» RDPKill.exe
Overview
Analysis
File Details
Downloads (3)
Network (1)

RDPKill.exe

RDPKill

Mark DePalma

The application RDPKill.exe, “A Windows GUI RDP DoS attack based on the MS12-020 exploit.” has been detected as a potentially unwanted program by 34 anti-malware scanners. This is a setup program which is used to install the application. The file has been seen being downloaded from fs02n5.sendspace.com and multiple other hosts. While running, it connects to the Internet address R16RK4U17-1 on port 3389.

File name:

RDPKill.exe

Publisher:

Mark DePalma

Product:

RDPKill

Description:

A Windows GUI RDP DoS attack based on the MS12-020 exploit.

Version:

1.00.0004

MD5:

1725da1cae6163d1eb28b1ccf2f5a697

SHA-1:

83493de4037ac171d44dc720641cde6e7d4ed822

SHA-256:

02897e3f6d8cc9914cb5545bae2ba50d44c28f6f0ef7f56ff4b4a4565c4bc629

Scanner detections:

34 / 68

Status:

Potentially unwanted

Analysis date:

4/27/2024 12:04:51 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Backdoor.Generic.735215

698

Agnitum Outpost

Packed/BitArts

7.1.1

AhnLab V3 Security

Win-Trojan/Hacktool.788480

2014.06.25

Avira AntiVirus

SPR/Tool.Rdpdos.A.3

7.11.210.224

avast!

Win32:Malware-gen

2014.9-150309

AVG

Win32/DH

2016.0.3176

Baidu Antivirus

Hacktool.Win32.RDPKill

4.0.3.1539

Bitdefender

Backdoor.Generic.735215

1.0.20.340

Bkav FE

HW32.Packed

1.3.0.6379

Comodo Security

TrojWare.Win32.Refroso.~d6

21124

Dr.Web

Tool.RDPKill

9.0.1.068

Emsisoft Anti-Malware

Backdoor.Generic.735215

8.15.03.09.08

ESET NOD32

Win32/HackTool.RDPGremlin

9.9993

Fortinet FortiGate

CVE2012.0002!exploit

3/9/2015

F-Prot

W32/Backdoor.D.gen

v6.4.7.1.166

F-Secure

Backdoor.Generic.735215

11.2015-09-03_2

G Data

Trojan.Hacktool.RDPDos

15.3.24

IKARUS anti.virus

Virus.Win32.VBInject

t3scan.1.6.1.0

K7 AntiVirus

Unwanted-Program

13.196.15005

Kaspersky

HackTool.Win32.RDPKill

14.0.0.2373

Malwarebytes

HackTool.RDPKill

v2015.03.09.08

McAfee

Generic.dx!1725DA1CAE61

5600.6832

Microsoft Security Essentials

HackTool:Win32/Rdpdos.A

1.1.11400.0

MicroWorld eScan

Backdoor.Generic.735215

16.0.0.204

NANO AntiVirus

Trojan.Win32.RDPKill.djrlvf

0.30.0.126

Norman

Troj_Generic.BCTBM

11.20150309

nProtect

Trojan/W32.Agent.788480.AB

15.02.17.01

Panda Antivirus

Trj/CI.A

15.06.15.09

Qihoo 360 Security

HEUR/Malware.QVM19.Gen

1.0.0.1015

Quick Heal

HackTool.RDPKill.r6 (Not a Virus)

3.15.14.00

Sophos

Mal/Rdpdos-A

4.98

VIPRE Antivirus

Trojan.Win32.Generic

37676

ViRobot

Trojan.Win32.S.Agent.788480

2011.4.7.4223

Zillya! Antivirus

Tool.RDPKill.Win32.1

2.0.0.2071

File size:

770 KB (788,480 bytes)

Product version:

1.00.0004

Original file name:

RDPKill.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\downloads\rdpkill.exe

File PE Metadata

Compilation timestamp:

4/12/2012 9:41:54 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

24576:xk0lHsYYWsse25g1haQPrl/MtNvcsJKOpuB:xkTYEser1haQPJ/09csJKau

Entry address:

0x8000

Entry point:

55, E8, 00, 00, 00, 00, 5D, 83, ED, 06, 8B, C5, 55, 60, 89, AD, 93, 22, 00, 00, 2B, 85, 6E, 22, 00, 00, 89, 85, 22, 13, 00, 00, 80, BD, 23, 24, 00, 00, 00, 75, 09, C6, 85, 23, 24, 00, 00, 01, EB, 0B, 61, 5D, 8B, 85, 8F, 22, 00, 00, 5D, FF, E0, EB, 02, EB, FE, 8B, DD, 8C, D8, A8, 04, 74, 08, 81, C3, 8E, 0A, 00, 00, EB, 06, 81, C3, 51, 0A, 00, 00, FF, D3, 6A, 04, 68, 00, 10, 00, 00, 68, 00, 30, 00, 00, 6A, 00, FF, 95, FD, 10, 00, 00, 89, 85, 09, 24, 00, 00, 50, B8, 08, 0C, 00, 00, 03, C5, FF, D0, B8, 43, 0C... 
[+]

Packer / compiler:

Crunch/PE v1.0.x.x

Code size:

20 KB (20,480 bytes)

The file RDPKill.exe has been seen being distributed by the following 3 URLs.

https://fs02n5.sendspace.com/dl/1d87c1b978acf0e4e5f452666b3ad3c5/57305faa7f6f7e10/.../RDPKill.exe

http://mnetwork.us/.../RDPKill.exe

http://www.partage-facile.com/dl-view.php

The executing file has been seen to make the following network communication in live environments.

TCP:

Connects to R16RK4U17-1 (198.204.240.42:3389)

Remove RDPKill.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.