Behavioral task
behavioral1
Sample
dd6bc911e6b6fec41c0981c15950a289cc264449ee866143830efe04ce7cc4cf.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
dd6bc911e6b6fec41c0981c15950a289cc264449ee866143830efe04ce7cc4cf.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
Target
dd6bc911e6b6fec41c0981c15950a289cc264449ee866143830efe04ce7cc4cf
Size
1.2MB
MD5
47911ea47d89c486f2dd5d9bb2f7ab2f
SHA1
5dbf541ba60bc3afdd7b2b81a2f484c3f4f4e4d4
SHA256
dd6bc911e6b6fec41c0981c15950a289cc264449ee866143830efe04ce7cc4cf
SHA512
4038758896cdfd3aa9b8b40aaa74da5455611d04965051cb2ee4fb55fbf29048f488b76918079e076f8d7a7582070901a95d1172a66864d6321783853f16d525
SSDEEP
24576:ntE3sGtTYcwjRq5ZhBHcd0GPux0JPQg8DS4YkgbJ7V8:8DZYcIQ53B8ruibV7y
Detects the payload of the r77 rootkit.
| resource | yara_rule |
|---|---|
| sample | r77_payload |
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
ExtKeyUsageTimeStamping
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
ExtKeyUsageTimeStamping
KeyUsageDigitalSignature
ExtKeyUsageCodeSigning
KeyUsageDigitalSignature
ExtKeyUsageCodeSigning
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
ExtKeyUsageCodeSigning
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
ExtKeyUsageCodeSigning
KeyUsageDigitalSignature
ExtKeyUsageTimeStamping
KeyUsageDigitalSignature
ExtKeyUsageTimeStamping
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
GetCurrentProcessId
LoadLibraryW
GetProcAddress
WaitNamedPipeW
GetLastError
CreateFileW
ReadFile
WriteFile
GetModuleHandleA
LoadLibraryA
GetPrivateProfileStringW
WritePrivateProfileStringW
GetModuleHandleW
FindResourceW
LoadResource
SizeofResource
LockResource
InitializeCriticalSectionEx
DeleteCriticalSection
DecodePointer
HeapAlloc
Sleep
HeapReAlloc
HeapSize
GetProcessHeap
GetTempPathW
GetFileAttributesW
GetModuleFileNameW
LoadLibraryExW
FreeLibrary
MultiByteToWideChar
GetCurrentProcess
IsWow64Process
SetLastError
ResumeThread
WaitForSingleObject
LocalFree
CreateDirectoryW
WriteConsoleW
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
HeapFree
CloseHandle
GetCommandLineW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
FindClose
GetTimeZoneInformation
SetStdHandle
GetFullPathNameW
GetCurrentDirectoryW
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
WideCharToMultiByte
GetStringTypeW
WaitForSingleObjectEx
GetCurrentThreadId
GetExitCodeThread
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
EncodePointer
LCMapStringEx
QueryPerformanceCounter
GetSystemTimeAsFileTime
CompareStringEx
GetCPInfo
InitializeCriticalSectionAndSpinCount
CreateEventW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
OutputDebugStringW
RaiseException
RtlUnwindEx
RtlPcToFileHeader
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetDriveTypeW
GetFileInformationByHandle
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
ExitProcess
GetModuleHandleExW
CreateThread
ExitThread
FreeLibraryAndExitThread
GetStdHandle
SetFilePointerEx
FlushFileBuffers
GetConsoleCP
GetConsoleMode
MessageBoxW
MessageBoxA
SetEntriesInAclW
ConvertStringSidToSidW
GetNamedSecurityInfoW
SetNamedSecurityInfoW
SHGetFolderPathW
CoInitializeEx
CoUninitialize
SysFreeString
SysAllocString
CorBindToRuntime
CLRCreateInstance
InternetOpenUrlA
InternetReadFile
InternetOpenA
VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW
PlaySoundW
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