1174180.exe

First submission 2024-10-15 21:47:13

File details

File type: PE32+ executable (GUI) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 7448.03 KB (7626784 bytes)
Compile time: 2024-10-08 12:56:51
MD5: 110a014684ddaaf25e6b81d798d7ae8f
SHA1: 2a7516f83872d15862448b9da8f72ceeadb2ec82
SHA256: 5df0c8a02789c6833a07bfbbff5a02b161201c1e55e9b00af59e7f1684e193b9
Import Hash : 12b2bc20d7737a83639913d36501fd39
Sections (5): .text, .sedata, .idata, .rsrc, .sedata
Directories (4): import, resource, debug, security

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

VirusTotal: 41/77 (VT report date: 2024-10-15 20:52:59)
Malware type (1): trojan
Threat type (3): rootkit, dangeroussig, ecpsx

URLs, FQDN and IP indicators (1)

URL: hXXp://by.haory.cn/f/f89/1174180.exe
Host (FQDN/IP): by.haory.cn
Date added: 2024-10-15 21:47:13

PE Sections (3 suspicious)

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x59000 149504 0f1c234622439f51ed470970eec61a27495f3f9d 6291e5150b96eadaf1ad499da499b885
.sedata 0x5a000 0x15a000 1414656 736df004fffee37e6a47613fac74fdaa81548047 bbf03b16d612bfad893bafc60e12d2ad
.idata 0x1b4000 0x1000 1024 755d9c69668c2c3673df11bdb0a8fbf3dfa766f1 014ea69c5c9ea2b9112132445b879bd2
.rsrc 0x1b5000 0x12000 72704 8d53e32bbbec74d64e411c02e78ab3a80c021ad6 f2ffff57b7abf9aa51de27473328572d
.sedata 0x1c7000 0x1000 4096 5fb5e0e7396db8c0bc1b3ec72ef2e201fd9c2749 658c539f00d58b68d39a2e54866b43cd

PE Resources (3)

Name Language Sublanguage Offset Size Data
RT_ICON LANG_NEUTRAL SUBLANG_NEUTRAL 0x1c5fd8 1128
RT_GROUP_ICON LANG_NEUTRAL SUBLANG_NEUTRAL 0x1c6440 188
RT_MANIFEST LANG_NEUTRAL SUBLANG_NEUTRAL 0x1c64fc 1293

Packers detected (1)

Safeguard 1.03 -> Simonzh

File signature

MD5 SHA1 Block size Virtual Address
a055c00166cb00a00f863a90daf56512 91009eb844799991fd8c9084397f321a91395e4e 4888 7621896

Strings analysis - File found

Executable: ee.so
Backup: h.oLd
Compressed: bbase_library.zip
Library:
ADVAPI32.dll
MSVCRT.dll
mscorwks.dll
SHELL32.dll
IPHLPAPI.DLL
KERNEL32.dll
ntdll.dll
mscoree.dll
COMCTL32.dll
blibffi-7.dll
PSAPI.DLL
4python38.dll
6msvcrt.dll
bpython3.dll
bVCRUNTIME140.dll
blibssl-1_1.dll
clr.dll
diasymreader.dll
bpython38.dll
KernelBase.dll
hid.dll
SESDKDummy64.dll
USER32.dll
mscoreei.dll
GDI32.dll
mscorsvr.dll
blibcrypto-1_1.dll
Duser32.dll

Strings analysis - Possible URLs found (11)


Import functions