RailwayEmpire[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

RailwayEmpire.exe
Size

13.7MB
MD5

909df02e93224f5550ae29caaf514ccb
SHA1

b7d113176f04e520df062240f6513454eb95d5b2
SHA256

fd940ec78725ea0ddb43bfb648f1f05f51fa92d9cf201887154b3391e1e14860
SHA512

3c12e1f963e052f6c2d0fe73ee644ae0f8e210493e0fca950b75bd2f5c13cf3a0911e3182f15165a2f524bbd57d62e2cc3ed8ff55ab89b24562281246d5ff6e7
SSDEEP

98304:ppJ0FzmrP7/coUuxYIM5H3ErZYPnaCm/sLYy9ysg7HvsPXZ3OGsm:pD0xg7/coUu9Md3E1QnIeg3kPJ3Dsm

Score

1^/10

Malware Config

Signatures

Files

RailwayEmpire.exe
.exe windows x64

2637add211cbb4155002ad90243c7044

Code Sign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

31/12/2015, 00:00

Not After

09/07/2019, 18:40

Subject

CN=COMODO SHA-1 Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

09/05/2013, 00:00

Not After

08/05/2028, 23:59

Subject

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e7:b5:26:c8:bc:4b:3d:5c:3b:55:24:7c:dd:ee:93:e2
Certificate

Issuer

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

26/10/2017, 00:00

Not After

26/10/2018, 23:59

Subject

CN=Kalypso Media Group,O=Kalypso Media Group,POSTALCODE=67547,STREET=Wilhelm-Leuschner-Strasse 11-13,L=Worms,ST=Rheinland-Pfalz,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

ea:8f:73:dc:d6:9f:ba:97:77:99:68:15:48:ff:6f:18:06:e4:f3:10
Signer

Actual PE Digest

ea:8f:73:dc:d6:9f:ba:97:77:99:68:15:48:ff:6f:18:06:e4:f3:10

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

true

Verification

Signing Certificate

CN=Kalypso Media Group,O=Kalypso Media Group,POSTALCODE=67547,STREET=Wilhelm-Leuschner-Strasse 11-13,L=Worms,ST=Rheinland-Pfalz,C=DE

25/01/2018, 18:59
Valid: true

Chain 1

CN=Kalypso Media Group,O=Kalypso Media Group,POSTALCODE=67547,STREET=Wilhelm-Leuschner-Strasse 11-13,L=Worms,ST=Rheinland-Pfalz,C=DE

CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

CreateWaitableTimerA
SetWaitableTimer
OpenEventA
GetVersionExA
GetWindowsDirectoryA
GetSystemDirectoryA
CreateEventA
DeviceIoControl
GetDriveTypeA
SetFilePointer
GetTempPathA
SystemTimeToTzSpecificLocalTime
GetFullPathNameA
VirtualFree
VirtualAlloc
LoadLibraryA
GetModuleHandleA
GetSystemRegistryQuota
GlobalMemoryStatus
GlobalMemoryStatusEx
GetVersion
GetSystemTimes
TerminateThread
GetProcessTimes
GetFullPathNameW
GetDriveTypeW
PeekNamedPipe
CreateProcessW
CreateDirectoryW
SetEndOfFile
WaitForSingleObject
GetLastError
CloseHandle
DebugBreak
GetModuleHandleW
GetModuleFileNameW
CreateFileA
ExitProcess
WriteConsoleW
HeapSize
GetConsoleCP
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
FindNextFileA
FindFirstFileExW
FindFirstFileExA
GetProcessHeap
GetOEMCP
IsValidCodePage
SetThreadPriority
Sleep
QueryPerformanceCounter
QueryPerformanceFrequency
ReleaseSemaphore
GetCurrentProcess
TerminateProcess
CreateSemaphoreW
MultiByteToWideChar
WideCharToMultiByte
GetStdHandle
GetCurrentProcessId
GetCurrentThread
GetConsoleScreenBufferInfo
SetConsoleScreenBufferSize
AttachConsole
AllocConsole
OutputDebugStringA
GetSystemInfo
GetTickCount
GetCurrentDirectoryW
CreateFileW
DeleteFileW
FindClose
FindFirstFileW
FindNextFileW
FlushFileBuffers
GetFileSize
GetFileTime
ReadFile
SetFilePointerEx
WriteFile
GetOverlappedResult
CancelIo
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
CreateEventW
ReadDirectoryChangesW
RaiseException
CreateThread
GetExitCodeThread
GetThreadId
SwitchToFiber
DeleteFiber
CreateFiber
RtlCaptureContext
GetEnvironmentVariableA
GetEnvironmentVariableW
GetCurrentDirectoryA
GetFileAttributesW
SetLastError
SuspendThread
ResumeThread
GetThreadContext
ReadProcessMemory
FreeLibrary
GetModuleFileNameA
GetProcAddress
LoadLibraryW
LoadResource
LockResource
SizeofResource
FindResourceW
EnumResourceNamesW
ConvertFiberToThread
ConvertThreadToFiber
GetComputerNameW
GetLocaleInfoA
GetThreadLocale
FileTimeToLocalFileTime
FileTimeToSystemTime
GetSystemTime
GlobalAlloc
GlobalLock
GlobalUnlock
GetFileAttributesExW
EncodePointer
DecodePointer
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
SetEvent
ResetEvent
WaitForSingleObjectEx
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
GetCurrentThreadId
InitializeSListHead
RtlUnwindEx
RtlPcToFileHeader
LoadLibraryExW
ExitThread
FreeLibraryAndExitThread
GetModuleHandleExW
SetStdHandle
GetFileType
GetACP
GetTimeZoneInformation
HeapAlloc
HeapFree
HeapReAlloc
GetDateFormatW
GetTimeFormatW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetConsoleMode
ReadConsoleW

