike_cobaltstrike_poet-rat.exe	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-30_82bb28ed6217161f2dc8d9dcc825484b_cobalt-strike_cobaltstrike_poet-rat.exe	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-30_8608d0f5072ffd3f75b4b6ffc0f86f28_cobalt-strike_cobaltstrike_poet-rat.exe	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-30_b0baaa3b72d0580dc23840131ff41985_cobalt-strike_cobaltstrike_poet-rat.exe	xmrig
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-02-01_432095b88894c4d3bb99c6a90403429b_cobalt-strike_cobaltstrike_poet-rat.exe	xmrig
static1/unpack001/BastianHein Malware samples/XMRIG/2025-01-30_bc04d3d67bd15341a38cc82816740acd_cobalt-strike_polyvice_xmrig	xmrig
static1/unpack001/BastianHein Malware samples/XMRIG/2025-01-30_bc04d3d67bd15341a38cc82816740acd_cobalt-strike_polyvice_xmrig	family_xmrig
static1/unpack001/BastianHein Malware samples/XMRIG/adivina.exe	family_xmrig_powershell_dropper
static1/unpack001/BastianHein Malware samples/blackmoon/2025-01-29_69b41cf98c265e6dcc00161fd0f300c0_icedid_xmrig.exe	xmrig
static1/unpack001/BastianHein Malware samples/elf/adivina	family_xmrig_powershell_dropper

Xmrig family
xmrig
Xworm family
xworm

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
static1/unpack001/BastianHein Malware samples/AsyncRAT/AsyncRAT-1bc071f4c896be8efa58f95700af9335d7fe356a49356be84cbd28bf205a9959.exe	themida

AutoIT Executable 23 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
static1/unpack001/BastianHein Malware samples/AgentTesla/197b8f685fe939f045c8c17c01ab6811d2ad9f47ef63ddc3e667443966c0a005	autoit_exe
static1/unpack001/BastianHein Malware samples/AgentTesla/197b8f685fe939f045c8c17c01ab6811d2ad9f47ef63ddc3e667443966c0a005.exe	autoit_exe
static1/unpack001/BastianHein Malware samples/AgentTesla/309c72a0cfc3bd2a848c978921abe215da76dd3aa38f3221d28cb6524c35ba85	autoit_exe
static1/unpack003/QUOTATION#008699.exe	autoit_exe
static1/unpack001/BastianHein Malware samples/AgentTesla/AgentTesla-3b6632b43aa88d79aa9bdcf19f38f11fd3b0a86915cef4408e390a4d70f068cd.exe	autoit_exe
static1/unpack001/BastianHein Malware samples/AgentTesla/COTIZACIÓN ORDEN DE COMPRA 86352____________________________________________pdf.exe	autoit_exe
static1/unpack001/BastianHein Malware samples/AgentTesla/INQ No.KP-44-00-PS-PI-INQ-0026.exe	autoit_exe
static1/unpack001/BastianHein Malware samples/AgentTesla/Orden de compra 36530 PI-18789.exe	autoit_exe
static1/unpack001/BastianHein Malware samples/AgentTesla/Orden de compra 834290125.exe	autoit_exe
static1/unpack001/BastianHein Malware samples/AgentTesla/PO-67642.exe	autoit_exe
static1/unpack001/BastianHein Malware samples/AgentTesla/RFQ_Product_Service Name_Priority_Order_Deadline_This_Week.scr	autoit_exe
static1/unpack001/BastianHein Malware samples/AgentTesla/SHIPPINGDOCUMENT.exe	autoit_exe
static1/unpack001/BastianHein Malware samples/AgentTesla/a9811a63013f9a7fc654c88ab730f86187ef992231b230968c6d82a1e5ae5482.exe	autoit_exe
static1/unpack005/out.upx	autoit_exe
static1/unpack001/BastianHein Malware samples/AgentTesla/doc02902501025.exe	autoit_exe
static1/unpack001/BastianHein Malware samples/AzoRult/3a4a38ed839a1f73825b8456fc1efa73a65a7af25ba3513472d05cfac5ecef78.exe	autoit_exe
static1/unpack001/BastianHein Malware samples/RedLineStealer/33933960a12c42cfc5240325d9cb332b6f609ebeafa257f3fa7603cd82436552.exe	autoit_exe
static1/unpack001/BastianHein Malware samples/RemcosRat/1218876bc6c34ebcc73be253436e4a48e83c36ddc71b35cc10265073adce380c	autoit_exe
static1/unpack001/BastianHein Malware samples/RemcosRat/2c9e0f36dceb0c4a806dc23512747ee70a487fce3ad4a38474ea31f321e0f438.exe	autoit_exe
static1/unpack001/BastianHein Malware samples/RemcosRat/38052ddd9c64e44bd2631ae021c1e973bed0ddfc8be6c3b2714011647c551d53.exe	autoit_exe
static1/unpack001/BastianHein Malware samples/SnakeKeyLogger/35c15f0e2e558228afbff51b637bfd6e206c0d388a9296590b08d0b64bc6297a.exe	autoit_exe
static1/unpack001/BastianHein Malware samples/revengeRat/4cce13ad0d0f35ef0fe324ddebb0f7d567611c407c0c0029419d73c049d4e6d8N.exe	autoit_exe
static1/unpack001/BastianHein Malware samples/revengeRat/4ee0ec29adfa239c36143e772654ba2fc40cdbc15e3452e44e5148fdd96327da.exe	autoit_exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/BastianHein Malware samples/AgentTesla/ac0c869888d9501a709cb33762d8062ecf7139116a4c0dbe07171f2c5a77b96c	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-20_07bc98d5c9bd592d763109b1d8c6b93c_cobalt-strike_cobaltstrike_poet-rat	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_0b786960662ee07f2283af45c9f333a3_cobalt-strike_cobaltstrike_poet-rat	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_1bc77af5cda61769d36985b36b813e8f_cobalt-strike_cobaltstrike_poet-rat	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_3bc05a287de51e1cfe5d51ab73e3042f_cobalt-strike_cobaltstrike_poet-rat	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_747627c33118f775c37ca927a1cd671d_cobalt-strike_cobaltstrike_poet-rat	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_98c1e0ec4dc2b7c0eb37ac383bbd8ae0_cobalt-strike_cobaltstrike_poet-rat	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_e3547c7a0790c549109ce0abb2839b80_cobalt-strike_cobaltstrike_poet-rat	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_e4ee45b3511305ada6d78e651eb3e03d_cobalt-strike_cobaltstrike_poet-rat	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_f02e8c800922ad581bd49db9053c5ad4_cobalt-strike_cobaltstrike_poet-rat	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-25_e12131df52f9767d151b87d429e7091d_cobalt-strike_cobaltstrike_poet-rat.exe	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-27_56f77a2a3a97469c694f466c81c7dc0f_cobalt-strike_cobaltstrike_poet-rat.exe	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-27_8fe7246cad8c25f7be284ceb1638f8d1_cobalt-strike_cobaltstrike_poet-rat.exe	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-27_c4c3e600067a77381eb7ee3ea84df4a2_cobalt-strike_cobaltstrike_poet-rat.exe	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-27_c81f31bdddc564f059c63088074fea6d_cobalt-strike_cobaltstrike_poet-rat	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-28_df939c4cef1865d9ab2573984d14b444_cobalt-strike_cobaltstrike_poet-rat.exe	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_23324854d7a957ed61b0d1e9c8d3787d_cobalt-strike_cobaltstrike_poet-rat.exe	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_4ef9d670f043c1bbf5847b79e6990201_cobalt-strike_cobaltstrike_poet-rat.exe	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_5dddc97aa8de9118d357945b407b9cdf_cobalt-strike_cobaltstrike_poet-rat.exe	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_8db813fda6e07735cc26f178a165ddae_cobalt-strike_cobaltstrike_poet-rat.exe	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_94e7b6e64fbd2db94cf600eabdb90c66_cobalt-strike_cobaltstrike_poet-rat.exe	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-30_82bb28ed6217161f2dc8d9dcc825484b_cobalt-strike_cobaltstrike_poet-rat.exe	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-30_8608d0f5072ffd3f75b4b6ffc0f86f28_cobalt-strike_cobaltstrike_poet-rat.exe	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-30_b0baaa3b72d0580dc23840131ff41985_cobalt-strike_cobaltstrike_poet-rat.exe	upx
static1/unpack001/BastianHein Malware samples/Cobaltstrike/2025-02-01_432095b88894c4d3bb99c6a90403429b_cobalt-strike_cobaltstrike_poet-rat.exe	upx
static1/unpack001/BastianHein Malware samples/Prometei/1fc2e9c09273238015bbb12b66bf78c1e0b31f543c0c4b1a4c1c085b9baf95c4.elf	upx
static1/unpack001/BastianHein Malware samples/Prometei/716585e00bd74b0215ac99053cda914e58dd90af2d1be1cc2e94ac5324994e59.elf	upx
static1/unpack001/BastianHein Malware samples/Prometei/f5222424c27095ff4a71a3b3b9e14dd2ba001a89a4c44ece9877ee4cbc368050.elf	upx
static1/unpack001/BastianHein Malware samples/Prometei/fe1f096ec8b228265af05d76901fd0125f67a88ddc4dfd2e486c1ee6504227cc.elf	upx
static1/unpack001/BastianHein Malware samples/Ransomware/7182b75194b976c5aa46654baca5c2736309a9ee6108d76c6fe10a171083d6db.exe	upx
static1/unpack001/BastianHein Malware samples/Ransomware/8b60d946a1e6e850db92da6e21a39fbf182c660c9c089d48b1d547f24b4abc36.exe	upx
static1/unpack001/BastianHein Malware samples/Ransomware/fed4bc35216d2788c03c47bbcb71aa99a2714ab803999066df98eb52a2fd1057N.exe	upx
static1/unpack001/BastianHein Malware samples/RemcosRat/remcos_a_encrypted_decrypted.exe	upx
static1/unpack001/BastianHein Malware samples/XwormRAT/XwormRAT-760a3b7f4efe07c216e3a317f04ddc0f1e3f89c48997503bde708cff81fad7ad.exe	upx
static1/unpack001/BastianHein Malware samples/blackmoon/38803273f78fddff5d8a05f62926f3f557f58ea1455658864d54425a75d88398N.exe	upx
static1/unpack001/BastianHein Malware samples/blackmoon/4615496d4e7df4170805f0b7a79adaf5.exe	upx
static1/unpack001/BastianHein Malware samples/blackmoon/79272f405999d6971d9a6b4cf6c497990988db06c74b31550f93e8dfeb1b35b4.exe	upx
static1/unpack001/BastianHein Malware samples/darkcomet/6ed9ff5400c6d67dd68f7bdbb5842e72.exe	upx
static1/unpack001/BastianHein Malware samples/revengeRat/91527413a929193ca82cba1f856c5203355524ba588651bbe88a623a1125e51c.exe	upx
static1/unpack001/BastianHein Malware samples/revengeRat/ccfcd88a55fd550f63d8ba2c045c08522ec1b3815b22bac3d2ddaf1d392e35bbN.exe	upx
static1/unpack001/BastianHein Malware samples/spyware/21178fd1cb20560b93cfdce1c04d98305bf162ad2e22a0350d5056d23af6ae9cN.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/00780717a0350d74c06b227f236f6826c4b53c19ca7e1a99187c6c11dd905fa9N.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/0c81de86734b9572a69818e7a3ebb50cacc4c460d676b5cf0f42b2647cfc7959.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/13c56dbd6fc67255336e251cfa23944f5cbb31fb35d91ab470e69ec3b1e0128bN.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/203fa5b045bcc12dfe50844639897dea253bbbc19a0480d10e6f73eac37323d8N.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/33c3d0c4847980dc79536ef491e596c6365d75d736bf8aabb814f995f6deb6f8.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/38a2f2d0fbb26e1f2ab109d4779cd31e79244298a6ceb83bf483a0268dc8e355N.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/3d31b34ad1ae466cb169d16c8fe3d4a0f3291aa58222adc35cd74460cb99630a.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/49616b669ede0d88f952af00531ebec3351414ff965dfeff5b0964b4ac838049N.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/4ed83478f1cd128443282f0735c777a0c2dae6513e1d9695891f83040f346818.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/577051e5764910b6f18d528013165a720356112dd338698280a76e7b2a6e24d1.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/5a3e3f8b66b307f9fcc4ef8e6a68d3fd8e416b3716cfd5f6c0893a33b5169765N.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/5b2930f1c0cc9a040aee1c14eb6fa61072cc45d881994ed2975f6fd2354d8dde.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/65a67b7e0bd34ae4c1de6de8b3c6c3db7c09ae526af4914bb012f13abf927d26.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/694decb30226b8e3da044ce0ad963bbeff1af9af4a94c0527a954de6cbd08da6	upx
static1/unpack001/BastianHein Malware samples/tinba/7087bf238addbd8ada881d9014fa1313e3286c3f24080400ad1560b4fbef52e1.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/7087bf238addbd8ada881d9014fa1313e3286c3f24080400ad1560b4fbef52e1N.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/73deb6fc408b72da99cd831db55a06a92230c6f834e3cf31fd8854bd6b93d68c	upx
static1/unpack001/BastianHein Malware samples/tinba/762984acc17f00c41045116b954ea047c665c391f0326101d46b640022037dd4.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/9071909cfd852693300404833275c708c789f1bc2d3588d2121c159ff1b479c0.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/919ebd053037624564b29179ef6e0f58bd29ff9bffb98fe76856380266039ed6N.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/98c895f9acf465a671d1dbaa13318b60060d37ae16481da3a6a9e483cb2b05ad.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/b97c1992b1a0dbbc8cb79dffb905624bd8d9063d35a00a991d7a7f0f97b46eb2N.exe	upx
static1/unpack001/BastianHein Malware samples/tinba/d75216d6201edc170f5bfa9821d4a9e56080d46d04e31a1a9cb74ced59ade32fN.exe	upx

Unsigned PE 289 IoCs

Checks for missing Authenticode signature.

resource
unpack001/BastianHein Malware samples/AgentTesla/06664fb0f86485bcac0d663acb92e1966ec35ea9ecf4ae8c9456a7167cf06823
unpack001/BastianHein Malware samples/AgentTesla/197b8f685fe939f045c8c17c01ab6811d2ad9f47ef63ddc3e667443966c0a005
unpack001/BastianHein Malware samples/AgentTesla/197b8f685fe939f045c8c17c01ab6811d2ad9f47ef63ddc3e667443966c0a005.exe
unpack001/BastianHein Malware samples/AgentTesla/2f83aacc31a29bb50a963b6f49cfe75d0f6f105f9d699571e312c3fd996b1888
unpack001/BastianHein Malware samples/AgentTesla/309c72a0cfc3bd2a848c978921abe215da76dd3aa38f3221d28cb6524c35ba85
unpack003/QUOTATION#008699.exe
unpack001/BastianHein Malware samples/AgentTesla/56a8937692fdf9a9c0b6cc236a9d3297.exe
unpack001/BastianHein Malware samples/AgentTesla/708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe
unpack001/BastianHein Malware samples/AgentTesla/AgentTesla-150f720cd5e58ff58c421398257b42b92318cec613c657825bc585a43db8270b.exe
unpack001/BastianHein Malware samples/AgentTesla/AgentTesla-15ec53cab469f3ee56ebb4bb924e7fd211585d273d2ce77d9fd1dbf7335e6249.exe
unpack001/BastianHein Malware samples/AgentTesla/AgentTesla-3b6632b43aa88d79aa9bdcf19f38f11fd3b0a86915cef4408e390a4d70f068cd.exe
unpack001/BastianHein Malware samples/AgentTesla/AgentTesla-47d4d0c51ec4940172fe3b02f8244547640661b9ba9efda0b7aa8238582a01c7.exe
unpack001/BastianHein Malware samples/AgentTesla/AgentTesla.exe
unpack004/MaterialDesignColors.dll
unpack004/MaterialDesignThemes.Wpf.dll
unpack004/Microsoft.Management.Infrastructure.dll
unpack004/SharpSteam.dll
unpack004/System.Management.Automation.dll
unpack004/UWPHook.exe
unpack004/VDFParser.dll
unpack001/BastianHein Malware samples/AgentTesla/COTIZACIÓN ORDEN DE COMPRA 86352____________________________________________pdf.exe
unpack001/BastianHein Malware samples/AgentTesla/FEBSOA_7645200097.exe
unpack001/BastianHein Malware samples/AgentTesla/INQ No.KP-44-00-PS-PI-INQ-0026.exe
unpack001/BastianHein Malware samples/AgentTesla/Invoice.exe
unpack001/BastianHein Malware samples/AgentTesla/NewOrder568330.GZ.exe
unpack001/BastianHein Malware samples/AgentTesla/ODEME DEKONTU 000887890087889000990000.exe
unpack001/BastianHein Malware samples/AgentTesla/Orden de compra 36530 PI-18789.exe
unpack001/BastianHein Malware samples/AgentTesla/Orden de compra 834290125.exe
unpack001/BastianHein Malware samples/AgentTesla/PO 28737-RM.exe
unpack001/BastianHein Malware samples/AgentTesla/PO-67642.exe
unpack001/BastianHein Malware samples/AgentTesla/PO490102811.exe
unpack001/BastianHein Malware samples/AgentTesla/PU6789000980.bat.exe
unpack001/BastianHein Malware samples/AgentTesla/RFQ_Product_Service Name_Priority_Order_Deadline_This_Week.scr
unpack001/BastianHein Malware samples/AgentTesla/SHIPPINGDOCUMENT.exe
unpack001/BastianHein Malware samples/AgentTesla/a43a6421f9f5f7ac6ce878ceff99e594fadc983275f4f2f464341e5564784c70.exe
unpack001/BastianHein Malware samples/AgentTesla/a5ef1fcb74fc781a1900ae1f6cfc12e410d27e97828be0e55b4e83beb6d35dbd
unpack001/BastianHein Malware samples/AgentTesla/a689d2c7fa2cc3712ff115a0dce0cd90c5d55c92bc87e7f24dcd05ad4a38db63.exe
unpack001/BastianHein Malware samples/AgentTesla/a9811a63013f9a7fc654c88ab730f86187ef992231b230968c6d82a1e5ae5482.exe
unpack001/BastianHein Malware samples/AgentTesla/ac0c869888d9501a709cb33762d8062ecf7139116a4c0dbe07171f2c5a77b96c
unpack005/out.upx
unpack001/BastianHein Malware samples/AgentTesla/ad269d354d181fb136d667589d1df4f9402585070c6385afad354fcb204bbabe.exe
unpack001/BastianHein Malware samples/AgentTesla/doc02902501025.exe
unpack001/BastianHein Malware samples/AgentTesla/e36d729fa02b3afcd3c60faf4e223ded54941dbc10c71cdd85fa9b202f05c4bb.exe
unpack001/BastianHein Malware samples/AgentTesla/ea182b46e91f32537a6220caf8c6afab856db2a1f54ff078d2505fce84886317
unpack001/BastianHein Malware samples/AgentTesla/shipment documents 0009405950609000799700000.exe
unpack001/BastianHein Malware samples/AsyncRAT/AsyncRAT-0e1c49b6f18f737c17423eed597f37bab695ef39a605c4273757e6f00438e14b.exe
unpack001/BastianHein Malware samples/AsyncRAT/AsyncRAT-1bc071f4c896be8efa58f95700af9335d7fe356a49356be84cbd28bf205a9959.exe
unpack001/BastianHein Malware samples/AsyncRAT/AsyncRAT-ebdd545410d74a5b7d323f4742f7bc9f056d3e5a00ce72095fc6f475bba0723a.exe
unpack001/BastianHein Malware samples/AsyncRAT/AsyncRAT-f51ead138a3878cf9583205d32a173a3a2aba042da75fa87f6e0c4dd7b4504a9.exe
unpack001/BastianHein Malware samples/AzoRult/3a4a38ed839a1f73825b8456fc1efa73a65a7af25ba3513472d05cfac5ecef78.exe
unpack001/BastianHein Malware samples/BlackGuard/f47db48129530cf19f3c42f0c9f38ce1915f403469483661999dc2b19e12650b
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-20_07bc98d5c9bd592d763109b1d8c6b93c_cobalt-strike_cobaltstrike_poet-rat
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_0b786960662ee07f2283af45c9f333a3_cobalt-strike_cobaltstrike_poet-rat
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_1bc77af5cda61769d36985b36b813e8f_cobalt-strike_cobaltstrike_poet-rat
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_3bc05a287de51e1cfe5d51ab73e3042f_cobalt-strike_cobaltstrike_poet-rat
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_747627c33118f775c37ca927a1cd671d_cobalt-strike_cobaltstrike_poet-rat
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_98c1e0ec4dc2b7c0eb37ac383bbd8ae0_cobalt-strike_cobaltstrike_poet-rat
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_e3547c7a0790c549109ce0abb2839b80_cobalt-strike_cobaltstrike_poet-rat
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_e4ee45b3511305ada6d78e651eb3e03d_cobalt-strike_cobaltstrike_poet-rat
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-23_f02e8c800922ad581bd49db9053c5ad4_cobalt-strike_cobaltstrike_poet-rat
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-25_c8ca6508ae4f1a87d47b8a531f3daa35_cobalt-strike_ryuk
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-25_e12131df52f9767d151b87d429e7091d_cobalt-strike_cobaltstrike_poet-rat.exe
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-27_56f77a2a3a97469c694f466c81c7dc0f_cobalt-strike_cobaltstrike_poet-rat.exe
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-27_8fe7246cad8c25f7be284ceb1638f8d1_cobalt-strike_cobaltstrike_poet-rat.exe
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-27_c4c3e600067a77381eb7ee3ea84df4a2_cobalt-strike_cobaltstrike_poet-rat.exe
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-27_c81f31bdddc564f059c63088074fea6d_cobalt-strike_cobaltstrike_poet-rat
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-28_df939c4cef1865d9ab2573984d14b444_cobalt-strike_cobaltstrike_poet-rat.exe
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_23324854d7a957ed61b0d1e9c8d3787d_cobalt-strike_cobaltstrike_poet-rat.exe
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_4ef9d670f043c1bbf5847b79e6990201_cobalt-strike_cobaltstrike_poet-rat.exe
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_5dddc97aa8de9118d357945b407b9cdf_cobalt-strike_cobaltstrike_poet-rat.exe
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_8db813fda6e07735cc26f178a165ddae_cobalt-strike_cobaltstrike_poet-rat.exe
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-29_94e7b6e64fbd2db94cf600eabdb90c66_cobalt-strike_cobaltstrike_poet-rat.exe
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-30_82bb28ed6217161f2dc8d9dcc825484b_cobalt-strike_cobaltstrike_poet-rat.exe
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-30_8608d0f5072ffd3f75b4b6ffc0f86f28_cobalt-strike_cobaltstrike_poet-rat.exe
unpack001/BastianHein Malware samples/Cobaltstrike/2025-01-30_b0baaa3b72d0580dc23840131ff41985_cobalt-strike_cobaltstrike_poet-rat.exe
unpack001/BastianHein Malware samples/Cobaltstrike/2025-02-01_432095b88894c4d3bb99c6a90403429b_cobalt-strike_cobaltstrike_poet-rat.exe
unpack001/BastianHein Malware samples/Cobaltstrike/2025-02-04_0ee70892c83663e033ee9bd29d5b0fff_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
unpack001/BastianHein Malware samples/Cobaltstrike/2025-02-04_1f6236cf265f053f7dd5d9a6db70d8c7_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
unpack001/BastianHein Malware samples/Cobaltstrike/5d3c35291437efc8eb055aabf2d049992397f9c3016e33b0e2524f9ac35f847b
unpack001/BastianHein Malware samples/Cobaltstrike/a4ce886d170153cfb5b8d74ad0186d9966e32e5408e3bd3e940717fc16c6810f
unpack001/BastianHein Malware samples/Cobaltstrike/d2695ffe116958dca9625d2bc5a67d136ed12a0a267dafd05810a22384c1a866.exe
unpack001/BastianHein Malware samples/DcRat/AIMWARE CRACK 1.3.2.exe
unpack001/BastianHein Malware samples/DcRat/DarkCristalRAT-72f0a6f04fa93d4749d2ddd68d24c8323e0832341b278add88b8716e245c3a1b.exe
unpack001/BastianHein Malware samples/DcRat/DarkCristalRAT-7f435bef5663b3d191b82230b2c96d50cdd1d5aec7b516dd0152ff8f2f8a0667.exe
unpack001/BastianHein Malware samples/DcRat/HEUR.Trojan-Spy.MSIL.Stealer.gen-40603df340cee8c3d00939469470a28acbf64401ec12d32ba68fe54e7f04c6d4.exe
unpack001/BastianHein Malware samples/DcRat/mega porno.exe
unpack001/BastianHein Malware samples/DcRat/zapret.exe
unpack001/BastianHein Malware samples/DiscordRat/16e0775352021a90c3dec5a4d75d5db0b444ed8cae060fccdb86fde2080bdc82.exe
unpack001/BastianHein Malware samples/DiscordRat/Nixware Loader.exe
unpack001/BastianHein Malware samples/DiscordRat/WzAio.exe
unpack001/BastianHein Malware samples/DiscordRat/Zedfilter.exe
unpack001/BastianHein Malware samples/DiscordRat/seba.exe
unpack001/BastianHein Malware samples/Dridex/0e0d4494780c9010ece88f39f65bfbfcb13236e1652f7fe41e9c84a5b16583a5N.exe
unpack001/BastianHein Malware samples/Dridex/123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff.exe
unpack001/BastianHein Malware samples/Dridex/138cd54735f5ce4b638c5bb68c9e0bf5776cf81d776e46592ef10a9bc58b0277.exe
unpack001/BastianHein Malware samples/Gcleaner/1ada4287ce3b32605a713ee1c2d77ffe06f3b1309c2022f6eee4d2047177e2d6
unpack001/BastianHein Malware samples/GravityRat/2025-02-02_3349e5b5a57a12b60f96529f8a2fdb57_poet-rat_snatch.exe
unpack001/BastianHein Malware samples/LummaStealer/1ffd04c4a58b2294203e7c08225ab9c921b3afa8944d65ada62795789d6f5d4e
unpack001/BastianHein Malware samples/LummaStealer/2025-01-31_df1e3d66392952a819b4be0b09668315_frostygoop_poet-rat_snatch.exe
unpack001/BastianHein Malware samples/LummaStealer/LummaC2-40_2025-01-24_18-38.exe
unpack001/BastianHein Malware samples/MetaSploit/JaffaCakes118_679fb6c69999038d8ba7c11ac9ea88ce
unpack001/BastianHein Malware samples/NjRat/Camage.exe
unpack001/BastianHein Malware samples/Ransomware/2025-01-27_0b85d9244eec7abe32681316ef673c11_virlock.exe
unpack001/BastianHein Malware samples/Ransomware/7182b75194b976c5aa46654baca5c2736309a9ee6108d76c6fe10a171083d6db.exe
unpack001/BastianHein Malware samples/Ransomware/7cd7c04c62d2a8b4697ceebbe7dd95c910d687e4a6989c1d839117e55c1cafd7.exe
unpack001/BastianHein Malware samples/Ransomware/8b60d946a1e6e850db92da6e21a39fbf182c660c9c089d48b1d547f24b4abc36.exe
unpack001/BastianHein Malware samples/Ransomware/fed4bc35216d2788c03c47bbcb71aa99a2714ab803999066df98eb52a2fd1057N.exe
unpack001/BastianHein Malware samples/RedLineStealer/33933960a12c42cfc5240325d9cb332b6f609ebeafa257f3fa7603cd82436552.exe
unpack001/BastianHein Malware samples/RedLineStealer/8e10fe5a2aeb3e337b184bfbb2c8ef2f256115c287ba664523ff91eb9181f56c.dll.exe
unpack001/BastianHein Malware samples/RedLineStealer/Fortnitevbucks.exe
unpack001/BastianHein Malware samples/RedLineStealer/GodsFxckTools1.3.exe
unpack001/BastianHein Malware samples/RemcosRat/1218876bc6c34ebcc73be253436e4a48e83c36ddc71b35cc10265073adce380c
unpack001/BastianHein Malware samples/RemcosRat/1738015563919361d039476f160f7ec710cd59ae63288c5e3374a8a01175bfa08f734a7436492.dat-decoded.exe
unpack001/BastianHein Malware samples/RemcosRat/2025-01-25_8bb245bdfd9248935b898fdc750244cd_avoslocker_luca-stealer.exe
unpack001/BastianHein Malware samples/RemcosRat/2c9e0f36dceb0c4a806dc23512747ee70a487fce3ad4a38474ea31f321e0f438.exe
unpack001/BastianHein Malware samples/RemcosRat/38052ddd9c64e44bd2631ae021c1e973bed0ddfc8be6c3b2714011647c551d53.exe
unpack001/BastianHein Malware samples/RemcosRat/Vendor Questionnaire and EOI.exe
unpack001/BastianHein Malware samples/RemcosRat/completed payment Swift.exe
unpack001/BastianHein Malware samples/RemcosRat/payments.exe
unpack001/BastianHein Malware samples/RemcosRat/remcos_a_encrypted_decrypted.exe
unpack001/BastianHein Malware samples/Ryuk/2024-12-17_67164c4680d767fcc5dbe48c3586444c_luca-stealer_ryuk
unpack001/BastianHein Malware samples/SmokeLoader/004d58bf34da683aacf652abc4bf89317d4f0333b0aa0f134b257c4cc95fbcfa.exe
unpack001/BastianHein Malware samples/SmokeLoader/8ba0b30450c0c8e065f665ef3a8c1181b5d669480964211a89a20c42e87af1d0
unpack001/BastianHein Malware samples/SmokeLoader/d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158.exe
unpack001/BastianHein Malware samples/SnakeKeyLogger/16a43aa836bfc334a9c67a4a6cbd25aa461b9332b7dbc5271afd75119c2a3521.exe
unpack001/BastianHein Malware samples/SnakeKeyLogger/35c15f0e2e558228afbff51b637bfd6e206c0d388a9296590b08d0b64bc6297a.exe
unpack001/BastianHein Malware samples/SnakeKeyLogger/Updated Price List for 2025 Business Year.exe
unpack001/BastianHein Malware samples/SnakeKeyLogger/b8f672498d679dcb998685dcc8fcb5251d5a2dd45bd53636f76e6ee422d9b161.exe
unpack001/BastianHein Malware samples/StealC/90208d9829610c65880196d3e28539b95394639d9b2c6a86c57d6f54d8962e60
unpack001/BastianHein Malware samples/StealC/bba4cd97ea9a1dbe8b1bb1dc19474a22c4f3427ff8ae695f64e93af58ce16eaa
unpack001/BastianHein Malware samples/VipKeyLogger/ODEME.01.28.202557KB.exe
unpack001/BastianHein Malware samples/XMRIG/2025-01-30_bc04d3d67bd15341a38cc82816740acd_cobalt-strike_polyvice_xmrig
unpack001/BastianHein Malware samples/XMRIG/adivina.exe
unpack001/BastianHein Malware samples/XwormRAT/XwormRAT-0bc94f9af6482d43ef7a579986827a1d5dd54236.exe
unpack001/BastianHein Malware samples/XwormRAT/XwormRAT-38944e7579d5fcd2263e7212954619c496d4ff087360b8db6e190e1bdf5358ce.exe
unpack001/BastianHein Malware samples/XwormRAT/XwormRAT-4f7c6539db5778bc0fb3980846786a8d08ff96989d3692e9cb09016a647bbcdb.exe
unpack001/BastianHein Malware samples/XwormRAT/XwormRAT-6ffec2e3e08096b1a19ed5cbb931590c3b0c2c5fef87c2f221bdf00099736fe1.exe
unpack001/BastianHein Malware samples/XwormRAT/XwormRAT-760a3b7f4efe07c216e3a317f04ddc0f1e3f89c48997503bde708cff81fad7ad.exe
unpack001/BastianHein Malware samples/XwormRAT/XwormRAT-ffc9cbd3d4b61402ddbbb7596e5929a1c0952a0fe35a4537cdca8bc6a65d7c37.exe
unpack001/BastianHein Malware samples/berbew/049a809c1c5e53d2d2a267937d86dadf91fd64ccc63920df3b358d5341dd10b1.exe
unpack001/BastianHein Malware samples/berbew/06874f91f3b93d937f680f71dfe3de140b93cf5e1309f6f4bcb46b82ff0ac62d
unpack001/BastianHein Malware samples/berbew/06ef6e2ffa0fdffb2ea1087200d5e283c94d06e98877543a3f45e30f0b02c933N.exe
unpack001/BastianHein Malware samples/berbew/06f2cd69693cc7ba8860a0a0e77c2bf0158638a180d5e3100cb3a7f7bbdc8904
unpack001/BastianHein Malware samples/berbew/0b553552b81d4a48baafaf4faaea37c60aedaeae9eeea0a0af4dc4430023cb50
unpack001/BastianHein Malware samples/berbew/0b8b510151a5276d1edac7940a4ddd386712e529904e269b522da80a8df205b2.exe
unpack001/BastianHein Malware samples/berbew/0bb217915a9029f0822f5c7c34b0097c6c735443b748f0e3ef6ccde7b756f4fc.exe
unpack001/BastianHein Malware samples/berbew/0bfd26288e3ac10b73349743bdba9758b4ce36b075b4e9c4252d4610a891a2eb.exe
unpack001/BastianHein Malware samples/berbew/0c3642c76401c11eae68361a8b5e92cf1810e82bce89eedee3aa8898b9b79e17.exe
unpack001/BastianHein Malware samples/berbew/0c4beb54f98c1c500de52c7f5295355648a76769e5124d3a85966cd869c7a947.exe
unpack001/BastianHein Malware samples/berbew/0d19f4f35171417d64abeab367f4e2db102e1e1b7f0b3369ea7e5d873f32f234
unpack001/BastianHein Malware samples/berbew/0d2d116a3642b6caf7c716e54551aba54c69d4d4c8449b9854b229502dd9adce
unpack001/BastianHein Malware samples/berbew/0dfe0718e47a54219e8315af90b9c0144faea5724016a67505218045e037ed3c
unpack001/BastianHein Malware samples/berbew/0e28a80c7e7e014ea2f12d0ac7b9759a7337f8c2717fc827ed9be7c4ad56024a.exe
unpack001/BastianHein Malware samples/berbew/13d885ffe6d92bbcd2a8aa655b1ff528df12a0c42958e4ccc6030cc601208e3e.exe
unpack001/BastianHein Malware samples/berbew/1b825081afb73860c0dd018d14788183ea23907f8a2e43eb26a25431b1167fbeN.exe
unpack001/BastianHein Malware samples/berbew/3fa253556b56edc736f40c14a791de12ac0b489ed0b15463ccf29608148d5a53N.exe
unpack001/BastianHein Malware samples/berbew/45892b76358de15a286a8095419bf22eb39787018e83deac8772d4fec8c5b7afN.exe
unpack001/BastianHein Malware samples/berbew/5a2ea52f812a17e0376c7c5236b44992c55d55257a97b1af99a0909094db39a0
unpack001/BastianHein Malware samples/berbew/6c13e929927013ada99437d81eb7a8ce.exe
unpack001/BastianHein Malware samples/berbew/6eec2ad6647ca277576cd2ec606bb948a70fad1f9da1f75cc106b039d92c5fb9.exe
unpack001/BastianHein Malware samples/berbew/8384367e4d16496e3ae32a611a271e1647bb2c4d8b64b25d84fff290b02d080e.exe
unpack001/BastianHein Malware samples/berbew/89adf30332271727c270458e062204ded7a1e192ea6c2a23e0549c2974a4ca82N.exe
unpack001/BastianHein Malware samples/berbew/9690762cb106ae66e3318eff75d1b40fe5699408d02f6a97d6679fc554cbab52.exe
unpack001/BastianHein Malware samples/berbew/9dad2cc0de2d90404a457d9298fd1a66a8bcd38667e124442cd2ea75a60b2f7dN.exe
unpack001/BastianHein Malware samples/berbew/ac96e79727fd5b19e0aad939d1616f7ac35b9bb63c279563feefe55a68174138N.exe
unpack001/BastianHein Malware samples/berbew/b2f30da91885af6a2d178e18304a4cd6e0635689074590ce68b2f065f49d8c5fN.exe
unpack001/BastianHein Malware samples/berbew/c2467140be88d84e53b2e94257955ecf4c15ac048eb0ee671add10b921877cf7.exe
unpack001/BastianHein Malware samples/berbew/e9b8c2f4799b1f5cf8014afabcb7325fea2dcf5f5d0d46af1166151727742e84.exe
unpack001/BastianHein Malware samples/berbew/e9bb0e6d7aa1368285df7658cb892d6f20a1bc7716baeae15fe4f0570a212685N.exe
unpack001/BastianHein Malware samples/berbew/ffed0b49c573e6a4c62f94df29b198b348c9a847d0cd84f03465e74e0543d8a8.exe
unpack001/BastianHein Malware samples/blackmoon/06b6063b216ecc1865b786a82c00f630302fc31fedf834c136ca000a61b872d0.exe
unpack001/BastianHein Malware samples/blackmoon/0aae46a9cf0b487605e3e4f1fe5785d6d59b5a8c523d949bd0e7aa2679f3e866
unpack001/BastianHein Malware samples/blackmoon/0ae46f38474a45b01cb872afee8fba36a8434e8e4841ad9d47b6244a731ea94c.exe
unpack001/BastianHein Malware samples/blackmoon/2025-01-28_35490cab569419795dfb2018f9a17976_icedid_xiaobaminer.exe
unpack001/BastianHein Malware samples/blackmoon/2025-01-28_4a7df03a574c6271c839684f540a7a4d_icedid_xiaobaminer.exe
unpack001/BastianHein Malware samples/blackmoon/2025-01-29_69b41cf98c265e6dcc00161fd0f300c0_icedid_xmrig.exe
unpack001/BastianHein Malware samples/blackmoon/21f0dfe59dc34878ad7833b71132aecd4db3bdb6001d06863ac5e662435ad420.exe
unpack001/BastianHein Malware samples/blackmoon/38803273f78fddff5d8a05f62926f3f557f58ea1455658864d54425a75d88398N.exe
unpack001/BastianHein Malware samples/blackmoon/3c38484012098f618aeee76ffb6fdd4bc37a03cbfa0b24c2e35a634b6a789516.exe
unpack001/BastianHein Malware samples/blackmoon/3ce66a1fbd937f66e09dd930ff9810085df5c2cfcbf73b7222e2fd72e375be79.exe
unpack001/BastianHein Malware samples/blackmoon/4615496d4e7df4170805f0b7a79adaf5.exe
unpack001/BastianHein Malware samples/blackmoon/4f86220b8e25e6be7b9227b38dc84d74.exe
unpack001/BastianHein Malware samples/blackmoon/52d15941e802177643ad69635bcb4cb98279cc50c0094eb6c4c906813f2a35cf.exe
unpack001/BastianHein Malware samples/blackmoon/647f0959a8d2dda683e7f247068f8090dcd8958d255d36bcea55b4f09d493c06.exe
unpack001/BastianHein Malware samples/blackmoon/7557555463f2aea8f9500cb65dc35ca20c59ac0742beda6494240e993d8d0549.exe
unpack001/BastianHein Malware samples/blackmoon/758172e802c500fcce2a9d66c729341022ced17627524b5a19b4e4b67871b34f.exe
unpack001/BastianHein Malware samples/blackmoon/79272f405999d6971d9a6b4cf6c497990988db06c74b31550f93e8dfeb1b35b4.exe
unpack001/BastianHein Malware samples/blackmoon/7cbe384f2bb818d7cd52193df8057b70642aa33887722e459a89edce6f2e1d3aN.exe
unpack001/BastianHein Malware samples/blackmoon/865a86014e8dfcee36bd075f93878b302343b1e85a9f94e9342259daeddc55ca.exe
unpack001/BastianHein Malware samples/blackmoon/9d2b3a2393486c144d86fe2a7e3d7d391fa6edac393b383b056c0194283b28e1N.exe
unpack001/BastianHein Malware samples/blackmoon/ae9e31e6e4e5390c99aca9898960a0fa8f4f67bb6cad3b5b25a7ed397639545b.exe
unpack001/BastianHein Malware samples/blackmoon/b5a9af06923518ef67d61ecb5aefe586360ab8a8f2c9230729e21cae65455c70.exe
unpack001/BastianHein Malware samples/blackmoon/bef267458b28aaa912120a4f42da4308f71f4aab0f236d634ffd2f47c9147d53.exe
unpack001/BastianHein Malware samples/blackmoon/cee04887f82b4ad4c27e7b237d34bd4251c9cf5c1344aee179e904a4c877ed42.exe
unpack001/BastianHein Malware samples/blackmoon/d9e640f73a96f69c8de36c6dfbcb6153f891ca72dd1cdbf85e83bed3d11fd132.exe
unpack001/BastianHein Malware samples/blackmoon/f00a9ad47c668be84e718d75bad6fab553221c1272276b6548785102898ea6c4N.exe
unpack001/BastianHein Malware samples/blackmoon/f00c41e45afaa99e16104e6c78dc3f6d6c593240fc93c76a75f57f5483c62970.exe
unpack001/BastianHein Malware samples/darkcomet/3db2660d7cffcb682ce00e0bde927517.exe
unpack001/BastianHein Malware samples/darkcomet/3e84c4c586e9ffb493a92f1c040ad576.exe
unpack001/BastianHein Malware samples/darkcomet/432239af3b4ba67d938ffc6bfb22956e.exe
unpack001/BastianHein Malware samples/darkcomet/6c25921d6c5ef5bb788d2f2ab7dcda29.exe
unpack001/BastianHein Malware samples/darkcomet/6ed9ff5400c6d67dd68f7bdbb5842e72.exe
unpack001/BastianHein Malware samples/emotet/2025-01-24_d8eb33b79f6ce4c816ee223e302def1f_icedid.exe
unpack001/BastianHein Malware samples/emotet/7e4f5b16ee4b4eae020cb097a515f827985bdeba25b0acfcc5fbc181ecaab888
unpack001/BastianHein Malware samples/emotet/ISmm7Q94U.dll
unpack001/BastianHein Malware samples/formbook/2656-25-0x0000000000400000-0x000000000042F000-memory.exe
unpack001/BastianHein Malware samples/formbook/42a78ab84a5fc43e1b379a2968a32f272492c860f0602649d25374d521b4b83c.exe
unpack001/BastianHein Malware samples/formbook/5a5ecb542145e7b9cc78d7f3d55a3b5d5183b8c5e7fb604c35085485127de7f4.exe
unpack001/BastianHein Malware samples/formbook/6f706398207b1fd3a00de5f859dc840cf8e100175fdabe260ebb96db5980f03c.exe
unpack001/BastianHein Malware samples/formbook/94fbf90615b1baf84da26854c9c7b72115eaa12eb8392d898c7689f433980120.exe
unpack001/BastianHein Malware samples/formbook/FormBook-34517e69384b6b82ef9411783dc2683d6d7ae0f4b298370dd3b489f9ccd817fa.exe
unpack001/BastianHein Malware samples/formbook/MtpEVOhIlX08ZbN.exe
unpack001/BastianHein Malware samples/formbook/Payment 013125.exe
unpack001/BastianHein Malware samples/formbook/ordre de virement..exe
unpack001/BastianHein Malware samples/revengeRat/4cce13ad0d0f35ef0fe324ddebb0f7d567611c407c0c0029419d73c049d4e6d8N.exe
unpack001/BastianHein Malware samples/revengeRat/4ee0ec29adfa239c36143e772654ba2fc40cdbc15e3452e44e5148fdd96327da.exe
unpack001/BastianHein Malware samples/revengeRat/58da7a4ad635828299caaea5812fa8bf.exe
unpack001/BastianHein Malware samples/spyware/1b93af61e6c7d2cbd71023f51c477ccbabf98f6d58ed4686e229e5fb8242fdcaN.exe
unpack001/BastianHein Malware samples/spyware/2025-01-25_ce88baef569a991be221f3078c5309d6_virlock
unpack001/BastianHein Malware samples/spyware/21178fd1cb20560b93cfdce1c04d98305bf162ad2e22a0350d5056d23af6ae9cN.exe
unpack001/BastianHein Malware samples/spyware/2e554fb62d19f66f5f5d1457ba5f468e.exe
unpack001/BastianHein Malware samples/spyware/3ff9f11f8f4ddcc7a2a2abfd5efd6e9e2f7c195036f841205f06f6cc4f69c020.exe
unpack001/BastianHein Malware samples/spyware/f8248bdd73d9a6cd4b0e15323803cc611e9ca2bf42b7b413c78cc811da07284bN.exe
unpack001/BastianHein Malware samples/spyware/fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
unpack001/BastianHein Malware samples/tinba/00780717a0350d74c06b227f236f6826c4b53c19ca7e1a99187c6c11dd905fa9N.exe
unpack001/BastianHein Malware samples/tinba/0c81de86734b9572a69818e7a3ebb50cacc4c460d676b5cf0f42b2647cfc7959.exe
unpack001/BastianHein Malware samples/tinba/13c56dbd6fc67255336e251cfa23944f5cbb31fb35d91ab470e69ec3b1e0128bN.exe
unpack001/BastianHein Malware samples/tinba/1bb50e315211c0cb82c9ae5e8f8219591c6270bebcffce97cd7c68bf7d41bd53N.exe
unpack001/BastianHein Malware samples/tinba/203fa5b045bcc12dfe50844639897dea253bbbc19a0480d10e6f73eac37323d8N.exe
unpack001/BastianHein Malware samples/tinba/23448590187355c378a032145a230f65fddb9b7a8e47b2d27232b1334f93ee0eN.exe
unpack001/BastianHein Malware samples/tinba/2f5f9c9f15797c49d14d61b9cbb83270333ec1a357c10d37ccc55d7ee7d1530aN.exe
unpack001/BastianHein Malware samples/tinba/33c3d0c4847980dc79536ef491e596c6365d75d736bf8aabb814f995f6deb6f8.exe
unpack001/BastianHein Malware samples/tinba/3812c78639561f390c5830a0c3626d17456969e1a2998bdd4931617ca566aa1bN.exe
unpack001/BastianHein Malware samples/tinba/38a2f2d0fbb26e1f2ab109d4779cd31e79244298a6ceb83bf483a0268dc8e355N.exe
unpack001/BastianHein Malware samples/tinba/3d31b34ad1ae466cb169d16c8fe3d4a0f3291aa58222adc35cd74460cb99630a.exe
unpack001/BastianHein Malware samples/tinba/45ce9ba083c60e0f2380813fe568227101f324a85a6bad76a1687aeb1fdf89c2.exe
unpack001/BastianHein Malware samples/tinba/45e3c909bef1c474eb68b11b1387be21c378d0d6caea8a3420ff8cf8306507c5.exe
unpack001/BastianHein Malware samples/tinba/49616b669ede0d88f952af00531ebec3351414ff965dfeff5b0964b4ac838049N.exe
unpack001/BastianHein Malware samples/tinba/4ed83478f1cd128443282f0735c777a0c2dae6513e1d9695891f83040f346818.exe
unpack001/BastianHein Malware samples/tinba/564c64019c65c26232b2f26af788d03d8f23391bce41b190005c89d3c1c49b3e.exe
unpack001/BastianHein Malware samples/tinba/577051e5764910b6f18d528013165a720356112dd338698280a76e7b2a6e24d1.exe
unpack001/BastianHein Malware samples/tinba/5a3e3f8b66b307f9fcc4ef8e6a68d3fd8e416b3716cfd5f6c0893a33b5169765N.exe
unpack001/BastianHein Malware samples/tinba/5b2930f1c0cc9a040aee1c14eb6fa61072cc45d881994ed2975f6fd2354d8dde.exe
unpack001/BastianHein Malware samples/tinba/65a67b7e0bd34ae4c1de6de8b3c6c3db7c09ae526af4914bb012f13abf927d26.exe
unpack001/BastianHein Malware samples/tinba/694decb30226b8e3da044ce0ad963bbeff1af9af4a94c0527a954de6cbd08da6
unpack001/BastianHein Malware samples/tinba/6b44063e2d46431859f99c03a54b4dedbab16814167019571dc7762159af4024N.exe
unpack001/BastianHein Malware samples/tinba/7087bf238addbd8ada881d9014fa1313e3286c3f24080400ad1560b4fbef52e1.exe
unpack001/BastianHein Malware samples/tinba/7087bf238addbd8ada881d9014fa1313e3286c3f24080400ad1560b4fbef52e1N.exe
unpack001/BastianHein Malware samples/tinba/73deb6fc408b72da99cd831db55a06a92230c6f834e3cf31fd8854bd6b93d68c
unpack001/BastianHein Malware samples/tinba/762984acc17f00c41045116b954ea047c665c391f0326101d46b640022037dd4.exe
unpack001/BastianHein Malware samples/tinba/7a9e50aefbe2bc256300765624aa7bd7e54b63061989f4a219c3111817be994f.exe
unpack001/BastianHein Malware samples/tinba/88b28712851de70e68340527f01f8b108160b3ecb411a2fd232e15d2c9e19b37.exe
unpack001/BastianHein Malware samples/tinba/8c42f7d05da923d9e5ddf7ba268e421634a229b332c037b6cd6a1e81d7d58b6e.exe
unpack001/BastianHein Malware samples/tinba/9071909cfd852693300404833275c708c789f1bc2d3588d2121c159ff1b479c0.exe
unpack001/BastianHein Malware samples/tinba/919ebd053037624564b29179ef6e0f58bd29ff9bffb98fe76856380266039ed6N.exe
unpack001/BastianHein Malware samples/tinba/98c895f9acf465a671d1dbaa13318b60060d37ae16481da3a6a9e483cb2b05ad.exe
unpack001/BastianHein Malware samples/tinba/b97c1992b1a0dbbc8cb79dffb905624bd8d9063d35a00a991d7a7f0f97b46eb2N.exe
unpack001/BastianHein Malware samples/tinba/bd28276fd9ef4bddb3075cdf8453aed9f78da4e2713d5078bb001919f25919e8.exe
unpack001/BastianHein Malware samples/tinba/c369cd31391c53e2eab7ca06d7d24e738073e221f3a1729c685a4a5fb1f564d9N.exe
unpack001/BastianHein Malware samples/tinba/c92607f14e44bb1f32adc2ed3bc1946dd2f61f7438438bf81d2e6dbe1712711d.exe
unpack001/BastianHein Malware samples/tinba/d2aa0f3e94249814cc9df7ce269e58036b8385efb86e1549e4636d2cbda29e7dN.exe
unpack001/BastianHein Malware samples/tinba/d6bb21a00f146abeff3310c98c7fad1437b34de59e2bbd5c0bf2a08c2fff9081.exe
unpack001/BastianHein Malware samples/tinba/d75216d6201edc170f5bfa9821d4a9e56080d46d04e31a1a9cb74ced59ade32fN.exe
unpack001/BastianHein Malware samples/tinba/ed02cb9e1685ac20241c4136ec13613c89449d7f966712a5904d0938df518915N.exe
unpack001/BastianHein Malware samples/tinba/f12b6dd2ea07de530f5f139dd06f33a5a57eed25db16fc06e8381190b2f295fd.exe
unpack001/BastianHein Malware samples/tinba/ff72623ff0898ab1ffae60e39ca079b01fb32a2be47eadeab57ea2c09cf80d7cN.exe
unpack001/BastianHein Malware samples/unclasified/0d3cbacb3e2d1d41f1325b6486ccafa6077e4d103865f41e85238e6219147d1aN.exe
unpack001/BastianHein Malware samples/unclasified/2025-01-25_775116ad03f7df6217efcca6c2b01c7e_cryptolocker.exe
unpack001/BastianHein Malware samples/unclasified/2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
unpack001/BastianHein Malware samples/unclasified/24080bbd2f63473948d09f51599129896c653f1ce8d18bf853f7696a3584195aN.exe
unpack001/BastianHein Malware samples/unclasified/25424b7e87163d21592ce14693a696536c7cd46a9abd7cc3fee2f0fa8eb727c0N.exe
unpack001/BastianHein Malware samples/unclasified/282e810fd41b17ea190083e50f76072fe561baeddec0c5bb082b4ba8ceb8c4fc.exe
unpack001/BastianHein Malware samples/unclasified/2cc9184002eac33ce183b8e6647ee7f4.exe.exe
unpack001/BastianHein Malware samples/unclasified/2e421206cea5dc3d51ccd136f55c3ccb.exe
unpack001/BastianHein Malware samples/unclasified/2e4c41fd9d7e488099334eb29a6a129ad8baf81e40fa70def98c98963fc6782cN.exe
unpack001/BastianHein Malware samples/unclasified/38766f28fc038dd0ac0aef4aafed48cc.exe
unpack001/BastianHein Malware samples/unclasified/493a0d2e26985360ef89cf7f29a7e45ba4f2f0ff.exe
unpack001/BastianHein Malware samples/unclasified/4a645db21820664f4f3d9d23f2967d790180a7e027ac7d13c865042ed48085b4.exe
unpack001/BastianHein Malware samples/unclasified/626ba566046f09c91dde566ce4e5f594ccd136b5db37f598407b73c28a628b4a.exe
unpack001/BastianHein Malware samples/unclasified/6939e5538a525c245cab0a90a55eeb824c4599f6c6b9318dd52cb83dca3d4ffd
unpack001/BastianHein Malware samples/unclasified/754f642b7beff1d880f464a94ddbabba8ed3a8a20be9aa173d54f4b5f2def77a
unpack001/BastianHein Malware samples/unclasified/832e6b92829719243bfed205d197fcedf7212ffd25247c1f6e024a84e220598f.exe
unpack001/BastianHein Malware samples/unclasified/8670dfa9adc5e7fb564d9053b142fcf95a3250c60a037e91186f4147d3e99793
unpack001/BastianHein Malware samples/unclasified/912edd7714e8e1f86fbe1cbf1614929dfaf2bf69ec7f29c7b18e84e2b81149e1N.exe
unpack001/BastianHein Malware samples/unclasified/FluxusB.exe
unpack001/BastianHein Malware samples/unclasified/a236d1d48df7c0818ada17aa0a13bc7840e6d375ff2ebd8e2cd134aa66723b6b.exe
unpack001/BastianHein Malware samples/unclasified/d2d5be7fa6010b6e5769864823dc8ed1ea253cab28ac506c2527dda658eedf82.exe
unpack001/BastianHein Malware samples/unclasified/d840b1492c71258a40c6ed9e9041b017cf05bee98093c343e56f3e00e5f6965bN.exe
unpack001/BastianHein Malware samples/unclasified/e34e6b097e4bcb66a6919057de46185303f55d3aaa33269889d601a1161157aaN.exe

Files

BastianHein Malware samples.zip
.zip
BastianHein Malware samples/._Process killer.exe
BastianHein Malware samples/AgentTesla/06664fb0f86485bcac0d663acb92e1966ec35ea9ecf4ae8c9456a7167cf06823
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 339KB - Virtual size: 339KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/197b8f685fe939f045c8c17c01ab6811d2ad9f47ef63ddc3e667443966c0a005
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 213KB - Virtual size: 213KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/197b8f685fe939f045c8c17c01ab6811d2ad9f47ef63ddc3e667443966c0a005.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 213KB - Virtual size: 213KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/1f4c54d2e88831db0ece02e0ddd45d37743ccc634f729164048344ccabb378b5
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:1a:34:0f:78:d7:d0:00:e0:89:fd:ba:ad:65:22:df
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

03/11/2023, 00:00

Not After

04/11/2025, 23:59

Subject

SERIALNUMBER=2748129,CN=Adobe Inc.,OU=Acrobat DC,O=Adobe Inc.,L=San Jose,ST=ca,C=US,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#130844656c6177617265,1.3.6.1.4.1.311.60.2.1.3=#13025553

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0b:ae:66:bc:5a:ba:7f:95:87:c6:f9:e9:04:e3:33:04
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

26/09/2024, 00:00

Not After

25/11/2035, 23:59

Subject

CN=DigiCert Timestamp 2024,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c3:8f:d7:cb:0a:b4:72:fb:e4:b7:cd:22:8a:2f:48:9f:56:2f:72:32:03:f4:bf:66:28:44:34:1b:84:fb:a9:b4
Signer

Actual PE Digest

c3:8f:d7:cb:0a:b4:72:fb:e4:b7:cd:22:8a:2f:48:9f:56:2f:72:32:03:f4:bf:66:28:44:34:1b:84:fb:a9:b4

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 363KB - Virtual size: 363KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/2f83aacc31a29bb50a963b6f49cfe75d0f6f105f9d699571e312c3fd996b1888
.exe windows:4 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 637KB - Virtual size: 636KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/309c72a0cfc3bd2a848c978921abe215da76dd3aa38f3221d28cb6524c35ba85
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 514KB - Virtual size: 513KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 56KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 105KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 103KB - Virtual size: 102KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/31012025_0115_QUOTATION008699.exe
.iso
out.iso
.iso
QUOTATION#008699.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 386KB - Virtual size: 385KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/31c25e01cbaaeadccfa1321680bbfd51c17b876859be87fff22b2db8ee1e117c.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Code Sign

4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

19/01/2010, 00:00

Not After

18/01/2038, 23:59

Subject

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7c:11:18:cb:ba:dc:95:da:37:52:c4:6e:47:a2:74:38
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

13/11/2018, 00:00

Not After

08/11/2021, 23:59

Subject

CN=Simon Tatham,O=Simon Tatham,L=Cambridge,ST=Cambridgeshire,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

19/01/2010, 00:00

Not After

18/01/2038, 23:59

Subject

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7c:11:18:cb:ba:dc:95:da:37:52:c4:6e:47:a2:74:38
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

13/11/2018, 00:00

Not After

08/11/2021, 23:59

Subject

CN=Simon Tatham,O=Simon Tatham,L=Cambridge,ST=Cambridgeshire,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

20:3b:c9:12:8e:d0:7b:4b:07:fa:d7:8e:ea:fc:5d:70:7e:f2:43:59:73:83:5c:c4:b2:7f:0b:35:db:a7:ea:fb
Signer

Actual PE Digest

20:3b:c9:12:8e:d0:7b:4b:07:fa:d7:8e:ea:fc:5d:70:7e:f2:43:59:73:83:5c:c4:b2:7f:0b:35:db:a7:ea:fb

