D:\user_local_build\OT\Rafiki_Trunk\x64\Release\RafikiAgent.pdb
Static task
static1
Behavioral task
behavioral1
Sample
1b0f786bce57ae5cdab665ebd18cbe8f8008090a7da2f1304ce5984d3f3656e8.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
1b0f786bce57ae5cdab665ebd18cbe8f8008090a7da2f1304ce5984d3f3656e8.exe
Resource
win10v2004-20231215-en
General
-
Target
1b0f786bce57ae5cdab665ebd18cbe8f8008090a7da2f1304ce5984d3f3656e8
-
Size
548KB
-
MD5
9e1db7b83c15d6cb6294c4a010772110
-
SHA1
4415c2e08955966aee129c355e0d0492b150e1a5
-
SHA256
1b0f786bce57ae5cdab665ebd18cbe8f8008090a7da2f1304ce5984d3f3656e8
-
SHA512
0ab83b14d3f1c2248af85f16c3bce6a0f3cebca2cd19b9dce1db23252a170ed9cb9d185f4d60319e5d7340eaa43cefcd8dfd0e5dd05cbc61f1abbf8633022312
-
SSDEEP
6144:naVlo4ZqyUOMp+bnAbdxH7e2VZF8hoP5rzwj12ZEbdIMkwQ5o1GsNOQer:ncW4Zoe4dtjFWoPgQEbGjwVsQer
Malware Config
Signatures
-
Unsigned PE (1 IoC)
Checks whether the PE lacks an Authenticode signature.
Processes:
resource 1b0f786bce57ae5cdab665ebd18cbe8f8008090a7da2f1304ce5984d3f3656e8
Files
-
1b0f786bce57ae5cdab665ebd18cbe8f8008090a7da2f1304ce5984d3f3656e8.exe windows:6 windows x64 arch:x64
662330befbdd90023c6d8222b1ac3857
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
kernel32
Sleep
CloseHandle
FreeLibrary
LoadLibraryW
GetProcAddress
GetCurrentProcessId
QueryPerformanceCounter
QueryPerformanceFrequency
ReadFile
SetEvent
OpenEventW
MoveFileW
GetCurrentThreadId
GetLastError
ConnectNamedPipe
LocalFree
IsProcessorFeaturePresent
IsDebuggerPresent
GetSystemTimeAsFileTime
DecodePointer
EncodePointer
DisconnectNamedPipe
WriteFile
CreateNamedPipeW
user32
GetWindowLongPtrW
PeekMessageW
DefWindowProcW
SetWindowLongPtrW
RegisterClassW
CreateWindowExW
DispatchMessageW
ole32
CoTaskMemFree
CoCreateInstance
CoUninitialize
CoSetProxyBlanket
GetRunningObjectTable
CreateItemMoniker
CoInitialize
CoTaskMemAlloc
oleaut32
SysAllocString
SysFreeString
VariantInit
VariantClear
msvcr110
?__ExceptionPtrCurrentException@@YAXPEAX@Z
towlower
?what@exception@std@@UEBAPEBDXZ
??1exception@std@@UEAA@XZ
??0exception@std@@QEAA@AEBV01@@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrCreate@@YAXPEAX@Z
?Alloc@Concurrency@@YAPEAX_K@Z
??1scoped_lock@critical_section@Concurrency@@QEAA@XZ
??0scoped_lock@critical_section@Concurrency@@QEAA@AEAV12@@Z
??1critical_section@Concurrency@@QEAA@XZ
??0critical_section@Concurrency@@QEAA@XZ
?set@event@Concurrency@@QEAAXXZ
??1event@Concurrency@@QEAA@XZ
??0event@Concurrency@@QEAA@XZ
?Free@Concurrency@@YAXPEAX@Z
?_RunAndWait@_TaskCollection@details@Concurrency@@QEAA?AW4_TaskCollectionStatus@23@PEAV_UnrealizedChore@23@@Z
?_Cancel@_TaskCollection@details@Concurrency@@QEAAXXZ
?_Schedule@_TaskCollection@details@Concurrency@@QEAAXPEAV_UnrealizedChore@23@@Z
?_GetCurrentInlineDepth@_StackGuard@details@Concurrency@@CAAEA_KXZ
?_DeregisterCallback@_CancellationTokenState@details@Concurrency@@QEAAXPEAV_CancellationTokenRegistration@23@@Z
?_RegisterCallback@_CancellationTokenState@details@Concurrency@@QEAAPEAV_CancellationTokenRegistration@23@P6AXPEAX@Z0H@Z
?_Oversubscribe@_Context@details@Concurrency@@SAX_N@Z
?_ScheduleTask@_CurrentScheduler@details@Concurrency@@SAXP6AXPEAX@Z0@Z
?_NewCollection@_AsyncTaskCollection@details@Concurrency@@SAPEAV123@PEAV_CancellationTokenState@23@@Z
?_ReportUnobservedException@details@Concurrency@@YAXXZ
??0exception@std@@QEAA@XZ
__CxxFrameHandler3
memset
vswprintf_s
_lock
_unlock
_calloc_crt
__dllonexit
__C_specific_handler
_onexit
_XcptFilter
_amsg_exit
__wgetmainargs
__set_app_type
exit
_exit
_cexit
_configthreadlocale
__setusermatherr
_initterm_e
_initterm
__winitenv
_fmode
_commode
__crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
__crtCapturePreviousContext
?_type_info_dtor_internal_method@type_info@@QEAAXXZ
__crtSetUnhandledExceptionFilter
?__ExceptionPtrToBool@@YA_NPEBX@Z
fflush
__iob_func
wcscpy_s
??_V@YAXPEAX@Z
_wsplitpath_s
wprintf_s
swprintf_s
??_U@YAPEAX_K@Z
memcpy_s
memmove
_purecall
??2@YAPEAX_K@Z
??3@YAXPEAX@Z
_CxxThrowException
?terminate@@YAXXZ
memcpy
shlwapi
PathFileExistsW
msvcp110
?_Future_error_map@std@@YAPEBDH@Z
_Thrd_current
_Thrd_join
??0_Pad@std@@QEAA@XZ
??1_Pad@std@@QEAA@XZ
?_Launch@_Pad@std@@QEAAXPEAU_Thrd_imp_t@@@Z
?_Release@_Pad@std@@QEAAXXZ
?_Throw_Cpp_error@std@@YAXH@Z
_Thrd_equal
_Mtx_init
_Mtx_lock
_Cnd_wait
_Cnd_broadcast
_Mtx_unlock
_Mtx_destroy
_Cnd_unregister_at_thread_exit
?_Throw_future_error@std@@YAXAEBVerror_code@1@@Z
?_Throw_C_error@std@@YAXH@Z
_Cnd_init
?_Xbad_function_call@std@@YAXXZ
?_Orphan_all@_Container_base0@std@@QEAAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
?_Syserror_map@std@@YAPEBDH@Z
?_Winerror_map@std@@YAPEBDH@Z
_Cnd_destroy
?_Rethrow_future_exception@std@@YAXVexception_ptr@1@@Z
_Cnd_register_at_thread_exit
winmm
timeGetTime
mfplat
MFStartup
MFShutdown
Sections
.text Size: 58KB - Virtual size: 58KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 35KB - Virtual size: 35KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 48KB - Virtual size: 49KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 4KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 1024B - Virtual size: 928B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 400KB - Virtual size: 1.1MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