Rebel[.]7z | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Rebel.7z
Size

8.0MB
MD5

06598c035db9cbdfd2577ded793b97a4
SHA1

e2de172829430cecc3dc35b6e37167f13e75b301
SHA256

ebf1f88870aadeb5f22a893b6670c6ac9aaccef37dad26317e000146e3cc8a41
SHA512

502c56f1c45ee81818c119266eb1e782acabd5dfe2bc7c34c7ec4bb1dae2cb4905a19a6a9b86f761a189d02e972b17a156758f3ed7757545353d4480142a0931
SSDEEP

98304:WXd9vCIRiRGhnMj5gm0y0BAdZouKmQbbjktSZyv3vPYdlQ89lc9uYPvANDntb4/6:UhnayBEAyfvPYdlQowtPvAVGHC

Score

3^/10

Malware Config

Signatures

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

Processes:

resource	yara_rule
static1/unpack001/Rebel/Bin/Rebel.dll	embeds_openssl

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/Rebel/Bin/Injector.exe
unpack001/Rebel/Bin/Rebel.dll
unpack001/Rebel/FastColoredTextBox.dll
unpack001/Rebel/RebelCracked.exe

Files

Rebel.7z
.7z

Password: Cracked
Rebel/Bin/Injector.exe
.exe windows:6 windows x64 arch:x64

Password: Cracked

076acaa656f74379ef1e60670f0fed54

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

WriteProcessMemory
GetSystemTimeAsFileTime
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

PostThreadMessageA
GetUserObjectInformationW
GetProcessWindowStation
GetUserObjectInformationW

