RootkitRevealer[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

RootkitRevealer.exe
Size

326KB
MD5

ee738fe9bcdd605821002cec8c7206db
SHA1

d39e8a3fe92adc7d7fbc5293edf8a7b965484a59
SHA256

0b3dfd1d00a0d5da5a88ee2b4734e817ee9c9b13f61eb04dc81660c22051fc27
SHA512

03895a34b4d75e73c18097bd74d2fa515a248b6a9030c78015864120c372a735b39ec74f79e3f572cf5a114fd64f4f022307f354d35003b5ed6922543c20ac04
SSDEEP

3072:9wUjnavdsrBd7o54RJ1Gf1eQWNswtU5bYKx0b4Ilgz9t8NLBs3Rvhp04gbCfl:9f4Qd7BRTGteQ2elrzvxf04gql

Score

1^/10

Malware Config

Signatures

Files

RootkitRevealer.exe
.exe windows:4 windows x86

c2971e27e558678b614d78284a46f77e

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04-12-2003 00:00

Not After

03-12-2008 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

10-01-1997 07:00

Not After

31-12-2020 07:00

Subject

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

6a:0b:99:4f:c0:00:1d:ab:11:da:c4:02:a1:66:27:ba
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

04-04-2006 17:44

Not After

26-04-2012 07:00

Subject

CN=Microsoft Code Signing PCA,OU=Copyright (c) 2000 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

61:46:9e:cb:00:04:00:00:00:65
Certificate

Issuer

CN=Microsoft Code Signing PCA,OU=Copyright (c) 2000 Microsoft Corp.,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04-04-2006 19:43

Not After

04-10-2007 19:53

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

01:c2:d8:95:ba:79:32:68:57:54:49:ab:f3:e2:ce:96:01:b8:ed:fc
Signer

Actual PE Digest

01:c2:d8:95:ba:79:32:68:57:54:49:ab:f3:e2:ce:96:01:b8:ed:fc

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

kernel32

SystemTimeToTzSpecificLocalTime
GetTimeZoneInformation
TerminateProcess
CreateProcessW
GetDriveTypeW
GetLogicalDrives
CreateThread
ResetEvent
OpenEventW
SetEvent
LoadLibraryW
CreateEventW
InitializeCriticalSection
GetFullPathNameW
GetSystemDirectoryW
WaitForMultipleObjects
GetTempPathW
GetCommandLineW
GetVersion
GetModuleFileNameW
FlushFileBuffers
LocalAlloc
SetConsoleCtrlHandler
SetEndOfFile
IsBadCodePtr
SetUnhandledExceptionFilter
SetStdHandle
GetStringTypeW
GetStringTypeA
GetVersionExA
GetUserDefaultLCID
EnumSystemLocalesA
GetLocaleInfoA
IsValidCodePage
IsValidLocale
GetCPInfo
GetModuleFileNameA
ReadFile
GetFileType
GetStdHandle
SetHandleCount
GetCommandLineA
GetEnvironmentStrings
GetEnvironmentStringsW
FreeEnvironmentStringsW
FreeEnvironmentStringsA
UnhandledExceptionFilter
SystemTimeToFileTime
GetCurrentThread
TlsGetValue
TlsFree
TlsAlloc
TlsSetValue
GetCurrentThreadId
IsBadWritePtr
VirtualAlloc
VirtualFree
HeapCreate
HeapDestroy
LCMapStringW
LCMapStringA
FatalAppExitA
DeleteCriticalSection
ExitProcess
GetStartupInfoW
GetModuleHandleA
WideCharToMultiByte
RtlUnwind
HeapFree
HeapAlloc
HeapReAlloc
LoadLibraryA
FindFirstFileW
FindNextFileW
FindClose
CompareFileTime
FileTimeToLocalFileTime
SetEnvironmentVariableA
lstrlenW
CreateFileMappingW
MapViewOfFile
GetFileSize
UnmapViewOfFile
GetTickCount
VirtualProtect
IsBadReadPtr
GetCurrentDirectoryW
GetOEMCP
DeviceIoControl
SetFileAttributesW
DeleteFileW
CopyFileW
InterlockedIncrement
InterlockedDecrement
WaitForSingleObject
EnterCriticalSection
LeaveCriticalSection
WriteFile
MultiByteToWideChar
DosDateTimeToFileTime
LocalFileTimeToFileTime
FileTimeToSystemTime
GetDateFormatW
GetTimeFormatW
GetLocaleInfoW
GlobalAlloc
GlobalLock
GlobalUnlock
GetFileAttributesW
LocalFree
FormatMessageW
Sleep
HeapSize
DebugBreak
GetModuleHandleW
GetProcAddress
InterlockedExchange
SetLastError
CreateFileW
FindResourceW
LoadResource
SizeofResource
LockResource
GetCurrentProcess
CloseHandle
GetVersionExW
CreateFileA
SetFilePointer
GetLastError
CompareStringA
CompareStringW
GetACP
GetStartupInfoA
RaiseException

