not a rat trust[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

not a rat trust.exe
Size

3.0MB
MD5

f1ae4ef66ce1404831e378b218f5cf54
SHA1

566e8240887abf0bb1de225cd877491f05886713
SHA256

ace4475aff62fd91868fcc217527f860ab7daec306e528097dd10ed9a08c6741
SHA512

5f79c99f49281be78507b7b479f659f58d99c35cbb6dc0378b1123c904bc2399a90ab42cf5cfbf9543ce51da95d3e028e53e553e16b30d24cc4b138c4f2f71a6
SSDEEP

49152:dGvXNvTbZKYsnnMtPA2mRdpO4jWqX9OMZMB5ruMT:dGvdxNsD2qpOqO

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
not a rat trust.exe

Files

not a rat trust.exe
.exe windows:6 windows x64 arch:x64

92ecba7f234b4f04924cc76663ed7a0e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\fasbe\source\repos\ImCytox\Cherax\bin\Final\CheraxLoader.pdb

Imports

kernel32

GetStartupInfoW
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
RtlVirtualUnwind
RtlLookupFunctionEntry
SleepConditionVariableSRW
WakeAllConditionVariable
GetFileSizeEx
WaitForSingleObjectEx
GetFileType
PeekNamedPipe
WaitForMultipleObjects
GetStdHandle
ReadFile
GetEnvironmentVariableA
VerifyVersionInfoW
SleepEx
GetTickCount
InitializeSListHead
CreateFileA
HeapAlloc
HeapFree
MapViewOfFile
UnmapViewOfFile
CreateFileMappingA
CreateRemoteThread
CreateProcessW
VirtualAllocEx
GetProcAddress
Process32FirstW
DeleteCriticalSection
SetEvent
CreateEventW
WaitForSingleObject
Process32NextW
LeaveCriticalSection
EnterCriticalSection
LoadLibraryW
GetSystemDirectoryW
FormatMessageW
SetLastError
GlobalUnlock
GlobalAlloc
CreateNamedPipeA
FreeLibrary
VerSetConditionMask
QueryPerformanceFrequency
LoadLibraryA
Sleep
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
WideCharToMultiByte
MultiByteToWideChar
GetFileInformationByHandleEx
MoveFileExW
AreFileApisANSI
SetFileInformationByHandle
GetFileAttributesExW
FindFirstFileW
FindClose
CreateFileW
CreateDirectoryW
GetLocaleInfoEx
FormatMessageA
LocalFree
GlobalLock
CreateToolhelp32Snapshot
OpenProcess
GetModuleHandleA
WriteProcessMemory
SetUnhandledExceptionFilter
GetModuleHandleW
UnhandledExceptionFilter
AddVectoredExceptionHandler
GetCurrentThread
GetModuleHandleExA
GetSystemTimeAsFileTime
CreateMutexA
ConnectNamedPipe
DisconnectNamedPipe
GlobalFree
WriteFile
GetCurrentThreadId
GetCurrentProcess
RtlCaptureContext
RemoveVectoredExceptionHandler
QueryPerformanceCounter
VirtualFreeEx
GetLastError
GetComputerNameA
DebugBreak
CreateProcessA
GetCurrentProcessId
ExitProcess
SetFileAttributesA
CloseHandle
GetModuleFileNameA
GetFileAttributesA
GetVolumeInformationA
InitializeCriticalSectionEx

user32

GetActiveWindow
DefWindowProcW
GetWindowRect
DestroyWindow
SetWindowPos
SetActiveWindow
CreateWindowExW
UnregisterClassW
RegisterClassExW
ShowWindow
DispatchMessageW
PeekMessageW
GetForegroundWindow
SetFocus
ClientToScreen
GetCapture
TrackMouseEvent
GetKeyState
SetClipboardData
GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
TranslateMessage
PostQuitMessage
UpdateWindow
SetForegroundWindow
FindWindowA
MessageBoxW
MessageBoxA
GetCursorPos
SetCursorPos
ReleaseCapture
GetClientRect
SetCursor
SetCapture
LoadCursorW
ScreenToClient

advapi32

RegQueryValueExW
GetUserNameA
RegOpenKeyExW
CryptReleaseContext
CryptGetHashParam
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptAcquireContextW
CryptImportKey
CryptEncrypt
CryptDestroyKey
RegCloseKey

