Windows Analysis Report
Royalistic.exe
Overview
General Information
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- Royalistic.exe (PID: 5700 cmdline: C:\Users\user\Desktop\Royalistic.exe MD5: D14335F61C99A9B8A2D5E87CDF83CDD0)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security | |
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
AV Detection | |
---|---|
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | String found in binary or memory: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Process Stats: |
Source: | ReversingLabs: |
Source: | Virustotal: |
Source: | File read: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Key value queried: |
Source: | Code function: |
Source: | File created: |
Source: | File created: |
Source: | File written: |
Source: | Classification label: |
Source: | Code function: |
Source: | File read: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Binary string: |
Source: | Binary string: |
Data Obfuscation | |
---|---|
Source: | File source: |
Source: | File source: |
Source: | Static PE information: |
Source: | Code function: |
Source: | File created: |
Source: | File created: |
Source: | File created: |
Source: | File created: |
Source: | Process information set: |
Malware Analysis System Evasion | |
---|---|
Source: | RDTSC instruction interceptor: |
Source: | Dropped PE file which has not been started: |
Source: | Dropped PE file which has not been started: |
Source: | Dropped PE file which has not been started: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Source: | API call chain: |
Source: | API call chain: |
Source: | Code function: |
Source: | Code function: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Native API | Path Interception | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Timestomp | Security Account Manager | 13 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 26% | ReversingLabs | Win32.Trojan.Generic | |
| 51% | Virustotal | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | ReversingLabs | | |
| 0% | Virustotal | | |
| 0% | ReversingLabs | | |
| 0% | Virustotal | | |
| 0% | ReversingLabs | | |
| 0% | Virustotal | | |
| 0% | ReversingLabs | | |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
| 100% | Avira | HEUR/AGEN.1223491 | | |
| 100% | Avira | HEUR/AGEN.1223491 | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | URL Reputation | safe | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | |
| | | | unknown |
| | false | | high |
| | false | | high |
| | false | | high |
Joe Sandbox Version: | 37.0.0 Beryl |
Analysis ID: | 828570 |
Start date and time: | 2023-03-17 10:37:08 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 9m 33s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | Royalistic.exe |
Detection: | MAL |
Classification: | mal68.troj.evad.winEXE@1/16@0/0 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
- Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
- Not all processes were analyzed; the report is missing behavior information
Process: | C:\Users\user\Desktop\Royalistic.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 11776 |
Entropy (8bit): | 6.024446974480565 |
Encrypted: | false |