Digest Algorithm

sha256

PE Digest Matches

false

7d:9e:0d:b8:4b:6d:45:3e:54:c5:28:e4:2e:70:0a:4c:9a:7e:18:94
Signer

Actual PE Digest

7d:9e:0d:b8:4b:6d:45:3e:54:c5:28:e4:2e:70:0a:4c:9a:7e:18:94

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

yzjJ.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 887KB - Virtual size: 887KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 234KB - Virtual size: 234KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/56a8937692fdf9a9c0b6cc236a9d3297.exe
.exe windows:4 windows x86 arch:x86

c5a2d9fb5390cc1f62ad8b3216c9cd1e

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

__vbaVarSub
__vbaVarTstGt
__vbaStrI2
__vbaR8ForNextCheck
_CIcos
_adj_fptan
__vbaVarMove
__vbaAryMove
__vbaFreeVar
__vbaLineInputStr
__vbaStrVarMove
__vbaLenBstr
__vbaEnd
__vbaFreeVarList
_adj_fdiv_m64
__vbaRaiseEvent
__vbaFreeObjList
ord516
_adj_fprem1
__vbaRecAnsiToUni
ord519
__vbaResume
__vbaCopyBytes
__vbaVarCmpNe
__vbaStrCat
__vbaLsetFixstr
ord660
ord553
__vbaSetSystemError
__vbaRecDestruct
__vbaHresultCheckObj
__vbaLenVar
_adj_fdiv_m32
__vbaAryDestruct
__vbaExitProc
__vbaOnError
__vbaObjSet
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
__vbaVarIndexLoad
ord598
ord520
__vbaRefVarAry
__vbaBoolVarNull
_CIsin
ord631
ord709
ord632
__vbaChkstk
ord526
__vbaFileClose
EVENT_SINK_AddRef
__vbaGenerateBoundsError
ord528
ord529
__vbaStrCmp
__vbaPutOwner3
__vbaAryConstruct2
__vbaVarTstEq
__vbaDateR8
__vbaObjVar
__vbaI2I4
DllFunctionCall
__vbaRedimPreserve
_adj_fpatan
__vbaFixstrConstruct
__vbaRedim
__vbaRecUniToAnsi
EVENT_SINK_Release
__vbaUI1I2
_CIsqrt
__vbaVarAnd
EVENT_SINK_QueryInterface
__vbaExceptHandler
ord711
__vbaPrintFile
__vbaStrToUnicode
_adj_fprem
_adj_fdivr_m64
ord608
ord716
__vbaFPException
ord717
__vbaInStrVar
__vbaGetOwner3
__vbaUbound
__vbaStrVarVal
__vbaVarCat
__vbaDateVar
__vbaLsetFixstrFree
__vbaI2Var
ord644
ord537
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaVar2Vec
__vbaNew2
ord648
ord570
__vbaInStr
ord571
_adj_fdiv_m32i
ord572
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
ord576
_adj_fdivr_m32
_adj_fdiv_r
ord578
ord685
ord100
ord579
__vbaVarTstNe
__vbaVarSetVar
__vbaI4Var
ord610
__vbaAryLock
__vbaVarAdd
__vbaLateMemCall
__vbaStrToAnsi
__vbaVarDup
__vbaFpI4
__vbaVarLateMemCallLd
ord616
__vbaVarSetObjAddref
__vbaLateMemCallLd
ord617
_CIatan
__vbaStrMove
__vbaR8IntI4
__vbaStrVarCopy
ord619
ord542
ord543
_allmul
ord544
ord545
_CItan
__vbaAryUnlock
ord547
_CIexp
__vbaFreeStr
__vbaRecAssign
__vbaFreeObj
ord581

Sections

.text
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 36KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/AgentTesla/708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 925KB - Virtual size: 925KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/9da74e41306059077f155debea5f44a5969e79297c9de44a4e355e4bb68b0536.exe
.exe windows:4 windows x86 arch:x86

c8ba23b6b87d52f10b27f48f2f6aa725

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

25/05/2021, 00:00

Not After

31/12/2028, 23:59

Subject

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

Issuer

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Not Before

22/03/2021, 00:00

Not After

21/03/2036, 23:59

Subject

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c7:8d:5f:14:d5:47:90:77:f1:a8:ec:41:41:a8:21:36
Certificate

Issuer

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Not Before

17/03/2023, 00:00

Not After

16/03/2024, 23:59

Subject

CN=Comodo Security Solutions\, Inc.,O=Comodo Security Solutions\, Inc.,ST=New Jersey,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

03/05/2023, 00:00

Not After

02/08/2034, 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #4,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/05/2019, 00:00

Not After

18/01/2038, 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

91:c8:5c:5a:b9:ae:3f:d8:49:03:a6:cb:7d:39:c5:95:5e:57:bb:2c:d0:ca:47:38:36:eb:13:c1:ab:6d:c5:f8
Signer

Actual PE Digest

91:c8:5c:5a:b9:ae:3f:d8:49:03:a6:cb:7d:39:c5:95:5e:57:bb:2c:d0:ca:47:38:36:eb:13:c1:ab:6d:c5:f8

Digest Algorithm

sha256

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetProcAddress
RtlMoveMemory
GetModuleHandleW

msvbvm60

__vbaVarSub
_CIcos
_adj_fptan
__vbaVarMove
__vbaVarVargNofree
__vbaFreeVar
__vbaAryMove
__vbaStrVarMove
__vbaLenBstr
__vbaFreeVarList
_adj_fdiv_m64
ord698
__vbaFreeObjList
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
__vbaLenVar
_adj_fdiv_m32
__vbaAryDestruct
ord595
__vbaObjSet
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
__vbaRefVarAry
__vbaBoolVarNull
_CIsin
__vbaVargVarMove
__vbaVarCmpGt
ord632
__vbaChkstk
EVENT_SINK_AddRef
__vbaAryConstruct2
__vbaVarTstEq
ord638
DllFunctionCall
__vbaVarOr
__vbaRedimPreserve
_adj_fpatan
__vbaRedim
EVENT_SINK_Release
__vbaNew
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
ord606
_adj_fprem
_adj_fdivr_m64
__vbaFPException
__vbaStrVarVal
__vbaUbound
__vbaVarCat
__vbaI2Var
ord644
_CIlog
__vbaVar2Vec
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaI4Str
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord100
__vbaI4Var
__vbaAryLock
__vbaVarAdd
__vbaVarDup
__vbaStrToAnsi
__vbaFpI2
__vbaVarCopy
ord616
_CIatan
__vbaStrMove
__vbaCastObj
__vbaStrVarCopy
_allmul
_CItan
ord653
__vbaAryUnlock
_CIexp
__vbaFreeObj
__vbaFreeStr

Sections

.text
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

XXZ
Size: 452KB - Virtual size: 449KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 32KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/AgentTesla-145f6076604900c379d5a82d6a95e6c56df274b34d77158056dccb5834516461.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Code Sign

4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

19/01/2010, 00:00

Not After

18/01/2038, 23:59

Subject

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7c:11:18:cb:ba:dc:95:da:37:52:c4:6e:47:a2:74:38
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

13/11/2018, 00:00

Not After

08/11/2021, 23:59

Subject

CN=Simon Tatham,O=Simon Tatham,L=Cambridge,ST=Cambridgeshire,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

19/01/2010, 00:00

Not After

18/01/2038, 23:59

Subject

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7c:11:18:cb:ba:dc:95:da:37:52:c4:6e:47:a2:74:38
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

13/11/2018, 00:00

Not After

08/11/2021, 23:59

Subject

CN=Simon Tatham,O=Simon Tatham,L=Cambridge,ST=Cambridgeshire,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

fe:51:f1:e4:c7:dd:f6:95:9c:51:fe:ec:55:84:c8:ee:e4:87:ae:26:08:de:67:9d:c6:cd:3f:69:79:a9:64:d4
Signer

Actual PE Digest

fe:51:f1:e4:c7:dd:f6:95:9c:51:fe:ec:55:84:c8:ee:e4:87:ae:26:08:de:67:9d:c6:cd:3f:69:79:a9:64:d4

Digest Algorithm

sha256

PE Digest Matches

false

7b:94:30:16:72:47:7b:2e:82:6c:c2:61:0c:75:7b:2d:d3:02:cd:12
Signer

Actual PE Digest

7b:94:30:16:72:47:7b:2e:82:6c:c2:61:0c:75:7b:2d:d3:02:cd:12

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

UChV.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 829KB - Virtual size: 828KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 171KB - Virtual size: 170KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/AgentTesla-150f720cd5e58ff58c421398257b42b92318cec613c657825bc585a43db8270b.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 748KB - Virtual size: 747KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/AgentTesla-15ec53cab469f3ee56ebb4bb924e7fd211585d273d2ce77d9fd1dbf7335e6249.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 232KB - Virtual size: 231KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/AgentTesla-3b6632b43aa88d79aa9bdcf19f38f11fd3b0a86915cef4408e390a4d70f068cd.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 231KB - Virtual size: 230KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/AgentTesla-47d4d0c51ec4940172fe3b02f8244547640661b9ba9efda0b7aa8238582a01c7.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 232KB - Virtual size: 231KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/AgentTesla-b2e66ccdc348de1a7d4a46b8af0e1b84b40e1aff56d0ae8c7b763acb42187933.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Code Sign

78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

28/07/2020, 00:00

Not After

18/03/2029, 00:00

Subject

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

77:bd:0e:05:b7:59:0b:b6:1d:47:61:53:1e:3f:75:ed
Certificate

Issuer

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Not Before

28/07/2020, 00:00

Not After

28/07/2030, 00:00

Subject

CN=GlobalSign GCC R45 EV CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:61:94:e2:77:9d:53:1f:89:69:50:ff
Certificate

Issuer

CN=GlobalSign GCC R45 EV CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Not Before

10/10/2023, 07:35

Not After

18/12/2026, 16:17

Subject

SERIALNUMBER=912 309 975,CN=Vivaldi Technologies AS,O=Vivaldi Technologies AS,STREET=Mølleparken 6,L=Oslo,ST=Oslo,C=NO,1.3.6.1.4.1.311.60.2.1.3=#13024e4f,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

01:9b:ea:de:c8:4d:6b:8f:f7:6c:3a:9f:2e:01:24:16
Certificate

Issuer

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Not Before

07/11/2023, 17:13

Not After

09/12/2034, 17:13

Subject

CN=Globalsign TSA for CodeSign1 - R6 - 202311,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

01:ec:1c:92:40:de:fd:2e:40:5d:7c:47:74
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Not Before

20/06/2018, 00:00

Not After

10/12/2034, 00:00

Subject

CN=GlobalSign Timestamping CA - SHA384 - G4,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Not Before

10/12/2014, 00:00

Not After

10/12/2034, 00:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R6,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

9b:28:86:49:c3:91:c8:fb:66:9a:f9:01:9f:07:e1:e8:69:8e:aa:a1:09:87:b9:2a:1b:1e:92:61:6f:51:51:8d
Signer

Actual PE Digest

9b:28:86:49:c3:91:c8:fb:66:9a:f9:01:9f:07:e1:e8:69:8e:aa:a1:09:87:b9:2a:1b:1e:92:61:6f:51:51:8d

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 2.4MB - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 35KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/AgentTesla-f44f9c59fd88c422bb1ea185831dc62dae1add72e3013827795c58c9f84405f4.vbs
.vbs
BastianHein Malware samples/AgentTesla/AgentTesla.exe
.exe windows:4 windows x86 arch:x86

7eae418c7423834ffc3d79b4300bd6fb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetEnvironmentVariableW
SetFileAttributesW
Sleep
GetTickCount
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
SetCurrentDirectoryW
GetFileAttributesW
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
GetVersion
SetErrorMode
lstrlenW
lstrcpynW
GetDiskFreeSpaceW
ExitProcess
MoveFileW
CreateThread
GetLastError
CreateDirectoryW
CreateProcessW
RemoveDirectoryW
lstrcmpiA
CreateFileW
GetTempFileNameW
WriteFile
lstrcpyA
MoveFileExW
lstrcatW
GetSystemDirectoryW
GetProcAddress
GetModuleHandleA
GetExitCodeProcess
WaitForSingleObject
lstrcmpiW
lstrcmpW
GetFullPathNameW
GetShortPathNameW
SearchPathW
CompareFileTime
SetFileTime
CloseHandle
ExpandEnvironmentStringsW
GlobalFree
GlobalLock
GlobalUnlock
GlobalAlloc
DeleteFileW
FindFirstFileW
FindNextFileW
FindClose
SetFilePointer
ReadFile
MulDiv
lstrlenA
WideCharToMultiByte
MultiByteToWideChar
WritePrivateProfileStringW
FreeLibrary
GetPrivateProfileStringW
GetModuleHandleW
LoadLibraryExW

user32

GetWindowRect
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetMessagePos
CallWindowProcW
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
ScreenToClient
EnableMenuItem
GetDlgItem
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharPrevW
CharNextA
wsprintfA
DispatchMessageW
PeekMessageW
GetDC
ReleaseDC
EnableWindow
InvalidateRect
SendMessageW
DefWindowProcW
BeginPaint
GetClientRect
FillRect
SystemParametersInfoW
EndDialog
RegisterClassW
DialogBoxParamW
CreateWindowExW
GetClassInfoW
DestroyWindow
CharNextW
ExitWindowsEx
SetWindowTextW
LoadImageW
SetTimer
ShowWindow
PostQuitMessage
wsprintfW
SetWindowLongW
FindWindowExW
IsWindow
CreatePopupMenu
AppendMenuW
GetSystemMetrics
DrawTextW
EndPaint
CreateDialogParamW
SendMessageTimeoutW
SetForegroundWindow

gdi32

SelectObject
SetTextColor
SetBkMode
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor

shell32

ShellExecuteExW
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHGetFileInfoW
SHFileOperationW
SHBrowseForFolderW

advapi32

AdjustTokenPrivileges
RegCreateKeyExW
RegOpenKeyExW
SetFileSecurityW
OpenProcessToken
LookupPrivilegeValueW
RegEnumValueW
RegDeleteKeyW
RegDeleteValueW
RegCloseKey
RegSetValueExW
RegQueryValueExW
RegEnumKeyW

comctl32

ImageList_Create
ImageList_AddMasked
ord17
ImageList_Destroy

ole32

OleUninitialize
OleInitialize
CoTaskMemFree
CoCreateInstance

Sections

.text
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 128KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 112KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
MaterialDesignColors.dll
.dll windows:4 windows x86 arch:x86

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

D:\a\1\s\MaterialDesignColors.Wpf\obj\Release\net45\MaterialDesignColors.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 290KB - Virtual size: 289KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
MaterialDesignThemes.Wpf.dll
.dll windows:4 windows x86 arch:x86

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

D:\a\1\s\MaterialDesignThemes.Wpf\obj\Release\net45\MaterialDesignThemes.Wpf.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 7.1MB - Virtual size: 7.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
MaterialDesignThemes.Wpf.xml
.xml
Microsoft.Management.Infrastructure.dll
.dll windows:4 windows x86 arch:x86

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mscoree

_CorDllMain

Sections

.text
Size: 28KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
SharpSteam.dll
.dll windows:4 windows x86 arch:x86

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Users\Brian\Documents\GitHub\SharpSteam\SharpSteam\obj\Release\SharpSteam.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 904B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
System.Management.Automation.dll
.dll windows:4 windows x86 arch:x86

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mscoree

_CorDllMain

Sections

.text
Size: 344KB - Virtual size: 343KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
System.Management.Automation.xml
.xml
UWPHook.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Brian\Documents\GitHub\UWPHook\UWPHook\obj\Release\UWPHook.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 762KB - Virtual size: 761KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
UWPHook.exe.config
.xml
VDFParser.dll
.dll windows:4 windows x86 arch:x86

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

mscoree

_CorDllMain

Sections

.text
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 928B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/COTIZACIÓN ORDEN DE COMPRA 86352____________________________________________pdf.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 214KB - Virtual size: 214KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/Dubai UAE Project.wsf
.wsf .js .xml polyglot
BastianHein Malware samples/AgentTesla/EMAILMING BANK PAPER PAYMENT OF USD 8,8867.06.vbs
.vbs
BastianHein Malware samples/AgentTesla/FEBSOA_7645200097.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 713KB - Virtual size: 713KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/INQ No.KP-44-00-PS-PI-INQ-0026.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 210KB - Virtual size: 209KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/Invoice.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

ZTWX.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 717KB - Virtual size: 717KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/NewOrder568330.GZ.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 212KB - Virtual size: 211KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/ODEME DEKONTU 000887890087889000990000.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\Nova\source\repos\childish\childish\obj\Debug\childish.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 344KB - Virtual size: 344KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/Orden de compra 36530 PI-18789.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 197KB - Virtual size: 196KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/Orden de compra 834290125.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 205KB - Virtual size: 205KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/PO 28737-RM.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/PO-67642.exe
.exe windows:5 windows x86 arch:x86

c4540f421523fe2dc591e50be5ad7d0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

gethostbyname
recv
send
socket
inet_ntoa
setsockopt
ntohs
WSACleanup
WSAStartup
sendto
htons
__WSAFDIsSet
select
accept
listen
bind
inet_addr
ioctlsocket
recvfrom
WSAGetLastError
closesocket
gethostname
connect

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetGetConnectionW
WNetCancelConnection2W
WNetUseConnectionW
WNetAddConnection2W

wininet

HttpOpenRequestW
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
InternetConnectW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetQueryDataAvailable

psapi

GetProcessMemoryInfo

iphlpapi

IcmpSendEcho
IcmpCloseHandle
IcmpCreateFile

userenv

DestroyEnvironmentBlock
LoadUserProfileW
CreateEnvironmentBlock
UnloadUserProfile

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
FindClose
GetLongPathNameW
GetShortPathNameW
DeleteFileW
IsDebuggerPresent
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
LoadResource
LockResource
SizeofResource
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
LoadLibraryW
GetLocalTime
CompareStringW
GetCurrentThread
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
VirtualAlloc
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
ResetEvent
WaitForSingleObjectEx
IsProcessorFeaturePresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
CloseHandle
GetFullPathNameW
GetStartupInfoW
GetSystemTimeAsFileTime
InitializeSListHead
RtlUnwind
SetLastError
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
ResumeThread
FreeLibraryAndExitThread
GetACP
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetStringTypeW
GetFileType
SetStdHandle
GetConsoleCP
GetConsoleMode
ReadConsoleW
GetTimeZoneInformation
FindFirstFileExW
IsValidCodePage
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
SetCurrentDirectoryW
FindNextFileW
WriteConsoleW

user32

GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
PeekMessageW
GetInputState
UnregisterHotKey
CharLowerBuffW
MonitorFromPoint
MonitorFromRect
LoadImageW
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
ClientToScreen
GetCursorPos
DeleteMenu
CheckMenuRadioItem
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
SystemParametersInfoW
LockWindowUpdate
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetClassNameW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
RegisterHotKey
GetCursorInfo
SetWindowPos
CopyImage
AdjustWindowRectEx
SetRect
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
TrackPopupMenuEx
GetMessageW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
DispatchMessageW
keybd_event
TranslateMessage
ScreenToClient

gdi32

EndPath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
StrokeAndFillPath
GetDeviceCaps
SetPixel
CloseFigure
LineTo
AngleArc
MoveToEx
Ellipse
CreateCompatibleBitmap
CreateCompatibleDC
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
SelectObject
StretchBlt
CreateSolidBrush
SetTextColor
CreateFontW
GetTextFaceW
GetStockObject
CreateDCW
GetPixel
DeleteDC
GetDIBits
StrokePath

comdlg32

GetSaveFileNameW
GetOpenFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
GetTokenInformation
RegCreateKeyExW
GetSecurityDescriptorDacl
GetAclInformation
GetUserNameW
AddAce
SetSecurityDescriptorDacl
InitiateSystemShutdownExW

shell32

DragFinish
DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoInitializeSecurity
CoCreateInstanceEx
CoSetProxyBlanket

oleaut32

CreateStdDispatch
CreateDispTypeInfo
UnRegisterTypeLi
UnRegisterTypeLibForUser
RegisterTypeLibForUser
RegisterTypeLi
LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
VariantChangeType
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
SysStringLen
QueryPathOfRegTypeLi
SysAllocString
VariantInit
VariantClear
DispCallFunc
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
SafeArrayDestroyDescriptor
VariantCopy
OleLoadPicture

Sections

.text
Size: 619KB - Virtual size: 618KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 190KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 18KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 537KB - Virtual size: 536KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/PO490102811.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

XbXt.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 809KB - Virtual size: 809KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/PU6789000980.bat.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

Pdho.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 888KB - Virtual size: 887KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/RFQ_Product_Service Name_Priority_Order_Deadline_This_Week.scr
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 223KB - Virtual size: 222KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/SHIPPINGDOCUMENT.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 194KB - Virtual size: 193KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/Swift copy.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Code Sign

4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

19/01/2010, 00:00

Not After

18/01/2038, 23:59

Subject

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7c:11:18:cb:ba:dc:95:da:37:52:c4:6e:47:a2:74:38
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

13/11/2018, 00:00

Not After

08/11/2021, 23:59

Subject

CN=Simon Tatham,O=Simon Tatham,L=Cambridge,ST=Cambridgeshire,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

19/01/2010, 00:00

Not After

18/01/2038, 23:59

Subject

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7c:11:18:cb:ba:dc:95:da:37:52:c4:6e:47:a2:74:38
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

13/11/2018, 00:00

Not After

08/11/2021, 23:59

Subject

CN=Simon Tatham,O=Simon Tatham,L=Cambridge,ST=Cambridgeshire,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

20:3b:c9:12:8e:d0:7b:4b:07:fa:d7:8e:ea:fc:5d:70:7e:f2:43:59:73:83:5c:c4:b2:7f:0b:35:db:a7:ea:fb
Signer

Actual PE Digest

20:3b:c9:12:8e:d0:7b:4b:07:fa:d7:8e:ea:fc:5d:70:7e:f2:43:59:73:83:5c:c4:b2:7f:0b:35:db:a7:ea:fb

Digest Algorithm

sha256

PE Digest Matches

false

7d:9e:0d:b8:4b:6d:45:3e:54:c5:28:e4:2e:70:0a:4c:9a:7e:18:94
Signer

Actual PE Digest

7d:9e:0d:b8:4b:6d:45:3e:54:c5:28:e4:2e:70:0a:4c:9a:7e:18:94

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

yzjJ.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 887KB - Virtual size: 887KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 234KB - Virtual size: 234KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/a43a6421f9f5f7ac6ce878ceff99e594fadc983275f4f2f464341e5564784c70.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

Vxqo.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 629KB - Virtual size: 629KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/a5ef1fcb74fc781a1900ae1f6cfc12e410d27e97828be0e55b4e83beb6d35dbd
.exe windows:4 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 461KB - Virtual size: 460KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/a689d2c7fa2cc3712ff115a0dce0cd90c5d55c92bc87e7f24dcd05ad4a38db63.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 785KB - Virtual size: 785KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/a9811a63013f9a7fc654c88ab730f86187ef992231b230968c6d82a1e5ae5482.exe
.exe windows:5 windows x86 arch:x86

04b4eec1b14791bf23f31173f27a5df0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

__WSAFDIsSet
setsockopt
ntohs
recvfrom
sendto
htons
select
listen
WSAStartup
bind
closesocket
connect
socket
send
WSACleanup
ioctlsocket
accept
WSAGetLastError
inet_addr
gethostbyname
gethostname
recv

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
ImageList_ReplaceIcon
ImageList_Create
InitCommonControlsEx
ImageList_Destroy

mpr

WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W
WNetUseConnectionW

wininet

InternetReadFile
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetConnectW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetQueryOptionW
InternetQueryDataAvailable

psapi

EnumProcesses
GetModuleBaseNameW
GetProcessMemoryInfo
EnumProcessModules

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock
UnloadUserProfile
LoadUserProfileW

kernel32

HeapAlloc
Sleep
GetCurrentThreadId
RaiseException
MulDiv
GetVersionExW
GetSystemInfo
InterlockedIncrement
InterlockedDecrement
WideCharToMultiByte
lstrcpyW
MultiByteToWideChar
lstrlenW
lstrcmpiW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
FindClose
DeleteFileW
FindNextFileW
MoveFileW
CopyFileW
CreateDirectoryW
RemoveDirectoryW
GetProcessHeap
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetLocalTime
CompareStringW
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
GetTempPathW
GetTempFileNameW
VirtualFree
FormatMessageW
GetExitCodeProcess
SetErrorMode
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
DeviceIoControl
SetFileAttributesW
GetShortPathNameW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetCurrentThread
GetProcessIoCounters
CreateProcessW
SetPriorityClass
LoadLibraryW
VirtualAlloc
LoadLibraryExW
HeapFree
WaitForSingleObject
CreateThread
DuplicateHandle
GetLastError
CloseHandle
GetCurrentProcess
GetProcAddress
LoadLibraryA
FreeLibrary
GetModuleFileNameW
GetFullPathNameW
SetCurrentDirectoryW
IsDebuggerPresent
GetCurrentDirectoryW
ExitProcess
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetTimeFormatW
GetDateFormatW
GetCommandLineW
GetStartupInfoW
IsProcessorFeaturePresent
HeapSize
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStringTypeW
HeapCreate
SetHandleCount
GetFileType
SetStdHandle
GetConsoleCP
GetConsoleMode
LCMapStringW
RtlUnwind
SetFilePointer
GetTimeZoneInformation
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetTickCount
HeapReAlloc
WriteConsoleW
SetEndOfFile
SetSystemPowerState
SetEnvironmentVariableA

user32

GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
ReleaseCapture
SetCapture
WindowFromPoint
LoadImageW
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
CheckMenuRadioItem
SetWindowPos
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
SystemParametersInfoW
TranslateMessage
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetClassNameW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
GetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
MessageBoxW
DefWindowProcW
CopyImage
AdjustWindowRectEx
SetRect
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
GetMenuItemID
DispatchMessageW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
PeekMessageW
UnregisterHotKey
CharLowerBuffW
keybd_event
MonitorFromRect
GetWindowThreadProcessId

gdi32

DeleteObject
AngleArc
GetTextExtentPoint32W
ExtCreatePen
StrokeAndFillPath
StrokePath
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
GetDeviceCaps
MoveToEx
DeleteDC
GetPixel
CreateDCW
Ellipse
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
SetTextColor
CreateFontW
GetTextFaceW
GetStockObject
LineTo

comdlg32

GetSaveFileNameW
GetOpenFileNameW

advapi32

RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegCreateKeyExW
GetUserNameW
RegConnectRegistryW
CloseServiceHandle
UnlockServiceDatabase
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
InitializeSecurityDescriptor
InitializeAcl
GetLengthSid
CopySid
LogonUserW
LockServiceDatabase
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
GetAce
AddAce
SetSecurityDescriptorDacl
RegOpenKeyExW
RegQueryValueExW
AdjustTokenPrivileges
InitiateSystemShutdownExW
OpenSCManagerW
RegCloseKey

shell32

DragQueryPoint
ShellExecuteExW
SHGetFolderPathW
DragQueryFileW
SHEmptyRecycleBinW
SHBrowseForFolderW
SHFileOperationW
SHGetPathFromIDListW
SHGetDesktopFolder
SHGetMalloc
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CLSIDFromString
StringFromGUID2
CoInitialize
CoUninitialize
CoCreateInstance
CreateStreamOnHGlobal
CoTaskMemAlloc
CoTaskMemFree
ProgIDFromCLSID
OleInitialize
CreateBindCtx
CLSIDFromProgID
CoInitializeSecurity
CoCreateInstanceEx
CoSetProxyBlanket
OleUninitialize
IIDFromString

oleaut32

VariantChangeType
VariantCopyInd
DispCallFunc
CreateStdDispatch
CreateDispTypeInfo
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SysStringLen
SafeArrayAllocData
GetActiveObject
QueryPathOfRegTypeLi
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
SysAllocString
VariantCopy
VariantClear
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
OleLoadPicture
SafeArrayAccessData
VariantInit

Sections

.text
Size: 514KB - Virtual size: 513KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 56KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 105KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 177KB - Virtual size: 176KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/ac0c869888d9501a709cb33762d8062ecf7139116a4c0dbe07171f2c5a77b96c
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 712KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 345KB - Virtual size: 348KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 196KB - Virtual size: 196KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 203KB - Virtual size: 203KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/ad269d354d181fb136d667589d1df4f9402585070c6385afad354fcb204bbabe.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Code Sign

4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

19/01/2010, 00:00

Not After

18/01/2038, 23:59

Subject

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7c:11:18:cb:ba:dc:95:da:37:52:c4:6e:47:a2:74:38
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

13/11/2018, 00:00

Not After

08/11/2021, 23:59

Subject

CN=Simon Tatham,O=Simon Tatham,L=Cambridge,ST=Cambridgeshire,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

19/01/2010, 00:00

Not After

18/01/2038, 23:59

Subject

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7c:11:18:cb:ba:dc:95:da:37:52:c4:6e:47:a2:74:38
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

13/11/2018, 00:00

Not After

08/11/2021, 23:59

Subject

CN=Simon Tatham,O=Simon Tatham,L=Cambridge,ST=Cambridgeshire,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

6b:a6:6b:d2:7b:28:3f:24:08:50:de:ee:14:40:ec:ad:00:61:2f:79:9c:2f:c8:c8:c9:a3:66:5c:db:c8:a0:6d
Signer

Actual PE Digest

6b:a6:6b:d2:7b:28:3f:24:08:50:de:ee:14:40:ec:ad:00:61:2f:79:9c:2f:c8:c8:c9:a3:66:5c:db:c8:a0:6d

Digest Algorithm

sha256

PE Digest Matches

false

e9:13:a8:68:9b:d1:f1:8c:a5:a4:6b:50:cc:c3:db:a8:f3:5a:3f:05
Signer

Actual PE Digest

e9:13:a8:68:9b:d1:f1:8c:a5:a4:6b:50:cc:c3:db:a8:f3:5a:3f:05

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 910KB - Virtual size: 909KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 128KB - Virtual size: 127KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/doc02902501025.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 328KB - Virtual size: 327KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/e36d729fa02b3afcd3c60faf4e223ded54941dbc10c71cdd85fa9b202f05c4bb.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 339KB - Virtual size: 339KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/ea182b46e91f32537a6220caf8c6afab856db2a1f54ff078d2505fce84886317
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\Nova\source\repos\childish\childish\obj\Debug\childish.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 344KB - Virtual size: 344KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AgentTesla/shipment documents 0009405950609000799700000.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

rTCQ.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 856KB - Virtual size: 856KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AsyncRAT/AsyncRAT-0e1c49b6f18f737c17423eed597f37bab695ef39a605c4273757e6f00438e14b.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 223KB - Virtual size: 223KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AsyncRAT/AsyncRAT-1bc071f4c896be8efa58f95700af9335d7fe356a49356be84cbd28bf205a9959.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Size: 29KB - Virtual size: 64KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 1KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: - Virtual size: 5.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.6MB - Virtual size: 3.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AsyncRAT/AsyncRAT-89bb879c72817b511d415cef263f4303784a3f8737a6bbf2b745887522b46ed6.ps1
.ps1
BastianHein Malware samples/AsyncRAT/AsyncRAT-ebdd545410d74a5b7d323f4742f7bc9f056d3e5a00ce72095fc6f475bba0723a.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 58KB - Virtual size: 58KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AsyncRAT/AsyncRAT-f51ead138a3878cf9583205d32a173a3a2aba042da75fa87f6e0c4dd7b4504a9.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 44KB - Virtual size: 44KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/AzoRult/3a4a38ed839a1f73825b8456fc1efa73a65a7af25ba3513472d05cfac5ecef78.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 567KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 184KB - Virtual size: 184KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/BlackGuard/f47db48129530cf19f3c42f0c9f38ce1915f403469483661999dc2b19e12650b
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\BlackGuard\Desktop\new project steal\bin\Release\obfuscated_514105684\Hushikan.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 1.7MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/Cobaltstrike/2025-01-20_07bc98d5c9bd592d763109b1d8c6b93c_cobalt-strike_cobaltstrike_poet-rat
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-23_0b786960662ee07f2283af45c9f333a3_cobalt-strike_cobaltstrike_poet-rat
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-23_1bc77af5cda61769d36985b36b813e8f_cobalt-strike_cobaltstrike_poet-rat
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-23_3bc05a287de51e1cfe5d51ab73e3042f_cobalt-strike_cobaltstrike_poet-rat
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-23_747627c33118f775c37ca927a1cd671d_cobalt-strike_cobaltstrike_poet-rat
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-23_98c1e0ec4dc2b7c0eb37ac383bbd8ae0_cobalt-strike_cobaltstrike_poet-rat
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-23_e3547c7a0790c549109ce0abb2839b80_cobalt-strike_cobaltstrike_poet-rat
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-23_e4ee45b3511305ada6d78e651eb3e03d_cobalt-strike_cobaltstrike_poet-rat
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-23_f02e8c800922ad581bd49db9053c5ad4_cobalt-strike_cobaltstrike_poet-rat
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-25_c8ca6508ae4f1a87d47b8a531f3daa35_cobalt-strike_ryuk
.exe windows:10 windows x64 arch:x64

5a0fbbd7d063dfb9c2c0946ed8fbb559

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

setup.exe.pdb

Imports

advapi32

AdjustTokenPrivileges
BuildExplicitAccessWithNameW
BuildSecurityDescriptorW
BuildTrusteeWithSidW
ChangeServiceConfig2W
ChangeServiceConfigW
CheckTokenMembership
CloseServiceHandle
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertStringSidToSidW
CreateProcessAsUserW
CreateServiceW
CreateWellKnownSid
DeleteService
DeregisterEventSource
DuplicateTokenEx
GetLengthSid
GetNamedSecurityInfoW
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
GetSecurityDescriptorSacl
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
GetUserNameW
ImpersonateNamedPipeClient
IsValidAcl
IsValidSecurityDescriptor
IsValidSid
LookupPrivilegeValueW
OpenProcessToken
OpenSCManagerW
OpenServiceW
QueryServiceConfigW
RegCloseKey
RegCreateKeyExW
RegDeleteKeyExW
RegDeleteValueW
RegEnumKeyExW
RegEnumValueA
RegEnumValueW
RegLoadKeyW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryValueExA
RegQueryValueExW
RegSetValueExW
RegUnLoadKeyW
RegisterEventSourceA
RegisterTraceGuidsW
ReportEventA
RevertToSelf
SetEntriesInAclW
SetNamedSecurityInfoW
SetSecurityInfo
TraceEvent
UnregisterTraceGuids

dbghelp

SymCleanup
SymFromAddr
SymGetLineFromAddr64
SymGetSearchPathW
SymInitialize
SymSetOptions
SymSetSearchPathW

shell32

CommandLineToArgvW
ord190
ord155
ord680
SHChangeNotify
SHCreateAssociationRegistration
SHGetFolderPathW
SHGetKnownFolderPath
ShellExecuteExW
ShellExecuteW

user32

AllowSetForegroundWindow
CallNextHookEx
CharUpperW
CreateWindowExW
DefWindowProcW
DestroyWindow
DispatchMessageW
GetActiveWindow
GetMessageW
GetMonitorInfoW
GetQueueStatus
GetWindowLongPtrW
KillTimer
LoadIconW
MessageBoxW
MonitorFromWindow
MoveWindow
MsgWaitForMultipleObjectsEx
PeekMessageW
PostMessageW
PostQuitMessage
RegisterClassExW
RegisterClassW
SendMessageW
SetForegroundWindow
SetTimer
SetWindowLongPtrW
SetWindowsHookExW
TranslateMessage
UnhookWindowsHookEx
UnregisterClassW

ws2_32

ntohl

kernel32

AcquireSRWLockExclusive
AcquireSRWLockShared
AddVectoredExceptionHandler
AssignProcessToJobObject
CloseHandle
CompareStringW
ConnectNamedPipe
CopyFileW
CreateDirectoryW
CreateEventW
CreateFileA
CreateFileMappingW
CreateFileW
CreateIoCompletionPort
CreateMutexW
CreateNamedPipeW
CreateProcessW
CreateSemaphoreW
CreateThread
CreateToolhelp32Snapshot
DeleteCriticalSection
DeleteFileW
DeleteProcThreadAttributeList
DisconnectNamedPipe
DuplicateHandle
EncodePointer
EnterCriticalSection
EnumSystemLocalesW
ExitProcess
ExpandEnvironmentStringsW
FileTimeToSystemTime
FindClose
FindFirstFileExW
FindNextFileW
FindResourceW
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
FlushViewOfFile
FormatMessageA
FormatMessageW
FreeEnvironmentStringsW
FreeLibrary
GetACP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetConsoleMode
GetConsoleOutputCP
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDateFormatW
GetDriveTypeW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetExitCodeProcess
GetFileAttributesExW
GetFileAttributesW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFileSizeEx
GetFileTime
GetFileType
GetFullPathNameW
GetLastError
GetLocalTime
GetLocaleInfoW
GetLogicalProcessorInformation
GetLongPathNameW
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExW
GetModuleHandleW
GetNativeSystemInfo
GetOEMCP
GetPriorityClass
GetProcAddress
GetProcessHandleCount
GetProcessHeap
GetProcessId
GetProcessMitigationPolicy
GetProcessTimes
GetProductInfo
GetQueuedCompletionStatus
GetShortPathNameW
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemDefaultLCID
GetSystemDirectoryW
GetSystemInfo
GetSystemTimeAsFileTime
GetSystemTimePreciseAsFileTime
GetTempPathW
GetThreadContext
GetThreadId
GetThreadLocale
GetThreadPreferredUILanguages
GetThreadPriority
GetTickCount
GetTimeFormatW
GetTimeZoneInformation
GetUserDefaultLCID
GetUserDefaultLangID
GetVersionExW
GetWindowsDirectoryW
GlobalAlloc
GlobalFree
GlobalMemoryStatusEx
HeapSetInformation
InitOnceExecuteOnce
InitializeConditionVariable
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeProcThreadAttributeList
InitializeSListHead
InitializeSRWLock
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
IsValidLocale
IsWow64Process
K32GetModuleInformation
K32GetPerformanceInfo
K32GetProcessMemoryInfo
K32QueryWorkingSetEx
LCMapStringW
LeaveCriticalSection
LoadLibraryExA
LoadLibraryExW
LoadLibraryW
LoadResource
LocalFree
LockFileEx
LockResource
MapViewOfFile
MoveFileExW
MoveFileW
MultiByteToWideChar
OpenMutexW
OpenProcess
OutputDebugStringA
PeekNamedPipe
PostQueuedCompletionStatus
Process32FirstW
Process32NextW
QueryFullProcessImageNameW
QueryPerformanceCounter
QueryPerformanceFrequency
QueryThreadCycleTime
QueueUserAPC
RaiseException
ReadConsoleW
ReadFile
ReadProcessMemory
RegisterWaitForSingleObject
ReleaseMutex
ReleaseSRWLockExclusive
ReleaseSRWLockShared
ReleaseSemaphore
RemoveDirectoryW
RemoveVectoredExceptionHandler
ReplaceFileW
ResetEvent
ResumeThread
RtlCaptureContext
RtlCaptureStackBackTrace
RtlLookupFunctionEntry
RtlPcToFileHeader
RtlUnwind
RtlUnwindEx
RtlVirtualUnwind
SetConsoleCtrlHandler
SetCurrentDirectoryW
SetEndOfFile
SetEnvironmentVariableW
SetEvent
SetFileAttributesW
SetFileInformationByHandle
SetFilePointerEx
SetFileTime
SetHandleInformation
SetLastError
SetNamedPipeHandleState
SetPriorityClass
SetProcessShutdownParameters
SetStdHandle
SetThreadInformation
SetThreadPriority
SetUnhandledExceptionFilter
SizeofResource
Sleep
SleepConditionVariableSRW
SleepEx
SuspendThread
SwitchToThread
SystemTimeToTzSpecificLocalTime
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TransactNamedPipe
TryAcquireSRWLockExclusive
UnhandledExceptionFilter
UnlockFileEx
UnmapViewOfFile
UnregisterWaitEx
UpdateProcThreadAttribute
VerSetConditionMask
VerifyVersionInfoW
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualProtect
VirtualQuery
VirtualQueryEx
WaitForMultipleObjects
WaitForSingleObject
WaitNamedPipeW
WakeAllConditionVariable
WakeConditionVariable
WerRegisterRuntimeExceptionModule
WideCharToMultiByte
Wow64GetThreadContext
WriteConsoleW
WriteFile
WriteProcessMemory
lstrcmpiW

winhttp

WinHttpAddRequestHeaders
WinHttpCloseHandle
WinHttpConnect
WinHttpCrackUrl
WinHttpGetProxyForUrl
WinHttpOpen
WinHttpOpenRequest
WinHttpQueryHeaders
WinHttpReadData
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpSetOption
WinHttpSetStatusCallback
WinHttpSetTimeouts
WinHttpWriteData

ole32

CoAllowSetForegroundWindow
CoCreateInstance
CoInitializeEx
CoRegisterInitializeSpy
CoRevokeInitializeSpy
CoSetProxyBlanket
CoTaskMemAlloc
CoTaskMemFree
CoUninitialize
PropVariantClear

oleaut32

SysAllocString
SysAllocStringLen
SysFreeString
SysStringLen
VariantClear
VariantInit

propsys

InitPropVariantFromCLSID

shlwapi

ord437
PathMatchSpecW
UrlCanonicalizeW

ntdll

NtClose
NtDeleteKey
NtOpenKeyEx
NtQueryValueKey
RtlFormatCurrentUserKeyPath
RtlFreeUnicodeString
RtlInitUnicodeString

winmm

timeBeginPeriod
timeEndPeriod
timeGetTime

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

urlmon

CreateURLMonikerEx

ncrypt

NCryptCreatePersistedKey
NCryptExportKey
NCryptFinalizeKey
NCryptFreeObject
NCryptGetProperty
NCryptImportKey
NCryptIsAlgSupported
NCryptOpenStorageProvider
NCryptSignHash

api-ms-win-core-winrt-l1-1-0

RoInitialize
RoUninitialize

Exports

Exports

GetHandleVerifier
sqlite3_dbdata_init

Sections

.text
Size: 4.3MB - Virtual size: 4.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 734KB - Virtual size: 733KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 69KB - Virtual size: 142KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 108KB - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gxfg
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.retplne
Size: 512B - Virtual size: 200B

.rodata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.tls
Size: 1024B - Virtual size: 609B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

CPADinfo
Size: 512B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

LZMADEC
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 500B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

malloc_h
Size: 512B - Virtual size: 228B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 557KB - Virtual size: 557KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 580KB - Virtual size: 584KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-25_e12131df52f9767d151b87d429e7091d_cobalt-strike_cobaltstrike_poet-rat.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-27_56f77a2a3a97469c694f466c81c7dc0f_cobalt-strike_cobaltstrike_poet-rat.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-27_8fe7246cad8c25f7be284ceb1638f8d1_cobalt-strike_cobaltstrike_poet-rat.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-27_c4c3e600067a77381eb7ee3ea84df4a2_cobalt-strike_cobaltstrike_poet-rat.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-27_c81f31bdddc564f059c63088074fea6d_cobalt-strike_cobaltstrike_poet-rat
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-28_df939c4cef1865d9ab2573984d14b444_cobalt-strike_cobaltstrike_poet-rat.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-29_23324854d7a957ed61b0d1e9c8d3787d_cobalt-strike_cobaltstrike_poet-rat.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-29_4ef9d670f043c1bbf5847b79e6990201_cobalt-strike_cobaltstrike_poet-rat.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-29_5dddc97aa8de9118d357945b407b9cdf_cobalt-strike_cobaltstrike_poet-rat.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-29_8db813fda6e07735cc26f178a165ddae_cobalt-strike_cobaltstrike_poet-rat.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-29_94e7b6e64fbd2db94cf600eabdb90c66_cobalt-strike_cobaltstrike_poet-rat.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-30_82bb28ed6217161f2dc8d9dcc825484b_cobalt-strike_cobaltstrike_poet-rat.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-30_8608d0f5072ffd3f75b4b6ffc0f86f28_cobalt-strike_cobaltstrike_poet-rat.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-01-30_b0baaa3b72d0580dc23840131ff41985_cobalt-strike_cobaltstrike_poet-rat.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-02-01_432095b88894c4d3bb99c6a90403429b_cobalt-strike_cobaltstrike_poet-rat.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 724KB - Virtual size: 3.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 272KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-02-04_0ee70892c83663e033ee9bd29d5b0fff_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
.exe windows:4 windows x86 arch:x86

96c44fa1eee2c4e9b9e77d7bf42d59e6

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

winmm

timeEndPeriod
timeBeginPeriod

ws2_32

WSAGetOverlappedResult

kernel32

WriteFile
WriteConsoleW
WaitForSingleObject
VirtualFree
VirtualAlloc
SwitchToThread
SetWaitableTimer
SetUnhandledExceptionFilter
SetProcessPriorityBoost
SetEvent
SetErrorMode
SetConsoleCtrlHandler
LoadLibraryA
LoadLibraryW
GetSystemInfo
GetStdHandle
GetQueuedCompletionStatus
GetProcessAffinityMask
GetProcAddress
GetEnvironmentStringsW
GetConsoleMode
FreeEnvironmentStringsW
ExitProcess
DuplicateHandle
CreateThread
CreateIoCompletionPort
CreateEventA
CloseHandle
AddVectoredExceptionHandler

Sections

.text
Size: 2.9MB - Virtual size: 2.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 192KB - Virtual size: 281KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

/4
Size: 512B - Virtual size: 278B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/18
Size: 183KB - Virtual size: 183KB

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/30
Size: 148KB - Virtual size: 147KB

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/43
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/59
Size: 123KB - Virtual size: 123KB

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/75
Size: 512B - Virtual size: 32B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/90
Size: 512B - Virtual size: 34B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/109
Size: 749KB - Virtual size: 748KB

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 1024B - Virtual size: 882B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.symtab
Size: 317KB - Virtual size: 316KB

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 95KB - Virtual size: 94KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/2025-02-04_1f6236cf265f053f7dd5d9a6db70d8c7_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
.exe windows:4 windows x86 arch:x86

96c44fa1eee2c4e9b9e77d7bf42d59e6

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

winmm

timeEndPeriod
timeBeginPeriod

ws2_32

WSAGetOverlappedResult

kernel32

WriteFile
WriteConsoleW
WaitForSingleObject
VirtualFree
VirtualAlloc
SwitchToThread
SetWaitableTimer
SetUnhandledExceptionFilter
SetProcessPriorityBoost
SetEvent
SetErrorMode
SetConsoleCtrlHandler
LoadLibraryA
LoadLibraryW
GetSystemInfo
GetStdHandle
GetQueuedCompletionStatus
GetProcessAffinityMask
GetProcAddress
GetEnvironmentStringsW
GetConsoleMode
FreeEnvironmentStringsW
ExitProcess
DuplicateHandle
CreateThread
CreateIoCompletionPort
CreateEventA
CloseHandle
AddVectoredExceptionHandler

Sections

.text
Size: 2.9MB - Virtual size: 2.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 192KB - Virtual size: 281KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

/4
Size: 512B - Virtual size: 278B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/18
Size: 183KB - Virtual size: 183KB

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/30
Size: 148KB - Virtual size: 147KB

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/43
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/59
Size: 123KB - Virtual size: 123KB

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/75
Size: 512B - Virtual size: 32B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/90
Size: 512B - Virtual size: 34B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/109
Size: 749KB - Virtual size: 748KB

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 1024B - Virtual size: 882B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.symtab
Size: 317KB - Virtual size: 316KB

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 95KB - Virtual size: 94KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Cobaltstrike/5d3c35291437efc8eb055aabf2d049992397f9c3016e33b0e2524f9ac35f847b
.exe windows:4 windows x64 arch:x64

8e86b589d9c371bca47e40c80f4a1b77

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

CreateThread
DeleteCriticalSection
EnterCriticalSection
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetStartupInfoA
GetSystemTimeAsFileTime
GetTickCount
InitializeCriticalSection
LeaveCriticalSection
QueryPerformanceCounter
RtlAddFunctionTable
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsGetValue
UnhandledExceptionFilter
VirtualAlloc
VirtualProtect
VirtualQuery
WaitForSingleObject

msvcrt

__C_specific_handler
__getmainargs
__initenv
__iob_func
__lconv_init
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_cexit
_fmode
_initterm
_onexit
abort
calloc
exit
fprintf
free
fwrite
malloc
memcpy
signal
strlen
strncmp
vfprintf

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 1024B - Virtual size: 624B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 512B - Virtual size: 500B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

/4
Size: 512B - Virtual size: 80B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/19
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/31
Size: 512B - Virtual size: 329B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/45
Size: 1024B - Virtual size: 546B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/57
Size: 512B - Virtual size: 72B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/70
Size: 512B - Virtual size: 155B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/Cobaltstrike/a4ce886d170153cfb5b8d74ad0186d9966e32e5408e3bd3e940717fc16c6810f
.exe windows:4 windows x64 arch:x64

8892181748c61660b1283058a8498a12

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

AddAtomA
AddVectoredExceptionHandler
CloseHandle
CreateEventA
CreateMutexA
CreateSemaphoreA
DeleteAtom
DeleteCriticalSection
DuplicateHandle
EnterCriticalSection
FindAtomA
FormatMessageA
GetAtomNameA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetHandleInformation
GetLastError
GetProcessAffinityMask
GetStartupInfoA
GetSystemTimeAsFileTime
GetThreadContext
GetThreadPriority
GetTickCount
InitializeCriticalSection
IsDBCSLeadByteEx
IsDebuggerPresent
LeaveCriticalSection
LocalFree
MultiByteToWideChar
OpenProcess
OutputDebugStringA
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseException
ReleaseMutex
ReleaseSemaphore
RemoveVectoredExceptionHandler
ResetEvent
ResumeThread
SetEvent
SetLastError
SetProcessAffinityMask
SetThreadContext
SetThreadPriority
SetUnhandledExceptionFilter
Sleep
SuspendThread
TlsAlloc
TlsGetValue
TlsSetValue
TryEnterCriticalSection
VirtualAlloc
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
__C_specific_handler

msvcrt

___lc_codepage_func
___mb_cur_max_func
__getmainargs
__initenv
__iob_func
__lconv_init
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_beginthreadex
_cexit
_commode
_endthreadex
_errno
_fmode
_initterm
_lock
_memccpy
_onexit
_setjmp
_strdup
_ultoa
_unlock
abort
atoi
calloc
clock
exit
fprintf
fputc
free
fwrite
getc
islower
isspace
isupper
isxdigit
localeconv
longjmp
malloc
memcpy
memmove
memset
printf
realloc
signal
strcat
strcpy
strerror
strlen
strncmp
strtol
strtoul
tolower
ungetc
vfprintf
wcslen

Sections

.text
Size: 99KB - Virtual size: 99KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 400B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 112B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 156B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/4
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/19
Size: 110KB - Virtual size: 109KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/31
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/45
Size: 56KB - Virtual size: 56KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/57
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/70
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/81
Size: 169KB - Virtual size: 168KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/92
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/Cobaltstrike/d2695ffe116958dca9625d2bc5a67d136ed12a0a267dafd05810a22384c1a866.exe
.exe windows:6 windows x64 arch:x64

0b9e983bd9d5c74ab08df203a85f95ee

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

\\192.168.130.131\visualstudio\av\Project2\x64\Release\Project2.pdb

Imports

kernel32

VirtualAlloc
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetModuleHandleW
RtlCaptureContext

msvcp140

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??Bios_base@std@@QEBA_NXZ
?_Xbad_alloc@std@@YAXXZ
?_Xinvalid_argument@std@@YAXPEBD@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memset
_CxxThrowException
__C_specific_handler
__current_exception_context
__current_exception
__std_terminate
__std_exception_destroy
memcpy
memmove
__std_exception_copy

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__acrt_iob_func
__p__commode
__stdio_common_vfprintf

api-ms-win-crt-runtime-l1-1-0

_initialize_onexit_table
_register_onexit_function
_crt_atexit
_exit
_register_thread_local_exe_atexit_callback
_c_exit
exit
__p___argv
_initterm
_get_initial_narrow_environment
_initialize_narrow_environment
_configure_narrow_argv
__p___argc
_set_app_type
_seh_filter_exe
terminate
_cexit
_errno
_invalid_parameter_noinfo_noreturn
_initterm_e

api-ms-win-crt-convert-l1-1-0

strtol

api-ms-win-crt-heap-l1-1-0

malloc
_set_new_mode
free
_callnewh

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/DcRat/AIMWARE CRACK 1.3.2.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 66KB - Virtual size: 65KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.bsS
Size: 2.4MB - Virtual size: 2.4MB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/DcRat/AIMWARE CRACK 1.3.2.zip
.zip
BastianHein Malware samples/DcRat/DarkCristalRAT-72f0a6f04fa93d4749d2ddd68d24c8323e0832341b278add88b8716e245c3a1b.exe
.exe windows:5 windows x86 arch:x86

12e12319f1029ec4f8fcbed7e82df162

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Imports

kernel32

GetLastError
SetLastError
FormatMessageW
GetCurrentProcess
DeviceIoControl
SetFileTime
CloseHandle
CreateDirectoryW
RemoveDirectoryW
CreateFileW
DeleteFileW
CreateHardLinkW
GetShortPathNameW
GetLongPathNameW
MoveFileW
GetFileType
GetStdHandle
WriteFile
ReadFile
FlushFileBuffers
SetEndOfFile
SetFilePointer
SetFileAttributesW
GetFileAttributesW
FindClose
FindFirstFileW
FindNextFileW
InterlockedDecrement
GetVersionExW
GetCurrentDirectoryW
GetFullPathNameW
FoldStringW
GetModuleFileNameW
GetModuleHandleW
FindResourceW
FreeLibrary
GetProcAddress
GetCurrentProcessId
ExitProcess
SetThreadExecutionState
Sleep
LoadLibraryW
GetSystemDirectoryW
CompareStringW
AllocConsole
FreeConsole
AttachConsole
WriteConsoleW
GetProcessAffinityMask
CreateThread
SetThreadPriority
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SetEvent
ResetEvent
ReleaseSemaphore
WaitForSingleObject
CreateEventW
CreateSemaphoreW
GetSystemTime
SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
SystemTimeToFileTime
FileTimeToLocalFileTime
LocalFileTimeToFileTime
FileTimeToSystemTime
GetCPInfo
IsDBCSLeadByte
MultiByteToWideChar
WideCharToMultiByte
GlobalAlloc
LockResource
GlobalLock
GlobalUnlock
GlobalFree
LoadResource
SizeofResource
SetCurrentDirectoryW
GetExitCodeProcess
GetLocalTime
GetTickCount
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
OpenFileMappingW
GetCommandLineW
SetEnvironmentVariableW
ExpandEnvironmentStringsW
GetTempPathW
MoveFileExW
GetLocaleInfoW
GetTimeFormatW
GetDateFormatW
GetNumberFormatW
DecodePointer
SetFilePointerEx
GetConsoleMode
GetConsoleCP
HeapSize
SetStdHandle
GetProcessHeap
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetOEMCP
RaiseException
GetSystemInfo
VirtualProtect
VirtualQuery
LoadLibraryExA
IsProcessorFeaturePresent
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
TerminateProcess
LocalFree
RtlUnwind
EncodePointer
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
QueryPerformanceFrequency
GetModuleHandleExW
GetModuleFileNameA
GetACP
HeapFree
HeapAlloc
HeapReAlloc
GetStringTypeW
LCMapStringW
FindFirstFileExA
FindNextFileA
IsValidCodePage

oleaut32

SysAllocString
SysFreeString
VariantClear

gdiplus

GdipAlloc
GdipDisposeImage
GdipCloneImage
GdipCreateBitmapFromStream
GdipCreateBitmapFromStreamICM
GdipCreateHBITMAPFromBitmap
GdiplusStartup
GdiplusShutdown
GdipFree

Sections

.text
Size: 199KB - Virtual size: 198KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 145KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didat
Size: 512B - Virtual size: 400B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 56KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/DcRat/DarkCristalRAT-7f435bef5663b3d191b82230b2c96d50cdd1d5aec7b516dd0152ff8f2f8a0667.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 501KB - Virtual size: 501KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 800B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/DcRat/HEUR.Trojan-Spy.MSIL.Stealer.gen-40603df340cee8c3d00939469470a28acbf64401ec12d32ba68fe54e7f04c6d4.exe
.exe windows:5 windows x86 arch:x86

fcf1390e9ce472c7270447fc5c61a0c1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Imports

kernel32

GetLastError
SetLastError
FormatMessageW
GetCurrentProcess
DeviceIoControl
SetFileTime
CloseHandle
CreateDirectoryW
RemoveDirectoryW
CreateFileW
DeleteFileW
CreateHardLinkW
GetShortPathNameW
GetLongPathNameW
MoveFileW
GetFileType
GetStdHandle
WriteFile
ReadFile
FlushFileBuffers
SetEndOfFile
SetFilePointer
SetFileAttributesW
GetFileAttributesW
FindClose
FindFirstFileW
FindNextFileW
GetVersionExW
GetCurrentDirectoryW
GetFullPathNameW
FoldStringW
GetModuleFileNameW
GetModuleHandleW
FindResourceW
FreeLibrary
GetProcAddress
GetCurrentProcessId
ExitProcess
SetThreadExecutionState
Sleep
LoadLibraryW
GetSystemDirectoryW
CompareStringW
AllocConsole
FreeConsole
AttachConsole
WriteConsoleW
GetProcessAffinityMask
CreateThread
SetThreadPriority
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SetEvent
ResetEvent
ReleaseSemaphore
WaitForSingleObject
CreateEventW
CreateSemaphoreW
GetSystemTime
SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
SystemTimeToFileTime
FileTimeToLocalFileTime
LocalFileTimeToFileTime
FileTimeToSystemTime
GetCPInfo
IsDBCSLeadByte
MultiByteToWideChar
WideCharToMultiByte
GlobalAlloc
LockResource
GlobalLock
GlobalUnlock
GlobalFree
LoadResource
SizeofResource
SetCurrentDirectoryW
GetExitCodeProcess
GetLocalTime
GetTickCount
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
OpenFileMappingW
GetCommandLineW
SetEnvironmentVariableW
ExpandEnvironmentStringsW
GetTempPathW
MoveFileExW
GetLocaleInfoW
GetTimeFormatW
GetDateFormatW
GetNumberFormatW
SetFilePointerEx
GetConsoleMode
GetConsoleCP
HeapSize
SetStdHandle
GetProcessHeap
RaiseException
GetSystemInfo
VirtualProtect
VirtualQuery
LoadLibraryExA
IsProcessorFeaturePresent
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
TerminateProcess
RtlUnwind
EncodePointer
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
QueryPerformanceFrequency
GetModuleHandleExW
GetModuleFileNameA
GetACP
HeapFree
HeapAlloc
HeapReAlloc
GetStringTypeW
LCMapStringW
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
DecodePointer

gdiplus

GdiplusShutdown
GdiplusStartup
GdipCreateHBITMAPFromBitmap
GdipCreateBitmapFromStreamICM
GdipCreateBitmapFromStream
GdipDisposeImage
GdipCloneImage
GdipFree
GdipAlloc

