rbx[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

rbx.exe
Size

1.6MB
MD5

121d32503556432aa7faf63185c34e46
SHA1

f1aa3ec2320979a2326d6edc2a4d8ad9c2d519ac
SHA256

6385a127453dbc597799857de46b95cf9aa32108d3a79090169fac593aeb17fb
SHA512

c17a27fcaf31a5217b65516d4731c36e680565f23f64d423dd0332e4e2d5a7d0a33f90e36de985cd24987a1c856ea4220346049a2dd144d193d5a29e8e1d1119
SSDEEP

49152:BI3ZZwsvN9kJt94ur7erP3ifA7cW1CC010P:WZ3EN4ur71a

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
rbx.exe

Files

rbx.exe
.exe windows:6 windows x64 arch:x64

cde0e6523298a85fd5ca8c4e80ebbc43

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\murder\Desktop\rbx\x64\Release\rbx.pdb

Imports

msvcp140

?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Winerror_map@std@@YAHH@Z
?_Xbad_function_call@std@@YAXXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$ctype@D@std@@2V0locale@2@A
?_Syserror_map@std@@YAPEBDH@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
?setf@ios_base@std@@QEAAHHH@Z
_Xtime_get_ticks
??0_Locinfo@std@@QEAA@PEBD@Z
??1_Locinfo@std@@QEAA@XZ
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
?tolower@?$ctype@D@std@@QEBADD@Z
?tolower@?$ctype@D@std@@QEBAPEBDPEADPEBD@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
_Strcoll
?id@?$collate@D@std@@2V0locale@2@A
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
_Strxfrm
_Thrd_detach
_Query_perf_counter
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
_Query_perf_frequency
_Thrd_join
_Thrd_id
_Cnd_do_broadcast_at_thread_exit
?_Throw_Cpp_error@std@@YAXH@Z
??Bid@locale@std@@QEAA_KXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ

ntdll

RtlVirtualUnwind
RtlInitAnsiString
RtlCaptureContext
VerSetConditionMask
RtlLookupFunctionEntry
RtlAnsiStringToUnicodeString
RtlInitUnicodeString
NtQuerySystemInformation

dbghelp

ImageDirectoryEntryToData
ImageRvaToVa
ImageNtHeader

d3d11

D3D11CreateDeviceAndSwapChain

wininet

InternetReadFile
InternetOpenUrlA
InternetCloseHandle
InternetOpenA

user32

SetLayeredWindowAttributes
CreateWindowExA
DefWindowProcA
LoadIconA
PeekMessageA
UnregisterClassA
PostQuitMessage
RegisterClassExA
UpdateWindow
GetKeyState
LoadCursorA
MonitorFromWindow
GetCapture
MoveWindow
TrackMouseEvent
SetCapture
SetCursor
GetClientRect
SetProcessDPIAware
ReleaseCapture
SetCursorPos
OpenClipboard
CloseClipboard
EmptyClipboard
GetClipboardData
SetClipboardData
ShowWindow
MessageBoxA
ScreenToClient
GetAsyncKeyState
GetForegroundWindow
FindWindowA
GetMonitorInfoA
SetWindowDisplayAffinity
DestroyWindow
DispatchMessageA
TranslateMessage
ClientToScreen
GetCursorPos
GetWindowLongA
SetWindowLongA
GetSystemMetrics
SetWindowPos
GetWindowRect
SendInput

kernel32

InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
GetFileInformationByHandleEx
AreFileApisANSI
GetTempPathW
SetFileInformationByHandle
GetFullPathNameW
GetFileAttributesExW
GetFileAttributesW
FindNextFileW
FindFirstFileExW
FindFirstFileW
FindClose
CreateDirectoryW
GetLocaleInfoEx
GetFileSizeEx
WaitForMultipleObjects
PeekNamedPipe
ReadFile
GetFileType
GetEnvironmentVariableA
WaitForSingleObjectEx
MoveFileExA
VerifyVersionInfoA
GetSystemDirectoryA
SleepEx
OutputDebugStringW
LeaveCriticalSection
EnterCriticalSection
LocalFree
SetLastError
QueryFullProcessImageNameW
GetModuleHandleW
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
VirtualProtect
CreateThread
DeleteCriticalSection
InitializeCriticalSectionEx
GetProcessHeap
HeapSize
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
QueryPerformanceCounter
QueryPerformanceFrequency
LoadLibraryA
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
GlobalAlloc
MultiByteToWideChar
lstrcmpiA
Process32Next
CreateFileA
CreateToolhelp32Snapshot
GetCurrentProcess
Process32First
GetCurrentProcessId
GetModuleHandleA
VirtualAlloc
VirtualFree
GetConsoleWindow
CloseHandle
Sleep
CreateFileW
DeviceIoControl
GetStdHandle
SetConsoleTitleA
FormatMessageA
FreeLibrary
GetProcAddress
GetLastError
LoadLibraryExA
GetModuleFileNameA
GetTickCount