SSDEEP: | 192:Vm9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:QJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j |
MD5: | E23600029D1B09BDB1D422FB4E46F5A6 |
SHA1: | 5D64A2F6A257A98A689A3DB9A087A0FD5F180096 |
SHA-256: | 7342B73593B3AA1B15E3731BFB1AFD1961802A5C66343BAC9A2C737EE94F4E38 |
SHA-512: | C971F513142633CE0E6EC6A04C754A286DA8016563DAB368C3FAC83AEF81FA3E9DF1003C4B63D00A46351A9D18EAA7AE7645CAEF172E5E1D6E29123AB864E7AC |
Malicious: | false |
Antivirus: | |
Reputation: | moderate, very likely benign file |
Process: | C:\Users\user\Desktop\Royalistic.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 263441 |
Entropy (8bit): | 7.470128360205037 |
Encrypted: | false |
SSDEEP: | 6144:gW2L2lxw6CfR2hGhddAkBtTCNwQn4Sp5U2JvkCmLO6ta4Rh40FdmxMDoOz:gMHw9SGh1D6ndCtLO6s4R2eOMTz |
MD5: | ED053E4B81682B3CEF98A00C188F9191 |
SHA1: | 7824184CA7B4588B9665CF5D6ECDF3E6A20820C7 |
SHA-256: | 64A7608273D8284E67F338F8B77230B0EF14C342747CE6C3F8792F567BC99498 |
SHA-512: | 51C4089DE4328B5C37B759CF98FCDE4838C67413CF0F0EE8EB1D9CD6BB129A41C686BEC3DD424B553725C84787671FAE3F9E037C436E8D7D5B8F28F7D42CBE7D |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Affaldsproblem\x-office-spreadsheet.png
Process: | C:\Users\user\Desktop\Royalistic.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 546 |
Entropy (8bit): | 6.786347340342328 |
Encrypted: | false |
SSDEEP: | 12:6v/7X0ZKjCVdCyXM8OYSd/AuKoOjTOH6BMLHEMA:C0oCDMUaAutUTQ60HED |
MD5: | D4AEA6CA7A8B03C62C36FF2AEBE20C6C |
SHA1: | F0BB798B40E4CA170ECFBD72161EF7796B58B444 |
SHA-256: | EC1222609F69FE70F55C1817535B0138A295EB7C71CCC443D7B3ACAA44537B5B |
SHA-512: | 9912AC7388A0138E809D8E25F4EE90B5952D8B4063969A79BCEB2C5E8A312878897BEF56FF3BBB0185A815262C343984D9C3113B5B5C2D0069716891110A0DFD |
Malicious: | false |
Reputation: | low |
C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Forhastelse\Kommandjsr\api-ms-win-core-processthreads-l1-1-1.dll
Process: | C:\Users\user\Desktop\Royalistic.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 19208 |
Entropy (8bit): | 7.005927948691754 |
Encrypted: | false |
SSDEEP: | 384:dtUDfIeFrW1hWC5OZkum0GftpBjVzm3Sx56lgCoha6LDF:dteFuJoVijz1HB |
MD5: | D699333637DB92D319661286DF7CC39E |
SHA1: | 0BFFB9ED366853E7019452644D26E8E8F236241B |
SHA-256: | FE760614903E6D46A1BE508DCCB65CF6929D792A1DB2C365FC937F2A8A240504 |
SHA-512: | 6FA9FF0E45F803FAF3EB9908E810A492F6F971CB96D58C06F408980AB40CBA138B52D853AA0E3C68474053690DFAFA1817F4B4C8FB728D613696B6C516FA0F51 |
Malicious: | false |
Antivirus: | |
Reputation: | moderate, very likely benign file |
C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Forhastelse\Kommandjsr\api-ms-win-crt-stdio-l1-1-0.dll
Process: | C:\Users\user\Desktop\Royalistic.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 24328 |
Entropy (8bit): | 6.867867660778997 |
Encrypted: | false |
SSDEEP: | 384:/ZpFVhHW1hWxgYBm0GftpBjMm3SNlndaYhpn3p:boEVi6DBp |
MD5: | D5166AB3034F0E1AA679BFA1907E5844 |
SHA1: | 851DD640CB34177C43B5F47B218A686C09FA6B4C |
SHA-256: | 7BCAB4CA00FB1F85FEA29DD3375F709317B984A6F3B9BA12B8CF1952F97BEEE5 |
SHA-512: | 8F2D7442191DE22457C1B8402FAAD594AF2FE0C38280AAAFC876C797CA79F7F4B6860E557E37C3DBE084FE7262A85C358E3EEAF91E16855A91B7535CB0AC832E |
Malicious: | false |
Antivirus: | |