ole32

CoInitialize
CoSetProxyBlanket
CoUninitialize
PropVariantClear
CoInitializeEx
CoCreateInstance
CoTaskMemFree

ws2_32

inet_ntoa
closesocket
ioctlsocket
getsockname
getsockopt
recvfrom
sendto
ntohs
getaddrinfo
shutdown
inet_addr
select
__WSAFDIsSet
htons
htonl
freeaddrinfo
send
recv
listen
connect
accept
setsockopt
socket
gethostbyname
gethostname
WSAStartup
WSACleanup
WSAAsyncGetHostByName
WSACancelAsyncRequest
WSAGetLastError
bind

steam_api64

SteamAPI_GetHSteamPipe
SteamAPI_GetHSteamUser
SteamAPI_IsSteamRunning
SteamInternal_CreateInterface
SteamAPI_RegisterCallback
SteamAPI_UnregisterCallback
SteamAPI_RegisterCallResult
SteamAPI_UnregisterCallResult
SteamAPI_RunCallbacks
SteamAPI_Shutdown
SteamAPI_Init
SteamInternal_ContextInit

galaxy64

?GetInstance@GalaxyFactory@api@galaxy@@SAPEAVIGalaxy@23@XZ
?GetErrorManager@GalaxyFactory@api@galaxy@@SAPEAVIErrorManager@23@XZ
?ResetInstance@GalaxyFactory@api@galaxy@@SAXXZ
?CreateInstance@GalaxyFactory@api@galaxy@@SAPEAVIGalaxy@23@XZ

shlwapi

PathIsRelativeW
PathFileExistsA

dxva2

GetNumberOfPhysicalMonitorsFromHMONITOR
GetPhysicalMonitorsFromHMONITOR
DestroyPhysicalMonitors

d3d11

D3D11CreateDeviceAndSwapChain

dxgi

CreateDXGIFactory

version

GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueW

msi

ord113

user32

PeekMessageW
DefWindowProcW
PostQuitMessage
RegisterClassExW
CreateWindowExW
DestroyWindow
ShowWindow
SetWindowPos
GetWindowPlacement
IsIconic
GetForegroundWindow
GetClientRect
GetWindowRect
GetWindowLongW
SetWindowLongW
GetWindowLongPtrW
SetWindowLongPtrW
GetMonitorInfoW
GetAsyncKeyState
GetKeyboardState
DispatchMessageW
GetCapture
SetCapture
ReleaseCapture
ClipCursor
ClientToScreen
ShowCursor
SetCursor
LoadCursorW
DestroyCursor
LoadImageW
OpenClipboard
CloseClipboard
SetClipboardData
GetClipboardData
EmptyClipboard
IsClipboardFormatAvailable
InvalidateRect
GetDesktopWindow
MapVirtualKeyA
GetCursorInfo
TranslateMessage
MessageBoxW
MessageBoxA
GetCursorPos
ToAscii
LoadCursorA
CreateCursor
MapVirtualKeyW

gdi32

GetStockObject

advapi32

GetUserNameW
RegOpenKeyExA
RegCloseKey
CryptGenRandom
CryptReleaseContext
CryptAcquireContextW
GetCurrentHwProfileW
GetUserNameA
RegQueryValueExA

