RegScanner[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

RegScanner.exe
Size

159KB
MD5

3aab1e790e03dcd12ae192ac062907b6
SHA1

7f9b4ff6fa72d66e06cab33bf2dad14dd8bbafc4
SHA256

121e5480010adb6a81a8ecbcf91177ac2a0cc0969a65500c2db2287ddd584bc8
SHA512

938cfb2d4b15976c25a00d1b971ec0256df4aaefe7dc3900c5d8981768025d84ff60b938641b85bd6a832ef9aea44e9cf9239669aa856b463199d72eb6811b05
SSDEEP

3072:HNoVuYtWg4OW+ywaWFOv113/ywSwoWp6O0hBS99jtys4kXSAtdqConM7UqJqFsa+:+HvYWAvD/rQu69Y740NoX+

Score

10^/10

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
sample	Nirsoft

Files

RegScanner.exe
.exe windows x64

596a08e71ada4d3d9e254a6ca2433d1d

Code Sign

f7:a0:a7:30:c8:7d:94:cd:83:02:e3:ea:7f:66:1b:b7
Certificate

Issuer

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/09/2019, 00:00

Not After

09/09/2023, 23:59

Subject

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=7135117,STREET=Dakar 21\, Unit 82,L=Lod,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/11/2018, 00:00

Not After

31/12/2030, 23:59

Subject

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

11/05/2022, 00:00

Not After

10/08/2033, 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #3,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/05/2019, 00:00

Not After

18/01/2038, 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

34:7d:ce:8d:57:fe:20:8e:c5:94:e5:cf:05:5c:08:03:db:49:1b:7a:a7:25:87:c9:a5:bf:65:fb:94:13:23:37
Signer

Actual PE Digest

34:7d:ce:8d:57:fe:20:8e:c5:94:e5:cf:05:5c:08:03:db:49:1b:7a:a7:25:87:c9:a5:bf:65:fb:94:13:23:37

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=7135117,STREET=Dakar 21\, Unit 82,L=Lod,C=IL

07/02/2023, 20:40
Valid: true

Chain 1

CN=Nir Sofer,O=Nir Sofer,POSTALCODE=7135117,STREET=Dakar 21\, Unit 82,L=Lod,C=IL

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

__getmainargs
_acmdln
exit
_cexit
_exit
_c_exit
_initterm
__C_specific_handler
_onexit
__dllonexit
??_U@YAPEAX_K@Z
??_V@YAXPEAX@Z
__setusermatherr
_commode
_fmode
__set_app_type
_XcptFilter
calloc
isdigit
strncmp
_strlwr
_purecall
_itoa
_strnicmp
_memicmp
_mbctoupper
strcmp
strrchr
malloc
strtol
free
_snprintf
atoi
strtoul
_strcmpi
strchr
_ultoa
??3@YAXPEAX@Z
??2@YAPEAX_K@Z
memmove
memcmp
_mbsicmp
_stricmp
memcpy
_mbschr
strlen
strcpy
memset
strncat
sprintf
strcat

comctl32

ImageList_SetImageCount
ImageList_AddMasked
ord6
CreateToolbarEx
ImageList_Create
ord17
ImageList_ReplaceIcon

kernel32

CreateToolhelp32Snapshot
Process32First
Process32Next
SetEnvironmentVariableA
GetCurrentThreadId
Sleep
GetStartupInfoA
SystemTimeToFileTime
FreeLibrary
GetProcAddress
CompareFileTime
GetLocalTime
GetTickCount
GetSystemTimeAsFileTime
MultiByteToWideChar
GetDriveTypeA
CloseHandle
GetLastError
FileTimeToSystemTime
LoadLibraryA
SetFilePointer
GetFileAttributesA
lstrlenA
GetModuleFileNameA
lstrcpyA
GetNumberFormatA
GetLocaleInfoA
GetModuleHandleA
FormatMessageA
LoadLibraryExA
GetWindowsDirectoryA
GetTempFileNameA
ReadFile
GetDateFormatA
GetSystemDirectoryA
WriteFile
SystemTimeToTzSpecificLocalTime
GlobalAlloc
GlobalLock
CreateFileA
GetVersionExA
WideCharToMultiByte
GetFileSize
GlobalUnlock
GetTimeFormatA
FileTimeToLocalFileTime
GetTempPathA
LocalFree
GetPrivateProfileIntA
GetPrivateProfileStringA
WritePrivateProfileStringA
EnumResourceNamesA
DeleteFileA
OpenProcess
CreateProcessA
GetModuleFileNameW
GetCurrentDirectoryA
ExpandEnvironmentStringsA
GetSystemTime
ExitProcess
GetCurrentProcess
ReadProcessMemory
GetCurrentProcessId
RaiseException