Reputation: | moderate, very likely benign file |
C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Forhastelse\Kommandjsr\drive-multidisk.png
Process: | C:\Users\user\Desktop\Royalistic.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 569 |
Entropy (8bit): | 7.482468865601557 |
Encrypted: | false |
SSDEEP: | 12:6v/7QkFqDaHfvZFpa7O/oH5kGxVI7F2bk7jv0E1YpA0sVrgY:x8qeH7MQ+px2qqj5Y60mr7 |
MD5: | B0C0FEE6A573A2776A013307457B6556 |
SHA1: | 95157DA2FAD0902832E25CBEBE3EE4E58C265346 |
SHA-256: | 1A41F703735FD48EE79E423993B2C6695E326269F7A61304DFF4796F59977FF2 |
SHA-512: | 28CDDB1071E69145AC1845EC573618EC6268FDEF795B0F3638EB1DEC834C8FE0FC65517D9ED784F81F67535F25333FC986BD9C9B3AAB73BCE4C42837C81E168C |
Malicious: | false |
C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Konini\Firsaarsfdselsdage\Whorehouse\Faithworthy\System.Xml.XmlDocument.dll
Process: | C:\Users\user\Desktop\Royalistic.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 16024 |
Entropy (8bit): | 6.768484247043723 |
Encrypted: | false |
SSDEEP: | 384:EVgGf2BiWOsWql//uPHRN7/2WF//dJR9ztBcvM:EVgGL4lXM/2WF//dj9zUvM |
MD5: | 1FED3E9E68967F0903F43CF955EC8EAE |
SHA1: | DA9D98424E2BB2AE625E9EBEBD90AD4B7F007CA4 |
SHA-256: | B861237F55766E286E7008AC4B1E5CE88E88FDF7741EF9C6B00540E1765390F3 |
SHA-512: | F030383C4D933EC13EE1E892654AEEFD5C722BE25461472639DF49FA0E165AC470BFB901A0A062CA145A6B693C607E279CDBA2A144E62A5B9D2FD6E999943364 |
Malicious: | false |
Antivirus: | |
C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Konini\Firsaarsfdselsdage\Whorehouse\Faithworthy\accessories-dictionary.png
Process: | C:\Users\user\Desktop\Royalistic.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 639 |
Entropy (8bit): | 7.594477595602655 |
Encrypted: | false |
SSDEEP: | 12:6v/7xXsWeAITRagJSezSlTm4IpuXLJNux3NdHbvHR+d0FKHrHPnwF4LWbf7H:wINVSo4gud4NxbvxI0erv04Lcf7H |
MD5: | B8367F3483C54EFE19D1426A98402829 |
SHA1: | F9E9A067BFE5F2A3A4AE1C93D519B8B8792719C9 |
SHA-256: | 0791574192B5767D904619B1F6BB30B3A5101FBD51F8C259C2CFFF078C7ECECD |
SHA-512: | A4C0E3D1CAA4A828B9160D4936F5E11E42AFE00A9A611A0814884BBA9E18A691D16B142F5A23E2AEE11708C72AADAAB78F19733E1E541BD19E64437AC6E43AED |
Malicious: | false |
C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Laboratories53\x-office-address-book-symbolic.svg
Process: | C:\Users\user\Desktop\Royalistic.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2059 |
Entropy (8bit): | 5.063551723274034 |
Encrypted: | false |
SSDEEP: | 24:t4CpYL7IyKbRAecFxMGMaMlF6Yi36fRMTXoUfQBjWIu4IZ715ByKbRAecFxMGMM:fNtAecFJM/FiqfQpQipvBNtAecFJMM |
MD5: | 5447BF4EF18181AA69BEC4978E312549 |
SHA1: | 4843AA2388FE80EE474F399061C6FDBB547BC2BA |
SHA-256: | EC1CDEAD87BAD12FACA206F03D6748ED11F3A50FF32E8AD341BD44A3A44D6075 |
SHA-512: | 611A25E6FE93CFA74DF01200914D730BB608B6EB05BDB8E77F13416800B45468D4067C8516C734B8C602EF4EFEF4B90D045B7456AA2BAF243526C8145BBA3D4D |
Malicious: | false |
C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Mitheithel\Homoplasy\Wice\AMD.Power.Processor.ppkg
Process: | C:\Users\user\Desktop\Royalistic.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1245 |
Entropy (8bit): | 5.462849750105637 |
Encrypted: | false |
SSDEEP: | 24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5 |
