
Unidentified crypto tool - TQ_cryptosys

(@qinc0)
New Member
Joined: 11 years ago
Posts: 1
Topic starter  

Hi Forum Community,
I have discovered a crypto tool during an investigation (TQ_cryptosys.exe). I have never seen it before and there is little information I can glean from the internet (i.e. Google and hacking forums). I was wondering if anyone has seen it before or whether it's just something that is rarely used and proprietary?
The tool, when executed, creates a pop-up stating 128bit AES encryption is enabled. So naturally it's piqued my suspicions.
Any feedback or information would be appreciated.
Best Regards,
Qinc0


   
Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

Can you

1) Right click on the executable and have a look at the properties. Have a look at the "Details" tab for any metadata strings left by the developer, and also have a look at any digital signatures.

2) Run a 'strings' like program over the .exe to extract out all the strings from the .exe itself. Might turn up some interesting stuff. e.g. the web address of the developer


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

2) Run a 'strings' like program over the .exe to extract out all the strings from the .exe itself. Might turn up some interesting stuff. e.g. the web address of the developer

If you have a Win resource editor available, it is often possible to put those strings in some context. It may also be possible to find related data in dialogs or icons that could be difficult to identify otherwise.

I usually bounce unknown file names against the fileadvisor service of bit9, as knowing in what context the file appears can sometimes provide ideas. In this case, though, the name does not seem to be recorded by bit9, which suggests that it's probably not freeware or generally or easily available software. Don't forget to check if the binary is digitally signed.
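The triage steps suggested in the replies above (strings, developer metadata, digital signature), sketched as an added example that is not part of any post in this thread. The sample bytes, the `vendor.example` URL and the company name are constructed; a populated certificate table only shows that a signature is embedded, not that it is valid.

```python
import re
import struct

VERSION_KEYS = ("CompanyName", "ProductName", "OriginalFilename", "LegalCopyright")

def extract_strings(data, min_len=4):
    """Printable ASCII and UTF-16LE runs, as a 'strings'-like tool reports them."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([s.decode("ascii") for s in narrow],
            [s.decode("utf-16le") for s in wide])

def has_embedded_signature(data):
    """True if the PE certificate table (data directory 4) is populated."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = pe + 24                                  # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    if struct.unpack_from("<I", data, dirs - 4)[0] <= 4:
        return False                               # directory 4 not present
    offset, size = struct.unpack_from("<II", data, dirs + 4 * 8)
    return offset != 0 and size != 0

def triage(data):
    narrow, wide = extract_strings(data)
    urls = [s for s in narrow + wide if re.search(r"https?://|www\.", s)]
    # Version-info keys (the "Details" tab) are UTF-16LE; the value is the
    # next wide string. Values shorter than min_len are skipped: leads only.
    info = {k: wide[i + 1] for i, k in enumerate(wide[:-1]) if k in VERSION_KEYS}
    return {"urls": urls, "version_info": info,
            "embedded_signature": has_embedded_signature(data)}

def build_sample(signed):
    """Constructed minimal PE32 header plus planted strings (not a real tool)."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 32, 0x400, 0x1000)
    head = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    body = b"http://vendor.example/support\0\0"
    body += "CompanyName\0\0Example Vendor Ltd\0".encode("utf-16le")
    return head + bytes(opt) + body
```

On a real file, pass `open(path, "rb").read()` to `triage`; a file signed only through a catalog has no embedded signature and will report `False` here.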


   