Cryptam // document analysis


Sample Details

original filename: RACClientLite.zip

size: 7373171 bytes
submitted: 2017-08-08 14:04:18
md5: 795413a05ad58096bded72d03437c175
sha1: 36f207f84253cbfcf7dd0799375e5a2c83d50eb6
sha256: 3ff041ef62f4de1e1b8c7a3b0c0cc245345d93b2beb2f8eef5784c039cea2283
ssdeep: 196608:x4cRyt0e4yCCqldMTrhDyMlq9Y+LN8QFZEDqKRMCjSmkD:3yYShD+9Ya8QDEDqnD
content/type: Zip archive data, at least v1.0 to extract
analysis time: 0.00 s
result: malware [930]
embedded file objects: yes
embedded executable: found

signature hits:

embedded.file RACclientLite.ENG.lng dd33f89c492677d9117ba462111dac46
RACclientLite.ENG.lng.78: string.This program cannot be run in DOS mode
embedded.file RACclientLite.FRA.lng 003ce74cc4e96552dbe33e2c6658f59b
RACclientLite.FRA.lng.78: string.This program cannot be run in DOS mode
embedded.file RACObjSel.dll a4c22aab8e45962753d3c5140ba69f1d
RACObjSel.dll.78: string.This program cannot be run in DOS mode
RACObjSel.dll.74332: string.LoadLibraryA
RACObjSel.dll.74242: string.GetModuleHandleA
RACObjSel.dll.74412: string.GetCommandLineA
RACObjSel.dll.65280: string.GetSystemMetrics
RACObjSel.dll.74224: string.GetProcAddress
RACObjSel.dll.74002: string.EnterCriticalSection
RACObjSel.dll.74722: string.GetEnvironmentVariableA
RACObjSel.dll.73818: string.CloseHandle
RACObjSel.dll.67508: string.user32.dll
RACObjSel.dll.75000: string.KERNEL32
RACObjSel.dll.74454: string.ExitProcess
embedded.file RACclientLite.ESP.lng 15f4dd2d76a1c42bb2975e667fa9791e
RACclientLite.ESP.lng.78: string.This program cannot be run in DOS mode
embedded.file RACclientLite.ITA.lng 0623d7fee097982cd3fe8e6f88456f20
RACclientLite.ITA.lng.78: string.This program cannot be run in DOS mode
embedded.file RACclientLite.exe eefcb357ad796b83075a90d40b9315a6
RACclientLite.exe.78: string.This program cannot be run in DOS mode
RACclientLite.exe.4660512: string.LoadLibraryA
RACclientLite.exe.4660528: string.GetModuleHandleA
RACclientLite.exe.4663264: string.GetCommandLineA
RACclientLite.exe.4310440: string.GetSystemMetrics
RACclientLite.exe.4660494: string.GetProcAddress
RACclientLite.exe.4661084: string.CreateProcessA
RACclientLite.exe.4661448: string.EnterCriticalSection
RACclientLite.exe.4662080: string.GetEnvironmentVariableA
RACclientLite.exe.4660350: string.CloseHandle
RACclientLite.exe.4660682: string.CreateFileA
RACclientLite.exe.4669306: string.RegOpenKeyExA
RACclientLite.exe.4669390: string.RegDeleteKeyA
RACclientLite.exe.4339976: string.user32.dll
RACclientLite.exe.4680789: string.shell32.dll
RACclientLite.exe.4326712: string.KERNEL32
RACclientLite.exe.4663282: string.ExitProcess
RACclientLite.exe.4665896: string.GetMessageA
RACclientLite.exe.4664610: string.CreateWindowExA
embedded.file RACCH.dll e18f8e8b6b8c5c26da6b1449e9719464
RACCH.dll.78: string.This program cannot be run in DOS mode
RACCH.dll.31770: string.LoadLibraryA
RACCH.dll.31508: string.GetModuleHandleA
RACCH.dll.31056: string.GetCommandLineA
RACCH.dll.31752: string.GetProcAddress
RACCH.dll.30874: string.EnterCriticalSection
RACCH.dll.31528: string.GetEnvironmentVariableA
RACCH.dll.30016: string.user32.dll
RACCH.dll.30920: string.KERNEL32
RACCH.dll.31100: string.ExitProcess
embedded.file RemoteInstall.dll d2d528c2d1d3f0c04623be139015ffbe
