rcdll.exe

First submission 2024-10-14 16:17:03

File details

File type:	PE32+ executable (console) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	68.47 KB (70112 bytes)
Compile time:	2025-09-23 16:13:25
MD5:	d20afbb8f3aef32336906762dd5496f1
SHA1:	e956c318db4d5d9344672ee8bd9cca73ec32fc84
SHA256:	a182e516ba0cd2c38600c6f4eab17666da12ae485c5537050e0191aaedd7dade
Import Hash :	14364fd8f9fe355c6dc3ab49d1f37ab6
Sections 6	.text .rdata .data .pdata .rsrc .reloc
Directories 5	import resource debug relocation security

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	0/77 VT report date: 2024-10-13 20:38:34

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://206.238.196.40/ms/rcdll.exe	206.238.196.40	2024-10-14 16:17:03

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x9549	38400	a8bfa2311e8faf44cc7e5fb3f78e72b9cff223ef	9b8e5fe109b4f774d19be647b994317f
.rdata	0xb000	0x3286	13312	a51623290625c571d8044e7d0ec489cdbf900eea	b6453509ec5a5459750ae7a3a3f14226
.data	0xf000	0x31c0	4608	5c7f0f8c2e0ab98c2da9569148e372ed7bc46f2d	5f343dddcaa0fdd57e170f5162386634
.pdata	0x13000	0x7bc	2048	304cf0d26119f6a17124613a4b0cfb0a236ccd78	d8798b753aaacfd9ba7c951a2f8d0ad7
.rsrc	0x14000	0x5e8	1536	ce58bdad045b0a971a4205e8f1f6f651fe5174a6	c97283f2e3176b96104e41f76d08d439
.reloc	0x15000	0x160	512	5a47a691d5ec8fea272b68a102bcade9d6875c7f	5baacfceda7672aa17247c8e620162d2

PE Resources 2

Name	Language	Sublanguage	Offset	Size	Data
RT_VERSION	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x14250	916	PE Resource: RT_VERSION - Data 4VS_VERSION_INFO aJ aJ?StringFileInfo040904B0LCompanyNameMicrosoft Corporation`FileDescriptionMicrosoft Resource Compilerl&FileVersion10.0.19041.685 (WinBuild.160101.0800).InternalNamerc.exe.LegalCopyright Microsoft Corporation. All rights reserved.6OriginalFilenamerc.exej%ProductNameMicrosoft Windows Operating SystemBProductVersion10.0.19041.685DVarFileInfo$Translation
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x140a0	427	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <!-- Copyright (c) Microsoft Corporation --> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_VERSION

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x14250

916

RT_MANIFEST

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x140a0

427

Meta infos 9

LegalCopyright:	\xa9 Microsoft Corporation. All rights reserved.
InternalName:	rc.exe
FileVersion:	10.0.19041.685 (WinBuild.160101.0800)
CompanyName:	Microsoft Corporation
ProductVersion:	10.0.19041.685
FileDescription:	Microsoft Resource Compiler
Translation:	0x0409 0x04b0
OriginalFilename:	rc.exe
ProductName:	Microsoft\xae Windows\xae Operating System

Packers detected 1

Microsoft Visual C++ 8.0 (DLL)

Anti debug functions 4

GetLastError
OutputDebugStringA
TerminateProcess
UnhandledExceptionFilter

File signature

MD5	SHA1	Block size	Virtual Address
972d7185d4914efbf8ac1b0e3648fca9	4cef3f631379e2ebe0e19a6a005b3799d1607678	8672	61440

Strings analysis - File found

Library
USER32.dll
mscoree.dll
RCDLL.dll
KERNEL32.dll

Strings analysis - Possible URLs found 8

http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
http://www.microsoft.com/pki/certs/MicCodSigPCA_2010-07-06.crt0
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl0Z
http://www.microsoft.com/windows0
http://www.microsoft.com/PKI/docs/CPS/default.htm0@
http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z

Import functions

RCDLL.dll 2 KERNEL32.dll 68

Function	Address	Souspicious	Anti Debug
RCW	0x14000b4c0
Handler	0x14000b4c8

Function	Address	Souspicious	Anti Debug
SetConsoleCtrlHandler	0x14000b298
GetModuleFileNameW	0x14000b2a0
SetErrorMode	0x14000b2a8
Sleep	0x14000b2b0
HeapSetInformation	0x14000b2b8
VirtualQuery	0x14000b2c0
GetStdHandle	0x14000b2c8
GetConsoleMode	0x14000b2d0
GetFileType	0x14000b2d8
VirtualProtect	0x14000b2e0
VirtualAlloc	0x14000b2e8
GetVersionExW	0x14000b2f0
RtlUnwindEx	0x14000b2f8
SetStdHandle	0x14000b300
GetLastError	0x14000b308
EnterCriticalSection	0x14000b310
LeaveCriticalSection	0x14000b318
InitializeCriticalSectionAndSpinCount	0x14000b320
WriteConsoleW	0x14000b328
SetUnhandledExceptionFilter	0x14000b330
EncodePointer	0x14000b338
DecodePointer	0x14000b340
SetLastError	0x14000b348
FlsAlloc	0x14000b350
FlsGetValue	0x14000b358
FlsSetValue	0x14000b360
FlsFree	0x14000b368
GetCurrentThreadId	0x14000b370
ExitProcess	0x14000b378
GetModuleHandleExW	0x14000b380
GetProcAddress	0x14000b388
WriteFile	0x14000b390
GetModuleFileNameA	0x14000b398
HeapCreate	0x14000b3a0
DeleteCriticalSection	0x14000b3a8
GetStartupInfoW	0x14000b3b0
QueryPerformanceCounter	0x14000b3b8
GetCurrentProcessId	0x14000b3c0
GetSystemTimeAsFileTime	0x14000b3c8
GetTickCount	0x14000b3d0
GetEnvironmentStringsW	0x14000b3d8
FreeEnvironmentStringsW	0x14000b3e0
GetCommandLineW	0x14000b3e8
RtlCaptureContext	0x14000b3f0
RtlLookupFunctionEntry	0x14000b3f8
RtlVirtualUnwind	0x14000b400
UnhandledExceptionFilter	0x14000b408
GetCurrentProcess	0x14000b410
TerminateProcess	0x14000b418
OutputDebugStringA	0x14000b420
FlushFileBuffers	0x14000b428
WideCharToMultiByte	0x14000b430
GetConsoleCP	0x14000b438
CreateFileW	0x14000b440
CloseHandle	0x14000b448
IsValidCodePage	0x14000b450
GetACP	0x14000b458
GetOEMCP	0x14000b460
GetCPInfo	0x14000b468
MultiByteToWideChar	0x14000b470
HeapFree	0x14000b478
HeapAlloc	0x14000b480
LoadLibraryExW	0x14000b488
SetFilePointer	0x14000b490
GetStringTypeW	0x14000b498
LCMapStringW	0x14000b4a0
SetThreadStackGuarantee	0x14000b4a8
GetSystemInfo	0x14000b4b0