imm32

ImmSetCandidateWindow
ImmReleaseContext
ImmSetCompositionWindow
ImmGetContext

d3dcompiler_43

D3DCompile

gdi32

CreateSolidBrush

dwmapi

DwmExtendFrameIntoClientArea

advapi32

CryptDestroyKey
CryptEncrypt
CryptImportKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGenRandom
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
ConvertSidToStringSidA
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
OpenProcessToken
RegSetValueExA
RegDeleteKeyA
RegOpenKeyA
AdjustTokenPrivileges
LookupPrivilegeValueW
RegCreateKeyA
GetUserNameW
AddAccessAllowedAce
GetLengthSid
GetTokenInformation
InitializeAcl
IsValidSid
SetSecurityInfo
CopySid

normaliz

IdnToAscii

wldap32

ord41
ord22
ord26
ord27
ord45
ord301
ord200
ord30
ord79
ord33
ord50
ord35
ord143
ord217
ord46
ord211
ord60
ord32

crypt32

CryptQueryObject
CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CryptDecodeObjectEx
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertCreateCertificateChainEngine

ws2_32

freeaddrinfo
recvfrom
sendto
gethostname
ntohl
select
__WSAFDIsSet
ioctlsocket
listen
htonl
accept
WSACleanup
WSAStartup
WSASetLastError
socket
setsockopt
ntohs
htons
getsockopt
getsockname
getpeername
connect
bind
WSAGetLastError
send
recv
closesocket
getaddrinfo
WSAIoctl

shell32

ShellExecuteA
SHGetFolderPathW

rpcrt4

UuidToStringA
RpcStringFreeA
UuidCreate

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memchr
_CxxThrowException
__C_specific_handler
strrchr
__std_exception_destroy
strchr
strstr
__std_terminate
_purecall
__intrinsic_setjmp
longjmp
__std_exception_copy
memcpy
memmove
memset
__current_exception
__current_exception_context
memcmp

api-ms-win-crt-heap-l1-1-0

realloc
_callnewh
malloc
_set_new_mode
calloc
free

api-ms-win-crt-math-l1-1-0

ceil
__setusermatherr
sqrtf
tan
acos
llround
atan2
ldexp
asin
_dclass
acosf
ceilf
cos
cosf
exp
floor
fmod
log
log10
frexp
pow
sin
sinf
sqrt

api-ms-win-crt-string-l1-1-0

tolower
isupper
isgraph
_stricmp
iscntrl
isblank
strpbrk
strncpy
isxdigit
isdigit
ispunct
islower
toupper
_strdup
isalnum
strcspn
isalpha
strncmp
strcmp
strspn
isspace
strcoll

api-ms-win-crt-runtime-l1-1-0

_invalid_parameter_noinfo_noreturn
exit
_errno
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
system
__p___argc
_exit
_initterm_e
_initterm
_get_initial_narrow_environment
strerror
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_getpid
_resetstkoflw
_invalid_parameter_noinfo
__sys_nerr
abort
perror
terminate
_beginthreadex

api-ms-win-crt-stdio-l1-1-0

fsetpos
fgetpos
__acrt_iob_func
setvbuf
ftell
fseek
fflush
fclose
_wfopen
__stdio_common_vsscanf
tmpfile
ferror
_pclose
clearerr
_popen
fgets
ungetc
fgetc
getc
_get_stream_buffer_pointers
__stdio_common_vfprintf
fputs
_open
_close
_lseeki64
fwrite
__stdio_common_vsprintf
_write
_read
__p__commode
_ftelli64
_fseeki64
freopen
fputc
fopen
feof
fread
_set_fmode
tmpnam

api-ms-win-crt-locale-l1-1-0

setlocale
localeconv
___lc_codepage_func
_configthreadlocale

api-ms-win-crt-time-l1-1-0

_difftime64
_mktime64
strftime
_gmtime64
_time64
_localtime64
clock

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-convert-l1-1-0

strtod
strtoull
atoi
strtoll
strtoul
strtol
atof

api-ms-win-crt-filesystem-l1-1-0

_unlink
remove
_lock_file
_unlock_file
rename
_fstat64
_stat64
_access

api-ms-win-crt-utility-l1-1-0

srand
rand
qsort

Sections

.text
Size: 1019KB - Virtual size: 1018KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 244KB - Virtual size: 243KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 303KB - Virtual size: 310KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 47KB - Virtual size: 47KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

cde0e6523298a85fd5ca8c4e80ebbc43

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcp140

ntdll

dbghelp

d3d11

wininet

user32

kernel32

imm32

d3dcompiler_43

gdi32

dwmapi

advapi32

normaliz

wldap32

crypt32

ws2_32

shell32

rpcrt4

psapi

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-utility-l1-1-0

Sections

.text Size: 1019KB - Virtual size: 1018KB

.rdata Size: 244KB - Virtual size: 243KB

.data Size: 303KB - Virtual size: 310KB

.pdata Size: 47KB - Virtual size: 47KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 5KB - Virtual size: 4KB

.text
Size: 1019KB - Virtual size: 1018KB

.rdata
Size: 244KB - Virtual size: 243KB

.data
Size: 303KB - Virtual size: 310KB

.pdata
Size: 47KB - Virtual size: 47KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 5KB - Virtual size: 4KB