raserver[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

raserver.exe
Size

156KB
MD5

f78767496d6c74fc666ff75eb7a690c5
SHA1

c27ea3afb2675d6648f1c647fb6becf33516b286
SHA256

af20453ae1334e4e504b16a6dcb09ad89616e789c97c9d3921e0eeca088f41f6
SHA512

3e57b59e7464d8d8ce2a8cb0e47d4b53824a6490f1d48402e22f1fe8222457f5567d3df62342fb9210d57cf992702a4913c166bfde174b4fd99601dd158a408c
SSDEEP

3072:RNjbYWVApJS7hxG+jZAO9Bjh8wq78yjiM4+BDnOXyLFCcLPxfkzH:RNjbYWVApJS73jZAG9hHqgyWM4gOXyLE

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
raserver.exe

Files

raserver.exe
.exe windows:10 windows x64 arch:x64

e20b4754318a11b8eb79040b310ad904

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

RAServer.pdb

Imports

advapi32

RegDeleteValueW
RegOpenKeyExW
RegSetValueExW
RegEnumKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegCloseKey
RegQueryValueExW
IsValidRelativeSecurityDescriptor
MakeAbsoluteSD
InitializeSecurityDescriptor
InitializeAcl
MakeSelfRelativeSD
IsValidSecurityDescriptor
AllocateAndInitializeSid
GetLengthSid
AddAccessAllowedAce
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
FreeSid
GetSecurityDescriptorDacl
IsValidAcl
GetAclInformation
GetAce
EqualSid
AddAccessDeniedAce
DeleteAce
RegEnumValueW
CryptDestroyKey
CryptReleaseContext
CryptAcquireContextW
CryptGetUserKey
CryptGenKey
CryptExportKey
CryptImportKey
CryptDecrypt
CryptEncrypt
EventWrite
EventUnregister
EventRegister

kernel32

GetModuleFileNameW
LeaveCriticalSection
InitializeCriticalSection
WaitForSingleObject
GetCurrentThreadId
ReleaseMutex
CreateEventW
MultiByteToWideChar
FormatMessageW
GetLastError
OutputDebugStringW
ReleaseSemaphore
OpenSemaphoreW
CloseHandle
RaiseException
FindResourceExW
LoadResource
HeapAlloc
GetProcAddress
CreateMutexExW
DeleteCriticalSection
GetCurrentProcessId
GetProcessHeap
GetModuleHandleW
FreeLibrary
DebugBreak
lstrcmpiW
LoadLibraryExW
IsDebuggerPresent
SetProcessMitigationPolicy
SetErrorMode
HeapSetInformation
CompareStringW
GetCommandLineW
SetEvent
Sleep
CreateThread
LoadLibraryW
ResetEvent
GetSystemDirectoryW
DelayLoadFailureHook
ResolveDelayLoadedAPI
OutputDebugStringA
GetTickCount
GetSystemTimeAsFileTime
QueryPerformanceCounter
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetStartupInfoW
EnterCriticalSection
SetLastError
HeapFree
CreateSemaphoreExW
SizeofResource
GetModuleHandleExW
GetModuleFileNameA
WaitForSingleObjectEx

user32

TranslateMessage
DispatchMessageW
LoadStringW
UnregisterClassA
CharNextW
CharUpperW
PostThreadMessageW
GetMessageW

msvcrt

__setusermatherr
_callnewh
_wcmdln
_fmode
_commode
_errno
??0exception@@QEAA@AEBQEBDH@Z
realloc
?terminate@@YAXXZ
_lock
_unlock
__dllonexit
_onexit
??1type_info@@UEAA@XZ
_initterm
memcmp
wcsncmp
_wtol
iswdigit
_cexit
_exit
exit
__set_app_type
_wtoi
wcscat_s
wcscpy_s
wcsncpy_s
malloc
free
_vsnprintf_s
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
_purecall
memcpy_s
_vsnwprintf
??_V@YAXPEAX@Z
__C_specific_handler
__CxxFrameHandler4
??3@YAXPEAX@Z
__wgetmainargs
_amsg_exit
_XcptFilter
memmove
memcpy
__CxxFrameHandler3
??0exception@@QEAA@AEBQEBD@Z
?what@exception@@UEBAPEBDXZ
memset
_CxxThrowException
wcscmp

shlwapi

StrCmpIW

oleaut32

SafeArrayDestroy
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayCreateVector
SysAllocStringByteLen
SysAllocString
UnRegisterTypeLi
LoadRegTypeLi
LoadTypeLi
SysFreeString
SysStringByteLen
RegisterTypeLi
SysStringLen
VarUI4FromStr
VarBstrCat
SysAllocStringLen
VarBstrCmp

wtsapi32

WTSQuerySessionInformationW
WTSEnumerateSessionsW
WTSFreeMemory

shell32

SHGetSpecialFolderPathW
ShellExecuteW

crypt32

CryptStringToBinaryW
CryptBinaryToStringW

api-ms-win-core-com-l1-1-0

CoWaitForMultipleHandles
CoSuspendClassObjects
CoRegisterClassObject
CoRevokeClassObject
CoCreateInstance
StringFromGUID2
CoResumeClassObjects
CoInitializeEx
CoUninitialize
CoTaskMemRealloc
CoTaskMemFree
CoTaskMemAlloc

samcli

NetLocalGroupAddMembers
NetLocalGroupDel
NetLocalGroupAdd
NetLocalGroupGetInfo
NetLocalGroupGetMembers
NetLocalGroupDelMembers

netutils

NetApiBufferFree

Sections

.text
Size: 84KB - Virtual size: 80KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e20b4754318a11b8eb79040b310ad904

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

user32

msvcrt

shlwapi

oleaut32

wtsapi32

shell32

crypt32

api-ms-win-core-com-l1-1-0

samcli

netutils

Sections

.text Size: 84KB - Virtual size: 80KB

.rdata Size: 32KB - Virtual size: 31KB

.data Size: 4KB - Virtual size: 3KB

.pdata Size: 8KB - Virtual size: 4KB

.didat Size: 4KB - Virtual size: 16B

.rsrc Size: 16KB - Virtual size: 13KB

.reloc Size: 4KB - Virtual size: 960B

.text
Size: 84KB - Virtual size: 80KB

.rdata
Size: 32KB - Virtual size: 31KB

.data
Size: 4KB - Virtual size: 3KB

.pdata
Size: 8KB - Virtual size: 4KB

.didat
Size: 4KB - Virtual size: 16B

.rsrc
Size: 16KB - Virtual size: 13KB

.reloc
Size: 4KB - Virtual size: 960B