Sections

.text
Size: 196KB - Virtual size: 196KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 42KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 141KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didat
Size: 512B - Virtual size: 392B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 56KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/DcRat/mega porno.exe
.exe windows:5 windows x86 arch:x86

fcf1390e9ce472c7270447fc5c61a0c1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Imports

kernel32

GetLastError
SetLastError
FormatMessageW
GetCurrentProcess
DeviceIoControl
SetFileTime
CloseHandle
CreateDirectoryW
RemoveDirectoryW
CreateFileW
DeleteFileW
CreateHardLinkW
GetShortPathNameW
GetLongPathNameW
MoveFileW
GetFileType
GetStdHandle
WriteFile
ReadFile
FlushFileBuffers
SetEndOfFile
SetFilePointer
SetFileAttributesW
GetFileAttributesW
FindClose
FindFirstFileW
FindNextFileW
GetVersionExW
GetCurrentDirectoryW
GetFullPathNameW
FoldStringW
GetModuleFileNameW
GetModuleHandleW
FindResourceW
FreeLibrary
GetProcAddress
GetCurrentProcessId
ExitProcess
SetThreadExecutionState
Sleep
LoadLibraryW
GetSystemDirectoryW
CompareStringW
AllocConsole
FreeConsole
AttachConsole
WriteConsoleW
GetProcessAffinityMask
CreateThread
SetThreadPriority
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SetEvent
ResetEvent
ReleaseSemaphore
WaitForSingleObject
CreateEventW
CreateSemaphoreW
GetSystemTime
SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
SystemTimeToFileTime
FileTimeToLocalFileTime
LocalFileTimeToFileTime
FileTimeToSystemTime
GetCPInfo
IsDBCSLeadByte
MultiByteToWideChar
WideCharToMultiByte
GlobalAlloc
LockResource
GlobalLock
GlobalUnlock
GlobalFree
LoadResource
SizeofResource
SetCurrentDirectoryW
GetExitCodeProcess
GetLocalTime
GetTickCount
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
OpenFileMappingW
GetCommandLineW
SetEnvironmentVariableW
ExpandEnvironmentStringsW
GetTempPathW
MoveFileExW
GetLocaleInfoW
GetTimeFormatW
GetDateFormatW
GetNumberFormatW
SetFilePointerEx
GetConsoleMode
GetConsoleCP
HeapSize
SetStdHandle
GetProcessHeap
RaiseException
GetSystemInfo
VirtualProtect
VirtualQuery
LoadLibraryExA
IsProcessorFeaturePresent
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
TerminateProcess
RtlUnwind
EncodePointer
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
QueryPerformanceFrequency
GetModuleHandleExW
GetModuleFileNameA
GetACP
HeapFree
HeapAlloc
HeapReAlloc
GetStringTypeW
LCMapStringW
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
DecodePointer

gdiplus

GdiplusShutdown
GdiplusStartup
GdipCreateHBITMAPFromBitmap
GdipCreateBitmapFromStreamICM
GdipCreateBitmapFromStream
GdipDisposeImage
GdipCloneImage
GdipFree
GdipAlloc

Sections

.text
Size: 196KB - Virtual size: 196KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 42KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 141KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didat
Size: 512B - Virtual size: 392B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 56KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/DcRat/pass.txt
BastianHein Malware samples/DcRat/zapret.exe
.exe windows:5 windows x64 arch:x64

b1c5b1beabd90d9fdabd1df0779ea832

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb

Imports

kernel32

LocalFree
GetLastError
SetLastError
FormatMessageW
GetCurrentProcess
DeviceIoControl
SetFileTime
CloseHandle
RemoveDirectoryW
CreateFileW
DeleteFileW
CreateHardLinkW
GetShortPathNameW
GetLongPathNameW
MoveFileW
GetFileType
GetStdHandle
WriteFile
ReadFile
FlushFileBuffers
SetEndOfFile
SetFilePointer
GetCurrentProcessId
CreateDirectoryW
SetFileAttributesW
GetFileAttributesW
FindClose
FindFirstFileW
FindNextFileW
GetVersionExW
GetModuleFileNameW
SetCurrentDirectoryW
GetCurrentDirectoryW
GetFullPathNameW
FoldStringW
GetModuleHandleW
FindResourceW
FreeLibrary
GetProcAddress
ExpandEnvironmentStringsW
ExitProcess
SetThreadExecutionState
Sleep
LoadLibraryW
GetSystemDirectoryW
CompareStringW
AllocConsole
FreeConsole
AttachConsole
WriteConsoleW
GetProcessAffinityMask
CreateThread
SetThreadPriority
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SetEvent
ResetEvent
ReleaseSemaphore
WaitForSingleObject
CreateEventW
CreateSemaphoreW
GetSystemTime
SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
SystemTimeToFileTime
FileTimeToLocalFileTime
LocalFileTimeToFileTime
FileTimeToSystemTime
GetCPInfo
IsDBCSLeadByte
MultiByteToWideChar
WideCharToMultiByte
GlobalAlloc
LockResource
GlobalLock
GlobalUnlock
GlobalFree
GlobalMemoryStatusEx
LoadResource
SizeofResource
GetTimeFormatW
GetDateFormatW
GetExitCodeProcess
GetLocalTime
GetTickCount
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
OpenFileMappingW
GetCommandLineW
SetEnvironmentVariableW
GetTempPathW
MoveFileExW
GetLocaleInfoW
GetNumberFormatW
SetFilePointerEx
GetConsoleMode
GetConsoleCP
HeapSize
SetStdHandle
GetProcessHeap
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetOEMCP
IsValidCodePage
FindNextFileA
RaiseException
GetSystemInfo
VirtualProtect
VirtualQuery
LoadLibraryExA
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
InitializeCriticalSectionAndSpinCount
WaitForSingleObjectEx
IsDebuggerPresent
GetStartupInfoW
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
RtlPcToFileHeader
RtlUnwindEx
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
QueryPerformanceFrequency
GetModuleHandleExW
GetModuleFileNameA
GetACP
HeapFree
HeapAlloc
GetStringTypeW
HeapReAlloc
LCMapStringW
FindFirstFileExA

oleaut32

SysAllocString
SysFreeString
VariantClear

gdiplus

GdipCloneImage
GdipFree
GdipDisposeImage
GdipCreateBitmapFromStream
GdipCreateHBITMAPFromBitmap
GdiplusStartup
GdiplusShutdown
GdipAlloc

Sections

.text
Size: 282KB - Virtual size: 281KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 74KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 864B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 57KB - Virtual size: 56KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/DcRat/zapret.rar
.rar
BastianHein Malware samples/DcRat/zapret.zip
.zip
BastianHein Malware samples/DiscordRat/16e0775352021a90c3dec5a4d75d5db0b444ed8cae060fccdb86fde2080bdc82.exe
.exe windows:4 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/DiscordRat/Nixware Loader.exe
.exe windows:4 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/DiscordRat/WzAio.exe
.exe windows:4 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 266KB - Virtual size: 265KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/DiscordRat/Zedfilter.exe
.exe windows:4 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/DiscordRat/seba.exe
.exe windows:4 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/Dridex/0e0d4494780c9010ece88f39f65bfbfcb13236e1652f7fe41e9c84a5b16583a5N.exe
.dll windows:5 windows x86 arch:x86

33296e9aed55b8de95081e21cf80eb98

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

advapi32

RegRestoreKeyA

kernel32

GetConsoleCP
GetExitCodeProcess
GetCommState
GetModuleHandleA

user32

ShowOwnedPopups
SetFocus

wininet

GetUrlCacheEntryInfoExA

Exports

Exports

DisplaySYSDMCPL
EditEnvironmentVariables
EditUserProfiles
EnableExecuteProtectionSupportW
ModifyExecuteProtectionSupportW
NoExecuteAddFileOptOutList
NoExecuteAddFileOptOutListW
NoExecuteProcessExceptionW
NoExecuteRemoveFileOptOutList
NoExecuteRemoveFileOptOutListW

Sections

.text
Size: 20KB - Virtual size: 18KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 332KB - Virtual size: 331KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.DAta
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.crt
Size: 48KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.crt0
Size: 108KB - Virtual size: 105KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 64KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Size: 4KB - Virtual size: 503B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 4KB - Virtual size: 318B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 4KB - Virtual size: 431B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/Dridex/123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff.exe
.dll windows:5 windows x64 arch:x64

fbcff5951ad0c204f4744c629548c6c6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

psapi

GetModuleFileNameExW

advapi32

GetWindowsAccountDomainSid
EnumServicesStatusW
DeleteService
GetFileSecurityW
InitializeSecurityDescriptor

gdi32

GetFontData
GetRandomRgn

winspool.drv

GetPrinterDataExW
DeletePrinterConnectionW
DeletePrinterDriverW

powrprof

WriteProcessorPwrScheme

shell32

ExtractAssociatedIconW

urlmon

FaultInIEFeature

msvcrt

system
vfwprintf
ungetwc
fwprintf
memset
strncmp
srand

wininet

GetUrlCacheEntryInfoA
FindCloseUrlCache

user32

ChildWindowFromPointEx
DdeUnaccessData
GetScrollPos
GetKeyState
GetWindow
GetFocus
GetDlgItemInt
GetMenu
DrawStateA
GetMenuBarInfo
GetKeyboardLayout
GetMenuItemInfoW
GetSystemMenu
FillRect
GetSysColor
LoadBitmapW
GetOpenClipboardWindow
GetMenuState

secur32

InitializeSecurityContextW

kernel32

lstrcmpiW
GetErrorMode
IsProcessorFeaturePresent
GetCurrentConsoleFontEx
SetConsoleDisplayMode
GetConsoleWindow
FileTimeToDosDateTime
SetProcessAffinityMask
SetHandleCount
GetLastError
GetBinaryTypeW
GetCurrentProcess
GetLocaleInfoA
GetCurrentConsoleFont
FindResourceA
FormatMessageA
LocalAlloc
FileTimeToSystemTime
GetStringTypeExW
DebugActiveProcess
LockFile
GetAtomNameW
LocalSize
GetVolumePathNamesForVolumeNameW
VirtualProtect
GlobalFree
GetFileAttributesW
GetShortPathNameW

Exports

Exports

??0?$PatternProvider@VExpandCollapseProvider@DirectUI@@UIExpandCollapseProvider@@$00@DirectUI@@QEAA@XZ
??0?$PatternProvider@VGridItemProvider@DirectUI@@UIGridItemProvider@@$01@DirectUI@@QEAA@XZ
??0?$PatternProvider@VGridProvider@DirectUI@@UIGridProvider@@$02@DirectUI@@QEAA@XZ
??0?$PatternProvider@VInvokeProvider@DirectUI@@UIInvokeProvider@@$0A@@DirectUI@@QEAA@XZ
??0?$PatternProvider@VRangeValueProvider@DirectUI@@UIRangeValueProvider@@$03@DirectUI@@QEAA@XZ
??0?$PatternProvider@VScrollItemProvider@DirectUI@@UIScrollItemProvider@@$05@DirectUI@@QEAA@XZ
??0?$PatternProvider@VScrollProvider@DirectUI@@UIScrollProvider@@$04@DirectUI@@QEAA@XZ
??0?$PatternProvider@VSelectionItemProvider@DirectUI@@UISelectionItemProvider@@$06@DirectUI@@QEAA@XZ
??0?$PatternProvider@VSelectionProvider@DirectUI@@UISelectionProvider@@$07@DirectUI@@QEAA@XZ
??0?$PatternProvider@VTableItemProvider@DirectUI@@UITableItemProvider@@$09@DirectUI@@QEAA@XZ
??0?$PatternProvider@VTableProvider@DirectUI@@UITableProvider@@$08@DirectUI@@QEAA@XZ
??0?$PatternProvider@VToggleProvider@DirectUI@@UIToggleProvider@@$0L@@DirectUI@@QEAA@XZ
??0?$PatternProvider@VValueProvider@DirectUI@@UIValueProvider@@$0M@@DirectUI@@QEAA@XZ
??0?$SafeArrayAccessor@H@DirectUI@@QEAA@XZ
??0AccessibleButton@DirectUI@@QEAA@AEBV01@@Z
??0AccessibleButton@DirectUI@@QEAA@XZ
??0AnimationStrip@DirectUI@@QEAA@AEBV01@@Z
??0AnimationStrip@DirectUI@@QEAA@XZ
??0AutoButton@DirectUI@@QEAA@AEBV01@@Z
??0AutoButton@DirectUI@@QEAA@XZ
??0AutoLock@DirectUI@@QEAA@PEAU_RTL_CRITICAL_SECTION@@@Z
??0AutoThread@DirectUI@@QEAA@XZ
??0AutoVariant@DirectUI@@QEAA@XZ
??0BaseScrollBar@DirectUI@@QEAA@AEBV01@@Z
??0BaseScrollBar@DirectUI@@QEAA@XZ
??0BaseScrollViewer@DirectUI@@QEAA@AEBV01@@Z
??0BaseScrollViewer@DirectUI@@QEAA@XZ
??0Bind@DirectUI@@QEAA@AEBV01@@Z
??0Bind@DirectUI@@QEAA@XZ
??0BorderLayout@DirectUI@@QEAA@AEBV01@@Z
??0BorderLayout@DirectUI@@QEAA@XZ
??0Browser@DirectUI@@QEAA@AEBV01@@Z
??0Browser@DirectUI@@QEAA@XZ
??0BrowserSelectionProxy@DirectUI@@QEAA@AEBV01@@Z
??0BrowserSelectionProxy@DirectUI@@QEAA@XZ
??0Button@DirectUI@@QEAA@AEBV01@@Z
??0Button@DirectUI@@QEAA@XZ
??0CCAVI@DirectUI@@QEAA@AEBV01@@Z
??0CCAVI@DirectUI@@QEAA@XZ
??0CCBase@DirectUI@@QEAA@AEBV01@@Z
??0CCBase@DirectUI@@QEAA@KPEBG@Z
??0CCBaseCheckRadioButton@DirectUI@@QEAA@AEBV01@@Z
??0CCBaseCheckRadioButton@DirectUI@@QEAA@K@Z
??0CCBaseScrollBar@DirectUI@@QEAA@AEBV01@@Z
??0CCBaseScrollBar@DirectUI@@QEAA@K@Z
??0CCCheckBox@DirectUI@@QEAA@AEBV01@@Z
??0CCCheckBox@DirectUI@@QEAA@K@Z
??0CCCommandLink@DirectUI@@QEAA@AEBV01@@Z
??0CCCommandLink@DirectUI@@QEAA@K@Z
??0CCHScrollBar@DirectUI@@QEAA@AEBV01@@Z
??0CCHScrollBar@DirectUI@@QEAA@XZ
??0CCListBox@DirectUI@@QEAA@AEBV01@@Z
??0CCListBox@DirectUI@@QEAA@XZ
??0CCListView@DirectUI@@QEAA@AEBV01@@Z
??0CCListView@DirectUI@@QEAA@XZ
??0CCProgressBar@DirectUI@@QEAA@AEBV01@@Z
??0CCProgressBar@DirectUI@@QEAA@XZ
??0CCPushButton@DirectUI@@QEAA@AEBV01@@Z
??0CCPushButton@DirectUI@@QEAA@K@Z
??0CCRadioButton@DirectUI@@QEAA@AEBV01@@Z
??0CCRadioButton@DirectUI@@QEAA@XZ
??0CCSysLink@DirectUI@@QEAA@AEBV01@@Z
??0CCSysLink@DirectUI@@QEAA@XZ
??0CCTrackBar@DirectUI@@QEAA@AEBV01@@Z
??0CCTrackBar@DirectUI@@QEAA@XZ
??0CCTreeView@DirectUI@@QEAA@AEBV01@@Z
??0CCTreeView@DirectUI@@QEAA@K@Z
??0CCVScrollBar@DirectUI@@QEAA@AEBV01@@Z
??0CCVScrollBar@DirectUI@@QEAA@XZ
??0CallstackTracker@DirectUI@@QEAA@XZ
??0CheckBoxGlyph@DirectUI@@QEAA@AEBV01@@Z
??0CheckBoxGlyph@DirectUI@@QEAA@XZ
??0ClassInfoBase@DirectUI@@QEAA@AEBV01@@Z
??0ClassInfoBase@DirectUI@@QEAA@XZ
??0Clipper@DirectUI@@QEAA@AEBV01@@Z
??0Clipper@DirectUI@@QEAA@XZ
??0Combobox@DirectUI@@QEAA@AEBV01@@Z
??0Combobox@DirectUI@@QEAA@XZ
??0CritSecLock@DirectUI@@QEAA@PEAU_RTL_CRITICAL_SECTION@@@Z
??0DCSurface@DirectUI@@QEAA@AEBV01@@Z
??0DCSurface@DirectUI@@QEAA@PEAUHDC__@@@Z
??0DUIFactory@DirectUI@@QEAA@PEAUHWND__@@@Z
??0DUIXmlParser@DirectUI@@QEAA@AEBV01@@Z
??0DUIXmlParser@DirectUI@@QEAA@XZ
??0DialogElement@DirectUI@@QEAA@AEBV01@@Z
??0DialogElement@DirectUI@@QEAA@XZ
??0DuiAccessible@DirectUI@@QEAA@XZ
??0Edit@DirectUI@@QEAA@AEBV01@@Z
??0Edit@DirectUI@@QEAA@XZ
??0Element@DirectUI@@QEAA@AEBV01@@Z
??0Element@DirectUI@@QEAA@XZ
??0ElementProvider@DirectUI@@QEAA@XZ
??0ElementProxy@DirectUI@@QEAA@AEBV01@@Z
??0ElementProxy@DirectUI@@QEAA@XZ
??0ElementWithHWND@DirectUI@@QEAA@AEBV01@@Z
??0ElementWithHWND@DirectUI@@QEAA@XZ
??0ExpandCollapseProvider@DirectUI@@QEAA@XZ
??0ExpandCollapseProxy@DirectUI@@QEAA@AEBV01@@Z
??0ExpandCollapseProxy@DirectUI@@QEAA@XZ
??0Expandable@DirectUI@@QEAA@AEBV01@@Z
??0Expandable@DirectUI@@QEAA@XZ
??0Expando@DirectUI@@QEAA@AEBV01@@Z
??0Expando@DirectUI@@QEAA@XZ
??0ExpandoButtonGlyph@DirectUI@@QEAA@AEBV01@@Z
??0ExpandoButtonGlyph@DirectUI@@QEAA@XZ
??0FillLayout@DirectUI@@QEAA@AEBV01@@Z
??0FillLayout@DirectUI@@QEAA@XZ
??0FlowLayout@DirectUI@@QEAA@AEBV01@@Z
??0FlowLayout@DirectUI@@QEAA@XZ
??0FontCache@DirectUI@@QEAA@AEBV01@@Z
??0FontCache@DirectUI@@QEAA@XZ
??0FontCheckOut@DirectUI@@QEAA@PEAVElement@1@PEAUHDC__@@@Z
??0GridItemProvider@DirectUI@@QEAA@XZ
??0GridItemProxy@DirectUI@@QEAA@AEBV01@@Z
??0GridItemProxy@DirectUI@@QEAA@XZ
??0GridLayout@DirectUI@@QEAA@AEBV01@@Z
??0GridLayout@DirectUI@@QEAA@XZ
??0GridProvider@DirectUI@@QEAA@XZ
??0GridProxy@DirectUI@@QEAA@AEBV01@@Z
??0GridProxy@DirectUI@@QEAA@XZ
??0HWNDElement@DirectUI@@QEAA@AEBV01@@Z
??0HWNDElement@DirectUI@@QEAA@XZ
??0HWNDElementAccessible@DirectUI@@QEAA@XZ
??0HWNDElementProvider@DirectUI@@QEAA@XZ
??0HWNDElementProxy@DirectUI@@QEAA@AEBV01@@Z
??0HWNDElementProxy@DirectUI@@QEAA@XZ
??0HWNDHost@DirectUI@@QEAA@AEBV01@@Z
??0HWNDHost@DirectUI@@QEAA@XZ
??0HWNDHostAccessible@DirectUI@@QEAA@XZ
??0HWNDHostClientAccessible@DirectUI@@QEAA@XZ
??0IDataEngine@DirectUI@@QEAA@AEBU01@@Z
??0IDataEngine@DirectUI@@QEAA@XZ
??0IDataEntry@DirectUI@@QEAA@AEBU01@@Z
??0IDataEntry@DirectUI@@QEAA@XZ
??0IProvider@DirectUI@@QEAA@AEBV01@@Z
??0IProvider@DirectUI@@QEAA@XZ
??0ISBLeak@DirectUI@@QEAA@AEBU01@@Z
??0ISBLeak@DirectUI@@QEAA@XZ
??0IXElementCP@DirectUI@@QEAA@AEBV01@@Z
??0IXElementCP@DirectUI@@QEAA@XZ
??0IXProviderCP@DirectUI@@QEAA@AEBV01@@Z
??0IXProviderCP@DirectUI@@QEAA@XZ
??0InvokeHelper@DirectUI@@QEAA@XZ
??0InvokeProvider@DirectUI@@QEAA@XZ
??0InvokeProxy@DirectUI@@QEAA@AEBV01@@Z
??0InvokeProxy@DirectUI@@QEAA@XZ
??0Layout@DirectUI@@QEAA@AEBV01@@Z
??0Layout@DirectUI@@QEAA@XZ
??0LinkedList@DirectUI@@QEAA@XZ
??0Macro@DirectUI@@QEAA@AEBV01@@Z
??0Macro@DirectUI@@QEAA@XZ
??0Movie@DirectUI@@QEAA@AEBV01@@Z
??0Movie@DirectUI@@QEAA@XZ
??0NativeHWNDHost@DirectUI@@QEAA@AEBV01@@Z
??0NativeHWNDHost@DirectUI@@QEAA@XZ
??0Navigator@DirectUI@@QEAA@AEBV01@@Z
??0Navigator@DirectUI@@QEAA@XZ
??0NavigatorSelectionItemProxy@DirectUI@@QEAA@AEBV01@@Z
??0NavigatorSelectionItemProxy@DirectUI@@QEAA@XZ
??0NineGridLayout@DirectUI@@QEAA@AEBV01@@Z
??0NineGridLayout@DirectUI@@QEAA@XZ
??0PText@DirectUI@@QEAA@AEBV01@@Z
??0PText@DirectUI@@QEAA@XZ
??0Page@DirectUI@@QEAA@AEBV01@@Z
??0Page@DirectUI@@QEAA@XZ
??0Pages@DirectUI@@QEAA@AEBV01@@Z
??0Pages@DirectUI@@QEAA@XZ
??0Progress@DirectUI@@QEAA@AEBV01@@Z
??0Progress@DirectUI@@QEAA@XZ
??0ProgressRangeValueProxy@DirectUI@@QEAA@AEBV01@@Z
??0ProgressRangeValueProxy@DirectUI@@QEAA@XZ
??0ProviderProxy@DirectUI@@IEAA@XZ
??0ProviderProxy@DirectUI@@QEAA@AEBV01@@Z
??0Proxy@DirectUI@@QEAA@AEBV01@@Z
??0Proxy@DirectUI@@QEAA@XZ
??0PushButton@DirectUI@@QEAA@AEBV01@@Z
??0PushButton@DirectUI@@QEAA@XZ
??0RadioButtonGlyph@DirectUI@@QEAA@AEBV01@@Z
??0RadioButtonGlyph@DirectUI@@QEAA@XZ
??0RangeValueProvider@DirectUI@@QEAA@XZ
??0RangeValueProxy@DirectUI@@IEAA@XZ
??0RangeValueProxy@DirectUI@@QEAA@AEBV01@@Z
??0RefPointElement@DirectUI@@QEAA@AEBV01@@Z
??0RefPointElement@DirectUI@@QEAA@XZ
??0RefcountBase@DirectUI@@QEAA@XZ
??0RepeatButton@DirectUI@@QEAA@AEBV01@@Z
??0RepeatButton@DirectUI@@QEAA@XZ
??0Repeater@DirectUI@@QEAA@AEBV01@@Z
??0Repeater@DirectUI@@QEAA@XZ
??0ResourceModuleHandles@DirectUI@@QEAA@XZ
??0RowLayout@DirectUI@@QEAA@AEBV01@@Z
??0RowLayout@DirectUI@@QEAA@XZ
??0ScrollBar@DirectUI@@QEAA@AEBV01@@Z
??0ScrollBar@DirectUI@@QEAA@XZ
??0ScrollBarRangeValueProxy@DirectUI@@QEAA@AEBV01@@Z
??0ScrollBarRangeValueProxy@DirectUI@@QEAA@XZ
??0ScrollItemProvider@DirectUI@@QEAA@XZ
??0ScrollItemProxy@DirectUI@@QEAA@AEBV01@@Z
??0ScrollItemProxy@DirectUI@@QEAA@XZ
??0ScrollProvider@DirectUI@@QEAA@XZ
??0ScrollProxy@DirectUI@@QEAA@AEBV01@@Z
??0ScrollProxy@DirectUI@@QEAA@XZ
??0ScrollViewer@DirectUI@@QEAA@AEBV01@@Z
??0ScrollViewer@DirectUI@@QEAA@XZ
??0SelectionItemProvider@DirectUI@@QEAA@XZ
??0SelectionItemProxy@DirectUI@@IEAA@XZ
??0SelectionItemProxy@DirectUI@@QEAA@AEBV01@@Z
??0SelectionProvider@DirectUI@@QEAA@XZ
??0SelectionProxy@DirectUI@@IEAA@XZ
??0SelectionProxy@DirectUI@@QEAA@AEBV01@@Z
??0Selector@DirectUI@@QEAA@AEBV01@@Z
??0Selector@DirectUI@@QEAA@XZ
??0SelectorNoDefault@DirectUI@@QEAA@AEBV01@@Z
??0SelectorNoDefault@DirectUI@@QEAA@XZ
??0SelectorSelectionItemProxy@DirectUI@@QEAA@AEBV01@@Z
??0SelectorSelectionItemProxy@DirectUI@@QEAA@XZ
??0SelectorSelectionProxy@DirectUI@@QEAA@AEBV01@@Z
??0SelectorSelectionProxy@DirectUI@@QEAA@XZ
??0ShellBorderLayout@DirectUI@@QEAA@AEBV01@@Z
??0ShellBorderLayout@DirectUI@@QEAA@XZ
??0StyleSheet@DirectUI@@QEAA@AEBV01@@Z
??0StyleSheet@DirectUI@@QEAA@XZ
??0StyledScrollViewer@DirectUI@@QEAA@AEBV01@@Z
??0StyledScrollViewer@DirectUI@@QEAA@XZ
??0Surface@DirectUI@@QEAA@AEBV01@@Z
??0Surface@DirectUI@@QEAA@XZ
??0TableItemProvider@DirectUI@@QEAA@XZ
??0TableItemProxy@DirectUI@@QEAA@AEBV01@@Z
??0TableItemProxy@DirectUI@@QEAA@XZ
??0TableLayout@DirectUI@@QEAA@AEBV01@@Z
??0TableLayout@DirectUI@@QEAA@XZ
??0TableProvider@DirectUI@@QEAA@XZ
??0TableProxy@DirectUI@@QEAA@AEBV01@@Z
??0TableProxy@DirectUI@@QEAA@XZ
??0TaskPage@DirectUI@@QEAA@AEBV01@@Z
??0TaskPage@DirectUI@@QEAA@XZ
??0TextGraphic@DirectUI@@QEAA@AEBV01@@Z
??0TextGraphic@DirectUI@@QEAA@XZ
??0Thumb@DirectUI@@QEAA@AEBV01@@Z
??0Thumb@DirectUI@@QEAA@XZ
??0ToggleProvider@DirectUI@@QEAA@XZ
??0ToggleProxy@DirectUI@@QEAA@AEBV01@@Z
??0ToggleProxy@DirectUI@@QEAA@XZ
??0UnknownElement@DirectUI@@QEAA@AEBV01@@Z
??0UnknownElement@DirectUI@@QEAA@XZ
??0ValueProvider@DirectUI@@QEAA@XZ
??0ValueProxy@DirectUI@@QEAA@AEBV01@@Z
??0ValueProxy@DirectUI@@QEAA@XZ
??0VerticalFlowLayout@DirectUI@@QEAA@AEBV01@@Z
??0VerticalFlowLayout@DirectUI@@QEAA@XZ
??0Viewer@DirectUI@@QEAA@AEBV01@@Z
??0Viewer@DirectUI@@QEAA@XZ
??0XBaby@DirectUI@@QEAA@AEBV01@@Z
??0XBaby@DirectUI@@QEAA@XZ
??0XElement@DirectUI@@QEAA@AEBV01@@Z
??0XElement@DirectUI@@QEAA@XZ
??0XHost@DirectUI@@QEAA@XZ
??0XProvider@DirectUI@@QEAA@AEBV01@@Z
??0XProvider@DirectUI@@QEAA@XZ
??0XResourceProvider@DirectUI@@QEAA@AEBV01@@Z
??0XResourceProvider@DirectUI@@QEAA@XZ
??1?$PatternProvider@VExpandCollapseProvider@DirectUI@@UIExpandCollapseProvider@@$00@DirectUI@@UEAA@XZ
??1?$PatternProvider@VGridItemProvider@DirectUI@@UIGridItemProvider@@$01@DirectUI@@UEAA@XZ
??1?$PatternProvider@VGridProvider@DirectUI@@UIGridProvider@@$02@DirectUI@@UEAA@XZ
??1?$PatternProvider@VInvokeProvider@DirectUI@@UIInvokeProvider@@$0A@@DirectUI@@UEAA@XZ
??1?$PatternProvider@VRangeValueProvider@DirectUI@@UIRangeValueProvider@@$03@DirectUI@@UEAA@XZ
??1?$PatternProvider@VScrollItemProvider@DirectUI@@UIScrollItemProvider@@$05@DirectUI@@UEAA@XZ
??1?$PatternProvider@VScrollProvider@DirectUI@@UIScrollProvider@@$04@DirectUI@@UEAA@XZ
??1?$PatternProvider@VSelectionItemProvider@DirectUI@@UISelectionItemProvider@@$06@DirectUI@@UEAA@XZ
??1?$PatternProvider@VSelectionProvider@DirectUI@@UISelectionProvider@@$07@DirectUI@@UEAA@XZ
??1?$PatternProvider@VTableItemProvider@DirectUI@@UITableItemProvider@@$09@DirectUI@@UEAA@XZ
??1?$PatternProvider@VTableProvider@DirectUI@@UITableProvider@@$08@DirectUI@@UEAA@XZ
??1?$PatternProvider@VToggleProvider@DirectUI@@UIToggleProvider@@$0L@@DirectUI@@UEAA@XZ
??1?$PatternProvider@VValueProvider@DirectUI@@UIValueProvider@@$0M@@DirectUI@@UEAA@XZ
??1?$SafeArrayAccessor@H@DirectUI@@QEAA@XZ
??1AccessibleButton@DirectUI@@UEAA@XZ
??1AnimationStrip@DirectUI@@UEAA@XZ
??1AutoButton@DirectUI@@UEAA@XZ
??1AutoLock@DirectUI@@QEAA@XZ
??1AutoThread@DirectUI@@QEAA@XZ
??1AutoVariant@DirectUI@@QEAA@XZ
??1BaseScrollViewer@DirectUI@@UEAA@XZ
??1Bind@DirectUI@@UEAA@XZ
??1BorderLayout@DirectUI@@UEAA@XZ
??1Browser@DirectUI@@UEAA@XZ
??1Button@DirectUI@@UEAA@XZ
??1CCAVI@DirectUI@@UEAA@XZ
??1CCBase@DirectUI@@UEAA@XZ
??1CCBaseCheckRadioButton@DirectUI@@UEAA@XZ
??1CCBaseScrollBar@DirectUI@@UEAA@XZ
??1CCCheckBox@DirectUI@@UEAA@XZ
??1CCCommandLink@DirectUI@@UEAA@XZ
??1CCHScrollBar@DirectUI@@UEAA@XZ
??1CCListBox@DirectUI@@UEAA@XZ
??1CCListView@DirectUI@@UEAA@XZ
??1CCProgressBar@DirectUI@@UEAA@XZ
??1CCPushButton@DirectUI@@UEAA@XZ
??1CCRadioButton@DirectUI@@UEAA@XZ
??1CCSysLink@DirectUI@@UEAA@XZ
??1CCTrackBar@DirectUI@@UEAA@XZ
??1CCTreeView@DirectUI@@UEAA@XZ
??1CCVScrollBar@DirectUI@@UEAA@XZ
??1CallstackTracker@DirectUI@@QEAA@XZ
??1CheckBoxGlyph@DirectUI@@UEAA@XZ
??1ClassInfoBase@DirectUI@@UEAA@XZ
??1Clipper@DirectUI@@UEAA@XZ
??1Combobox@DirectUI@@UEAA@XZ
??1CritSecLock@DirectUI@@QEAA@XZ
??1DCSurface@DirectUI@@UEAA@XZ
??1DUIFactory@DirectUI@@QEAA@XZ
??1DUIXmlParser@DirectUI@@UEAA@XZ
??1DialogElement@DirectUI@@UEAA@XZ
??1DuiAccessible@DirectUI@@UEAA@XZ
??1Edit@DirectUI@@UEAA@XZ
??1Element@DirectUI@@UEAA@XZ
??1ElementProvider@DirectUI@@UEAA@XZ
??1ElementWithHWND@DirectUI@@UEAA@XZ
??1ExpandCollapseProvider@DirectUI@@UEAA@XZ
??1Expandable@DirectUI@@UEAA@XZ
??1Expando@DirectUI@@UEAA@XZ
??1ExpandoButtonGlyph@DirectUI@@UEAA@XZ
??1FillLayout@DirectUI@@UEAA@XZ
??1FlowLayout@DirectUI@@UEAA@XZ
??1FontCheckOut@DirectUI@@QEAA@XZ
??1GridItemProvider@DirectUI@@UEAA@XZ
??1GridLayout@DirectUI@@UEAA@XZ
??1GridProvider@DirectUI@@UEAA@XZ
??1HWNDElement@DirectUI@@UEAA@XZ
??1HWNDElementAccessible@DirectUI@@UEAA@XZ
??1HWNDElementProvider@DirectUI@@UEAA@XZ
??1HWNDHost@DirectUI@@UEAA@XZ
??1HWNDHostAccessible@DirectUI@@UEAA@XZ
??1HWNDHostClientAccessible@DirectUI@@UEAA@XZ
??1IDataEngine@DirectUI@@UEAA@XZ
??1IDataEntry@DirectUI@@UEAA@XZ
??1InvokeHelper@DirectUI@@UEAA@XZ
??1InvokeProvider@DirectUI@@UEAA@XZ
??1Layout@DirectUI@@UEAA@XZ
??1LinkedList@DirectUI@@QEAA@XZ
??1Macro@DirectUI@@UEAA@XZ
??1Movie@DirectUI@@UEAA@XZ
??1NativeHWNDHost@DirectUI@@UEAA@XZ
??1Navigator@DirectUI@@UEAA@XZ
??1NineGridLayout@DirectUI@@UEAA@XZ
??1PText@DirectUI@@UEAA@XZ
??1Page@DirectUI@@UEAA@XZ
??1Pages@DirectUI@@UEAA@XZ
??1Progress@DirectUI@@UEAA@XZ
??1Proxy@DirectUI@@UEAA@XZ
??1PushButton@DirectUI@@UEAA@XZ
??1RadioButtonGlyph@DirectUI@@UEAA@XZ
??1RangeValueProvider@DirectUI@@UEAA@XZ
??1RefPointElement@DirectUI@@UEAA@XZ
??1RefcountBase@DirectUI@@UEAA@XZ
??1RepeatButton@DirectUI@@UEAA@XZ
??1Repeater@DirectUI@@UEAA@XZ
??1ResourceModuleHandles@DirectUI@@QEAA@XZ
??1RowLayout@DirectUI@@UEAA@XZ
??1ScrollBar@DirectUI@@UEAA@XZ
??1ScrollItemProvider@DirectUI@@UEAA@XZ
??1ScrollProvider@DirectUI@@UEAA@XZ
??1ScrollViewer@DirectUI@@UEAA@XZ
??1SelectionItemProvider@DirectUI@@UEAA@XZ
??1SelectionProvider@DirectUI@@UEAA@XZ
??1Selector@DirectUI@@UEAA@XZ
??1SelectorNoDefault@DirectUI@@UEAA@XZ
??1ShellBorderLayout@DirectUI@@UEAA@XZ
??1StyledScrollViewer@DirectUI@@UEAA@XZ
??1Surface@DirectUI@@UEAA@XZ
??1TableItemProvider@DirectUI@@UEAA@XZ
??1TableLayout@DirectUI@@UEAA@XZ
??1TableProvider@DirectUI@@UEAA@XZ
??1TaskPage@DirectUI@@UEAA@XZ
??1TextGraphic@DirectUI@@UEAA@XZ
??1Thumb@DirectUI@@UEAA@XZ
??1ToggleProvider@DirectUI@@UEAA@XZ
??1UnknownElement@DirectUI@@UEAA@XZ
??1ValueProvider@DirectUI@@UEAA@XZ
??1VerticalFlowLayout@DirectUI@@UEAA@XZ
??1Viewer@DirectUI@@UEAA@XZ
??1XBaby@DirectUI@@UEAA@XZ
??1XElement@DirectUI@@UEAA@XZ
??1XHost@DirectUI@@QEAA@XZ
??1XProvider@DirectUI@@UEAA@XZ
??4?$FunctionDefinition@H@DUIXmlParser@DirectUI@@QEAAAEAU012@AEBU012@@Z
??4?$FunctionDefinition@K@DUIXmlParser@DirectUI@@QEAAAEAU012@AEBU012@@Z
??4?$FunctionDefinition@PEAVValue@DirectUI@@@DUIXmlParser@DirectUI@@QEAAAEAU012@AEBU012@@Z
??4?$FunctionDefinition@UtagRECT@@@DUIXmlParser@DirectUI@@QEAAAEAU012@AEBU012@@Z
??4ACCESSIBLEROLE@AccessibleButton@DirectUI@@QEAAAEAU012@AEBU012@@Z
??4AccessibleButton@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4AnimationStrip@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4AutoButton@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4AutoLock@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4AutoThread@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4AutoVariant@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4BaseScrollBar@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4BaseScrollViewer@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Bind@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4BorderLayout@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Browser@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4BrowserSelectionProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Button@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCAVI@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCBase@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCBaseCheckRadioButton@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCBaseScrollBar@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCCheckBox@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCCommandLink@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCHScrollBar@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCListBox@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCListView@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCProgressBar@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCPushButton@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCRadioButton@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCSysLink@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCTrackBar@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCTreeView@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCVScrollBar@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CallstackTracker@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CheckBoxGlyph@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ClassInfoBase@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Clipper@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Combobox@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CritSecLock@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4DCSurface@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4DUIFactory@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4DUIXmlParser@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4DialogElement@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4DuiNavigate@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Edit@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Element@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ElementProviderManager@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ElementProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ElementWithHWND@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4EventManager@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ExpandCollapseProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Expandable@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Expando@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ExpandoButtonGlyph@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Expression@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4FillLayout@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4FlowLayout@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4FontCache@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4FontCheckOut@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4GridItemProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4GridLayout@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4GridProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4HWNDElement@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4HWNDElementProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4HWNDHost@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4IDataEngine@DirectUI@@QEAAAEAU01@AEBU01@@Z
??4IDataEntry@DirectUI@@QEAAAEAU01@AEBU01@@Z
??4IProvider@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ISBLeak@DirectUI@@QEAAAEAU01@AEBU01@@Z
??4IXElementCP@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4IXProviderCP@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4InvokeManager@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4InvokeProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Layout@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4LinkedList@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4LinkedListNode@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Macro@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Movie@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4NativeHWNDHost@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4NavReference@DirectUI@@QEAAAEAU01@AEBU01@@Z
??4NavScoring@DirectUI@@QEAAAEAU01@AEBU01@@Z
??4Navigator@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4NavigatorSelectionItemProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4NineGridLayout@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4PText@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Page@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Pages@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Progress@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ProgressRangeValueProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ProviderProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Proxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4PushButton@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4RadioButtonGlyph@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4RangeValueProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4RefPointElement@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4RepeatButton@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Repeater@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ResourceModuleHandles@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4RowLayout@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Schema@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ScrollBar@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ScrollBarRangeValueProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ScrollItemProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ScrollProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ScrollViewer@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4SelectionItemProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4SelectionProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Selector@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4SelectorNoDefault@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4SelectorSelectionItemProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4SelectorSelectionProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ShellBorderLayout@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4StyleSheet@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4StyledScrollViewer@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Surface@DirectUI@@QEAAAEAV01@AEBV01@@Z

Sections

.text
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 496KB - Virtual size: 492KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 336B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.EXP
Size: 220KB - Virtual size: 218KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 976B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.zfo
Size: 208KB - Virtual size: 205KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/Dridex/138cd54735f5ce4b638c5bb68c9e0bf5776cf81d776e46592ef10a9bc58b0277.exe
.dll windows:5 windows x64 arch:x64

fbcff5951ad0c204f4744c629548c6c6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

psapi

GetModuleFileNameExW

advapi32

GetWindowsAccountDomainSid
EnumServicesStatusW
DeleteService
GetFileSecurityW
InitializeSecurityDescriptor

gdi32

GetFontData
GetRandomRgn

winspool.drv

GetPrinterDataExW
DeletePrinterConnectionW
DeletePrinterDriverW

powrprof

WriteProcessorPwrScheme

shell32

ExtractAssociatedIconW

urlmon

FaultInIEFeature

msvcrt

system
vfwprintf
ungetwc
fwprintf
memset
strncmp
srand

wininet

GetUrlCacheEntryInfoA
FindCloseUrlCache

user32

ChildWindowFromPointEx
DdeUnaccessData
GetScrollPos
GetKeyState
GetWindow
GetFocus
GetDlgItemInt
GetMenu
DrawStateA
GetMenuBarInfo
GetKeyboardLayout
GetMenuItemInfoW
GetSystemMenu
FillRect
GetSysColor
LoadBitmapW
GetOpenClipboardWindow
GetMenuState

secur32

InitializeSecurityContextW

kernel32

lstrcmpiW
GetErrorMode
IsProcessorFeaturePresent
GetCurrentConsoleFontEx
SetConsoleDisplayMode
GetConsoleWindow
FileTimeToDosDateTime
SetProcessAffinityMask
SetHandleCount
GetLastError
GetBinaryTypeW
GetCurrentProcess
GetLocaleInfoA
GetCurrentConsoleFont
FindResourceA
FormatMessageA
LocalAlloc
FileTimeToSystemTime
GetStringTypeExW
DebugActiveProcess
LockFile
GetAtomNameW
LocalSize
GetVolumePathNamesForVolumeNameW
VirtualProtect
GlobalFree
GetFileAttributesW
GetShortPathNameW

Exports

Exports

??0?$PatternProvider@VExpandCollapseProvider@DirectUI@@UIExpandCollapseProvider@@$00@DirectUI@@QEAA@XZ
??0?$PatternProvider@VGridItemProvider@DirectUI@@UIGridItemProvider@@$01@DirectUI@@QEAA@XZ
??0?$PatternProvider@VGridProvider@DirectUI@@UIGridProvider@@$02@DirectUI@@QEAA@XZ
??0?$PatternProvider@VInvokeProvider@DirectUI@@UIInvokeProvider@@$0A@@DirectUI@@QEAA@XZ
??0?$PatternProvider@VRangeValueProvider@DirectUI@@UIRangeValueProvider@@$03@DirectUI@@QEAA@XZ
??0?$PatternProvider@VScrollItemProvider@DirectUI@@UIScrollItemProvider@@$05@DirectUI@@QEAA@XZ
??0?$PatternProvider@VScrollProvider@DirectUI@@UIScrollProvider@@$04@DirectUI@@QEAA@XZ
??0?$PatternProvider@VSelectionItemProvider@DirectUI@@UISelectionItemProvider@@$06@DirectUI@@QEAA@XZ
??0?$PatternProvider@VSelectionProvider@DirectUI@@UISelectionProvider@@$07@DirectUI@@QEAA@XZ
??0?$PatternProvider@VTableItemProvider@DirectUI@@UITableItemProvider@@$09@DirectUI@@QEAA@XZ
??0?$PatternProvider@VTableProvider@DirectUI@@UITableProvider@@$08@DirectUI@@QEAA@XZ
??0?$PatternProvider@VToggleProvider@DirectUI@@UIToggleProvider@@$0L@@DirectUI@@QEAA@XZ
??0?$PatternProvider@VValueProvider@DirectUI@@UIValueProvider@@$0M@@DirectUI@@QEAA@XZ
??0?$SafeArrayAccessor@H@DirectUI@@QEAA@XZ
??0AccessibleButton@DirectUI@@QEAA@AEBV01@@Z
??0AccessibleButton@DirectUI@@QEAA@XZ
??0AnimationStrip@DirectUI@@QEAA@AEBV01@@Z
??0AnimationStrip@DirectUI@@QEAA@XZ
??0AutoButton@DirectUI@@QEAA@AEBV01@@Z
??0AutoButton@DirectUI@@QEAA@XZ
??0AutoLock@DirectUI@@QEAA@PEAU_RTL_CRITICAL_SECTION@@@Z
??0AutoThread@DirectUI@@QEAA@XZ
??0AutoVariant@DirectUI@@QEAA@XZ
??0BaseScrollBar@DirectUI@@QEAA@AEBV01@@Z
??0BaseScrollBar@DirectUI@@QEAA@XZ
??0BaseScrollViewer@DirectUI@@QEAA@AEBV01@@Z
??0BaseScrollViewer@DirectUI@@QEAA@XZ
??0Bind@DirectUI@@QEAA@AEBV01@@Z
??0Bind@DirectUI@@QEAA@XZ
??0BorderLayout@DirectUI@@QEAA@AEBV01@@Z
??0BorderLayout@DirectUI@@QEAA@XZ
??0Browser@DirectUI@@QEAA@AEBV01@@Z
??0Browser@DirectUI@@QEAA@XZ
??0BrowserSelectionProxy@DirectUI@@QEAA@AEBV01@@Z
??0BrowserSelectionProxy@DirectUI@@QEAA@XZ
??0Button@DirectUI@@QEAA@AEBV01@@Z
??0Button@DirectUI@@QEAA@XZ
??0CCAVI@DirectUI@@QEAA@AEBV01@@Z
??0CCAVI@DirectUI@@QEAA@XZ
??0CCBase@DirectUI@@QEAA@AEBV01@@Z
??0CCBase@DirectUI@@QEAA@KPEBG@Z
??0CCBaseCheckRadioButton@DirectUI@@QEAA@AEBV01@@Z
??0CCBaseCheckRadioButton@DirectUI@@QEAA@K@Z
??0CCBaseScrollBar@DirectUI@@QEAA@AEBV01@@Z
??0CCBaseScrollBar@DirectUI@@QEAA@K@Z
??0CCCheckBox@DirectUI@@QEAA@AEBV01@@Z
??0CCCheckBox@DirectUI@@QEAA@K@Z
??0CCCommandLink@DirectUI@@QEAA@AEBV01@@Z
??0CCCommandLink@DirectUI@@QEAA@K@Z
??0CCHScrollBar@DirectUI@@QEAA@AEBV01@@Z
??0CCHScrollBar@DirectUI@@QEAA@XZ
??0CCListBox@DirectUI@@QEAA@AEBV01@@Z
??0CCListBox@DirectUI@@QEAA@XZ
??0CCListView@DirectUI@@QEAA@AEBV01@@Z
??0CCListView@DirectUI@@QEAA@XZ
??0CCProgressBar@DirectUI@@QEAA@AEBV01@@Z
??0CCProgressBar@DirectUI@@QEAA@XZ
??0CCPushButton@DirectUI@@QEAA@AEBV01@@Z
??0CCPushButton@DirectUI@@QEAA@K@Z
??0CCRadioButton@DirectUI@@QEAA@AEBV01@@Z
??0CCRadioButton@DirectUI@@QEAA@XZ
??0CCSysLink@DirectUI@@QEAA@AEBV01@@Z
??0CCSysLink@DirectUI@@QEAA@XZ
??0CCTrackBar@DirectUI@@QEAA@AEBV01@@Z
??0CCTrackBar@DirectUI@@QEAA@XZ
??0CCTreeView@DirectUI@@QEAA@AEBV01@@Z
??0CCTreeView@DirectUI@@QEAA@K@Z
??0CCVScrollBar@DirectUI@@QEAA@AEBV01@@Z
??0CCVScrollBar@DirectUI@@QEAA@XZ
??0CallstackTracker@DirectUI@@QEAA@XZ
??0CheckBoxGlyph@DirectUI@@QEAA@AEBV01@@Z
??0CheckBoxGlyph@DirectUI@@QEAA@XZ
??0ClassInfoBase@DirectUI@@QEAA@AEBV01@@Z
??0ClassInfoBase@DirectUI@@QEAA@XZ
??0Clipper@DirectUI@@QEAA@AEBV01@@Z
??0Clipper@DirectUI@@QEAA@XZ
??0Combobox@DirectUI@@QEAA@AEBV01@@Z
??0Combobox@DirectUI@@QEAA@XZ
??0CritSecLock@DirectUI@@QEAA@PEAU_RTL_CRITICAL_SECTION@@@Z
??0DCSurface@DirectUI@@QEAA@AEBV01@@Z
??0DCSurface@DirectUI@@QEAA@PEAUHDC__@@@Z
??0DUIFactory@DirectUI@@QEAA@PEAUHWND__@@@Z
??0DUIXmlParser@DirectUI@@QEAA@AEBV01@@Z
??0DUIXmlParser@DirectUI@@QEAA@XZ
??0DialogElement@DirectUI@@QEAA@AEBV01@@Z
??0DialogElement@DirectUI@@QEAA@XZ
??0DuiAccessible@DirectUI@@QEAA@XZ
??0Edit@DirectUI@@QEAA@AEBV01@@Z
??0Edit@DirectUI@@QEAA@XZ
??0Element@DirectUI@@QEAA@AEBV01@@Z
??0Element@DirectUI@@QEAA@XZ
??0ElementProvider@DirectUI@@QEAA@XZ
??0ElementProxy@DirectUI@@QEAA@AEBV01@@Z
??0ElementProxy@DirectUI@@QEAA@XZ
??0ElementWithHWND@DirectUI@@QEAA@AEBV01@@Z
??0ElementWithHWND@DirectUI@@QEAA@XZ
??0ExpandCollapseProvider@DirectUI@@QEAA@XZ
??0ExpandCollapseProxy@DirectUI@@QEAA@AEBV01@@Z
??0ExpandCollapseProxy@DirectUI@@QEAA@XZ
??0Expandable@DirectUI@@QEAA@AEBV01@@Z
??0Expandable@DirectUI@@QEAA@XZ
??0Expando@DirectUI@@QEAA@AEBV01@@Z
??0Expando@DirectUI@@QEAA@XZ
??0ExpandoButtonGlyph@DirectUI@@QEAA@AEBV01@@Z
??0ExpandoButtonGlyph@DirectUI@@QEAA@XZ
??0FillLayout@DirectUI@@QEAA@AEBV01@@Z
??0FillLayout@DirectUI@@QEAA@XZ
??0FlowLayout@DirectUI@@QEAA@AEBV01@@Z
??0FlowLayout@DirectUI@@QEAA@XZ
??0FontCache@DirectUI@@QEAA@AEBV01@@Z
??0FontCache@DirectUI@@QEAA@XZ
??0FontCheckOut@DirectUI@@QEAA@PEAVElement@1@PEAUHDC__@@@Z
??0GridItemProvider@DirectUI@@QEAA@XZ
??0GridItemProxy@DirectUI@@QEAA@AEBV01@@Z
??0GridItemProxy@DirectUI@@QEAA@XZ
??0GridLayout@DirectUI@@QEAA@AEBV01@@Z
??0GridLayout@DirectUI@@QEAA@XZ
??0GridProvider@DirectUI@@QEAA@XZ
??0GridProxy@DirectUI@@QEAA@AEBV01@@Z
??0GridProxy@DirectUI@@QEAA@XZ
??0HWNDElement@DirectUI@@QEAA@AEBV01@@Z
??0HWNDElement@DirectUI@@QEAA@XZ
??0HWNDElementAccessible@DirectUI@@QEAA@XZ
??0HWNDElementProvider@DirectUI@@QEAA@XZ
??0HWNDElementProxy@DirectUI@@QEAA@AEBV01@@Z
??0HWNDElementProxy@DirectUI@@QEAA@XZ
??0HWNDHost@DirectUI@@QEAA@AEBV01@@Z
??0HWNDHost@DirectUI@@QEAA@XZ
??0HWNDHostAccessible@DirectUI@@QEAA@XZ
??0HWNDHostClientAccessible@DirectUI@@QEAA@XZ
??0IDataEngine@DirectUI@@QEAA@AEBU01@@Z
??0IDataEngine@DirectUI@@QEAA@XZ
??0IDataEntry@DirectUI@@QEAA@AEBU01@@Z
??0IDataEntry@DirectUI@@QEAA@XZ
??0IProvider@DirectUI@@QEAA@AEBV01@@Z
??0IProvider@DirectUI@@QEAA@XZ
??0ISBLeak@DirectUI@@QEAA@AEBU01@@Z
??0ISBLeak@DirectUI@@QEAA@XZ
??0IXElementCP@DirectUI@@QEAA@AEBV01@@Z
??0IXElementCP@DirectUI@@QEAA@XZ
??0IXProviderCP@DirectUI@@QEAA@AEBV01@@Z
??0IXProviderCP@DirectUI@@QEAA@XZ
??0InvokeHelper@DirectUI@@QEAA@XZ
??0InvokeProvider@DirectUI@@QEAA@XZ
??0InvokeProxy@DirectUI@@QEAA@AEBV01@@Z
??0InvokeProxy@DirectUI@@QEAA@XZ
??0Layout@DirectUI@@QEAA@AEBV01@@Z
??0Layout@DirectUI@@QEAA@XZ
??0LinkedList@DirectUI@@QEAA@XZ
??0Macro@DirectUI@@QEAA@AEBV01@@Z
??0Macro@DirectUI@@QEAA@XZ
??0Movie@DirectUI@@QEAA@AEBV01@@Z
??0Movie@DirectUI@@QEAA@XZ
??0NativeHWNDHost@DirectUI@@QEAA@AEBV01@@Z
??0NativeHWNDHost@DirectUI@@QEAA@XZ
??0Navigator@DirectUI@@QEAA@AEBV01@@Z
??0Navigator@DirectUI@@QEAA@XZ
??0NavigatorSelectionItemProxy@DirectUI@@QEAA@AEBV01@@Z
??0NavigatorSelectionItemProxy@DirectUI@@QEAA@XZ
??0NineGridLayout@DirectUI@@QEAA@AEBV01@@Z
??0NineGridLayout@DirectUI@@QEAA@XZ
??0PText@DirectUI@@QEAA@AEBV01@@Z
??0PText@DirectUI@@QEAA@XZ
??0Page@DirectUI@@QEAA@AEBV01@@Z
??0Page@DirectUI@@QEAA@XZ
??0Pages@DirectUI@@QEAA@AEBV01@@Z
??0Pages@DirectUI@@QEAA@XZ
??0Progress@DirectUI@@QEAA@AEBV01@@Z
??0Progress@DirectUI@@QEAA@XZ
??0ProgressRangeValueProxy@DirectUI@@QEAA@AEBV01@@Z
??0ProgressRangeValueProxy@DirectUI@@QEAA@XZ
??0ProviderProxy@DirectUI@@IEAA@XZ
??0ProviderProxy@DirectUI@@QEAA@AEBV01@@Z
??0Proxy@DirectUI@@QEAA@AEBV01@@Z
??0Proxy@DirectUI@@QEAA@XZ
??0PushButton@DirectUI@@QEAA@AEBV01@@Z
??0PushButton@DirectUI@@QEAA@XZ
??0RadioButtonGlyph@DirectUI@@QEAA@AEBV01@@Z
??0RadioButtonGlyph@DirectUI@@QEAA@XZ
??0RangeValueProvider@DirectUI@@QEAA@XZ
??0RangeValueProxy@DirectUI@@IEAA@XZ
??0RangeValueProxy@DirectUI@@QEAA@AEBV01@@Z
??0RefPointElement@DirectUI@@QEAA@AEBV01@@Z
??0RefPointElement@DirectUI@@QEAA@XZ
??0RefcountBase@DirectUI@@QEAA@XZ
??0RepeatButton@DirectUI@@QEAA@AEBV01@@Z
??0RepeatButton@DirectUI@@QEAA@XZ
??0Repeater@DirectUI@@QEAA@AEBV01@@Z
??0Repeater@DirectUI@@QEAA@XZ
??0ResourceModuleHandles@DirectUI@@QEAA@XZ
??0RowLayout@DirectUI@@QEAA@AEBV01@@Z
??0RowLayout@DirectUI@@QEAA@XZ
??0ScrollBar@DirectUI@@QEAA@AEBV01@@Z
??0ScrollBar@DirectUI@@QEAA@XZ
??0ScrollBarRangeValueProxy@DirectUI@@QEAA@AEBV01@@Z
??0ScrollBarRangeValueProxy@DirectUI@@QEAA@XZ
??0ScrollItemProvider@DirectUI@@QEAA@XZ
??0ScrollItemProxy@DirectUI@@QEAA@AEBV01@@Z
??0ScrollItemProxy@DirectUI@@QEAA@XZ
??0ScrollProvider@DirectUI@@QEAA@XZ
??0ScrollProxy@DirectUI@@QEAA@AEBV01@@Z
??0ScrollProxy@DirectUI@@QEAA@XZ
??0ScrollViewer@DirectUI@@QEAA@AEBV01@@Z
??0ScrollViewer@DirectUI@@QEAA@XZ
??0SelectionItemProvider@DirectUI@@QEAA@XZ
??0SelectionItemProxy@DirectUI@@IEAA@XZ
??0SelectionItemProxy@DirectUI@@QEAA@AEBV01@@Z
??0SelectionProvider@DirectUI@@QEAA@XZ
??0SelectionProxy@DirectUI@@IEAA@XZ
??0SelectionProxy@DirectUI@@QEAA@AEBV01@@Z
??0Selector@DirectUI@@QEAA@AEBV01@@Z
??0Selector@DirectUI@@QEAA@XZ
??0SelectorNoDefault@DirectUI@@QEAA@AEBV01@@Z
??0SelectorNoDefault@DirectUI@@QEAA@XZ
??0SelectorSelectionItemProxy@DirectUI@@QEAA@AEBV01@@Z
??0SelectorSelectionItemProxy@DirectUI@@QEAA@XZ
??0SelectorSelectionProxy@DirectUI@@QEAA@AEBV01@@Z
??0SelectorSelectionProxy@DirectUI@@QEAA@XZ
??0ShellBorderLayout@DirectUI@@QEAA@AEBV01@@Z
??0ShellBorderLayout@DirectUI@@QEAA@XZ
??0StyleSheet@DirectUI@@QEAA@AEBV01@@Z
??0StyleSheet@DirectUI@@QEAA@XZ
??0StyledScrollViewer@DirectUI@@QEAA@AEBV01@@Z
??0StyledScrollViewer@DirectUI@@QEAA@XZ
??0Surface@DirectUI@@QEAA@AEBV01@@Z
??0Surface@DirectUI@@QEAA@XZ
??0TableItemProvider@DirectUI@@QEAA@XZ
??0TableItemProxy@DirectUI@@QEAA@AEBV01@@Z
??0TableItemProxy@DirectUI@@QEAA@XZ
??0TableLayout@DirectUI@@QEAA@AEBV01@@Z
??0TableLayout@DirectUI@@QEAA@XZ
??0TableProvider@DirectUI@@QEAA@XZ
??0TableProxy@DirectUI@@QEAA@AEBV01@@Z
??0TableProxy@DirectUI@@QEAA@XZ
??0TaskPage@DirectUI@@QEAA@AEBV01@@Z
??0TaskPage@DirectUI@@QEAA@XZ
??0TextGraphic@DirectUI@@QEAA@AEBV01@@Z
??0TextGraphic@DirectUI@@QEAA@XZ
??0Thumb@DirectUI@@QEAA@AEBV01@@Z
??0Thumb@DirectUI@@QEAA@XZ
??0ToggleProvider@DirectUI@@QEAA@XZ
??0ToggleProxy@DirectUI@@QEAA@AEBV01@@Z
??0ToggleProxy@DirectUI@@QEAA@XZ
??0UnknownElement@DirectUI@@QEAA@AEBV01@@Z
??0UnknownElement@DirectUI@@QEAA@XZ
??0ValueProvider@DirectUI@@QEAA@XZ
??0ValueProxy@DirectUI@@QEAA@AEBV01@@Z
??0ValueProxy@DirectUI@@QEAA@XZ
??0VerticalFlowLayout@DirectUI@@QEAA@AEBV01@@Z
??0VerticalFlowLayout@DirectUI@@QEAA@XZ
??0Viewer@DirectUI@@QEAA@AEBV01@@Z
??0Viewer@DirectUI@@QEAA@XZ
??0XBaby@DirectUI@@QEAA@AEBV01@@Z
??0XBaby@DirectUI@@QEAA@XZ
??0XElement@DirectUI@@QEAA@AEBV01@@Z
??0XElement@DirectUI@@QEAA@XZ
??0XHost@DirectUI@@QEAA@XZ
??0XProvider@DirectUI@@QEAA@AEBV01@@Z
??0XProvider@DirectUI@@QEAA@XZ
??0XResourceProvider@DirectUI@@QEAA@AEBV01@@Z
??0XResourceProvider@DirectUI@@QEAA@XZ
??1?$PatternProvider@VExpandCollapseProvider@DirectUI@@UIExpandCollapseProvider@@$00@DirectUI@@UEAA@XZ
??1?$PatternProvider@VGridItemProvider@DirectUI@@UIGridItemProvider@@$01@DirectUI@@UEAA@XZ
??1?$PatternProvider@VGridProvider@DirectUI@@UIGridProvider@@$02@DirectUI@@UEAA@XZ
??1?$PatternProvider@VInvokeProvider@DirectUI@@UIInvokeProvider@@$0A@@DirectUI@@UEAA@XZ
??1?$PatternProvider@VRangeValueProvider@DirectUI@@UIRangeValueProvider@@$03@DirectUI@@UEAA@XZ
??1?$PatternProvider@VScrollItemProvider@DirectUI@@UIScrollItemProvider@@$05@DirectUI@@UEAA@XZ
??1?$PatternProvider@VScrollProvider@DirectUI@@UIScrollProvider@@$04@DirectUI@@UEAA@XZ
??1?$PatternProvider@VSelectionItemProvider@DirectUI@@UISelectionItemProvider@@$06@DirectUI@@UEAA@XZ
??1?$PatternProvider@VSelectionProvider@DirectUI@@UISelectionProvider@@$07@DirectUI@@UEAA@XZ
??1?$PatternProvider@VTableItemProvider@DirectUI@@UITableItemProvider@@$09@DirectUI@@UEAA@XZ
??1?$PatternProvider@VTableProvider@DirectUI@@UITableProvider@@$08@DirectUI@@UEAA@XZ
??1?$PatternProvider@VToggleProvider@DirectUI@@UIToggleProvider@@$0L@@DirectUI@@UEAA@XZ
??1?$PatternProvider@VValueProvider@DirectUI@@UIValueProvider@@$0M@@DirectUI@@UEAA@XZ
??1?$SafeArrayAccessor@H@DirectUI@@QEAA@XZ
??1AccessibleButton@DirectUI@@UEAA@XZ
??1AnimationStrip@DirectUI@@UEAA@XZ
??1AutoButton@DirectUI@@UEAA@XZ
??1AutoLock@DirectUI@@QEAA@XZ
??1AutoThread@DirectUI@@QEAA@XZ
??1AutoVariant@DirectUI@@QEAA@XZ
??1BaseScrollViewer@DirectUI@@UEAA@XZ
??1Bind@DirectUI@@UEAA@XZ
??1BorderLayout@DirectUI@@UEAA@XZ
??1Browser@DirectUI@@UEAA@XZ
??1Button@DirectUI@@UEAA@XZ
??1CCAVI@DirectUI@@UEAA@XZ
??1CCBase@DirectUI@@UEAA@XZ
??1CCBaseCheckRadioButton@DirectUI@@UEAA@XZ
??1CCBaseScrollBar@DirectUI@@UEAA@XZ
??1CCCheckBox@DirectUI@@UEAA@XZ
??1CCCommandLink@DirectUI@@UEAA@XZ
??1CCHScrollBar@DirectUI@@UEAA@XZ
??1CCListBox@DirectUI@@UEAA@XZ
??1CCListView@DirectUI@@UEAA@XZ
??1CCProgressBar@DirectUI@@UEAA@XZ
??1CCPushButton@DirectUI@@UEAA@XZ
??1CCRadioButton@DirectUI@@UEAA@XZ
??1CCSysLink@DirectUI@@UEAA@XZ
??1CCTrackBar@DirectUI@@UEAA@XZ
??1CCTreeView@DirectUI@@UEAA@XZ
??1CCVScrollBar@DirectUI@@UEAA@XZ
??1CallstackTracker@DirectUI@@QEAA@XZ
??1CheckBoxGlyph@DirectUI@@UEAA@XZ
??1ClassInfoBase@DirectUI@@UEAA@XZ
??1Clipper@DirectUI@@UEAA@XZ
??1Combobox@DirectUI@@UEAA@XZ
??1CritSecLock@DirectUI@@QEAA@XZ
??1DCSurface@DirectUI@@UEAA@XZ
??1DUIFactory@DirectUI@@QEAA@XZ
??1DUIXmlParser@DirectUI@@UEAA@XZ
??1DialogElement@DirectUI@@UEAA@XZ
??1DuiAccessible@DirectUI@@UEAA@XZ
??1Edit@DirectUI@@UEAA@XZ
??1Element@DirectUI@@UEAA@XZ
??1ElementProvider@DirectUI@@UEAA@XZ
??1ElementWithHWND@DirectUI@@UEAA@XZ
??1ExpandCollapseProvider@DirectUI@@UEAA@XZ
??1Expandable@DirectUI@@UEAA@XZ
??1Expando@DirectUI@@UEAA@XZ
??1ExpandoButtonGlyph@DirectUI@@UEAA@XZ
??1FillLayout@DirectUI@@UEAA@XZ
??1FlowLayout@DirectUI@@UEAA@XZ
??1FontCheckOut@DirectUI@@QEAA@XZ
??1GridItemProvider@DirectUI@@UEAA@XZ
??1GridLayout@DirectUI@@UEAA@XZ
??1GridProvider@DirectUI@@UEAA@XZ
??1HWNDElement@DirectUI@@UEAA@XZ
??1HWNDElementAccessible@DirectUI@@UEAA@XZ
??1HWNDElementProvider@DirectUI@@UEAA@XZ
??1HWNDHost@DirectUI@@UEAA@XZ
??1HWNDHostAccessible@DirectUI@@UEAA@XZ
??1HWNDHostClientAccessible@DirectUI@@UEAA@XZ
??1IDataEngine@DirectUI@@UEAA@XZ
??1IDataEntry@DirectUI@@UEAA@XZ
??1InvokeHelper@DirectUI@@UEAA@XZ
??1InvokeProvider@DirectUI@@UEAA@XZ
??1Layout@DirectUI@@UEAA@XZ
??1LinkedList@DirectUI@@QEAA@XZ
??1Macro@DirectUI@@UEAA@XZ
??1Movie@DirectUI@@UEAA@XZ
??1NativeHWNDHost@DirectUI@@UEAA@XZ
??1Navigator@DirectUI@@UEAA@XZ
??1NineGridLayout@DirectUI@@UEAA@XZ
??1PText@DirectUI@@UEAA@XZ
??1Page@DirectUI@@UEAA@XZ
??1Pages@DirectUI@@UEAA@XZ
??1Progress@DirectUI@@UEAA@XZ
??1Proxy@DirectUI@@UEAA@XZ
??1PushButton@DirectUI@@UEAA@XZ
??1RadioButtonGlyph@DirectUI@@UEAA@XZ
??1RangeValueProvider@DirectUI@@UEAA@XZ
??1RefPointElement@DirectUI@@UEAA@XZ
??1RefcountBase@DirectUI@@UEAA@XZ
??1RepeatButton@DirectUI@@UEAA@XZ
??1Repeater@DirectUI@@UEAA@XZ
??1ResourceModuleHandles@DirectUI@@QEAA@XZ
??1RowLayout@DirectUI@@UEAA@XZ
??1ScrollBar@DirectUI@@UEAA@XZ
??1ScrollItemProvider@DirectUI@@UEAA@XZ
??1ScrollProvider@DirectUI@@UEAA@XZ
??1ScrollViewer@DirectUI@@UEAA@XZ
??1SelectionItemProvider@DirectUI@@UEAA@XZ
??1SelectionProvider@DirectUI@@UEAA@XZ
??1Selector@DirectUI@@UEAA@XZ
??1SelectorNoDefault@DirectUI@@UEAA@XZ
??1ShellBorderLayout@DirectUI@@UEAA@XZ
??1StyledScrollViewer@DirectUI@@UEAA@XZ
??1Surface@DirectUI@@UEAA@XZ
??1TableItemProvider@DirectUI@@UEAA@XZ
??1TableLayout@DirectUI@@UEAA@XZ
??1TableProvider@DirectUI@@UEAA@XZ
??1TaskPage@DirectUI@@UEAA@XZ
??1TextGraphic@DirectUI@@UEAA@XZ
??1Thumb@DirectUI@@UEAA@XZ
??1ToggleProvider@DirectUI@@UEAA@XZ
??1UnknownElement@DirectUI@@UEAA@XZ
??1ValueProvider@DirectUI@@UEAA@XZ
??1VerticalFlowLayout@DirectUI@@UEAA@XZ
??1Viewer@DirectUI@@UEAA@XZ
??1XBaby@DirectUI@@UEAA@XZ
??1XElement@DirectUI@@UEAA@XZ
??1XHost@DirectUI@@QEAA@XZ
??1XProvider@DirectUI@@UEAA@XZ
??4?$FunctionDefinition@H@DUIXmlParser@DirectUI@@QEAAAEAU012@AEBU012@@Z
??4?$FunctionDefinition@K@DUIXmlParser@DirectUI@@QEAAAEAU012@AEBU012@@Z
??4?$FunctionDefinition@PEAVValue@DirectUI@@@DUIXmlParser@DirectUI@@QEAAAEAU012@AEBU012@@Z
??4?$FunctionDefinition@UtagRECT@@@DUIXmlParser@DirectUI@@QEAAAEAU012@AEBU012@@Z
??4ACCESSIBLEROLE@AccessibleButton@DirectUI@@QEAAAEAU012@AEBU012@@Z
??4AccessibleButton@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4AnimationStrip@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4AutoButton@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4AutoLock@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4AutoThread@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4AutoVariant@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4BaseScrollBar@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4BaseScrollViewer@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Bind@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4BorderLayout@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Browser@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4BrowserSelectionProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Button@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCAVI@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCBase@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCBaseCheckRadioButton@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCBaseScrollBar@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCCheckBox@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCCommandLink@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCHScrollBar@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCListBox@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCListView@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCProgressBar@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCPushButton@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCRadioButton@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCSysLink@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCTrackBar@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCTreeView@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CCVScrollBar@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CallstackTracker@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CheckBoxGlyph@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ClassInfoBase@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Clipper@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Combobox@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4CritSecLock@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4DCSurface@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4DUIFactory@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4DUIXmlParser@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4DialogElement@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4DuiNavigate@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Edit@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Element@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ElementProviderManager@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ElementProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ElementWithHWND@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4EventManager@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ExpandCollapseProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Expandable@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Expando@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ExpandoButtonGlyph@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Expression@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4FillLayout@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4FlowLayout@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4FontCache@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4FontCheckOut@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4GridItemProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4GridLayout@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4GridProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4HWNDElement@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4HWNDElementProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4HWNDHost@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4IDataEngine@DirectUI@@QEAAAEAU01@AEBU01@@Z
??4IDataEntry@DirectUI@@QEAAAEAU01@AEBU01@@Z
??4IProvider@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ISBLeak@DirectUI@@QEAAAEAU01@AEBU01@@Z
??4IXElementCP@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4IXProviderCP@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4InvokeManager@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4InvokeProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Layout@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4LinkedList@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4LinkedListNode@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Macro@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Movie@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4NativeHWNDHost@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4NavReference@DirectUI@@QEAAAEAU01@AEBU01@@Z
??4NavScoring@DirectUI@@QEAAAEAU01@AEBU01@@Z
??4Navigator@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4NavigatorSelectionItemProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4NineGridLayout@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4PText@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Page@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Pages@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Progress@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ProgressRangeValueProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ProviderProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Proxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4PushButton@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4RadioButtonGlyph@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4RangeValueProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4RefPointElement@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4RepeatButton@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Repeater@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ResourceModuleHandles@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4RowLayout@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Schema@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ScrollBar@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ScrollBarRangeValueProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ScrollItemProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ScrollProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ScrollViewer@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4SelectionItemProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4SelectionProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Selector@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4SelectorNoDefault@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4SelectorSelectionItemProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4SelectorSelectionProxy@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4ShellBorderLayout@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4StyleSheet@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4StyledScrollViewer@DirectUI@@QEAAAEAV01@AEBV01@@Z
??4Surface@DirectUI@@QEAAAEAV01@AEBV01@@Z

