file.exe

First submission 2024-10-16 17:26:02

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	482.5 KB (494080 bytes)
Compile time:	2024-09-23 16:50:49
MD5:	13095aaded59fb08db07ecf6bc2387ef
SHA1:	13466ec6545a05da5d8ea49a8ec6c56c4f9aa648
SHA256:	02b4e1709e79653e9569bf727301f92d4928726ba69d8d764db5841b94d63671
Import Hash :	1389569a3a39186f3eb453b501cfe688
Sections 7	.text .rdata .data .tls .gfids .rsrc .reloc
Directories 5	import resource debug tls relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	64/77 VT report date: 2024-10-05 20:12:19
Malware Type 1	trojan
Threat Type 3	remcos rescoms ratx

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://185.215.113.117/inc/file.exe	185.215.113.117	2024-10-16 17:26:02

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x571f5	356864	b8109be2a3d377e1519682fb56271ce83e353672	e504ab64b98631753dc227346d757c52
.rdata	0x59000	0x179dc	96768	18f811680a68eae34758f1c4f367034caa88b015	03563836e8ba6bd75dd82177f19b0089
.data	0x71000	0x5d44	3584	103570606dd02891c9e9eefe13a78f9f278ed62a	0eaccffe1cb836994ce5d3ccfb22d4f9
.tls	0x77000	0x9	512	aa0d33a0c854e073439067876e932688b65cb6a9	1f354d76203061bfdd5a53dae48d5435
.gfids	0x78000	0x230	1024	952fddad66c89d579a212f0085fe4f3cab981241	9ca325bce9f8c0342c0381814603584a
.rsrc	0x79000	0x48a4	18944	17acd2bf1ee45f8b5f62bffd28c4131d1a5f76f5	bf62b688646faf7f96eaf02cff611a72
.reloc	0x7e000	0x3bc8	15360	88230e6c07e690d9099ab957525711c4869053ed	047d13d1dd0f82094cdf10f08253441e

PE Resources 3

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x7b024	9640	PE Resource: RT_ICON - Data (0` %zzwwvvuuuurrrrpp}oo\|nnzmmxmmskkvqqs'%%f^^333RRRQQQQQQQQQQQQKMMqqJIIPPPQQQQQQQQQSSSCCCvvvttttttttttttrssrrdccttttttttttttwww"""\\\666lllCCCdddfffdddcccbbb^__jbbwwFGGKKKKKKJJJKKK???vvuyyxxwwxxlccyllrrSQQ{\|\|EFFuuu&&NQ\|}~ 02Cm$ Sb (?V+WTn%5Is' U!I2d3f _ EF< %7;<H25' #d!fL j%Y]^N`Q>]^ TSh ga [9 3bv"-K-,- in$!%x,U - p7)534 L;k!G\|1<j$YO2h"$<h:l!Fm!ep#e & '$ #$!'+/)(0, !#.0132,$-04544>v(Y&() Q/ Vk$7q'~)0u : A>1h".3-7w#5'/#@ 1u%\|)y-j$/Un% D{,k4- h{w'c1\|&\|+S \|,}+c{(3 _6Yv)c!99 )+F,&!!8U75 +!! " '2! ~\|}\|{zxwxvwvtss}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}COMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMOCss[gg[[[
RT_RCDATA	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x7d5cc	663	PE Resource: RT_RCDATA - Data R#egc&6w/M4NpT]7KcF457FA>FdO`N/i~rz4FD1ZfvZKm$~%^_z]fb#vo Tb 92U_A?:IK+i YYl#3jN2!_\|b~nMo k~TT2N!FHoG%[ffU&C+DN:WCe%"_2n"d&, !lWU%D(9G^lJxC5v7_jGqd:c]gMQE&v'x b2[2O 9?OU?b{0b5?3g9^i)V}(_YI"mX26pgs"uUs'B%+}/!A}{BI 4?)v51\|#Ep&*!5qUUC-$f&QM.{ Dvs0 @eV_tHS
RT_GROUP_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x7d864	62

Name

Language

Sublanguage

Offset

Size

Data

RT_ICON

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x7b024

9640

RT_RCDATA

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x7d5cc

663

RT_GROUP_ICON

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x7d864

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Anti debug functions 9

GetLastError
GetWindowThreadProcessId
IsDebuggerPresent
IsProcessorFeaturePresent
Process32FirstW
Process32NextW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Database
\key3.db
Text
\sysinfo.txt
license_code.txt
Library
mscoree.dll
ntdll.dll
KERNEL32.dll
SHLWAPI.dll
WINMM.dll
WS2_32.dll
ADVAPI32.dll
USER32.dll
WININET.dll
Powrprof.dll
gdiplus.dll
SHELL32.dll
urlmon.dll
ole32.dll
GDI32.dll

