FreeMenuF7.exe?ex=670c6a4f&is=670b18cf&hm=708940c07a26aaf3672b4ecc443356a73d7db9284ddace557e866ab656ed23b4&

First submission 2024-10-13 17:37:02

File details

File type:	PE32+ executable (console) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	7571.16 KB (7752871 bytes)
Compile time:	2024-09-22 12:55:57
MD5:	1069ade6b99d29bfe4d0526e23ed714d
SHA1:	47fe8ecfe75b239ed1d5eb8b867a1a9f091c510c
SHA256:	c2973f7cacf16cecac8e6794c37039697a4c91814cc2706434a3e8d175cbc6d3
Import Hash :	a06f302f71edd380da3d5bf4a6d94ebd
Sections 6	.text .rdata .data .pdata .rsrc .reloc
Directories 5	import resource debug relocation security

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	45/77 VT report date: 2024-10-12 19:48:16
Malware Type 1	trojan
Threat Type 3	tedy python pyinstaller

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXps://cdn.discordapp.com/attachments/1292492515546497107/1294642793238499459/FreeMenuF7.exe?ex=670c6a4f&is=670b18cf&hm=708940c07a26aaf3672b4ecc443356a73d7db9284ddace557e866ab656ed23b4&	cdn.discordapp.com	2024-10-13 17:37:02

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x2b110	176640	ea200f32c9b32ca6d80cc06d709db3e6a5557f73	55ff5ed922edfe0b0c10734c674f4ee4
.rdata	0x2d000	0x12842	76288	12cf0f1482c667d2b07223b5e81c24176f91238f	56249b92af6fd6fa0d103d9b82bcce17
.data	0x40000	0x5408	3584	249cf6b3c95e5782a7f27c661b5f018c45d7745c	aff56347f897785154c53727472c548d
.pdata	0x46000	0x22f8	9216	b5fd13ef0a20267ee6c023bcfed00a928a687dfd	57f77a295f3be6e2a8e90035dde19ce2
.rsrc	0x49000	0x948	2560	86c789a0d468c7bf8e77794fbd693ea1b0c38ba3	c6bc22c65b6982797e1530776295597c
.reloc	0x4a000	0x768	2048	e599e91a866af587afec0cc6408b4eaba8188703	42d6242177dbae8e11ed5d64b87d0d48

PE Resources 2

Name	Language	Sublanguage	Offset	Size	Data
RT_VERSION	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x490a0	920	PE Resource: RT_VERSION - Data 4VS_VERSION_INFO aJ aJ?StringFileInfo040904B0LCompanyNameMicrosoft Corporation>FileDescriptionCTF Loaderh$FileVersion10.0.19041.1 (WinBuild.160101.0800).InternalNameCTFMON.LegalCopyright Microsoft Corporation. All rights reserved.>OriginalFilenameCTFMON.EXEj%ProductNameMicrosoft Windows Operating System> ProductVersion10.0.19041.1,OleSelfRegisterDDVarFileInfo$Translation
RT_MANIFEST	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x49438	1293	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language=""/> </dependentAssembly> </dependency> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_VERSION

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x490a0

920

RT_MANIFEST

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x49438

1293

Meta infos 10

LegalCopyright:	\xa9 Microsoft Corporation. All rights reserved.
OleSelfRegister:	D
InternalName:	CTFMON
FileVersion:	10.0.19041.1 (WinBuild.160101.0800)
CompanyName:	Microsoft Corporation
ProductVersion:	10.0.19041.1
FileDescription:	CTF Loader
Translation:	0x0409 0x04b0
OriginalFilename:	CTFMON.EXE
ProductName:	Microsoft\xae Windows\xae Operating System

Packers detected 2

Microsoft Visual C++ 8.0 (DLL)
Microsoft Visual C++ 8.0

Anti debug functions 7

GetLastError
GetWindowThreadProcessId
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

File signature

MD5	SHA1	Block size	Virtual Address
7c376d23b11698129fdaaac7b6b5b8d4	b2d43454932979d82015c1b8eb8f22393f421099	9288	7743583

Strings analysis - File found

Compressed
base_library.zip
bbase_library.zip
Library
mscoree.dll
vcruntime140.dll
ADVAPI32.dll
bsqlite3.dll
KERNEL32.dll
7python311.dll
ucrtbase.dll
bpython311.dll
bVCRUNTIME140.dll
blibcrypto-3.dll
USER32.dll
blibffi-8.dll
blibssl-3.dll

Strings analysis - Possible URLs found 18

http://s.symcb.com/universal-root.crl0
http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
http://ocsp.comodoca.com0
https://sectigo.com/CPS0
http://ocsp.sectigo.com0$
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
http://ocsp.sectigo.com0
http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
http://ts-ocsp.ws.symantec.com0;
https://d.symcb.com/rpa0@
https://d.symcb.com/cps0%
http://schemas.microsoft.com/SMI/2016/WindowsSettings
https://d.symcb.com/rpa0.
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
http://s.symcd.com06
http://crl.comodoca.com/AAACertificateServices.crl04

Import functions

ADVAPI32.dll 4 KERNEL32.dll 107 USER32.dll 14

Function	Address	Souspicious	Anti Debug
ConvertSidToStringSidW	0x14002d000
GetTokenInformation	0x14002d008
OpenProcessToken	0x14002d010
ConvertStringSecurityDescriptorToSecurityDescriptorW	0x14002d018