shell32

SHGetKnownFolderPath
ShellExecuteW

ole32

CoTaskMemFree

msvcp140

?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
_Thrd_yield
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
_Tolower
_Toupper
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Init@ios_base@std@@IEAAXXZ
??0ios_base@std@@IEAA@XZ
??1ios_base@std@@UEAA@XZ
?clear@ios_base@std@@QEAAXH_N@Z
??1ctype_base@std@@UEAA@XZ
??0ctype_base@std@@QEAA@_K@Z
?do_encoding@codecvt_base@std@@MEBAHXZ
?do_max_length@codecvt_base@std@@MEBAHXZ
??1codecvt_base@std@@UEAA@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??0codecvt_base@std@@QEAA@_K@Z
?_Getctype@_Locinfo@std@@QEBA?AU_Ctypevec@@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?id@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A
?_Getcat@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?put@?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QEBA?AV?$ostreambuf_iterator@DU?$char_traits@D@std@@@2@V32@AEAVios_base@2@DPEBUtm@@PEBD3@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?_Getfalse@_Locinfo@std@@QEBAPEBDXZ
?_Gettrue@_Locinfo@std@@QEBAPEBDXZ
??Bid@locale@std@@QEAA_KXZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
??Bios_base@std@@QEBA_NXZ
?good@ios_base@std@@QEBA_NXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?get@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QEBA?AV?$istreambuf_iterator@DU?$char_traits@D@std@@@2@V32@0AEAVios_base@2@AEAHPEAUtm@@PEBD4@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Getcat@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
_Mtx_unlock
_Thrd_join
_Xtime_get_ticks
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Throw_Cpp_error@std@@YAXH@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Xbad_alloc@std@@YAXXZ
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?id@?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@2V0locale@2@A
?_Winerror_map@std@@YAHH@Z
?_Xbad_function_call@std@@YAXXZ
?id@?$numpunct@D@std@@2V0locale@2@A
?_Xlength_error@std@@YAXPEBD@Z
?_Syserror_map@std@@YAPEBDH@Z
_Mtx_destroy_in_situ
_Mtx_lock
_Mtx_init_in_situ
_Cnd_do_broadcast_at_thread_exit
_Thrd_id
_Query_perf_counter
_Thrd_detach

d3d11

D3D11CreateDeviceAndSwapChain

winhttp

WinHttpOpen
WinHttpConnect
WinHttpWebSocketClose
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpQueryDataAvailable
WinHttpOpenRequest
WinHttpWebSocketSend
WinHttpWebSocketCompleteUpgrade
WinHttpReadData
WinHttpSendRequest
WinHttpSetOption
WinHttpCloseHandle
WinHttpWebSocketReceive

dbghelp

StackWalk64
ImageNtHeader
SymCleanup
SymGetModuleBase64
SymSetOptions
SymInitialize
SymGetLineFromAddr64
SymFunctionTableAccess64

d3dcompiler_47

D3DCompile

imm32

ImmGetContext
ImmReleaseContext
ImmSetCompositionWindow
ImmAssociateContextEx
ImmSetCandidateWindow

bcrypt

BCryptGenRandom

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memchr
memcmp
__intrinsic_setjmp
memset
memmove
memcpy
longjmp
_CxxThrowException
__std_exception_destroy
__std_exception_copy
strstr
__current_exception_context
__current_exception
__C_specific_handler
wcschr
strchr
strrchr
__std_terminate

api-ms-win-crt-heap-l1-1-0

malloc
_set_new_mode
_callnewh
realloc
calloc
free

api-ms-win-crt-math-l1-1-0

sqrtf
_fdclass
ldexp
_dclass
_dsign
_fdsign
_ldsign
ceilf
_fdopen
cosf
fmodf
__setusermatherr
powf
_ldclass
acosf
sinf

api-ms-win-crt-convert-l1-1-0

strtol
strtoll
strtoul
wcstombs
atoi
strtoull
strtod

api-ms-win-crt-runtime-l1-1-0

terminate
_errno
__sys_errlist
_beginthreadex
_register_onexit_function
__sys_nerr
system
_invalid_parameter_noinfo_noreturn
_configure_narrow_argv
_initialize_narrow_environment
_register_thread_local_exe_atexit_callback
_c_exit
_initialize_onexit_table
_exit
exit
_initterm_e
_initterm
_get_narrow_winmain_command_line
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
abort

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
_configthreadlocale
localeconv

api-ms-win-crt-stdio-l1-1-0

__p__commode
__stdio_common_vsprintf
_read
__stdio_common_vsscanf
_lseeki64
_write
fclose
fgets
fwrite
fputc
__stdio_common_vswprintf
fflush
fputs
fgetc
_fileno
_wopen
_close
_set_fmode
fgetpos
_wfopen
setvbuf
__acrt_iob_func
ungetc
fsetpos
ferror
fread
feof
fopen_s
_fseeki64
fseek
fopen
ftell
_get_stream_buffer_pointers

api-ms-win-crt-time-l1-1-0

_time64
_gmtime64
_mktime64
_localtime64
strftime

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_unlink
_wstat64
_wstat64i32
remove
_fstat64
_waccess
_lock_file

api-ms-win-crt-string-l1-1-0

strncmp
_strdup
strncpy
_wcsdup
wcspbrk
strcspn
strspn
wcsncpy
wcsncmp
strpbrk
strcmp

