P[.]O#2321-0347CN_pdf[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

P.O#2321-0347CN_pdf.exe
Size

715KB
MD5

04cad877951c86043088bc0b4261040c
SHA1

f5ea9e202641f24994b558a784a5af0ed905e17e
SHA256

d1698bf562afeb9d40e79a3ed0acc152abb2dfed815e0f6d8a91346916815a7f
SHA512

1c4383f3fa7a3eeb3b01ffb7657a7dc3783aa933e048aad745dfda14175296584b1a3f2301b27f91a9dc815863eefdd1aac49fff57d0101b6576bf65f1a20b43
SSDEEP

12288:SyH1rQq4EgjtdnKeTSjsh2yp/Czk/37MUL/G9vlSgUkdmG7GwldE:Vhb4Eg2eMsh2yp/7/3wNvoGPlu

Score

7^/10

Malware Config

Signatures

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
sample	net_reactor

Files

P.O#2321-0347CN_pdf.exe
.exe windows x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 707KB - Virtual size: 706KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