RemoteInstall.dll.78: string.This program cannot be run in DOS mode
RemoteInstall.dll.323190: string.LoadLibraryA
RemoteInstall.dll.324258: string.GetModuleHandleA
RemoteInstall.dll.324580: string.GetCommandLineA
RemoteInstall.dll.296464: string.GetSystemMetrics
RemoteInstall.dll.323172: string.GetProcAddress
RemoteInstall.dll.324074: string.EnterCriticalSection
RemoteInstall.dll.324742: string.GetEnvironmentVariableA
RemoteInstall.dll.323318: string.CloseHandle
RemoteInstall.dll.323332: string.CreateFileA
RemoteInstall.dll.327262: string.RegOpenKeyExA
RemoteInstall.dll.327564: string.RegDeleteKeyA
RemoteInstall.dll.300716: string.user32.dll
RemoteInstall.dll.298020: string.KERNEL32
RemoteInstall.dll.324598: string.ExitProcess
RemoteInstall.dll.325638: string.GetMessageA
RemoteInstall.dll.326406: string.CreateWindowExA
embedded.file RACclientLite.DEU.lng e0ca651da3a6c419c19de74f37f5cfe5
RACclientLite.DEU.lng.78: string.This program cannot be run in DOS mode
embedded.file RACclientLite.PTG.lng 18c50787a495c29bcb750f8d6e7d5773
RACclientLite.PTG.lng.78: string.This program cannot be run in DOS mode
embedded.file InstallKernel.dll 70e29c1c80c89b3d2e825b5f730de2c4
InstallKernel.dll.78: string.This program cannot be run in DOS mode
InstallKernel.dll.62186: string.LoadLibraryA
InstallKernel.dll.62052: string.GetModuleHandleA
InstallKernel.dll.63134: string.GetCommandLineA
InstallKernel.dll.62168: string.GetProcAddress
InstallKernel.dll.63332: string.EnterCriticalSection
InstallKernel.dll.63166: string.GetEnvironmentVariableA
InstallKernel.dll.61988: string.CloseHandle
InstallKernel.dll.62118: string.CreateFileA
InstallKernel.dll.62824: string.RegOpenKeyExA
InstallKernel.dll.62808: string.RegDeleteKeyA
InstallKernel.dll.59240: string.user32.dll
InstallKernel.dll.62392: string.KERNEL32
InstallKernel.dll.63380: string.ExitProcess
InstallKernel.dll.dropped.file rtf ccc79373d70ad9742570d395b2de39b8 / 2136 bytes / @ 86272
InstallKernel.dll.dropped.file rtf ad6ad237246b60e1628a7fc766697bec / 1824 bytes / @ 88408
InstallKernel.dll.dropped.file rtf 2163118cf3e1bf6a7897d502771e10a0 / 2208 bytes / @ 90232
InstallKernel.dll.dropped.file rtf 909a2187d4956f76effbfa1e2964b905 / 2112 bytes / @ 92440
InstallKernel.dll.dropped.file rtf 3a50813649db46fbea852c385b15428d / 2616 bytes / @ 94552
InstallKernel.dll.dropped.file rtf 7648cd9495f562a1a863311acefb56e6 / 2112 bytes / @ 97168
InstallKernel.dll.dropped.file rtf a0793f1c813840d47a4bf23d7abaa3cf / 46264 bytes / @ 99280
embedded.file RACShared.dll 04b76aa3ae2f3fb2c8ecc849b733f335
RACShared.dll.78: string.This program cannot be run in DOS mode
RACShared.dll.111390: string.LoadLibraryA
RACShared.dll.111096: string.GetModuleHandleA
RACShared.dll.112058: string.GetCommandLineA
RACShared.dll.98136: string.GetSystemMetrics
RACShared.dll.111208: string.GetProcAddress
RACShared.dll.111764: string.EnterCriticalSection
RACShared.dll.112164: string.GetEnvironmentVariableA
RACShared.dll.111594: string.CloseHandle
RACShared.dll.114848: string.RegOpenKeyExA
RACShared.dll.102464: string.user32.dll
RACShared.dll.102300: string.KERNEL32
RACShared.dll.112094: string.ExitProcess
RACShared.dll.114108: string.GetMessageA
RACShared.dll.113310: string.CreateWindowExA



