rlm[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

rlm.exe
Size

2.8MB
MD5

5ad4209e9662db9d64f5a27029169e8d
SHA1

a21f98dbe94c8eb4adeeeaed910d31f09376b34a
SHA256

2cc71d7298cd92980cee10d511b7b25bd240f0eb6c60474229cf788d43cc49b5
SHA512

58ec0781ff13c60cc19c0eb913fab14c36012b9da6844d0ec5c252cd91ebb59fd85f28ceaa8b050fcdc0755c19f3f5276bfde14a84416a8f6a25bbfadb2d2893
SSDEEP

49152:k2AnOhWTQvwBKJujr1o6+1TlZD8NKoqyzcVm+n+dbkFvpcLoK/gt5:k2AnrYwBnD+7ZI8+Kvp7

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
rlm.exe

Files

rlm.exe
.exe windows:6 windows x64 arch:x64

1de52c46abc3793fc48e356638ddf559

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

iphlpapi

GetAdaptersAddresses

ws2_32

bind
accept
__WSAFDIsSet
getsockopt
closesocket
connect
gethostbyname
ioctlsocket
freeaddrinfo
getaddrinfo
WSAStringToAddressA
shutdown
htons
ntohl
WSACleanup
ntohs
gethostname
gethostbyaddr
inet_addr
WSAAddressToStringA
WSAGetLastError
WSAStartup
socket
setsockopt
sendto
send
select
recvfrom
recv
listen
getsockname
getpeername

advapi32

InitializeAcl
CloseServiceHandle
CreateServiceA
DeleteService
OpenSCManagerA
OpenServiceA
QueryServiceStatus
RegisterServiceCtrlHandlerA
SetServiceStatus
StartServiceCtrlDispatcherA
ReportEventW
RegisterEventSourceW
DeregisterEventSource
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
ChangeServiceConfig2A
CreateWellKnownSid
AddAccessAllowedAceEx
GetUserNameW

user32

MessageBoxW
GetDesktopWindow
GetUserObjectInformationW
GetProcessWindowStation
GetSystemMetrics

kernel32

FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
CreateDirectoryW
ReadConsoleW
GetFileSizeEx
DeleteFileW
MoveFileExW
SetStdHandle
FlushFileBuffers
GetFileAttributesExW
SetFileAttributesW
GetCPInfo
FindFirstFileExW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetStringTypeW
WriteConsoleW
GetCommandLineW
GetModuleFileNameW
GetConsoleMode
GetConsoleOutputCP
SetFilePointerEx
SetEndOfFile
FindClose
FindFirstFileW
FindNextFileW
GetFileAttributesW
SetLastError
Sleep
GetSystemTimeAsFileTime
GetTickCount
MultiByteToWideChar
WideCharToMultiByte
SetEvent
GetModuleFileNameA
FindFirstFileA
FindNextFileA
GetCommandLineA
GetLastError
WaitForSingleObject
CreateEventA
CreateThread
ExitThread
GetStdHandle
CreateProcessW
CreateSemaphoreA
GetVersionExA
CloseHandle
CreateProcessA
ReleaseSemaphore
CreateFileA
GetVolumeInformationA
DeviceIoControl
GetFileAttributesA
GetFileInformationByHandle
CreateDirectoryA
GlobalFree
GetFileType
GetCurrentThreadId
GetVersion
QueryPerformanceCounter
GetCurrentProcessId
GetVersionExW
FreeLibrary
GetProcAddress
GlobalMemoryStatus
LoadLibraryW
LocalFree
LocalAlloc
CreateMutexA
ReleaseMutex
FormatMessageA
GetEnvironmentVariableA
LoadLibraryA
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
DeleteCriticalSection
TlsSetValue
TlsGetValue
TlsAlloc
SystemTimeToFileTime
GetSystemTime
FileTimeToSystemTime
GetCurrentProcess
TlsFree
HeapFree
GetProcessHeap
HeapAlloc
GetModuleHandleA
ReadFile
WriteFile
GetFileSize
GetLocalTime
SetErrorMode
HeapReAlloc
SearchPathA
OpenSemaphoreA
FreeLibraryAndExitThread
ResumeThread
GetTimeZoneInformation
GetFullPathNameW
UnlockFileEx
LockFileEx
GetExitCodeProcess
GetCurrentDirectoryW
SetCurrentDirectoryW
SetEnvironmentVariableW
GetModuleHandleExW
ExitProcess
SetConsoleCtrlHandler
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetDriveTypeW
CreateFileW
RtlUnwind
LoadLibraryExW
InitializeCriticalSectionAndSpinCount
EncodePointer
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlPcToFileHeader
RaiseException
RtlUnwindEx
HeapSize

shell32

SHGetSpecialFolderPathA

winhttp

WinHttpGetDefaultProxyConfiguration
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
WinHttpOpen

ole32

CoCreateInstance
CoUninitialize
CoInitializeEx
CoInitializeSecurity
CoSetProxyBlanket

oleaut32

VariantClear
SysFreeString
SysAllocString

Sections

.text
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 302KB - Virtual size: 301KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 261KB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 476B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 688B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1de52c46abc3793fc48e356638ddf559

Headers

DLL Characteristics

File Characteristics

Imports

iphlpapi

ws2_32

advapi32

user32

kernel32

shell32

winhttp

ole32

oleaut32

Sections

.text Size: 2.1MB - Virtual size: 2.1MB

.rdata Size: 302KB - Virtual size: 301KB

.data Size: 261KB - Virtual size: 1.4MB

.pdata Size: 76KB - Virtual size: 76KB

_RDATA Size: 512B - Virtual size: 476B

.rsrc Size: 1024B - Virtual size: 688B

.reloc Size: 15KB - Virtual size: 15KB

.text
Size: 2.1MB - Virtual size: 2.1MB

.rdata
Size: 302KB - Virtual size: 301KB

.data
Size: 261KB - Virtual size: 1.4MB

.pdata
Size: 76KB - Virtual size: 76KB

_RDATA
Size: 512B - Virtual size: 476B

.rsrc
Size: 1024B - Virtual size: 688B

.reloc
Size: 15KB - Virtual size: 15KB