General
-
Target
PDF-XChange Editor.exe
-
Size
934.8MB
-
MD5
e82ef992eeeeec1bbc8de527cdc21308
-
SHA1
3ae08f550ba020438f5acc55e3bec7082fff6665
-
SHA256
7b8b18aaadda64716be41c564b1c667b6bfdc1004f459e0897a584132a5ff02b
-
SHA512
34c1f4ca50898e1e63e8b15ffb0a9ee062d61c5871cc703cc0d2db36e161ddb25722bebec0740979c2e24ecf43c9ca481c6096077a2f588ced1970a8913ecf33
-
SSDEEP
6291456:OWkTG4WIOM0cnsBFwGSubcrxSFu5yV4mUL9WPD5HRW:XkTG4WIOs+n/crxSg+4mQWPVHRW
Malware Config
Extracted
raccoon
Signatures
-
Privateloader family
-
Raccoon family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource PDF-XChange Editor.exe
Files
-
PDF-XChange Editor.exe.exe windows x64
4ff73005de4182db4b8810c301e6b83d
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
kernel32
WaitForSingleObject
Sleep
CloseHandle
DuplicateHandle
CreateProcessW
GetStartupInfoW
GetEnvironmentVariableW
GetCurrentProcess
GetFileAttributesW
DeleteFileW
FindFirstFileW
FindNextFileW
CopyFileW
MoveFileW
MoveFileExW
SetEnvironmentVariableW
GetCommandLineW
GetModuleHandleW
GetModuleFileNameW
GetLastError
ExpandEnvironmentStringsW
CreateFileW
FlushFileBuffers
WriteConsoleW
SetStdHandle
OutputDebugStringW
LCMapStringW
SetFilePointerEx
GetConsoleMode
GetConsoleCP
HeapReAlloc
LoadLibraryExW
WriteFile
LeaveCriticalSection
EnterCriticalSection
HeapSize
GetStringTypeW
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
HeapAlloc
IsProcessorFeaturePresent
IsDebuggerPresent
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
TerminateProcess
InitializeCriticalSectionAndSpinCount
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlCaptureContext
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
HeapFree
DeleteCriticalSection
GetFileType
GetStdHandle
GetProcessHeap
WideCharToMultiByte
MultiByteToWideChar
GetModuleHandleExW
DecodePointer
EncodePointer
RaiseException
RtlPcToFileHeader
RtlUnwindEx
RtlLookupFunctionEntry
GetCommandLineA
LoadLibraryW
GetProcAddress
GetCurrentThreadId
ExitProcess
FormatMessageW
SetLastError
LocalFree
user32
wsprintfW
MessageBoxW
ntdll
RtlSetSaclSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlFreeSid
RtlCreateAcl
RtlLengthSid
RtlCreateSecurityDescriptor
RtlAllocateAndInitializeSid
NtReadVirtualMemory
NtSetInformationProcess
NtRaiseHardError
NtTerminateProcess
NtQueryInformationProcess
RtlFreeHeap
RtlAllocateHeap
RtlRaiseException
NtReleaseMutant
NtCreateMutant
NtSetEvent
NtOpenEvent
NtQueryVirtualMemory
NtSetInformationFile
NtQueryDirectoryFile
NtClearEvent
NtWriteVirtualMemory
LdrUnloadDll
LdrLoadDll
NtReadFile
NtQueryFullAttributesFile
NtQueryInformationFile
NtOpenFile
NtMapViewOfSection
NtCreateSection
RtlMultiByteToUnicodeN
LdrGetProcedureAddress
RtlQueryEnvironmentVariable_U
RtlCompareUnicodeString
RtlInitAnsiString
NtAllocateVirtualMemory
RtlGetVersion
RtlLeaveCriticalSection
RtlEnterCriticalSection
RtlInitializeCriticalSection
NtDuplicateObject
NtWaitForSingleObject
LdrGetDllHandle
NtDelayExecution
RtlFreeAnsiString
RtlUnicodeStringToAnsiString
NtOpenDirectoryObject
RtlInitUnicodeString
NtQuerySystemInformation
NtOpenSection
NtProtectVirtualMemory
NtUnmapViewOfSection
NtClose
RtlNtStatusToDosError
NtCreateEvent
RtlAddAccessAllowedAce
Sections
.text Size: 113KB - Virtual size: 112KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 53KB - Virtual size: 53KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 176KB - Virtual size: 185KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 6KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 730KB - Virtual size: 730KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