Nuwo.exe?ex=670c4c08&is=670afa88&hm=f938514c9e9024c18f4095e1ecae55d44e84f3578b761e0970464c0f75a816d9&

First submission 2024-10-13 19:46:02

File details

File type:	PE32+ executable (console) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	5691.35 KB (5827942 bytes)
Compile time:	2024-01-01 00:27:29
MD5:	013ea4a21aaca3ed7996813e64aa7bba
SHA1:	d0014c7dee9b7ebd81ffc393dd959108763d8d10
SHA256:	5cef45602b843003d06ee762499e1606134be8ce6567e046961863cbc96e9c72
Import Hash :	380d2cbec5e800eecb6612f15b9ac012
Sections 7	.text .rdata .data .pdata _RDATA .rsrc .reloc
Directories 4	import resource debug relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	11/76 VT report date: 2024-10-13 19:15:14
Malware Type 1	trojan

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXps://cdn.discordapp.com/attachments/1294783544970842123/1294791476345176157/Nuwo.exe?ex=670c4c08&is=670afa88&hm=f938514c9e9024c18f4095e1ecae55d44e84f3578b761e0970464c0f75a816d9&	cdn.discordapp.com	2024-10-13 19:46:02

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x29c40	171520	5640e4a052eb6407bc37bed4bfca199bd7d6a57b	c397ff3614675a2121ff4c1ca501bf6e
.rdata	0x2b000	0x126a2	75776	1e7b1153d7dc7236b769b12cf2d213f934402567	6682c279dea05a32ab33ba8d9017b1c1
.data	0x3e000	0x3318	3584	09cb66814bd71ae151c51007f492df97ba54224c	90ad139d0222e63ad4eb3d3d23dbd963
.pdata	0x42000	0x22c8	9216	632f1c477eb31edea47ce933231682829f8f4dfb	a9d2e8b79500abfd8a9ff7fe5cede90b
_RDATA	0x45000	0x15c	512	6ff9fcfa10371aac22fbea9d39df131a09915a1a	756b5d3163916be93d6812ecf3e68ffb
.rsrc	0x46000	0x1ec8	8192	b45e79a3591354873675cf61c5aef775910c32d5	47779e0a82020ae57829ffcf5e513aa3
.reloc	0x48000	0x754	2048	8080f76a7753131feb796033a8bb5aca7f069e38	91d414a1bcb67647b8e8c49320056e0b

PE Resources 3

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x46e4c	2829	PE Resource: RT_ICON - Data PNG IHDR5[tZ IDATxZ[L\U^{3gi"cT/IM+Z-64Qhh_ZSc/K4N[" A#5V@@@:e.a-r\|Z{u`6Z;l,M 6&bXa`1l,M 6&bV+01fM{9bqUUAXC"qM^(1Kh"GD(^ ,#b"e933SEDF$it:%I9.+Kr=LST"x< H$-Z$MD3g"(yyy7tMhdDvvv QwQSSc1L&CPwwwgg W?.0AZj "/uUUU(wqGCCHZ\|___O: /F7n\|`ec`p=,~Q??22nMUi<yUU2,\|kjftul>\|\|MC=\wuTt@H$ISv^x6 uQ</p //EI!5M#(tp -2"_gET$IO>-R4]^o__mqt]uxr8q,766[4RUUUU/YDp8&:i;'u]w(:O?L04:curM(D2z{{I =DKK( phoD pSeYnhh5REqF-[s@ssscc#w2gl4`f8)WTTX1Fc}Yt]g}wx{!Q#GpqDI@snm/A<L]]4MEIkk sWWWOO9m`0xwnUUcTTTP"`SVV\| 'Ewynp8~0Xm@ 1<<L$%CCC---n[Q#GvBKH"bII "~x +1333:TPPJyg87%%%CWP(TRReXSS,t5Mq29;cs$yp"f$i``."Czu8m O:Ik+IHRp8+##bX_@APe:tuu=(8u /^<z("F"3gTWWRBg,se8Kwmsn>R9YCc>(---,,8v"vtt8n"q%9990::j166F^{-tT^/EQ]v[)Ht: &H0c^<uuu~abpuww;v{fx/_;wH$_ 11_ZZ 6mzL233zpp\|q3j/rccXMM w;w?~a;It%?:??_-H BYYYqQoVVVQQSR,9K.x^wP(TQQOEymm-"=zINd)9oN<x MMM_="BQ@?Hx 8Y1jy}}}.kZ3^{5===@TL$UB $k.wbli,rJrvB"YYYT'mT+*$jXUU;{,TJ#5bA>lNj(^z{;w' A 9},Xlko'z'7nhLw^r%^$^~7?Swv>!m_`xx8{^QcDAAAFFPqq1F{zz~x<rnJiS$^\\ogO4.\8~x$4pU\s (?/k&<? "Ulw-KWN{ks0}0%Ze><_&bXa`1l,M 6&bXa`1l,c.k<IENDB`
RT_GROUP_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x4795c	90
RT_MANIFEST	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x479b8	1293	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language=""/> </dependentAssembly> </dependency> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x46e4c