Sections

.text
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 496KB - Virtual size: 492KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 336B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.EXP
Size: 220KB - Virtual size: 218KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 976B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.zfo
Size: 208KB - Virtual size: 205KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/Gcleaner/1ada4287ce3b32605a713ee1c2d77ffe06f3b1309c2022f6eee4d2047177e2d6
.exe windows:5 windows x86 arch:x86

2eabe9054cad5152567f0699947a2c5b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrcpy

Sections

Size: 147KB - Virtual size: 4.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 28KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 512B - Virtual size: 2.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

txnbtmaa
Size: 1.7MB - Virtual size: 1.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

wbjvzhts
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.taggant
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/GhostRat/2cba103a4023e6be7f5285499150fe00.exe
.dll windows:4 windows x86 arch:x86

Code Sign

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10/01/1997, 07:00

Not After

31/12/2020, 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10/01/1997, 07:00

Not After

31/12/2020, 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

61:47:52:ba:00:00:00:00:00:04
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/09/2006, 01:53

Not After

16/09/2011, 02:03

Subject

CN=Microsoft Timestamping Service,OU=nCipher DSE ESN:D8A9-CFCC-579C,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

61:47:52:ba:00:00:00:00:00:04
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/09/2006, 01:53

Not After

16/09/2011, 02:03

Subject

CN=Microsoft Timestamping Service,OU=nCipher DSE ESN:D8A9-CFCC-579C,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16/09/2006, 01:04

Not After

15/09/2019, 07:00

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:02:30:7e:00:00:00:00:00:06
Certificate

Issuer

CN=Microsoft Windows Verification Intermediate PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

10/03/2008, 21:57

Not After

10/06/2009, 22:07

Subject

CN=Microsoft Windows Component Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

6a:0b:99:4f:c0:00:1b:ab:11:da:3a:a1:b6:df:ec:88
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

11/10/2005, 21:55

Not After

26/04/2010, 07:00

Subject

CN=Microsoft Windows Verification Intermediate PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

4e:60:d6:2b:ea:d5:4c:51:50:4a:01:bd:8b:d4:e4:f3:a6:e3:77:df
Signer

Actual PE Digest

4e:60:d6:2b:ea:d5:4c:51:50:4a:01:bd:8b:d4:e4:f3:a6:e3:77:df

Digest Algorithm

sha1

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Exports

Exports

ServiceMain

Sections

.text
Size: 88KB - Virtual size: 87KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.Silvana
Size: 661B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

afds
Size: 512B - Virtual size: 512B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/GravityRat/2025-02-02_3349e5b5a57a12b60f96529f8a2fdb57_poet-rat_snatch.exe
.exe windows:4 windows x64 arch:x64

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.text
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 205KB - Virtual size: 333KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1024B - Virtual size: 914B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.symtab
Size: 512B - Virtual size: 4B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/LummaStealer/1ffd04c4a58b2294203e7c08225ab9c921b3afa8944d65ada62795789d6f5d4e
.exe windows:6 windows x86 arch:x86

2eabe9054cad5152567f0699947a2c5b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrcpy

Sections

Size: 164KB - Virtual size: 352KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 688B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 512B - Virtual size: 2.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

nirehejt
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

rgfncuuf
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.taggant
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/LummaStealer/2025-01-31_df1e3d66392952a819b4be0b09668315_frostygoop_poet-rat_snatch.exe
.exe windows:6 windows x86 arch:x86

9cbefe68f395e67356e2a5d8d1b285c0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

WriteFile
WriteConsoleW
WaitForMultipleObjects
WaitForSingleObject
VirtualQuery
VirtualFree
VirtualAlloc
SwitchToThread
SuspendThread
SetWaitableTimer
SetUnhandledExceptionFilter
SetProcessPriorityBoost
SetEvent
SetErrorMode
SetConsoleCtrlHandler
ResumeThread
PostQueuedCompletionStatus
LoadLibraryA
LoadLibraryW
SetThreadContext
GetThreadContext
GetSystemInfo
GetSystemDirectoryA
GetStdHandle
GetQueuedCompletionStatusEx
GetProcessAffinityMask
GetProcAddress
GetEnvironmentStringsW
GetConsoleMode
FreeEnvironmentStringsW
ExitProcess
DuplicateHandle
CreateWaitableTimerExW
CreateThread
CreateIoCompletionPort
CreateFileA
CreateEventA
CloseHandle
AddVectoredExceptionHandler

Sections

.text
Size: 3.3MB - Virtual size: 3.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3.5MB - Virtual size: 3.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 683KB - Virtual size: 883KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1024B - Virtual size: 988B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 180KB - Virtual size: 180KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.symtab
Size: 512B - Virtual size: 4B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/LummaStealer/IUIUBostrapperl.exe
.exe windows:5 windows x86 arch:x86

be41bf7b8cc010b614bd36bbca606973

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29/04/2021, 00:00

Not After

28/04/2036, 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

06:0e:2f:8f:9e:1b:8b:e5:18:d5:fe:2b:69:cf:cc:b1
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

09/03/2023, 00:00

Not After

11/03/2025, 23:59

Subject

CN=Oracle America\, Inc.,O=Oracle America\, Inc.,L=Redwood City,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14/07/2023, 00:00

Not After

13/10/2034, 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23/03/2022, 00:00

Not After

22/03/2037, 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/08/2022, 00:00

Not After

09/11/2031, 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

6d:05:69:2f:95:f8:45:df:e8:af:0c:ef:5f:3c:4f:e0:7d:bc:86:cb:c3:a9:9b:ff:46:04:f0:f4:9d:bc:26:88
Signer

Actual PE Digest

6d:05:69:2f:95:f8:45:df:e8:af:0c:ef:5f:3c:4f:e0:7d:bc:86:cb:c3:a9:9b:ff:46:04:f0:f4:9d:bc:26:88

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetFileTime
CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
SetCurrentDirectoryW
GetFileAttributesW
GetLastError
CreateDirectoryW
SetFileAttributesW
Sleep
GetTickCount
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
ExitProcess
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
SetErrorMode
lstrcpynA
CloseHandle
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
LoadLibraryW
CreateProcessW
lstrcmpiA
CreateFileW
GetTempFileNameW
lstrcatW
GetProcAddress
LoadLibraryA
GetModuleHandleA
OpenProcess
lstrcpyW
GetVersionExW
GetSystemDirectoryW
GetVersion
lstrcpyA
RemoveDirectoryW
lstrcmpA
lstrcmpiW
lstrcmpW
ExpandEnvironmentStringsW
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GlobalFree
GetModuleHandleW
LoadLibraryExW
FreeLibrary
WritePrivateProfileStringW
GetPrivateProfileStringW
WideCharToMultiByte
lstrlenA
MulDiv
WriteFile
ReadFile
MultiByteToWideChar
SetFilePointer
FindClose
FindNextFileW
FindFirstFileW
DeleteFileW
lstrlenW

user32

GetAsyncKeyState
IsDlgButtonChecked
ScreenToClient
GetMessagePos
CallWindowProcW
IsWindowVisible
LoadBitmapW
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
GetWindowRect
AppendMenuW
CreatePopupMenu
GetSystemMetrics
EndDialog
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
DialogBoxParamW
CheckDlgButton
CreateWindowExW
SystemParametersInfoW
RegisterClassW
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharNextA
CharUpperW
CharPrevW
wvsprintfW
DispatchMessageW
PeekMessageW
wsprintfA
DestroyWindow
CreateDialogParamW
SetTimer
SetWindowTextW
PostQuitMessage
SetForegroundWindow
ShowWindow
wsprintfW
SendMessageTimeoutW
LoadCursorW
SetCursor
GetWindowLongW
GetSysColor
CharNextW
GetClassInfoW
ExitWindowsEx
IsWindow
GetDlgItem
SetWindowLongW
LoadImageW
GetDC
EnableWindow
InvalidateRect
SendMessageW
DefWindowProcW
BeginPaint
GetClientRect
FillRect
DrawTextW
EndPaint
FindWindowExW

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectW
SetBkMode
SetTextColor
SelectObject

shell32

SHBrowseForFolderW
SHGetPathFromIDListW
SHGetFileInfoW
ShellExecuteW
SHFileOperationW
SHGetSpecialFolderLocation

advapi32

RegEnumKeyW
RegOpenKeyExW
RegCloseKey
RegDeleteKeyW
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegQueryValueExW
RegEnumValueW

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

Sections

.text
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 458KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 516KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 78KB - Virtual size: 78KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/LummaStealer/LummaC2-40_2025-01-24_18-38.exe
.exe windows:5 windows x86 arch:x86

2a8ae1743d49ac4c74d72ae06ae94148

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SearchPathW
TlsGetValue
MoveFileExA
DebugActiveProcessStop
CallNamedPipeA
CreateProcessW
InterlockedIncrement
GetEnvironmentStringsW
GetProfileSectionA
InterlockedCompareExchange
GetTimeFormatA
GetModuleHandleW
GetConsoleAliasesLengthA
CancelDeviceWakeupRequest
GetDateFormatA
EnumTimeFormatsW
GetVolumePathNameW
GetEnvironmentStrings
LoadLibraryW
GetCommandLineW
GetACP
DeactivateActCtx
GetStartupInfoA
SetLastError
SetVolumeLabelW
SetComputerNameA
EnterCriticalSection
BuildCommDCBW
GetAtomNameA
LocalAlloc
MoveFileA
AddAtomW
FreeEnvironmentStringsW
VirtualProtect
Module32Next
FileTimeToLocalFileTime
DeleteTimerQueueTimer
ResumeThread
GetAtomNameW
DebugActiveProcess
GetLastError
HeapFree
HeapReAlloc
HeapAlloc
Sleep
GetProcAddress
ExitProcess
GetCommandLineA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapCreate
VirtualFree
DeleteCriticalSection
LeaveCriticalSection
VirtualAlloc
TlsAlloc
TlsSetValue
TlsFree
GetCurrentThreadId
InterlockedDecrement
WriteFile
GetStdHandle
GetModuleFileNameA
LoadLibraryA
InitializeCriticalSectionAndSpinCount
FreeEnvironmentStringsA
WideCharToMultiByte
SetHandleCount
GetFileType
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
RtlUnwind
GetCPInfo
GetOEMCP
IsValidCodePage
HeapSize
GetLocaleInfoA
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
GetConsoleCP
GetConsoleMode
FlushFileBuffers
SetFilePointer
CloseHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetStdHandle
CreateFileA

gdi32

GetBitmapBits

Sections

.text
Size: 261KB - Virtual size: 261KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 21KB - Virtual size: 434KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 70KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/MetaSploit/JaffaCakes118_679fb6c69999038d8ba7c11ac9ea88ce
.exe windows:4 windows x86 arch:x86

ec9c9c57e09b71b87abe6015c9582819

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

WSAGetLastError
gethostname
accept

kernel32

VirtualFree
SetStdHandle
SetFilePointer
GetLocaleInfoA
GetProcAddress
LoadLibraryA
LockResource
SizeofResource
LoadResource
FindResourceA
GetTickCount
GetModuleHandleA
GetStartupInfoA
GetCommandLineA
GetVersionExA
DebugBreak
RaiseException
TerminateProcess
GetCurrentProcess
ExitProcess
UnhandledExceptionFilter
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
HeapDestroy
HeapCreate
HeapFree
FlushFileBuffers
RtlUnwind
WriteFile
HeapAlloc
GetProcessHeap
CloseHandle
FreeLibrary
InterlockedDecrement
OutputDebugStringA
InterlockedIncrement
IsBadWritePtr
IsBadReadPtr
HeapValidate
GetCPInfo
GetACP
GetOEMCP
VirtualAlloc
HeapReAlloc
VirtualQuery
InterlockedExchange
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
QueryPerformanceCounter
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
VirtualProtect
GetSystemInfo

Sections

.text
Size: 52KB - Virtual size: 49KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 108KB - Virtual size: 104KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/Mirai/20532ed3491434bbef9fff1b8165827dd665ccfb7bc96443f5f15e75332567b0.elf
.elf linux arm
BastianHein Malware samples/Mirai/56e6d7119496690bdc6671854235ed981812ab4e0b21027dbf938df0bf42edae.elf
.elf linux sparc
BastianHein Malware samples/Mirai/ca5672e67dde27ccdd3b6b20b27f56f0b9919e5731e2164d05bc4a6808f12fc4.elf
.elf linux arm
BastianHein Malware samples/NjRat/Camage.exe
.exe windows:1 windows x86 arch:x86

140094f13383e9ae168c4b35b6af3356

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

CreateThread
ExitProcess
GetComputerNameA
GetModuleFileNameA
GetModuleHandleW
GetProcAddress
SetErrorMode
Sleep
VirtualAllocExNuma

shlwapi

PathFindFileNameA

msvcrt

malloc
free
memset
strcmp
_strcmpi
strcpy

Sections

.text
Size: 6.4MB - Virtual size: 6.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 508B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 172KB - Virtual size: 171KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/Prometei/1fc2e9c09273238015bbb12b66bf78c1e0b31f543c0c4b1a4c1c085b9baf95c4.elf
.elf linux x64
BastianHein Malware samples/Prometei/716585e00bd74b0215ac99053cda914e58dd90af2d1be1cc2e94ac5324994e59.elf
.elf linux x64
BastianHein Malware samples/Prometei/a1e6670136be672dcadbf4d5b4e69e72832b869c84d73a13a7181b75657c6ece.elf
.elf linux mipsbe
BastianHein Malware samples/Prometei/f5222424c27095ff4a71a3b3b9e14dd2ba001a89a4c44ece9877ee4cbc368050.elf
.elf linux x64
BastianHein Malware samples/Prometei/fe1f096ec8b228265af05d76901fd0125f67a88ddc4dfd2e486c1ee6504227cc.elf
.elf linux x64
BastianHein Malware samples/Ransomware/2025-01-27_0b85d9244eec7abe32681316ef673c11_virlock.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 2.5MB - Virtual size: 2.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 512B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Ransomware/7182b75194b976c5aa46654baca5c2736309a9ee6108d76c6fe10a171083d6db.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 24KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Ransomware/7cd7c04c62d2a8b4697ceebbe7dd95c910d687e4a6989c1d839117e55c1cafd7.exe
.exe windows:5 windows x86 arch:x86

0a32a60a7d695fc0a2a3beca0fb3ec8b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetModuleHandleW
WinExec
WideCharToMultiByte
GetLogicalDrives
GetCurrentProcess
Wow64RevertWow64FsRedirection
GetModuleHandleA
MultiByteToWideChar
GetCurrentThread
GetProcAddress
GetTickCount
Sleep
FindClose
Wow64DisableWow64FsRedirection
FindNextFileW
FindFirstFileW
MapViewOfFile
CreateFileMappingW
GetCurrentProcessId
MoveFileExW
GetSystemInfo
CloseHandle
GetLastError
OpenProcess
UnmapViewOfFile
CreateFileW
WaitForSingleObject
TerminateProcess
WriteFile
GetFileSizeEx
SetEndOfFile
HeapSize
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
IsValidCodePage
FindNextFileA
DuplicateHandle
WaitForSingleObjectEx
GetCurrentThreadId
GetNativeSystemInfo
EncodePointer
DecodePointer
RaiseException
GetStringTypeW
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
QueryPerformanceCounter
SetLastError
InitializeCriticalSectionAndSpinCount
CreateEventW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
CompareStringW
LCMapStringW
GetLocaleInfoW
GetCPInfo
CreateTimerQueue
SetEvent
SignalObjectAndWait
SwitchToThread
CreateThread
SetThreadPriority
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
GetThreadTimes
FreeLibrary
FreeLibraryAndExitThread
GetModuleFileNameW
LoadLibraryExW
GetVersionExW
VirtualAlloc
VirtualFree
VirtualProtect
ReleaseSemaphore
InitializeSListHead
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
UnregisterWaitEx
LoadLibraryW
ResetEvent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
RtlUnwind
ReadFile
GetConsoleMode
ReadConsoleW
GetConsoleCP
ExitProcess
GetModuleHandleExW
ExitThread
HeapAlloc
HeapFree
HeapReAlloc
GetModuleFileNameA
GetStdHandle
GetCommandLineA
GetCommandLineW
GetACP
GetFileType
SetStdHandle
SetFilePointerEx
WriteConsoleW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
GetProcessHeap
FindFirstFileExA

advapi32

RegCloseKey
EqualSid
CloseServiceHandle
AllocateAndInitializeSid
OpenSCManagerA
RegCreateKeyExW
ControlService
RegSetValueExW
OpenProcessToken
FreeSid
OpenServiceW
OpenThreadToken
QueryServiceStatusEx
OpenServiceA
GetTokenInformation
CryptAcquireContextW
CryptGenRandom
CryptReleaseContext
EnumDependentServicesA

shell32

SHChangeNotify

mpr

WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW

rstrtmgr

RmRegisterResources
RmGetList
RmStartSession
RmEndSession

bcrypt

BCryptGenRandom

Sections

.text
Size: 433KB - Virtual size: 433KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 157KB - Virtual size: 156KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.data
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Ransomware/8b60d946a1e6e850db92da6e21a39fbf182c660c9c089d48b1d547f24b4abc36.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 21KB - Virtual size: 24KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Ransomware/fed4bc35216d2788c03c47bbcb71aa99a2714ab803999066df98eb52a2fd1057N.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 21KB - Virtual size: 24KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/RedLineStealer/33933960a12c42cfc5240325d9cb332b6f609ebeafa257f3fa7603cd82436552.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 298KB - Virtual size: 297KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/RedLineStealer/8e10fe5a2aeb3e337b184bfbb2c8ef2f256115c287ba664523ff91eb9181f56c.dll.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 93KB - Virtual size: 92KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/RedLineStealer/Fortnitevbucks.exe
.exe windows:4 windows x86 arch:x86

2eabe9054cad5152567f0699947a2c5b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrcpy

Sections

Size: 85KB - Virtual size: 192KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 28KB - Virtual size: 114KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 512B - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 512B - Virtual size: 2.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

nmgyppmi
Size: 1.8MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

saqsnqau
Size: 1024B - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.taggant
Size: 8KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/RedLineStealer/GodsFxckTools1.3.exe
.exe windows:5 windows x86 arch:x86

7aa10e77f9dfc4304021ef0bbf288b2c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetACP
WaitForSingleObject
Sleep
CreateThread
lstrlenW
VirtualProtect
GetProcAddress
LoadLibraryA
VirtualAlloc
LockResource
LoadResource
SizeofResource
FindResourceW
GetModuleHandleW
GetLastError
CreateMutexA
GetModuleHandleA
GetNamedPipeInfo
FreeConsole
RtlUnwind
HeapAlloc
GetCommandLineA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
HeapFree
VirtualFree
HeapReAlloc
HeapCreate
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
SetUnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
GetStartupInfoA
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
IsDebuggerPresent
RaiseException
GetCPInfo
GetOEMCP
IsValidCodePage
InitializeCriticalSectionAndSpinCount
GetLocaleInfoA
GetStringTypeA
MultiByteToWideChar
GetStringTypeW
LCMapStringA
LCMapStringW
HeapSize

Sections

.text
Size: 40KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 138KB - Virtual size: 138KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/RedLineStealer/Redline Stealer v30.2 Cracked.zip
.rar
BastianHein Malware samples/RemcosRat/1218876bc6c34ebcc73be253436e4a48e83c36ddc71b35cc10265073adce380c
.exe windows:5 windows x86 arch:x86

7f2222d75bcebeb591b7d884c5b9299b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

__WSAFDIsSet
recv
send
setsockopt
ntohs
recvfrom
select
WSAStartup
htons
accept
listen
bind
closesocket
connect
WSACleanup
ioctlsocket
sendto
WSAGetLastError
inet_addr
gethostbyname
gethostname
socket

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
ImageList_Create
InitCommonControlsEx
ImageList_ReplaceIcon

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetReadFile
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetConnectW
InternetQueryDataAvailable

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

UnloadUserProfile
DestroyEnvironmentBlock
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
FindClose
GetLongPathNameW
GetCurrentThread
FindNextFileW
MoveFileW
CopyFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
DeleteCriticalSection
WaitForSingleObject
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
GetShortPathNameW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
SetPriorityClass
LoadLibraryW
VirtualAlloc
CloseHandle
GetLastError
GetFullPathNameW
SetCurrentDirectoryW
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
RaiseException
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
CreateThread
DuplicateHandle
EnterCriticalSection
GetCurrentProcess
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
HeapSize
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
SetFilePointer
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
HeapReAlloc
WriteConsoleW
SetEndOfFile
DeleteFileW
SetEnvironmentVariableA

user32

SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
DrawMenuBar
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
MonitorFromRect
LoadImageW
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
CopyImage
CheckMenuRadioItem
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
UnregisterHotKey
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetClassNameW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
AdjustWindowRectEx
SetRect
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
DeleteMenu
PeekMessageW
MessageBoxW
DefWindowProcW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
CharLowerBuffW
GetWindowTextW

gdi32

SetPixel
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
StrokeAndFillPath
StrokePath
GetDeviceCaps
CloseFigure
LineTo
AngleArc
CreateCompatibleBitmap
CreateCompatibleDC
MoveToEx
Ellipse
PolyDraw
BeginPath
SelectObject
StretchBlt
GetDIBits
DeleteDC
GetPixel
CreateDCW
GetStockObject
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
SetTextColor
CreateFontW
GetTextFaceW
EndPath

comdlg32

GetSaveFileNameW
GetOpenFileNameW

advapi32

GetAclInformation
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegCreateKeyExW
GetUserNameW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
InitiateSystemShutdownExW
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
SetSecurityDescriptorDacl
AddAce
GetAce

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoInitializeSecurity
CoCreateInstanceEx
CoSetProxyBlanket

oleaut32

RegisterTypeLi
LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
UnRegisterTypeLi
SafeArrayCreateVector
SysAllocString
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
OleLoadPicture
QueryPathOfRegTypeLi
VariantCopy
VariantClear
CreateDispTypeInfo
CreateStdDispatch
DispCallFunc
VariantChangeType
SafeArrayAllocDescriptorEx
VariantInit

Sections

.text
Size: 557KB - Virtual size: 557KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 179KB - Virtual size: 179KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 41KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/RemcosRat/1738015563919361d039476f160f7ec710cd59ae63288c5e3374a8a01175bfa08f734a7436492.dat-decoded.exe
.exe windows:5 windows x86 arch:x86

e77512f955eaf60ccff45e02d69234de

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

ExpandEnvironmentStringsA
GetLongPathNameW
CopyFileW
GetLocaleInfoA
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
VirtualProtect
SetLastError
VirtualFree
VirtualAlloc
LoadLibraryA
GetNativeSystemInfo
HeapAlloc
GetProcessHeap
FreeLibrary
IsBadReadPtr
GetTempPathW
OpenProcess
OpenMutexA
lstrcatW
GetCurrentProcessId
GetTempFileNameW
GetSystemDirectoryA
GlobalAlloc
GlobalLock
GetTickCount
GlobalUnlock
WriteProcessMemory
ResumeThread
GetThreadContext
ReadProcessMemory
CreateProcessW
SetThreadContext
LocalAlloc
GlobalFree
MulDiv
SizeofResource
QueryDosDeviceW
FindFirstVolumeW
GetConsoleScreenBufferInfo
SetConsoleTextAttribute
lstrlenW
GetStdHandle
SetFilePointer
FindResourceA
LockResource
LoadResource
LocalFree
FindVolumeClose
GetVolumePathNamesForVolumeNameW
lstrcpyW
SetConsoleOutputCP
FormatMessageA
FindFirstFileA
AllocConsole
lstrcmpW
GetModuleFileNameA
lstrcpynA
QueryPerformanceFrequency
QueryPerformanceCounter
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
HeapSize
WriteConsoleW
SetStdHandle
SetEnvironmentVariableW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
IsValidCodePage
FindFirstFileExA
HeapReAlloc
ReadConsoleW
GetConsoleMode
GetConsoleCP
FlushFileBuffers
GetFileType
GetTimeZoneInformation
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
GetACP
GetModuleHandleExW
MoveFileExW
LoadLibraryExW
RaiseException
RtlUnwind
GetCPInfo
GetStringTypeW
GetLocaleInfoW
LCMapStringW
CompareStringW
MultiByteToWideChar
DecodePointer
EncodePointer
TlsFree
TlsSetValue
GetFileSize
TerminateThread
GetLastError
GetModuleHandleA
RemoveDirectoryW
MoveFileW
SetFilePointerEx
CreateDirectoryW
GetLogicalDriveStringsA
DeleteFileW
FindNextFileA
DeleteFileA
SetFileAttributesW
GetFileAttributesW
FindClose
lstrlenA
GetDriveTypeA
FindNextFileW
GetFileSizeEx
FindFirstFileW
GetModuleHandleW
ExitProcess
GetProcAddress
CreateMutexA
GetCurrentProcess
CreateProcessA
PeekNamedPipe
CreatePipe
TerminateProcess
ReadFile
HeapFree
HeapCreate
CreateEventA
GetLocalTime
CreateThread
SetEvent
CreateEventW
WaitForSingleObject
Sleep
GetModuleFileNameW
CloseHandle
ExitThread
CreateFileW
WriteFile
FindNextVolumeW
TlsGetValue
TlsAlloc
SwitchToThread
WideCharToMultiByte
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
WaitForSingleObjectEx
ResetEvent
InitializeCriticalSectionAndSpinCount
SetEndOfFile

user32

DefWindowProcA
TranslateMessage
DispatchMessageA
GetMessageA
GetWindowTextW
wsprintfW
GetClipboardData
UnhookWindowsHookEx
GetForegroundWindow
ToUnicodeEx
GetKeyboardLayout
SetWindowsHookExA
CloseClipboard
OpenClipboard
GetKeyboardState
CallNextHookEx
GetKeyboardLayoutNameA
GetKeyState
GetWindowTextLengthW
GetWindowThreadProcessId
SetForegroundWindow
SetClipboardData
EnumWindows
ExitWindowsEx
EmptyClipboard
ShowWindow
SetWindowTextW
MessageBoxW
IsWindowVisible
CreateWindowExA
SendInput
EnumDisplaySettingsW
mouse_event
MapVirtualKeyA
TrackPopupMenu
CreatePopupMenu
AppendMenuA
RegisterClassExA
GetCursorPos
SystemParametersInfoW
GetIconInfo
GetSystemMetrics
CloseWindow
DrawIcon

gdi32

BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
StretchBlt
GetDIBits
DeleteDC
DeleteObject
CreateDCA
GetObjectA
SelectObject

advapi32

LookupPrivilegeValueA
CryptAcquireContextA
CryptGenRandom
CryptReleaseContext
GetUserNameW
RegEnumKeyExA
QueryServiceStatus
CloseServiceHandle
OpenSCManagerW
OpenSCManagerA
ControlService
StartServiceW
QueryServiceConfigW
ChangeServiceConfigW
OpenServiceW
EnumServicesStatusW
AdjustTokenPrivileges
RegDeleteKeyA
OpenProcessToken
RegCreateKeyA
RegCloseKey
RegQueryInfoKeyW
RegQueryValueExA
RegCreateKeyExW
RegEnumKeyExW
RegSetValueExW
RegSetValueExA
RegOpenKeyExA
RegOpenKeyExW
RegCreateKeyW
RegDeleteValueW
RegEnumValueW
RegQueryValueExW

shell32

ShellExecuteExA
Shell_NotifyIconA
ExtractIconA
ShellExecuteW

ole32

CoInitializeEx
CoGetObject
CoUninitialize

shlwapi

StrToIntA
PathFileExistsW
PathFileExistsA

winmm

mciSendStringA
mciSendStringW
waveInClose
waveInStop
waveInStart
waveInUnprepareHeader
waveInOpen
waveInAddBuffer
waveInPrepareHeader
PlaySoundW

ws2_32

send
WSAStartup
socket
connect
WSAGetLastError
recv
closesocket
inet_ntoa
htons
htonl
getservbyname
ntohs
getservbyport
gethostbyaddr
inet_addr
WSASetLastError
gethostbyname

urlmon

URLOpenBlockingStreamW
URLDownloadToFileW

gdiplus

GdipAlloc
GdiplusStartup
GdipGetImageEncoders
GdipLoadImageFromStream
GdipSaveImageToStream
GdipGetImageEncodersSize
GdipFree
GdipDisposeImage
GdipCloneImage

wininet

InternetOpenUrlW
InternetOpenW
InternetCloseHandle
InternetReadFile

Sections

.text
Size: 344KB - Virtual size: 344KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 99KB - Virtual size: 98KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/RemcosRat/2025-01-25_8bb245bdfd9248935b898fdc750244cd_avoslocker_luca-stealer.exe
.exe windows:6 windows x86 arch:x86

5bf7e763ccf9c352a68ccdf335b6cd41

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARM.pdb

Imports

msi

ord114
ord16
ord120
ord123
ord205
ord159
ord160
ord141
ord8
ord118
ord171
ord92
ord116
ord115
ord119
ord88
ord240
ord131
ord150
ord78
ord70
ord181
ord195
ord32
ord281

psapi

GetModuleBaseNameW
EnumProcessModules
EnumProcesses
GetModuleFileNameExW

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

wininet

DeleteUrlCacheEntryW
HttpQueryInfoW
InternetReadFile
InternetCrackUrlW
InternetOpenW
InternetConnectW
HttpOpenRequestW
HttpSendRequestW
InternetErrorDlg
InternetSetOptionW
InternetCloseHandle

sensapi

IsNetworkAlive

secur32

LsaGetLogonSessionData
LsaFreeReturnBuffer

kernel32

GlobalLock
GlobalUnlock
GlobalFree
MulDiv
FlushFileBuffers
GetFullPathNameW
LockFile
UnlockFile
DuplicateHandle
LoadLibraryExW
LoadLibraryA
GetCurrentThreadId
GetVersionExW
FreeLibrary
GlobalDeleteAtom
SetThreadPriority
SuspendThread
ResumeThread
GetPrivateProfileIntW
GlobalAddAtomW
EncodePointer
GetSystemDirectoryW
GlobalFindAtomW
GetModuleHandleA
FileTimeToLocalFileTime
FindNextFileW
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetFileAttributesExW
GetFileSizeEx
GetFileTime
InitializeCriticalSection
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GlobalReAlloc
GlobalHandle
LocalReAlloc
SetErrorMode
GetCurrentDirectoryW
GetLocaleInfoW
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
GlobalFlags
GetUserDefaultLCID
ResetEvent
WaitForSingleObjectEx
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleFileNameW
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
OutputDebugStringA
GetACP
ExpandEnvironmentStringsW
GetCurrentProcessId
ProcessIdToSessionId
GlobalMemoryStatusEx
GetEnvironmentVariableW
GetSystemInfo
WideCharToMultiByte
DeleteCriticalSection
DecodePointer
RaiseException
InitializeCriticalSectionEx
Module32NextW
Module32FirstW
GetNativeSystemInfo
Process32NextW
GetLongPathNameW
Process32FirstW
CreateToolhelp32Snapshot
LoadLibraryW
FindResourceExW
GetProcessHeap
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
HeapDestroy
lstrcmpA
lstrcmpW
LocalAlloc
GetExitCodeProcess
CreateProcessW
GetFileInformationByHandle
OpenMutexW
CreateMutexW
SystemTimeToFileTime
SetEndOfFile
RemoveDirectoryW
GetFileSize
SetFilePointer
GetThreadLocale
GetPrivateProfileSectionNamesW
MoveFileW
WaitNamedPipeW
CreateNamedPipeW
ConnectNamedPipe
SetNamedPipeHandleState
DisconnectNamedPipe
ReadFile
LocalFree
GetUserDefaultLangID
UnmapViewOfFile
OpenFileMappingW
MapViewOfFile
FormatMessageW
GetLocalTime
GetModuleHandleW
GetProcAddress
GetVolumeInformationW
GetPrivateProfileStringW
WritePrivateProfileStringW
MoveFileExW
CreateFileW
GetCurrentThread
GetCurrentProcess
OpenProcess
CopyFileW
GetTickCount64
GetTempPathW
SetLastError
WaitForSingleObject
SetEvent
OpenEventW
CloseHandle
CreateEventW
Sleep
GetThreadPriority
MultiByteToWideChar
FindClose
FindFirstFileW
DeleteFileW
lstrlenW
SetFileAttributesW
SetFileTime
WriteFile
GetLastError
GlobalAlloc
CreateDirectoryW
GetFileAttributesW
FindResourceW
LoadResource
LockResource
SizeofResource
OutputDebugStringW
GetStringTypeW
LCMapStringW
GetCPInfo
RtlUnwind
GetDriveTypeW
SetEnvironmentVariableW
SetCurrentDirectoryW
CreateThread
ExitThread
FreeLibraryAndExitThread
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
SetStdHandle
GetFileType
HeapQueryInformation
GetStdHandle
ExitProcess
GetDateFormatW
GetTimeFormatW
IsValidLocale
EnumSystemLocalesW
GetTimeZoneInformation
GetConsoleCP
GetConsoleMode
ReadConsoleW
SetFilePointerEx
FindFirstFileExW
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
CompareStringW

user32

DestroyMenu
GetMonitorInfoW
MonitorFromWindow
WinHelpW
UnhookWindowsHookEx
GetTopWindow
GetClassNameW
GetClassLongW
PtInRect
MapWindowPoints
AdjustWindowRectEx
RemovePropW
GetPropW
SetPropW
ShowScrollBar
GetScrollPos
RedrawWindow
TrackPopupMenu
SetMenu
GetMenu
GetCapture
EndDeferWindowPos
DeferWindowPos
BeginDeferWindowPos
IsChild
IsMenu
CreateWindowExW
GetClassInfoExW
GetClassInfoW
RegisterClassW
CallWindowProcW
DefWindowProcW
GetMessageTime
GetMessagePos
CopyRect
GetSysColor
ScreenToClient
EndPaint
BeginPaint
ReleaseDC
GetDC
TabbedTextOutW
GrayStringW
DrawTextExW
DrawTextW
GetDesktopWindow
GetNextDlgTabItem
EndDialog
CreateDialogIndirectParamW
IsDialogMessageW
SetWindowLongW
GetWindowTextLengthW
SetFocus
GetDlgCtrlID
SetDlgItemTextW
GetSysColorBrush
ShowWindow
GetLastActivePopup
GetWindowLongW
IsWindowEnabled
LoadBitmapW
SetMenuItemInfoW
GetMenuCheckMarkDimensions
SetMenuItemBitmaps
EnableMenuItem
CheckMenuItem
CallNextHookEx
SetWindowsHookExW
ValidateRect
GetKeyState
DispatchMessageW
TranslateMessage
GetMessageW
PostQuitMessage
CharUpperW
GetMenuStringW
OffsetRect
SendDlgItemMessageA
UnregisterClassW
GetWindow
FindWindowW
ExitWindowsEx
RegisterWindowMessageW
RealChildWindowFromPoint
InvalidateRect
EnumWindows
GetWindowTextW
IsWindowVisible
GetWindowThreadProcessId
FindWindowExW
SystemParametersInfoW
SetActiveWindow
DrawAnimatedRects
SetForegroundWindow
SetMenuDefaultItem
ModifyMenuW
GetMenuItemID
GetMenuItemCount
GetSubMenu
ClientToScreen
GetCursorPos
LoadMenuW
SetCursor
DrawFocusRect
InflateRect
SetRectEmpty
GetParent
SetWindowTextW
LoadCursorW
GetActiveWindow
DrawIcon
GetClientRect
GetSystemMetrics
IsIconic
PeekMessageW
UpdateWindow
GetFocus
IsWindow
SetTimer
GetWindowRect
SendMessageW
LoadIconW
EnableWindow
PostMessageW
SetWindowPos
GetForegroundWindow
KillTimer
MessageBoxW
GetDlgItem
DestroyWindow

gdi32

ScaleWindowExtEx
ScaleViewportExtEx
OffsetViewportOrgEx
CreateBitmap
GetDeviceCaps
DeleteDC
SetWindowExtEx
SetViewportOrgEx
SetViewportExtEx
ExtTextOutW
TextOutW
SetTextColor
GetTextExtentPoint32W
CreateFontIndirectW
GetObjectW
SetMapMode
SetBkMode
SetBkColor
SelectObject
SaveDC
RestoreDC
RectVisible
PtVisible
GetStockObject
GetClipBox
Escape
DeleteObject

winspool.drv

OpenPrinterW
DocumentPropertiesW
ClosePrinter

advapi32

RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumValueW
RegCloseKey
RegDeleteTreeW
CopySid
GetLengthSid
IsValidSid
GetSidSubAuthority
InitializeSid
GetSidLengthRequired
OpenProcessToken
RegQueryValueW
RegEnumKeyW
RegDeleteKeyW
RegFlushKey
ConvertSidToStringSidW
LookupAccountNameW
ControlService
QueryServiceStatusEx
CloseServiceHandle
OpenServiceW
OpenSCManagerW
CreateWellKnownSid
RegCreateKeyW
RegDeleteKeyExW
LookupAccountSidW
GetTokenInformation
DuplicateTokenEx
CreateProcessAsUserW
AdjustTokenPrivileges
LookupPrivilegeValueW
GetUserNameW
RegCreateKeyExW
RegQueryValueExW
RegSetValueExW
RegDeleteValueW
ConvertStringSecurityDescriptorToSecurityDescriptorW
CheckTokenMembership
DuplicateToken
OpenThreadToken

shell32

ShellExecuteW
SHCreateDirectoryExW
ShellExecuteExW
SHFileOperationW
Shell_NotifyIconW
SHAppBarMessage
SHGetFolderPathW

comctl32

_TrackMouseEvent
InitCommonControlsEx

shlwapi

PathIsUNCW
PathStripToRootW
PathFindExtensionW
PathFindFileNameW
SHDeleteKeyW

ole32

CoInitialize
CoUninitialize
CoTaskMemFree
CoInitializeEx
CoInitializeSecurity
CoCreateInstance
OleRun
CoCreateGuid

oleaut32

SysAllocString
SysFreeString
VariantClear
SysAllocStringByteLen
SysStringByteLen
VariantInit
VariantCopy
VariantChangeType
GetErrorInfo

urlmon

URLDownloadToFileW

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock
UnloadUserProfile

crypt32

CryptUnprotectData
CryptProtectData
CryptDecodeObject
CryptMsgClose
CertCloseStore
CertFreeCertificateContext
CertGetNameStringW
CertFindCertificateInStore
CryptQueryObject
CryptMsgGetParam

wintrust

WinVerifyTrust

oleacc

LresultFromObject
CreateStdAccessibleObject

Sections

.text
Size: 739KB - Virtual size: 740KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 362KB - Virtual size: 364KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.8MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 49KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.tls
Size: 233KB - Virtual size: 236KB

IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/RemcosRat/2c9e0f36dceb0c4a806dc23512747ee70a487fce3ad4a38474ea31f321e0f438.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 567KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 184KB - Virtual size: 184KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 286KB - Virtual size: 286KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/RemcosRat/38052ddd9c64e44bd2631ae021c1e973bed0ddfc8be6c3b2714011647c551d53.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 567KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 184KB - Virtual size: 184KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 286KB - Virtual size: 286KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/RemcosRat/Document53374pdf.exe
.exe windows:4 windows x86 arch:x86

d4b94e8ee3f620a89d114b9da4b31873

Code Sign

06:35:75:3f:4a:8e:f5:16:d6:75:a3:34:a0:b1:38:03:4a:e8:cd:00
Certificate

Issuer

CN=Overmgtigt,OU=dissyllabise Smelten\ ,O=Overmgtigt,L=Nevada,ST=Iowa,C=US,1.2.840.113549.1.9.1=#0c165564626c647465404f7574637261776c65642e456674

Not Before

16/06/2024, 06:23

Not After

16/06/2025, 06:23

Subject

CN=Overmgtigt,OU=dissyllabise Smelten\ ,O=Overmgtigt,L=Nevada,ST=Iowa,C=US,1.2.840.113549.1.9.1=#0c165564626c647465404f7574637261776c65642e456674

84:b1:d8:bb:bb:f8:48:4e:08:e1:11:56:a1:2b:b5:6d:cc:24:82:1e:9b:4f:ec:7f:cb:b4:94:ae:b6:b7:c9:e0
Signer

Actual PE Digest

84:b1:d8:bb:bb:f8:48:4e:08:e1:11:56:a1:2b:b5:6d:cc:24:82:1e:9b:4f:ec:7f:cb:b4:94:ae:b6:b7:c9:e0

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetCurrentDirectoryW
GetFileAttributesW
GetFullPathNameW
Sleep
GetTickCount
GetFileSize
GetModuleFileNameW
MoveFileW
SetFileAttributesW
GetCurrentProcess
ExitProcess
SetEnvironmentVariableW
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
GetVersion
SetErrorMode
lstrlenW
lstrcpynW
CopyFileW
CompareFileTime
GlobalLock
CreateThread
GetLastError
CreateDirectoryW
CreateProcessW
RemoveDirectoryW
lstrcmpiA
CreateFileW
GetTempFileNameW
WriteFile
lstrcpyA
lstrcpyW
MoveFileExW
lstrcatW
GetSystemDirectoryW
LoadLibraryW
GetProcAddress
GetModuleHandleA
ExpandEnvironmentStringsW
GetShortPathNameW
SearchPathW
lstrcmpiW
SetFileTime
CloseHandle
GlobalFree
lstrcmpW
GlobalAlloc
WaitForSingleObject
GlobalUnlock
GetDiskFreeSpaceW
GetExitCodeProcess
FindFirstFileW
FindNextFileW
DeleteFileW
SetFilePointer
ReadFile
FindClose
MulDiv
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
GetPrivateProfileStringW
WritePrivateProfileStringW
FreeLibrary
LoadLibraryExW
GetModuleHandleW

user32

GetSystemMenu
SetClassLongW
IsWindowEnabled
EnableMenuItem
SetWindowPos
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetMessagePos
LoadBitmapW
CallWindowProcW
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
wsprintfW
ScreenToClient
GetWindowRect
GetSystemMetrics
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharPrevW
CharNextA
wsprintfA
DispatchMessageW
PeekMessageW
ReleaseDC
EnableWindow
InvalidateRect
SendMessageW
DefWindowProcW
BeginPaint
GetClientRect
FillRect
DrawTextW
EndDialog
RegisterClassW
SystemParametersInfoW
CreateWindowExW
GetClassInfoW
DialogBoxParamW
CharNextW
ExitWindowsEx
DestroyWindow
CreateDialogParamW
GetDC
SetWindowTextW
PostQuitMessage
ShowWindow
GetDlgItem
IsWindow
LoadImageW
SetWindowLongW
TrackPopupMenu
AppendMenuW
CreatePopupMenu
EndPaint
SetTimer
FindWindowExW
SendMessageTimeoutW
SetForegroundWindow

gdi32

SelectObject
SetBkMode
CreateFontIndirectW
SetTextColor
DeleteObject
GetDeviceCaps
CreateBrushIndirect
SetBkColor

shell32

SHGetSpecialFolderLocation
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetFileInfoW
ShellExecuteW
SHFileOperationW

advapi32

RegDeleteKeyW
SetFileSecurityW
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
RegOpenKeyExW
RegEnumValueW
RegDeleteValueW
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegQueryValueExW
RegEnumKeyW

comctl32

ImageList_Create
ImageList_AddMasked
ImageList_Destroy
ord17

ole32

OleUninitialize
OleInitialize
CoTaskMemFree
CoCreateInstance

Sections

.text
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 171KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 152KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/RemcosRat/Vendor Questionnaire and EOI.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 512KB - Virtual size: 512KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 97KB - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/RemcosRat/calc.exe
.exe windows:4 windows x86 arch:x86

b34f154ec913d2d2c435cbd644e91687

Code Sign

77:bd:0e:05:b7:59:0b:b6:1d:47:61:53:1e:3f:75:ed
Certificate

Issuer

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Not Before

28/07/2020, 00:00

Not After

28/07/2030, 00:00

Subject

CN=GlobalSign GCC R45 EV CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

57:81:e1:df:1c:57:60:15:41:dc:6f:c9
Certificate

Issuer

CN=GlobalSign GCC R45 EV CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Not Before

03/10/2024, 15:36

Not After

04/10/2025, 15:36

Subject

SERIALNUMBER=000-224-897,CN=DRSSOFT INC,O=DRSSOFT INC,L=Birmingham,ST=Alabama,C=US,1.3.6.1.4.1.311.60.2.1.2=#1307416c6162616d61,1.3.6.1.4.1.311.60.2.1.3=#13025553,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

f7:10:37:bb:d6:38:0f:12:10:07:2c:f5:df:5e:40:e2:e0:05:6a:1b:c8:fc:08:95:f5:28:df:4b:14:df:78:15
Signer

Actual PE Digest

f7:10:37:bb:d6:38:0f:12:10:07:2c:f5:df:5e:40:e2:e0:05:6a:1b:c8:fc:08:95:f5:28:df:4b:14:df:78:15

