Behavioral task: behavioral1
Sample: 4e6bccd94552190533e28058092b989e.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 4e6bccd94552190533e28058092b989e.exe
Resource: win10v2004-20231215-en
General
Target: 4e6bccd94552190533e28058092b989e
Size: 1.2MB
MD5: 4e6bccd94552190533e28058092b989e
SHA1: b76e030c15bcc91a1336c820db04b76350b7b512
SHA256: a3662b8fdd77511e2b5bb91e2797ff4076555fe3360b88198e078932d131e53d
SHA512: 4c65b55963d48d7ddabecd8df36c6541b65857de063ee9407126adee9f7f475c6a10ca812bc9c681750f03290cc393116a7a8c2d4542ffa41315b4832d21e71e
SSDEEP: 24576:dHtFjGDfUmf6oIDADj41g3gpzQn65O5C9OkLBlgVIH06iyx:AyDcVJU4qB2IU6iO
Malware Config
Extracted: rustybuer
URL: https://serevalutinoffice.com/
Signatures
- Rustybuer family
- Unsigned PE (1 IoC): checks for missing Authenticode signature. resource 4e6bccd94552190533e28058092b989e
Files
- 4e6bccd94552190533e28058092b989e.exe (windows:6 windows x86 arch:x86) b29ae267f5b16be88167085dab75c353
Headers
DLL Characteristics: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE, IMAGE_FILE_32BIT_MACHINE
Imports
ntdll: NtQueryDefaultLocale, RtlCaptureContext, RtlUnwind
kernel32: SetLastError, GetModuleFileNameW, GetLastError, GetProcessHeap, HeapFree, CreateFileW, Sleep, AddVectoredExceptionHandler, SetThreadStackGuarantee, HeapAlloc, HeapReAlloc, GetVolumePathNameW, GetDiskFreeSpaceW, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, GetEnvironmentVariableW, CloseHandle, GetConsoleMode, WriteFile, WriteConsoleW, GetCurrentDirectoryW, GetCurrentThread, ReleaseMutex, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, TlsAlloc, GetModuleHandleW, FormatMessageW, InitializeCriticalSection, TryEnterCriticalSection, LeaveCriticalSection, EnterCriticalSection, SetHandleInformation, ExitProcess, QueryPerformanceCounter, QueryPerformanceFrequency, GetSystemTimeAsFileTime, CreateThread, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetVolumeInformationA, GetStdHandle, DecodePointer, SetFilePointerEx, LCMapStringW, CompareStringW, HeapSize, GetStringTypeW, GetFileType, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, GetCommandLineW, GetConsoleCP, FlushFileBuffers, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, TerminateProcess, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetModuleHandleExW, GetCommandLineA
advapi32: RegQueryValueExW, RegOpenKeyExW, GetUserNameW, GetTokenInformation, OpenProcessToken, GetCurrentHwProfileW, SystemFunction036
bcrypt: BCryptGenRandom
netapi32: NetWkstaGetInfo
user32: GetSystemMetrics
ws2_32: getsockname, accept, ioctlsocket, WSASend, send, WSARecv, recv, listen, WSASocketW, freeaddrinfo, getaddrinfo, WSACleanup, WSAStartup, WSAGetLastError, bind, closesocket, getpeername, select, connect, setsockopt, getsockopt, gethostname
Sections
.text (Size: 602KB - Virtual size: 602KB): IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata (Size: 580KB - Virtual size: 579KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data (Size: 2KB - Virtual size: 5KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc (Size: 33KB - Virtual size: 33KB): IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