2829

RT_GROUP_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x4795c

RT_MANIFEST

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x479b8

1293

Packers detected 2

Microsoft Visual C++ 8.0 (DLL)
Microsoft Visual C++ 8.0

Anti debug functions 7

GetLastError
GetWindowThreadProcessId
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Compressed
bbase_library.zip
base_library.zip
Text
bcolorful-0.5.5.dist-info\top_level.txt
bcolorful\data\rgb.txt
Library
mscoree.dll
ADVAPI32.dll
ucrtbase.dll
bpython310.dll
bapi-ms-win-crt-runtime-l1-1-0.dll
bapi-ms-win-core-rtlsupport-l1-1-0.dll
bapi-ms-win-core-file-l1-2-0.dll
bapi-ms-win-crt-environment-l1-1-0.dll
USER32.dll
bapi-ms-win-core-namedpipe-l1-1-0.dll
bapi-ms-win-core-util-l1-1-0.dll
KERNEL32.dll
bapi-ms-win-core-timezone-l1-1-0.dll
bapi-ms-win-core-file-l2-1-0.dll
bapi-ms-win-crt-filesystem-l1-1-0.dll
6python310.dll
bapi-ms-win-core-string-l1-1-0.dll
bapi-ms-win-core-console-l1-1-0.dll
bapi-ms-win-core-sysinfo-l1-1-0.dll
blibcrypto-1_1.dll
bapi-ms-win-core-processenvironment-l1-1-0.dll
bapi-ms-win-crt-convert-l1-1-0.dll
bapi-ms-win-crt-stdio-l1-1-0.dll
bapi-ms-win-core-processthreads-l1-1-1.dll
bapi-ms-win-core-localization-l1-2-0.dll
bapi-ms-win-core-heap-l1-1-0.dll
bapi-ms-win-core-file-l1-1-0.dll
bapi-ms-win-core-datetime-l1-1-0.dll
bapi-ms-win-core-libraryloader-l1-1-0.dll
bapi-ms-win-core-memory-l1-1-0.dll
bapi-ms-win-core-handle-l1-1-0.dll
bapi-ms-win-crt-utility-l1-1-0.dll
bapi-ms-win-core-errorhandling-l1-1-0.dll
blibffi-7.dll
bapi-ms-win-crt-locale-l1-1-0.dll
bapi-ms-win-crt-conio-l1-1-0.dll
bucrtbase.dll
bapi-ms-win-crt-math-l1-1-0.dll
bapi-ms-win-core-interlocked-l1-1-0.dll
bVCRUNTIME140.dll
bapi-ms-win-core-synch-l1-1-0.dll
bapi-ms-win-core-debug-l1-1-0.dll
Bapi-ms-win-core-synch-l1-2-0.dll
bapi-ms-win-crt-string-l1-1-0.dll
bapi-ms-win-crt-heap-l1-1-0.dll
bapi-ms-win-crt-time-l1-1-0.dll
bapi-ms-win-core-processthreads-l1-1-0.dll
bapi-ms-win-core-profile-l1-1-0.dll
bapi-ms-win-crt-process-l1-1-0.dll

Strings analysis - Possible URLs found 1

http://schemas.microsoft.com/SMI/2016/WindowsSettings

Import functions

ADVAPI32.dll 4 KERNEL32.dll 102 USER32.dll 2

Function	Address	Souspicious	Anti Debug
ConvertSidToStringSidW	0x14002b000
GetTokenInformation	0x14002b008
OpenProcessToken	0x14002b010
ConvertStringSecurityDescriptorToSecurityDescriptorW	0x14002b018