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetEnvironmentVariableW
SetFileAttributesW
Sleep
GetTickCount
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
SetCurrentDirectoryW
GetFileAttributesW
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
GetVersion
SetErrorMode
lstrlenW
lstrcpynW
GetDiskFreeSpaceW
ExitProcess
GetShortPathNameW
CreateThread
GetLastError
CreateDirectoryW
CreateProcessW
RemoveDirectoryW
lstrcmpiA
CreateFileW
GetTempFileNameW
WriteFile
lstrcpyA
MoveFileExW
lstrcatW
GetSystemDirectoryW
GetProcAddress
GetModuleHandleA
GetExitCodeProcess
WaitForSingleObject
lstrcmpiW
MoveFileW
GetFullPathNameW
SetFileTime
SearchPathW
CompareFileTime
lstrcmpW
CloseHandle
ExpandEnvironmentStringsW
GlobalFree
GlobalLock
GlobalUnlock
GlobalAlloc
FindFirstFileW
FindNextFileW
DeleteFileW
SetFilePointer
ReadFile
FindClose
lstrlenA
MulDiv
MultiByteToWideChar
WideCharToMultiByte
GetPrivateProfileStringW
WritePrivateProfileStringW
FreeLibrary
LoadLibraryExW
GetModuleHandleW

user32

GetSystemMenu
SetClassLongW
EnableMenuItem
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetMessagePos
LoadBitmapW
CallWindowProcW
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
ScreenToClient
GetWindowRect
GetDlgItem
GetSystemMetrics
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharPrevW
CharNextA
wsprintfA
DispatchMessageW
PeekMessageW
ReleaseDC
EnableWindow
InvalidateRect
SendMessageW
DefWindowProcW
BeginPaint
GetClientRect
FillRect
DrawTextW
EndDialog
RegisterClassW
SystemParametersInfoW
CreateWindowExW
GetClassInfoW
DialogBoxParamW
CharNextW
ExitWindowsEx
DestroyWindow
GetDC
SetTimer
SetWindowTextW
LoadImageW
SetForegroundWindow
ShowWindow
IsWindow
SetWindowLongW
FindWindowExW
TrackPopupMenu
AppendMenuW
CreatePopupMenu
EndPaint
CreateDialogParamW
SendMessageTimeoutW
wsprintfW
PostQuitMessage

gdi32

SelectObject
SetBkMode
CreateFontIndirectW
SetTextColor
DeleteObject
GetDeviceCaps
CreateBrushIndirect
SetBkColor

shell32

SHGetSpecialFolderLocation
ShellExecuteExW
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetFileInfoW
SHFileOperationW

advapi32

AdjustTokenPrivileges
RegCreateKeyExW
RegOpenKeyExW
SetFileSecurityW
OpenProcessToken
LookupPrivilegeValueW
RegEnumValueW
RegDeleteKeyW
RegDeleteValueW
RegCloseKey
RegSetValueExW
RegQueryValueExW
RegEnumKeyW

comctl32

ImageList_Create
ImageList_AddMasked
ImageList_Destroy
ord17

ole32

OleUninitialize
OleInitialize
CoTaskMemFree
CoCreateInstance

Sections

.text
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 451KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 1.1MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 183KB - Virtual size: 183KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/RemcosRat/completed payment Swift.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 515KB - Virtual size: 515KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 89KB - Virtual size: 89KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/RemcosRat/completed payment Swift.zip
.zip
BastianHein Malware samples/RemcosRat/payments.exe
.exe windows:5 windows x86 arch:x86

eb665920934ca039342f01db8bae1225

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SearchPathW
TlsGetValue
MoveFileExA
DebugActiveProcessStop
GetDefaultCommConfigW
CallNamedPipeA
CreateProcessW
InterlockedIncrement
GetEnvironmentStringsW
GetProfileSectionA
InterlockedCompareExchange
GetTimeFormatA
FreeEnvironmentStringsA
GetModuleHandleW
GetConsoleAliasesLengthA
GetDateFormatA
EnumTimeFormatsW
GetVolumePathNameW
GetEnvironmentStrings
SetVolumeLabelA
GetAtomNameW
DeactivateActCtx
GetStartupInfoA
SetLastError
GetLongPathNameA
SetComputerNameA
EnterCriticalSection
BuildCommDCBW
GetAtomNameA
LocalAlloc
MoveFileA
AddAtomW
VirtualProtect
Module32Next
FileTimeToLocalFileTime
DeleteTimerQueueTimer
OpenFileMappingA
ResumeThread
LoadLibraryW
GetCommandLineW
GetLastError
HeapFree
HeapReAlloc
HeapAlloc
Sleep
GetProcAddress
ExitProcess
GetCommandLineA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapCreate
VirtualFree
DeleteCriticalSection
LeaveCriticalSection
VirtualAlloc
TlsAlloc
TlsSetValue
TlsFree
GetCurrentThreadId
InterlockedDecrement
WriteFile
GetStdHandle
GetModuleFileNameA
LoadLibraryA
InitializeCriticalSectionAndSpinCount
FreeEnvironmentStringsW
WideCharToMultiByte
SetHandleCount
GetFileType
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
RtlUnwind
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapSize
GetLocaleInfoA
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
GetConsoleCP
GetConsoleMode
FlushFileBuffers
SetFilePointer
CloseHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetStdHandle
CreateFileA

gdi32

GetBitmapBits

Sections

.text
Size: 338KB - Virtual size: 337KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 414KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 97KB - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/RemcosRat/remcos_a_encrypted_decrypted.exe
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 300KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 178KB - Virtual size: 180KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 18KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/Ryuk/2024-12-17_67164c4680d767fcc5dbe48c3586444c_luca-stealer_ryuk
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 43KB - Virtual size: 43KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 312KB - Virtual size: 314KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 180B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/Ryuk/241217-w2srlatphz_pw_infected.zip
.zip
BastianHein Malware samples/SmokeLoader/004d58bf34da683aacf652abc4bf89317d4f0333b0aa0f134b257c4cc95fbcfa.exe
.exe windows:10 windows x86 arch:x86

646167cce332c1c252cdcb1839e0cf48

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

wextract.pdb

Imports

advapi32

GetTokenInformation
RegDeleteValueA
RegOpenKeyExA
RegQueryInfoKeyA
FreeSid
OpenProcessToken
RegSetValueExA
RegCreateKeyExA
LookupPrivilegeValueA
AllocateAndInitializeSid
RegQueryValueExA
EqualSid
RegCloseKey
AdjustTokenPrivileges

kernel32

_lopen
_llseek
CompareStringA
GetLastError
GetFileAttributesA
GetSystemDirectoryA
LoadLibraryA
DeleteFileA
GlobalAlloc
GlobalFree
CloseHandle
WritePrivateProfileStringA
IsDBCSLeadByte
GetWindowsDirectoryA
SetFileAttributesA
GetProcAddress
GlobalLock
LocalFree
RemoveDirectoryA
FreeLibrary
_lclose
CreateDirectoryA
GetPrivateProfileIntA
GetPrivateProfileStringA
GlobalUnlock
ReadFile
SizeofResource
WriteFile
GetDriveTypeA
lstrcmpA
SetFileTime
SetFilePointer
FindResourceA
CreateMutexA
GetVolumeInformationA
ExpandEnvironmentStringsA
GetCurrentDirectoryA
FreeResource
GetVersion
SetCurrentDirectoryA
GetTempPathA
LocalFileTimeToFileTime
CreateFileA
SetEvent
TerminateThread
GetVersionExA
LockResource
GetSystemInfo
CreateThread
ResetEvent
LoadResource
ExitProcess
GetModuleHandleW
CreateProcessA
FormatMessageA
GetTempFileNameA
DosDateTimeToFileTime
CreateEventA
GetExitCodeProcess
FindNextFileA
LocalAlloc
GetShortPathNameA
MulDiv
GetDiskFreeSpaceA
EnumResourceLanguagesA
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetStartupInfoW
Sleep
FindClose
GetCurrentProcess
FindFirstFileA
WaitForSingleObject
GetModuleFileNameA
LoadLibraryExA

gdi32

GetDeviceCaps

user32

SetWindowLongA
GetDlgItemTextA
DialogBoxIndirectParamA
ShowWindow
MsgWaitForMultipleObjects
SetWindowPos
GetDC
GetWindowRect
DispatchMessageA
GetDesktopWindow
CharUpperA
SetDlgItemTextA
ExitWindowsEx
MessageBeep
EndDialog
CharPrevA
LoadStringA
CharNextA
EnableWindow
ReleaseDC
SetForegroundWindow
PeekMessageA
GetDlgItem
SendMessageA
SendDlgItemMessageA
MessageBoxA
SetWindowTextA
GetWindowLongA
CallWindowProcA
GetSystemMetrics

msvcrt

_controlfp
?terminate@@YAXXZ
_acmdln
_initterm
__setusermatherr
_except_handler4_common
memcpy
_ismbblead
__p__fmode
_cexit
_exit
exit
__set_app_type
__getmainargs
_amsg_exit
__p__commode
_XcptFilter
memcpy_s
_vsnprintf
memset

comctl32

ord17

cabinet

ord22
ord23
ord21
ord20

version

GetFileVersionInfoA
VerQueryValueA
GetFileVersionInfoSizeA

Sections

.text
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 481KB - Virtual size: 484KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/SmokeLoader/8ba0b30450c0c8e065f665ef3a8c1181b5d669480964211a89a20c42e87af1d0
.exe windows:5 windows x86 arch:x86

61fc52df2134948a61cd128f53825acc

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

EnumCalendarInfoA
InterlockedIncrement
GetCurrentProcess
GetLogicalDriveStringsW
InterlockedCompareExchange
WriteConsoleInputA
FindNextVolumeMountPointA
EscapeCommFunction
GetWindowsDirectoryA
EnumTimeFormatsW
CopyFileW
GetConsoleAliasExesLengthW
CreateSemaphoreA
SetComputerNameExW
GetShortPathNameA
LCMapStringA
InterlockedExchange
GetLastError
GetCurrentDirectoryW
SetLastError
GetProcAddress
VirtualAlloc
GetAtomNameA
LoadLibraryA
InterlockedExchangeAdd
SetCalendarInfoW
OpenEventA
GlobalUnWire
GetModuleHandleA
FreeEnvironmentStringsW
EnumDateFormatsW
GetVersionExA
ReadConsoleInputW
TerminateJobObject
GetCurrentProcessId
EnumCalendarInfoExA
CreateFileA
WriteConsoleW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
MultiByteToWideChar
HeapReAlloc
HeapAlloc
GetCommandLineA
GetStartupInfoA
TerminateProcess
IsDebuggerPresent
GetModuleHandleW
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
GetCurrentThreadId
InterlockedDecrement
Sleep
HeapSize
ExitProcess
ReadFile
EnterCriticalSection
LeaveCriticalSection
SetHandleCount
GetStdHandle
GetFileType
DeleteCriticalSection
HeapFree
WriteFile
GetModuleFileNameA
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
SetFilePointer
HeapCreate
VirtualFree
CloseHandle
FreeEnvironmentStringsA
GetEnvironmentStrings
WideCharToMultiByte
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
RaiseException
InitializeCriticalSectionAndSpinCount
RtlUnwind
SetStdHandle
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
GetConsoleCP
GetConsoleMode
FlushFileBuffers
WriteConsoleA
GetConsoleOutputCP

shell32

DragQueryPoint

ole32

CoRegisterPSClsid

Sections

.text
Size: 267KB - Virtual size: 266KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 25KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/SmokeLoader/d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158.exe
.exe windows:5 windows x86 arch:x86

5556ca45183493f7eae5ee3a6643f505

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

ReadConsoleA
CompareFileTime
_lcreat
GetProcessPriorityBoost
GetModuleHandleW
GetTickCount
TzSpecificLocalTimeToSystemTime
GlobalAlloc
TerminateThread
SetConsoleMode
CreateSemaphoreA
GetBinaryTypeA
lstrlenW
GetNamedPipeHandleStateW
GetPrivateProfileIntW
WriteTapemark
SetVolumeLabelW
DisableThreadLibraryCalls
GetLocalTime
LoadLibraryA
GetConsoleScreenBufferInfo
AddAtomW
GetProfileStringA
GetPrivateProfileStructA
GetTapeParameters
SetSystemTime
VirtualProtect
CloseHandle
DebugBreak
lstrcpyW
SetPriorityClass
TlsGetValue
SetCurrentDirectoryA
GetThreadContext
HeapAlloc
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetStartupInfoW
RaiseException
RtlUnwind
GetLastError
HeapFree
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
VirtualFree
VirtualAlloc
HeapReAlloc
HeapCreate
Sleep
GetProcAddress
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
GetModuleFileNameW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapSize
GetLocaleInfoA
WideCharToMultiByte
GetStringTypeA
MultiByteToWideChar
GetStringTypeW
LCMapStringA
LCMapStringW
GetModuleHandleA

gdi32

GetBitmapDimensionEx

advapi32

RevertToSelf

Sections

.text
Size: 83KB - Virtual size: 82KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 43.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/SnakeKeyLogger/16a43aa836bfc334a9c67a4a6cbd25aa461b9332b7dbc5271afd75119c2a3521.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

WUCf.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 889KB - Virtual size: 888KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/SnakeKeyLogger/35c15f0e2e558228afbff51b637bfd6e206c0d388a9296590b08d0b64bc6297a.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 194KB - Virtual size: 194KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/SnakeKeyLogger/Updated Price List for 2025 Business Year.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

aSym.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 595KB - Virtual size: 595KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/SnakeKeyLogger/b8f672498d679dcb998685dcc8fcb5251d5a2dd45bd53636f76e6ee422d9b161.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 248KB - Virtual size: 248KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/StealC/90208d9829610c65880196d3e28539b95394639d9b2c6a86c57d6f54d8962e60
.exe windows:5 windows x86 arch:x86

2eabe9054cad5152567f0699947a2c5b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrcpy

Sections

Size: 90KB - Virtual size: 2.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 788B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 512B - Virtual size: 2.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

psmndnck
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

ftfluxxw
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.taggant
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/StealC/bba4cd97ea9a1dbe8b1bb1dc19474a22c4f3427ff8ae695f64e93af58ce16eaa
.exe windows:5 windows x86 arch:x86

2eabe9054cad5152567f0699947a2c5b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrcpy

Sections

Size: 90KB - Virtual size: 2.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 788B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 512B - Virtual size: 2.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

nnzptles
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

whjeqgcr
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.taggant
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/VipKeyLogger/Keronal Trading Company - RFQ.dot
.rtf .dot
BastianHein Malware samples/VipKeyLogger/ODEME.01.28.202557KB.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 806KB - Virtual size: 805KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/XMRIG/2025-01-30_bc04d3d67bd15341a38cc82816740acd_cobalt-strike_polyvice_xmrig
.exe windows:4 windows x64 arch:x64

9f0db3fd697182cb1172c254f4b63da6

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Imports

advapi32

AdjustTokenPrivileges
AllocateAndInitializeSid
CloseServiceHandle
ControlService
CreateServiceW
CryptAcquireContextW
CryptCreateHash
CryptDecrypt
CryptDestroyHash
CryptDestroyKey
CryptEnumProvidersW
CryptExportKey
CryptGenRandom
CryptGetProvParam
CryptGetUserKey
CryptReleaseContext
CryptSetHashParam
CryptSignHashW
DeleteService
DeregisterEventSource
FreeSid
GetSecurityInfo
GetTokenInformation
GetUserNameW
LookupPrivilegeValueW
LsaAddAccountRights
LsaClose
LsaOpenPolicy
OpenProcessToken
OpenSCManagerW
OpenServiceW
QueryServiceConfigA
QueryServiceStatus
RegCloseKey
RegGetValueW
RegOpenKeyExW
RegQueryValueExW
RegisterEventSourceW
ReportEventW
SetEntriesInAclA
SetSecurityInfo
StartServiceW
SystemFunction036

crypt32

CertCloseStore
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CertGetCertificateContextProperty
CertOpenStore

iphlpapi

ConvertInterfaceIndexToLuid
ConvertInterfaceLuidToNameW
GetAdaptersAddresses

kernel32

AddVectoredExceptionHandler
AssignProcessToJobObject
CancelIo
CancelIoEx
CancelSynchronousIo
CloseHandle
ConnectNamedPipe
ConvertFiberToThread
ConvertThreadToFiber
CopyFileW
CreateDirectoryW
CreateEventA
CreateFiber
CreateFileA
CreateFileMappingA
CreateFileW
CreateHardLinkW
CreateIoCompletionPort
CreateJobObjectW
CreateNamedPipeA
CreateNamedPipeW
CreateProcessW
CreateSemaphoreA
CreateSemaphoreW
CreateSymbolicLinkW
CreateToolhelp32Snapshot
DebugBreak
DeleteCriticalSection
DeleteFiber
DeviceIoControl
DuplicateHandle
EnterCriticalSection
ExpandEnvironmentStringsA
FileTimeToSystemTime
FillConsoleOutputAttribute
FillConsoleOutputCharacterW
FindClose
FindFirstFileW
FindNextFileW
FindResourceW
FlushFileBuffers
FlushInstructionCache
FlushViewOfFile
FormatMessageA
FormatMessageW
FreeConsole
FreeEnvironmentStringsW
FreeLibrary
GetConsoleCursorInfo
GetConsoleMode
GetConsoleScreenBufferInfo
GetConsoleTitleW
GetConsoleWindow
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDiskFreeSpaceW
GetEnvironmentStringsW
GetEnvironmentVariableW
GetExitCodeProcess
GetFileAttributesA
GetFileAttributesW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFileSizeEx
GetFileType
GetFinalPathNameByHandleW
GetFullPathNameW
GetHandleInformation
GetLargePageMinimum
GetLastError
GetLongPathNameW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExW
GetModuleHandleW
GetNamedPipeHandleStateA
GetNativeSystemInfo
GetNumberOfConsoleInputEvents
GetPriorityClass
GetProcAddress
GetProcessAffinityMask
GetProcessIoCounters
GetProcessTimes
GetQueuedCompletionStatus
GetShortPathNameW
GetStartupInfoA
GetStartupInfoW
GetStdHandle
GetSystemInfo
GetSystemPowerStatus
GetSystemTime
GetSystemTimeAdjustment
GetSystemTimeAsFileTime
GetTempPathW
GetThreadContext
GetThreadPriority
GetThreadTimes
GetTickCount64
GetVersion
GetVersionExW
GlobalMemoryStatusEx
InitializeConditionVariable
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
IsDBCSLeadByteEx
IsDebuggerPresent
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadLibraryExW
LoadLibraryW
LoadResource
LocalAlloc
LocalFree
LockResource
MapViewOfFile
MoveFileExW
MultiByteToWideChar
OpenProcess
OutputDebugStringA
PeekNamedPipe
PostQueuedCompletionStatus
Process32First
Process32Next
QueryPerformanceCounter
QueryPerformanceFrequency
QueueUserWorkItem
RaiseException
ReOpenFile
ReadConsoleA
ReadConsoleInputW
ReadConsoleW
ReadDirectoryChangesW
ReadFile
RegisterWaitForSingleObject
ReleaseSemaphore
RemoveDirectoryW
RemoveVectoredExceptionHandler
ResetEvent
ResumeThread
RtlCaptureContext
RtlLookupFunctionEntry
RtlUnwindEx
RtlVirtualUnwind
SetConsoleCtrlHandler
SetConsoleCursorInfo
SetConsoleCursorPosition
SetConsoleMode
SetConsoleTextAttribute
SetConsoleTitleA
SetConsoleTitleW
SetCurrentDirectoryW
SetEnvironmentVariableW
SetErrorMode
SetEvent
SetFileCompletionNotificationModes
SetFilePointerEx
SetFileTime
SetHandleInformation
SetInformationJobObject
SetLastError
SetNamedPipeHandleState
SetPriorityClass
SetProcessAffinityMask
SetSystemTime
SetThreadAffinityMask
SetThreadContext
SetThreadPriority
SetUnhandledExceptionFilter
SizeofResource
Sleep
SleepConditionVariableCS
SuspendThread
SwitchToFiber
SwitchToThread
SystemTimeToFileTime
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnmapViewOfFile
UnregisterWait
UnregisterWaitEx
VerSetConditionMask
VerifyVersionInfoA
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WaitNamedPipeW
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte
WriteConsoleInputW
WriteConsoleW
WriteFile
__C_specific_handler

msvcrt

___lc_codepage_func
___mb_cur_max_func
__argv
__doserrno
__getmainargs
__initenv
__iob_func
__lconv_init
__set_app_type
__setusermatherr
_acmdln
_aligned_free
_aligned_malloc
_amsg_exit
_assert
_beginthreadex
_cexit
_close
_commode
_close
_endthreadex
_errno
_exit
_fdopen
_filelengthi64
_fileno
_findclose
_findfirst64
_fileno
_findnext64
_fmode
_fstat64
_fullpath
_get_osfhandle
_gmtime64
_initterm
_localtime64
_lock
_lseeki64
_mkdir
_onexit
_open
_open_osfhandle
_read
_read
_setjmp
_setmode
_snwprintf
_stat64
_strdup
_strdup
_stricmp
_strnicmp
_time64
_ultoa
_umask
_unlock
_vscprintf
_vsnprintf
_vsnwprintf
_wchmod
_wcsdup
_wcsnicmp
_wcsrev
_wfopen
_wmkdir
_wopen
_write
_write
_wrmdir
abort
atof
atoi
calloc
exit
fclose
feof
ferror
fflush
fgetpos
fgets
fopen
fprintf
fputc
fputs
fread
free
fseek
fsetpos
ftell
fwrite
getc
getenv
getwc
islower
isspace
isupper
iswctype
localeconv
longjmp
malloc
memchr
memcmp
memcpy
memmove
memset
printf
putc
putchar
puts
putwc
qsort
raise
rand
realloc
setlocale
setvbuf
signal
sprintf
srand
sscanf
strcat
strchr
strcmp
strcoll
strcpy
strcspn
strerror
strftime
strlen
strncmp
strncpy
strrchr
strspn
strstr
strtol
strtoul
strxfrm
tolower
toupper
towlower
towupper
ungetc
ungetwc
vfprintf
wcschr
wcscmp
wcscoll
wcscpy
wcsftime
wcslen
wcsncmp
wcsncpy
wcspbrk
wcsrchr
wcsstr
wcstombs
wcsxfrm

psapi

GetProcessMemoryInfo

shell32

SHGetSpecialFolderPathA

user32

DispatchMessageA
GetMessageA
GetProcessWindowStation
GetSystemMetrics
GetUserObjectInformationW
MapVirtualKeyW
MessageBoxW
ShowWindow
TranslateMessage

userenv

GetUserProfileDirectoryW

ws2_32

FreeAddrInfoW
GetAddrInfoW
WSACleanup
WSADuplicateSocketW
WSAGetLastError
WSAIoctl
WSARecv
WSARecvFrom
WSASend
WSASendTo
WSASetLastError
WSASocketW
WSAStartup
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
gethostbyname
gethostname
getnameinfo
getpeername
getsockname
getsockopt
htonl
htons
ioctlsocket
listen
ntohs
recv
select
send
setsockopt
shutdown
socket

Sections

.text
Size: 4.9MB - Virtual size: 4.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 60KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 173KB - Virtual size: 173KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 212KB - Virtual size: 211KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 3.1MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 112B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/XMRIG/adivina.exe
.exe windows:4 windows x64 arch:x64

cbb5c50c3979132267b3a4ba523e4586

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Imports

api-ms-win-core-synch-l1-2-0

WaitOnAddress
WakeByAddressAll
WakeByAddressSingle

bcryptprimitives

ProcessPrng

kernel32

AddVectoredExceptionHandler
CancelIo
CloseHandle
CompareStringOrdinal
CopyFileExW
CreateDirectoryW
CreateEventW
CreateFileMappingA
CreateFileW
CreateHardLinkW
CreateNamedPipeW
CreatePipe
CreateProcessW
CreateSymbolicLinkW
CreateThread
CreateToolhelp32Snapshot
CreateWaitableTimerExW
DeleteCriticalSection
DeleteFileW
DeleteProcThreadAttributeList
DeviceIoControl
DuplicateHandle
EnterCriticalSection
ExitProcess
FindClose
FindFirstFileExW
FindNextFileW
FlushFileBuffers
FormatMessageW
FreeEnvironmentStringsW
FreeLibrary
GetCommandLineW
GetConsoleMode
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetEnvironmentStringsW
GetEnvironmentVariableW
GetExitCodeProcess
GetFileAttributesW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFileType
GetFinalPathNameByHandleW
GetFullPathNameW
GetLastError
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetOverlappedResult
GetProcAddress
GetProcessHeap
GetProcessId
GetStdHandle
GetSystemDirectoryW
GetSystemInfo
GetSystemTimePreciseAsFileTime
GetTempPathW
GetWindowsDirectoryW
HeapAlloc
HeapFree
HeapReAlloc
InitOnceBeginInitialize
InitOnceComplete
InitializeCriticalSection
InitializeProcThreadAttributeList
LeaveCriticalSection
LoadLibraryA
LockFileEx
MapViewOfFile
Module32FirstW
Module32NextW
MoveFileExW
MultiByteToWideChar
QueryPerformanceCounter
QueryPerformanceFrequency
RaiseException
ReadConsoleW
ReadFile
ReadFileEx
RemoveDirectoryW
RtlCaptureContext
RtlLookupFunctionEntry
RtlUnwindEx
RtlVirtualUnwind
SetCurrentDirectoryW
SetEnvironmentVariableW
SetFileAttributesW
SetFileInformationByHandle
SetFilePointerEx
SetFileTime
SetHandleInformation
SetLastError
SetThreadStackGuarantee
SetUnhandledExceptionFilter
SetWaitableTimer
Sleep
SleepEx
SwitchToThread
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnlockFile
UnmapViewOfFile
UpdateProcThreadAttribute
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WriteConsoleW
WriteFileEx
__C_specific_handler

api-ms-win-crt-environment-l1-1-0

__p__environ
__p__wenviron

api-ms-win-crt-heap-l1-1-0

_set_new_mode
calloc
free
malloc

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-private-l1-1-0

memcmp
memcpy
memmove

api-ms-win-crt-runtime-l1-1-0

_set_app_type
__p___argc
__p___argv
__p___wargv
_cexit
_configure_narrow_argv
_configure_wide_argv
_crt_at_quick_exit
_crt_atexit
_exit
_fpreset
_initialize_narrow_environment
_initialize_wide_environment
_initterm
_set_invalid_parameter_handler
abort
exit
signal

api-ms-win-crt-stdio-l1-1-0

__acrt_iob_func
__p__commode
__p__fmode
__stdio_common_vfprintf
__stdio_common_vfwprintf
fwrite

api-ms-win-crt-string-l1-1-0

memset
strlen
strncmp

api-ms-win-crt-time-l1-1-0

__daylight
__timezone
__tzname
_tzset

ntdll

NtOpenFile
NtReadFile
NtWriteFile
RtlNtStatusToDosError

userenv

GetUserProfileDirectoryW

ws2_32

WSACleanup
WSADuplicateSocketW
WSAGetLastError
WSARecv
WSASend
WSASocketW
WSAStartup
accept
bind
closesocket
connect
freeaddrinfo
getaddrinfo
getpeername
getsockname
getsockopt
ioctlsocket
listen
recv
recvfrom
select
send
sendto
setsockopt
shutdown

Sections

.text
Size: 628KB - Virtual size: 628KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 752B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 149KB - Virtual size: 149KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.eh_fram
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 832B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/Xorbot/bins.sh
.sh linux
BastianHein Malware samples/XwormRAT/XwormRAT-0bc94f9af6482d43ef7a579986827a1d5dd54236.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 107KB - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/XwormRAT/XwormRAT-38944e7579d5fcd2263e7212954619c496d4ff087360b8db6e190e1bdf5358ce.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 320KB - Virtual size: 319KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/XwormRAT/XwormRAT-4f7c6539db5778bc0fb3980846786a8d08ff96989d3692e9cb09016a647bbcdb.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 87KB - Virtual size: 87KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/XwormRAT/XwormRAT-6ffec2e3e08096b1a19ed5cbb931590c3b0c2c5fef87c2f221bdf00099736fe1.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 323KB - Virtual size: 322KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/XwormRAT/XwormRAT-760a3b7f4efe07c216e3a317f04ddc0f1e3f89c48997503bde708cff81fad7ad.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 40KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 20KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/XwormRAT/XwormRAT-ffc9cbd3d4b61402ddbbb7596e5929a1c0952a0fe35a4537cdca8bc6a65d7c37.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 63KB - Virtual size: 63KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/049a809c1c5e53d2d2a267937d86dadf91fd64ccc63920df3b358d5341dd10b1.exe
.exe windows:1 windows x86 arch:x86

95e6f8741083e0c7d9a63d45e2472360

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

CoCreateInstance
CLSIDFromString
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExpandEnvironmentStringsA
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeThread
GetFileSize
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
LocalAlloc
LocalFree
OpenMutexA
CreateFileA
ReadFile
RtlUnwind
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
GetClassNameA
SetFocus
GetForegroundWindow
LoadCursorA
LoadIconA
SetTimer
RegisterClassA
MessageBoxA
GetMessageA
GetWindowLongA
SetWindowLongA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
MoveWindow
DefWindowProcA
CallWindowProcA

gdi32

GetStockObject
SetBkColor
SetTextColor
CreateBrushIndirect
CreateFontA

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

__GetMainArgs
_sleep
_stricmp
atoi
exit
memcpy
memset
printf
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp
vsprintf

Sections

.text
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.embm
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

nfPkwtvc
Size: 512B - Virtual size: 487B

uwWrxqiH
Size: 98KB - Virtual size: 98KB

gmrzWSsQ
Size: 12KB - Virtual size: 12KB

eRKmqCRi
Size: 3KB - Virtual size: 2KB

gXNIVLrm
Size: 512B - Virtual size: 171B

PCCaMLTv
Size: 512B - Virtual size: 258B

ZPDtsBwo
Size: 132KB - Virtual size: 132KB

SPhmSLev
Size: 5KB - Virtual size: 5KB

fvKywPSi
Size: 41KB - Virtual size: 41KB

VODroDxF
Size: 9KB - Virtual size: 8KB
BastianHein Malware samples/berbew/06874f91f3b93d937f680f71dfe3de140b93cf5e1309f6f4bcb46b82ff0ac62d
.exe windows:1 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.rdata
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 122KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.flh
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.idata
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/06ef6e2ffa0fdffb2ea1087200d5e283c94d06e98877543a3f45e30f0b02c933N.exe
.exe windows:1 windows x86 arch:x86

0b36fc85e0cb5e337c80982db5210969

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

CoCreateInstance
CLSIDFromString
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExpandEnvironmentStringsA
GetCommandLineA
GetComputerNameA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeThread
GetFileSize
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
LocalAlloc
LocalFree
OpenMutexA
CreateFileA
ReadFile
RtlUnwind
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
GetClassNameA
SetFocus
GetForegroundWindow
LoadCursorA
LoadIconA
SetTimer
RegisterClassA
MessageBoxA
GetMessageA
GetWindowLongA
SetWindowLongA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
MoveWindow
DefWindowProcA
CallWindowProcA

gdi32

GetStockObject
SetBkColor
SetTextColor
CreateBrushIndirect
CreateFontA

advapi32

GetUserNameA
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

__GetMainArgs
_sleep
_stricmp
atoi
exit
memcpy
memset
printf
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp
vsprintf

ntdll

LdrUnloadDll

Sections

.text
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.fldo
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.l1
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/berbew/06f2cd69693cc7ba8860a0a0e77c2bf0158638a180d5e3100cb3a7f7bbdc8904
.exe windows:1 windows x86 arch:x86

26babd76bbb7f9c516a338b0601b4c9f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSAGetLastError
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
gethostbyname
htonl
htons
inet_addr
ioctlsocket
listen
recv
select
send
socket

ole32

CoCreateInstance
CLSIDFromString
CoTaskMemFree
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExitThread
ExpandEnvironmentStringsA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesA
GetFileSize
GetFileTime
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
CreateDirectoryA
LocalAlloc
LocalFree
OpenFile
OpenMutexA
OpenProcess
PeekNamedPipe
CreateFileA
ReadFile
RemoveDirectoryA
RtlUnwind
SetFileAttributesA
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
TerminateThread
CreatePipe
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
IsWindowVisible
GetClassNameA
GetForegroundWindow
LoadCursorA
SetTimer
KillTimer
RegisterClassA
GetMessageA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
CharUpperBuffA
OemToCharA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
DefWindowProcA

gdi32

GetStockObject
DeleteObject

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

_itoa
__GetMainArgs
_sleep
_strcmpi
_stricmp
atoi
exit
memcpy
memset
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 122KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.flh
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/0b553552b81d4a48baafaf4faaea37c60aedaeae9eeea0a0af4dc4430023cb50
.exe windows:1 windows x86 arch:x86

26babd76bbb7f9c516a338b0601b4c9f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSAGetLastError
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
gethostbyname
htonl
htons
inet_addr
ioctlsocket
listen
recv
select
send
socket

ole32

CoCreateInstance
CLSIDFromString
CoTaskMemFree
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExitThread
ExpandEnvironmentStringsA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesA
GetFileSize
GetFileTime
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
CreateDirectoryA
LocalAlloc
LocalFree
OpenFile
OpenMutexA
OpenProcess
PeekNamedPipe
CreateFileA
ReadFile
RemoveDirectoryA
RtlUnwind
SetFileAttributesA
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
TerminateThread
CreatePipe
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
IsWindowVisible
GetClassNameA
GetForegroundWindow
LoadCursorA
SetTimer
KillTimer
RegisterClassA
GetMessageA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
CharUpperBuffA
OemToCharA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
DefWindowProcA

gdi32

GetStockObject
DeleteObject

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

_itoa
__GetMainArgs
_sleep
_strcmpi
_stricmp
atoi
exit
memcpy
memset
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 122KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.flh
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/0b8b510151a5276d1edac7940a4ddd386712e529904e269b522da80a8df205b2.exe
.exe windows:1 windows x86 arch:x86

0b36fc85e0cb5e337c80982db5210969

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

CoCreateInstance
CLSIDFromString
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExpandEnvironmentStringsA
GetCommandLineA
GetComputerNameA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeThread
GetFileSize
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
LocalAlloc
LocalFree
OpenMutexA
CreateFileA
ReadFile
RtlUnwind
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
GetClassNameA
SetFocus
GetForegroundWindow
LoadCursorA
LoadIconA
SetTimer
RegisterClassA
MessageBoxA
GetMessageA
GetWindowLongA
SetWindowLongA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
MoveWindow
DefWindowProcA
CallWindowProcA

gdi32

GetStockObject
SetBkColor
SetTextColor
CreateBrushIndirect
CreateFontA

advapi32

GetUserNameA
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

__GetMainArgs
_sleep
_stricmp
atoi
exit
memcpy
memset
printf
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp
vsprintf

ntdll

LdrUnloadDll

Sections

.text
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.fldo
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.l1
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/berbew/0bb217915a9029f0822f5c7c34b0097c6c735443b748f0e3ef6ccde7b756f4fc.exe
.exe windows:1 windows x86 arch:x86

95e6f8741083e0c7d9a63d45e2472360

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

CoCreateInstance
CLSIDFromString
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExpandEnvironmentStringsA
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeThread
GetFileSize
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
LocalAlloc
LocalFree
OpenMutexA
CreateFileA
ReadFile
RtlUnwind
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
GetClassNameA
SetFocus
GetForegroundWindow
LoadCursorA
LoadIconA
SetTimer
RegisterClassA
MessageBoxA
GetMessageA
GetWindowLongA
SetWindowLongA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
MoveWindow
DefWindowProcA
CallWindowProcA

gdi32

GetStockObject
SetBkColor
SetTextColor
CreateBrushIndirect
CreateFontA

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

__GetMainArgs
_sleep
_stricmp
atoi
exit
memcpy
memset
printf
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp
vsprintf

Sections

.text
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.embm
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/0bfd26288e3ac10b73349743bdba9758b4ce36b075b4e9c4252d4610a891a2eb.exe
.exe windows:1 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 122KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.idata
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/0c3642c76401c11eae68361a8b5e92cf1810e82bce89eedee3aa8898b9b79e17.exe
.exe windows:1 windows x86 arch:x86

95e6f8741083e0c7d9a63d45e2472360

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

CoCreateInstance
CLSIDFromString
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExpandEnvironmentStringsA
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeThread
GetFileSize
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
LocalAlloc
LocalFree
OpenMutexA
CreateFileA
ReadFile
RtlUnwind
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
GetClassNameA
SetFocus
GetForegroundWindow
LoadCursorA
LoadIconA
SetTimer
RegisterClassA
MessageBoxA
GetMessageA
GetWindowLongA
SetWindowLongA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
MoveWindow
DefWindowProcA
CallWindowProcA

gdi32

GetStockObject
SetBkColor
SetTextColor
CreateBrushIndirect
CreateFontA

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

__GetMainArgs
_sleep
_stricmp
atoi
exit
memcpy
memset
printf
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp
vsprintf

Sections

.text
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.embm
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/0c4beb54f98c1c500de52c7f5295355648a76769e5124d3a85966cd869c7a947.exe
.exe windows:1 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 122KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.idata
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/0d19f4f35171417d64abeab367f4e2db102e1e1b7f0b3369ea7e5d873f32f234
.exe windows:1 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 122KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.flh
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/0d2d116a3642b6caf7c716e54551aba54c69d4d4c8449b9854b229502dd9adce
.exe windows:1 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.rdata
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_RDATA
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/0dfe0718e47a54219e8315af90b9c0144faea5724016a67505218045e037ed3c
.exe windows:1 windows x86 arch:x86

26babd76bbb7f9c516a338b0601b4c9f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSAGetLastError
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
gethostbyname
htonl
htons
inet_addr
ioctlsocket
listen
recv
select
send
socket

ole32

CoCreateInstance
CLSIDFromString
CoTaskMemFree
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExitThread
ExpandEnvironmentStringsA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesA
GetFileSize
GetFileTime
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
CreateDirectoryA
LocalAlloc
LocalFree
OpenFile
OpenMutexA
OpenProcess
PeekNamedPipe
CreateFileA
ReadFile
RemoveDirectoryA
RtlUnwind
SetFileAttributesA
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
TerminateThread
CreatePipe
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
IsWindowVisible
GetClassNameA
GetForegroundWindow
LoadCursorA
SetTimer
KillTimer
RegisterClassA
GetMessageA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
CharUpperBuffA
OemToCharA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
DefWindowProcA

gdi32

GetStockObject
DeleteObject

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

_itoa
__GetMainArgs
_sleep
_strcmpi
_stricmp
atoi
exit
memcpy
memset
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 122KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.flh
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PGllPZFG
Size: 512B - Virtual size: 287B

etmQYOzq
Size: 3KB - Virtual size: 2KB

NkQDFVfl
Size: 2KB - Virtual size: 1KB

BzRWgoYq
Size: 6KB - Virtual size: 5KB

WZWPbjOL
Size: 2KB - Virtual size: 1KB

zheByWMr
Size: 512B - Virtual size: 264B

DVisYruV
Size: 10KB - Virtual size: 9KB

AlHQobmf
Size: 1KB - Virtual size: 1KB

jWJDgZrN
Size: 7KB - Virtual size: 6KB

ywcYPteW
Size: 3KB - Virtual size: 3KB
BastianHein Malware samples/berbew/0e28a80c7e7e014ea2f12d0ac7b9759a7337f8c2717fc827ed9be7c4ad56024a.exe
.exe windows:1 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.l1
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/13d885ffe6d92bbcd2a8aa655b1ff528df12a0c42958e4ccc6030cc601208e3e.exe
.exe windows:1 windows x86 arch:x86

95e6f8741083e0c7d9a63d45e2472360

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

CoCreateInstance
CLSIDFromString
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExpandEnvironmentStringsA
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeThread
GetFileSize
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
LocalAlloc
LocalFree
OpenMutexA
CreateFileA
ReadFile
RtlUnwind
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
GetClassNameA
SetFocus
GetForegroundWindow
LoadCursorA
LoadIconA
SetTimer
RegisterClassA
MessageBoxA
GetMessageA
GetWindowLongA
SetWindowLongA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
MoveWindow
DefWindowProcA
CallWindowProcA

gdi32

GetStockObject
SetBkColor
SetTextColor
CreateBrushIndirect
CreateFontA

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

__GetMainArgs
_sleep
_stricmp
atoi
exit
memcpy
memset
printf
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp
vsprintf

Sections

.text
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.embm
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/1b825081afb73860c0dd018d14788183ea23907f8a2e43eb26a25431b1167fbeN.exe
.exe windows:1 windows x86 arch:x86

26babd76bbb7f9c516a338b0601b4c9f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSAGetLastError
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
gethostbyname
htonl
htons
inet_addr
ioctlsocket
listen
recv
select
send
socket

ole32

CoCreateInstance
CLSIDFromString
CoTaskMemFree
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExitThread
ExpandEnvironmentStringsA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesA
GetFileSize
GetFileTime
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
CreateDirectoryA
LocalAlloc
LocalFree
OpenFile
OpenMutexA
OpenProcess
PeekNamedPipe
CreateFileA
ReadFile
RemoveDirectoryA
RtlUnwind
SetFileAttributesA
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
TerminateThread
CreatePipe
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
IsWindowVisible
GetClassNameA
GetForegroundWindow
LoadCursorA
SetTimer
KillTimer
RegisterClassA
GetMessageA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
CharUpperBuffA
OemToCharA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
DefWindowProcA

gdi32

GetStockObject
DeleteObject

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

_itoa
__GetMainArgs
_sleep
_strcmpi
_stricmp
atoi
exit
memcpy
memset
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 122KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.flh
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/3fa253556b56edc736f40c14a791de12ac0b489ed0b15463ccf29608148d5a53N.exe
.exe windows:1 windows x86 arch:x86

95e6f8741083e0c7d9a63d45e2472360

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

CoCreateInstance
CLSIDFromString
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExpandEnvironmentStringsA
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeThread
GetFileSize
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
LocalAlloc
LocalFree
OpenMutexA
CreateFileA
ReadFile
RtlUnwind
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
GetClassNameA
SetFocus
GetForegroundWindow
LoadCursorA
LoadIconA
SetTimer
RegisterClassA
MessageBoxA
GetMessageA
GetWindowLongA
SetWindowLongA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
MoveWindow
DefWindowProcA
CallWindowProcA

gdi32

GetStockObject
SetBkColor
SetTextColor
CreateBrushIndirect
CreateFontA

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

__GetMainArgs
_sleep
_stricmp
atoi
exit
memcpy
memset
printf
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp
vsprintf

Sections

.text
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.embm
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/45892b76358de15a286a8095419bf22eb39787018e83deac8772d4fec8c5b7afN.exe
.exe windows:1 windows x86 arch:x86

95e6f8741083e0c7d9a63d45e2472360

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

CoCreateInstance
CLSIDFromString
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExpandEnvironmentStringsA
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeThread
GetFileSize
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
LocalAlloc
LocalFree
OpenMutexA
CreateFileA
ReadFile
RtlUnwind
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
GetClassNameA
SetFocus
GetForegroundWindow
LoadCursorA
LoadIconA
SetTimer
RegisterClassA
MessageBoxA
GetMessageA
GetWindowLongA
SetWindowLongA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
MoveWindow
DefWindowProcA
CallWindowProcA

gdi32

GetStockObject
SetBkColor
SetTextColor
CreateBrushIndirect
CreateFontA

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

__GetMainArgs
_sleep
_stricmp
atoi
exit
memcpy
memset
printf
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp
vsprintf

Sections

.text
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.embm
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/5a2ea52f812a17e0376c7c5236b44992c55d55257a97b1af99a0909094db39a0
.exe windows:1 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 122KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/6c13e929927013ada99437d81eb7a8ce.exe
.exe windows:1 windows x86 arch:x86

95e6f8741083e0c7d9a63d45e2472360

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

CoCreateInstance
CLSIDFromString
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExpandEnvironmentStringsA
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeThread
GetFileSize
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
LocalAlloc
LocalFree
OpenMutexA
CreateFileA
ReadFile
RtlUnwind
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
GetClassNameA
SetFocus
GetForegroundWindow
LoadCursorA
LoadIconA
SetTimer
RegisterClassA
MessageBoxA
GetMessageA
GetWindowLongA
SetWindowLongA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
MoveWindow
DefWindowProcA
CallWindowProcA

gdi32

GetStockObject
SetBkColor
SetTextColor
CreateBrushIndirect
CreateFontA

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

__GetMainArgs
_sleep
_stricmp
atoi
exit
memcpy
memset
printf
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp
vsprintf

Sections

.text
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.cacbeb
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/6eec2ad6647ca277576cd2ec606bb948a70fad1f9da1f75cc106b039d92c5fb9.exe
.exe windows:1 windows x86 arch:x86

95e6f8741083e0c7d9a63d45e2472360

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

CoCreateInstance
CLSIDFromString
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExpandEnvironmentStringsA
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeThread
GetFileSize
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
LocalAlloc
LocalFree
OpenMutexA
CreateFileA
ReadFile
RtlUnwind
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
GetClassNameA
SetFocus
GetForegroundWindow
LoadCursorA
LoadIconA
SetTimer
RegisterClassA
MessageBoxA
GetMessageA
GetWindowLongA
SetWindowLongA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
MoveWindow
DefWindowProcA
CallWindowProcA

gdi32

GetStockObject
SetBkColor
SetTextColor
CreateBrushIndirect
CreateFontA

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

__GetMainArgs
_sleep
_stricmp
atoi
exit
memcpy
memset
printf
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp
vsprintf

Sections

.text
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.embm
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/8384367e4d16496e3ae32a611a271e1647bb2c4d8b64b25d84fff290b02d080e.exe
.exe windows:1 windows x86 arch:x86

26babd76bbb7f9c516a338b0601b4c9f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSAGetLastError
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
gethostbyname
htonl
htons
inet_addr
ioctlsocket
listen
recv
select
send
socket

ole32

CoCreateInstance
CLSIDFromString
CoTaskMemFree
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExitThread
ExpandEnvironmentStringsA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesA
GetFileSize
GetFileTime
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
CreateDirectoryA
LocalAlloc
LocalFree
OpenFile
OpenMutexA
OpenProcess
PeekNamedPipe
CreateFileA
ReadFile
RemoveDirectoryA
RtlUnwind
SetFileAttributesA
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
TerminateThread
CreatePipe
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
IsWindowVisible
GetClassNameA
GetForegroundWindow
LoadCursorA
SetTimer
KillTimer
RegisterClassA
GetMessageA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
CharUpperBuffA
OemToCharA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
DefWindowProcA

gdi32

GetStockObject
DeleteObject

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

_itoa
__GetMainArgs
_sleep
_strcmpi
_stricmp
atoi
exit
memcpy
memset
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp

Sections

.text
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 122KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ajelhf
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/89adf30332271727c270458e062204ded7a1e192ea6c2a23e0549c2974a4ca82N.exe
.exe windows:1 windows x86 arch:x86

26babd76bbb7f9c516a338b0601b4c9f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSAGetLastError
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
gethostbyname
htonl
htons
inet_addr
ioctlsocket
listen
recv
select
send
socket

ole32

CoCreateInstance
CLSIDFromString
CoTaskMemFree
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExitThread
ExpandEnvironmentStringsA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesA
GetFileSize
GetFileTime
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
CreateDirectoryA
LocalAlloc
LocalFree
OpenFile
OpenMutexA
OpenProcess
PeekNamedPipe
CreateFileA
ReadFile
RemoveDirectoryA
RtlUnwind
SetFileAttributesA
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
TerminateThread
CreatePipe
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
IsWindowVisible
GetClassNameA
GetForegroundWindow
LoadCursorA
SetTimer
KillTimer
RegisterClassA
GetMessageA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
CharUpperBuffA
OemToCharA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
DefWindowProcA

gdi32

GetStockObject
DeleteObject

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

_itoa
__GetMainArgs
_sleep
_strcmpi
_stricmp
atoi
exit
memcpy
memset
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didat
Size: - Virtual size: 122KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.flh
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/9690762cb106ae66e3318eff75d1b40fe5699408d02f6a97d6679fc554cbab52.exe
.exe windows:1 windows x86 arch:x86

26babd76bbb7f9c516a338b0601b4c9f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSAGetLastError
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
gethostbyname
htonl
htons
inet_addr
ioctlsocket
listen
recv
select
send
socket

ole32

CoCreateInstance
CLSIDFromString
CoTaskMemFree
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExitThread
ExpandEnvironmentStringsA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesA
GetFileSize
GetFileTime
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
CreateDirectoryA
LocalAlloc
LocalFree
OpenFile
OpenMutexA
OpenProcess
PeekNamedPipe
CreateFileA
ReadFile
RemoveDirectoryA
RtlUnwind
SetFileAttributesA
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
TerminateThread
CreatePipe
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
IsWindowVisible
GetClassNameA
GetForegroundWindow
LoadCursorA
SetTimer
KillTimer
RegisterClassA
GetMessageA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
CharUpperBuffA
OemToCharA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
DefWindowProcA

gdi32

GetStockObject
DeleteObject

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

_itoa
__GetMainArgs
_sleep
_strcmpi
_stricmp
atoi
exit
memcpy
memset
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 122KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.flh
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/9dad2cc0de2d90404a457d9298fd1a66a8bcd38667e124442cd2ea75a60b2f7dN.exe
.exe windows:1 windows x86 arch:x86

2fab100e73dccce3c372ff3389e461b0

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

CoCreateInstance
CLSIDFromString
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExpandEnvironmentStringsA
GetCommandLineA
GetComputerNameA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeThread
GetFileSize
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
LocalAlloc
LocalFree
OpenMutexA
CreateFileA
ReadFile
RtlUnwind
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
GetClassNameA
SetFocus
GetForegroundWindow
LoadCursorA
LoadIconA
SetTimer
RegisterClassA
MessageBoxA
GetMessageA
GetWindowLongA
SetWindowLongA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
MoveWindow
DefWindowProcA
CallWindowProcA

gdi32

GetStockObject
SetBkColor
SetTextColor
CreateBrushIndirect
CreateFontA

advapi32

GetUserNameA
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

__GetMainArgs
_sleep
_stricmp
atoi
exit
memcpy
memset
printf
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp
vsprintf

msvcrt

_wgetcwd

rpcrt4

I_RpcSystemFunction001

Sections

.idata
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

rdata
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfcd
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.l1
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.l1
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

L\rfcW
Size: 512B - Virtual size: 64B
BastianHein Malware samples/berbew/ac96e79727fd5b19e0aad939d1616f7ac35b9bb63c279563feefe55a68174138N.exe
.exe windows:1 windows x86 arch:x86

95e6f8741083e0c7d9a63d45e2472360

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

CoCreateInstance
CLSIDFromString
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExpandEnvironmentStringsA
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeThread
GetFileSize
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
LocalAlloc
LocalFree
OpenMutexA
CreateFileA
ReadFile
RtlUnwind
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
GetClassNameA
SetFocus
GetForegroundWindow
LoadCursorA
LoadIconA
SetTimer
RegisterClassA
MessageBoxA
GetMessageA
GetWindowLongA
SetWindowLongA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
MoveWindow
DefWindowProcA
CallWindowProcA

gdi32

GetStockObject
SetBkColor
SetTextColor
CreateBrushIndirect
CreateFontA

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

__GetMainArgs
_sleep
_stricmp
atoi
exit
memcpy
memset
printf
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp
vsprintf

Sections

.text
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.embm
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/b2f30da91885af6a2d178e18304a4cd6e0635689074590ce68b2f065f49d8c5fN.exe
.exe windows:1 windows x86 arch:x86

26babd76bbb7f9c516a338b0601b4c9f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSAGetLastError
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
gethostbyname
htonl
htons
inet_addr
ioctlsocket
listen
recv
select
send
socket

ole32

CoCreateInstance
CLSIDFromString
CoTaskMemFree
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExitThread
ExpandEnvironmentStringsA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesA
GetFileSize
GetFileTime
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
CreateDirectoryA
LocalAlloc
LocalFree
OpenFile
OpenMutexA
OpenProcess
PeekNamedPipe
CreateFileA
ReadFile
RemoveDirectoryA
RtlUnwind
SetFileAttributesA
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
TerminateThread
CreatePipe
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
IsWindowVisible
GetClassNameA
GetForegroundWindow
LoadCursorA
SetTimer
KillTimer
RegisterClassA
GetMessageA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
CharUpperBuffA
OemToCharA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
DefWindowProcA

gdi32

GetStockObject
DeleteObject

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

_itoa
__GetMainArgs
_sleep
_strcmpi
_stricmp
atoi
exit
memcpy
memset
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 122KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.flh
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

GoZrzQFH
Size: 5KB - Virtual size: 5KB

EGuPgZfz
Size: 11KB - Virtual size: 10KB

QVGIUvfH
Size: 17KB - Virtual size: 16KB

WgpSSHxQ
Size: 7KB - Virtual size: 6KB

KdKFbRjf
Size: 512B - Virtual size: 43B

hVxhYcGf
Size: 1024B - Virtual size: 826B

VeOMGofh
Size: 58KB - Virtual size: 57KB

RCStecFq
Size: 1KB - Virtual size: 1KB

kiTCDuCT
Size: 20KB - Virtual size: 19KB

kgLqQaPB
Size: 28KB - Virtual size: 28KB
BastianHein Malware samples/berbew/c2467140be88d84e53b2e94257955ecf4c15ac048eb0ee671add10b921877cf7.exe
.exe windows:1 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.jfbbql
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.l1
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/e9b8c2f4799b1f5cf8014afabcb7325fea2dcf5f5d0d46af1166151727742e84.exe
.exe windows:1 windows x86 arch:x86

c2a87fabf96470db507b2e6b43bd92eb

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

CoCreateInstance
CLSIDFromString
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExpandEnvironmentStringsA
GetCommandLineA
GetComputerNameA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeThread
GetFileSize
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
LocalAlloc
LocalFree
OpenMutexA
CreateFileA
ReadFile
RtlUnwind
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
GetClassNameA
SetFocus
GetForegroundWindow
LoadCursorA
LoadIconA
SetTimer
RegisterClassA
MessageBoxA
GetMessageA
GetWindowLongA
SetWindowLongA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
MoveWindow
DefWindowProcA
CallWindowProcA

gdi32

GetStockObject
SetBkColor
SetTextColor
CreateBrushIndirect
CreateFontA

advapi32

GetUserNameA
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

__GetMainArgs
_sleep
_stricmp
atoi
exit
memcpy
memset
printf
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp
vsprintf

msvcrt

_wgetcwd

Sections

.text
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfcd
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.l1
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/berbew/e9bb0e6d7aa1368285df7658cb892d6f20a1bc7716baeae15fe4f0570a212685N.exe
.exe windows:1 windows x86 arch:x86

26babd76bbb7f9c516a338b0601b4c9f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSAGetLastError
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
gethostbyname
htonl
htons
inet_addr
ioctlsocket
listen
recv
select
send
socket

ole32

CoCreateInstance
CLSIDFromString
CoTaskMemFree
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExitThread
ExpandEnvironmentStringsA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesA
GetFileSize
GetFileTime
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
CreateDirectoryA
LocalAlloc
LocalFree
OpenFile
OpenMutexA
OpenProcess
PeekNamedPipe
CreateFileA
ReadFile
RemoveDirectoryA
RtlUnwind
SetFileAttributesA
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
TerminateThread
CreatePipe
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
IsWindowVisible
GetClassNameA
GetForegroundWindow
LoadCursorA
SetTimer
KillTimer
RegisterClassA
GetMessageA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
CharUpperBuffA
OemToCharA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
DefWindowProcA

gdi32

GetStockObject
DeleteObject

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

_itoa
__GetMainArgs
_sleep
_strcmpi
_stricmp
atoi
exit
memcpy
memset
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 122KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.flh
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/berbew/ffed0b49c573e6a4c62f94df29b198b348c9a847d0cd84f03465e74e0543d8a8.exe
.exe windows:1 windows x86 arch:x86

26babd76bbb7f9c516a338b0601b4c9f

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSAGetLastError
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
gethostbyname
htonl
htons
inet_addr
ioctlsocket
listen
recv
select
send
socket

ole32

CoCreateInstance
CLSIDFromString
CoTaskMemFree
CoInitialize
CoUninitialize

oleaut32

SysAllocString

wininet

DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA

kernel32

ExitProcess
ExitThread
ExpandEnvironmentStringsA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesA
GetFileSize
GetFileTime
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
CreateDirectoryA
LocalAlloc
LocalFree
OpenFile
OpenMutexA
OpenProcess
PeekNamedPipe
CreateFileA
ReadFile
RemoveDirectoryA
RtlUnwind
SetFileAttributesA
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
TerminateThread
CreatePipe
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA

user32

GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
IsWindowVisible
GetClassNameA
GetForegroundWindow
LoadCursorA
SetTimer
KillTimer
RegisterClassA
GetMessageA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
CharUpperBuffA
OemToCharA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
DefWindowProcA

gdi32

GetStockObject
DeleteObject

advapi32

RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA

crtdll

_itoa
__GetMainArgs
_sleep
_strcmpi
_stricmp
atoi
exit
memcpy
memset
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp

Sections

.text
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didat
Size: - Virtual size: 122KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.flh
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/blackmoon/06b6063b216ecc1865b786a82c00f630302fc31fedf834c136ca000a61b872d0.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.rsrc
Size: 155KB - Virtual size: 156KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/0aae46a9cf0b487605e3e4f1fe5785d6d59b5a8c523d949bd0e7aa2679f3e866
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

L_XE0P
Size: - Virtual size: 2.3MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

L_NowG
Size: 715KB - Virtual size: 716KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/0ae46f38474a45b01cb872afee8fba36a8434e8e4841ad9d47b6244a731ea94c.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

L_oee2
Size: - Virtual size: 1.5MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

L_oIKz
Size: 4.7MB - Virtual size: 4.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/2025-01-28_35490cab569419795dfb2018f9a17976_icedid_xiaobaminer.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 108KB - Virtual size: 105KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 155KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/2025-01-28_4a7df03a574c6271c839684f540a7a4d_icedid_xiaobaminer.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 108KB - Virtual size: 105KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 155KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/2025-01-29_69b41cf98c265e6dcc00161fd0f300c0_icedid_xmrig.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 108KB - Virtual size: 105KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1.8MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 800B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/2025-01-29_73793810b24bed54a0d892dd76b3baab_luca-stealer_mafia_metamorfo.exe
.exe windows:5 windows x86 arch:x86

f7d15d43ae80dd0f936ce5a1146865b1

Code Sign

33:00:00:01:54:2e:70:4e:cb:27:61:72:e2:00:00:00:00:01:54
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:37

Not After

02/05/2020, 21:37

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:12:0d:bb:da:1b:a5:f5:32:f1:ee:bd:5f:d5:51:c3:f7:5b:a2:a8:69:f7:21:88:c9:3d:25:f6:02:08:68:1f
Signer

