66d1b41544279_build.exe

First submission 2024-08-30 18:19:05

File details

File type: PE32+ executable (GUI) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 13047.5 KB (13360640 bytes)
Compile time: 2024-08-30 13:17:38
MD5: 084e0e9053875ee1c7eb25799b4f2a55
SHA1: a2ca6af5fa9d82cd2b247eee13591b3b0754a457
SHA256: e242523ba15340f0001135ef832d6c5a90e1349b0bbfa09f92737832dec60836
Import Hash: 5baf00027826d0a6cac39c60cf82fa58
Sections 11 .text .data .bss .idata .didata .edata .tls .rdata .reloc .pdata .rsrc
Directories 5 import export resource tls relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

URLs, FQDN and IP indicators 1

URL: hXXp://147.45.44.104/yuop/66d1b41544279_build.exe
Host (FQDN/IP): 147.45.44.104
Date Added: 2024-08-30 18:19:05

PE Sections 3 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x83f590 8648192 02fe785996dfd09047d3b834983ca57756184699 c603219782c9e4d2aa1e7d605c43074d
.data 0x841000 0xb12b8 726016 68be1b65044b18fb032fee77b9100cd1ed580b70 8411c65768a83fdc82ca394d97787cdd
.bss 0x8f3000 0x1f05c 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.idata 0x913000 0x5136 20992 05448398589547fe2d549e831eaed36db98c7d36 4171d604f09f1d70b68ba307edf440a6
.didata 0x919000 0x910c 37376 3bc22f7792327999d55a851719ee849eff1d888e eb475e0a81a3470f84c13fbc71bd63b0
.edata 0x923000 0xa0 512 22fa2ec72c2974d09b2218b60271e48ff91a7637 4a2a3a7245d18d778290360a3da1a72a
.tls 0x924000 0x1e4 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x925000 0x6d 512 233668b10aa7a940aa95c2ddc2df27735f0cd067 2ec25ac50027ad2a12398e6bbcf193d4
.reloc 0x926000 0x7616c 483840 e3c9f4d7c4ecda8a3b5e9c51a3916dbed11942ac 2b435f389f6f467bd12ebbe7ef4963a3
.pdata 0x99d000 0x6aa28 437248 b58beb6609b1e36106c28eeea9c1f4c0bd758986 ab7f41e3d43974d02f42ea842ccb8b70
.rsrc 0xa08000 0x2dda00 3004928 09ca300772966398c8140f5ace105e49668801ad 702e2b00b9f6042a294af7dcb695af72

PE Resources 7

Name Language Sublanguage Offset Size Data
RT_CURSOR LANG_ENGLISH SUBLANG_ENGLISH_US 0xa0932c 308
RT_ICON LANG_CATALAN SUBLANG_ARABIC_LIBYA 0xa09460 67624
RT_STRING LANG_NEUTRAL SUBLANG_NEUTRAL 0xa20920 772
RT_RCDATA LANG_ENGLISH SUBLANG_ENGLISH_US 0xc8fe10 350221
RT_GROUP_CURSOR LANG_ENGLISH SUBLANG_ENGLISH_US 0xce5698 20
RT_GROUP_ICON LANG_CATALAN SUBLANG_ARABIC_LIBYA 0xce56ac 20
RT_VERSION LANG_NEUTRAL SUBLANG_NEUTRAL 0xce56c0 740

Meta infos 9

LegalCopyright: Copyright (C) 2005-2014. All rights reserved.
InternalName: 1StepDVDCopy.exe
FileVersion: 4.5.4.1
CompanyName:
ProductVersion: 4.5.4.1
FileDescription: 1StepDVDCopy.exe
Translation: 0x0000 0x04b0
OriginalFilename: 1StepDVDCopy.exe
ProductName:

Anti debug functions 8

FindWindowExW
FindWindowW
GetLastError
GetWindowThreadProcessId
IsDebuggerPresent
OutputDebugStringW
RaiseException
UnhandledExceptionFilter

Anti VM functions 1

VMCheck.dll

Strings analysis - File found

Library
d2d1.dll
USER32.dll
KERNEL32.dll
UxTheme.dll
d3d10_1.dll
COMCTL32.dll
DWrite.dll
ole32.dll
IMM32.dll
d3d11.dll
OLEAUT32.dll
d3d10.dll
MSVCRT.dll
WINMM.dll
WTSAPI32.dll
COMDLG32.dll
MSIMG32.dll
dwmapi.dll
ADVAPI32.dll
GDI32.dll
gdiplus.dll
WindowsCodecs.dll
VERSION.dll
d3d9.dll
SHELL32.dll

Strings analysis - Possible IPs found 2

4.5.4.1 (same value as the FileVersion/ProductVersion fields above; most likely a version string matched by the IP pattern rather than a network indicator)
3.0.0.16

Import functions

PE Exports 3 suspicious

Function Address
TMethodImplementationIntercept 0x49f500
__dbk_fcall_wrapper 0x417bc0
dbkFCallWrapperAddr 0xcf7f58