MD5: | 5343C1A8B203C162A3BF3870D9F50FD4 |
SHA1: | 04B5B886C20D88B57EEA6D8FF882624A4AC1E51D |
SHA-256: | DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F |
SHA-512: | E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949 |
Malicious: | false |
C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Paleograph\Statuskonto\Gusting\folder-new-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\Royalistic.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 200 |
Entropy (8bit): | 6.353867134664978 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPys1AhcwQnKFxLsaV0MSFw6YB1L5jp:6v/7RgFKBE1L5N |
MD5: | B1E1142D7EF33AD94E80A7394C036540 |
SHA1: | D05408C3B4360DE12D0B7A1CCB04A27E946FD517 |
SHA-256: | 9572648AC9CA12A253EFBFB3DB0160C56CBFAAC3157779285642FAEB1D86CA94 |
SHA-512: | 18AC511A1916E99780BAB5D3CEDBCA816932D88A4230F8FFADE5C17DBF1511840033D5A05322B0AA3EE4D30A9105D2F211C84C46DDFAAA71008444669CB65A3F |
Malicious: | false |
C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Paleograph\Statuskonto\Gusting\folder-templates-symbolic.svg
Process: | C:\Users\user\Desktop\Royalistic.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 963 |
Entropy (8bit): | 5.12784027591558 |
Encrypted: | false |
SSDEEP: | 24:t4CptM48A8A8F+yEcGZrGF19XQzyKbRAecFxMGM7:B8A8A8F+yEcGYFmNtAecFJM7 |
MD5: | F5A69E814CB5E7713E3C624942DE1DA5 |
SHA1: | 2919A07D2792295111CF54AF23742CEE14337B10 |
SHA-256: | 06D97F580D3709C0EA0E2705425C621A17FF97CF3A449B468D2976BA0D55EFEB |
SHA-512: | ABC0F7671B316DC01152253639319BED058C20D4E8C56F6D23B67AF6584F39E5F3191D97FD8F135C259E5BD7FE032939528A93029D747061500DFAE14C135D55 |
Malicious: | false |
C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Paleograph\Statuskonto\Gusting\printer-printing-symbolic.svg
Process: | C:\Users\user\Desktop\Royalistic.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 295 |
Entropy (8bit): | 4.922153835627764 |
Encrypted: | false |
SSDEEP: | 6:tI9mc4slzcWER4W6UmUuksJtjdU0tytlN8uFWOXM2KchvXa7BGl0/:t4CDqW6zUmjW0ktl+sd1a7BM0/ |
MD5: | 611C311204F39AB0E7F3CC8A0264246A |
SHA1: | 9E4A3BEA0DE6D11491E5AA69A61E1FF051D79DED |
SHA-256: | 1E6C4120B833698852CF451D0B5F8FCA83CD5591EA73EBC3C918547B67FBEB34 |
SHA-512: | 919628653C7441CC4F82C7177D5A6EBBB86686A4E15435A21201B1D77B325808435323FA9FF906E6DB4D612ACEB1C00AC89B0571181D1F521636943EFE25EEF0 |
Malicious: | false |
C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Paleograph\Statuskonto\Gusting\screen-shared-symbolic.symbolic.png
Process: | C:\Users\user\Desktop\Royalistic.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 254 |
Entropy (8bit): | 6.643831924508014 |
Encrypted: | false |
SSDEEP: | 6:6v/lhPysJ/dh3z6yXtAMoWACcF/byM2TnmLzU/Jqj84up:6v/7p/dh7tfbAC0uM2ygR94c |
MD5: | 0DFD6D9ADF93297702595FA9A5D9A7AF |
SHA1: | 23A4AAE7E34232870AACF6B48B24377EA16519C6 |
SHA-256: | 8CB87F7A9BFFD886E5931B865AB5731DF7CDD7D2768DA05808FE2D40027ED9C1 |
SHA-512: | 880643F4BFD6F660B272EE93D38EE2513F26197053E41DF4AFE3FEC77FDBC0A087B295256451A1FB83ABAC594E6A0A585C2619D3DD400AF1DB49035E23FE555F |
Malicious: | false |
C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Stinkbranden\Middagsselskaber\AsMultiLang.ini
Process: | C:\Users\user\Desktop\Royalistic.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 398 |
