r77 | 23959954af5f41d4f6ce084e0a2a6f60eb54a9f53665c7fe6002e58a467694de

Sharing

Copy URL

Twitter E-mail

General

Target

23959954af5f41d4f6ce084e0a2a6f60eb54a9f53665c7fe6002e58a467694de
Size

104KB
MD5

865ce075cce792e78ff5e291d9d04ef3
SHA1

fd693a5ca7fdff54698132e0e96e25d724c7b2cb
SHA256

23959954af5f41d4f6ce084e0a2a6f60eb54a9f53665c7fe6002e58a467694de
SHA512

4c520e8345fa6f16e8baec442a0bb7f3f99155d70362cc8bab62cb2bd9ab80cb37d435e8a0b76c2be24171c729dd06cc008a7a80c4297bc177754eaf0190872f
SSDEEP

3072:xPJV4GGcvsOr8H8WZwm1W1k1ahrczJkq1uM:CGt1wclZNyiq1u

Score

10^/10

r77

Malware Config

Signatures

R77 family
r77

r77 rootkit payload 1 IoCs

Detects the payload of the r77 rootkit.

resource	yara_rule
sample	r77_payload

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
23959954af5f41d4f6ce084e0a2a6f60eb54a9f53665c7fe6002e58a467694de

Files

23959954af5f41d4f6ce084e0a2a6f60eb54a9f53665c7fe6002e58a467694de
.dll windows:6 windows x64 arch:x64

6eb7db438dabc7075269340e334667e4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

LoadLibraryA
CreateThread
GetProcAddress
FreeLibrary
FreeConsole
AllocConsole
SetUnhandledExceptionFilter
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
GetLastError
DeleteCriticalSection
VirtualFree
VirtualAlloc
GetSystemInfo
VirtualQuery
HeapCreate
HeapFree
GetCurrentProcess
Thread32Next
Thread32First
GetSystemDirectoryA
SuspendThread
ResumeThread
CreateToolhelp32Snapshot
HeapReAlloc
CloseHandle
HeapAlloc
GetThreadContext
GetCurrentProcessId
FlushInstructionCache
SetThreadContext
OpenThread
RtlLookupFunctionEntry
IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
IsProcessorFeaturePresent
TerminateProcess
UnhandledExceptionFilter
DisableThreadLibraryCalls
Sleep
GetModuleHandleA
GetCurrentThreadId
VirtualProtect
RtlVirtualUnwind
RtlCaptureContext

user32

MessageBoxA
SetRect
GetWindowLongPtrA
FillRect
DefWindowProcA
CreateWindowExA
RegisterClassExA

gdi32

CreateSolidBrush
GetCurrentObject
GetObjectA
DeleteObject

msvcp140

?_Xlength_error@std@@YAXPEBD@Z

d3d11

D3D11CreateDeviceAndSwapChain

vcruntime140

__std_type_info_destroy_list
_CxxThrowException
__std_exception_destroy
memmove
memcpy
__CxxFrameHandler3
__std_exception_copy
__C_specific_handler
_purecall
__std_terminate
memset

api-ms-win-crt-string-l1-1-0

strcat_s

api-ms-win-crt-runtime-l1-1-0

_cexit
exit
_invalid_parameter_noinfo_noreturn
_initterm
_initterm_e
_seh_filter_dll
_execute_onexit_table
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv

api-ms-win-crt-stdio-l1-1-0

__acrt_iob_func
__stdio_common_vfwprintf_s
freopen_s

api-ms-win-crt-heap-l1-1-0

_callnewh
malloc
free

api-ms-win-crt-math-l1-1-0

floorf
ceilf

Exports

Exports

D3D11CoreCreateDevice
D3D11CoreCreateLayeredDevice
D3D11CoreGetLayeredDeviceSize
D3D11CoreRegisterLayers
D3D11CreateDevice
D3D11CreateDeviceAndSwapChain
D3D11On12CreateDevice
EnableFeatureLevelUpgrade
FW1CreateFactory

Sections

.text
Size: 63KB - Virtual size: 62KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 190KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 720B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6eb7db438dabc7075269340e334667e4

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

msvcp140

d3d11

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

Exports

Exports

Sections

.text Size: 63KB - Virtual size: 62KB

.rdata Size: 32KB - Virtual size: 32KB

.data Size: 3KB - Virtual size: 190KB

.pdata Size: 4KB - Virtual size: 3KB

.reloc Size: 1024B - Virtual size: 720B

.text
Size: 63KB - Virtual size: 62KB

.rdata
Size: 32KB - Virtual size: 32KB

.data
Size: 3KB - Virtual size: 190KB

.pdata
Size: 4KB - Virtual size: 3KB

.reloc
Size: 1024B - Virtual size: 720B