Actual PE Digest

0d:12:0d:bb:da:1b:a5:f5:32:f1:ee:bd:5f:d5:51:c3:f7:5b:a2:a8:69:f7:21:88:c9:3d:25:f6:02:08:68:1f

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

MicrosoftEdgeUpdate_unsigned.pdb

Imports

kernel32

GetModuleFileNameW
GetLastError
CloseHandle
GetProcAddress
CreateProcessW
FreeLibrary
GetTempFileNameW
LoadLibraryExW
GetCommandLineW
GetModuleHandleW
WriteConsoleW
RaiseException
GetSystemInfo
VirtualProtect
VirtualQuery
LoadLibraryExA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
CreateDirectoryW
CreateFileW
DeleteFileW
FindClose
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
GetFileInformationByHandle
RemoveDirectoryW
AreFileApisANSI
SetLastError
CopyFileW
MultiByteToWideChar
WideCharToMultiByte
FormatMessageW
InitializeCriticalSectionAndSpinCount
SwitchToThread
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
RtlUnwind
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
EncodePointer
GetStdHandle
WriteFile
ExitProcess
GetModuleHandleExW
GetCPInfo
HeapAlloc
HeapFree
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetFileType
GetStringTypeW
LCMapStringW
GetProcessHeap
HeapSize
HeapReAlloc
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetFilePointerEx
DecodePointer

ole32

CoTaskMemFree

Sections

.text
Size: 94KB - Virtual size: 94KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 102KB - Virtual size: 102KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/blackmoon/21f0dfe59dc34878ad7833b71132aecd4db3bdb6001d06863ac5e662435ad420.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

L_jXSZ
Size: - Virtual size: 2.3MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

L_2XML
Size: 664KB - Virtual size: 668KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/38803273f78fddff5d8a05f62926f3f557f58ea1455658864d54425a75d88398N.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: - Virtual size: 104KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 40KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX2
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/3c38484012098f618aeee76ffb6fdd4bc37a03cbfa0b24c2e35a634b6a789516.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

L_1jHi
Size: - Virtual size: 2.3MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

L_97Kh
Size: 681KB - Virtual size: 684KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/3ce66a1fbd937f66e09dd930ff9810085df5c2cfcbf73b7222e2fd72e375be79.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.rsrc
Size: 155KB - Virtual size: 156KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/4615496d4e7df4170805f0b7a79adaf5.exe
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 212KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 139KB - Virtual size: 140KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 17KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/4f86220b8e25e6be7b9227b38dc84d74.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

_/l 0
Size: - Virtual size: 1.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_/l 1
Size: 348KB - Virtual size: 352KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_/l 2
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/52d15941e802177643ad69635bcb4cb98279cc50c0094eb6c4c906813f2a35cf.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.rsrc
Size: 155KB - Virtual size: 156KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/647f0959a8d2dda683e7f247068f8090dcd8958d255d36bcea55b4f09d493c06.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

L_O8ET
Size: - Virtual size: 2.3MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

L_tlKJ
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/7557555463f2aea8f9500cb65dc35ca20c59ac0742beda6494240e993d8d0549.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.rsrc
Size: 155KB - Virtual size: 156KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/758172e802c500fcce2a9d66c729341022ced17627524b5a19b4e4b67871b34f.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.rsrc
Size: 155KB - Virtual size: 156KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/79272f405999d6971d9a6b4cf6c497990988db06c74b31550f93e8dfeb1b35b4.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: - Virtual size: 104KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 40KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX2
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/7cbe384f2bb818d7cd52193df8057b70642aa33887722e459a89edce6f2e1d3aN.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.rsrc
Size: 155KB - Virtual size: 156KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/865a86014e8dfcee36bd075f93878b302343b1e85a9f94e9342259daeddc55ca.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.rsrc
Size: 155KB - Virtual size: 156KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/9d2b3a2393486c144d86fe2a7e3d7d391fa6edac393b383b056c0194283b28e1N.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.rsrc
Size: 155KB - Virtual size: 156KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/ae9e31e6e4e5390c99aca9898960a0fa8f4f67bb6cad3b5b25a7ed397639545b.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

L_QGhm
Size: - Virtual size: 2.3MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

L_zVJS
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/b5a9af06923518ef67d61ecb5aefe586360ab8a8f2c9230729e21cae65455c70.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.rsrc
Size: 155KB - Virtual size: 156KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/bef267458b28aaa912120a4f42da4308f71f4aab0f236d634ffd2f47c9147d53.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.rsrc
Size: 155KB - Virtual size: 156KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/cee04887f82b4ad4c27e7b237d34bd4251c9cf5c1344aee179e904a4c877ed42.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.rsrc
Size: 155KB - Virtual size: 156KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/d9e640f73a96f69c8de36c6dfbcb6153f891ca72dd1cdbf85e83bed3d11fd132.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.rsrc
Size: 155KB - Virtual size: 156KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/f00a9ad47c668be84e718d75bad6fab553221c1272276b6548785102898ea6c4N.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.rsrc
Size: 155KB - Virtual size: 156KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/blackmoon/f00c41e45afaa99e16104e6c78dc3f6d6c593240fc93c76a75f57f5483c62970.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.rsrc
Size: 155KB - Virtual size: 156KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/darkcomet/3db2660d7cffcb682ce00e0bde927517.exe
.exe windows:4 windows x86 arch:x86

16fa7ae7301e34a1385f2287e1a81313

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

user32

CallWindowProcA

msvbvm60.dll

ord516
ord632
ord526
EVENT_SINK_AddRef
DllFunctionCall
EVENT_SINK_Release
EVENT_SINK_QueryInterface
__vbaExceptHandler
ord711
ord608
ord717
ProcCallEngine
ord537
ord644
ord681
ord578
ord100
ord616

Sections

.text
Size: 56KB - Virtual size: 56KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

�rsrc
Size: 800KB - Virtual size: 797KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/darkcomet/3e84c4c586e9ffb493a92f1c040ad576.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 24KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/darkcomet/432239af3b4ba67d938ffc6bfb22956e.exe
.exe windows:4 windows x86 arch:x86

e5b4359a3773764a372173074ae9b6bd

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

oleaut32

SysFreeString
SysReAllocStringLen
SysAllocStringLen
GetErrorInfo
GetActiveObject
SysFreeString
SafeArrayPtrOfIndex
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayCreate
VariantChangeType
VariantCopy
VariantClear
VariantInit

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegQueryInfoKeyA
RegOpenKeyExA
RegOpenKeyA
RegFlushKey
RegEnumValueA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueA
LookupPrivilegeNameA
LookupPrivilegeDisplayNameA
LookupAccountSidA
IsValidSid
GetUserNameA
GetTokenInformation
GetSidSubAuthorityCount
GetSidSubAuthority
GetSidIdentifierAuthority
GetCurrentHwProfileA
AdjustTokenPrivileges
StartServiceA
QueryServiceStatus
OpenServiceA
OpenSCManagerA
EnumServicesStatusA
DeleteService
CreateServiceA
ControlService
CloseServiceHandle

user32

GetKeyboardType
DestroyWindow
LoadStringA
MessageBoxA
CharNextA
CreateWindowExA
mouse_event
keybd_event
WindowFromPoint
WaitMessage
VkKeyScanA
UpdateWindow
UnregisterClassA
UnhookWindowsHookEx
TranslateMessage
TranslateMDISysAccel
TrackPopupMenu
ToAscii
SystemParametersInfoA
ShowWindow
ShowScrollBar
ShowOwnedPopups
SetWindowsHookExA
SetWindowTextA
SetWindowPos
SetWindowPlacement
SetWindowLongW
SetWindowLongA
SetTimer
SetScrollRange
SetScrollPos
SetScrollInfo
SetRect
SetPropA
SetParent
SetMenuItemInfoA
SetMenu
SetForegroundWindow
SetFocus
SetCursorPos
SetCursor
SetClipboardData
SetClassLongA
SetCapture
SetActiveWindow
SendMessageW
SendMessageA
ScrollWindow
ScreenToClient
RemovePropA
RemoveMenu
ReleaseDC
ReleaseCapture
RegisterWindowMessageA
RegisterClipboardFormatA
RegisterClassA
RedrawWindow
PtInRect
PostQuitMessage
PostMessageA
PeekMessageW
PeekMessageA
OpenClipboard
OffsetRect
OemToCharA
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects
MessageBoxA
MapWindowPoints
MapVirtualKeyA
LockWorkStation
LoadStringA
LoadKeyboardLayoutA
LoadIconA
LoadCursorA
LoadBitmapA
KillTimer
IsZoomed
IsWindowVisible
IsWindowUnicode
IsWindowEnabled
IsWindow
IsRectEmpty
IsIconic
IsDialogMessageW
IsDialogMessageA
IsClipboardFormatAvailable
IsChild
InvalidateRect
IntersectRect
InsertMenuItemA
InsertMenuA
InflateRect
GetWindowThreadProcessId
GetWindowTextLengthA
GetWindowTextA
GetWindowRect
GetWindowPlacement
GetWindowLongW
GetWindowLongA
GetWindowDC
GetTopWindow
GetSystemMetrics
GetSystemMenu
GetSysColorBrush
GetSysColor
GetSubMenu
GetScrollRange
GetScrollPos
GetScrollInfo
GetPropA
GetParent
GetWindow
GetMessagePos
GetMessageA
GetMenuStringA
GetMenuState
GetMenuItemInfoA
GetMenuItemID
GetMenuItemCount
GetMenu
GetLastInputInfo
GetLastActivePopup
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetIconInfo
GetForegroundWindow
GetFocus
GetDesktopWindow
GetDCEx
GetDC
GetCursorPos
GetCursor
GetClipboardData
GetClientRect
GetClassNameA
GetClassLongA
GetClassInfoA
GetCapture
GetActiveWindow
FrameRect
FindWindowExA
FindWindowA
FillRect
ExitWindowsEx
EqualRect
EnumWindows
EnumThreadWindows
EnumDisplayDevicesA
EnumClipboardFormats
EnumChildWindows
EndPaint
EnableWindow
EnableScrollBar
EnableMenuItem
EmptyClipboard
DrawTextA
DrawMenuBar
DrawIconEx
DrawIcon
DrawFrameControl
DrawEdge
DispatchMessageW
DispatchMessageA
DestroyWindow
DestroyMenu
DestroyIcon
DestroyCursor
DeleteMenu
DefWindowProcA
DefMDIChildProcA
DefFrameProcA
CreatePopupMenu
CreateMenu
CreateIcon
CloseClipboard
ClientToScreen
CheckMenuItem
CallWindowProcA
CallNextHookEx
BeginPaint
CharNextA
CharLowerBuffA
CharLowerA
CharUpperBuffA
CharToOemA
AdjustWindowRectEx
ActivateKeyboardLayout
EnumDisplayMonitors
GetMonitorInfoA

kernel32

GetACP
Sleep
VirtualFree
VirtualAlloc
GetTickCount
QueryPerformanceCounter
GetCurrentThreadId
InterlockedDecrement
InterlockedIncrement
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenA
lstrcpynA
LoadLibraryExA
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLastError
GetCommandLineA
FreeLibrary
FindFirstFileA
FindClose
ExitProcess
ExitThread
CreateThread
CompareStringA
WriteFile
UnhandledExceptionFilter
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetFileType
CreateFileA
CloseHandle
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
lstrcpyA
WriteProcessMemory
WriteFile
WinExec
WaitForSingleObject
WaitForMultipleObjectsEx
VirtualQuery
VirtualProtectEx
VirtualProtect
VirtualFreeEx
VirtualFree
VirtualAllocEx
VirtualAlloc
VerLanguageNameA
UnmapViewOfFile
TerminateProcess
Sleep
SizeofResource
SetThreadPriority
SetThreadLocale
SetThreadContext
SetLastError
SetFileTime
SetFilePointer
SetFileAttributesA
SetEvent
SetErrorMode
SetEndOfFile
ResumeThread
ResetEvent
ReadProcessMemory
ReadFile
PeekNamedPipe
OpenProcess
MultiByteToWideChar
MulDiv
MoveFileA
MapViewOfFile
LockResource
LocalFileTimeToFileTime
LocalAlloc
LoadResource
LoadLibraryA
LeaveCriticalSection
IsBadReadPtr
InitializeCriticalSection
HeapFree
HeapAlloc
GlobalUnlock
GlobalMemoryStatus
GlobalLock
GlobalFree
GlobalFindAtomA
GlobalDeleteAtom
GlobalAlloc
GlobalAddAtomA
GetWindowsDirectoryA
GetVolumeInformationA
GetVersionExA
GetVersion
GetUserDefaultLangID
GetTickCount
GetThreadLocale
GetThreadContext
GetTempPathA
GetSystemPowerStatus
GetSystemDirectoryA
GetStdHandle
GetProcessHeap
GetProcAddress
GetModuleHandleA
GetModuleFileNameA
GetLocaleInfoA
GetLocalTime
GetLastError
GetFullPathNameA
GetFileTime
GetFileSize
GetFileAttributesA
GetExitCodeThread
GetExitCodeProcess
GetEnvironmentVariableA
GetDriveTypeA
GetDiskFreeSpaceA
GetDateFormatA
GetCurrentThreadId
GetCurrentThread
GetCurrentProcessId
GetCurrentProcess
GetComputerNameA
GetCPInfo
FreeResource
InterlockedIncrement
InterlockedExchange
InterlockedDecrement
FreeLibrary
FormatMessageA
FindResourceA
FindNextFileA
FindFirstFileA
FindClose
FileTimeToSystemTime
FileTimeToLocalFileTime
FileTimeToDosDateTime
ExitThread
ExitProcess
EnumResourceNamesA
EnumCalendarInfoA
EnterCriticalSection
DosDateTimeToFileTime
DeleteFileA
DeleteCriticalSection
CreateThread
CreateRemoteThread
CreateProcessA
CreatePipe
CreateMutexA
CreateFileMappingA
CreateFileA
CreateEventA
CreateDirectoryA
CopyFileA
CompareStringA
CloseHandle
Beep
Sleep

gdi32

UnrealizeObject
StretchBlt
SetWindowOrgEx
SetWinMetaFileBits
SetViewportOrgEx
SetTextColor
SetStretchBltMode
SetROP2
SetPixel
SetEnhMetaFileBits
SetDIBColorTable
SetBrushOrgEx
SetBkMode
SetBkColor
SelectPalette
SelectObject
SaveDC
RestoreDC
RectVisible
RealizePalette
PlayEnhMetaFile
PatBlt
MoveToEx
MaskBlt
LineTo
IntersectClipRect
GetWindowOrgEx
GetWinMetaFileBits
GetTextMetricsA
GetTextExtentPoint32A
GetSystemPaletteEntries
GetStockObject
GetRgnBox
GetPixel
GetPaletteEntries
GetObjectA
GetEnhMetaFilePaletteEntries
GetEnhMetaFileHeader
GetEnhMetaFileBits
GetDeviceCaps
GetDIBits
GetDIBColorTable
GetDCOrgEx
GetCurrentPositionEx
GetClipBox
GetBrushOrgEx
GetBitmapBits
GdiFlush
ExtTextOutA
ExcludeClipRect
DeleteObject
DeleteEnhMetaFile
DeleteDC
CreateSolidBrush
CreatePenIndirect
CreatePalette
CreateHalftonePalette
CreateFontIndirectA
CreateDIBitmap
CreateDIBSection
CreateDCA
CreateCompatibleDC
CreateCompatibleBitmap
CreateBrushIndirect
CreateBitmap
CopyEnhMetaFileA
BitBlt

version

VerQueryValueA
GetFileVersionInfoSizeA
GetFileVersionInfoA

wsock32

__WSAFDIsSet
WSACleanup
WSAStartup
WSAGetLastError
gethostname
getservbyname
gethostbyname
gethostbyaddr
socket
shutdown
sendto
send
select
recv
ntohs
listen
ioctlsocket
inet_ntoa
inet_addr
htons
getsockname
connect
closesocket
bind
accept

ole32

CoTaskMemFree
StringFromCLSID
CoTaskMemFree
CLSIDFromProgID
ProgIDFromCLSID
StringFromCLSID
CoCreateInstance
CoUninitialize
CoInitialize
IsEqualGUID

shell32

ShellExecuteExA
ShellExecuteA
SHGetFileInfoA
SHFileOperationA
DragQueryFileA
SHGetSpecialFolderLocation
SHGetPathFromIDListA
SHEmptyRecycleBinA

urlmon

URLDownloadToFileA

comctl32

_TrackMouseEvent
ImageList_SetIconSize
ImageList_GetIconSize
ImageList_Write
ImageList_Read
ImageList_DragShowNolock
ImageList_DragMove
ImageList_DragLeave
ImageList_DragEnter
ImageList_EndDrag
ImageList_BeginDrag
ImageList_Remove
ImageList_DrawEx
ImageList_Draw
ImageList_GetBkColor
ImageList_SetBkColor
ImageList_Add
ImageList_GetImageCount
ImageList_Destroy
ImageList_Create

wininet

InternetReadFile
InternetOpenUrlA
InternetOpenA
InternetConnectA
InternetCloseHandle
HttpQueryInfoA
FtpPutFileA

winmm

waveInUnprepareHeader
waveInStart
waveInReset
waveInPrepareHeader
waveInOpen
waveInClose
waveInAddBuffer
PlaySoundA
mciSendStringA

netapi32

Netbios
NetApiBufferFree
NetShareGetInfo
NetShareEnum

gdiplus

GdipGetImageEncoders
GdipGetImageEncodersSize
GdipDrawImageRectI
GdipSetInterpolationMode
GdipDeleteGraphics
GdipCreateBitmapFromHBITMAP
GdipCreateBitmapFromScan0
GdipGetImagePixelFormat
GdipGetImageGraphicsContext
GdipSaveImageToStream
GdipDisposeImage
GdiplusShutdown
GdiplusStartup
GdipFree
GdipAlloc

msacm32

acmStreamUnprepareHeader
acmStreamPrepareHeader
acmStreamConvert
acmStreamReset
acmStreamSize
acmStreamClose
acmStreamOpen

ntdll

NtQuerySystemInformation
NtUnmapViewOfSection

ws2_32

WSAIoctl

shfolder

SHGetFolderPathA

avicap32

capGetDriverDescriptionA

Sections

.text
Size: 566KB - Virtual size: 566KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 29KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 56B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 35KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/darkcomet/6c25921d6c5ef5bb788d2f2ab7dcda29.exe
.exe windows:4 windows x86 arch:x86

de39dc68941cc6307e3b2590c857a907

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_BYTES_REVERSED_HI

Imports

kernel32

GetModuleHandleA

user32

wsprintfA

advapi32

RegCloseKey

ole32

OleRun

Sections

.MPRESS1
Size: 227KB - Virtual size: 720KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.MPRESS2
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.adata
Size: 68KB - Virtual size: 114KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/darkcomet/6ed9ff5400c6d67dd68f7bdbb5842e72.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

UPX0
Size: - Virtual size: 472KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 243KB - Virtual size: 244KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/elf/854c15bb9b1de19135cf4cbbc5a9f5f573d64596588d88df577aaa8f15163bcd.elf
.elf linux sparc
BastianHein Malware samples/elf/87f8d9ad3fd82330867356aa83bf533f29913955dd749e8102fbfe406db6394d.elf
.elf linux mipsbe
BastianHein Malware samples/elf/Fantazy.x86_64.elf
.elf linux x64
BastianHein Malware samples/elf/adivina
.elf linux x64
BastianHein Malware samples/elf/e1b1d31d583ef58cd42cf5ee9e5d8ca97e314e256556ade1c65fcc657c1738a4.elf
.elf linux arm
BastianHein Malware samples/emotet/2025-01-24_d8eb33b79f6ce4c816ee223e302def1f_icedid.exe
.exe windows:4 windows x86 arch:x86

20580d681e86f3cab367f8648b67138d

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetSystemInfo
VirtualQuery
GetStartupInfoA
GetCommandLineA
HeapReAlloc
TerminateProcess
HeapSize
LCMapStringA
LCMapStringW
HeapDestroy
HeapCreate
VirtualFree
IsBadWritePtr
GetStdHandle
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
VirtualProtect
GetFileType
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
SetUnhandledExceptionFilter
GetStringTypeA
GetStringTypeW
IsBadReadPtr
IsBadCodePtr
SetStdHandle
HeapFree
HeapAlloc
RtlUnwind
SetErrorMode
GetCurrentProcess
FlushFileBuffers
SetFilePointer
WriteFile
ReadFile
WritePrivateProfileStringA
RaiseException
GetOEMCP
GetCPInfo
InterlockedIncrement
GlobalFlags
TlsFree
DeleteCriticalSection
LocalReAlloc
TlsSetValue
TlsAlloc
InitializeCriticalSection
TlsGetValue
EnterCriticalSection
GlobalHandle
GlobalReAlloc
LeaveCriticalSection
LocalAlloc
CloseHandle
GetCurrentThread
lstrcmpA
GetModuleFileNameA
ConvertDefaultLocale
EnumResourceLanguagesA
InterlockedDecrement
GlobalFree
GlobalAlloc
FormatMessageA
LocalFree
GlobalLock
GlobalUnlock
MulDiv
SetLastError
FreeResource
GetCurrentThreadId
GlobalGetAtomNameA
GlobalAddAtomA
GlobalFindAtomA
GlobalDeleteAtom
lstrcmpW
lstrcpynA
GetModuleHandleA
GetProcAddress
lstrcmpiA
GetVersion
MultiByteToWideChar
GetWindowsDirectoryA
LoadLibraryA
FreeLibrary
lstrcatA
lstrlenA
WinExec
lstrcpyA
VirtualAlloc
GetLastError
ExitProcess
WideCharToMultiByte
FindResourceA
LoadResource
LockResource
SizeofResource
GetVersionExA
GetThreadLocale
GetLocaleInfoA
GetACP
SetHandleCount
InterlockedExchange

user32

GetSysColorBrush
wsprintfA
GetDesktopWindow
CreateDialogIndirectParamA
EndDialog
GetMessageA
TranslateMessage
ValidateRect
PostQuitMessage
GetCursorPos
SetMenuItemBitmaps
ModifyMenuA
EnableMenuItem
CheckMenuItem
GetMenuCheckMarkDimensions
LoadBitmapA
IsWindowEnabled
SetWindowTextA
IsDialogMessageA
GetMenuState
EndPaint
BeginPaint
GrayStringA
DrawTextExA
DrawTextA
TabbedTextOutA
RegisterWindowMessageA
WinHelpA
SetWindowsHookExA
CallNextHookEx
GetClassLongA
GetClassInfoExA
GetClassNameA
SetPropA
GetPropA
RemovePropA
SendDlgItemMessageA
GetFocus
SetFocus
GetWindowTextLengthA
GetWindowTextA
GetLastActivePopup
SetActiveWindow
DispatchMessageA
GetDlgItem
GetTopWindow
DestroyWindow
UnhookWindowsHookEx
GetMessageTime
PeekMessageA
MapWindowPoints
MessageBoxA
GetKeyState
SetForegroundWindow
IsWindowVisible
UpdateWindow
GetMenu
GetMenuItemID
GetMenuItemCount
AdjustWindowRectEx
DestroyIcon
DrawStateA
ReleaseDC
CreateIconIndirect
GetDC
GetIconInfo
GetSysColor
CopyRect
InflateRect
OffsetRect
FillRect
FrameRect
DrawFocusRect
SendMessageA
GetClassInfoA
RegisterClassA
UnregisterClassA
GetDlgCtrlID
DefWindowProcA
CallWindowProcA
SetWindowPos
SystemParametersInfoA
IsIconic
GetWindowPlacement
GetSystemMetrics
GetWindow
SetWindowLongA
LoadCursorA
CopyIcon
MessageBeep
IsWindow
GetMessagePos
KillTimer
SetTimer
GetForegroundWindow
GetWindowRect
GetClientRect
ClientToScreen
InvalidateRect
GetActiveWindow
GetNextDlgTabItem
GetParent
WindowFromPoint
EnableWindow
GetWindowLongA
DestroyMenu
DestroyCursor
SetCursor
PostMessageA
TrackPopupMenuEx
GetSubMenu
LoadImageA
ScreenToClient
PtInRect
ShowWindow
CreateWindowExA
InSendMessage
LoadIconA
GetCapture

gdi32

GetDeviceCaps
CreatePen
CreateSolidBrush
ScaleWindowExtEx
SetWindowExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
Escape
ExtTextOutA
TextOutA
RectVisible
PtVisible
DeleteObject
MoveToEx
LineTo
SetMapMode
SetBkMode
RestoreDC
SaveDC
GetClipBox
GetTextExtentPoint32A
CreateFontIndirectA
CreateCompatibleBitmap
GetObjectA
GetPixel
SetPixel
CreateBitmap
CreateCompatibleDC
SelectObject
SetBkColor
BitBlt
SetTextColor
DeleteDC
GetStockObject

winspool.drv

OpenPrinterA
DocumentPropertiesA
ClosePrinter

advapi32

RegQueryValueA
RegOpenKeyExA
RegOpenKeyA
RegQueryValueExA
RegDeleteKeyA
RegEnumKeyA
RegCreateKeyExA
RegSetValueExA
RegCloseKey

shell32

ShellExecuteA
ShellExecuteExA

comctl32

_TrackMouseEvent
ord17

shlwapi

PathFindFileNameA
PathFindExtensionA

oleaut32

VariantClear
VariantChangeType
VariantInit

Sections

.text
Size: 168KB - Virtual size: 166KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 444KB - Virtual size: 440KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/emotet/7e4f5b16ee4b4eae020cb097a515f827985bdeba25b0acfcc5fbc181ecaab888
.exe windows:4 windows x86 arch:x86

fafaaed45b3ff76ce34b36dc8fa53ed6

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

VirtualQuery
GetStartupInfoA
GetCommandLineA
ExitProcess
HeapReAlloc
TerminateProcess
ExitThread
CreateThread
HeapSize
FatalAppExitA
SetUnhandledExceptionFilter
LCMapStringA
LCMapStringW
HeapDestroy
HeapCreate
VirtualFree
IsBadWritePtr
GetStdHandle
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetSystemInfo
SetHandleCount
GetFileType
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetTimeZoneInformation
GetDriveTypeA
GetStringTypeA
GetStringTypeW
IsBadReadPtr
IsBadCodePtr
SetStdHandle
GetTimeFormatA
GetDateFormatA
GetUserDefaultLCID
EnumSystemLocalesA
IsValidLocale
IsValidCodePage
SetConsoleCtrlHandler
GetLocaleInfoW
SetEnvironmentVariableA
VirtualAlloc
VirtualProtect
HeapFree
HeapAlloc
RtlUnwind
GetTickCount
SetErrorMode
LocalLock
LocalUnlock
SetFileAttributesA
LocalFileTimeToFileTime
GetShortPathNameA
CreateFileA
GetVolumeInformationA
GetCurrentProcess
DuplicateHandle
GetFileSize
SetEndOfFile
UnlockFile
LockFile
FlushFileBuffers
SetFilePointer
WriteFile
ReadFile
DeleteFileA
MoveFileA
SystemTimeToFileTime
GetOEMCP
GetCPInfo
InterlockedIncrement
RaiseException
TlsFree
DeleteCriticalSection
LocalReAlloc
TlsSetValue
TlsAlloc
InitializeCriticalSection
TlsGetValue
EnterCriticalSection
GlobalHandle
GlobalReAlloc
LeaveCriticalSection
LocalAlloc
GlobalFlags
GetDiskFreeSpaceA
GetFullPathNameA
GetTempFileNameA
GetFileTime
SetFileTime
GetFileAttributesA
GetPrivateProfileStringA
WritePrivateProfileStringA
GetPrivateProfileIntA
CreateEventA
SuspendThread
SetEvent
WaitForSingleObject
ResumeThread
SetThreadPriority
CloseHandle
GetCurrentThread
ConvertDefaultLocale
EnumResourceLanguagesA
lstrcmpA
lstrcpyA
FindFirstFileA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindNextFileA
FindClose
GetModuleFileNameA
InterlockedDecrement
SetLastError
GlobalFree
CopyFileA
MulDiv
GlobalSize
FormatMessageA
LocalFree
FreeResource
GetCurrentThreadId
GlobalFindAtomA
GlobalDeleteAtom
LoadLibraryA
FreeLibrary
lstrcatA
lstrcmpW
GetProcAddress
lstrcpynA
GlobalGetAtomNameA
GlobalAddAtomA
GetModuleHandleA
GetStringTypeExW
GetStringTypeExA
GetEnvironmentVariableW
GetEnvironmentVariableA
CompareStringW
CompareStringA
lstrlenA
lstrcmpiW
lstrlenW
lstrcmpiA
GetVersion
GetLastError
MultiByteToWideChar
GetCurrentDirectoryA
SetCurrentDirectoryA
GlobalAlloc
GlobalLock
GlobalUnlock
WideCharToMultiByte
FindResourceA
LoadResource
LockResource
SizeofResource
GetVersionExA
GetThreadLocale
GetLocaleInfoA
GetACP
GetEnvironmentStringsW
InterlockedExchange

user32

GetDialogBaseUnits
DestroyIcon
CharNextA
CopyAcceleratorTableA
InvalidateRgn
GetNextDlgGroupItem
IsClipboardFormatAvailable
GetTabbedTextExtentA
RegisterClipboardFormatA
PostThreadMessageA
GetMenuItemInfoA
InflateRect
EndPaint
BeginPaint
GetWindowDC
ClientToScreen
GrayStringA
DrawTextExA
DrawTextA
TabbedTextOutA
FillRect
MapVirtualKeyA
GetKeyNameTextA
SetParent
GetSystemMenu
DeleteMenu
IsRectEmpty
GetMenuStringA
AppendMenuA
InsertMenuA
RemoveMenu
GetDC
ReleaseDC
IsZoomed
SetMenuItemBitmaps
ModifyMenuA
GetMenuState
EnableMenuItem
CheckMenuItem
GetMenuCheckMarkDimensions
ScrollWindowEx
MoveWindow
SetWindowTextA
IsDialogMessageA
SetDlgItemTextA
SetDlgItemInt
GetDlgItemTextA
CheckDlgButton
SetWindowsHookExA
CallNextHookEx
GetClassLongA
GetClassInfoExA
SetPropA
GetPropA
RemovePropA
IsChild
GetWindowTextLengthA
GetWindowTextA
GetForegroundWindow
BeginDeferWindowPos
EndDeferWindowPos
GetTopWindow
DestroyWindow
UnhookWindowsHookEx
GetMessageTime
GetMessagePos
MapWindowPoints
ScrollWindow
MessageBoxA
TrackPopupMenuEx
TrackPopupMenu
LockWindowUpdate
GetScrollRange
SetScrollPos
GetScrollPos
SetForegroundWindow
ShowScrollBar
AdjustWindowRectEx
DeferWindowPos
GetScrollInfo
SetScrollInfo
RegisterClassA
UnregisterClassA
SetWindowPlacement
DefWindowProcA
CallWindowProcA
SystemParametersInfoA
GetWindowPlacement
GetWindowRect
GetSystemMetrics
PtInRect
RegisterWindowMessageA
wsprintfA
DestroyMenu
GetClassNameA
GetSysColor
SetWindowPos
WinHelpA
SetFocus
GetActiveWindow
GetFocus
EqualRect
SetWindowLongA
SendMessageA
LoadBitmapA
GetSubMenu
LoadMenuA
ScreenToClient
SetTimer
KillTimer
GetDlgItemInt
SetCapture
OpenClipboard
LoadCursorA
EnableWindow
CloseClipboard
SetClipboardData
GetDlgCtrlID
GetMenu
UnpackDDElParam
ReuseDDElParam
LoadIconA
GetClassInfoA
PeekMessageA
GetCapture
LoadAcceleratorsA
GetParent
SetActiveWindow
IsWindowVisible
InvalidateRect
IsIconic
InsertMenuItemA
GetDCEx
WindowFromPoint
SetRect
UnionRect
GetSysColorBrush
SetWindowContextHelpId
MapDialogRect
GetMessageA
ValidateRect
GetMenuItemID
GetMenuItemCount
CreatePopupMenu
IntersectRect
OffsetRect
SetRectEmpty
CopyRect
GetLastActivePopup
BringWindowToTop
PostMessageA
SetMenu
ShowWindow
GetWindowLongA
ShowOwnedPopups
PostQuitMessage
CreateDialogIndirectParamA
GetNextDlgTabItem
SetScrollRange
EndDialog
EmptyClipboard
SetCursor
GetKeyState
GetCursorPos
ReleaseCapture
MessageBeep
GetClipboardData
SetCursorPos
DispatchMessageA
TranslateMessage
CharLowerA
CharLowerW
CharUpperA
CharUpperW
CreateWindowExA
InSendMessage
UpdateWindow
IsDlgButtonChecked
CheckRadioButton
GetDlgItem
SendDlgItemMessageA
GetClientRect
TranslateAcceleratorA
IsWindowEnabled
GetWindow
GetDesktopWindow
IsWindow

gdi32

GetStockObject
SelectPalette
PlayMetaFileRecord
GetObjectType
EnumMetaFile
PlayMetaFile
CreatePen
ExtCreatePen
CreateSolidBrush
CreateHatchBrush
CreateFontIndirectA
CreatePatternBrush
CombineRgn
GetMapMode
DPtoLP
GetBkColor
GetTextColor
GetRgnBox
StartPage
EndPage
SetAbortProc
AbortDoc
EndDoc
CreateDIBPatternBrushPt
ExtSelectClipRgn
PolyBezierTo
PolylineTo
PolyDraw
ArcTo
GetCurrentPositionEx
ScaleWindowExtEx
SetWindowExtEx
OffsetWindowOrgEx
SetWindowOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
Escape
ExtTextOutA
TextOutA
RectVisible
PtVisible
StartDocA
GetPixel
BitBlt
GetWindowExtEx
GetViewportExtEx
SelectClipPath
SetRectRgn
GetObjectA
GetClipRgn
SelectClipRgn
SetColorAdjustment
SetArcDirection
SetMapperFlags
SetTextCharacterExtra
SetTextJustification
SetTextAlign
MoveToEx
LineTo
OffsetClipRgn
IntersectClipRect
ExcludeClipRect
SetMapMode
SetStretchBltMode
SetROP2
SetPolyFillMode
SetBkMode
RestoreDC
SaveDC
PatBlt
CreateRectRgnIndirect
CreateDCA
CopyMetaFileA
GetDeviceCaps
CreateFontA
GetCharWidthA
DeleteObject
StretchDIBits
DeleteDC
GetTextExtentPoint32A
GetTextMetricsA
SelectObject
CreateBitmap
SetBkColor
SetTextColor
GetClipBox
GetDCOrgEx
CreateCompatibleDC
CreateCompatibleBitmap
CreateRectRgn

comdlg32

GetFileTitleA
PrintDlgA
PageSetupDlgA
ReplaceTextA
FindTextA
GetOpenFileNameA
GetSaveFileNameA
CommDlgExtendedError

winspool.drv

OpenPrinterA
DocumentPropertiesA
ClosePrinter
GetJobA

advapi32

RegCreateKeyA
RegSetValueA
RegOpenKeyA
RegQueryValueExA
RegOpenKeyExA
RegDeleteKeyA
RegEnumKeyA
RegQueryValueA
RegCreateKeyExA
RegSetValueExA
RegDeleteValueA
SetFileSecurityA
RegCloseKey
GetFileSecurityA

shell32

ExtractIconA
DragAcceptFiles
SHGetMalloc
SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
DragQueryFileA
DragFinish

comctl32

ImageList_AddMasked
ImageList_Draw
ImageList_GetImageInfo
ord17
ord13
ImageList_Read
ImageList_Write
ord14
ImageList_Destroy
ImageList_Create
ImageList_LoadImageA
ImageList_Merge

shlwapi

PathRemoveExtensionA
PathFindFileNameA
PathStripToRootA
PathFindExtensionA
PathIsUNCA

oledlg

ord8

ole32

StgOpenStorageOnILockBytes
CoGetClassObject
StringFromGUID2
CoCreateInstance
CoDisconnectObject
CLSIDFromString
CLSIDFromProgID
OleDuplicateData
ReleaseStgMedium
StgCreateDocfileOnILockBytes
CreateBindCtx
CoTreatAsClass
StringFromCLSID
ReadClassStg
ReadFmtUserTypeStg
OleRegGetUserType
WriteClassStg
WriteFmtUserTypeStg
SetConvertStg
CoTaskMemFree
CreateILockBytesOnHGlobal
OleRun
OleUninitialize
CoFreeUnusedLibraries
CreateStreamOnHGlobal
CoRegisterMessageFilter
OleFlushClipboard
OleIsCurrentClipboard
OleSetClipboard
CoRevokeClassObject
CoRegisterClassObject
CoTaskMemAlloc
OleInitialize

oleaut32

VariantChangeType
VariantInit
SysAllocStringLen
SysFreeString
SysStringLen
SysAllocStringByteLen
SysStringByteLen
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayGetElemsize
SafeArrayGetDim
SafeArrayCreate
SafeArrayRedim
VariantCopy
SafeArrayAllocData
SafeArrayAllocDescriptor
SafeArrayCopy
SafeArrayGetElement
SafeArrayPtrOfIndex
SafeArrayPutElement
SafeArrayLock
SafeArrayUnlock
SafeArrayDestroy
SafeArrayDestroyData
SafeArrayDestroyDescriptor
VariantTimeToSystemTime
SystemTimeToVariantTime
SysAllocString
SysReAllocStringLen
VarDateFromStr
VarBstrFromDec
VarDecFromStr
VarCyFromStr
VarBstrFromCy
VarBstrFromDate
OleCreateFontIndirect
LoadTypeLi
VariantClear

Sections

.text
Size: 556KB - Virtual size: 555KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 120KB - Virtual size: 116KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 20KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.didat
Size: 4KB - Virtual size: 793B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 128KB - Virtual size: 126KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/emotet/ISmm7Q94U.dll
.dll regsvr32 windows:4 windows x64 arch:x64

733e4ccf9ef47c6e471d93270b5eb898

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

kernel32

AddAtomA
CloseHandle
CreateMutexA
CreateSemaphoreA
DeleteCriticalSection
EnterCriticalSection
FindAtomA
GetAtomNameA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetModuleHandleA
GetProcAddress
GetSystemTimeAsFileTime
GetTickCount
InitializeCriticalSection
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryW
MultiByteToWideChar
QueryPerformanceCounter
ReleaseMutex
ReleaseSemaphore
RtlAddFunctionTable
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetLastError
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
UnhandledExceptionFilter
VirtualAlloc
VirtualProtect
VirtualQuery
WaitForSingleObject
WideCharToMultiByte

msvcrt

_fdopen
_fileno
_read
_write
__dllonexit
__doserrno
__iob_func
__mb_cur_max
__pioinfo
_amsg_exit
_errno
_filelengthi64
_fileno
_fstat64
_initterm
_lock
_lseeki64
_onexit
_strnicmp
_unlock
_vsnprintf
_write
abort
atoi
calloc
fclose
fflush
fgetpos
fopen
fputc
fputs
fread
free
fsetpos
fwrite
getc
getwc
isspace
iswctype
localeconv
malloc
memchr
memcpy
memmove
memset
printf
putc
putwc
realloc
setlocale
setvbuf
signal
sprintf
strchr
strcmp
strcoll
strcpy
strerror
strftime
strlen
strncmp
strxfrm
towlower
towupper
ungetc
ungetwc
vfprintf
wcscoll
wcsftime
wcslen
wcsxfrm

user32

ShowWindow

ole32

CoLoadLibrary

Exports

Exports

ConsoleInput
DllRegisterServer
_ZN8DllClassC1Ev
_ZN8DllClassC2Ev
_ZN8DllClassD0Ev
_ZN8DllClassD1Ev
_ZN8DllClassD2Ev
_ZTV8DllClass

Sections

.text
Size: 531KB - Virtual size: 531KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 52KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 5KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 263B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 72B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 158KB - Virtual size: 158KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/formbook/10a5c29d6a44de5b996598f71820bff8c29cc6b5229d2c7ec0664b601d81068d.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Code Sign

4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

19/01/2010, 00:00

Not After

18/01/2038, 23:59

Subject

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7c:11:18:cb:ba:dc:95:da:37:52:c4:6e:47:a2:74:38
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

13/11/2018, 00:00

Not After

08/11/2021, 23:59

Subject

CN=Simon Tatham,O=Simon Tatham,L=Cambridge,ST=Cambridgeshire,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

19/01/2010, 00:00

Not After

18/01/2038, 23:59

Subject

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7c:11:18:cb:ba:dc:95:da:37:52:c4:6e:47:a2:74:38
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

13/11/2018, 00:00

Not After

08/11/2021, 23:59

Subject

CN=Simon Tatham,O=Simon Tatham,L=Cambridge,ST=Cambridgeshire,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

0d:3f:7a:67:b3:e2:b7:0d:e4:be:97:74:7b:1c:b9:25:db:a8:e0:39:44:4d:71:8a:4d:ab:87:d9:ba:0c:ee:0a
Signer

Actual PE Digest

0d:3f:7a:67:b3:e2:b7:0d:e4:be:97:74:7b:1c:b9:25:db:a8:e0:39:44:4d:71:8a:4d:ab:87:d9:ba:0c:ee:0a

Digest Algorithm

sha256

PE Digest Matches

false

82:a6:a8:ae:cf:fa:b6:ec:37:ef:03:c9:5d:33:ef:b4:5f:70:86:49
Signer

Actual PE Digest

82:a6:a8:ae:cf:fa:b6:ec:37:ef:03:c9:5d:33:ef:b4:5f:70:86:49

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 829KB - Virtual size: 829KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/formbook/2656-25-0x0000000000400000-0x000000000042F000-memory.exe
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 180KB - Virtual size: 180KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/formbook/42a78ab84a5fc43e1b379a2968a32f272492c860f0602649d25374d521b4b83c.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

zEvO.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 899KB - Virtual size: 898KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/formbook/5a5ecb542145e7b9cc78d7f3d55a3b5d5183b8c5e7fb604c35085485127de7f4.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 923KB - Virtual size: 922KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/formbook/6f706398207b1fd3a00de5f859dc840cf8e100175fdabe260ebb96db5980f03c.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 733KB - Virtual size: 732KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/formbook/94fbf90615b1baf84da26854c9c7b72115eaa12eb8392d898c7689f433980120.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

tzyR.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 830KB - Virtual size: 830KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/formbook/FormBook-34517e69384b6b82ef9411783dc2683d6d7ae0f4b298370dd3b489f9ccd817fa.exe
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 180KB - Virtual size: 180KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/formbook/MtpEVOhIlX08ZbN.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

vQkj.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 833KB - Virtual size: 832KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/formbook/Payment 013125.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/formbook/ordre de virement..exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

foQj.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 691KB - Virtual size: 691KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/hamm/FF120262860500BAD3236F6E5BA5646F9A4152A9EB4CBFE837EDA4776A03F9EF .bat
.apk android
BastianHein Malware samples/revengeRat/11b31f68b9814fdc512c0ddcffad6ea8c67231e18d0b8ed7924b7a525eb35ee8
.exe windows:4 windows x86 arch:x86

5dc882c2547d7b74ff2e563856f72620

Code Sign

0d:16:0b:82:52:a4:f0:a1:6f:e1:25:5f:a0:a2:2e:2b
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

25/02/2014, 00:00

Not After

25/02/2015, 23:59

Subject

CN=CHIP Digital GmbH,O=CHIP Digital GmbH,L=Muenchen,ST=Bayern,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

21:3c:d2:85:35:da:89:65:96:bc:82:51:23:6b:ac:dd:43:ba:d2:07
Signer

Actual PE Digest

21:3c:d2:85:35:da:89:65:96:bc:82:51:23:6b:ac:dd:43:ba:d2:07

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

__vbaVarTstGt
__vbaVarSub
_CIcos
_adj_fptan
__vbaVarMove
__vbaVarVargNofree
__vbaFreeVar
__vbaAryMove
__vbaLenBstr
__vbaStrVarMove
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaStrErrVarCopy
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
ord593
ord594
__vbaOnError
__vbaObjSet
ord595
_adj_fdiv_m16i
_adj_fdivr_m16i
ord520
_CIsin
ord632
__vbaChkstk
ord526
__vbaFileClose
EVENT_SINK_AddRef
ord527
__vbaStrCmp
__vbaVarTstEq
__vbaPutOwner4
DllFunctionCall
ord563
_adj_fpatan
EVENT_SINK_Release
ord600
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
__vbaPrintFile
ord606
_adj_fprem
_adj_fdivr_m64
ord608
ord531
__vbaFPException
__vbaInStrVar
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaVar2Vec
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord100
ord579
__vbaVarAdd
__vbaStrToAnsi
ord613
ord616
__vbaFpI4
ord617
_CIatan
__vbaStrMove
ord618
_allmul
_CItan
__vbaFPInt
_CIexp
__vbaFreeStr
__vbaI4ErrVar
__vbaFreeObj

Sections

.text
Size: 96KB - Virtual size: 95KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 508KB - Virtual size: 506KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/revengeRat/1541b2f47de33e0e3eb10a82ff2e3d97eec0edbce8ca2fb46cb59ebd6e420440N.exe
.exe windows:4 windows x86 arch:x86

5dc882c2547d7b74ff2e563856f72620

Code Sign

0d:16:0b:82:52:a4:f0:a1:6f:e1:25:5f:a0:a2:2e:2b
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

25/02/2014, 00:00

Not After

25/02/2015, 23:59

Subject

CN=CHIP Digital GmbH,O=CHIP Digital GmbH,L=Muenchen,ST=Bayern,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

79:59:98:74:e8:69:85:c4:23:e3:38:85:3e:c8:90:c0:5f:58:85:b8
Signer

Actual PE Digest

79:59:98:74:e8:69:85:c4:23:e3:38:85:3e:c8:90:c0:5f:58:85:b8

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

__vbaVarTstGt
__vbaVarSub
_CIcos
_adj_fptan
__vbaVarMove
__vbaVarVargNofree
__vbaFreeVar
__vbaAryMove
__vbaLenBstr
__vbaStrVarMove
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaStrErrVarCopy
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
ord593
ord594
__vbaOnError
__vbaObjSet
ord595
_adj_fdiv_m16i
_adj_fdivr_m16i
ord520
_CIsin
ord632
__vbaChkstk
ord526
__vbaFileClose
EVENT_SINK_AddRef
ord527
__vbaStrCmp
__vbaVarTstEq
__vbaPutOwner4
DllFunctionCall
ord563
_adj_fpatan
EVENT_SINK_Release
ord600
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
__vbaPrintFile
ord606
_adj_fprem
_adj_fdivr_m64
ord608
ord531
__vbaFPException
__vbaInStrVar
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaVar2Vec
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord100
ord579
__vbaVarAdd
__vbaStrToAnsi
ord613
ord616
__vbaFpI4
ord617
_CIatan
__vbaStrMove
ord618
_allmul
_CItan
__vbaFPInt
_CIexp
__vbaFreeStr
__vbaI4ErrVar
__vbaFreeObj

Sections

.text
Size: 96KB - Virtual size: 95KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 492KB - Virtual size: 490KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/revengeRat/15d1728d90b6d681582443959406fa6a84451219e576e4d15ff969d0f87790b7N.exe
.exe windows:4 windows x86 arch:x86

e0de7315beb7d48fb04bf841b6f31c90

Code Sign

0d:16:0b:82:52:a4:f0:a1:6f:e1:25:5f:a0:a2:2e:2b
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

25/02/2014, 00:00

Not After

25/02/2015, 23:59

Subject

CN=CHIP Digital GmbH,O=CHIP Digital GmbH,L=Muenchen,ST=Bayern,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

ed:84:48:12:3b:3e:ab:8a:84:21:46:b8:46:53:4b:98:03:0d:60:49
Signer

Actual PE Digest

ed:84:48:12:3b:3e:ab:8a:84:21:46:b8:46:53:4b:98:03:0d:60:49

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

__vbaVarTstGt
__vbaVarSub
_CIcos
_adj_fptan
__vbaVarMove
__vbaVarVargNofree
__vbaFreeVar
__vbaAryMove
__vbaLenBstr
__vbaStrVarMove
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaStrErrVarCopy
_adj_fprem1
__vbaRecAnsiToUni
__vbaStrCat
__vbaLsetFixstr
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
ord593
ord594
__vbaOnError
__vbaObjSet
ord595
_adj_fdiv_m16i
_adj_fdivr_m16i
ord598
ord520
_CIsin
ord632
ord525
__vbaChkstk
ord526
__vbaFileClose
EVENT_SINK_AddRef
ord527
__vbaStrCmp
__vbaVarTstEq
__vbaPutOwner4
__vbaI2I4
DllFunctionCall
ord563
_adj_fpatan
__vbaRecUniToAnsi
EVENT_SINK_Release
ord600
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
__vbaPrintFile
ord606
_adj_fprem
_adj_fdivr_m64
ord608
ord531
__vbaFPException
__vbaInStrVar
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaVar2Vec
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord100
ord579
__vbaVarAdd
__vbaStrToAnsi
ord613
ord616
__vbaFpI4
ord617
_CIatan
__vbaStrMove
ord618
_allmul
_CItan
__vbaFPInt
_CIexp
__vbaFreeStr
__vbaI4ErrVar
__vbaFreeObj

Sections

.text
Size: 100KB - Virtual size: 98KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 828KB - Virtual size: 826KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/revengeRat/1db3d85ef789b75927ac2670f38ea844ad535e51aac76a5020bd2710c834e163N.exe
.exe windows:4 windows x86 arch:x86

5dc882c2547d7b74ff2e563856f72620

Code Sign

0d:16:0b:82:52:a4:f0:a1:6f:e1:25:5f:a0:a2:2e:2b
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

25/02/2014, 00:00

Not After

25/02/2015, 23:59

Subject

CN=CHIP Digital GmbH,O=CHIP Digital GmbH,L=Muenchen,ST=Bayern,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

15:0f:5b:7c:71:c3:8b:29:3b:e5:a5:65:ac:6e:0e:b2:1a:77:26:94
Signer

Actual PE Digest

15:0f:5b:7c:71:c3:8b:29:3b:e5:a5:65:ac:6e:0e:b2:1a:77:26:94

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

__vbaVarTstGt
__vbaVarSub
_CIcos
_adj_fptan
__vbaVarMove
__vbaVarVargNofree
__vbaFreeVar
__vbaAryMove
__vbaLenBstr
__vbaStrVarMove
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaStrErrVarCopy
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
ord593
ord594
__vbaOnError
__vbaObjSet
ord595
_adj_fdiv_m16i
_adj_fdivr_m16i
ord520
_CIsin
ord632
__vbaChkstk
ord526
__vbaFileClose
EVENT_SINK_AddRef
ord527
__vbaStrCmp
__vbaVarTstEq
__vbaPutOwner4
DllFunctionCall
ord563
_adj_fpatan
EVENT_SINK_Release
ord600
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
__vbaPrintFile
ord606
_adj_fprem
_adj_fdivr_m64
ord608
ord531
__vbaFPException
__vbaInStrVar
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaVar2Vec
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord100
ord579
__vbaVarAdd
__vbaStrToAnsi
ord613
ord616
__vbaFpI4
ord617
_CIatan
__vbaStrMove
ord618
_allmul
_CItan
__vbaFPInt
_CIexp
__vbaFreeStr
__vbaI4ErrVar
__vbaFreeObj

Sections

.text
Size: 96KB - Virtual size: 95KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 492KB - Virtual size: 490KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/revengeRat/1fc91c262c218999db6df5f661e8605109613e6e7ed087e5abd131b16fc697abN.exe
.exe windows:4 windows x86 arch:x86

5dc882c2547d7b74ff2e563856f72620

Code Sign

0d:16:0b:82:52:a4:f0:a1:6f:e1:25:5f:a0:a2:2e:2b
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

25/02/2014, 00:00

Not After

25/02/2015, 23:59

Subject

CN=CHIP Digital GmbH,O=CHIP Digital GmbH,L=Muenchen,ST=Bayern,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7d:28:cb:cf:5b:64:34:07:ca:b6:d4:80:c7:1d:df:1f:aa:d9:94:99
Signer

Actual PE Digest

7d:28:cb:cf:5b:64:34:07:ca:b6:d4:80:c7:1d:df:1f:aa:d9:94:99

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

__vbaVarTstGt
__vbaVarSub
_CIcos
_adj_fptan
__vbaVarMove
__vbaVarVargNofree
__vbaFreeVar
__vbaAryMove
__vbaLenBstr
__vbaStrVarMove
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaStrErrVarCopy
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
ord593
ord594
__vbaOnError
__vbaObjSet
ord595
_adj_fdiv_m16i
_adj_fdivr_m16i
ord520
_CIsin
ord632
__vbaChkstk
ord526
__vbaFileClose
EVENT_SINK_AddRef
ord527
__vbaStrCmp
__vbaVarTstEq
__vbaPutOwner4
DllFunctionCall
ord563
_adj_fpatan
EVENT_SINK_Release
ord600
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
__vbaPrintFile
ord606
_adj_fprem
_adj_fdivr_m64
ord608
ord531
__vbaFPException
__vbaInStrVar
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaVar2Vec
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord100
ord579
__vbaVarAdd
__vbaStrToAnsi
ord613
ord616
__vbaFpI4
ord617
_CIatan
__vbaStrMove
ord618
_allmul
_CItan
__vbaFPInt
_CIexp
__vbaFreeStr
__vbaI4ErrVar
__vbaFreeObj

Sections

.text
Size: 96KB - Virtual size: 95KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 492KB - Virtual size: 490KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/revengeRat/259af5147b99b4c014aeb425aaf236fc76ab60f1aa06efa77027393854e5fff4N.exe
.exe windows:4 windows x86 arch:x86

5dc882c2547d7b74ff2e563856f72620

Code Sign

0d:16:0b:82:52:a4:f0:a1:6f:e1:25:5f:a0:a2:2e:2b
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

25/02/2014, 00:00

Not After

25/02/2015, 23:59

Subject

CN=CHIP Digital GmbH,O=CHIP Digital GmbH,L=Muenchen,ST=Bayern,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

d5:50:5b:d4:e7:ef:c3:96:96:1e:fb:9b:79:7f:aa:5c:e3:b3:01:d6
Signer

Actual PE Digest

d5:50:5b:d4:e7:ef:c3:96:96:1e:fb:9b:79:7f:aa:5c:e3:b3:01:d6

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

__vbaVarTstGt
__vbaVarSub
_CIcos
_adj_fptan
__vbaVarMove
__vbaVarVargNofree
__vbaFreeVar
__vbaAryMove
__vbaLenBstr
__vbaStrVarMove
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaStrErrVarCopy
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
ord593
ord594
__vbaOnError
__vbaObjSet
ord595
_adj_fdiv_m16i
_adj_fdivr_m16i
ord520
_CIsin
ord632
__vbaChkstk
ord526
__vbaFileClose
EVENT_SINK_AddRef
ord527
__vbaStrCmp
__vbaVarTstEq
__vbaPutOwner4
DllFunctionCall
ord563
_adj_fpatan
EVENT_SINK_Release
ord600
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
__vbaPrintFile
ord606
_adj_fprem
_adj_fdivr_m64
ord608
ord531
__vbaFPException
__vbaInStrVar
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaVar2Vec
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord100
ord579
__vbaVarAdd
__vbaStrToAnsi
ord613
ord616
__vbaFpI4
ord617
_CIatan
__vbaStrMove
ord618
_allmul
_CItan
__vbaFPInt
_CIexp
__vbaFreeStr
__vbaI4ErrVar
__vbaFreeObj

Sections

.text
Size: 96KB - Virtual size: 95KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 492KB - Virtual size: 490KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/revengeRat/4cce13ad0d0f35ef0fe324ddebb0f7d567611c407c0c0029419d73c049d4e6d8N.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 91KB - Virtual size: 90KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/revengeRat/4ee0ec29adfa239c36143e772654ba2fc40cdbc15e3452e44e5148fdd96327da.exe
.exe windows:5 windows x86 arch:x86

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

WSACleanup
socket
inet_ntoa
setsockopt
ntohs
recvfrom
ioctlsocket
htons
WSAStartup
__WSAFDIsSet
select
accept
listen
bind
closesocket
WSAGetLastError
recv
sendto
send
inet_addr
gethostbyname
gethostname
connect

