Windows Analysis Report
rsatcustominstaller.exe

Overview

General Information

Sample name: rsatcustominstaller.exe
Analysis ID: 1432355
MD5: 6d4be5e22e929e1ccd92aee1c6ba0ab8
SHA1: ddfd50226023bcf38c5a4bd74ef16beff662351a
SHA256: 17fa37d97e956f579ef9a6642976f32151c1b8c13ad01f1db27889b66f207a61

Detection

Score: 20
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Changes the view of files in windows explorer (hidden files and folders)

Classification

Source: rsatcustominstaller.exe Static PE information: certificate valid
Source: rsatcustominstaller.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: rsatcustominstaller.pdbGCTL source: rsatcustominstaller.exe
Source: Binary string: rsatcustominstaller.pdb source: rsatcustominstaller.exe
Source: classification engine Classification label: sus20.evad.winEXE@1/0@0/0
Source: rsatcustominstaller.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\rsatcustominstaller.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: initial sample Static PE information: Valid certificate with Microsoft Issuer
Source: rsatcustominstaller.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: rsatcustominstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rsatcustominstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rsatcustominstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rsatcustominstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rsatcustominstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rsatcustominstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: rsatcustominstaller.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rsatcustominstaller.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rsatcustominstaller.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rsatcustominstaller.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rsatcustominstaller.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\rsatcustominstaller.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced Start_AdminToolsRoot
No contacted IP infos