Strings analysis - Possible URLs found 1

http://geoplugin.net/json.gp

Import functions

gdiplus.dll 9 urlmon.dll 2 WINMM.dll 10 WININET.dll 4 GDI32.dll 10 SHELL32.dll 4 KERNEL32.dll 169 ADVAPI32.dll 33 ole32.dll 3 SHLWAPI.dll 3 WS2_32.dll 17 USER32.dll 44

Function	Address	Souspicious	Anti Debug
GdipSaveImageToStream	0x4594bc
GdipGetImageEncodersSize	0x4594c0
GdipFree	0x4594c4
GdipDisposeImage	0x4594c8
GdipAlloc	0x4594cc
GdipCloneImage	0x4594d0
GdipGetImageEncoders	0x4594d4
GdiplusStartup	0x4594d8
GdipLoadImageFromStream	0x4594dc

Function	Address	Souspicious	Anti Debug
URLOpenBlockingStreamW	0x4594f4
URLDownloadToFileW	0x4594f8

Function	Address	Souspicious	Anti Debug
waveInOpen	0x459448
waveInStart	0x45944c
waveInAddBuffer	0x459450
PlaySoundW	0x459454
mciSendStringA	0x459458
mciSendStringW	0x45945c
waveInClose	0x459460
waveInStop	0x459464
waveInPrepareHeader	0x459468
waveInUnprepareHeader	0x45946c

Function	Address	Souspicious	Anti Debug
InternetOpenUrlW	0x459434
InternetOpenW	0x459438
InternetCloseHandle	0x45943c
InternetReadFile	0x459440

Function	Address	Souspicious	Anti Debug
BitBlt	0x459088
CreateCompatibleBitmap	0x45908c
SelectObject	0x459090
CreateCompatibleDC	0x459094
StretchBlt	0x459098
GetDIBits	0x45909c
DeleteObject	0x4590a0
CreateDCA	0x4590a4
GetObjectA	0x4590a8
DeleteDC	0x4590ac

Function	Address	Souspicious	Anti Debug
ShellExecuteExA	0x45935c
Shell_NotifyIconA	0x459360
ExtractIconA	0x459364
ShellExecuteW	0x459368