user32

ChildWindowFromPoint
ReleaseDC
GetDC
GetSysColorBrush
LoadCursorA
ShowWindow
SetCursor
GetWindow
GetClientRect
SetDlgItemTextA
DrawFrameControl
GetDlgItemTextA
SetWindowTextA
GetSystemMetrics
DeferWindowPos
SendDlgItemMessageA
GetWindowRect
GetDlgItemInt
EndDialog
GetDlgItem
CreateWindowExA
EndPaint
InvalidateRect
SetDlgItemInt
BeginPaint
RegisterClassA
UpdateWindow
PostMessageA
SetMenu
LoadAcceleratorsA
SetWindowPos
DefWindowProcA
TranslateAcceleratorA
MessageBoxA
GetWindowPlacement
SendMessageA
DispatchMessageA
LoadIconA
TranslateMessage
LoadImageA
PeekMessageA
GetWindowLongA
SetWindowLongA
SetFocus
GetMenuStringA
GetCursorPos
SetClipboardData
EnableWindow
MapWindowPoints
GetSysColor
InsertMenuItemA
GetMenu
OpenClipboard
GetParent
MoveWindow
EmptyClipboard
EnableMenuItem
GetClassNameA
CheckMenuItem
GetSubMenu
CloseClipboard
GetMenuItemCount
EnumChildWindows
DestroyWindow
GetMenuItemInfoA
GetWindowTextA
LoadMenuA
ModifyMenuA
LoadStringA
DialogBoxParamA
GetDlgCtrlID
DestroyMenu
CreateDialogParamA
IsDialogMessageA
EndDeferWindowPos
TrackPopupMenu
PostQuitMessage
GetMessageA
RegisterWindowMessageA
GetFocus
BeginDeferWindowPos
DeleteMenu
GetWindowThreadProcessId
EnumWindows
AttachThreadInput
SetForegroundWindow
GetClipboardData

gdi32

GetStockObject
GetTextExtentPoint32A
SetBkColor
CreateFontIndirectA
SetBkMode
DeleteObject
SetTextColor
GetDeviceCaps

comdlg32

FindTextA
GetSaveFileNameA
GetOpenFileNameA
ChooseFontA

advapi32

ChangeServiceConfigA
StartServiceA
ControlService
OpenServiceA
OpenSCManagerA
CloseServiceHandle
RegEnumValueA
RegCreateKeyA
RegQueryValueExW
RegSetValueExA
RegOpenKeyExA
RegCreateKeyExA
RegEnumKeyExA
RegQueryInfoKeyA
RegDeleteKeyA
QueryServiceStatus
RegCloseKey
RegGetKeySecurity
RegConnectRegistryA
RegQueryValueExA
RegDeleteValueA

shell32

ShellExecuteA
ShellExecuteExA

Sections

.text
Size: 108KB - Virtual size: 107KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

596a08e71ada4d3d9e254a6ca2433d1d

Code Sign

f7:a0:a7:30:c8:7d:94:cd:83:02:e3:ea:7f:66:1b:b7Certificate

Extended Key Usages

Key Usages

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6aCertificate

Extended Key Usages

Key Usages

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43Certificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

34:7d:ce:8d:57:fe:20:8e:c5:94:e5:cf:05:5c:08:03:db:49:1b:7a:a7:25:87:c9:a5:bf:65:fb:94:13:23:37Signer

Signature Validations

Verification

07/02/2023, 20:40 Valid: true

Chain 1

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

comctl32

kernel32

user32

gdi32

comdlg32

advapi32

shell32

Sections

.text Size: 108KB - Virtual size: 107KB

.rdata Size: 18KB - Virtual size: 17KB

.data Size: 1024B - Virtual size: 4KB

.pdata Size: 4KB - Virtual size: 3KB

.rsrc Size: 19KB - Virtual size: 18KB

f7:a0:a7:30:c8:7d:94:cd:83:02:e3:ea:7f:66:1b:b7
Certificate

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

90:39:7f:9a:d2:4a:3a:13:f2:bd:91:5f:08:38:a9:43
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

34:7d:ce:8d:57:fe:20:8e:c5:94:e5:cf:05:5c:08:03:db:49:1b:7a:a7:25:87:c9:a5:bf:65:fb:94:13:23:37
Signer

07/02/2023, 20:40
Valid: true

.text
Size: 108KB - Virtual size: 107KB

.rdata
Size: 18KB - Virtual size: 17KB

.data
Size: 1024B - Virtual size: 4KB

.pdata
Size: 4KB - Virtual size: 3KB

.rsrc
Size: 19KB - Virtual size: 18KB