Entropy (8bit): | 4.737590272626814 |
Encrypted: | false |
SSDEEP: | 6:SIMYmm7jVYNEiJuXLIM/Cnjkq5cKYAbSJ94r1WR0rD1pulzV+ML6JyMx:SI0m7pYNEiJuXLIM6hcKc6curfQzxOf |
MD5: | D96836E1DD4D151DA0687D7251B528DB |
SHA1: | CCF444F32EDE194FCDE18BB32EBFCCF921E7CB30 |
SHA-256: | C013CFD743455DFFDBB614EA966EEC32977D7CBF096DD4A95081E7A650E8E6B9 |
SHA-512: | 2442D9289CD7E741FF74DD99BEF39EBA7562B94DC153C3C4C4F7642455FFB0879330BC0C59B888F39A352C1C58418995F8AA319FB3BBA110B57FF7EE0A8751EF |
Malicious: | false |
C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Stinkbranden\Middagsselskaber\PSReadline.psd1
Process: | C:\Users\user\Desktop\Royalistic.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1245 |
Entropy (8bit): | 5.462849750105637 |
Encrypted: | false |
SSDEEP: | 24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5 |
MD5: | 5343C1A8B203C162A3BF3870D9F50FD4 |
SHA1: | 04B5B886C20D88B57EEA6D8FF882624A4AC1E51D |
SHA-256: | DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F |
SHA-512: | E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949 |
Malicious: | false |
File type: | |
Entropy (8bit): | 7.493705345043699 |
TrID: | |
File name: | Royalistic.exe |
File size: | 385376 |
MD5: | d14335f61c99a9b8a2d5e87cdf83cdd0 |
SHA1: | f82f3481619be8f9f11d76638db3107b1d332912 |
SHA256: | 08cabec4d0127fb3e6530b04448cb3539c2b8f28988e60499c2dbbfe475206df |
SHA512: | 9d94b9bc836b9bb292b4e2b0ef83f1632fceb712bf60bdb3127ffaca3b4c2dcbe4aeb3f5ad3c712a47111d81c650b1a44a55e0e26f0f3f83e6727f8556d11ea2 |
SSDEEP: | 6144:hGemq9vVMEHIx0Sc149PSjEeUlbojewwn1QuMQylhWsqfXatqMFJZV2H4ktcA8a:hmK9MNx0Sc149KAeyyeZ1QiyeVX8zHYX |
TLSH: | E384F121F128BCCAD60358F01DBDA61051E5DFED80D5450D6ABA328994F239778AFF2E |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................f....... ...3............@ |
Icon Hash: | 0355ccaeb2fe5500 |
Entrypoint: | 0x4033b3 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x614F9D8B [Sat Sep 25 22:07:07 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 5f0c714c36e6cc016b3a1f4bc86559e4 |
Signature Valid: | false |
Signature Issuer: | E=squeaked@Dipsas.Ge, OU="Skumringstimes subhalid Cocitizen ", O=Alveolariform, L=Saint-Georges-de-Luzençon, S=Occitanie, C=FR |
Signature Validation Error: | A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider |
Error Number: | -2146762487 |
Not Before, Not After | |
Subject Chain | |
Version: | 3 |
Thumbprint MD5: | 7AB231DCE5C6FFAD69D73B26E510B330 |
Thumbprint SHA-1: | 78B2E08127E635C646392C64AE8048CE0274B9EB |
Thumbprint SHA-256: | D5FDEC97888AB854DBF29C2F3CDDD20DE4CEEBF3C0264DBC1620ACC59A819E35 |
Serial: | 6A4A99A1737DDB2714130F7ACA2C5BCFD03D4200 |
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 00000220h |
push esi |
push edi |
xor edi, edi |
push 00008001h |
mov dword ptr [ebp-10h], edi |
mov dword ptr [ebp-04h], 0040A198h |
mov dword ptr [ebp-08h], edi |
mov byte ptr [ebp-0Ch], 00000020h |
call dword ptr [004080B8h] |
mov esi, dword ptr [004080BCh] |
lea eax, dword ptr [ebp-000000C0h] |
push eax |
mov dword ptr [ebp-000000ACh], edi |
mov dword ptr [ebp-2Ch], edi |
mov dword ptr [ebp-28h], edi |
mov dword ptr [ebp-000000C0h], 0000009Ch |
call esi |
test eax, eax |
jne 00007FEA38B584B1h |
