rustdesk.exe

First submission 2024-07-10 01:14:04

File details

File type: PE32+ executable (GUI) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 19631.67 KB (20102832 bytes)
Compile time: 2023-08-22 04:13:04
MD5: f78e62330c6757d845aa9b348f33e784
SHA1: 8d42a07fa3f1fd0d2345a5d97a91847e5fc9f663
SHA256: 7d8790e65a906706a93734b91efa6dfdb732f9897e04707233fe48033bd5654e
Import Hash : 945f2eb4d039a0c3278487538fb37df9
Sections 7 .text .rdata .data .pdata _RDATA .rsrc .reloc
Directories 6 import resource debug tls relocation security

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 7/77 VT report date: 2024-07-10 00:58:06
Malware Type 2 hacktool virus
Threat Type 1 rustdesk

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://wildenauer.name/rustdesk.exe wildenauer.name 2024-07-10 01:14:04

PE Sections 1 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x51240 332800 fad5dce4cef9506e28d0d0fea1512fac84caf154 cf362edf0fb57cee5613d8a5138cd399
.rdata 0x53000 0x12ba95c 19638784 9eb2ba123f4208c02a3557e6ad553b77064296a1 781407210746b3047029038cdcb1e3b0
.data 0x130e000 0x1e18 3072 c388f6ddfc8f03961ea0b0f90ca30085b184a7c7 4012c03de5a6e66bf4bb413efc1e4fbc
.pdata 0x1310000 0x2d48 11776 8c85be23f984756d15166ca626c3fa1952b7eecf e2d7dc86778c94894409911cf8a0685f
_RDATA 0x1313000 0xfc 512 3c91137ee588d8ea82625be58f4afc0386cf50e0 86686325359134223a64d0cf0824b164
.rsrc 0x1314000 0x186d8 100352 f929ccd870fbbf11520f57273a66cb7507807f9f e5f499cd2145af579d7fd246e64de7b9
.reloc 0x132d000 0xbf0 3072 6bd9c0704316318eafae5bad919346357186e779 1776f2127d38ce87efa9e14576d6ee06

PE Resources 2

Name Language Sublanguage Offset Size Data
RT_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0x131be60 67624
RT_GROUP_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0x132c688 76

Packers detected 2

Microsoft Visual C++ 8.0 (DLL)
Microsoft Visual C++ 8.0

Anti debug functions 6

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

VMCheck.dll

File signature

MD5 SHA1 Block size Virtual Address
1d3a92aa762840d9d8f2fa55df17afbf 352ababfef4a934434a9b0691fa0ecdc151f701c 11440 20091392

Strings analysis - File found

Binary
.\data\flutter_assets\AssetManifest.bin
Executable
.\data\app.so
Data
.\data\icudtl.dat
Database
*o.DB
Library
mscoree.dll
ntdll.dll
.\window_manager_plugin.dll
ole32.dll
dbghelp.dll
.\window_size_plugin.dll
bcrypt.dll
.\librustdesk.dll
.\url_launcher_windows_plugin.dll
.\desktop_multi_window_plugin.dll
.\RustDeskIddDriver\RustDeskIddDriver.dll
SHELL32.dll
ADVAPI32.dll
KERNEL32.dll
.\flutter_custom_cursor_plugin.dll
.\dylib_virtual_display.dll
.\uni_links_desktop_plugin.dll
.\flutter_windows.dll
.\desktop_drop_plugin.dll
.\screen_retriever_plugin.dll
.\WindowInjection.dll
.\texture_rgba_renderer_plugin.dll

Strings analysis - Possible URLs found 76


Import functions