Static task: static1
Behavioral task: behavioral1
  Sample: RdpSa.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: RdpSa.exe
  Resource: win10v2004-20230915-en
General
Target: RdpSa.exe
Size: 47KB
MD5: 44115db687adfaca18d50640913fe87f
SHA1: 29a65983ab40c3993d986460969058247f5a24e4
SHA256: 47b333f35b84f5a13563c74d6bdb0e59d21627757c4ac3458e3515ccc7b3dd59
SHA512: cd458ea3c53d646cf881f87f0f765608af9619ed891a2f5e2bd2808578c1eb33b69d669899afcfd77d74d8071dc59c8dad637759786d908f8d62847182d4ff2e
SSDEEP: 768:6lU1oEkGtETVP006mrmn4ILt3EHViyatq6qQ4ZIs1o2k:6+13kGtETt007rmn4Iy1iA6QZIs1oF
Malware Config
Signatures
Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
resource: RdpSa.exe
Files
RdpSa.exe.exe windows:10 windows x86
4d86ce84e4eb6ce9e7c94f1e0f629bc5
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
advapi32
TraceMessage
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
OpenProcessToken
RegOpenKeyExW
RegNotifyChangeKeyValue
RegGetValueW
GetTokenInformation
GetSecurityInfo
GetLengthSid
InitializeAcl
AddAccessDeniedAce
GetAce
AddAce
SetSecurityInfo
kernel32
FormatMessageW
LocalFree
GetCurrentProcessId
ProcessIdToSessionId
CloseHandle
GetCurrentProcess
HeapSetInformation
SetProcessMitigationPolicy
HeapReAlloc
GetLastError
GetModuleHandleExA
GetProcAddress
FreeLibrary
HeapAlloc
UnmapViewOfFile
LocalAlloc
DelayLoadFailureHook
ResolveDelayLoadedAPI
Sleep
SetEvent
MapViewOfFile
WaitForSingleObject
GetProcessHeap
HeapFree
CreateEventW
user32
RegisterClassExW
LoadStringW
PostQuitMessage
DispatchMessageW
TranslateMessage
GetMessageW
SetTimer
DefWindowProcW
GetWindowLongW
SetWindowLongW
DestroyWindow
KillTimer
CreateWindowExW
msvcrt
??1type_info@@UAE@XZ
memmove
_CxxThrowException
memcmp
?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
memcpy
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@ABQBDH@Z
??0exception@@QAE@ABQBD@Z
_callnewh
malloc
memset
??3@YAXPAX@Z
_except_handler4_common
_controlfp
?terminate@@YAXXZ
__CxxFrameHandler3
_onexit
__dllonexit
_unlock
_lock
_wcmdln
_initterm
__setusermatherr
__p__fmode
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
__p__commode
_XcptFilter
_purecall
??_V@YAXPAX@Z
_vsnwprintf
oleaut32
SysAllocStringByteLen
SysStringLen
SysAllocString
SysFreeString
ntdll
EtwEventWriteFull
EtwEventUnregister
EtwEventRegister
api-ms-win-core-com-l1-1-0
CoInitializeSecurity
CoUninitialize
CoInitializeEx
StringFromCLSID
CoTaskMemFree
CoCreateInstance
sspicli
GetUserNameExW
ws2_32
GetAddrInfoW
GetNameInfoW
FreeAddrInfoW
api-ms-win-core-processthreads-l1-1-0
GetCurrentThreadId
TerminateProcess
GetStartupInfoW
api-ms-win-core-errorhandling-l1-1-0
UnhandledExceptionFilter
SetUnhandledExceptionFilter
api-ms-win-core-libraryloader-l1-2-0
GetModuleHandleW
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0
GetTickCount
GetSystemTimeAsFileTime
winsta
WinStationShadowStop2
WinStationSendMessageW
Sections
.text Size: 35KB - Virtual size: 34KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 4KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