foot.exe

First submission 2024-10-11 10:20:02

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	72.07 KB (73802 bytes)
Compile time:	2009-05-14 01:58:54
MD5:	13ab1cb658c72b66c3a8bce31405ac1d
SHA1:	e44dbe441c724611e1f4c790794b2873cc7e6756
SHA256:	213a76146f0459c0108da55dc4a533145a1fcad98c3d94fb70c81246a1bc9740
Import Hash :	481f47bbb2c9c21e108d65f52b04c448
Sections 4	.text .rdata .data .rsrc
Directories 3	import resource debug

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	61/77 VT report date: 2024-10-10 16:02:28
Malware Type 1	trojan
Threat Type 3	swrort cryptz marte

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://159.65.193.136/foot.exe	159.65.193.136	2024-10-11 10:20:02

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0xa966	45056	c72b635d12d87f600a652607441fe6ebf8f02f8e	34b70c994ba9af4bd44a900796ac13e8
.rdata	0xc000	0xfe6	4096	2d1b3b256819734be18a5171828f544f2fe3c678	25d7ceee3aa85bb3e8c5174736f6f830
.data	0xd000	0x705c	16384	46bdccde681141c8e779b47220c1d7b1a1b9b011	283b5f792323d57b9db4d2bcc46580f8
.rsrc	0x15000	0x7c8	4096	2e051ef30946f9bed1931d1f9dde3ebdb9b99b89	c13a9413aea7291b6fc85d75bfcde381

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_VERSION	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x15060	1896	PE Resource: RT_VERSION - Data h4VS_VERSION_INFO?StringFileInfo040904b00CommentsLicensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.VCompanyNameApache Software Foundationj!FileDescriptionApacheBench command line utility.FileVersion2.2.14.InternalNameab.exe/LegalCopyrightCopyright 2009 The Apache Software Foundation.6OriginalFilenameab.exeFProductNameApache HTTP Server2ProductVersion2.2.14DVarFileInfo$Translation

Name

Language

Sublanguage

Offset

Size

Data

RT_VERSION

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x15060

1896

Meta infos 10

LegalCopyright:	Copyright 2009 The Apache Software Foundation.
InternalName:	ab.exe
FileVersion:	2.2.14
CompanyName:	Apache Software Foundation
OriginalFilename:	ab.exe
ProductVersion:	2.2.14
FileDescription:	ApacheBench command line utility
Translation:	0x0409 0x04b0
Comments:	Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
ProductName:	Apache HTTP Server

Packers detected 1

AHTeam EP Protector 0.3 (fake PCGuard 4.03-4.15) -> FEUERRADER

Anti debug functions 2

GetLastError
TerminateProcess

Strings analysis - File found

Library
ADVAPI32.dll
MSVCRT.dll
KERNEL32.dll
ntdll.dll
WS2_32.dll
WSOCK32.dll

Strings analysis - Possible URLs found 7

http://
http://www.apache.org/
http://www.apache.org/licenses/LICENSE-2.0
http://www.zeustech.net/
http://www.zeustech.net/<br
https://
http://www.apache.org/<br

Import functions

ADVAPI32.dll 2 KERNEL32.dll 46 MSVCRT.dll 50 WS2_32.dll 2 WSOCK32.dll 15

Function	Address	Souspicious	Anti Debug
FreeSid	0x40c000
AllocateAndInitializeSid	0x40c004

Function	Address	Souspicious	Anti Debug
PeekNamedPipe	0x40c00c
ReadFile	0x40c010
WriteFile	0x40c014
LoadLibraryA	0x40c018
GetProcAddress	0x40c01c
GetVersionExA	0x40c020
GetExitCodeProcess	0x40c024
TerminateProcess	0x40c028
LeaveCriticalSection	0x40c02c
SetEvent	0x40c030
ReleaseMutex	0x40c034
EnterCriticalSection	0x40c038
DeleteCriticalSection	0x40c03c
InitializeCriticalSection	0x40c040
CreateMutexA	0x40c044
GetFileType	0x40c048
SetLastError	0x40c04c
FreeEnvironmentStringsW	0x40c050
GetEnvironmentStringsW	0x40c054
GlobalFree	0x40c058
GetCommandLineW	0x40c05c
TlsAlloc	0x40c060
TlsFree	0x40c064
DuplicateHandle	0x40c068
GetCurrentProcess	0x40c06c
SetHandleInformation	0x40c070
CloseHandle	0x40c074
GetSystemTimeAsFileTime	0x40c078
FileTimeToSystemTime	0x40c07c
GetTimeZoneInformation	0x40c080
FileTimeToLocalFileTime	0x40c084
SystemTimeToFileTime	0x40c088
SystemTimeToTzSpecificLocalTime	0x40c08c
Sleep	0x40c090
FormatMessageA	0x40c094
GetLastError	0x40c098
WaitForSingleObject	0x40c09c
CreateEventA	0x40c0a0
SetStdHandle	0x40c0a4
SetFilePointer	0x40c0a8
CreateFileA	0x40c0ac
CreateFileW	0x40c0b0
GetOverlappedResult	0x40c0b4
DeviceIoControl	0x40c0b8
GetFileInformationByHandle	0x40c0bc
LocalFree	0x40c0c0

