DigitalSide Threat Intel

utility-inst.exe

First submission 2024-10-13 07:39:02

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 1723.02 KB (1764368 bytes)
Compile time: 2023-02-15 15:54:16
MD5: 0d43698dffc5ee744f805a699df25c00
SHA1: c914a0238381f03d2558bedd423228ba3e4e0040
SHA256: de14c3b860519dc781aaee813d4fa3adc67d7653c544327f8d26d5b386564712
Import Hash : e569e6f445d32ba23766ad67d1e3787f
Sections 10 .text .itext .data .bss .idata .didata .edata .tls .rdata .rsrc
Directories 4 import export resource tls

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 36/77 VT report date: 2024-10-13 01:52:56
Malware Type 2 trojan downloader
Threat Type 3 offloader amadey yxejkz

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://185.215.113.16/inc/utility-inst.exe VirusTotal Report 185.215.113.16 VirusTotal Report 2024-10-13 07:39:02

PE Sections 2 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0xb39e4 735744 343a0e7ec6c87dae257270b90b9988a3ff95a078 43af0a9476ca224d8e8461f1e22c94da
.itext 0xb5000 0x1688 6144 171aebbe52333ffd36593522a712b96644b565e5 185e04b9a1f554e31f7f848515dc890c
.data 0xb7000 0x37a4 14336 7a25edc4b9ed265b2ce19bbb507bad1985c6793e cab2107c933b696aa5cf0cc6c3fd3980
.bss 0xbb000 0x6de8 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.idata 0xc2000 0xfdc 4096 b7d043cca31864ef4b86887de77ebb3db089c2bd e7d1635e2624b124cfdce6c360ac21cd
.didata 0xc3000 0x1a4 512 fc7a6c0a1f7068ea13be23c825b3ea7a9f3ea676 8ced971d8a7705c98b173e255d8c9aa7
.edata 0xc4000 0x9a 512 f602c8394c4325ebe7c172a76ee1b74fa463888b 8d4e1e508031afe235bf121c80fd7d5f
.tls 0xc5000 0x18 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xc6000 0x5d 512 735078338d2c5f1b3f162ce296611076a9ddcf02 8f2f090acd9622c88a6a852e72f94e96
.rsrc 0xc7000 0x11000 69632 e9c66de8c642620a11b3ee6b7a523e1e7fd7a6c1 dc6585b5b13c096f53bc11051443b78f

PE Resources 6

Name Language Sublanguage Offset Size Data
RT_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0xd4998 1128
RT_STRING LANG_NEUTRAL SUBLANG_NEUTRAL 0xd6ac4 676
RT_RCDATA LANG_NEUTRAL SUBLANG_NEUTRAL 0xd703c 44
RT_GROUP_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0xd7068 188
RT_VERSION LANG_ENGLISH SUBLANG_ENGLISH_US 0xd7124 1412
RT_MANIFEST LANG_ENGLISH SUBLANG_ENGLISH_US 0xd76a8 1960

Meta infos 9

LegalCopyright:
OriginalFileName:
FileVersion:
CompanyName:
ProductVersion: 1.0
FileDescription: UtilityInst Setup
Translation: 0x0000 0x04b0
Comments: This installation was built with Inno Setup.
ProductName: UtilityInst

Packers detected 2

Borland Delphi 3.0 (???)
Borland Delphi 4.0

Anti debug functions 3

GetLastError
RaiseException
UnhandledExceptionFilter

Strings analysis - File found

Library
USERENV.dll
ntmarta.dll
comres.dll
propsys.dll
KERNEL32.dll
OLEAUT32.dll
cryptbase.dll
UxTheme.dll
OLEACC.dll
profapi.dll
VERSION.dll
dwmapi.dll
apphelp.dll
ntdll.dll
clbcatq.dll
SHELL32.dll
SETUPAPI.dll
USER32.dll
NETAPI32.dll
COMCTL32.dll
ADVAPI32.dll

Strings analysis - Possible URLs found 2

https://jrsoftware.org/ishelp/index.php?topic=setupcmdline
http://schemas.microsoft.com/SMI/2005/WindowsSettings

Import functions

Function Address Souspicious Anti Debug
GetFileVersionInfoSizeW 0x4c2490
VerQueryValueW 0x4c2494
GetFileVersionInfoW 0x4c2498
Function Address Souspicious Anti Debug
GetACP 0x4c22f4
GetExitCodeProcess 0x4c22f8
LocalFree 0x4c22fc
CloseHandle 0x4c2300
SizeofResource 0x4c2304
VirtualProtect 0x4c2308
VirtualFree 0x4c230c
GetFullPathNameW 0x4c2310
ExitProcess 0x4c2314
HeapAlloc 0x4c2318
GetCPInfoExW 0x4c231c
RtlUnwind 0x4c2320
GetCPInfo 0x4c2324
GetStdHandle 0x4c2328
GetModuleHandleW 0x4c232c
FreeLibrary 0x4c2330
HeapDestroy 0x4c2334
ReadFile 0x4c2338
CreateProcessW 0x4c233c
GetLastError 0x4c2340
GetModuleFileNameW 0x4c2344
SetLastError 0x4c2348
FindResourceW 0x4c234c
CreateThread 0x4c2350
CompareStringW 0x4c2354
LoadLibraryA 0x4c2358
ResetEvent 0x4c235c
GetVersion 0x4c2360
RaiseException 0x4c2364
FormatMessageW 0x4c2368
SwitchToThread 0x4c236c
GetExitCodeThread 0x4c2370
GetCurrentThread 0x4c2374
LoadLibraryExW 0x4c2378
LockResource 0x4c237c
GetCurrentThreadId 0x4c2380
UnhandledExceptionFilter 0x4c2384
VirtualQuery 0x4c2388
VirtualQueryEx 0x4c238c
Sleep 0x4c2390
EnterCriticalSection 0x4c2394
SetFilePointer 0x4c2398
LoadResource 0x4c239c
SuspendThread 0x4c23a0
GetTickCount 0x4c23a4
GetFileSize 0x4c23a8
GetStartupInfoW 0x4c23ac
GetFileAttributesW 0x4c23b0
InitializeCriticalSection 0x4c23b4
GetSystemWindowsDirectoryW 0x4c23b8
GetThreadPriority 0x4c23bc
SetThreadPriority 0x4c23c0
GetCurrentProcess 0x4c23c4
VirtualAlloc 0x4c23c8
GetSystemInfo 0x4c23cc
GetCommandLineW 0x4c23d0
LeaveCriticalSection 0x4c23d4
GetProcAddress 0x4c23d8
ResumeThread 0x4c23dc
GetVersionExW 0x4c23e0
VerifyVersionInfoW 0x4c23e4
HeapCreate 0x4c23e8
GetWindowsDirectoryW 0x4c23ec
VerSetConditionMask 0x4c23f0
GetDiskFreeSpaceW 0x4c23f4
FindFirstFileW 0x4c23f8
GetUserDefaultUILanguage 0x4c23fc
lstrlenW 0x4c2400
QueryPerformanceCounter 0x4c2404
SetEndOfFile 0x4c2408
HeapFree 0x4c240c
WideCharToMultiByte 0x4c2410
FindClose 0x4c2414
MultiByteToWideChar 0x4c2418
LoadLibraryW 0x4c241c
SetEvent 0x4c2420
CreateFileW 0x4c2424
GetLocaleInfoW 0x4c2428
GetSystemDirectoryW 0x4c242c
DeleteFileW 0x4c2430
GetLocalTime 0x4c2434
GetEnvironmentVariableW 0x4c2438
WaitForSingleObject 0x4c243c
WriteFile 0x4c2440
ExitThread 0x4c2444