lea eax, dword ptr [ebp-000000C0h] |
mov dword ptr [ebp-000000C0h], 00000094h |
push eax |
call esi |
cmp dword ptr [ebp-000000B0h], 02h |
jne 00007FEA38B5849Ch |
movsx cx, byte ptr [ebp-0000009Fh] |
mov al, byte ptr [ebp-000000ACh] |
sub ecx, 30h |
sub al, 53h |
mov byte ptr [ebp-26h], 00000004h |
neg al |
sbb eax, eax |
not eax |
and eax, ecx |
mov word ptr [ebp-2Ch], ax |
cmp dword ptr [ebp-000000B0h], 02h |
jnc 00007FEA38B58494h |
and byte ptr [ebp-26h], 00000000h |
cmp byte ptr [ebp-000000ABh], 00000041h |
jl 00007FEA38B58483h |
movsx ax, byte ptr [ebp-000000ABh] |
sub eax, 40h |
mov word ptr [ebp-2Ch], ax |
jmp 00007FEA38B58476h |
mov word ptr [ebp-2Ch], di |
cmp dword ptr [ebp-000000BCh], 0Ah |
jnc 00007FEA38B5847Ah |
and word ptr [ebp+00000000h], 0000h |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcf000 | 0x14bf8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x5d730 | 0xa30 | .ndata |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x65ba | 0x6600 | False | 0.6783088235294118 | data | 6.475278602230841 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x1382 | 0x1400 | False | 0.4626953125 | data | 5.262676635269928 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x48538 | 0x600 | False | 0.4615885416666667 | data | 4.125526322488032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.ndata | 0x53000 | 0x7c000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xcf000 | 0x14bf8 | 0x14c00 | False | 0.16929828689759036 | data | 4.457664961464067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0xcf250 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States |
RT_ICON | 0xdfa78 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States |
RT_ICON | 0xe2020 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States |
RT_ICON | 0xe30c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States |
RT_DIALOG | 0xe3530 | 0x100 | data | English | United States |
RT_DIALOG | 0xe3630 | 0x11c | data | English | United States |
RT_DIALOG | 0xe3750 | 0xc4 | data | English | United States |
RT_DIALOG | 0xe3818 | 0x60 | data | English | United States |
RT_GROUP_ICON | 0xe3878 | 0x3e | data | English | United States |
RT_MANIFEST | 0xe38b8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States |
DLL | Import |
---|---|
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA |
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA |
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree |
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked |
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, SetWindowPos, SetCursor, GetSysColor, SetClassLongA, GetWindowLongA, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard |
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject |
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersionExA, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Target ID: | 0 |
Start time: | 10:38:05 |
Start date: | 17/03/2023 |
Path: | C:\Users\user\Desktop\Royalistic.exe |
Wow64 process (32bit): | true |
Commandline: | C:\Users\user\Desktop\Royalistic.exe |
Imagebase: | 0x400000 |
File size: | 385376 bytes |
MD5 hash: | D14335F61C99A9B8A2D5E87CDF83CDD0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |