Roaming[.]eXE | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Roaming.eXE
Size

122KB
MD5

0c4d9c939edfc95dfa7a2f34921c4def
SHA1

b8c5fa4f099523fcff2e6de31d1f534f78f9200c
SHA256

03dd3046eac457ef18d189eb944d29ee85fe8914f2f97f19c1364d5e2f31c4b4
SHA512

c33e167a1794efc79b9a0a6f885f684798cdb6c9c46c369890a9e59b5d539b92c67a599d31d3254681919f88752231c6941462991a1ad709f457cf0bb0e09841
SSDEEP

3072:KaIefWLfXv8ZLXjjTrsvOH2c1LYZDUem3w/OAAA:KJeOSLHTBH26LYZDVgA

Score

N/A

Malware Config

Signatures

Files

Roaming.eXE
.exe windows x86

367b50beacf44deca79ee21e7d286153

Code Sign

04:00:00:00:00:01:21:58:53:08:a2
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

18/03/2009, 10:00

Not After

18/03/2029, 10:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0f
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

15/06/2016, 00:00

Not After

15/06/2024, 00:00

Subject

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageOCSPSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

32:58:e8:ee:54:af:5c:27
Certificate

Issuer

CN=Starfield Services Root Certificate Authority,OU=http://certificates.starfieldtech.com/repository/,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US

Not Before

13/12/2016, 07:00

Not After

13/12/2021, 07:00

Subject

CN=Starfield Services Timestamp Authority - G1,O=Starfield Technologies\, Inc.,L=Scottsdale,ST=Arizona,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

40:6e:c6:2e:46:9a:88:d3:60:e5:5c:2a
Certificate

Issuer

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

Not Before

08/11/2016, 15:19

Not After

09/11/2017, 15:19

Subject

SERIALNUMBER=5147746266377,CN=Liberta LLC,OU=Software development,O=Liberta LLC,STREET=ul. Yamskogo Polya 3-Ya\, d. 18,L=Moscow,ST=Moscow,C=RU,1.3.6.1.4.1.311.60.2.1.2=#13064d6f73636f77,1.3.6.1.4.1.311.60.2.1.3=#13025255,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

d4:25:df:c7:27:a6:92:4a:eb:11:01:14:cd:93:3c:86:aa:de:d2:10
Signer

Actual PE Digest

d4:25:df:c7:27:a6:92:4a:eb:11:01:14:cd:93:3c:86:aa:de:d2:10

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

SERIALNUMBER=5147746266377,CN=Liberta LLC,OU=Software development,O=Liberta LLC,STREET=ul. Yamskogo Polya 3-Ya\, d. 18,L=Moscow,ST=Moscow,C=RU,1.3.6.1.4.1.311.60.2.1.2=#13064d6f73636f77,1.3.6.1.4.1.311.60.2.1.3=#13025255,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

18/12/2016, 18:37
Valid: true

Chain 1

SERIALNUMBER=5147746266377,CN=Liberta LLC,OU=Software development,O=Liberta LLC,STREET=ul. Yamskogo Polya 3-Ya\, d. 18,L=Moscow,ST=Moscow,C=RU,1.3.6.1.4.1.311.60.2.1.2=#13064d6f73636f77,1.3.6.1.4.1.311.60.2.1.3=#13025255,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

WritePrivateProfileStructA
WaitNamedPipeW
CreateConsoleScreenBuffer
GetModuleHandleA
GetModuleFileNameA
GetBinaryTypeA
VirtualQuery
GetLastError
GetCompressedFileSizeA
GetProcAddress

msvcrt

atoi
ferror
memcpy

user32

wsprintfA

Exports

Exports

?INamedPropertyBag@@3HA

Sections

.text
Size: 96KB - Virtual size: 95KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.code
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

367b50beacf44deca79ee21e7d286153

Code Sign

04:00:00:00:00:01:21:58:53:08:a2Certificate

Key Usages

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0fCertificate

Extended Key Usages

Key Usages

32:58:e8:ee:54:af:5c:27Certificate

Extended Key Usages

Key Usages

40:6e:c6:2e:46:9a:88:d3:60:e5:5c:2aCertificate

Extended Key Usages

Key Usages

d4:25:df:c7:27:a6:92:4a:eb:11:01:14:cd:93:3c:86:aa:de:d2:10Signer

Signature Validations

Verification

18/12/2016, 18:37 Valid: true

Chain 1

Headers

File Characteristics

Imports

kernel32

msvcrt

user32

Exports

Exports

Sections

.text Size: 96KB - Virtual size: 95KB

.code Size: 8KB - Virtual size: 6KB

.rdata Size: 4KB - Virtual size: 1KB

.data Size: 4KB - Virtual size: 5KB

04:00:00:00:00:01:21:58:53:08:a2
Certificate

48:1b:6a:07:a9:42:4c:1e:aa:fe:f3:cd:f1:0f
Certificate

32:58:e8:ee:54:af:5c:27
Certificate

40:6e:c6:2e:46:9a:88:d3:60:e5:5c:2a
Certificate

d4:25:df:c7:27:a6:92:4a:eb:11:01:14:cd:93:3c:86:aa:de:d2:10
Signer

18/12/2016, 18:37
Valid: true

.text
Size: 96KB - Virtual size: 95KB

.code
Size: 8KB - Virtual size: 6KB

.rdata
Size: 4KB - Virtual size: 1KB

.data
Size: 4KB - Virtual size: 5KB