DeleteCriticalSection 0x4c2448
TlsGetValue 0x4c244c
GetDateFormatW 0x4c2450
SetErrorMode 0x4c2454
IsValidLocale 0x4c2458
TlsSetValue 0x4c245c
CreateDirectoryW 0x4c2460
GetSystemDefaultUILanguage 0x4c2464
EnumCalendarInfoW 0x4c2468
LocalAlloc 0x4c246c
GetUserDefaultLangID 0x4c2470
RemoveDirectoryW 0x4c2474
CreateEventW 0x4c2478
SetThreadLocale 0x4c247c
GetThreadLocale 0x4c2480
Function Address Souspicious Anti Debug
SysAllocStringLen 0x4c24e4
SafeArrayPtrOfIndex 0x4c24e8
VariantCopy 0x4c24ec
SafeArrayGetLBound 0x4c24f0
SafeArrayGetUBound 0x4c24f4
VariantInit 0x4c24f8
VariantClear 0x4c24fc
SysFreeString 0x4c2500
SysReAllocStringLen 0x4c2504
VariantChangeType 0x4c2508
SafeArrayCreate 0x4c250c
Function Address Souspicious Anti Debug
NetWkstaGetInfo 0x4c2514
NetApiBufferFree 0x4c2518
Function Address Souspicious Anti Debug
ConvertStringSecurityDescriptorToSecurityDescriptorW 0x4c2520
RegQueryValueExW 0x4c2524
AdjustTokenPrivileges 0x4c2528
GetTokenInformation 0x4c252c
ConvertSidToStringSidW 0x4c2530
LookupPrivilegeValueW 0x4c2534
RegCloseKey 0x4c2538
OpenProcessToken 0x4c253c
RegOpenKeyExW 0x4c2540
Function Address Souspicious Anti Debug
CreateWindowExW 0x4c24a0
TranslateMessage 0x4c24a4
CharLowerBuffW 0x4c24a8
CallWindowProcW 0x4c24ac
CharUpperW 0x4c24b0
PeekMessageW 0x4c24b4
GetSystemMetrics 0x4c24b8
SetWindowLongW 0x4c24bc
MessageBoxW 0x4c24c0
DestroyWindow 0x4c24c4
CharUpperBuffW 0x4c24c8
CharNextW 0x4c24cc
MsgWaitForMultipleObjects 0x4c24d0
LoadStringW 0x4c24d4
ExitWindowsEx 0x4c24d8
DispatchMessageW 0x4c24dc
Function Address Souspicious Anti Debug
InitCommonControls 0x4c2488

PE Exports 3 suspicious

Function Address
TMethodImplementationIntercept 0x4541a8
__dbk_fcall_wrapper 0x40d0a0
dbkFCallWrapperAddr 0x4be63c

Related files by ImpHash 8 e569e6f445d32ba23766ad67d1e3787f

Name Latest seen MD5
unknown.exe 2022-10-04 20:08:02 49dc8a730f78a0fbd887d897b6b0b0d9
TradingVIew.exe 2023-03-30 21:00:19 c7c8ceb388bcd30a71d6bc892713d4e2
SecHorST.exe 2023-05-11 08:21:02 bec821cc9ca7762dd50f48d0cf4344cd
clnsetup.exe 2023-05-15 09:55:05 a5087cf0193854a455afcc4533fd7acf
setup.exe 2023-06-20 16:13:04 c44f108197b7b0b2a1f5fe5ffe1e8743
setup%E8%87%AA%E6%9F%A5%E5%85%A5%E5%8F%A3.exe 2024-05-29 11:13:52 068fb7605542cd8350ed34ec2d767856
utility-installer.exe 2024-10-03 21:31:16 05bf0fb13746875a2b7b9082200f7dc0
2927.exe 2024-10-16 21:33:02 f734d3c885625d361b085cfc8af1fc25