Function	Address	Souspicious	Anti Debug
FindNextFileA	0x4590b4
ExpandEnvironmentStringsA	0x4590b8
GetLongPathNameW	0x4590bc
CopyFileW	0x4590c0
GetLocaleInfoA	0x4590c4
CreateToolhelp32Snapshot	0x4590c8
Process32NextW	0x4590cc
Process32FirstW	0x4590d0
VirtualProtect	0x4590d4
SetLastError	0x4590d8
VirtualFree	0x4590dc
VirtualAlloc	0x4590e0
GetNativeSystemInfo	0x4590e4
HeapAlloc	0x4590e8
GetProcessHeap	0x4590ec
FreeLibrary	0x4590f0
IsBadReadPtr	0x4590f4
GetTempPathW	0x4590f8
OpenProcess	0x4590fc
OpenMutexA	0x459100
lstrcatW	0x459104
GetCurrentProcessId	0x459108
GetTempFileNameW	0x45910c
UnmapViewOfFile	0x459110
DuplicateHandle	0x459114
CreateFileMappingW	0x459118
MapViewOfFile	0x45911c
GetSystemDirectoryA	0x459120
GlobalAlloc	0x459124
GlobalLock	0x459128
GetTickCount	0x45912c
GlobalUnlock	0x459130
WriteProcessMemory	0x459134
ResumeThread	0x459138
GetThreadContext	0x45913c
ReadProcessMemory	0x459140
CreateProcessW	0x459144
SetThreadContext	0x459148
LocalAlloc	0x45914c
GlobalFree	0x459150
MulDiv	0x459154
SizeofResource	0x459158
QueryDosDeviceW	0x45915c
FindFirstVolumeW	0x459160
GetConsoleScreenBufferInfo	0x459164
SetConsoleTextAttribute	0x459168
lstrlenW	0x45916c
GetStdHandle	0x459170
SetFilePointer	0x459174
FindResourceA	0x459178
LockResource	0x45917c
LoadResource	0x459180
LocalFree	0x459184
FindVolumeClose	0x459188
GetVolumePathNamesForVolumeNameW	0x45918c
lstrcpyW	0x459190
FindFirstFileA	0x459194
FormatMessageA	0x459198
FindNextVolumeW	0x45919c
AllocConsole	0x4591a0
lstrcmpW	0x4591a4
GetModuleFileNameA	0x4591a8
lstrcpynA	0x4591ac
QueryPerformanceFrequency	0x4591b0
QueryPerformanceCounter	0x4591b4
EnterCriticalSection	0x4591b8
LeaveCriticalSection	0x4591bc
InitializeCriticalSection	0x4591c0
DeleteCriticalSection	0x4591c4
HeapSize	0x4591c8
WriteConsoleW	0x4591cc
SetStdHandle	0x4591d0
SetEnvironmentVariableW	0x4591d4
SetEnvironmentVariableA	0x4591d8
FreeEnvironmentStringsW	0x4591dc
GetEnvironmentStringsW	0x4591e0
GetCommandLineW	0x4591e4
GetCommandLineA	0x4591e8
GetOEMCP	0x4591ec
IsValidCodePage	0x4591f0
FindFirstFileExA	0x4591f4
ReadConsoleW	0x4591f8
GetConsoleMode	0x4591fc
GetConsoleCP	0x459200
FlushFileBuffers	0x459204
GetFileType	0x459208
GetTimeZoneInformation	0x45920c
EnumSystemLocalesW	0x459210
GetUserDefaultLCID	0x459214
IsValidLocale	0x459218
GetTimeFormatW	0x45921c
GetDateFormatW	0x459220
HeapReAlloc	0x459224
GetACP	0x459228
GetModuleHandleExW	0x45922c
MoveFileExW	0x459230
RtlUnwind	0x459234
RaiseException	0x459238
LoadLibraryExW	0x45923c
GetCPInfo	0x459240
GetStringTypeW	0x459244
GetLocaleInfoW	0x459248
LCMapStringW	0x45924c
CompareStringW	0x459250
TlsFree	0x459254
TlsSetValue	0x459258
TlsGetValue	0x45925c
TlsAlloc	0x459260
GetFileSize	0x459264
TerminateThread	0x459268
GetLastError	0x45926c
CreateDirectoryW	0x459270
GetModuleHandleA	0x459274
RemoveDirectoryW	0x459278
MoveFileW	0x45927c
SetFilePointerEx	0x459280
GetLogicalDriveStringsA	0x459284
DeleteFileW	0x459288
DeleteFileA	0x45928c
SetFileAttributesW	0x459290
GetFileAttributesW	0x459294
FindClose	0x459298
lstrlenA	0x45929c
GetDriveTypeA	0x4592a0
FindNextFileW	0x4592a4
GetFileSizeEx	0x4592a8
FindFirstFileW	0x4592ac
GetModuleHandleW	0x4592b0
ExitProcess	0x4592b4
CreateMutexA	0x4592b8
GetCurrentProcess	0x4592bc
GetProcAddress	0x4592c0
LoadLibraryA	0x4592c4
CreateProcessA	0x4592c8
PeekNamedPipe	0x4592cc
CreatePipe	0x4592d0
TerminateProcess	0x4592d4
ReadFile	0x4592d8
HeapFree	0x4592dc
HeapCreate	0x4592e0
CreateEventA	0x4592e4
GetLocalTime	0x4592e8
CreateThread	0x4592ec
SetEvent	0x4592f0
CreateEventW	0x4592f4
WaitForSingleObject	0x4592f8
Sleep	0x4592fc
GetModuleFileNameW	0x459300
CloseHandle	0x459304
ExitThread	0x459308
CreateFileW	0x45930c
WriteFile	0x459310
SetConsoleOutputCP	0x459314
InitializeCriticalSectionAndSpinCount	0x459318
MultiByteToWideChar	0x45931c
DecodePointer	0x459320
EncodePointer	0x459324
WideCharToMultiByte	0x459328
InitializeSListHead	0x45932c
GetSystemTimeAsFileTime	0x459330
GetCurrentThreadId	0x459334
IsProcessorFeaturePresent	0x459338
GetStartupInfoW	0x45933c
SetUnhandledExceptionFilter	0x459340
UnhandledExceptionFilter	0x459344
IsDebuggerPresent	0x459348
WaitForSingleObjectEx	0x45934c
ResetEvent	0x459350
SetEndOfFile	0x459354

