rasautou.exe

  • File Path: C:\Windows\system32\rasautou.exe
  • Description: Remote Access Dialer

Hashes

Type Hash
MD5 749F7EE0E60F24A1C95C5667C7B05F77
SHA1 47C97952A612B2542A9EFEF8E243D0D26AE36616
SHA256 3784BC31BF8A72D3D8AF7726F6944B7C8C17AC6D797654830F462A4A3A33A013
SHA384 FE7D95C5E1882DAC1CB2B8DCB227F62254C06658C13FB3B9C9AA3A30619F3313292D73A8CD5B93285FE117D32CA5CB20
SHA512 46BDD2FDECD54962DCC8E51A20B92334C7984B6DB7B2CA0532CB973CF1FE559ACC23DB8747BC4C5F84995D0DE48DC6E856FF221CDE9E49F1A79A5A6E003565D1
SSDEEP 384:EsTMuRLrDeL9wSDT7VUyoZyTw5PYcWHBW:EQ/D5SRU/fZY9
IMP 0B915B3D21B94438146557937D698E77
PESHA1 3D9D4C217AF91338BF0E763DCAC0B4ECBA1DCD0E
PE256 5E495665514E1FEC42CA79EB536C2B641183578C6B257F2AF8C4DB363C2B11DF

Runtime Data

Usage (stdout):

Usage: rasautou [-f phonebook] [-a address] [-e entry] [-s]

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\rasautou.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: rasdlui.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/3784bc31bf8a72d3d8af7726f6944b7c8c17ac6d797654830f462a4a3a33a013/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\rasautou.exe 55

Possible Misuse

The following table contains possible examples of rasautou.exe being misused. While rasautou.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_rasautou_dll_execution.yml title: DLL Execution via Rasautou.exe DRL 1.0
sigma proc_creation_win_rasautou_dll_execution.yml description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p. DRL 1.0
sigma proc_creation_win_rasautou_dll_execution.yml - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/ DRL 1.0
sigma proc_creation_win_rasautou_dll_execution.yml Image\|endswith: '\rasautou.exe' DRL 1.0
LOLBAS Rasautou.yml Name: Rasautou.exe  
LOLBAS Rasautou.yml - Command: rasautou -d powershell.dll -p powershell -a a -e e  
LOLBAS Rasautou.yml - Path: C:\Windows\System32\rasautou.exe  
LOLBAS Rasautou.yml - IOC: rasautou.exe command line containing -d and -p  

MIT License. Copyright (c) 2020-2021 Strontic.