user32

EndPaint
BeginPaint
PtInRect
IsZoomed
CallWindowProcW
DrawFrameControl
CreateDialogParamW
UnionRect
OffsetRect
GetSystemMetrics
EndDeferWindowPos
EnumChildWindows
BeginDeferWindowPos
GetPropW
DeferWindowPos
GetClassNameW
SetWindowPlacement
UpdateWindow
LoadAcceleratorsW
GetMessageW
TranslateAcceleratorW
ScreenToClient
DrawTextW
GetWindowTextW
wsprintfW
IsDialogMessageW
TranslateMessage
DispatchMessageW
DialogBoxIndirectParamW
GetWindowLongW
SetWindowLongW
SetFocus
GetMenu
CheckMenuItem
GetWindowPlacement
GetDlgItemTextW
SetTimer
EnableWindow
DialogBoxParamW
KillTimer
DefWindowProcW
MsgWaitForMultipleObjects
LoadIconW
SetWindowTextW
DestroyIcon
PostQuitMessage
SetDlgItemTextW
IsWindowEnabled
CheckDlgButton
IsDlgButtonChecked
RegisterClassExW
ShowWindow
MapWindowPoints
CreateWindowExW
SetCapture
ReleaseCapture
EndDialog
GetParent
GetWindowRect
MoveWindow
GetDlgItem
LoadCursorW
GetSysColorBrush
GetSysColor
ChildWindowFromPoint
InvalidateRect
SetCursor
OpenClipboard
EmptyClipboard
SendMessageW
SetClipboardData
CloseClipboard
LoadStringW
PostMessageW
MessageBoxW
InflateRect
SetPropW
GetClientRect

gdi32

EndDoc
GetStockObject
GetObjectW
EndPage
SetBkMode
SetTextColor
SelectObject
StartPage
StartDocW
SetMapMode
CreateFontIndirectW
GetDeviceCaps

comdlg32

GetSaveFileNameW
PrintDlgW

advapi32

RegQueryInfoKeyW
GetSecurityDescriptorLength
MakeAbsoluteSD
MakeSelfRelativeSD
RegOpenKeyExW
RegQueryValueW
RegConnectRegistryW
RegEnumKeyExW
RegCreateKeyExW
RegCreateKeyW
RegSetValueExW
RegCloseKey
RegDeleteKeyW
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
RegQueryValueExA
RegOpenKeyExA
RegQueryValueExW
RegGetKeySecurity
IsValidSecurityDescriptor
CloseServiceHandle
DeleteService
QueryServiceStatus
ControlService
OpenServiceW
OpenSCManagerW
StartServiceW
CreateServiceW
SetServiceStatus
RegEnumKeyW
RegDeleteValueW
FreeSid
EqualSid
GetTokenInformation
AllocateAndInitializeSid
RegisterServiceCtrlHandlerW
StartServiceCtrlDispatcherW
RegEnumValueW

shell32

CommandLineToArgvW
ShellExecuteW
ExtractIconExW

ole32

CreateBindCtx

oleaut32

SetErrorInfo
GetErrorInfo
CreateErrorInfo
VariantChangeType
VariantInit
VariantClear
VariantTimeToSystemTime
SysAllocStringByteLen
SysAllocString
SysFreeString
SysStringLen

comctl32

ImageList_Create
ImageList_ReplaceIcon
PropertySheetW
ord17

mpr

WNetEnumResourceW
WNetOpenEnumW
WNetCloseEnum

Sections

.text
Size: 140KB - Virtual size: 138KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 120KB - Virtual size: 140KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 28KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c2971e27e558678b614d78284a46f77e

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88Certificate

Extended Key Usages

Key Usages

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40Certificate

6a:0b:99:4f:c0:00:1d:ab:11:da:c4:02:a1:66:27:baCertificate

Extended Key Usages

Key Usages

61:46:9e:cb:00:04:00:00:00:65Certificate

Extended Key Usages

Key Usages

01:c2:d8:95:ba:79:32:68:57:54:49:ab:f3:e2:ce:96:01:b8:ed:fcSigner

Headers

File Characteristics

Imports

version

kernel32

user32

gdi32

comdlg32

advapi32

shell32

ole32

oleaut32

comctl32

mpr

Sections

.text Size: 140KB - Virtual size: 138KB

.rdata Size: 16KB - Virtual size: 15KB

.data Size: 120KB - Virtual size: 140KB

.rsrc Size: 28KB - Virtual size: 26KB

.reloc Size: 12KB - Virtual size: 10KB

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

c1:00:8b:3c:3c:88:11:d1:3e:f6:63:ec:df:40
Certificate

6a:0b:99:4f:c0:00:1d:ab:11:da:c4:02:a1:66:27:ba
Certificate

61:46:9e:cb:00:04:00:00:00:65
Certificate

01:c2:d8:95:ba:79:32:68:57:54:49:ab:f3:e2:ce:96:01:b8:ed:fc
Signer

.text
Size: 140KB - Virtual size: 138KB

.rdata
Size: 16KB - Virtual size: 15KB

.data
Size: 120KB - Virtual size: 140KB

.rsrc
Size: 28KB - Virtual size: 26KB

.reloc
Size: 12KB - Virtual size: 10KB