advapi32

RegQueryValueExA

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_exception_copy

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vfprintf

api-ms-win-crt-runtime-l1-1-0

_register_onexit_function

api-ms-win-crt-heap-l1-1-0

malloc

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

wtsapi32

WTSSendMessageW

Exports

Exports

6��t��a�%��q'�?W�.(m�lH�� 5<g�RMm2%; (��|pP�s:OT>�9G+׃�X�)�&�% <��3��H<�R澋�m�b��+*c�x��EҮ��>��a%rW:7�H�=[}| ;��^1�gK�NE�-z�Qa��v��H �� C�RY�� }�� :�<.�Wˑ/�#EC.W��Kʰ�܃;��`e&�@6��M�ON3��ڟƨM4��7?�P�*�C'F>z:��&g�gI [n��ۉ!.(װ۬�8��7�u?˾Ї�� Y�9r&�O@B�\L\[��ȋ��3�]t�O�hH��/�0Z��L�4XT>X� ��i�<��|��͓�`GϖD��l`�G�.吵ѹ�Q�� rtri��y◧*��[�)�k��%�D�s�o��UE\��.��#ʏiK��b�2b��]�D��~0*��OUȕQ�9� p��C~��#��B��!>��s�.+�7֩��o�iE<ZgO�̸�M��J��7��P{�б�D��0;��@=k��kX��Ř�r�%�pM��1�]�{� �pc\��r ��O��XW��_��W��&��,O��w%��gNb.�+�M�"5�I��r%+��̔Mw.n��r��3�7<�9�rп9��a�P�o��֤��IO�!VO��b�Ld��L��L�c)��T�=�+�8�ۤ��+�Q$w��ᰙ�Ą}/��I�7x��3$c�� N(��s`�䢿�.��X[�9�s^��s�4$%��D��B��M' ϥ��N��+`^��i��g��,��2�[��F-4�k[Ƒ]F��LTjZa ��<�_�}Ƿx=��#�W�tF��(��y�se'E��7z�y�Ԕ� �k)��&&�;ߟ��k��a��qg،|��8�$9a��?_=��H��U��q�PTZ i4N�X��YR��3��h��Uvs>.�G��m^��]�T��}<��4��!�a��fgȆ��wЃ�?�]F��x.��#�{QO-B�߶Q��v��+�Å�@H)^-cS�J�8�J:�]`ӕ��-��D��dC��zgz��t�<k G��o�W��ym��P�S1b�;��V ƽ��H��]��h��'�`��i��0eI��G�U��Y�Z�t)D|f��A��S�7�WN��3BKj��o��>�<,� �b�}T�@��W�>㇋��9��Z2%��W��M"&�,�Th5�;*r8äl�cM�P�xM+7��L �t�Yc�pe��Ŝ�`5R֐�\�P<��4GN� v [L��)@뜑�H��1��W� G�.3N��.�F?fbߐ?�Y4}�M�=dm��%@b㪞,�J�q�x��V��&Eyp��te�`8��d�ˈA�Q>qy�`�rǴ#��ֺ��4|`��5{��T��Vp��)�wb ��q��ӷb�7X�F#�0��P��[��7��I~�ô��ul�]��F� � ��9��jVDε�0�3;��˸+��\�i��97�;��~��@^ ��]�18bqw��Gcw��e"N�K�.,��a׆(&�92�J��c@H��|��,ա[DBԈ?��V�ư��3�4��>�Վ�h��ps�)��&~4�A��y�E�F�^��^g�<Y�؉2��J�n�Uy��7�k�/]�y��L��X��&��Zm��<a��J��#�5mA6(�q&XDL oۘ��j�l�b@QF�}BD�d�9e��8�� z��c�)��8��t�k��A�=�,Jφ��*��p��x뒅�i~��#-�=��*��05��&�o�j��S�m��-/Az�X"tѸ�JX>�/�>H?��G@��iH�>VBO(DL�VS�;��O]��F�V��M�n9��o!e��k��s&�펖"��uQ|��!;��%��6�mqVp��3#f��@�>y�Bt�CøNmҖnÝb��~�$��I��a��7)�a�L .��*^��6i��6��ǁY��z�f�5��%��e��&Z��b%�ډ�W��m ��c�A��?.>xO*�ۺ�rF:/ԫ�Pa�KJw^TH��{��u͙A��>=�A]Ld"��8�� `@�]�<ډ}��I�6t�t(uPW&�=�.��;)��-�3��Sϋ$�'4ğ�Š�tX H�w^�Px��7�:��ԲJ\�� o2U�B�-){D4:�KQ��MO7��a��Zm�� X�e��{",�BwP�;� T�飖`7��J�ZL�h+�� 垘؆~��N��i`��n�F�I��l�@bǈ�G5�C2Ðy��:��>-f��u��E�S6s�zS:D��q��|��-"с�Z�?V.kM��Ӭ��-Н��rN�׏lkv��H#�P��D�%z��U3��G�W��su>W�Z{��Cx�K��:�AV6��Nڢ��l�ac3<뎃fD�M/��d�D�?:�v��Oy4��Gf�~`#�>_/��]�)��,��e��sX�vA>�HMN�4��p��b"1�ܴ�E�v�ٶ#mYW�V�/��A��Y�F��b��hv��g5N�C��egy^��,�F��*9[�GcH@��1��wn��9`q"-ԋ=�W��G��͕��~��>��i��B5k�X��V��F�n��8?ʂc�뿉�ztrGg��s�8q��7��;X��{ɍ��:�:��8��S��3�BnL�.�ȁ��S=��|�z��,>� ��Ijr��R�$��E��,t0��rY+��<�W}=�!I�,��z��T�U�

Sections

.text
Size: - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 588B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.acedia0
Size: - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.acedia1
Size: 4.8MB - Virtual size: 4.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 469B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Rebel/Bin/Rebel.dll
.dll windows:6 windows x64 arch:x64

Password: Cracked

5dbd05d0457a91e7c32b011f85e7842c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Users\Nezy\Desktop\Rebel-Mod\x64\Release\Rebel.pdb

Imports

user32

keybd_event
GetProcessWindowStation
GetUserObjectInformationW

ws2_32

shutdown

crypt32

CertGetCertificateContextProperty

advapi32

CryptDecrypt

kernel32

GetFileAttributesExW
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

msvcp140

?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z

bcrypt

BCryptGenRandom

vcruntime140_1

__CxxFrameHandler4

vcruntime140

_CxxThrowException

api-ms-win-crt-runtime-l1-1-0

_initterm_e

api-ms-win-crt-math-l1-1-0

floor

api-ms-win-crt-convert-l1-1-0

atoi

api-ms-win-crt-heap-l1-1-0

_callnewh

api-ms-win-crt-stdio-l1-1-0

fflush

api-ms-win-crt-string-l1-1-0

strcpy_s

api-ms-win-crt-time-l1-1-0

_difftime64

api-ms-win-crt-utility-l1-1-0

srand

api-ms-win-crt-filesystem-l1-1-0

_stat64

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-multibyte-l1-1-0

_mbspbrk

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func

Exports

Exports

callback

Sections

.text
Size: 3.8MB - Virtual size: 3.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1004KB - Virtual size: 1003KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 27KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 143KB - Virtual size: 143KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.acedia0
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.acedia1
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 42KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 233B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Rebel/FastColoredTextBox.dll
.dll windows:4 windows x86 arch:x86

