EkraHWID[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

EkraHWID.exe
Size

3.8MB
MD5

4bd1e1e5d6b2a4935b4f88f1ef57d384
SHA1

961f94e7872f54605124bb19aa288c1553ff15b1
SHA256

1bf573ee2f787869719510c6860adc85b676b5aba6ad5c55822c872e8039d3db
SHA512

e5efa61f8600442fc700dc7f878de6ec88b77f662539303ccef42074a2258bc11bbab20c64ebcdf623908f106eea232ca680905c60a25bd5b30766a719747608
SSDEEP

98304:5XJof7K5JEyUal+KH4kpc+DX/0HG9crhwFbH:5XizKHEyUZKYODj9c1wB

Score

7^/10

Malware Config

Signatures

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
sample	net_reactor

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
EkraHWID.exe

Files

EkraHWID.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

EkraHWID.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 3.6MB - Virtual size: 3.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 269KB - Virtual size: 268KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