rasautou.exe

  • File Path: C:\WINDOWS\SysWOW64\rasautou.exe
  • Description: Remote Access Dialer

Hashes

Type Hash
MD5 B5AF55DEC08D3BE1EAF7CC299F73382F
SHA1 8274817D08FB1EC7E1F1064AB03C498CAA75DEE4
SHA256 11C4A4C4196DCD94B6D68763B90F655A4873E02B028AB1A616A8C34222332CDD
SHA384 B39D1BEBD108EC8F756CA257CF2A25716A521852CBE469D21331ED89AB734C1124B98B854C889B24C5C2F7E35A57C569
SHA512 C68FCADF1A0EF6208E0702F7A103631A6104B90A9E602EDE5C5CAB53E8BE0BC25472972D944D893097BB3A24B0C57526BA3B1CC5C4AACC3E7F854439BB204EC2
SSDEEP 192:GfL4Vs5E9SAMaHDjuKn+U09qXe0g5rc0V8xFW5Gg6WpuUFupXCWIBWa:WLXFaD+U0930g5N8xFWddgpXCWIBW
IMP C6774B9EFAD3BC766DB61E2210CE1A6B
PESHA1 F669DCFDF0DF7DF8D6F385DF423FFD73FF668AFC
PE256 B1569763301BC559AC215E62508EB44FDE4AE80CD5D0B751CC620DA98255381C

Runtime Data

Usage (stdout):

Usage: rasautou [-f phonebook] [-a address] [-e entry] [-s]

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\rasautou.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: rasdlui.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/11c4a4c4196dcd94b6d68763b90f655a4873e02b028ab1a616a8c34222332cdd/detection

Possible Misuse

The following table contains possible examples of rasautou.exe being misused. While rasautou.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_rasautou_dll_execution.yml title: DLL Execution via Rasautou.exe DRL 1.0
sigma proc_creation_win_rasautou_dll_execution.yml description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p. DRL 1.0
sigma proc_creation_win_rasautou_dll_execution.yml - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/ DRL 1.0
sigma proc_creation_win_rasautou_dll_execution.yml Image\|endswith: '\rasautou.exe' DRL 1.0
LOLBAS Rasautou.yml Name: Rasautou.exe  
LOLBAS Rasautou.yml - Command: rasautou -d powershell.dll -p powershell -a a -e e  
LOLBAS Rasautou.yml - Path: C:\Windows\System32\rasautou.exe  
LOLBAS Rasautou.yml - IOC: rasautou.exe command line containing -d and -p  

MIT License. Copyright (c) 2020-2021 Strontic.