Password: Cracked

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

D:\Projects_CSharp\FastColoredTextBox\FastColoredTextBox\obj\Debug\FastColoredTextBox.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 320KB - Virtual size: 320KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rebel/FastColoredTextBox.xml
.xml
Rebel/ReadMe.txt
Rebel/RebelCracked.exe
.exe windows:4 windows x86 arch:x86

Password: Cracked

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 151KB - Virtual size: 151KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rebel/System.CodeDom.dll
.dll windows:4 windows x86 arch:x86

Password: Cracked

dae02f32a21e03ce65412f6e56942daa

Code Sign

33:00:00:03:7c:c9:f6:bc:ed:07:59:ae:08:00:00:00:00:03:7c
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

11-05-2023 19:03

Not After

08-05-2024 19:03

Subject

CN=.NET,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08-07-2011 20:59

Not After

08-07-2026 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

87:e1:77:0b:a1:e0:aa:d7:46:49:65:d7:07:3c:14:3f:a3:84:a8:14:c6:a8:32:6f:ce:06:e0:61:56:a3:c7:e7
Signer

Actual PE Digest

87:e1:77:0b:a1:e0:aa:d7:46:49:65:d7:07:3c:14:3f:a3:84:a8:14:c6:a8:32:6f:ce:06:e0:61:56:a3:c7:e7

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

/_/artifacts/obj/System.CodeDom/Release/net462/System.CodeDom.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Rebel/System.CodeDom.xml

Sharing

General

Malware Config

Signatures

Files

Password: Cracked

Password: Cracked

076acaa656f74379ef1e60670f0fed54

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

wtsapi32

Exports

Exports

Sections

.text Size: - Virtual size: 10KB

.rdata Size: - Virtual size: 7KB

.data Size: - Virtual size: 1KB

.pdata Size: - Virtual size: 588B

.acedia0 Size: - Virtual size: 3.1MB

.acedia1 Size: 4.8MB - Virtual size: 4.8MB

.rsrc Size: 512B - Virtual size: 469B

Password: Cracked

5dbd05d0457a91e7c32b011f85e7842c

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

user32

ws2_32

crypt32

advapi32

kernel32

msvcp140

bcrypt

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-multibyte-l1-1-0

api-ms-win-crt-locale-l1-1-0

Exports

Exports

Sections

.text Size: 3.8MB - Virtual size: 3.8MB

.rdata Size: 1004KB - Virtual size: 1003KB

.data Size: 27KB - Virtual size: 38KB

.pdata Size: 143KB - Virtual size: 143KB

.acedia0 Size: 1.4MB - Virtual size: 1.4MB

.acedia1 Size: 2.1MB - Virtual size: 2.1MB

.reloc Size: 42KB - Virtual size: 42KB

.rsrc Size: 512B - Virtual size: 233B

Password: Cracked

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

.text
Size: - Virtual size: 10KB

.rdata
Size: - Virtual size: 7KB

.data
Size: - Virtual size: 1KB

.pdata
Size: - Virtual size: 588B

.acedia0
Size: - Virtual size: 3.1MB

.acedia1
Size: 4.8MB - Virtual size: 4.8MB

.rsrc
Size: 512B - Virtual size: 469B

.text
Size: 3.8MB - Virtual size: 3.8MB

.rdata
Size: 1004KB - Virtual size: 1003KB

.data
Size: 27KB - Virtual size: 38KB

.pdata
Size: 143KB - Virtual size: 143KB

.acedia0
Size: 1.4MB - Virtual size: 1.4MB

.acedia1
Size: 2.1MB - Virtual size: 2.1MB

.reloc
Size: 42KB - Virtual size: 42KB

.rsrc
Size: 512B - Virtual size: 233B

.text
Size: 320KB - Virtual size: 320KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 151KB - Virtual size: 151KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

33:00:00:03:7c:c9:f6:bc:ed:07:59:ae:08:00:00:00:00:03:7c
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

87:e1:77:0b:a1:e0:aa:d7:46:49:65:d7:07:3c:14:3f:a3:84:a8:14:c6:a8:32:6f:ce:06:e0:61:56:a3:c7:e7
Signer

.text
Size: 17KB - Virtual size: 16KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B