C:\Users\Administrator\Documents\Private Source\private\build\vcpkgsrv.pdb
Behavioral task
behavioral1
Sample
EAC_EOC/vcpkgsrv.exe
Resource
win7-20241010-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral2
Sample
EAC_EOC/vcpkgsrv.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
0 signatures
150 seconds
General
-
Target
EAC_EOC.rar
-
Size
2.4MB
-
MD5
dfe2a493d508c744e90ffa30481e1782
-
SHA1
c3f58ad5e0900790e3272403ee4ee09dbd8bde8d
-
SHA256
4af70dfaec69d22c1109d45c2b8ad8c534c616ee36bb4e0e764057d74a50db31
-
SHA512
7fc1eddda65c3282b59823f23aa4d286d0480c943362ba23c8a9af47f7078cbd4f1d3a0310eec7613662b288e26c6b0700f0db34253bb7dfc60195149f2d152c
-
SSDEEP
49152:+eiNwa+8Yyd0l6qI6FboWqG6fcPPjMCevndQYMjGtL5/7kic7CmSsSqsyWnhbTgz:+zia+NC0D1GObMCe/dnF/7kic7CmSs3P
Malware Config
Signatures
-
Detects RedTiger Stealer 14 IoCs
resource yara_rule sample redtigerv122 sample redtigerv22 sample redtiger_stealer_detection sample redtiger_stealer_detection_v2 sample staticSred sample staticred sample redtiger_stealer_detection_v1 static1/unpack001/EAC_EOC/vcpkgsrv.exe redtigerv122 static1/unpack001/EAC_EOC/vcpkgsrv.exe redtigerv22 static1/unpack001/EAC_EOC/vcpkgsrv.exe redtiger_stealer_detection static1/unpack001/EAC_EOC/vcpkgsrv.exe redtiger_stealer_detection_v2 static1/unpack001/EAC_EOC/vcpkgsrv.exe staticSred static1/unpack001/EAC_EOC/vcpkgsrv.exe staticred static1/unpack001/EAC_EOC/vcpkgsrv.exe redtiger_stealer_detection_v1 -
Redtiger family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource unpack001/EAC_EOC/vcpkgsrv.exe
Files
-
EAC_EOC.rar.rar
-
EAC_EOC/vcpkgsrv.exe.exe windows:6 windows x64 arch:x64
8ba991f00ea6c79b4793789414a126d9
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
kernel32
GetCurrentProcessId
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
SetProcessMitigationPolicy
GetSystemDirectoryA
VirtualAlloc
LocalAlloc
LocalFree
SwitchToFiber
ConvertThreadToFiber
WideCharToMultiByte
K32EnumProcesses
K32EnumProcessModules
K32GetModuleFileNameExA
K32GetModuleInformation
K32QueryWorkingSetEx
CreateFileW
GetLastError
HeapDestroy
InitializeSListHead
OutputDebugStringW
GetProcessHeap
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
GetConsoleWindow
SetConsoleTitleW
HeapAlloc
HeapReAlloc
HeapFree
HeapSize
InitializeCriticalSectionEx
DeleteCriticalSection
GetCurrentProcess
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
SetLastError
FormatMessageA
EnterCriticalSection
LeaveCriticalSection
SleepEx
VerifyVersionInfoA
GetTickCount
MoveFileExA
WaitForSingleObjectEx
MultiByteToWideChar
GetEnvironmentVariableA
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
MoveFileA
lstrcmpiW
LoadLibraryA
GetProcAddress
GetModuleHandleW
FreeLibrary
CreateThread
Sleep
DeviceIoControl
CloseHandle
Beep
DeleteFileA
GetStdHandle
QueryPerformanceFrequency
QueryPerformanceCounter
GlobalFree
CreateFileA
GetFileSizeEx
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
SleepConditionVariableSRW
GetCurrentThreadId
GetTickCount64
GetLocaleInfoEx
GetCurrentDirectoryW
CreateDirectoryW
SetUnhandledExceptionFilter
FindClose
FindFirstFileW
GetFileAttributesExW
AreFileApisANSI
GetFileInformationByHandleEx
WakeAllConditionVariable
UnhandledExceptionFilter
GetSystemTimeAsFileTime
GlobalLock
GlobalUnlock
GlobalAlloc
user32
SetClipboardData
GetClipboardData
EmptyClipboard
GetActiveWindow
GetKeyState
GetClientRect
SetCursorPos
SetCursor
GetCursorPos
ClientToScreen
ScreenToClient
LoadCursorW
DispatchMessageW
PeekMessageW
DestroyWindow
ShowWindow
CloseClipboard
SendInput
GetSystemMetrics
GetWindowRect
MessageBoxA
SetWindowLongW
OpenClipboard
SendMessageA
GetWindow
LoadIconW
GetDesktopWindow
d3d9
Direct3DCreate9Ex
msvcp140
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?setf@ios_base@std@@QEAAHHH@Z
??7ios_base@std@@QEBA_NXZ
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
?id@?$collate@D@std@@2V0locale@2@A
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Random_device@std@@YAIXZ
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?tolower@?$ctype@D@std@@QEBAPEBDPEADPEBD@Z
?tolower@?$ctype@D@std@@QEBADD@Z
??1facet@locale@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
?c_str@?$_Yarn@D@std@@QEBAPEBDXZ
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
_Strxfrm
_Strcoll
_Mtx_unlock
_Mtx_lock
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?id@?$ctype@D@std@@2V0locale@2@A
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Xbad_function_call@std@@YAXXZ
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?width@ios_base@std@@QEAA_J_J@Z
