PrintSpoofer64.exe

First submission 2024-10-11 21:42:03

File details

File type:	PE32+ executable (console) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	26.5 KB (27136 bytes)
Compile time:	2020-09-10 19:43:27
MD5:	108da75de148145b8f056ec0827f1665
SHA1:	188098b9caf3bc4d1b68dcad50d2e1cbd2e9d519
SHA256:	8524fbc0d73e711e69d60c64f1f1b7bef35c986705880643dd4d5e17779e586d
Import Hash :	545a81240793f9ca97306fa5b3ad76df
Sections 6	.text .rdata .data .pdata .rsrc .reloc
Directories 4	import resource debug relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	58/77 VT report date: 2024-09-23 11:58:01
Malware Type 2	hacktool trojan
Threat Type 3	printspoofer printer expl

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://34.142.201.103:8443/PrintSpoofer64.exe	34.142.201.103	2024-10-11 21:42:03

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x1da8	7680	ba65a9639ef6e2d14fe81750b8415ac67568f2d3	b9328487d16792e446669718942b1f30
.rdata	0x3000	0x3d16	15872	ea68d8197f6b41f2596fe645446f4ed5ca5f5872	473ad5e2580a6798c7b3984145d0db3d
.data	0x7000	0x650	512	599b17bf94a08deb831c54748da8a829caf16fd9	df472dc55d3b30057eb5fc703f6e33fa
.pdata	0x8000	0x2ac	1024	bf544d1d6360501c34fc747f4a269839ef22b291	74f16c2146368d9c8d960f0ce5da4cff
.rsrc	0x9000	0x1e0	512	53b0a43a879cf778730d8bd7309f76d73d40a678	fb20ae2a7910d36ef7e1ed0b22953dbf
.reloc	0xa000	0x128	512	c134954e542841b3b04cb0bb4b42cbe25597d047	153660ca73c2cf8a68d0777ebbba0adc

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x9060	381	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_MANIFEST

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x9060

381

Packers detected 1

Microsoft Visual C++ 8.0 (DLL)

Anti debug functions 5

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Library
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
USERENV.dll
KERNEL32.dll
api-ms-win-crt-locale-l1-1-0.dll
vcruntime140.dll
api-ms-win-crt-convert-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
ADVAPI32.dll
rpcrt4.dll

Strings analysis - Possible IPs found 1

10.10.13.37

Import functions

api-ms-win-crt-heap-l1-1-0.dll 3 api-ms-win-crt-convert-l1-1-0.dll 1 api-ms-win-crt-string-l1-1-0.dll 1 api-ms-win-crt-runtime-l1-1-0.dll 18 KERNEL32.dll 25 VCRUNTIME140.dll 4 ADVAPI32.dll 13 RPCRT4.dll 7 api-ms-win-crt-stdio-l1-1-0.dll 6 api-ms-win-crt-locale-l1-1-0.dll 1 api-ms-win-crt-math-l1-1-0.dll 1 USERENV.dll 2

Function	Address	Souspicious	Anti Debug
free	0x1400031d0
malloc	0x1400031d8
_set_new_mode	0x1400031e0

Function	Address	Souspicious	Anti Debug
wcstoul	0x1400031c0

Function	Address	Souspicious	Anti Debug
_wcsicmp	0x1400032e0

Function	Address	Souspicious	Anti Debug
__p___argc	0x140003210
_seh_filter_exe	0x140003218
_set_app_type	0x140003220
_c_exit	0x140003228
_cexit	0x140003230
_crt_atexit	0x140003238
terminate	0x140003240
_initialize_onexit_table	0x140003248
_configure_wide_argv	0x140003250
_exit	0x140003258
__p___wargv	0x140003260
_initialize_wide_environment	0x140003268
_register_thread_local_exe_atexit_callback	0x140003270
_register_onexit_function	0x140003278
exit	0x140003280
_initterm_e	0x140003288
_initterm	0x140003290
_get_initial_wide_environment	0x140003298

Function	Address	Souspicious	Anti Debug
ConnectNamedPipe	0x140003070
GetComputerNameW	0x140003078
CreateThread	0x140003080
CloseHandle	0x140003088
GetCurrentThread	0x140003090
GetLastError	0x140003098
CreateEventW	0x1400030a0
GetSystemDirectoryW	0x1400030a8
WaitForSingleObject	0x1400030b0
CreateNamedPipeW	0x1400030b8
GetCurrentProcess	0x1400030c0
IsDebuggerPresent	0x1400030c8
InitializeSListHead	0x1400030d0
GetSystemTimeAsFileTime	0x1400030d8
GetCurrentThreadId	0x1400030e0
GetCurrentProcessId	0x1400030e8
QueryPerformanceCounter	0x1400030f0
IsProcessorFeaturePresent	0x1400030f8
TerminateProcess	0x140003100
SetUnhandledExceptionFilter	0x140003108
UnhandledExceptionFilter	0x140003110
RtlVirtualUnwind	0x140003118
RtlLookupFunctionEntry	0x140003120
RtlCaptureContext	0x140003128
GetModuleHandleW	0x140003130

Function	Address	Souspicious	Anti Debug
__C_specific_handler	0x140003198
memset	0x1400031a0
__current_exception_context	0x1400031a8
__current_exception	0x1400031b0

Function	Address	Souspicious	Anti Debug
OpenThreadToken	0x140003000
AdjustTokenPrivileges	0x140003008
RevertToSelf	0x140003010
SetTokenInformation	0x140003018
LookupPrivilegeNameW	0x140003020
CreateProcessWithTokenW	0x140003028
OpenProcessToken	0x140003030
ImpersonateNamedPipeClient	0x140003038
InitializeSecurityDescriptor	0x140003040
CreateProcessAsUserW	0x140003048
ConvertStringSecurityDescriptorToSecurityDescriptorW	0x140003050
DuplicateTokenEx	0x140003058
GetTokenInformation	0x140003060

Function	Address	Souspicious	Anti Debug
UuidCreate	0x140003140
RpcBindingFree	0x140003148
RpcStringBindingComposeW	0x140003150
NdrClientCall3	0x140003158
UuidToStringW	0x140003160
RpcBindingFromStringBindingW	0x140003168
RpcStringFreeW	0x140003170

Function	Address	Souspicious	Anti Debug
__stdio_common_vfwprintf	0x1400032a8
_set_fmode	0x1400032b0
__p__commode	0x1400032b8
__acrt_iob_func	0x1400032c0
__stdio_common_vswprintf	0x1400032c8
fflush	0x1400032d0

Function	Address	Souspicious	Anti Debug
_configthreadlocale	0x1400031f0

Function	Address	Souspicious	Anti Debug
__setusermatherr	0x140003200

Function	Address	Souspicious	Anti Debug
DestroyEnvironmentBlock	0x140003180
CreateEnvironmentBlock	0x140003188