comrat | 80a693047e680f035cdaf43be22f028b0e6a9b505f2b9f76880c556b7c44cd44

Sharing

Copy URL

Twitter E-mail

General

Target

80a693047e680f035cdaf43be22f028b0e6a9b505f2b9f76880c556b7c44cd44
Size

2.1MB
MD5

15cc14b87da73661d0abc9f5aaa34350
SHA1

408df0b361e8e6369069478b9908ed52335f4be9
SHA256

80a693047e680f035cdaf43be22f028b0e6a9b505f2b9f76880c556b7c44cd44
SHA512

a99d6663cb61583176ec0ce6cb95f47fea1450b8ece18de09e72e2e43c6f678c5a3c18ecd1b527802aaccde17d22b269fd4bf0c9970803bd9371274c6c100b57
SSDEEP

49152:VTRjrgdOU9p1PZH/JNTFTJT5dwIwzQJHlJz:1RCBNTBwAHlJz

Score

10^/10

comrat

Malware Config

Signatures

ComRAT v4 (Orchestrator DLL) 1 IoCs

File contains strings specific to ComRAT v4 samples first seen in 2017.

resource	yara_rule
sample	ComRAT

Comrat family
comrat

Files

80a693047e680f035cdaf43be22f028b0e6a9b505f2b9f76880c556b7c44cd44
.dll windows x64

d9d661a606c9d1c23b47672d1067de68

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

CreateFileW
ExpandEnvironmentStringsW
IsBadStringPtrA
MapViewOfFile
UnmapViewOfFile
SetEvent
FlushViewOfFile
GetCurrentProcess
OpenProcess
GetLocalTime
SetHandleInformation
ReadFile
MultiByteToWideChar
SetFileTime
GetOEMCP
GetProcAddress
LoadLibraryA
OpenEventW
GetFileSize
SetFilePointer
WriteFile
GetModuleHandleW
LoadLibraryW
GetVersionExW
VirtualProtectEx
GetExitCodeThread
lstrcmpiW
VirtualFreeEx
ReadProcessMemory
VirtualAllocEx
GetModuleHandleA
WriteProcessMemory
CreateThread
WideCharToMultiByte
CreateDirectoryW
DeleteFileW
CloseHandle
CreateEventW
TerminateProcess
Sleep
CreateProcessW
GetLastError
GetTickCount
WaitForSingleObject
GetNativeSystemInfo
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
CreatePipe
InitializeCriticalSection
SetStdHandle
OutputDebugStringW
GetCurrentProcessId
QueryPerformanceCounter
GetModuleFileNameA
GetSystemTimeAsFileTime
GetFileAttributesExW
GetStringTypeW
EncodePointer
DecodePointer
HeapFree
HeapAlloc
IsDebuggerPresent
IsProcessorFeaturePresent
ExitProcess
GetModuleHandleExW
HeapReAlloc
GetCPInfo
GetCommandLineA
GetCurrentThreadId
GetStdHandle
GetFileType
GetModuleFileNameW
WriteConsoleW
RtlPcToFileHeader
RaiseException
RtlLookupFunctionEntry
RtlUnwindEx
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
SetEnvironmentVariableW
SetEnvironmentVariableA
RtlCaptureContext
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
FreeLibrary
LoadLibraryExW
HeapSize
GetProcessHeap
GetTimeZoneInformation
SetFilePointerEx
FlushFileBuffers
GetConsoleCP
GetConsoleMode
IsValidCodePage
GetACP
GetEnvironmentStringsW
FreeEnvironmentStringsW
ReadConsoleW
SetEndOfFile

advapi32

CryptDestroyHash
CryptCreateHash
CryptGenRandom
CryptGetHashParam
CryptDecrypt
CryptDestroyKey
CryptImportKey
CryptReleaseContext
CryptSetKeyParam
CryptAcquireContextW
RegSetValueExW
RegCloseKey
RegQueryValueExW
RegCreateKeyExW
CryptHashData

psapi

GetModuleBaseNameA
EnumProcessModulesEx
EnumProcessModules

Exports

Exports

UMEP
VFEP

Sections

.fqmjex
Size: 1003KB - Virtual size: 1003KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 470KB - Virtual size: 469KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 258KB - Virtual size: 305KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 46KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.text
Size: 405KB - Virtual size: 405KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d9d661a606c9d1c23b47672d1067de68

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

psapi

Exports

Exports

Sections

.fqmjex Size: 1003KB - Virtual size: 1003KB

.rdata Size: 470KB - Virtual size: 469KB

.data Size: 258KB - Virtual size: 305KB

.pdata Size: 46KB - Virtual size: 45KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 5KB - Virtual size: 5KB

.text Size: 405KB - Virtual size: 405KB

.fqmjex
Size: 1003KB - Virtual size: 1003KB

.rdata
Size: 470KB - Virtual size: 469KB

.data
Size: 258KB - Virtual size: 305KB

.pdata
Size: 46KB - Virtual size: 45KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 5KB - Virtual size: 5KB

.text
Size: 405KB - Virtual size: 405KB