Function	Address	Souspicious	Anti Debug
CryptAcquireContextA	0x459000
CryptGenRandom	0x459004
CryptReleaseContext	0x459008
GetUserNameW	0x45900c
RegEnumKeyExA	0x459010
QueryServiceStatus	0x459014
CloseServiceHandle	0x459018
OpenSCManagerW	0x45901c
OpenSCManagerA	0x459020
ControlService	0x459024
StartServiceW	0x459028
QueryServiceConfigW	0x45902c
ChangeServiceConfigW	0x459030
OpenServiceW	0x459034
EnumServicesStatusW	0x459038
AdjustTokenPrivileges	0x45903c
LookupPrivilegeValueA	0x459040
OpenProcessToken	0x459044
RegCreateKeyA	0x459048
RegCloseKey	0x45904c
RegQueryInfoKeyW	0x459050
RegQueryValueExA	0x459054
RegCreateKeyExW	0x459058
RegEnumKeyExW	0x45905c
RegSetValueExW	0x459060
RegSetValueExA	0x459064
RegOpenKeyExA	0x459068
RegOpenKeyExW	0x45906c
RegCreateKeyW	0x459070
RegDeleteValueW	0x459074
RegEnumValueW	0x459078
RegQueryValueExW	0x45907c
RegDeleteKeyA	0x459080

Function	Address	Souspicious	Anti Debug
CoInitializeEx	0x4594e4
CoUninitialize	0x4594e8
CoGetObject	0x4594ec

Function	Address	Souspicious	Anti Debug
PathFileExistsW	0x459370
PathFileExistsA	0x459374
StrToIntA	0x459378

Function	Address	Souspicious	Anti Debug
gethostbyname	0x459474
send	0x459478
WSAStartup	0x45947c
closesocket	0x459480
inet_ntoa	0x459484
htons	0x459488
htonl	0x45948c
getservbyname	0x459490
ntohs	0x459494
getservbyport	0x459498
gethostbyaddr	0x45949c
inet_addr	0x4594a0
WSASetLastError	0x4594a4
WSAGetLastError	0x4594a8
recv	0x4594ac
connect	0x4594b0
socket	0x4594b4

Function	Address	Souspicious	Anti Debug
GetMessageA	0x459380
GetWindowTextW	0x459384
wsprintfW	0x459388
GetClipboardData	0x45938c
UnhookWindowsHookEx	0x459390
GetForegroundWindow	0x459394
ToUnicodeEx	0x459398
GetKeyboardLayout	0x45939c
SetWindowsHookExA	0x4593a0
CloseClipboard	0x4593a4
OpenClipboard	0x4593a8
GetKeyboardState	0x4593ac
CallNextHookEx	0x4593b0
GetKeyboardLayoutNameA	0x4593b4
GetKeyState	0x4593b8
GetWindowTextLengthW	0x4593bc
DispatchMessageA	0x4593c0
SetForegroundWindow	0x4593c4
SetClipboardData	0x4593c8
EnumWindows	0x4593cc
ExitWindowsEx	0x4593d0
EmptyClipboard	0x4593d4
ShowWindow	0x4593d8
SetWindowTextW	0x4593dc
MessageBoxW	0x4593e0
IsWindowVisible	0x4593e4
CloseWindow	0x4593e8
SendInput	0x4593ec
EnumDisplaySettingsW	0x4593f0
mouse_event	0x4593f4
CreatePopupMenu	0x4593f8
TranslateMessage	0x4593fc
TrackPopupMenu	0x459400
DefWindowProcA	0x459404
CreateWindowExA	0x459408
AppendMenuA	0x45940c
GetSystemMetrics	0x459410
RegisterClassExA	0x459414
GetCursorPos	0x459418
SystemParametersInfoW	0x45941c
GetWindowThreadProcessId	0x459420
MapVirtualKeyA	0x459424
DrawIcon	0x459428
GetIconInfo	0x45942c

Name	Latest seen	MD5
jhg.exe	2024-08-30 13:58:02	b21e324a39b4279504b10fee217239d3
Subsys32.exe	2024-09-25 16:11:02	4c128449b1492fc2ff49c431044d4b10
DEF.exe	2024-10-16 17:25:02	6520492a4e7f9bc4dfb068de1c7b6450