Function	Address	Souspicious	Anti Debug
GetModuleFileNameW	0x14002b028
CreateSymbolicLinkW	0x14002b030
GetProcAddress	0x14002b038
GetCommandLineW	0x14002b040
GetEnvironmentVariableW	0x14002b048
SetEnvironmentVariableW	0x14002b050
ExpandEnvironmentStringsW	0x14002b058
CreateDirectoryW	0x14002b060
GetTempPathW	0x14002b068
WaitForSingleObject	0x14002b070
Sleep	0x14002b078
GetExitCodeProcess	0x14002b080
CreateProcessW	0x14002b088
SetDllDirectoryW	0x14002b090
FreeLibrary	0x14002b098
LoadLibraryExW	0x14002b0a0
SetConsoleCtrlHandler	0x14002b0a8
FindClose	0x14002b0b0
FindFirstFileExW	0x14002b0b8
CloseHandle	0x14002b0c0
GetCurrentProcess	0x14002b0c8
GetCurrentProcessId	0x14002b0d0
LocalFree	0x14002b0d8
FormatMessageW	0x14002b0e0
MultiByteToWideChar	0x14002b0e8
WideCharToMultiByte	0x14002b0f0
GetConsoleWindow	0x14002b0f8
GetTimeZoneInformation	0x14002b100
GetLastError	0x14002b108
HeapSize	0x14002b110
WriteConsoleW	0x14002b118
GetStartupInfoW	0x14002b120
TlsSetValue	0x14002b128
RtlCaptureContext	0x14002b130
RtlLookupFunctionEntry	0x14002b138
RtlVirtualUnwind	0x14002b140
UnhandledExceptionFilter	0x14002b148
SetUnhandledExceptionFilter	0x14002b150
TerminateProcess	0x14002b158
IsProcessorFeaturePresent	0x14002b160
QueryPerformanceCounter	0x14002b168
GetCurrentThreadId	0x14002b170
GetSystemTimeAsFileTime	0x14002b178
InitializeSListHead	0x14002b180
IsDebuggerPresent	0x14002b188
GetModuleHandleW	0x14002b190
RtlUnwindEx	0x14002b198
SetLastError	0x14002b1a0
EnterCriticalSection	0x14002b1a8
LeaveCriticalSection	0x14002b1b0
DeleteCriticalSection	0x14002b1b8
InitializeCriticalSectionAndSpinCount	0x14002b1c0
TlsAlloc	0x14002b1c8
TlsGetValue	0x14002b1d0
SetEndOfFile	0x14002b1d8
TlsFree	0x14002b1e0
EncodePointer	0x14002b1e8
RaiseException	0x14002b1f0
RtlPcToFileHeader	0x14002b1f8
GetCommandLineA	0x14002b200
CreateFileW	0x14002b208
GetDriveTypeW	0x14002b210
GetFileInformationByHandle	0x14002b218
GetFileType	0x14002b220
PeekNamedPipe	0x14002b228
SystemTimeToTzSpecificLocalTime	0x14002b230
FileTimeToSystemTime	0x14002b238
GetFullPathNameW	0x14002b240
RemoveDirectoryW	0x14002b248
FindNextFileW	0x14002b250
SetStdHandle	0x14002b258
DeleteFileW	0x14002b260
ReadFile	0x14002b268
GetStdHandle	0x14002b270
WriteFile	0x14002b278
ExitProcess	0x14002b280
GetModuleHandleExW	0x14002b288
HeapFree	0x14002b290
GetConsoleMode	0x14002b298
ReadConsoleW	0x14002b2a0
SetFilePointerEx	0x14002b2a8
GetConsoleOutputCP	0x14002b2b0
GetFileSizeEx	0x14002b2b8
HeapAlloc	0x14002b2c0
FlsAlloc	0x14002b2c8
FlsGetValue	0x14002b2d0
FlsSetValue	0x14002b2d8
FlsFree	0x14002b2e0
CompareStringW	0x14002b2e8
LCMapStringW	0x14002b2f0
GetCurrentDirectoryW	0x14002b2f8
FlushFileBuffers	0x14002b300
HeapReAlloc	0x14002b308
GetFileAttributesExW	0x14002b310
GetStringTypeW	0x14002b318
IsValidCodePage	0x14002b320
GetACP	0x14002b328
GetOEMCP	0x14002b330
GetCPInfo	0x14002b338
GetEnvironmentStringsW	0x14002b340
FreeEnvironmentStringsW	0x14002b348
GetProcessHeap	0x14002b350

Function	Address	Souspicious	Anti Debug
GetWindowThreadProcessId	0x14002b360
ShowWindow	0x14002b368