Dropped Files

RACclientLite.ENG.lng at zip
md5: dd33f89c492677d9117ba462111dac46
sha1: 12377233935362dd1333b81518f869c874277355
sha256: dfe1033972bcc8e88e0d0f86f5a9331cf2b3de648cb9d64bf9bbe778c7d0c937

RACclientLite.FRA.lng at zip
md5: 003ce74cc4e96552dbe33e2c6658f59b
sha1: f598aff07f15a2f6beda705d72c12dd600cb78cd
sha256: 19b8c8af8911353004b75c118638449a60c37f1f92ecb75fb11fe29a424590f0

RACObjSel.dll at zip
md5: a4c22aab8e45962753d3c5140ba69f1d
sha1: 7ddabdec1ecdaba753a7696fbbc9391a37620f42
sha256: a9d84635841e739c608de9a4a9f81aba2aedf76764f8ac126b4abb112942fb0d

RACclientLite.ESP.lng at zip
md5: 15f4dd2d76a1c42bb2975e667fa9791e
sha1: 3427cd404b1639961ad40c5b602e0b755bc0a62e
sha256: 5fec8c702d77de73989226fcdcdc902a6a09226a94a64fe99cabd7b48dead0cf

RACclientLite.ITA.lng at zip
md5: 0623d7fee097982cd3fe8e6f88456f20
sha1: f8337c619ac2e3509030488e379420561b95914c
sha256: 5ebe914096259606c2d88221b2df51c34f5d7cf80d9fc55ec58a03a8e82ec618

RACclientLite.exe at zip
md5: eefcb357ad796b83075a90d40b9315a6
sha1: 4bffefc86bca045d3ba54ab48a86246fe420400a
sha256: b0cb03d2d824f8a386f88792d0c898c14adec76ea9a3c57ac5d5424498a62101

RACCH.dll at zip
md5: e18f8e8b6b8c5c26da6b1449e9719464
sha1: 8c2d47dc70886eddfbd2c75a4e462952d1805ef6
sha256: 322a640665bc1dc3c49b011b4ac9973d7959f14153fd583852456970cad7aecb

RemoteInstall.dll at zip
md5: d2d528c2d1d3f0c04623be139015ffbe
sha1: e81413bd946b973598388c59bd04fed2715c913f
sha256: 2b177bcf7ad84effa8819f526b3d9bf497f370b0365f87d7aa5f7f70591110ac

RACclientLite.DEU.lng at zip
md5: e0ca651da3a6c419c19de74f37f5cfe5
sha1: 8f5fa8394637e22058b2a5d9ab281ac126f2bb2f
sha256: 6d0fcfdf02b38efb0a7757376c346b091ea99e5e47421343057ee31ffa7ea523

RACclientLite.PTG.lng at zip
md5: 18c50787a495c29bcb750f8d6e7d5773
sha1: 0469bcac9f0bada4afca7a6f906941ce6f16e144
sha256: 125e74a7cc08209293fa182998996b2cc1f8b4b3fbcdf1e8d92a6396642536a1

InstallKernel.dll at zip
md5: 70e29c1c80c89b3d2e825b5f730de2c4
sha1: d14dc0f6bd06af5abe1aa4f932945a1852540b7d
sha256: 7cfb0da75c2e3389edc2d3e78088dbd49372d2a88f8da07519c946fc6aff7305

rtf at 86272
md5: ccc79373d70ad9742570d395b2de39b8
sha1: 4d2de2a3ebced756e62e03bb9dcd2d3fc5da60b4
sha256: eff3fe9d47940f8fff1440d199bcc5a0834828fec53df812effa783de7f17b9a

rtf at 88408
md5: ad6ad237246b60e1628a7fc766697bec
sha1: 684a13a9f7df8109aef51a7c3ac0fb6820815591
sha256: 371c21bdd3127e5e7c454415419922d886a1d5bf9f422f92c6bda5d34e010e34

rtf at 90232
md5: 2163118cf3e1bf6a7897d502771e10a0
sha1: e218a6a6be06731b0beeca9d9ddfaf36d95aaf77
sha256: 7b148b4ffdfbe3c42666d4d0e2b7e3e5d1d2c877c67cf0eb9ef587fead43fb5a

rtf at 92440
md5: 909a2187d4956f76effbfa1e2964b905
sha1: 3577a833d6e060f5d7d09d6870ca421e1dfdaf6e
sha256: 03a5bf1e0759fb925c9ff9f209d92b3c6be6adea53f9586ae17fc6036619fea9

rtf at 94552
md5: 3a50813649db46fbea852c385b15428d
sha1: 23bacd50a9a8b2fb73f8bd35f15bb0558b75c3e2
sha256: 99f03e634fc6fde2eaffec7a638a3817a158d19acbe4a628d25ded1d6c119270

rtf at 97168
md5: 7648cd9495f562a1a863311acefb56e6
sha1: a4744fd7454bbb247abb2161bac1155f6892e609
sha256: 5c64bd5aa471dc45875f15a81b45901ada9b68896f84c2e4be0c6eb6adb90cf9

rtf at 99280
md5: a0793f1c813840d47a4bf23d7abaa3cf
sha1: 3347c7e26238d4a324c6e154bd5eaf59b1a80eb8
sha256: 6c35c1b0fb9dd9e9b4464c6d3421a72016d7d7b237edb70a45b46d76fa3f8c84

RACShared.dll at zip
md5: 04b76aa3ae2f3fb2c8ecc849b733f335
sha1: 2561a4ef11e6c29d5cd3b7b97d87bb7fdf9c125e
sha256: 26d48221049143f06a93dd0e6374ab9d98cdf26eae8af029b8ffe501106d079d