shell32

ShellExecuteExW
ShellExecuteW
SHGetFolderPathA
SHCreateDirectoryExA
SHPathPrepareForWriteW
SHGetFolderPathW
SHCreateDirectoryExW
ShellExecuteA

winmm

timeBeginPeriod
timeGetTime
waveInGetNumDevs
waveOutGetNumDevs
mciSendCommandA
waveOutGetDevCapsA
waveOutGetDevCapsW
timeEndPeriod
waveInReset
waveInStart
waveInAddBuffer
waveInUnprepareHeader
waveInPrepareHeader
waveInClose
waveInOpen
waveInGetDevCapsW
waveInGetDevCapsA
waveOutGetPosition
waveOutReset
waveOutWrite
waveOutUnprepareHeader
waveOutPrepareHeader
waveOutClose
waveOutOpen

dinput8

DirectInput8Create

iphlpapi

GetAdaptersInfo

bink2w64

BinkSetMemory
BinkOpenDirectSound
BinkSetSoundSystem
BinkSetSoundTrack
BinkWaitStopAsyncThread
BinkRequestStopAsyncThread
BinkDoFrameAsyncWait
BinkDoFrameAsyncMulti
BinkOpen
BinkSetWillLoop
BinkShouldSkip
BinkSetVolume
BinkGetRects
BinkClose
BinkWait
BinkNextFrame
BinkGetFrameBuffersInfo
BinkStartAsyncThread

oleaut32

SysFreeString
SysAllocString

msacm32

acmFormatSuggest
acmStreamOpen
acmStreamSize
acmStreamConvert
acmStreamPrepareHeader
acmStreamUnprepareHeader

Exports

Exports

AmdPowerXpressRequestHighPerformance
NvOptimusEnablement

Sections

.text
Size: 10.3MB - Virtual size: 10.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.code
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 168KB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 667KB - Virtual size: 666KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 297B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 496B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

2637add211cbb4155002ad90243c7044

Code Sign

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0bCertificate

Extended Key Usages

Key Usages

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:afCertificate

Extended Key Usages

Key Usages

e7:b5:26:c8:bc:4b:3d:5c:3b:55:24:7c:dd:ee:93:e2Certificate

Extended Key Usages

Key Usages

ea:8f:73:dc:d6:9f:ba:97:77:99:68:15:48:ff:6f:18:06:e4:f3:10Signer

Signature Validations

Verification

25/01/2018, 18:59 Valid: true

Chain 1

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

ole32

ws2_32

steam_api64

galaxy64

shlwapi

dxva2

d3d11

dxgi

version

msi

user32

gdi32

advapi32

shell32

winmm

dinput8

iphlpapi

bink2w64

oleaut32

msacm32

Exports

Exports

Sections

.text Size: 10.3MB - Virtual size: 10.3MB

.code Size: 2KB - Virtual size: 1KB

.rdata Size: 1.5MB - Virtual size: 1.5MB

.data Size: 168KB - Virtual size: 1.1MB

.pdata Size: 667KB - Virtual size: 666KB

.tls Size: 512B - Virtual size: 297B

.gfids Size: 512B - Virtual size: 496B

_RDATA Size: 36KB - Virtual size: 35KB

.rsrc Size: 1.1MB - Virtual size: 1.1MB

16:88:f0:39:25:5e:63:8e:69:14:39:07:e6:33:0b
Certificate

2e:7c:87:cc:0e:93:4a:52:fe:94:fd:1c:b7:cd:34:af
Certificate

e7:b5:26:c8:bc:4b:3d:5c:3b:55:24:7c:dd:ee:93:e2
Certificate

ea:8f:73:dc:d6:9f:ba:97:77:99:68:15:48:ff:6f:18:06:e4:f3:10
Signer

25/01/2018, 18:59
Valid: true

.text
Size: 10.3MB - Virtual size: 10.3MB

.code
Size: 2KB - Virtual size: 1KB

.rdata
Size: 1.5MB - Virtual size: 1.5MB

.data
Size: 168KB - Virtual size: 1.1MB

.pdata
Size: 667KB - Virtual size: 666KB

.tls
Size: 512B - Virtual size: 297B

.gfids
Size: 512B - Virtual size: 496B

_RDATA
Size: 36KB - Virtual size: 35KB

.rsrc
Size: 1.1MB - Virtual size: 1.1MB