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

winmm

timeGetTime
waveOutSetVolume
mciSendStringW

comctl32

ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Remove
ImageList_SetDragCursorImage
ImageList_BeginDrag
ImageList_DragEnter
ImageList_DragLeave
ImageList_EndDrag
ImageList_DragMove
InitCommonControlsEx
ImageList_Create

mpr

WNetUseConnectionW
WNetCancelConnection2W
WNetGetConnectionW
WNetAddConnection2W

wininet

InternetQueryDataAvailable
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetCrackUrlW
HttpQueryInfoW
InternetQueryOptionW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
InternetReadFile
InternetConnectW

psapi

GetProcessMemoryInfo

iphlpapi

IcmpCreateFile
IcmpCloseHandle
IcmpSendEcho

userenv

DestroyEnvironmentBlock
UnloadUserProfile
CreateEnvironmentBlock
LoadUserProfileW

uxtheme

IsThemeActive

kernel32

DuplicateHandle
CreateThread
WaitForSingleObject
HeapAlloc
GetProcessHeap
HeapFree
Sleep
GetCurrentThreadId
MultiByteToWideChar
MulDiv
GetVersionExW
IsWow64Process
GetSystemInfo
FreeLibrary
LoadLibraryA
GetProcAddress
SetErrorMode
GetModuleFileNameW
WideCharToMultiByte
lstrcpyW
lstrlenW
GetModuleHandleW
QueryPerformanceCounter
VirtualFreeEx
OpenProcess
VirtualAllocEx
WriteProcessMemory
ReadProcessMemory
CreateFileW
SetFilePointerEx
SetEndOfFile
ReadFile
WriteFile
FlushFileBuffers
TerminateProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetFileTime
GetFileAttributesW
FindFirstFileW
SetCurrentDirectoryW
GetLongPathNameW
GetShortPathNameW
DeleteFileW
FindNextFileW
CopyFileExW
MoveFileW
CreateDirectoryW
RemoveDirectoryW
SetSystemPowerState
QueryPerformanceFrequency
FindResourceW
LoadResource
LockResource
SizeofResource
EnumResourceNamesW
OutputDebugStringW
GetTempPathW
GetTempFileNameW
DeviceIoControl
GetLocalTime
CompareStringW
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
GetStdHandle
CreatePipe
InterlockedExchange
TerminateThread
LoadLibraryExW
FindResourceExW
CopyFileW
VirtualFree
FormatMessageW
GetExitCodeProcess
GetPrivateProfileStringW
WritePrivateProfileStringW
GetPrivateProfileSectionW
WritePrivateProfileSectionW
GetPrivateProfileSectionNamesW
FileTimeToLocalFileTime
FileTimeToSystemTime
SystemTimeToFileTime
LocalFileTimeToFileTime
GetDriveTypeW
GetDiskFreeSpaceExW
GetDiskFreeSpaceW
GetVolumeInformationW
SetVolumeLabelW
CreateHardLinkW
SetFileAttributesW
CreateEventW
SetEvent
GetEnvironmentVariableW
SetEnvironmentVariableW
GlobalLock
GlobalUnlock
GlobalAlloc
GetFileSize
GlobalFree
GlobalMemoryStatusEx
Beep
GetSystemDirectoryW
HeapReAlloc
HeapSize
GetComputerNameW
GetWindowsDirectoryW
GetCurrentProcessId
GetProcessIoCounters
CreateProcessW
GetProcessId
SetPriorityClass
LoadLibraryW
VirtualAlloc
IsDebuggerPresent
GetCurrentDirectoryW
lstrcmpiW
DecodePointer
GetLastError
RaiseException
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
InterlockedDecrement
InterlockedIncrement
GetCurrentThread
CloseHandle
GetFullPathNameW
EncodePointer
ExitProcess
GetModuleHandleExW
ExitThread
GetSystemTimeAsFileTime
ResumeThread
GetCommandLineW
IsProcessorFeaturePresent
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetStringTypeW
SetStdHandle
GetFileType
GetConsoleCP
GetConsoleMode
RtlUnwind
ReadConsoleW
GetTimeZoneInformation
GetDateFormatW
GetTimeFormatW
LCMapStringW
GetEnvironmentStringsW
FreeEnvironmentStringsW
WriteConsoleW
FindClose
SetEnvironmentVariableA

user32

AdjustWindowRectEx
CopyImage
SetWindowPos
GetCursorInfo
RegisterHotKey
ClientToScreen
GetKeyboardLayoutNameW
IsCharAlphaW
IsCharAlphaNumericW
IsCharLowerW
IsCharUpperW
GetMenuStringW
GetSubMenu
GetCaretPos
IsZoomed
MonitorFromPoint
GetMonitorInfoW
SetWindowLongW
SetLayeredWindowAttributes
FlashWindow
GetClassLongW
TranslateAcceleratorW
IsDialogMessageW
GetSysColor
InflateRect
DrawFocusRect
DrawTextW
FrameRect
DrawFrameControl
FillRect
PtInRect
DestroyAcceleratorTable
CreateAcceleratorTableW
SetCursor
GetWindowDC
GetSystemMetrics
GetActiveWindow
CharNextW
wsprintfW
RedrawWindow
DrawMenuBar
DestroyMenu
SetMenu
GetWindowTextLengthW
CreateMenu
IsDlgButtonChecked
DefDlgProcW
CallWindowProcW
ReleaseCapture
SetCapture
CreateIconFromResourceEx
mouse_event
ExitWindowsEx
SetActiveWindow
FindWindowExW
EnumThreadWindows
SetMenuDefaultItem
InsertMenuItemW
IsMenu
TrackPopupMenuEx
GetCursorPos
DeleteMenu
SetRect
GetMenuItemID
GetMenuItemCount
SetMenuItemInfoW
GetMenuItemInfoW
SetForegroundWindow
IsIconic
FindWindowW
MonitorFromRect
keybd_event
SendInput
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
VkKeyScanW
LoadStringW
DialogBoxParamW
MessageBeep
EndDialog
SendDlgItemMessageW
GetDlgItem
SetWindowTextW
CopyRect
ReleaseDC
GetDC
EndPaint
BeginPaint
GetClientRect
GetMenu
DestroyWindow
EnumWindows
GetDesktopWindow
IsWindow
IsWindowEnabled
IsWindowVisible
EnableWindow
InvalidateRect
GetWindowLongW
GetWindowThreadProcessId
AttachThreadInput
GetFocus
GetWindowTextW
ScreenToClient
SendMessageTimeoutW
EnumChildWindows
CharUpperBuffW
GetParent
GetDlgCtrlID
SendMessageW
MapVirtualKeyW
PostMessageW
GetWindowRect
SetUserObjectSecurity
CloseDesktop
CloseWindowStation
OpenDesktopW
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
GetUserObjectSecurity
MessageBoxW
DefWindowProcW
SetClipboardData
EmptyClipboard
CountClipboardFormats
CloseClipboard
GetClipboardData
IsClipboardFormatAvailable
OpenClipboard
BlockInput
GetMessageW
LockWindowUpdate
DispatchMessageW
TranslateMessage
PeekMessageW
UnregisterHotKey
CheckMenuRadioItem
CharLowerBuffW
MoveWindow
SetFocus
PostQuitMessage
KillTimer
CreatePopupMenu
RegisterWindowMessageW
SetTimer
ShowWindow
CreateWindowExW
RegisterClassExW
LoadIconW
LoadCursorW
GetSysColorBrush
GetForegroundWindow
MessageBoxA
DestroyIcon
SystemParametersInfoW
LoadImageW
GetClassNameW

gdi32

StrokePath
DeleteObject
GetTextExtentPoint32W
ExtCreatePen
GetDeviceCaps
EndPath
SetPixel
CloseFigure
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
StretchBlt
GetDIBits
LineTo
AngleArc
MoveToEx
Ellipse
DeleteDC
GetPixel
CreateDCW
GetStockObject
GetTextFaceW
CreateFontW
SetTextColor
PolyDraw
BeginPath
Rectangle
SetViewportOrgEx
GetObjectW
SetBkMode
RoundRect
SetBkColor
CreatePen
CreateSolidBrush
StrokeAndFillPath

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

GetAce
RegEnumValueW
RegDeleteValueW
RegDeleteKeyW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegConnectRegistryW
InitializeSecurityDescriptor
InitializeAcl
AdjustTokenPrivileges
OpenThreadToken
OpenProcessToken
LookupPrivilegeValueW
DuplicateTokenEx
CreateProcessAsUserW
CreateProcessWithLogonW
GetLengthSid
CopySid
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
RegCreateKeyExW
FreeSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAclInformation
AddAce
SetSecurityDescriptorDacl
GetUserNameW
InitiateSystemShutdownExW

shell32

DragQueryPoint
ShellExecuteExW
DragQueryFileW
SHEmptyRecycleBinW
SHGetPathFromIDListW
SHBrowseForFolderW
SHCreateShellItem
SHGetDesktopFolder
SHGetSpecialFolderLocation
SHGetFolderPathW
SHFileOperationW
ExtractIconExW
Shell_NotifyIconW
ShellExecuteW
DragFinish

ole32

CoTaskMemAlloc
CoTaskMemFree
CLSIDFromString
ProgIDFromCLSID
CLSIDFromProgID
OleSetMenuDescriptor
MkParseDisplayName
OleSetContainedObject
CoCreateInstance
IIDFromString
StringFromGUID2
CreateStreamOnHGlobal
OleInitialize
OleUninitialize
CoInitialize
CoUninitialize
GetRunningObjectTable
CoGetInstanceFromFile
CoGetObject
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeSecurity

oleaut32

LoadTypeLibEx
VariantCopyInd
SysReAllocString
SysFreeString
SafeArrayDestroyDescriptor
SafeArrayDestroyData
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayAllocData
SafeArrayAllocDescriptorEx
SafeArrayCreateVector
RegisterTypeLi
CreateStdDispatch
DispCallFunc
VariantChangeType
SysStringLen
VariantTimeToSystemTime
VarR8FromDec
SafeArrayGetVartype
VariantCopy
VariantClear
OleLoadPicture
QueryPathOfRegTypeLi
RegisterTypeLibForUser
UnRegisterTypeLibForUser
UnRegisterTypeLi
CreateDispTypeInfo
SysAllocString
VariantInit

Sections

.text
Size: 568KB - Virtual size: 567KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 191KB - Virtual size: 191KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 91KB - Virtual size: 90KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 28KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/revengeRat/569fb685eeb1ee6c537e4ebadf689d9ecf8ad9c9934c407f061ebfd0c71215e4.exe
.exe windows:4 windows x86 arch:x86

5dc882c2547d7b74ff2e563856f72620

Code Sign

0d:16:0b:82:52:a4:f0:a1:6f:e1:25:5f:a0:a2:2e:2b
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

25/02/2014, 00:00

Not After

25/02/2015, 23:59

Subject

CN=CHIP Digital GmbH,O=CHIP Digital GmbH,L=Muenchen,ST=Bayern,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

fb:b6:79:e4:59:cd:cf:0d:cd:d7:d8:be:20:87:16:73:45:c4:e8:9e
Signer

Actual PE Digest

fb:b6:79:e4:59:cd:cf:0d:cd:d7:d8:be:20:87:16:73:45:c4:e8:9e

Digest Algorithm

sha1

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

__vbaVarTstGt
__vbaVarSub
_CIcos
_adj_fptan
__vbaVarMove
__vbaVarVargNofree
__vbaFreeVar
__vbaAryMove
__vbaLenBstr
__vbaStrVarMove
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaStrErrVarCopy
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
ord593
ord594
__vbaOnError
__vbaObjSet
ord595
_adj_fdiv_m16i
_adj_fdivr_m16i
ord520
_CIsin
ord632
__vbaChkstk
ord526
__vbaFileClose
EVENT_SINK_AddRef
ord527
__vbaStrCmp
__vbaVarTstEq
__vbaPutOwner4
DllFunctionCall
ord563
_adj_fpatan
EVENT_SINK_Release
ord600
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
__vbaPrintFile
ord606
_adj_fprem
_adj_fdivr_m64
ord608
ord531
__vbaFPException
__vbaInStrVar
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaVar2Vec
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord100
ord579
__vbaVarAdd
__vbaStrToAnsi
ord613
ord616
__vbaFpI4
ord617
_CIatan
__vbaStrMove
ord618
_allmul
_CItan
__vbaFPInt
_CIexp
__vbaFreeStr
__vbaI4ErrVar
__vbaFreeObj

Sections

.text
Size: 96KB - Virtual size: 95KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 492KB - Virtual size: 490KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/revengeRat/58da7a4ad635828299caaea5812fa8bf.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 744KB - Virtual size: 742KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 100KB - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/revengeRat/81b66022dda0fd9ccdaf738fd7076495cefde25989593d31955cb203535d07fa.exe
.exe windows:4 windows x86 arch:x86

5dc882c2547d7b74ff2e563856f72620

Code Sign

0d:16:0b:82:52:a4:f0:a1:6f:e1:25:5f:a0:a2:2e:2b
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

25/02/2014, 00:00

Not After

25/02/2015, 23:59

Subject

CN=CHIP Digital GmbH,O=CHIP Digital GmbH,L=Muenchen,ST=Bayern,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:10:de:76:bf:5f:1e:7b:3c:b0:c8:35:24:ff:aa:eb:4f:4b:41:e5
Signer

Actual PE Digest

11:10:de:76:bf:5f:1e:7b:3c:b0:c8:35:24:ff:aa:eb:4f:4b:41:e5

Digest Algorithm

sha1

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

__vbaVarTstGt
__vbaVarSub
_CIcos
_adj_fptan
__vbaVarMove
__vbaVarVargNofree
__vbaFreeVar
__vbaAryMove
__vbaLenBstr
__vbaStrVarMove
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaStrErrVarCopy
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
ord593
ord594
__vbaOnError
__vbaObjSet
ord595
_adj_fdiv_m16i
_adj_fdivr_m16i
ord520
_CIsin
ord632
__vbaChkstk
ord526
__vbaFileClose
EVENT_SINK_AddRef
ord527
__vbaStrCmp
__vbaVarTstEq
__vbaPutOwner4
DllFunctionCall
ord563
_adj_fpatan
EVENT_SINK_Release
ord600
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
__vbaPrintFile
ord606
_adj_fprem
_adj_fdivr_m64
ord608
ord531
__vbaFPException
__vbaInStrVar
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaVar2Vec
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord100
ord579
__vbaVarAdd
__vbaStrToAnsi
ord613
ord616
__vbaFpI4
ord617
_CIatan
__vbaStrMove
ord618
_allmul
_CItan
__vbaFPInt
_CIexp
__vbaFreeStr
__vbaI4ErrVar
__vbaFreeObj

Sections

.text
Size: 96KB - Virtual size: 95KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 492KB - Virtual size: 490KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/revengeRat/91527413a929193ca82cba1f856c5203355524ba588651bbe88a623a1125e51c.exe
.exe windows:5 windows x86 arch:x86

Code Sign

01:a0:c3:e3:bc:06:9f:71:b4:64:aa:d3:40:63:e2:09
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2015, 00:00

Not After

24/02/2016, 12:00

Subject

CN=CHIP Digital GmbH,O=CHIP Digital GmbH,L=München,ST=Bavaria,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

22/10/2013, 12:00

Not After

22/10/2028, 12:00

Subject

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

19:d9:00:89:60:56:54:b6:b9:ca:20:d3:32:12:d4:b7:1d:74:88:2b
Signer

Actual PE Digest

19:d9:00:89:60:56:54:b6:b9:ca:20:d3:32:12:d4:b7:1d:74:88:2b

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 1.3MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 335KB - Virtual size: 336KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 832KB - Virtual size: 832KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/revengeRat/ccfcd88a55fd550f63d8ba2c045c08522ec1b3815b22bac3d2ddaf1d392e35bbN.exe
.exe windows:5 windows x86 arch:x86

Code Sign

b0:56:4f:3f:bf:54:f6:26:95:17:86:4b:b2:43:29:fc
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

27/01/2016, 00:00

Not After

26/01/2017, 23:59

Subject

CN=CHIP Digital GmbH,OU=Download Development,O=CHIP Digital GmbH,POSTALCODE=81541,STREET=St.-Martin-Strasse 66,L=Munich,ST=Bavaria,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a5:72:e2:c6:cf:3d:b3:fb:6f:c3:8c:49:0a:df:3a:7a:e1:06:c1:4c
Signer

Actual PE Digest

a5:72:e2:c6:cf:3d:b3:fb:6f:c3:8c:49:0a:df:3a:7a:e1:06:c1:4c

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 1.6MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 335KB - Virtual size: 336KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/revengeRat/f20d8f0098f1dd3d70767c217b7e5cfad9c00ccc8abc5961dd37b7ff5a8dab64.exe
.exe windows:4 windows x86 arch:x86

5dc882c2547d7b74ff2e563856f72620

Code Sign

0d:16:0b:82:52:a4:f0:a1:6f:e1:25:5f:a0:a2:2e:2b
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

25/02/2014, 00:00

Not After

25/02/2015, 23:59

Subject

CN=CHIP Digital GmbH,O=CHIP Digital GmbH,L=Muenchen,ST=Bayern,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

f0:94:df:91:ec:24:9f:b7:7a:eb:59:a9:37:91:34:0e:c1:2d:f2:d7
Signer

Actual PE Digest

f0:94:df:91:ec:24:9f:b7:7a:eb:59:a9:37:91:34:0e:c1:2d:f2:d7

Digest Algorithm

sha1

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

__vbaVarTstGt
__vbaVarSub
_CIcos
_adj_fptan
__vbaVarMove
__vbaVarVargNofree
__vbaFreeVar
__vbaAryMove
__vbaLenBstr
__vbaStrVarMove
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaStrErrVarCopy
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
ord593
ord594
__vbaOnError
__vbaObjSet
ord595
_adj_fdiv_m16i
_adj_fdivr_m16i
ord520
_CIsin
ord632
__vbaChkstk
ord526
__vbaFileClose
EVENT_SINK_AddRef
ord527
__vbaStrCmp
__vbaVarTstEq
__vbaPutOwner4
DllFunctionCall
ord563
_adj_fpatan
EVENT_SINK_Release
ord600
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
__vbaPrintFile
ord606
_adj_fprem
_adj_fdivr_m64
ord608
ord531
__vbaFPException
__vbaInStrVar
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaVar2Vec
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord100
ord579
__vbaVarAdd
__vbaStrToAnsi
ord613
ord616
__vbaFpI4
ord617
_CIatan
__vbaStrMove
ord618
_allmul
_CItan
__vbaFPInt
_CIexp
__vbaFreeStr
__vbaI4ErrVar
__vbaFreeObj

Sections

.text
Size: 96KB - Virtual size: 95KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 492KB - Virtual size: 490KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/revengeRat/f969be81588cd3dc768d000c96c5f6201d1e066b4154d51f086f4ffc2252a9eb.exe
.exe windows:4 windows x86 arch:x86

5dc882c2547d7b74ff2e563856f72620

Code Sign

0d:16:0b:82:52:a4:f0:a1:6f:e1:25:5f:a0:a2:2e:2b
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

25/02/2014, 00:00

Not After

25/02/2015, 23:59

Subject

CN=CHIP Digital GmbH,O=CHIP Digital GmbH,L=Muenchen,ST=Bayern,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08/02/2010, 00:00

Not After

07/02/2020, 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

ce:f4:94:7c:a1:3e:c5:77:aa:12:29:a9:a5:5f:5d:dc:fa:ff:bc:3f
Signer

Actual PE Digest

ce:f4:94:7c:a1:3e:c5:77:aa:12:29:a9:a5:5f:5d:dc:fa:ff:bc:3f

Digest Algorithm

sha1

PE Digest Matches

false

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

__vbaVarTstGt
__vbaVarSub
_CIcos
_adj_fptan
__vbaVarMove
__vbaVarVargNofree
__vbaFreeVar
__vbaAryMove
__vbaLenBstr
__vbaStrVarMove
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaStrErrVarCopy
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
ord593
ord594
__vbaOnError
__vbaObjSet
ord595
_adj_fdiv_m16i
_adj_fdivr_m16i
ord520
_CIsin
ord632
__vbaChkstk
ord526
__vbaFileClose
EVENT_SINK_AddRef
ord527
__vbaStrCmp
__vbaVarTstEq
__vbaPutOwner4
DllFunctionCall
ord563
_adj_fpatan
EVENT_SINK_Release
ord600
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
__vbaPrintFile
ord606
_adj_fprem
_adj_fdivr_m64
ord608
ord531
__vbaFPException
__vbaInStrVar
ord645
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaVar2Vec
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
ord100
ord579
__vbaVarAdd
__vbaStrToAnsi
ord613
ord616
__vbaFpI4
ord617
_CIatan
__vbaStrMove
ord618
_allmul
_CItan
__vbaFPInt
_CIexp
__vbaFreeStr
__vbaI4ErrVar
__vbaFreeObj

Sections

.text
Size: 96KB - Virtual size: 95KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 492KB - Virtual size: 490KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/spyware/1b93af61e6c7d2cbd71023f51c477ccbabf98f6d58ed4686e229e5fb8242fdcaN.exe
.exe windows:5 windows x86 arch:x86

d61ce839b7ea483e097cd797be55fc2c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

wininet

InternetOpenUrlW
InternetCloseHandle
InternetSetStatusCallbackW
HttpQueryInfoW
InternetOpenW
InternetReadFileExA

kernel32

WaitForSingleObject
GetExitCodeProcess
CloseHandle
GetProcAddress
GetModuleHandleW
GetCurrentProcess
LoadLibraryW
WideCharToMultiByte
GetFileAttributesW
GetTempPathW
CreateFileW
GetFileSize
ReadFile
WriteFile
SetFilePointer
FindResourceW
LoadResource
LockResource
SizeofResource
GetTempFileNameW
Sleep
InitializeCriticalSection
DeleteCriticalSection
GetModuleFileNameW
DeleteFileW
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
GetLastError
LCMapStringA
InitializeCriticalSectionAndSpinCount
LoadLibraryA
GetStringTypeW
GetStringTypeA
GetLocaleInfoA
HeapReAlloc
VirtualAlloc
FlushFileBuffers
GetConsoleMode
GetConsoleCP
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
VirtualFree
HeapCreate
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStartupInfoA
GetFileType
GetVersionExW
GetModuleFileNameA
LeaveCriticalSection
EnterCriticalSection
MultiByteToWideChar
CreateProcessA
CreateFileA
GetModuleHandleA
LCMapStringW
GetStdHandle
SetHandleCount
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
ExitProcess
HeapSize
GetCurrentThreadId
SetLastError
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
InterlockedIncrement
InterlockedDecrement
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetStartupInfoW
RaiseException
RtlUnwind
HeapFree
HeapAlloc

user32

IsWindowVisible
IsWindowEnabled
SendMessageW
SetWindowPos
GetWindowLongW
IsDlgButtonChecked
CheckDlgButton
KillTimer
LoadBitmapW
SetTimer
GetDlgItem
FillRect
GetAncestor
ShowWindow
MessageBoxW
DispatchMessageW
TranslateMessage
IsDialogMessageW
GetMessageW
GetWindowTextW
DestroyWindow
LoadIconW
CreateDialogParamW
DrawTextW
GetClientRect
GetDC
SetWindowLongW
SetWindowTextW
EnumChildWindows

gdi32

SelectObject
SetBkMode
CreateFontIndirectW
GetObjectW
CreatePatternBrush

advapi32

RegQueryValueExW
RegOpenKeyExW

shell32

SHBrowseForFolderW
ShellExecuteW
ord190
SHOpenFolderAndSelectItems
ord155
SHGetPathFromIDListW
ShellExecuteExW
SHGetSpecialFolderPathW
SHCreateDirectoryExW

ole32

CoUninitialize
CoCreateInstance
CoTaskMemFree
CoInitializeEx

Sections

.text
Size: 96KB - Virtual size: 95KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 806KB - Virtual size: 805KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/spyware/2025-01-25_ce88baef569a991be221f3078c5309d6_virlock
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 234KB - Virtual size: 233KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 512B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/spyware/21178fd1cb20560b93cfdce1c04d98305bf162ad2e22a0350d5056d23af6ae9cN.exe
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 1.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 593KB - Virtual size: 596KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 89KB - Virtual size: 92KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/spyware/2e554fb62d19f66f5f5d1457ba5f468e.exe
.exe windows:5 windows x86 arch:x86

3f2e0e8a2aaa3edb9f9b6ab55758582c

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SleepEx
SetUnhandledExceptionFilter
GetCurrentProcessId
GetModuleHandleW
GetTickCount
GetModuleHandleA
GetModuleFileNameA
LocalFree
SetUnhandledExceptionFilter
VirtualAllocEx
GetCurrentThreadId
SetEvent

gdi32

GetTextMetricsW
DeleteDC
DeleteObject

user32

LockWindowStation
GetWindowRect
GetDlgItem
PostMessageW
ShowWindow

Sections

.data
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 105KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 120KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/spyware/3ff9f11f8f4ddcc7a2a2abfd5efd6e9e2f7c195036f841205f06f6cc4f69c020.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Exports

Exports

��t^��DHiTd��o��O1:?��W}|}��oz��>��L��-Y(bb0��s��]�rH��E��)�]��"��@� ��\�c�L^v�H��:��٢��L��#��6�rA��Gz�8�"\�!H��Pa��X5�p��3D6Zn�v� _1gK�Stk�P�"<LRa8�+"�ϐ�̲pw��:�P�iw~��G�Q�6��L@VF �}��+�~Qa��^��F_☝��n��D<Y�κ�ZwA4 bsI��?�픾��s)��L��]0!JmE��9�5�a3�v�/�\�1��g_�-J:pB8Y��0MW�O2$fH�L|�Dƨ� ��VYļB��%'�8��R�e]-@�H\�� <�ܞ50_��ma��){5�f{h�]��-U.��,7޺��z��:v8zg�� & � ua��{�� n/��c�j��Ǔ�#NGߴ3'#��o��3�z�2��cbnG�tʲq��y/J��et��B��d� �d��*eD�j�ҡ�zI4s��l�M�6xP�9��$^nb�ُ�8��袙��O��6變 ^��qbJi;�o�X�>H �b-� b�D�"�Qt%TVF�Z��э�_f`�/�pj��L�h8��}��ZR�l��^o-Ai��/�� S(��&��&�J��4��9�!�x&L �pRx�� T�%.�?m��A�R�"� �l�ϴS�p��L�[ϲ��&x�è�fݧp�^� S�w��)��쯹,��f1��K~�1s�0v�'�q0��W��X�fJR��l>T=�s�zi�"2 é�~��z��?��G��=� U�(�(y��#��Z�2��/��<�+��q��!�%��ovi��U�6��cP׻f��YrG&O��7[�V�֩��۲�I�MZ˹!��#]� us�� q��/�r�-?-B�_~�T�!>��,�&��7�A�ա8Qѕ�4��c��0O[�+�-�f,��WP6�$�1$�[�U=>��c ?6Lg��,�þ5n@�xT ��j�� ܮ�0��<aj��gv(k�4/8w��$�*�4�CP��:�T+9�(,��Q�Krb��n,�w�=c��$d��J&��i5�ɓ��6nn�L�-��b>��Q�~q�sM��^�u�ZT��M�� ae �dS��;�f1e�Ü�KX��?i*R z�\� �h��ts��~�u �P��6�A!{&�@�E��pY�F�,Y��h*�lYU��4��^er-(��~��ٽtI�� C�gw��6�#.��nN�8�:jI?i��b�[�� S��_��3�y�.��j��U|��!��l �n跶��T�H��vt�&� ��S�G��e�4�Ϟ�b0D��,b48o&z�T~�f��0,��H��;{��"q� ��&sx}9=e�잡�D=��<��]o�_��m�!��"��۵Ú�=q*��N�?o��[��!h��-3�)l-R�� I�5X�kF;B�f5��G0_R7��"��rVI5�[�L��6��L�� o�F�Ii��/��a��Z�ӯ��( h��6f׆-�_��V ��^/�v�hx�9o��sxG��H��^�ݿ�{P�`~C��.%d⑜m��^��U$̾��:�F�E��$�1��b�.sȓ��.��JX�� N�4W�L�h�e%SSf�9>�؁s�L�R�;��鶒��ب$�\F/ ≢��'}ބ�[l��B*̽��U�2N>:�C��-��q�;c��j�q-W$mg?Ͷ�1�Ù��Mw��tZ��w��{n�zd�U��:�_Ǐ@ ��g��%�%��2wn��ZF7�[g�[%|m^k!1o:�ZGcx׳�w&W��w�78d��-,銘��9��8�^��IO=v*��)5��fḶK��s��`W�Xp 3X܊i]�ڽ�󆅓h�Yt��x��v@3 ��XhZ҅�U�|xo|VI��v�E�� d�eJ��"�T�|�r�wN+C��1�F%7�/�f��$�V�!x��"鲃�ԞZ�<��|�Ǌ$��1��Sp:f��Bբ�,��`anC�<(�$�c�#��@�m�EH��i��XQ��ES� ��VY��o��f�hJ��qV8��"E�%,��o�a�ϙ��w�ch��S��J�%!��5�v�A��_�w��Li�|E�k"�;�5m��ȢN��8�#9 !(�c�� J�"�r�V3i7��$֮�\Ji ϡ=��&+�#��U|��S�v[��؛?ޠ��P��z=]� ��u �\��5�L�-�Xb<ۜ��T�gѼ,�hEY��k��7�]�J��b�kPi��J-��H\b�|\hJ��S ̏��4��K��/ X�e\q{�� *=8!w8ه׾��_YF��7�R�2��-q��fQ��q^b}O��[i�w,��5}��S�G��i�3N#j�� I<"��)�E�!��[� m�*U�L��f��޲()��K�g�Z;C��U��w�H�%"!�@��8ް��j_o��)o�� h��U��|]�]�+��hҚ�� M��2�"��u'"_��R�8&&�e�?�nT��C��<.]v�7ۏ�+.M�iĜs�lt�t�R��'mPH�0H��7#z@�&�x{��ؖ��iV˖�K#y>�� e�!�M{fi�r��v�~��71��P��Ѓ�Ÿ��Y�#�<B�<X��q6'_Z��&��fL9�r��Ϸ�<4UM[�J�"��b�Kv��ؚ1��b� �oS?��؊Y��v�A��n&̂6hl�9+��P�� En��@�9�k!t�'�N�K(i��!w��I�O��~��ֻ�1�|?�_�(㸐�c��3��ʹ�_��

Sections

ayc9jkyc
Size: 37KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

k92klfby
Size: 5KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

ha76uzrj
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 202KB - Virtual size: 7.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/spyware/f8248bdd73d9a6cd4b0e15323803cc611e9ca2bf42b7b413c78cc811da07284bN.exe
.exe windows:4 windows x86 arch:x86

56a78d55f3f7af51443e58e0ce2fb5f6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

RegCreateKeyExW
RegEnumKeyW
RegQueryValueExW
RegSetValueExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
SetFileSecurityW
RegOpenKeyExW
RegEnumValueW

shell32

SHGetSpecialFolderLocation
SHFileOperationW
SHBrowseForFolderW
SHGetPathFromIDListW
ShellExecuteExW
SHGetFileInfoW

ole32

OleInitialize
OleUninitialize
CoCreateInstance
IIDFromString
CoTaskMemFree

comctl32

ord17
ImageList_Create
ImageList_Destroy
ImageList_AddMasked

user32

GetClientRect
EndPaint
DrawTextW
IsWindowEnabled
DispatchMessageW
wsprintfA
CharNextA
CharPrevW
MessageBoxIndirectW
GetDlgItemTextW
SetDlgItemTextW
GetSystemMetrics
FillRect
AppendMenuW
TrackPopupMenu
OpenClipboard
SetClipboardData
CloseClipboard
IsWindowVisible
CallWindowProcW
GetMessagePos
CheckDlgButton
LoadCursorW
SetCursor
GetSysColor
SetWindowPos
GetWindowLongW
PeekMessageW
SetClassLongW
GetSystemMenu
EnableMenuItem
GetWindowRect
ScreenToClient
EndDialog
RegisterClassW
SystemParametersInfoW
CreateWindowExW
GetClassInfoW
DialogBoxParamW
CharNextW
ExitWindowsEx
DestroyWindow
CreateDialogParamW
SetTimer
SetWindowTextW
PostQuitMessage
SetForegroundWindow
ShowWindow
wsprintfW
SendMessageTimeoutW
FindWindowExW
IsWindow
GetDlgItem
SetWindowLongW
LoadImageW
GetDC
ReleaseDC
EnableWindow
InvalidateRect
SendMessageW
DefWindowProcW
BeginPaint
EmptyClipboard
CreatePopupMenu

gdi32

SetBkMode
SetBkColor
GetDeviceCaps
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
SetTextColor
SelectObject

kernel32

GetExitCodeProcess
WaitForSingleObject
GetModuleHandleA
GetProcAddress
GetSystemDirectoryW
lstrcatW
Sleep
lstrcpyA
WriteFile
GetTempFileNameW
CreateFileW
lstrcmpiA
RemoveDirectoryW
CreateProcessW
CreateDirectoryW
GetLastError
CreateThread
GlobalLock
GlobalUnlock
GetDiskFreeSpaceW
WideCharToMultiByte
lstrcpynW
lstrlenW
SetErrorMode
GetVersionExW
GetCommandLineW
GetTempPathW
GetWindowsDirectoryW
SetEnvironmentVariableW
CopyFileW
ExitProcess
GetCurrentProcess
GetModuleFileNameW
GetFileSize
GetTickCount
MulDiv
SetFileAttributesW
GetFileAttributesW
SetCurrentDirectoryW
MoveFileW
GetFullPathNameW
GetShortPathNameW
SearchPathW
CompareFileTime
SetFileTime
CloseHandle
lstrcmpiW
lstrcmpW
ExpandEnvironmentStringsW
GlobalFree
GlobalAlloc
GetModuleHandleW
LoadLibraryExW
MoveFileExW
FreeLibrary
WritePrivateProfileStringW
GetPrivateProfileStringW
lstrlenA
MultiByteToWideChar
ReadFile
SetFilePointer
FindClose
FindNextFileW
FindFirstFileW
DeleteFileW

Sections

.text
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 172KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 216KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 35KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/spyware/fa9309085ed972b923d9c92f7618dd53e1673953ccbe528efb3af8705754a3cdN.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 1024B - Virtual size: 536B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 42KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 8B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/tinba/00780717a0350d74c06b227f236f6826c4b53c19ca7e1a99187c6c11dd905fa9N.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 61KB - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/0c81de86734b9572a69818e7a3ebb50cacc4c460d676b5cf0f42b2647cfc7959.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: - Virtual size: 52KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 31KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/13c56dbd6fc67255336e251cfa23944f5cbb31fb35d91ab470e69ec3b1e0128bN.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 52KB - Virtual size: 52KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 31KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/1bb50e315211c0cb82c9ae5e8f8219591c6270bebcffce97cd7c68bf7d41bd53N.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.text
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.WavfW
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/tinba/203fa5b045bcc12dfe50844639897dea253bbbc19a0480d10e6f73eac37323d8N.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 61KB - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/23448590187355c378a032145a230f65fddb9b7a8e47b2d27232b1334f93ee0eN.exe
.exe windows:5 windows x86 arch:x86

8d379991d6270032480b18bc9d790531

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

CreateFileW
SetEndOfFile
FlushFileBuffers
GetStringTypeW
SetStdHandle
MultiByteToWideChar
LCMapStringW
GetProcAddress
HeapSize
HeapReAlloc
LoadLibraryW
CreateFileA
GetFileSize
GetProcessHeap
HeapAlloc
ReadFile
CloseHandle
HeapFree
GetLastError
FindFirstFileA
FindClose
GetLogicalDrives
HeapCreate
GetSystemTime
OutputDebugStringW
WriteConsoleW
OutputDebugStringA
IsValidCodePage
GetCPInfo
GetOEMCP
GetACP
GetConsoleMode
GetConsoleCP
GetModuleHandleA
HeapQueryInformation
LoadLibraryA
SetFilePointer
WriteFile
SetLastError
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
DeleteCriticalSection
GetFileType
SetEnvironmentVariableA
GetCurrentDirectoryA
SetCurrentDirectoryA
GetCommandLineA
HeapSetInformation
GetStartupInfoW
DecodePointer
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
GetModuleFileNameW
HeapValidate
IsBadReadPtr
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
RtlUnwind
IsProcessorFeaturePresent
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
InterlockedIncrement
InterlockedDecrement
GetModuleHandleW
ExitProcess
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
RaiseException

user32

LoadStringA
BeginPaint
EnableWindow
GetDlgItem
SetDlgItemTextA
IsDlgButtonChecked
CreateWindowExA
GetClientRect
GetDC
GetSystemMetrics
LoadBitmapA
CheckMenuRadioItem
SetWindowTextA
GetWindowLongA
InsertMenuItemA
ReleaseDC
FillRect
DefWindowProcA

gdi32

SelectObject
GetPixel
CreateRectRgn
CreateCompatibleBitmap
DPtoLP
TextOutA
CreateSolidBrush
FrameRgn
SetMapMode
SetViewportExtEx
DeleteObject
PatBlt
CreateCompatibleDC

ole32

CoInitialize
CoInitializeEx
CoUninitialize
CoCreateInstance

winmm

mmioClose
mmioWrite
mmioCreateChunk
mmioOpenA

comctl32

ord17
InitCommonControlsEx

gdiplus

GdipSaveImageToFile
GdipCreateBitmapFromFile
GdipCreateBitmapFromHBITMAP
GdipCreateHBITMAPFromBitmap
GdiplusStartup
GdipDisposeImage

Sections

.text
Size: 152KB - Virtual size: 151KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 64KB - Virtual size: 63KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/tinba/2f5f9c9f15797c49d14d61b9cbb83270333ec1a357c10d37ccc55d7ee7d1530aN.exe
.exe windows:5 windows x86 arch:x86

eb29527bc4a3140f4ce75eb5d2954101

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_AGGRESIVE_WS_TRIM
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_UP_SYSTEM_ONLY

Imports

kernel32

lstrcpyA
CloseHandle
CreateFileW
FlushFileBuffers
LCMapStringW
GetStringTypeW
SetStdHandle
RtlUnwind
HeapFree
HeapQueryInformation
HeapSize
HeapReAlloc
LoadLibraryW
OutputDebugStringW
WriteConsoleW
OutputDebugStringA
IsValidCodePage
GetCPInfo
GetOEMCP
GetACP
GetConsoleMode
GetConsoleCP
SetFilePointer
WriteFile
OpenEventW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
DeleteCriticalSection
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
ExitProcess
GetModuleHandleW
GetProcAddress
InterlockedDecrement
InterlockedIncrement
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
LeaveCriticalSection
EnterCriticalSection
IsBadReadPtr
HeapValidate
GetModuleFileNameW
EncodePointer
DecodePointer
IsProcessorFeaturePresent
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetStartupInfoW
FillConsoleOutputAttribute
FindFirstChangeNotificationA
GetModuleHandleA
GetSystemInfo
FindNextChangeNotification
LockResource
GetConsoleScreenBufferInfo
GetPrivateProfileStringA
GetLastError
FillConsoleOutputCharacterA
GetStdHandle
SetCurrentDirectoryA
lstrlenW
MultiByteToWideChar
SetConsoleCursorPosition
HeapCreate
CreateEventA
SizeofResource
ReadConsoleInputA
WideCharToMultiByte
FindResourceExA
FlushConsoleInputBuffer
HeapSetInformation
GetCommandLineA
FindCloseChangeNotification
WaitForSingleObject
GetCurrentProcess
HeapAlloc
LoadResource
lstrlenA
SetLastError
RaiseException

user32

GetWindow
MoveWindow
CheckMenuItem
EndPaint
DestroyWindow
EnumDisplayMonitors
GetSystemMenu
SetTimer
ScreenToClient
GetWindowRect
RegisterClassExA
PostQuitMessage
SendDlgItemMessageA
GetWindowDC
IsIconic
FillRect
KillTimer
GetSubMenu
DrawIconEx
LoadBitmapA
GetParent
LoadIconA
wsprintfA
DrawIcon
FindWindowExA
GetClientRect
ExitWindowsEx
SetFocus
SendMessageA
BeginPaint
GetIconInfo
GetDC
TranslateMessage
GetMenu
SetRect
SetWindowLongA
MessageBoxA
UnionRect
InvalidateRect
UnregisterClassA
CreateWindowExA
PeekMessageA
ReleaseDC
GetDlgItem
EndDialog
DefWindowProcA
GetDesktopWindow
GetSysColor
SetWindowPos
GetMenuItemInfoA
CheckDlgButton
ShowWindow
IsDlgButtonChecked
IsWindow
DispatchMessageA
MessageBoxW
SystemParametersInfoA
GetSystemMetrics
SetWindowTextA
LoadImageA
UpdateWindow
LoadCursorA
SetDlgItemTextA

gdi32

BitBlt
PatBlt
GetTextExtentPoint32A
DeleteDC
CreateDIBSection
CreateFontIndirectA
DeleteObject
SelectObject
CreateCompatibleDC
DPtoLP
CreateCompatibleBitmap
CreatePen
GetObjectA
GetStockObject
CreateSolidBrush

advapi32

RegCreateKeyA
LookupPrivilegeValueA
RegQueryValueExA
RegSetValueExA
OpenProcessToken
RegCloseKey
AdjustTokenPrivileges

shell32

SHGetFolderPathW
ord727
SHGetFileInfoW
SHGetMalloc
SHGetFolderLocation
SHGetFolderPathA
SHGetDesktopFolder

ole32

CoInitialize
CoUninitialize
CoCreateInstance

odbc32

ord41

shlwapi

StrRetToBufA
PathCompactPathA

comctl32

ImageList_Create
ImageList_ReplaceIcon
ImageList_SetBkColor
ImageList_Add

activeds

ord17

secur32

InitSecurityInterfaceA

Sections

.text
Size: 132KB - Virtual size: 131KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 67KB - Virtual size: 66KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/tinba/33c3d0c4847980dc79536ef491e596c6365d75d736bf8aabb814f995f6deb6f8.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 52KB - Virtual size: 52KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 31KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/3812c78639561f390c5830a0c3626d17456969e1a2998bdd4931617ca566aa1bN.exe
.exe windows:5 windows x86 arch:x86

eb29527bc4a3140f4ce75eb5d2954101

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_AGGRESIVE_WS_TRIM
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_UP_SYSTEM_ONLY

Imports

kernel32

lstrcpyA
CloseHandle
CreateFileW
FlushFileBuffers
LCMapStringW
GetStringTypeW
SetStdHandle
RtlUnwind
HeapFree
HeapQueryInformation
HeapSize
HeapReAlloc
LoadLibraryW
OutputDebugStringW
WriteConsoleW
OutputDebugStringA
IsValidCodePage
GetCPInfo
GetOEMCP
GetACP
GetConsoleMode
GetConsoleCP
SetFilePointer
WriteFile
OpenEventW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
DeleteCriticalSection
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
ExitProcess
GetModuleHandleW
GetProcAddress
InterlockedDecrement
InterlockedIncrement
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
LeaveCriticalSection
EnterCriticalSection
IsBadReadPtr
HeapValidate
GetModuleFileNameW
EncodePointer
DecodePointer
IsProcessorFeaturePresent
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetStartupInfoW
FillConsoleOutputAttribute
FindFirstChangeNotificationA
GetModuleHandleA
GetSystemInfo
FindNextChangeNotification
LockResource
GetConsoleScreenBufferInfo
GetPrivateProfileStringA
GetLastError
FillConsoleOutputCharacterA
GetStdHandle
SetCurrentDirectoryA
lstrlenW
MultiByteToWideChar
SetConsoleCursorPosition
HeapCreate
CreateEventA
SizeofResource
ReadConsoleInputA
WideCharToMultiByte
FindResourceExA
FlushConsoleInputBuffer
HeapSetInformation
GetCommandLineA
FindCloseChangeNotification
WaitForSingleObject
GetCurrentProcess
HeapAlloc
LoadResource
lstrlenA
SetLastError
RaiseException

user32

GetWindow
MoveWindow
CheckMenuItem
EndPaint
DestroyWindow
EnumDisplayMonitors
GetSystemMenu
SetTimer
ScreenToClient
GetWindowRect
RegisterClassExA
PostQuitMessage
SendDlgItemMessageA
GetWindowDC
IsIconic
FillRect
KillTimer
GetSubMenu
DrawIconEx
LoadBitmapA
GetParent
LoadIconA
wsprintfA
DrawIcon
FindWindowExA
GetClientRect
ExitWindowsEx
SetFocus
SendMessageA
BeginPaint
GetIconInfo
GetDC
TranslateMessage
GetMenu
SetRect
SetWindowLongA
MessageBoxA
UnionRect
InvalidateRect
UnregisterClassA
CreateWindowExA
PeekMessageA
ReleaseDC
GetDlgItem
EndDialog
DefWindowProcA
GetDesktopWindow
GetSysColor
SetWindowPos
GetMenuItemInfoA
CheckDlgButton
ShowWindow
IsDlgButtonChecked
IsWindow
DispatchMessageA
MessageBoxW
SystemParametersInfoA
GetSystemMetrics
SetWindowTextA
LoadImageA
UpdateWindow
LoadCursorA
SetDlgItemTextA

gdi32

BitBlt
PatBlt
GetTextExtentPoint32A
DeleteDC
CreateDIBSection
CreateFontIndirectA
DeleteObject
SelectObject
CreateCompatibleDC
DPtoLP
CreateCompatibleBitmap
CreatePen
GetObjectA
GetStockObject
CreateSolidBrush

advapi32

RegCreateKeyA
LookupPrivilegeValueA
RegQueryValueExA
RegSetValueExA
OpenProcessToken
RegCloseKey
AdjustTokenPrivileges

shell32

SHGetFolderPathW
ord727
SHGetFileInfoW
SHGetMalloc
SHGetFolderLocation
SHGetFolderPathA
SHGetDesktopFolder

ole32

CoInitialize
CoUninitialize
CoCreateInstance

odbc32

ord41

shlwapi

StrRetToBufA
PathCompactPathA

comctl32

ImageList_Create
ImageList_ReplaceIcon
ImageList_SetBkColor
ImageList_Add

activeds

ord17

secur32

InitSecurityInterfaceA

Sections

.text
Size: 132KB - Virtual size: 131KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 67KB - Virtual size: 66KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/tinba/38a2f2d0fbb26e1f2ab109d4779cd31e79244298a6ceb83bf483a0268dc8e355N.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 61KB - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/3d31b34ad1ae466cb169d16c8fe3d4a0f3291aa58222adc35cd74460cb99630a.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 61KB - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/45ce9ba083c60e0f2380813fe568227101f324a85a6bad76a1687aeb1fdf89c2.exe
.exe windows:5 windows x86 arch:x86

eb29527bc4a3140f4ce75eb5d2954101

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_AGGRESIVE_WS_TRIM
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_UP_SYSTEM_ONLY

Imports

kernel32

lstrcpyA
CloseHandle
CreateFileW
FlushFileBuffers
LCMapStringW
GetStringTypeW
SetStdHandle
RtlUnwind
HeapFree
HeapQueryInformation
HeapSize
HeapReAlloc
LoadLibraryW
OutputDebugStringW
WriteConsoleW
OutputDebugStringA
IsValidCodePage
GetCPInfo
GetOEMCP
GetACP
GetConsoleMode
GetConsoleCP
SetFilePointer
WriteFile
OpenEventW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
DeleteCriticalSection
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
ExitProcess
GetModuleHandleW
GetProcAddress
InterlockedDecrement
InterlockedIncrement
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
LeaveCriticalSection
EnterCriticalSection
IsBadReadPtr
HeapValidate
GetModuleFileNameW
EncodePointer
DecodePointer
IsProcessorFeaturePresent
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetStartupInfoW
FillConsoleOutputAttribute
FindFirstChangeNotificationA
GetModuleHandleA
GetSystemInfo
FindNextChangeNotification
LockResource
GetConsoleScreenBufferInfo
GetPrivateProfileStringA
GetLastError
FillConsoleOutputCharacterA
GetStdHandle
SetCurrentDirectoryA
lstrlenW
MultiByteToWideChar
SetConsoleCursorPosition
HeapCreate
CreateEventA
SizeofResource
ReadConsoleInputA
WideCharToMultiByte
FindResourceExA
FlushConsoleInputBuffer
HeapSetInformation
GetCommandLineA
FindCloseChangeNotification
WaitForSingleObject
GetCurrentProcess
HeapAlloc
LoadResource
lstrlenA
SetLastError
RaiseException

user32

GetWindow
MoveWindow
CheckMenuItem
EndPaint
DestroyWindow
EnumDisplayMonitors
GetSystemMenu
SetTimer
ScreenToClient
GetWindowRect
RegisterClassExA
PostQuitMessage
SendDlgItemMessageA
GetWindowDC
IsIconic
FillRect
KillTimer
GetSubMenu
DrawIconEx
LoadBitmapA
GetParent
LoadIconA
wsprintfA
DrawIcon
FindWindowExA
GetClientRect
ExitWindowsEx
SetFocus
SendMessageA
BeginPaint
GetIconInfo
GetDC
TranslateMessage
GetMenu
SetRect
SetWindowLongA
MessageBoxA
UnionRect
InvalidateRect
UnregisterClassA
CreateWindowExA
PeekMessageA
ReleaseDC
GetDlgItem
EndDialog
DefWindowProcA
GetDesktopWindow
GetSysColor
SetWindowPos
GetMenuItemInfoA
CheckDlgButton
ShowWindow
IsDlgButtonChecked
IsWindow
DispatchMessageA
MessageBoxW
SystemParametersInfoA
GetSystemMetrics
SetWindowTextA
LoadImageA
UpdateWindow
LoadCursorA
SetDlgItemTextA

gdi32

BitBlt
PatBlt
GetTextExtentPoint32A
DeleteDC
CreateDIBSection
CreateFontIndirectA
DeleteObject
SelectObject
CreateCompatibleDC
DPtoLP
CreateCompatibleBitmap
CreatePen
GetObjectA
GetStockObject
CreateSolidBrush

advapi32

RegCreateKeyA
LookupPrivilegeValueA
RegQueryValueExA
RegSetValueExA
OpenProcessToken
RegCloseKey
AdjustTokenPrivileges

shell32

SHGetFolderPathW
ord727
SHGetFileInfoW
SHGetMalloc
SHGetFolderLocation
SHGetFolderPathA
SHGetDesktopFolder

ole32

CoInitialize
CoUninitialize
CoCreateInstance

odbc32

ord41

shlwapi

StrRetToBufA
PathCompactPathA

comctl32

ImageList_Create
ImageList_ReplaceIcon
ImageList_SetBkColor
ImageList_Add

activeds

ord17

secur32

InitSecurityInterfaceA

Sections

.text
Size: 132KB - Virtual size: 131KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 67KB - Virtual size: 66KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/tinba/45e3c909bef1c474eb68b11b1387be21c378d0d6caea8a3420ff8cf8306507c5.exe
.exe windows:5 windows x86 arch:x86

eb29527bc4a3140f4ce75eb5d2954101

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_AGGRESIVE_WS_TRIM
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_UP_SYSTEM_ONLY

Imports

kernel32

lstrcpyA
CloseHandle
CreateFileW
FlushFileBuffers
LCMapStringW
GetStringTypeW
SetStdHandle
RtlUnwind
HeapFree
HeapQueryInformation
HeapSize
HeapReAlloc
LoadLibraryW
OutputDebugStringW
WriteConsoleW
OutputDebugStringA
IsValidCodePage
GetCPInfo
GetOEMCP
GetACP
GetConsoleMode
GetConsoleCP
SetFilePointer
WriteFile
OpenEventW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
DeleteCriticalSection
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
ExitProcess
GetModuleHandleW
GetProcAddress
InterlockedDecrement
InterlockedIncrement
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
LeaveCriticalSection
EnterCriticalSection
IsBadReadPtr
HeapValidate
GetModuleFileNameW
EncodePointer
DecodePointer
IsProcessorFeaturePresent
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetStartupInfoW
FillConsoleOutputAttribute
FindFirstChangeNotificationA
GetModuleHandleA
GetSystemInfo
FindNextChangeNotification
LockResource
GetConsoleScreenBufferInfo
GetPrivateProfileStringA
GetLastError
FillConsoleOutputCharacterA
GetStdHandle
SetCurrentDirectoryA
lstrlenW
MultiByteToWideChar
SetConsoleCursorPosition
HeapCreate
CreateEventA
SizeofResource
ReadConsoleInputA
WideCharToMultiByte
FindResourceExA
FlushConsoleInputBuffer
HeapSetInformation
GetCommandLineA
FindCloseChangeNotification
WaitForSingleObject
GetCurrentProcess
HeapAlloc
LoadResource
lstrlenA
SetLastError
RaiseException

user32

GetWindow
MoveWindow
CheckMenuItem
EndPaint
DestroyWindow
EnumDisplayMonitors
GetSystemMenu
SetTimer
ScreenToClient
GetWindowRect
RegisterClassExA
PostQuitMessage
SendDlgItemMessageA
GetWindowDC
IsIconic
FillRect
KillTimer
GetSubMenu
DrawIconEx
LoadBitmapA
GetParent
LoadIconA
wsprintfA
DrawIcon
FindWindowExA
GetClientRect
ExitWindowsEx
SetFocus
SendMessageA
BeginPaint
GetIconInfo
GetDC
TranslateMessage
GetMenu
SetRect
SetWindowLongA
MessageBoxA
UnionRect
InvalidateRect
UnregisterClassA
CreateWindowExA
PeekMessageA
ReleaseDC
GetDlgItem
EndDialog
DefWindowProcA
GetDesktopWindow
GetSysColor
SetWindowPos
GetMenuItemInfoA
CheckDlgButton
ShowWindow
IsDlgButtonChecked
IsWindow
DispatchMessageA
MessageBoxW
SystemParametersInfoA
GetSystemMetrics
SetWindowTextA
LoadImageA
UpdateWindow
LoadCursorA
SetDlgItemTextA

gdi32

BitBlt
PatBlt
GetTextExtentPoint32A
DeleteDC
CreateDIBSection
CreateFontIndirectA
DeleteObject
SelectObject
CreateCompatibleDC
DPtoLP
CreateCompatibleBitmap
CreatePen
GetObjectA
GetStockObject
CreateSolidBrush

advapi32

RegCreateKeyA
LookupPrivilegeValueA
RegQueryValueExA
RegSetValueExA
OpenProcessToken
RegCloseKey
AdjustTokenPrivileges

shell32

SHGetFolderPathW
ord727
SHGetFileInfoW
SHGetMalloc
SHGetFolderLocation
SHGetFolderPathA
SHGetDesktopFolder

ole32

CoInitialize
CoUninitialize
CoCreateInstance

odbc32

ord41

shlwapi

StrRetToBufA
PathCompactPathA

comctl32

ImageList_Create
ImageList_ReplaceIcon
ImageList_SetBkColor
ImageList_Add

activeds

ord17

secur32

InitSecurityInterfaceA

Sections

.text
Size: 132KB - Virtual size: 131KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 67KB - Virtual size: 66KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/tinba/49616b669ede0d88f952af00531ebec3351414ff965dfeff5b0964b4ac838049N.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/4ed83478f1cd128443282f0735c777a0c2dae6513e1d9695891f83040f346818.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 61KB - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/564c64019c65c26232b2f26af788d03d8f23391bce41b190005c89d3c1c49b3e.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.MPRESS1
Size: 51KB - Virtual size: 88KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.MPRESS2
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 31KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/577051e5764910b6f18d528013165a720356112dd338698280a76e7b2a6e24d1.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: - Virtual size: 52KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 31KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/5a3e3f8b66b307f9fcc4ef8e6a68d3fd8e416b3716cfd5f6c0893a33b5169765N.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 61KB - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/5b2930f1c0cc9a040aee1c14eb6fa61072cc45d881994ed2975f6fd2354d8dde.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/65a67b7e0bd34ae4c1de6de8b3c6c3db7c09ae526af4914bb012f13abf927d26.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/694decb30226b8e3da044ce0ad963bbeff1af9af4a94c0527a954de6cbd08da6
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 56KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 39KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/6b44063e2d46431859f99c03a54b4dedbab16814167019571dc7762159af4024N.exe
.exe windows:5 windows x86 arch:x86

eb29527bc4a3140f4ce75eb5d2954101

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_AGGRESIVE_WS_TRIM
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_UP_SYSTEM_ONLY

Imports

kernel32

lstrcpyA
CloseHandle
CreateFileW
FlushFileBuffers
LCMapStringW
GetStringTypeW
SetStdHandle
RtlUnwind
HeapFree
HeapQueryInformation
HeapSize
HeapReAlloc
LoadLibraryW
OutputDebugStringW
WriteConsoleW
OutputDebugStringA
IsValidCodePage
GetCPInfo
GetOEMCP
GetACP
GetConsoleMode
GetConsoleCP
SetFilePointer
WriteFile
OpenEventW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
DeleteCriticalSection
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
ExitProcess
GetModuleHandleW
GetProcAddress
InterlockedDecrement
InterlockedIncrement
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
LeaveCriticalSection
EnterCriticalSection
IsBadReadPtr
HeapValidate
GetModuleFileNameW
EncodePointer
DecodePointer
IsProcessorFeaturePresent
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetStartupInfoW
FillConsoleOutputAttribute
FindFirstChangeNotificationA
GetModuleHandleA
GetSystemInfo
FindNextChangeNotification
LockResource
GetConsoleScreenBufferInfo
GetPrivateProfileStringA
GetLastError
FillConsoleOutputCharacterA
GetStdHandle
SetCurrentDirectoryA
lstrlenW
MultiByteToWideChar
SetConsoleCursorPosition
HeapCreate
CreateEventA
SizeofResource
ReadConsoleInputA
WideCharToMultiByte
FindResourceExA
FlushConsoleInputBuffer
HeapSetInformation
GetCommandLineA
FindCloseChangeNotification
WaitForSingleObject
GetCurrentProcess
HeapAlloc
LoadResource
lstrlenA
SetLastError
RaiseException

user32

GetWindow
MoveWindow
CheckMenuItem
EndPaint
DestroyWindow
EnumDisplayMonitors
GetSystemMenu
SetTimer
ScreenToClient
GetWindowRect
RegisterClassExA
PostQuitMessage
SendDlgItemMessageA
GetWindowDC
IsIconic
FillRect
KillTimer
GetSubMenu
DrawIconEx
LoadBitmapA
GetParent
LoadIconA
wsprintfA
DrawIcon
FindWindowExA
GetClientRect
ExitWindowsEx
SetFocus
SendMessageA
BeginPaint
GetIconInfo
GetDC
TranslateMessage
GetMenu
SetRect
SetWindowLongA
MessageBoxA
UnionRect
InvalidateRect
UnregisterClassA
CreateWindowExA
PeekMessageA
ReleaseDC
GetDlgItem
EndDialog
DefWindowProcA
GetDesktopWindow
GetSysColor
SetWindowPos
GetMenuItemInfoA
CheckDlgButton
ShowWindow
IsDlgButtonChecked
IsWindow
DispatchMessageA
MessageBoxW
SystemParametersInfoA
GetSystemMetrics
SetWindowTextA
LoadImageA
UpdateWindow
LoadCursorA
SetDlgItemTextA

gdi32

BitBlt
PatBlt
GetTextExtentPoint32A
DeleteDC
CreateDIBSection
CreateFontIndirectA
DeleteObject
SelectObject
CreateCompatibleDC
DPtoLP
CreateCompatibleBitmap
CreatePen
GetObjectA
GetStockObject
CreateSolidBrush

advapi32

RegCreateKeyA
LookupPrivilegeValueA
RegQueryValueExA
RegSetValueExA
OpenProcessToken
RegCloseKey
AdjustTokenPrivileges

shell32

SHGetFolderPathW
ord727
SHGetFileInfoW
SHGetMalloc
SHGetFolderLocation
SHGetFolderPathA
SHGetDesktopFolder

ole32

CoInitialize
CoUninitialize
CoCreateInstance

odbc32

ord41

shlwapi

StrRetToBufA
PathCompactPathA

comctl32

ImageList_Create
ImageList_ReplaceIcon
ImageList_SetBkColor
ImageList_Add

activeds

ord17

secur32

InitSecurityInterfaceA

Sections

.text
Size: 132KB - Virtual size: 131KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 67KB - Virtual size: 66KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/tinba/7087bf238addbd8ada881d9014fa1313e3286c3f24080400ad1560b4fbef52e1.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 61KB - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/7087bf238addbd8ada881d9014fa1313e3286c3f24080400ad1560b4fbef52e1N.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 61KB - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/73deb6fc408b72da99cd831db55a06a92230c6f834e3cf31fd8854bd6b93d68c
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: - Virtual size: 52KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 31KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/762984acc17f00c41045116b954ea047c665c391f0326101d46b640022037dd4.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/7a9e50aefbe2bc256300765624aa7bd7e54b63061989f4a219c3111817be994f.exe
.exe windows:4 windows x86 arch:x86

d0faf1f829379ff4f83833223a663610

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\Value\Which\A.pdb

Imports

kernel32

GetSystemDirectoryW
GetModuleHandleW
MultiByteToWideChar
CreateFileW
GetCurrentDirectoryW
GetDateFormatW
GetLocalTime
ExitProcess
GetVersion
CreateEventW
SetEvent
CloseHandle
WaitForSingleObject
Sleep
HeapSetInformation
GetConsoleOutputCP
GetCurrentProcess
GetTimeFormatW
TerminateProcess

user32

MsgWaitForMultipleObjects
GetWindowRect
UpdateWindow
GetClientRect
SetTimer
RedrawWindow
GetSystemMetrics
LoadIconW
ScreenToClient
GetSysColorBrush
IsIconic
GetSystemMenu
OffsetRect
ShowWindowAsync
CharToOemW
LoadStringW

comdlg32

CommDlgExtendedError

advapi32

AdjustTokenPrivileges
RegCloseKey
RegDeleteValueW
RegQueryValueExW
RegSetValueExW
RegOpenKeyExW
OpenProcessToken

shell32

ShellAboutW

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

msvcrt

wprintf
free
malloc
fflush
fclose
memset

crypt32

CertFreeCertificateContext

Sections

.text
Size: 72KB - Virtual size: 68KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 346KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/tinba/88b28712851de70e68340527f01f8b108160b3ecb411a2fd232e15d2c9e19b37.exe
.exe windows:4 windows x86 arch:x86

29d8d235a94a2b373c600cecbe74db5d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

AddAtomW
FreeConsole
GetCurrencyFormatW
IsProcessorFeaturePresent
CreateEventA
OpenFileMappingW
LocalHandle
HeapSize
MulDiv
WriteFile
GetTempFileNameW
SetLocaleInfoW
DosDateTimeToFileTime
EnumLanguageGroupLocalesW
CreatePipe
GetPrivateProfileSectionNamesA
SetConsoleTitleA
CancelDeviceWakeupRequest
GetVolumePathNameA
GetProfileIntA
GetDateFormatA
DebugBreak
SuspendThread
SetCommMask
EnumUILanguagesW
MoveFileWithProgressA
BackupRead
GetNumberOfConsoleInputEvents
GetLongPathNameA
FreeLibrary
GetFileAttributesW
EnumDateFormatsA
QueryDosDeviceA
UpdateResourceW
WritePrivateProfileStructA
lstrcpynA
GetExitCodeProcess
GlobalAddAtomW
GetShortPathNameW
UnlockFileEx
SetComputerNameExA
SetConsoleTitleA

gdi32

GetDeviceCaps

ole32

OleCreateFromData
HWND_UserMarshal
CreateAntiMoniker
CoInitialize
CoSetProxyBlanket
CoDisconnectObject
ReleaseStgMedium
HGLOBAL_UserSize
PropStgNameToFmtId

msvcrt

iswprint
_wgetenv
srand
strtok
iswupper
tolower
fputs
_swab
wcsncpy
_fputchar
iswctype
_strupr
bsearch
_strnicmp
memcmp
_wspawnl
_abnormal_termination
_rotl
_flsbuf
isdigit
memmove
_isctype
isalpha
isgraph
_wspawnvpe
_wexecve
_wcslwr
_wcsrev
fputwc
_fcvt
_ultoa
tmpnam
_wcreat

winmm

timeSetEvent
waveOutOpen
midiConnect
midiOutSetVolume
mmioOpenA
mmioWrite
DrvGetModuleHandle
mciGetDeviceIDFromElementIDW
waveOutGetErrorTextW
joyGetPosEx
mixerSetControlDetails
joySetThreshold
mmioRead
waveOutGetDevCapsA
DefDriverProc
mmioDescend
mixerGetLineInfoA
mciSendStringA
midiOutClose
midiInGetDevCapsW
midiStreamOut
mmioSetBuffer
midiInClose
waveOutReset
midiOutPrepareHeader
waveInGetPosition
GetDriverModuleHandle
mmioGetInfo
midiInMessage
mciGetCreatorTask
auxGetVolume
joyGetDevCapsW
waveInGetErrorTextA
mixerGetLineControlsW

mscms

GetColorProfileElement
UninstallColorProfileA
AssociateColorProfileWithDeviceA
EnumColorProfilesW
GetStandardColorSpaceProfileW
DisassociateColorProfileFromDeviceW
GetStandardColorSpaceProfileA
SetStandardColorSpaceProfileW
DeleteColorTransform
GetPS2ColorRenderingIntent
SetColorProfileHeader
TranslateBitmapBits
CreateColorTransformA
ConvertIndexToColorName
CreateProfileFromLogColorSpaceW
RegisterCMMW
GetColorProfileElementTag
GetColorProfileFromHandle
UninstallColorProfileW
CreateMultiProfileTransform
GetCountColorProfileElements
InstallColorProfileA
CreateColorTransformW
CheckColors
SetColorProfileElementReference

Sections

.text
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.u
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 32KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/tinba/8c42f7d05da923d9e5ddf7ba268e421634a229b332c037b6cd6a1e81d7d58b6e.exe
.exe windows:5 windows x86 arch:x86

8d379991d6270032480b18bc9d790531

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

CreateFileW
SetEndOfFile
FlushFileBuffers
GetStringTypeW
SetStdHandle
MultiByteToWideChar
LCMapStringW
GetProcAddress
HeapSize
HeapReAlloc
LoadLibraryW
CreateFileA
GetFileSize
GetProcessHeap
HeapAlloc
ReadFile
CloseHandle
HeapFree
GetLastError
FindFirstFileA
FindClose
GetLogicalDrives
HeapCreate
GetSystemTime
OutputDebugStringW
WriteConsoleW
OutputDebugStringA
IsValidCodePage
GetCPInfo
GetOEMCP
GetACP
GetConsoleMode
GetConsoleCP
GetModuleHandleA
HeapQueryInformation
LoadLibraryA
SetFilePointer
WriteFile
SetLastError
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
DeleteCriticalSection
GetFileType
SetEnvironmentVariableA
GetCurrentDirectoryA
SetCurrentDirectoryA
GetCommandLineA
HeapSetInformation
GetStartupInfoW
DecodePointer
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
GetModuleFileNameW
HeapValidate
IsBadReadPtr
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
RtlUnwind
IsProcessorFeaturePresent
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
InterlockedIncrement
InterlockedDecrement
GetModuleHandleW
ExitProcess
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
RaiseException

user32

LoadStringA
BeginPaint
EnableWindow
GetDlgItem
SetDlgItemTextA
IsDlgButtonChecked
CreateWindowExA
GetClientRect
GetDC
GetSystemMetrics
LoadBitmapA
CheckMenuRadioItem
SetWindowTextA
GetWindowLongA
InsertMenuItemA
ReleaseDC
FillRect
DefWindowProcA

gdi32

SelectObject
GetPixel
CreateRectRgn
CreateCompatibleBitmap
DPtoLP
TextOutA
CreateSolidBrush
FrameRgn
SetMapMode
SetViewportExtEx
DeleteObject
PatBlt
CreateCompatibleDC

ole32

CoInitialize
CoInitializeEx
CoUninitialize
CoCreateInstance

winmm

mmioClose
mmioWrite
mmioCreateChunk
mmioOpenA

comctl32

ord17
InitCommonControlsEx

gdiplus

GdipSaveImageToFile
GdipCreateBitmapFromFile
GdipCreateBitmapFromHBITMAP
GdipCreateHBITMAPFromBitmap
GdiplusStartup
GdipDisposeImage

Sections

.text
Size: 152KB - Virtual size: 151KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 64KB - Virtual size: 63KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/tinba/9071909cfd852693300404833275c708c789f1bc2d3588d2121c159ff1b479c0.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/919ebd053037624564b29179ef6e0f58bd29ff9bffb98fe76856380266039ed6N.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/98c895f9acf465a671d1dbaa13318b60060d37ae16481da3a6a9e483cb2b05ad.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: 52KB - Virtual size: 52KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 31KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/b97c1992b1a0dbbc8cb79dffb905624bd8d9063d35a00a991d7a7f0f97b46eb2N.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

UPX0
Size: - Virtual size: 52KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 31KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/bd28276fd9ef4bddb3075cdf8453aed9f78da4e2713d5078bb001919f25919e8.exe
.exe windows:5 windows x86 arch:x86

8d379991d6270032480b18bc9d790531

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

CreateFileW
SetEndOfFile
FlushFileBuffers
GetStringTypeW
SetStdHandle
MultiByteToWideChar
LCMapStringW
GetProcAddress
HeapSize
HeapReAlloc
LoadLibraryW
CreateFileA
GetFileSize
GetProcessHeap
HeapAlloc
ReadFile
CloseHandle
HeapFree
GetLastError
FindFirstFileA
FindClose
GetLogicalDrives
HeapCreate
GetSystemTime
OutputDebugStringW
WriteConsoleW
OutputDebugStringA
IsValidCodePage
GetCPInfo
GetOEMCP
GetACP
GetConsoleMode
GetConsoleCP
GetModuleHandleA
HeapQueryInformation
LoadLibraryA
SetFilePointer
WriteFile
SetLastError
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
DeleteCriticalSection
GetFileType
SetEnvironmentVariableA
GetCurrentDirectoryA
SetCurrentDirectoryA
GetCommandLineA
HeapSetInformation
GetStartupInfoW
DecodePointer
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
GetModuleFileNameW
HeapValidate
IsBadReadPtr
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
RtlUnwind
IsProcessorFeaturePresent
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
InterlockedIncrement
InterlockedDecrement
GetModuleHandleW
ExitProcess
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
RaiseException

user32

LoadStringA
BeginPaint
EnableWindow
GetDlgItem
SetDlgItemTextA
IsDlgButtonChecked
CreateWindowExA
GetClientRect
GetDC
GetSystemMetrics
LoadBitmapA
CheckMenuRadioItem
SetWindowTextA
GetWindowLongA
InsertMenuItemA
ReleaseDC
FillRect
DefWindowProcA

gdi32

SelectObject
GetPixel
CreateRectRgn
CreateCompatibleBitmap
DPtoLP
TextOutA
CreateSolidBrush
FrameRgn
SetMapMode
SetViewportExtEx
DeleteObject
PatBlt
CreateCompatibleDC

ole32

CoInitialize
CoInitializeEx
CoUninitialize
CoCreateInstance

winmm

mmioClose
mmioWrite
mmioCreateChunk
mmioOpenA

comctl32

ord17
InitCommonControlsEx

gdiplus

GdipSaveImageToFile
GdipCreateBitmapFromFile
GdipCreateBitmapFromHBITMAP
GdipCreateHBITMAPFromBitmap
GdiplusStartup
GdipDisposeImage

Sections

.text
Size: 152KB - Virtual size: 151KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 64KB - Virtual size: 63KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/tinba/c369cd31391c53e2eab7ca06d7d24e738073e221f3a1729c685a4a5fb1f564d9N.exe
.exe windows:5 windows x86 arch:x86

eb29527bc4a3140f4ce75eb5d2954101

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_AGGRESIVE_WS_TRIM
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_UP_SYSTEM_ONLY

Imports

kernel32

lstrcpyA
CloseHandle
CreateFileW
FlushFileBuffers
LCMapStringW
GetStringTypeW
SetStdHandle
RtlUnwind
HeapFree
HeapQueryInformation
HeapSize
HeapReAlloc
LoadLibraryW
OutputDebugStringW
WriteConsoleW
OutputDebugStringA
IsValidCodePage
GetCPInfo
GetOEMCP
GetACP
GetConsoleMode
GetConsoleCP
SetFilePointer
WriteFile
OpenEventW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
DeleteCriticalSection
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
ExitProcess
GetModuleHandleW
GetProcAddress
InterlockedDecrement
InterlockedIncrement
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
LeaveCriticalSection
EnterCriticalSection
IsBadReadPtr
HeapValidate
GetModuleFileNameW
EncodePointer
DecodePointer
IsProcessorFeaturePresent
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetStartupInfoW
FillConsoleOutputAttribute
FindFirstChangeNotificationA
GetModuleHandleA
GetSystemInfo
FindNextChangeNotification
LockResource
GetConsoleScreenBufferInfo
GetPrivateProfileStringA
GetLastError
FillConsoleOutputCharacterA
GetStdHandle
SetCurrentDirectoryA
lstrlenW
MultiByteToWideChar
SetConsoleCursorPosition
HeapCreate
CreateEventA
SizeofResource
ReadConsoleInputA
WideCharToMultiByte
FindResourceExA
FlushConsoleInputBuffer
HeapSetInformation
GetCommandLineA
FindCloseChangeNotification
WaitForSingleObject
GetCurrentProcess
HeapAlloc
LoadResource
lstrlenA
SetLastError
RaiseException

user32

GetWindow
MoveWindow
CheckMenuItem
EndPaint
DestroyWindow
EnumDisplayMonitors
GetSystemMenu
SetTimer
ScreenToClient
GetWindowRect
RegisterClassExA
PostQuitMessage
SendDlgItemMessageA
GetWindowDC
IsIconic
FillRect
KillTimer
GetSubMenu
DrawIconEx
LoadBitmapA
GetParent
LoadIconA
wsprintfA
DrawIcon
FindWindowExA
GetClientRect
ExitWindowsEx
SetFocus
SendMessageA
BeginPaint
GetIconInfo
GetDC
TranslateMessage
GetMenu
SetRect
SetWindowLongA
MessageBoxA
UnionRect
InvalidateRect
UnregisterClassA
CreateWindowExA
PeekMessageA
ReleaseDC
GetDlgItem
EndDialog
DefWindowProcA
GetDesktopWindow
GetSysColor
SetWindowPos
GetMenuItemInfoA
CheckDlgButton
ShowWindow
IsDlgButtonChecked
IsWindow
DispatchMessageA
MessageBoxW
SystemParametersInfoA
GetSystemMetrics
SetWindowTextA
LoadImageA
UpdateWindow
LoadCursorA
SetDlgItemTextA

gdi32

BitBlt
PatBlt
GetTextExtentPoint32A
DeleteDC
CreateDIBSection
CreateFontIndirectA
DeleteObject
SelectObject
CreateCompatibleDC
DPtoLP
CreateCompatibleBitmap
CreatePen
GetObjectA
GetStockObject
CreateSolidBrush

advapi32

RegCreateKeyA
LookupPrivilegeValueA
RegQueryValueExA
RegSetValueExA
OpenProcessToken
RegCloseKey
AdjustTokenPrivileges

shell32

SHGetFolderPathW
ord727
SHGetFileInfoW
SHGetMalloc
SHGetFolderLocation
SHGetFolderPathA
SHGetDesktopFolder

ole32

CoInitialize
CoUninitialize
CoCreateInstance

odbc32

ord41

shlwapi

StrRetToBufA
PathCompactPathA

comctl32

ImageList_Create
ImageList_ReplaceIcon
ImageList_SetBkColor
ImageList_Add

activeds

ord17

secur32

InitSecurityInterfaceA

Sections

.text
Size: 132KB - Virtual size: 131KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 67KB - Virtual size: 66KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/tinba/c92607f14e44bb1f32adc2ed3bc1946dd2f61f7438438bf81d2e6dbe1712711d.exe
.exe windows:4 windows x86 arch:x86

d0f156be95b89ada5813326f915d62a1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

AddAtomW
FreeConsole
GetCurrencyFormatW
IsProcessorFeaturePresent
CreateEventA
OpenFileMappingW
LocalHandle
HeapSize
MulDiv
WriteFile
GetTempFileNameW
SetLocaleInfoW
DosDateTimeToFileTime
EnumLanguageGroupLocalesW
CreatePipe
GetPrivateProfileSectionNamesA
SetConsoleTitleA
CancelDeviceWakeupRequest
GetVolumePathNameA
GetProfileIntA
GetDateFormatA
DebugBreak
SuspendThread
SetCommMask
EnumUILanguagesW
MoveFileWithProgressA
BackupRead
GetNumberOfConsoleInputEvents
GetLongPathNameA
FreeLibrary
GetFileAttributesW
EnumDateFormatsA
QueryDosDeviceA
UpdateResourceW
WritePrivateProfileStructA
lstrcpynA
GetExitCodeProcess
GlobalAddAtomW
GetShortPathNameW
UnlockFileEx
SetComputerNameExA
CancelDeviceWakeupRequest

gdi32

GetDeviceCaps

ole32

OleCreateFromData
HWND_UserMarshal
CreateAntiMoniker
CoInitialize
CoSetProxyBlanket
CoDisconnectObject
ReleaseStgMedium
HGLOBAL_UserSize
PropStgNameToFmtId

msvcrt

iswprint
_wgetenv
srand
strtok
iswupper
tolower
fputs
_swab
wcsncpy
_fputchar
iswctype
_strupr
bsearch
_strnicmp
memcmp
_wspawnl
_abnormal_termination
_rotl
_flsbuf
isdigit
memmove
_isctype
isalpha
isgraph
_wspawnvpe
_wexecve
_wcslwr
_wcsrev
fputwc
_fcvt
_ultoa
tmpnam
_wcreat

winmm

timeSetEvent
waveOutOpen
midiConnect
midiOutSetVolume
mmioOpenA
mmioWrite
DrvGetModuleHandle
mciGetDeviceIDFromElementIDW
waveOutGetErrorTextW
joyGetPosEx
mixerSetControlDetails
joySetThreshold
mmioRead
waveOutGetDevCapsA
DefDriverProc
mmioDescend
mixerGetLineInfoA
mciSendStringA
midiOutClose
midiInGetDevCapsW
midiStreamOut
mmioSetBuffer
midiInClose
waveOutReset
midiOutPrepareHeader
waveInGetPosition
GetDriverModuleHandle
mmioGetInfo
midiInMessage
mciGetCreatorTask
auxGetVolume
joyGetDevCapsW
waveInGetErrorTextA
mixerGetLineControlsW

mscms

GetColorProfileElement
UninstallColorProfileA
AssociateColorProfileWithDeviceA
EnumColorProfilesW
GetStandardColorSpaceProfileW
DisassociateColorProfileFromDeviceW
GetStandardColorSpaceProfileA
SetStandardColorSpaceProfileW
DeleteColorTransform
GetPS2ColorRenderingIntent
SetColorProfileHeader
TranslateBitmapBits
CreateColorTransformA
ConvertIndexToColorName
CreateProfileFromLogColorSpaceW
RegisterCMMW
GetColorProfileElementTag
GetColorProfileFromHandle
UninstallColorProfileW
CreateMultiProfileTransform
GetCountColorProfileElements
InstallColorProfileA
CreateColorTransformW
CheckColors
SetColorProfileElementReference

Sections

.text
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.u
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 32KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/tinba/d2aa0f3e94249814cc9df7ce269e58036b8385efb86e1549e4636d2cbda29e7dN.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.text
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.WavfW
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 9KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/tinba/d6bb21a00f146abeff3310c98c7fad1437b34de59e2bbd5c0bf2a08c2fff9081.exe
.exe windows:5 windows x86 arch:x86

eb29527bc4a3140f4ce75eb5d2954101

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_AGGRESIVE_WS_TRIM
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_UP_SYSTEM_ONLY

Imports

kernel32

lstrcpyA
CloseHandle
CreateFileW
FlushFileBuffers
LCMapStringW
GetStringTypeW
SetStdHandle
RtlUnwind
HeapFree
HeapQueryInformation
HeapSize
HeapReAlloc
LoadLibraryW
OutputDebugStringW
WriteConsoleW
OutputDebugStringA
IsValidCodePage
GetCPInfo
GetOEMCP
GetACP
GetConsoleMode
GetConsoleCP
SetFilePointer
WriteFile
OpenEventW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
DeleteCriticalSection
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
ExitProcess
GetModuleHandleW
GetProcAddress
InterlockedDecrement
InterlockedIncrement
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
LeaveCriticalSection
EnterCriticalSection
IsBadReadPtr
HeapValidate
GetModuleFileNameW
EncodePointer
DecodePointer
IsProcessorFeaturePresent
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetStartupInfoW
FillConsoleOutputAttribute
FindFirstChangeNotificationA
GetModuleHandleA
GetSystemInfo
FindNextChangeNotification
LockResource
GetConsoleScreenBufferInfo
GetPrivateProfileStringA
GetLastError
FillConsoleOutputCharacterA
GetStdHandle
SetCurrentDirectoryA
lstrlenW
MultiByteToWideChar
SetConsoleCursorPosition
HeapCreate
CreateEventA
SizeofResource
ReadConsoleInputA
WideCharToMultiByte
FindResourceExA
FlushConsoleInputBuffer
HeapSetInformation
GetCommandLineA
FindCloseChangeNotification
WaitForSingleObject
GetCurrentProcess
HeapAlloc
LoadResource
lstrlenA
SetLastError
RaiseException

user32

GetWindow
MoveWindow
CheckMenuItem
EndPaint
DestroyWindow
EnumDisplayMonitors
GetSystemMenu
SetTimer
ScreenToClient
GetWindowRect
RegisterClassExA
PostQuitMessage
SendDlgItemMessageA
GetWindowDC
IsIconic
FillRect
KillTimer
GetSubMenu
DrawIconEx
LoadBitmapA
GetParent
LoadIconA
wsprintfA
DrawIcon
FindWindowExA
GetClientRect
ExitWindowsEx
SetFocus
SendMessageA
BeginPaint
GetIconInfo
GetDC
TranslateMessage
GetMenu
SetRect
SetWindowLongA
MessageBoxA
UnionRect
InvalidateRect
UnregisterClassA
CreateWindowExA
PeekMessageA
ReleaseDC
GetDlgItem
EndDialog
DefWindowProcA
GetDesktopWindow
GetSysColor
SetWindowPos
GetMenuItemInfoA
CheckDlgButton
ShowWindow
IsDlgButtonChecked
IsWindow
DispatchMessageA
MessageBoxW
SystemParametersInfoA
GetSystemMetrics
SetWindowTextA
LoadImageA
UpdateWindow
LoadCursorA
SetDlgItemTextA

gdi32

BitBlt
PatBlt
GetTextExtentPoint32A
DeleteDC
CreateDIBSection
CreateFontIndirectA
DeleteObject
SelectObject
CreateCompatibleDC
DPtoLP
CreateCompatibleBitmap
CreatePen
GetObjectA
GetStockObject
CreateSolidBrush

advapi32

RegCreateKeyA
LookupPrivilegeValueA
RegQueryValueExA
RegSetValueExA
OpenProcessToken
RegCloseKey
AdjustTokenPrivileges

shell32

SHGetFolderPathW
ord727
SHGetFileInfoW
SHGetMalloc
SHGetFolderLocation
SHGetFolderPathA
SHGetDesktopFolder

ole32

CoInitialize
CoUninitialize
CoCreateInstance

odbc32

ord41

shlwapi

StrRetToBufA
PathCompactPathA

comctl32

ImageList_Create
ImageList_ReplaceIcon
ImageList_SetBkColor
ImageList_Add

activeds

ord17

secur32

InitSecurityInterfaceA

Sections

.text
Size: 132KB - Virtual size: 131KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 67KB - Virtual size: 66KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/tinba/d75216d6201edc170f5bfa9821d4a9e56080d46d04e31a1a9cb74ced59ade32fN.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/ed02cb9e1685ac20241c4136ec13613c89449d7f966712a5904d0938df518915N.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.MPRESS1
Size: 51KB - Virtual size: 88KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.MPRESS2
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 31KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/f12b6dd2ea07de530f5f139dd06f33a5a57eed25db16fc06e8381190b2f295fd.exe
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 64KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/tinba/ff72623ff0898ab1ffae60e39ca079b01fb32a2be47eadeab57ea2c09cf80d7cN.exe
.exe windows:4 windows x86 arch:x86

541dcdb1e3ae072a7b19447b5ae69f35

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvbvm60

__vbaVarSub
__vbaVarTstGt
_CIcos
_adj_fptan
__vbaVarMove
__vbaAryMove
__vbaFreeVar
__vbaLenBstr
ord588
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
ord516
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryVar
__vbaAryDestruct
ord593
__vbaVarPow
ord594
__vbaOnError
_adj_fdiv_m16i
__vbaObjSetAddref
_adj_fdivr_m16i
ord598
__vbaBoolVarNull
_CIsin
ord631
ord525
__vbaVarCmpGt
__vbaChkstk
__vbaFileClose
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaGet3
__vbaAryConstruct2
__vbaObjVar
DllFunctionCall
__vbaVarLateMemSt
__vbaVarOr
__vbaLbound
_adj_fpatan
__vbaRedim
EVENT_SINK_Release
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaUI1I4
__vbaVarMul
__vbaExceptHandler
ord711
ord713
_adj_fprem
_adj_fdivr_m64
__vbaVarDiv
__vbaFPException
ord717
__vbaUbound
ord535
__vbaI2Var
ord537
_CIlog
__vbaErrorOverflow
__vbaFileOpen
ord570
__vbaVar2Vec
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaI4Str
__vbaFreeStrList
__vbaVarCmpLt
_adj_fdivr_m32
__vbaR8Var
_adj_fdiv_r
ord100
ord689
__vbaLateMemCall
__vbaVarAdd
__vbaAryLock
__vbaVarCopy
__vbaVarLateMemCallLd
__vbaFpI4
_CIatan
__vbaAryCopy
__vbaStrMove
__vbaStrVarCopy
_allmul
_CItan
__vbaAryUnlock
_CIexp
__vbaFreeStr
__vbaFreeObj

Sections

.text
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/unclasified/0d3cbacb3e2d1d41f1325b6486ccafa6077e4d103865f41e85238e6219147d1aN.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 56KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/unclasified/1a26eb0866d7621a88cd9cb7e1be4cec102d7b6a68b6f145c13a7799eb7c6e9a
.html .js polyglot
BastianHein Malware samples/unclasified/2025-01-25_775116ad03f7df6217efcca6c2b01c7e_cryptolocker.exe
.exe windows:5 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/unclasified/2025-01-25_a6980e543efa40771ed1dcf84b29d732_avoslocker_cobalt-strike_luca-stealer.exe
.exe windows:6 windows x86 arch:x86

82a8292007e682f1a127ba8dcebfae96

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

G:\Medusa\Release\gaze.pdb

Imports

kernel32

ReadFile
SetHandleInformation
lstrlenW
CreatePipe
GetFileAttributesW
SetFileAttributesW
GetLogicalDriveStringsW
Sleep
GetTickCount64
GetDiskFreeSpaceExW
CloseHandle
GetConsoleWindow
CreateProcessA
MoveFileW
GetDriveTypeW
GetSystemFirmwareTable
HeapSize
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
GetACP
IsValidCodePage
GetTimeZoneInformation
HeapReAlloc
FlushFileBuffers
GetFileSizeEx
GetConsoleCP
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetProcessHeap
HeapAlloc
WriteConsoleW
HeapFree
RaiseException
WaitForSingleObjectEx
SwitchToThread
GetCurrentThreadId
GetExitCodeThread
GetNativeSystemInfo
MultiByteToWideChar
LocalFree
FormatMessageA
CreateFileW
FindClose
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
SetEndOfFile
SetFilePointerEx
AreFileApisANSI
GetLastError
WideCharToMultiByte
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
SetLastError
InitializeCriticalSectionAndSpinCount
CreateEventW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
GetTickCount
GetModuleHandleW
GetProcAddress
QueryPerformanceCounter
EncodePointer
DecodePointer
GetStringTypeW
CompareStringW
LCMapStringW
GetLocaleInfoW
GetCPInfo
SetEvent
ResetEvent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
GetCurrentProcessId
InitializeSListHead
CreateTimerQueue
SignalObjectAndWait
CreateThread
SetThreadPriority
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
GetCurrentThread
GetThreadTimes
FreeLibrary
FreeLibraryAndExitThread
GetModuleFileNameW
GetModuleHandleA
LoadLibraryExW
GetVersionExW
VirtualAlloc
VirtualProtect
VirtualFree
DuplicateHandle
ReleaseSemaphore
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
UnregisterWaitEx
LoadLibraryW
RtlUnwind
ExitThread
GetModuleHandleExW
SetEnvironmentVariableW
ExitProcess
GetStdHandle
WriteFile
GetCommandLineA
GetCommandLineW
GetConsoleMode
ReadConsoleW
GetFileType
GetDateFormatW
GetTimeFormatW

user32

wsprintfW
ShowWindow

bcrypt

BCryptImportKeyPair
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptSetProperty
BCryptGetProperty
BCryptDestroyKey
BCryptEncrypt
BCryptHashData
BCryptGenerateSymmetricKey
BCryptCreateHash
BCryptOpenAlgorithmProvider

crypt32

CryptStringToBinaryA
CryptDecodeObjectEx

Sections

.text
Size: 477KB - Virtual size: 477KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 104KB - Virtual size: 103KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 54KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/unclasified/24080bbd2f63473948d09f51599129896c653f1ce8d18bf853f7696a3584195aN.exe
.exe windows:5 windows x86 arch:x86

bf95d1fc1d10de18b32654b123ad5e1f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetFileTime
CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
SetCurrentDirectoryW
GetFileAttributesW
GetLastError
CreateDirectoryW
SetFileAttributesW
Sleep
GetTickCount
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
ExitProcess
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
SetErrorMode
lstrcpynA
CloseHandle
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
LoadLibraryW
CreateProcessW
lstrcmpiA
CreateFileW
GetTempFileNameW
lstrcatW
GetProcAddress
LoadLibraryA
GetModuleHandleA
OpenProcess
lstrcpyW
GetVersionExW
GetSystemDirectoryW
GetVersion
lstrcpyA
RemoveDirectoryW
lstrcmpiW
lstrcmpW
ExpandEnvironmentStringsW
GlobalAlloc
WaitForSingleObject
GetExitCodeProcess
GlobalFree
GetModuleHandleW
LoadLibraryExW
FreeLibrary
WritePrivateProfileStringW
GetPrivateProfileStringW
WideCharToMultiByte
MulDiv
lstrlenA
WriteFile
ReadFile
MultiByteToWideChar
SetFilePointer
FindClose
FindNextFileW
FindFirstFileW
DeleteFileW
lstrlenW

user32

ScreenToClient
GetMessagePos
CallWindowProcW
IsWindowVisible
LoadBitmapW
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
GetWindowRect
AppendMenuW
CreatePopupMenu
GetSystemMetrics
EndDialog
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
DialogBoxParamW
CheckDlgButton
CreateWindowExW
SystemParametersInfoW
RegisterClassW
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharNextA
CharUpperW
CharPrevW
DispatchMessageW
PeekMessageW
wsprintfA
DestroyWindow
CreateDialogParamW
SetTimer
SetWindowTextW
PostQuitMessage
SetForegroundWindow
ShowWindow
wsprintfW
SendMessageTimeoutW
LoadCursorW
SetCursor
GetWindowLongW
GetSysColor
CharNextW
GetClassInfoW
ExitWindowsEx
FindWindowExW
GetDlgItem
SetWindowLongW
LoadImageW
GetDC
EnableWindow
InvalidateRect
SendMessageW
DefWindowProcW
BeginPaint
GetClientRect
FillRect
DrawTextW
EndPaint
IsWindow

gdi32

SetBkColor
GetDeviceCaps
DeleteObject
CreateBrushIndirect
CreateFontIndirectW
SetBkMode
SetTextColor
SelectObject

shell32

SHBrowseForFolderW
SHGetPathFromIDListW
SHGetFileInfoW
ShellExecuteW
SHFileOperationW
SHGetSpecialFolderLocation

advapi32

RegEnumKeyW
RegOpenKeyExW
RegCloseKey
RegDeleteKeyW
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegQueryValueExW
RegEnumValueW

comctl32

ImageList_AddMasked
ImageList_Destroy
ord17
ImageList_Create

ole32

CoTaskMemFree
OleInitialize
OleUninitialize
CoCreateInstance

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

Sections

.text
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 452KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 1.2MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/unclasified/25424b7e87163d21592ce14693a696536c7cd46a9abd7cc3fee2f0fa8eb727c0N.exe
.exe windows:5 windows x86 arch:x86

705958c97a1937f706c668a1c21fefdb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

M:\TWRK\84162e5da40d452f\src\MicrogamingInstall\Release\MicrogamingInstall.pdb

Imports

kernel32

lstrcpyA
MapViewOfFile
UnmapViewOfFile
CreateFileMappingA
WideCharToMultiByte
OutputDebugStringA
CreateProcessW
WaitForSingleObject
OpenProcess
Sleep
CreateProcessA
lstrcmpiA
RemoveDirectoryA
CopyFileA
GetTempFileNameA
GetCurrentProcessId
GetTempPathA
DeleteFileA
GetComputerNameA
FormatMessageA
GetVolumePathNameW
CopyFileW
FormatMessageW
RemoveDirectoryW
GetModuleHandleA
ReleaseMutex
GetDiskFreeSpaceExA
GetVersionExA
DeleteFileW
SetFileAttributesW
SetEvent
GetPrivateProfileStringW
CreateEventA
LoadLibraryA
CreateMutexA
GetDriveTypeA
GetVolumeInformationA
DeviceIoControl
ResetEvent
InterlockedDecrement
MoveFileExA
Process32First
TerminateProcess
GetSystemDirectoryA
GetLocalTime
Process32Next
CreateToolhelp32Snapshot
InterlockedIncrement
GetPrivateProfileIntA
InterlockedExchange
GetExitCodeThread
WaitForMultipleObjects
GetCurrentThreadId
CreateThread
CreateSemaphoreA
ReleaseSemaphore
GetLogicalDriveStringsA
GlobalMemoryStatusEx
GetSystemInfo
GetEnvironmentVariableA
SetThreadPriority
GetCurrentThread
GetThreadTimes
ResumeThread
InterlockedCompareExchange
QueueUserWorkItem
OpenFileMappingA
lstrcatA
CompareStringW
GetProcessHeap
SetEndOfFile
SetStdHandle
GetStringTypeW
HeapSize
FlushFileBuffers
GetConsoleMode
GetConsoleCP
IsProcessorFeaturePresent
GetCurrentDirectoryW
PeekNamedPipe
GetFileInformationByHandle
GetTickCount
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetHandleCount
LCMapStringW
GetTimeZoneInformation
GetCurrentProcess
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
SetLastError
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
HeapCreate
GetStdHandle
GetFileType
WriteConsoleW
MoveFileA
RaiseException
RtlUnwind
GetFullPathNameA
GetDriveTypeW
SetCurrentDirectoryA
GetCurrentDirectoryA
SetEnvironmentVariableA
FindFirstFileExA
FileTimeToLocalFileTime
FileTimeToSystemTime
GetStartupInfoW
HeapSetInformation
FindNextFileA
GetModuleFileNameA
FindClose
FindFirstFileA
CreateDirectoryA
lstrlenW
GetFileAttributesW
GetModuleFileNameW
lstrcpynW
GetFileAttributesA
lstrcpynA
CreateFileA
lstrlenA
GetFileSize
LocalFree
GetProcAddress
MultiByteToWideChar
CreateFileW
LoadLibraryW
CreateDirectoryW
FreeLibrary
CloseHandle
GetLastError
ReadFile
WriteFile
SetFilePointer
GetCommandLineA
LeaveCriticalSection
EnterCriticalSection
HeapReAlloc
ExitThread
GetSystemTimeAsFileTime
ExitProcess
GetModuleHandleW
EncodePointer
DecodePointer
HeapAlloc
HeapFree
SetFileAttributesA

user32

PostMessageA
RegisterClassA
ShowWindow
DefWindowProcA
CreateWindowExA
FlashWindowEx
MoveWindow
DefWindowProcW
SetWindowTextA
LoadCursorA
AdjustWindowRect
EnableWindow
UpdateWindow
MapWindowPoints
LoadImageA
IsWindowVisible
GetSystemMetrics
RegisterClassW
MessageBoxW
MessageBoxA
SetFocus
CopyRect
wsprintfW
InvalidateRect
GetDlgCtrlID
GetActiveWindow
DispatchMessageA
CreateWindowExW
CreatePopupMenu
SetLayeredWindowAttributes
GetCursorPos
SetWindowPos
SetWindowLongW
ReleaseDC
PeekMessageA
AppendMenuW
GetWindowLongW
SetWindowLongA
OffsetRect
ChildWindowFromPoint
TranslateMessage
IsDialogMessageA
SendMessageA
GetClientRect
IsWindowEnabled
LoadIconA
SetForegroundWindow
PostThreadMessageA
wsprintfA
wvsprintfA
SendMessageTimeoutA
DestroyWindow
GetMessageA
GetWindowRect
TrackPopupMenu
GetWindowDC

gdi32

DeleteDC
CreateDIBSection
GetDIBits
DeleteObject
SelectObject
CreateCompatibleDC
GetStockObject
BitBlt

advapi32

RegQueryValueExA
RegEnumKeyW
OpenSCManagerA
CloseServiceHandle
OpenServiceA
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueW
RegSetValueA
RegQueryValueW
RegCloseKey
GetUserNameA
RegOpenKeyExA
RegCreateKeyExA
RegSetValueExA
FreeSid
SetEntriesInAclW

shell32

Shell_NotifyIconA
SHGetSpecialFolderLocation
ShellExecuteA
SHGetPathFromIDListW
SHGetFolderPathW
SHGetMalloc
SHChangeNotify
SHGetSpecialFolderPathA

ole32

OleInitialize
OleCreate
OleSetContainedObject
StringFromIID
OleUninitialize
CoCreateInstance
CoCreateGuid
CoTaskMemAlloc
CoSetProxyBlanket
CoUninitialize
CoInitialize
CoTaskMemFree
CLSIDFromProgID

oleaut32

VariantTimeToSystemTime
VariantCopy
VariantChangeType
SysStringLen
SafeArrayUnaccessData
VariantInit
SafeArrayAccessData
SysAllocString
SysAllocStringLen
SysFreeString
VariantClear
SafeArrayCreateVector

wsock32

gethostbyname
gethostbyaddr
inet_addr
ioctlsocket
WSACleanup
htonl
WSAGetLastError
htons
ntohs
getservbyport
getservbyname
WSASetLastError
WSAStartup

wininet

InternetCreateUrlA
InternetOpenW
InternetOpenUrlW
InternetReadFile
InternetConnectA
InternetGetLastResponseInfoA
InternetCrackUrlW
HttpSendRequestA
HttpQueryInfoA
InternetOpenUrlA
InternetQueryOptionA
InternetCloseHandle
InternetOpenA
HttpOpenRequestA
InternetSetOptionA
InternetCrackUrlA

shlwapi

PathAppendA
SHDeleteKeyA
PathCanonicalizeW
PathAppendW
StrStrA
PathCanonicalizeA

psapi

GetModuleFileNameExA

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA

ws2_32

WSAAddressToStringA

urlmon

CoInternetGetSession

Exports

Exports

?CreateDefaultBrowserInfo@@YGPAVIDefaultBrowserInfo@@XZ
?CreateDirectXVersionInfo@@YGPAVIDirectXVersionInfo@@XZ
?CreateDisplaysDeviceInfo@@YGPAVIDisplayDevicesInfo@@XZ
?CreateFixedDriveInfo@@YGPAVIFixedDriveInfo@@XZ
?CreateFixedDrivesInfo@@YGPAVIFixedDrivesInfo@@XZ
?CreateFlashInfo@@YGPAVIFlashInfo@@XZ
?CreateIEVersionInfo@@YGPAVIIEVersionInfo@@XZ
?CreateMacAddress@@YGPAVIMacAddress@@XZ
?CreateMachineInfo@@YGPAVIMachineInfo@@XZ
?CreateMachineInfoXML@@YGPAVIMachineInfoXML@@XZ
?CreateOSInfo@@YGPAVIOSInfo@@XZ
?CreateProcessorsInfo@@YGPAVIProcessorsInfo@@XZ
?CreateRamInfo@@YGPAVIRamInfo@@XZ
?CreateSoundDevicesInfo@@YGPAVISoundDevicesInfo@@XZ
?CreateUserExperience@@YGPAVIUserExperience@@XZ
?CreateVMInfo@@YGPAVIVMInfo@@XZ

Sections

.text
Size: 419KB - Virtual size: 418KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 64KB - Virtual size: 63KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 80KB - Virtual size: 99KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/unclasified/282e810fd41b17ea190083e50f76072fe561baeddec0c5bb082b4ba8ceb8c4fc.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 56KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/unclasified/2cc9184002eac33ce183b8e6647ee7f4.exe.exe
.exe windows:4 windows x86 arch:x86

998e61d6710cb3a6dd7148e1a6e829e1

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

ExitProcess
LeaveCriticalSection
GetTempPathW
GetComputerNameW
GetHandleInformation
SetConsoleMode
RemoveDirectoryW
PrepareTape
WritePrivateProfileStructA
InitializeCriticalSection
lstrcmpiW
GetFileAttributesA
GetWindowsDirectoryA
PurgeComm
EnumDateFormatsW
GetCommandLineW
CompareStringA
WriteConsoleOutputW
FormatMessageA
SetThreadLocale
GetCurrentProcessId
OutputDebugStringA
CreateProcessA
GetLocaleInfoW
GetFileType
GetConsoleMode
WritePrivateProfileSectionW
CreateMutexA
SetMailslotInfo
IsValidLocale
PeekConsoleInputW
SearchPathW
IsDBCSLeadByteEx
ReadFile
GetTickCount
SetHandleCount
GetDriveTypeW
EnumCalendarInfoW
ReadDirectoryChangesW
GetThreadContext
VirtualAlloc
lstrcpynA
GetEnvironmentStringsW
GetSystemDefaultLangID
GlobalFlags
EnumSystemCodePagesA
SuspendThread
GetPrivateProfileStringA
OutputDebugStringW
GetVolumeInformationW

user32

ClientToScreen
DrawStateA
IsCharLowerA
CallNextHookEx
SetWinEventHook
TranslateMDISysAccel
UnhookWindowsHookEx
CheckMenuItem
SendMessageTimeoutA
MoveWindow
AppendMenuA
DrawTextExA

msvcrt

vfprintf
_mbslwr
_beginthread
_wctime
wcsspn
_mbsupr
freopen
toupper
abort
_spawnvp
iswascii
fseek
_ecvt
_mbsnextc
wctomb
_wcsicoll
_ltoa
_chsize
_tempnam
swprintf
fputc
_ui64tow
strchr

Sections

.text
Size: 8KB - Virtual size: 112KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 152KB - Virtual size: 150KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/unclasified/2e421206cea5dc3d51ccd136f55c3ccb.exe
.exe windows:4 windows x86 arch:x86

b41deb5f969b99278a38389c0be8c3d6

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

NtGetContextThread
NtSetContextThread
NtResumeThread
NtWriteVirtualMemory
NtUnmapViewOfSection
NtAllocateVirtualMemory

urlmon

URLDownloadToFileW

shell32

ShellExecuteW

user32

CallWindowProcW
FindWindowW
PostMessageW

kernel32

GetFileAttributesW
DeleteFileW
CreateProcessW
GetModuleFileNameW
GetSystemDirectoryW
CopyFileW
Sleep
SetFileAttributesW
CreateDirectoryW
GetEnvironmentVariableW

msvbvm60

ord582
ord583
ord584
__vbaLenBstr
ord516
ord660
ord593
ord594
ord520
VarPtr
ord632
DllFunctionCall
ord601
__vbaExceptHandler
ord608
ProcCallEngine
ord535
ord573
ord575
ord100
ord546
ord581

Sections

.text
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 100KB - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.0data
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/unclasified/2e4c41fd9d7e488099334eb29a6a129ad8baf81e40fa70def98c98963fc6782cN.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Sections

.nsp0
Size: 33KB - Virtual size: 36KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.nsp1
Size: 12KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.nsp2
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.imports
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/unclasified/38766f28fc038dd0ac0aef4aafed48cc.exe
.exe windows:5 windows x86 arch:x86

01c05e12ef4973c4e4634ede8277b706

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

oleaut32

LPSAFEARRAY_UserSize
VarCyInt
VarUI2FromUI8
VarI1FromI8
SafeArrayGetElement
VarUI2FromDate
VarUI2FromStr
VarR8FromI8
VarR8FromStr
VarDateFromI8
VarBoolFromDisp
VarDateFromR4
VarDateFromUI2
SafeArraySetRecordInfo
VarI8FromR4
VarUI1FromI1
SetVarConversionLocaleSetting
VarI8FromBool
VarUI4FromStr
VarI2FromUI4
ClearCustData
VarI2FromDec
SysFreeString
VarAnd
VarCyMulI4
SafeArrayAllocDescriptorEx
VarOr
VarI2FromUI1
VarI4FromDate
VectorFromBstr
VarUI2FromDisp
LPSAFEARRAY_UserFree
VarUI1FromI2
VarI2FromI4
VarI1FromDisp
VarUI1FromBool
VarUI1FromStr
VarFormatNumber
VarDecFix
VarCyFromUI8
VariantClear
VarCmp
VarBstrFromUI2
VarI1FromI2
VarI8FromR8

secur32

ImportSecurityContextA
ExportSecurityContext
GetComputerObjectNameW
DeleteSecurityContext
CredUnmarshalTargetInfo
LsaGetLogonSessionData
SaslAcceptSecurityContext
SaslIdentifyPackageA
GetComputerObjectNameA
FreeCredentialsHandle
SecpTranslateNameEx
QuerySecurityPackageInfoW
UnsealMessage
AcceptSecurityContext
ImportSecurityContextW
LsaLookupAuthenticationPackage
LsaEnumerateLogonSessions
InitSecurityInterfaceA
LsaFreeReturnBuffer
AddSecurityPackageW
LsaRegisterLogonProcess
InitSecurityInterfaceW
LsaUnregisterPolicyChangeNotification
AddCredentialsA
AcquireCredentialsHandleA
LsaConnectUntrusted
GetUserNameExA
QueryCredentialsAttributesA
VerifySignature
EnumerateSecurityPackagesW
SecpTranslateName
DeleteSecurityPackageW
DecryptMessage
ApplyControlToken
SaslInitializeSecurityContextA
EnumerateSecurityPackagesA
EncryptMessage

dnsapi

DnsAcquireContextHandle_W
DnsAsyncRegisterInit
DnsFree
Dns_AllocateMsgBuf
DnsFlushResolverCacheEntry_A
DnsGetDnsServerList
DnsIpv6StringToAddress
DnsUpdateTest_A
Dns_ReadPacketName
Dns_ParsePacketRecord
DnsNotifyResolver
DnsStatusString
BreakRecordsIntoBlob
Dns_RecvTcp
DnsQueryConfig
Dns_SkipPacketName
DnsModifyRecordsInSet_W
DnsNameCompareEx_W
Query_Main
DnsRecordSetCopyEx
DnsWriteReverseNameStringForIpAddress
DnsAsyncRegisterHostAddrs
DnsValidateName_W
DnsNotifyResolverClusterIp
Dns_CloseSocket
DnsQuery_A
Reg_ReadGlobalsEx
DnsGetBufferLengthForStringCopy
DnsReplaceRecordSetA
DnsAcquireContextHandle_A
Dns_CreateMulticastSocket

kernel32

BackupWrite
FillConsoleOutputCharacterW
FileTimeToLocalFileTime
LoadLibraryA
ReplaceFile
GlobalFindAtomA
SetLastConsoleEventActive
ReadConsoleA
InterlockedDecrement
GetTapeParameters
GetConsoleAliasA
GetCommModemStatus
SetHandleCount
SetFirmwareEnvironmentVariableW
CreateMutexW
WriteConsoleW
WritePrivateProfileStructA
VirtualAlloc
lstrcpynW
LeaveCriticalSection
BaseInitAppcompatCacheSupport
IsValidCodePage
InitializeCriticalSection
DeleteCriticalSection
GetFileSize
FindVolumeMountPointClose
CmdBatNotification
GetConsoleWindow
GetPrivateProfileIntW
lstrcmpA
CreateNamedPipeW
SetLocaleInfoW
OpenEventW
ConnectNamedPipe
HeapValidate
EnumResourceLanguagesW
ResetEvent
CallNamedPipeW
GetLongPathNameA
OpenWaitableTimerW
IsWow64Process
SetConsoleInputExeNameA
VirtualFree
GetPrivateProfileStringW

gdi32

DdEntry24
GetBkMode
DdEntry34
AnimatePalette
FONTOBJ_cGetGlyphs
GetWindowExtEx
GetEnhMetaFileBits
GetCharWidthI
AbortPath
SetTextAlign
EnumFontFamiliesExA
StartPage
GetCurrentObject
GetKerningPairsA
GetDIBColorTable
EngCreateBitmap
FloodFill
SelectClipPath
EnumFontsA
CreateHatchBrush
Rectangle
DeviceCapabilitiesExA
GetCharWidthA
GetColorSpace
GetCharWidth32W
PatBlt
CopyEnhMetaFileW
ExtEscape
DdEntry20
DdEntry27
DeleteObject
GetStringBitmapA

scecli

SceCloseProfile
SceEnumerateServices
SceOpenPolicy
SceSvcFree
SceSvcConvertTextToSD
SceCopyBaseProfile
SceStartTransaction
SceConfigureConvertedFileSecurity
SceSetupMoveSecurityFile
SceFreeMemory
SceGetObjectSecurity
SceWriteSecurityProfileInfo
SceSysPrep
SceDcPromoCreateGPOsInSysvol
SceCommitTransaction
SceSvcSetInformationTemplate
SceSetupUpdateSecurityService
SceGenerateRollback
SceEnforceSecurityPolicyPropagation
SceSetupUpdateSecurityFile
SceProcessSecurityPolicyGPO
SceDcPromoteSecurity
SceAddToNameStatusList
SceRegisterRegValues
SceAddToObjectList
SceAddToNameList
SceConfigureSystem
SceCompareSecurityDescriptors
SceSetupUpdateSecurityKey

msvcrt40

?ipfx@istream@@QAEHH@Z
__getmainargs
_execve
?pbump@streambuf@@IAEXH@Z
??1stdiobuf@@UAE@XZ
??_Gifstream@@UAEPAXI@Z
??0strstream@@QAE@XZ
?get@istream@@IAEAAV1@PADHH@Z
__unDName
_safe_fdiv
_msize
_safe_fdivr
?pbackfail@streambuf@@UAEHH@Z
_mbsspn
??_8strstream@@7Bistream@@@
?attach@ofstream@@QAEXH@Z
?fd@ofstream@@QBEHXZ
?fLockcInit@ios@@0HA
ldiv
_rotl
??9type_info@@QBEHABV0@@Z
?cout@@3Vostream_withassign@@A
_itoa
?sync@stdiobuf@@UAEHXZ
_heapchk
_fcvt
??_Eostrstream@@UAEPAXI@Z
??1istream@@UAE@XZ
?put@ostream@@QAEAAV1@D@Z
??0streambuf@@QAE@ABV0@@Z
?write@ostream@@QAEAAV1@PBDH@Z
ispunct
?sh_write@filebuf@@2HB
?seekp@ostream@@QAEAAV1@J@Z
sprintf
?attach@fstream@@QAEXH@Z
?_set_new_mode@@YAHH@Z
_mbctype
_mbsdec
tmpnam
?clrlock@streambuf@@QAEXXZ
_mktemp
__argv

Sections

.text
Size: 204KB - Virtual size: 204KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 197KB - Virtual size: 197KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 461KB - Virtual size: 1.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/unclasified/493a0d2e26985360ef89cf7f29a7e45ba4f2f0ff.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 828KB - Virtual size: 827KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 15KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 16B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 46KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 258KB - Virtual size: 257KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/unclasified/4a645db21820664f4f3d9d23f2967d790180a7e027ac7d13c865042ed48085b4.exe
.exe windows:6 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

Size: 144KB - Virtual size: 60KB

Size: 224KB - Virtual size: 4B

��
Size: - Virtual size:

IMAGE_SCN_CNT_INITIALIZED_DATA

Size: - Virtual size:
BastianHein Malware samples/unclasified/626ba566046f09c91dde566ce4e5f594ccd136b5db37f598407b73c28a628b4a.exe
.exe windows:4 windows x86 arch:x86

23d47cbef5ef7b970f550a993e2e8f04

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

GetModuleHandleA
GetProcAddress

advapi32

RegOpenKeyA

iphlpapi

GetAdaptersInfo

wininet

InternetOpenA

user32

wsprintfA

Sections

.MPRESS1
Size: 21KB - Virtual size: 45KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.MPRESS2
Size: 1024B - Virtual size: 1021B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/unclasified/6939e5538a525c245cab0a90a55eeb824c4599f6c6b9318dd52cb83dca3d4ffd
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 776B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/unclasified/754f642b7beff1d880f464a94ddbabba8ed3a8a20be9aa173d54f4b5f2def77a
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 787KB - Virtual size: 786KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 15KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 16B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 44KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 209KB - Virtual size: 208KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
BastianHein Malware samples/unclasified/832e6b92829719243bfed205d197fcedf7212ffd25247c1f6e024a84e220598f.exe
.exe windows:5 windows x86 arch:x86

de58f4fc29c988fcef0248564284d0f7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetModuleHandleW
GetComputerNameW
GetLocalTime
SystemTimeToFileTime
FileTimeToSystemTime
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
MultiByteToWideChar
GetProcAddress
LoadLibraryW
GetCurrentProcess
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
GetLastError
CloseHandle
WideCharToMultiByte
MoveFileW
DeleteFileW
CreateDirectoryW
SetFileAttributesW
GetTempPathW
GetTempFileNameW
MoveFileExW
lstrlenW
CreateFileW
GetFileSize
ReadFile
WriteFile
Sleep
GetComputerNameA
GetModuleFileNameW
CreateProcessW
GetSystemTime
FileTimeToLocalFileTime
RaiseException
InitializeCriticalSectionAndSpinCount
HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetProcessHeap
LocalAlloc
SetEndOfFile
SetStdHandle
WriteConsoleW
FreeLibrary
LoadLibraryA
InterlockedIncrement
InterlockedDecrement
InterlockedExchange
EncodePointer
DecodePointer
GetCommandLineW
HeapSetInformation
GetStartupInfoW
GetCurrentThreadId
RtlUnwind
LCMapStringW
GetCPInfo
SetUnhandledExceptionFilter
ExitProcess
GetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
IsDebuggerPresent
IsProcessorFeaturePresent
GetConsoleCP
GetConsoleMode
GetACP
GetOEMCP
IsValidCodePage
SetFilePointer
FlushFileBuffers
GetUserDefaultLCID
GetLocaleInfoW
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
GetStringTypeW

ole32

BindMoniker
CoInitialize

shlwapi

PathIsRootW
PathFileExistsW
PathAppendW
PathAddExtensionW
PathRemoveExtensionW

Sections

.text
Size: 137KB - Virtual size: 136KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 262KB - Virtual size: 283KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 50KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.iobf
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/unclasified/8670dfa9adc5e7fb564d9053b142fcf95a3250c60a037e91186f4147d3e99793
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 227KB - Virtual size: 226KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 512B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/unclasified/87c8e98802e59fd1badc1a761437111dac55078907e690fc5ed0f025647bbf82.elf
.elf linux arm
BastianHein Malware samples/unclasified/912edd7714e8e1f86fbe1cbf1614929dfaf2bf69ec7f29c7b18e84e2b81149e1N.exe
.exe windows:4 windows x86 arch:x86

23d47cbef5ef7b970f550a993e2e8f04

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

GetModuleHandleA
GetProcAddress

advapi32

RegOpenKeyA

iphlpapi

GetAdaptersInfo

wininet

InternetOpenA

user32

wsprintfA

Sections

.MPRESS1
Size: 21KB - Virtual size: 45KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.MPRESS2
Size: 1024B - Virtual size: 1021B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/unclasified/FluxusB.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\Blurzz\Desktop\FluxusB\obj\Debug\FluxusB.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 2.9MB - Virtual size: 2.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 170KB - Virtual size: 169KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
BastianHein Malware samples/unclasified/a236d1d48df7c0818ada17aa0a13bc7840e6d375ff2ebd8e2cd134aa66723b6b.exe
.exe windows:4 windows x86 arch:x86

2eabe9054cad5152567f0699947a2c5b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

lstrcpy

Sections

Size: 4KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 512B - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 512B - Virtual size: 2.7MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

nmuaptno
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

ymhyyffo
Size: 1024B - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.taggant
Size: 8KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/unclasified/d2d5be7fa6010b6e5769864823dc8ed1ea253cab28ac506c2527dda658eedf82.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 263KB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/unclasified/d840b1492c71258a40c6ed9e9041b017cf05bee98093c343e56f3e00e5f6965bN.exe
.exe windows:4 windows x86 arch:x86

87bed5a7cba00c7e1f4015f1bdae2183

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LoadLibraryA
GetProcAddress

Sections

kkrunchy
Size: 52KB - Virtual size: 6.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
BastianHein Malware samples/unclasified/e34e6b097e4bcb66a6919057de46185303f55d3aaa33269889d601a1161157aaN.exe
.exe windows:4 windows x86 arch:x86

23d47cbef5ef7b970f550a993e2e8f04

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

GetModuleHandleA
GetProcAddress

advapi32

RegOpenKeyA

iphlpapi

GetAdaptersInfo

wininet

InternetOpenA

user32

wsprintfA

Sections

.MPRESS1
Size: 21KB - Virtual size: 45KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.MPRESS2
Size: 1024B - Virtual size: 1021B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Files

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 339KB - Virtual size: 339KB

.rsrc Size: 9KB - Virtual size: 9KB

.reloc Size: 512B - Virtual size: 12B

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

File Characteristics

Imports

wsock32

version

winmm

comctl32

mpr

wininet

psapi

iphlpapi

userenv

uxtheme

kernel32

user32

gdi32

comdlg32

advapi32

shell32

ole32

oleaut32

Sections

.text Size: 568KB - Virtual size: 567KB

.rdata Size: 191KB - Virtual size: 191KB

.data Size: 20KB - Virtual size: 35KB

.rsrc Size: 213KB - Virtual size: 213KB

.reloc Size: 28KB - Virtual size: 28KB

eb97e4fc5518ac300a92a11673825e0b

Headers

DLL Characteristics

File Characteristics

Imports

wsock32

version

winmm

comctl32

mpr

wininet

psapi

iphlpapi

userenv

uxtheme

kernel32

user32

gdi32

comdlg32

advapi32

.text
Size: 339KB - Virtual size: 339KB

.rsrc
Size: 9KB - Virtual size: 9KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 568KB - Virtual size: 567KB

.rdata
Size: 191KB - Virtual size: 191KB

.data
Size: 20KB - Virtual size: 35KB

.rsrc
Size: 213KB - Virtual size: 213KB

.reloc
Size: 28KB - Virtual size: 28KB

.text
Size: 568KB - Virtual size: 567KB

.rdata
Size: 191KB - Virtual size: 191KB

.data
Size: 20KB - Virtual size: 35KB

.rsrc
Size: 213KB - Virtual size: 213KB

.reloc
Size: 28KB - Virtual size: 28KB

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

0d:1a:34:0f:78:d7:d0:00:e0:89:fd:ba:ad:65:22:df
Certificate

0b:ae:66:bc:5a:ba:7f:95:87:c6:f9:e9:04:e3:33:04
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

c3:8f:d7:cb:0a:b4:72:fb:e4:b7:cd:22:8a:2f:48:9f:56:2f:72:32:03:f4:bf:66:28:44:34:1b:84:fb:a9:b4
Signer

.text
Size: 1.1MB - Virtual size: 1.1MB

.rsrc
Size: 363KB - Virtual size: 363KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 637KB - Virtual size: 636KB

.rsrc
Size: 2KB - Virtual size: 1KB

.text
Size: 514KB - Virtual size: 513KB

.rdata
Size: 56KB - Virtual size: 55KB

.data
Size: 26KB - Virtual size: 105KB

.rsrc
Size: 103KB - Virtual size: 102KB