Function	Address	Souspicious	Anti Debug
GetTimeZoneInformation	0x14002d028
GetProcessHeap	0x14002d030
FreeEnvironmentStringsW	0x14002d038
GetEnvironmentStringsW	0x14002d040
GetCPInfo	0x14002d048
GetOEMCP	0x14002d050
GetACP	0x14002d058
IsValidCodePage	0x14002d060
GetStringTypeW	0x14002d068
FormatMessageW	0x14002d070
GetLastError	0x14002d078
GetModuleFileNameW	0x14002d080
LoadLibraryExW	0x14002d088
SetDllDirectoryW	0x14002d090
CreateSymbolicLinkW	0x14002d098
GetProcAddress	0x14002d0a0
CreateDirectoryW	0x14002d0a8
GetCommandLineW	0x14002d0b0
GetEnvironmentVariableW	0x14002d0b8
ExpandEnvironmentStringsW	0x14002d0c0
DeleteFileW	0x14002d0c8
FindClose	0x14002d0d0
FindFirstFileW	0x14002d0d8
FindNextFileW	0x14002d0e0
HeapSize	0x14002d0e8
RemoveDirectoryW	0x14002d0f0
GetTempPathW	0x14002d0f8
CloseHandle	0x14002d100
QueryPerformanceCounter	0x14002d108
QueryPerformanceFrequency	0x14002d110
WaitForSingleObject	0x14002d118
Sleep	0x14002d120
GetCurrentProcess	0x14002d128
GetCurrentProcessId	0x14002d130
TerminateProcess	0x14002d138
GetExitCodeProcess	0x14002d140
CreateProcessW	0x14002d148
GetStartupInfoW	0x14002d150
FreeLibrary	0x14002d158
LocalFree	0x14002d160
SetConsoleCtrlHandler	0x14002d168
GetConsoleWindow	0x14002d170
K32EnumProcessModules	0x14002d178
K32GetModuleFileNameExW	0x14002d180
CreateFileW	0x14002d188
FindFirstFileExW	0x14002d190
GetFinalPathNameByHandleW	0x14002d198
MultiByteToWideChar	0x14002d1a0
WideCharToMultiByte	0x14002d1a8
GetFileAttributesExW	0x14002d1b0
HeapReAlloc	0x14002d1b8
WriteConsoleW	0x14002d1c0
SetEndOfFile	0x14002d1c8
GetDriveTypeW	0x14002d1d0
IsDebuggerPresent	0x14002d1d8
RtlCaptureContext	0x14002d1e0
RtlLookupFunctionEntry	0x14002d1e8
RtlVirtualUnwind	0x14002d1f0
UnhandledExceptionFilter	0x14002d1f8
SetUnhandledExceptionFilter	0x14002d200
IsProcessorFeaturePresent	0x14002d208
GetCurrentThreadId	0x14002d210
GetSystemTimeAsFileTime	0x14002d218
InitializeSListHead	0x14002d220
GetModuleHandleW	0x14002d228
RtlUnwindEx	0x14002d230
SetLastError	0x14002d238
EnterCriticalSection	0x14002d240
LeaveCriticalSection	0x14002d248
DeleteCriticalSection	0x14002d250
InitializeCriticalSectionAndSpinCount	0x14002d258
TlsAlloc	0x14002d260
TlsGetValue	0x14002d268
TlsSetValue	0x14002d270
TlsFree	0x14002d278
EncodePointer	0x14002d280
RaiseException	0x14002d288
RtlPcToFileHeader	0x14002d290
GetFileInformationByHandle	0x14002d298
GetFileType	0x14002d2a0
PeekNamedPipe	0x14002d2a8
SystemTimeToTzSpecificLocalTime	0x14002d2b0
FileTimeToSystemTime	0x14002d2b8
ReadFile	0x14002d2c0
GetFullPathNameW	0x14002d2c8
SetStdHandle	0x14002d2d0
GetStdHandle	0x14002d2d8
WriteFile	0x14002d2e0
ExitProcess	0x14002d2e8
GetModuleHandleExW	0x14002d2f0
GetCommandLineA	0x14002d2f8
HeapFree	0x14002d300
GetConsoleMode	0x14002d308
ReadConsoleW	0x14002d310
SetFilePointerEx	0x14002d318
GetConsoleOutputCP	0x14002d320
GetFileSizeEx	0x14002d328
HeapAlloc	0x14002d330
FlsAlloc	0x14002d338
FlsGetValue	0x14002d340
FlsSetValue	0x14002d348
FlsFree	0x14002d350
CompareStringW	0x14002d358
LCMapStringW	0x14002d360
GetCurrentDirectoryW	0x14002d368
FlushFileBuffers	0x14002d370
SetEnvironmentVariableW	0x14002d378

Function	Address	Souspicious	Anti Debug
TranslateMessage	0x14002d388
ShutdownBlockReasonCreate	0x14002d390
GetWindowThreadProcessId	0x14002d398
SetWindowLongPtrW	0x14002d3a0
GetWindowLongPtrW	0x14002d3a8
MsgWaitForMultipleObjects	0x14002d3b0
ShowWindow	0x14002d3b8
DestroyWindow	0x14002d3c0
CreateWindowExW	0x14002d3c8
RegisterClassW	0x14002d3d0
DefWindowProcW	0x14002d3d8
PeekMessageW	0x14002d3e0
DispatchMessageW	0x14002d3e8
GetMessageW	0x14002d3f0

Name	Latest seen	MD5
RezWareUpdater.exe?ex=670cae4b&is=670b5ccb&hm=6b7767e2959bba7239b160100573375d95ac04f204f064ca6d9161caf5dd4d0e&	2024-10-13 18:25:03	caf83d29d4db7764696f1c225317fe16
oconsole.exe	2024-10-16 08:19:03	a6ff47344d0188ec4c26dc435698a477