?width@ios_base@std@@QEBA_JXZ
??0_Lockit@std@@QEAA@H@Z
??1_Lockit@std@@QEAA@XZ
?uncaught_exceptions@std@@YAHXZ
?flags@ios_base@std@@QEBAHXZ
?good@ios_base@std@@QEBA_NXZ
?rdstate@ios_base@std@@QEBAHXZ
??Bios_base@std@@QEBA_NXZ
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Xout_of_range@std@@YAXPEBD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??Bid@locale@std@@QEAA_KXZ
?_Throw_Cpp_error@std@@YAXH@Z
_Thrd_detach
_Query_perf_frequency
_Query_perf_counter
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
imm32
ImmReleaseContext
ImmSetCompositionWindow
ImmGetContext
d3dx9_43
D3DXCreateTextureFromFileInMemoryEx
shlwapi
PathFindFileNameW
PathFindFileNameA
ntdll
RtlInitUnicodeString
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
VerSetConditionMask
winhttp
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpOpenRequest
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpOpen
WinHttpConnect
WinHttpCloseHandle
normaliz
IdnToAscii
wldap32
ord33
ord35
ord79
ord30
ord301
ord200
ord32
ord143
ord217
ord46
ord211
ord60
ord45
ord50
ord41
ord22
ord26
ord27
crypt32
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore
CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
ws2_32
recvfrom
sendto
gethostname
accept
ntohl
freeaddrinfo
getaddrinfo
closesocket
recv
send
WSAGetLastError
bind
connect
getpeername
getsockname
getsockopt
htons
ntohs
setsockopt
socket
WSASetLastError
WSAIoctl
WSAStartup
WSACleanup
select
htonl
listen
ioctlsocket
__WSAFDIsSet
rpcrt4
RpcStringFreeA
UuidToStringA
UuidCreate
userenv
UnloadUserProfile
vcruntime140
__std_exception_copy
__std_exception_destroy
_CxxThrowException
memcpy
memmove
memset
__std_terminate
strstr
memchr
strchr
memcmp
__C_specific_handler
strrchr
__current_exception
__current_exception_context
vcruntime140_1
__CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
__p___argc
exit
_exit
_initterm_e
_initterm
_get_initial_narrow_environment
system
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_invalid_parameter_noinfo_noreturn
abort
terminate
_beginthreadex
strerror
__sys_nerr
_getpid
_invalid_parameter_noinfo
_resetstkoflw
_errno
api-ms-win-crt-heap-l1-1-0
realloc
malloc
calloc
_callnewh
_set_new_mode
free
api-ms-win-crt-string-l1-1-0
_strdup
strncpy
isprint
isupper
strspn
strcspn
strpbrk
strcpy_s
strnlen
tolower
strncmp
strcmp
api-ms-win-crt-stdio-l1-1-0
feof
fputs
fopen
_close
fflush
fread
_write
fclose
_wfopen
fseek
ftell
fwrite
__stdio_common_vfprintf
__stdio_common_vsprintf
__stdio_common_vsprintf_s
__stdio_common_vsscanf
fsetpos
fputc
fgetpos
__acrt_iob_func
_read
ungetc
setvbuf
fgetc
_get_stream_buffer_pointers
_fseeki64
__p__commode
_popen
_pclose
fgets
_set_fmode
_open
_lseeki64
api-ms-win-crt-utility-l1-1-0
rand
srand
qsort
api-ms-win-crt-math-l1-1-0
ceilf
atan2f
asin
pow
powf
_dsign
atan2
sqrt
__setusermatherr
tanf
sqrtf
fmodf
sinf
floorf
cosf
api-ms-win-crt-convert-l1-1-0
strtoull
strtoll
strtod
atof
strtol
strtoul
atoi
api-ms-win-crt-filesystem-l1-1-0
_stat64
_access
_unlink
_fstat64
_lock_file
_unlock_file
api-ms-win-crt-locale-l1-1-0
localeconv
_configthreadlocale
___lc_codepage_func
api-ms-win-crt-time-l1-1-0
_localtime64_s
_gmtime64
_localtime64
_time64
strftime
api-ms-win-crt-multibyte-l1-1-0
_mbsstr
api-ms-win-crt-environment-l1-1-0
getenv
advapi32
CryptGenRandom
AdjustTokenPrivileges
OpenProcessToken
AllocateAndInitializeSid
FreeSid
GetLengthSid
GetSidLengthRequired
InitializeAcl
InitializeSecurityDescriptor
SetKernelObjectSecurity
SetSecurityDescriptorDacl
SetSecurityDescriptorSacl
LookupPrivilegeValueW
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptCreateHash
CryptHashData
CryptDestroyHash
SetEntriesInAclA
SetNamedSecurityInfoA
AddAccessAllowedAce
ConvertStringSidToSidA
GetTokenInformation
IsValidSid
GetUserNameA
CopySid
CryptEncrypt
CryptImportKey
CryptDestroyKey
ConvertSidToStringSidA
AddAccessDeniedAce
shell32
ShellExecuteA
Exports
Exports
Ethera_Antidll
Ethera_Check
Ethera_Execute_Function
Ethera_Getinput
Ethera_Print
Ethera_Protect
Ethera_Protect_Function
Ethera_Protect_Threads
Ethera_Thread
Ethera_Wait
Sections
.text Size: 4.5MB - Virtual size: 4.5MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 895KB - Virtual size: 895KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1.5MB - Virtual size: 1.5MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 38KB - Virtual size: 38KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 512B - Virtual size: 488B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