RdpSa[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

RdpSa.exe
Size

48KB
MD5

0f15ef0adc248a282af3b5a151c7a2ce
SHA1

a03b5c013c17b740902f7a0eead9d92e624dc569
SHA256

89fcff7ee05e4905517bb342841511d05939df0bb3d2e5671905e07ea4931c70
SHA512

d084b915f8de0f84f30f6d16107d1dd8dea471ca784c8e80d33d1599b13727c9a2ea4e62b56fc5b362a21b7e79eb047e8fe593ff64cb1ed3d2c7940f88bf36cc
SSDEEP

768:ynlU1oEny0A3hJGcaVN2XUz3DjOGXVBsqRy+Z4ZxkFZgeyl:u+13y0AxJLa+XUz3DjOG35k1ZxkFZge

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
RdpSa.exe

Files

RdpSa.exe
.exe windows:10 windows x86 arch:x86

4d86ce84e4eb6ce9e7c94f1e0f629bc5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

RdpSa.pdb

Imports

advapi32

TraceMessage
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
OpenProcessToken
RegOpenKeyExW
RegNotifyChangeKeyValue
RegGetValueW
GetTokenInformation
GetSecurityInfo
GetLengthSid
InitializeAcl
AddAccessDeniedAce
GetAce
AddAce
SetSecurityInfo

kernel32

FormatMessageW
LocalFree
GetCurrentProcessId
ProcessIdToSessionId
CloseHandle
GetCurrentProcess
HeapSetInformation
SetProcessMitigationPolicy
HeapReAlloc
GetLastError
GetModuleHandleExA
GetProcAddress
FreeLibrary
HeapAlloc
UnmapViewOfFile
LocalAlloc
DelayLoadFailureHook
ResolveDelayLoadedAPI
Sleep
SetEvent
MapViewOfFile
WaitForSingleObject
GetProcessHeap
HeapFree
CreateEventW

user32

RegisterClassExW
LoadStringW
PostQuitMessage
DispatchMessageW
TranslateMessage
GetMessageW
SetTimer
DefWindowProcW
GetWindowLongW
SetWindowLongW
DestroyWindow
KillTimer
CreateWindowExW

msvcrt

??1type_info@@UAE@XZ
memmove
_CxxThrowException
memcmp
?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
memcpy
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@ABQBDH@Z
??0exception@@QAE@ABQBD@Z
_callnewh
malloc
memset
??3@YAXPAX@Z
_except_handler4_common
_controlfp
?terminate@@YAXXZ
__CxxFrameHandler3
_onexit
__dllonexit
_unlock
_lock
_wcmdln
_initterm
__setusermatherr
__p__fmode
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
__p__commode
_XcptFilter
_purecall
??_V@YAXPAX@Z
_vsnwprintf

oleaut32

SysAllocStringByteLen
SysStringLen
SysAllocString
SysFreeString

ntdll

EtwEventWriteFull
EtwEventUnregister
EtwEventRegister

api-ms-win-core-com-l1-1-0

CoInitializeSecurity
CoUninitialize
CoInitializeEx
StringFromCLSID
CoTaskMemFree
CoCreateInstance

sspicli

GetUserNameExW

ws2_32

GetAddrInfoW
GetNameInfoW
FreeAddrInfoW

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
TerminateProcess
GetStartupInfoW

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

winsta

WinStationShadowStop2
WinStationSendMessageW

Sections

.text
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4d86ce84e4eb6ce9e7c94f1e0f629bc5

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

user32

msvcrt

oleaut32

ntdll

api-ms-win-core-com-l1-1-0

sspicli

ws2_32

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

winsta

Sections

.text Size: 36KB - Virtual size: 35KB

.data Size: 512B - Virtual size: 1KB

.idata Size: 4KB - Virtual size: 3KB

.didat Size: 512B - Virtual size: 12B

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 3KB - Virtual size: 3KB

.text
Size: 36KB - Virtual size: 35KB

.data
Size: 512B - Virtual size: 1KB

.idata
Size: 4KB - Virtual size: 3KB

.didat
Size: 512B - Virtual size: 12B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 3KB - Virtual size: 3KB