Tool[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Tool.exe
Size

282KB
MD5

0656c8d8cd12f37f5b62edb858c0d155
SHA1

5bf0a85d1fa21ba0cf2b6e9e106e522a2bfe7f5a
SHA256

41cd34843a8f69ced567ca64ab2f1756b2723e1de993e1bff4592150c9dbdd04
SHA512

32a17995b3c6849087e5570a57afd1f379389513f6b6370f80e31b174b5dc2420eb8ec5b1d2f7f55237d7b5f6c0d12bde9355e436cb76274e6a4be0dcee3f606
SSDEEP

6144:XTwOaPkmc+i9J6LtvMiZ5NUM1W+KVirC9ctXRt:XTwO6kmchWMiZ5NUnlVirgcpRt

Score

7^/10

Malware Config

Signatures

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
sample	net_reactor

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Tool.exe

Files

Tool.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

DeadSec.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 232KB - Virtual size: 231KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 49KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