Robocopy[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

Robocopy.exe
Size

139KB
MD5

57d201152098bbaf0f4cabeed43dd0fd
SHA1

719f6a9de18e2325e8bcc81364e9166df8c7866c
SHA256

99cba540c07eff7b45cdfffda700571adbccd12cc2bcf6e07f86d72fde7498c1
SHA512

99cecbe3829db253804b2252020cdc0a6437f7c5ff3de1a87e6cb39fb561154743e232c07bcca4ceeacde8042a1f5be4a2f22b80031190ddead9131847050a60
SSDEEP

3072:/Yp7yVv/yLpCPUYVUpl4UnKQewc7Wnbd8CRDb6Ed:wpqv/JbVUoOKocGr

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Robocopy.exe

Files

Robocopy.exe
.exe windows:10 windows x86 arch:x86

22ad0de837b4d478336f27283bd36a3e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

robocopy.pdb

Imports

msvcrt

__set_app_type
__wgetmainargs
_amsg_exit
__p__commode
_XcptFilter
_callnewh
_wcsnicmp
_vsnprintf_s
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@XZ
??1exception@@UAE@XZ
_purecall
_wcsicmp
malloc
free
exit
_exit
_cexit
__p__fmode
__setusermatherr
_initterm
?terminate@@YAXXZ
??1type_info@@UAE@XZ
_lock
_unlock
__dllonexit
_onexit
_except_handler4_common
_controlfp
memcpy
memcmp
_ftol2_sse
_ftol2
_CxxThrowException
wcsstr
clock
ctime
time
wcstok_s
wcscat_s
wcscpy_s
fwprintf_s
fflush
wcstol
_wsetlocale
swprintf_s
fwprintf
memmove_s
printf
fgetws
_wcsupr_s
_wfopen
_fileno
_setmode
__iob_func
_errno
_get_osfhandle
fprintf
fputws
fclose
memcpy_s
_vsnwprintf
wprintf
__CxxFrameHandler3
memset

kernel32

WriteConsoleW
ExitProcess
GetStdHandle
HeapValidate
GetConsoleMode
GetFileType
HeapSize
HeapReAlloc
HeapDestroy
RaiseException
CopyFile2
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
CreateThread
GetExitCodeThread
ExitThread
ResumeThread
SetThreadPriority
IsDebuggerPresent
GetTickCount
BackupRead
IsBadWritePtr
IsBadReadPtr
SizeofResource
CompareStringW
SetLastError
GetFullPathNameW
lstrlenW
ExpandEnvironmentStringsW
GetVersion
LocalFileTimeToFileTime
GetLastError
FileTimeToSystemTime
LockResource
FindResourceExW
LoadResource
GetLocalTime
GetTimeFormatW
SystemTimeToFileTime
GetSystemTime
GetDateFormatW
InitializeSRWLock
CloseThreadpoolWork
CreateThreadpool
SetWaitableTimer
TlsSetValue
EnterCriticalSection
GetConsoleOutputCP
CreateWaitableTimerW
SetFileTime
WaitForMultipleObjects
SetThreadUILanguage
LeaveCriticalSection
InitializeCriticalSection
SetErrorMode
WaitForSingleObject
CreateFileW
GetFileAttributesW
GetCurrentThreadId
FindFirstChangeNotificationW
OpenProcess
CreateEventW
CloseThreadpoolCleanupGroupMembers
Sleep
SetThreadpoolThreadMaximum
ReleaseSRWLockExclusive
SetEvent
AcquireSRWLockExclusive
FindCloseChangeNotification
WaitForSingleObjectEx
TlsAlloc
QueryPerformanceFrequency
CloseHandle
CreateThreadpoolCleanupGroup
HeapSetInformation
ResetEvent
FindNextChangeNotification
SubmitThreadpoolWork
DeleteCriticalSection
GetCurrentProcessId
GetModuleHandleW
SleepEx
TlsGetValue
QueryPerformanceCounter
OpenThread
CreateThreadpoolWork
GetLocaleInfoEx
LocalAlloc
GetNumberFormatEx
FormatMessageW
LocalFree
WideCharToMultiByte
CreateDirectoryW
GetVolumeInformationW
CompareFileTime
FindFirstFileW
DeviceIoControl
RemoveDirectoryW
FindClose
SetFileAttributesW
GetFileInformationByHandle
GlobalFree
DebugBreak
lstrcmpW
GetModuleFileNameA
BackupWrite
CreateSemaphoreExW
HeapFree
ReleaseSemaphore
GetModuleHandleExW
CompareStringOrdinal
InitializeCriticalSectionEx
WaitForThreadpoolTimerCallbacks
ReleaseMutex
OutputDebugStringW
CloseThreadpoolTimer
DeleteFileW
OpenSemaphoreW
SetThreadpoolTimer
ReleaseSRWLockShared
CreateThreadpoolTimer
HeapAlloc
GetProcAddress
CreateMutexExW
AcquireSRWLockShared
GetProcessHeap

advapi32

GetUserNameW
AdjustTokenPrivileges
LookupPrivilegeValueW
GetSecurityDescriptorControl
EncryptFileW
ReadEncryptedFileRaw
DecryptFileW
RegQueryValueExW
RegDeleteValueW
RegSetValueExW
RegCreateKeyExW
RegCloseKey
WriteEncryptedFileRaw
OpenEncryptedFileRawW
CloseEncryptedFileRaw
OpenProcessToken

user32

UnregisterClassA
LoadStringW

ws2_32

WSACleanup

ntdll

NtSetInformationProcess
RtlCompareMemory
NtOpenFile
RtlGetDaclSecurityDescriptor
NtQuerySecurityObject
NtQueryDirectoryFile
RtlFreeHeap
NtQueryInformationFile
RtlSetControlSecurityDescriptor
NtQueryEaFile
NtSetSecurityObject
NtSetEaFile
NtSetInformationFile
RtlInitUnicodeString
RtlGetSaclSecurityDescriptor
RtlDosPathNameToRelativeNtPathName_U
RtlGetControlSecurityDescriptor
RtlNtStatusToDosErrorNoTeb
NtQueryVolumeInformationFile
RtlNtStatusToDosError
NtClose

Sections

.text
Size: 120KB - Virtual size: 120KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

22ad0de837b4d478336f27283bd36a3e

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

kernel32

advapi32

user32

ws2_32

ntdll

Sections

.text Size: 120KB - Virtual size: 120KB

.data Size: 1024B - Virtual size: 5KB

.idata Size: 6KB - Virtual size: 6KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 8KB - Virtual size: 8KB

.text
Size: 120KB - Virtual size: 120KB

.data
Size: 1024B - Virtual size: 5KB

.idata
Size: 6KB - Virtual size: 6KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 8KB - Virtual size: 8KB