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-utility-l1-1-0

qsort

ws2_32

WSAStartup
gethostname
WSAGetLastError
getaddrinfo
socket
freeaddrinfo
getsockname
htonl
WSACleanup
accept
listen
getpeername
WSAEnumNetworkEvents
recvfrom
connect
WSACreateEvent
WSACloseEvent
closesocket
ntohs
recv
WSAIoctl
getsockopt
setsockopt
sendto
__WSAFDIsSet
bind
WSAWaitForMultipleEvents
select
send
WSASetLastError
ioctlsocket
WSAResetEvent
WSAEventSelect
htons
WSASetEvent

wldap32

ord142
ord216
ord145
ord41
ord14
ord147
ord79
ord27
ord26
ord127
ord46
ord117
ord301
ord219
ord208
ord133
ord73
ord167

crypt32

CertCloseStore
PFXImportCertStore
CertFindCertificateInStore
CertOpenStore
CryptStringToBinaryW
CryptDecodeObjectEx
CertGetCertificateChain
CertFreeCertificateChainEngine
CertAddCertificateContextToStore
CryptQueryObject
CertFreeCertificateChain
CertFindExtension
CertEnumCertificatesInStore
CertCreateCertificateChainEngine
CertFreeCertificateContext
CertGetNameStringW

Exports

Exports

curl_easy_cleanup
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_header
curl_easy_init
curl_easy_nextheader
curl_easy_pause
curl_easy_perform
curl_easy_recv
curl_easy_reset
curl_easy_send
curl_easy_setopt
curl_easy_strerror
curl_easy_unescape
curl_easy_upkeep
curl_escape
curl_formadd
curl_formfree
curl_formget
curl_free
curl_getdate
curl_getenv
curl_global_cleanup
curl_global_init
curl_global_init_mem
curl_global_sslset
curl_global_trace
curl_maprintf
curl_mfprintf
curl_mime_addpart
curl_mime_data
curl_mime_data_cb
curl_mime_encoder
curl_mime_filedata
curl_mime_filename
curl_mime_free
curl_mime_headers
curl_mime_init
curl_mime_name
curl_mime_subparts
curl_mime_type
curl_mprintf
curl_msnprintf
curl_msprintf
curl_multi_add_handle
curl_multi_assign
curl_multi_cleanup
curl_multi_fdset
curl_multi_get_handles
curl_multi_info_read
curl_multi_init
curl_multi_perform
curl_multi_poll
curl_multi_remove_handle
curl_multi_setopt
curl_multi_socket
curl_multi_socket_action
curl_multi_socket_all
curl_multi_strerror
curl_multi_timeout
curl_multi_wait
curl_multi_wakeup
curl_mvaprintf
curl_mvfprintf
curl_mvprintf
curl_mvsnprintf
curl_mvsprintf
curl_share_cleanup
curl_share_init
curl_share_setopt
curl_share_strerror
curl_slist_append
curl_slist_free_all
curl_strequal
curl_strnequal
curl_unescape
curl_url
curl_url_cleanup
curl_url_dup
curl_url_get
curl_url_set
curl_url_strerror
curl_ws_meta
curl_ws_recv
curl_ws_send

Sections

.text
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1002KB - Virtual size: 1002KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 69KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 67KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

92ecba7f234b4f04924cc76663ed7a0e

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

ole32

msvcp140

d3d11

winhttp

dbghelp

d3dcompiler_47

imm32

bcrypt

vcruntime140_1

vcruntime140

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-utility-l1-1-0

ws2_32

wldap32

crypt32

Exports

Exports

Sections

.text Size: 1.9MB - Virtual size: 1.9MB

.rdata Size: 1002KB - Virtual size: 1002KB

.data Size: 8KB - Virtual size: 12KB

.pdata Size: 69KB - Virtual size: 69KB

.rsrc Size: 67KB - Virtual size: 67KB

.reloc Size: 5KB - Virtual size: 5KB

.text
Size: 1.9MB - Virtual size: 1.9MB

.rdata
Size: 1002KB - Virtual size: 1002KB

.data
Size: 8KB - Virtual size: 12KB

.pdata
Size: 69KB - Virtual size: 69KB

.rsrc
Size: 67KB - Virtual size: 67KB

.reloc
Size: 5KB - Virtual size: 5KB