Function	Address	Souspicious	Anti Debug
_iob	0x40c0c8
_except_handler3	0x40c0cc
__set_app_type	0x40c0d0
__p__fmode	0x40c0d4
__p__commode	0x40c0d8
_adjust_fdiv	0x40c0dc
__setusermatherr	0x40c0e0
_initterm	0x40c0e4
__getmainargs	0x40c0e8
__p___initenv	0x40c0ec
_XcptFilter	0x40c0f0
_exit	0x40c0f4
_onexit	0x40c0f8
__dllonexit	0x40c0fc
strrchr	0x40c100
wcsncmp	0x40c104
_close	0x40c108
wcslen	0x40c10c
wcscpy	0x40c110
strerror	0x40c114
modf	0x40c118
strspn	0x40c11c
realloc	0x40c120
__p__environ	0x40c124
__p__wenviron	0x40c128
_errno	0x40c12c
free	0x40c130
strncmp	0x40c134
strstr	0x40c138
strncpy	0x40c13c
_ftol	0x40c140
qsort	0x40c144
fopen	0x40c148
perror	0x40c14c
fclose	0x40c150
fflush	0x40c154
calloc	0x40c158
malloc	0x40c15c
signal	0x40c160
printf	0x40c164
_isctype	0x40c168
atoi	0x40c16c
exit	0x40c170
__mb_cur_max	0x40c174
_pctype	0x40c178
strchr	0x40c17c
fprintf	0x40c180
_controlfp	0x40c184
_strdup	0x40c188
_strnicmp	0x40c18c

Function	Address	Souspicious	Anti Debug
WSARecv	0x40c194
WSASend	0x40c198

Function	Address	Souspicious	Anti Debug
getsockopt	0x40c1a0
connect	0x40c1a4
htons	0x40c1a8
gethostbyname	0x40c1ac
ntohl	0x40c1b0
inet_ntoa	0x40c1b4
setsockopt	0x40c1b8
socket	0x40c1bc
closesocket	0x40c1c0
select	0x40c1c4
ioctlsocket	0x40c1c8
__WSAFDIsSet	0x40c1cc
WSAStartup	0x40c1d0
WSACleanup	0x40c1d4
WSAGetLastError	0x40c1d8

Name	Latest seen	MD5
repackend.exe	2022-09-17 09:02:02	315a5c5871b0de15997d187b93b94d97
maxi.exe	2022-10-30 08:32:02	e07965f2bf26b320383323f54e9f1977
rabba.exe	2022-10-30 08:33:02	cfffd8f19174f53ca45cd1e2d3ba73d3
dox.exe	2022-10-30 08:34:01	d5f0a0bf41182aa382b53c9758588086
dollar.exe	2022-10-30 08:36:02	facb41b0215d5399bd97b68f05efe5aa
buga.exe	2022-10-30 08:37:02	d269ca499f52149626d2485bbf74ea35
sanki.exe	2022-10-30 08:38:04	4f3eb4cd6ae13a74d09f29aed9cd73f4
baba.exe	2022-10-30 08:40:05	c12886ed570cc61fd178e690907cfb44
tornado.exe	2022-10-30 08:41:02	2b75c349e90df1fc14b38873992ec3af
solid.exe	2022-10-30 08:42:02	fd87146f6e2a130b1454724a961a1b8a
tray.exe	2022-10-30 08:43:02	face8fd03157a49e11c71259c826b167
yaya.exe	2022-10-30 08:44:02	2416d6cfb74b5277d570aa7ce4702bf3
windox.exe	2022-10-30 08:45:03	46e9d62aa9266ce1ed2a8620934bd7cd
aboki.exe	2022-10-30 08:47:01	b7a0bc8b94f5e9ae7da97a4b96671aae
sfc.exe	2022-10-30 08:48:02	29613e2dec4fc95380ceb7b7f9927ce1
ndulele.exe	2022-10-30 08:49:02	2cb908660103e6449ac76bdae06d81c2
OpenThis.exe	2023-01-19 11:35:02	c5f53044cf4bee51438be9acc5c5c442
reverse.exe	2024-05-20 07:20:02	94604756b7991e2361c98c1ffd1a50ff
venom.exe	2024-05-24 09:05:03	195032debcdcfbd4e56986070144a475
backdoor.exe	2024-05-24 09:31:01	32bab4b22104f0e73eb9f98efa619a68
example.exe	2024-05-24 09:33:02	356697b39d3721250aa3cc92bacc6120
1668093182.exe	2024-05-29 05:18:02	9fbc495f7b8396fd10b994d966f88796
h	2024-07-02 08:59:02	d3905c1568990dad69b03e5b792f2725
4444.exe	2024-07-04 08:06:03	1aca2436ee8c1ef6271dfebd4312b3d7
Extension.exe	2024-08-27 17:01:01	683947f7c0388cde0bf1ec8ca7845226
Documents.exe	2024-08-27 20:03:01	69622bc5a1fc62775a2b77cc4bbbdc00
Launcher.exe	2024-08-30 20:11:02	58fecf9d072c83e0d7ce4fa4c08af240
Extension2.exe	2024-09-22 12:30:02	d1ba5271cc1825702119cfd7e0232f81
TripVPN.exe	2024-09-22 12:39:02	f1796b78cb43fa7b6805584f0c3207c1
CovidPass.exe	2024-09-22 12:40:01	4ff07dff62d31b141d2ff73725935c08
sample.exe	2024-09-22 12:41:02	fe62c6284cc763752ff6801c12f29b33
Icon.exe	2024-09-22 14:09:01	1b73bb409f96bd368cfefa6635f358af
Launcher.exe	2024-09-22 15:06:01	2bf2123730614e66c7a5b926a7eea340
Uploader.exe	2024-09-22 15:08:02	b6b77de46fac92727df6141f2699e398
Organiser.exe	2024-09-22 15:28:01	2939997c9fc9dca6ccf9124200c5bcf7
Excel.exe	2024-09-22 15:57:02	c72a3773f36c1e96d38c8178ce4c3142
Extension.exe	2024-09-22 15:58:01	5c74e515750a07cd1800406809bccdfe
Prototype.exe	2024-09-22 16:20:02	f52a6c6e1c8be6ea65f385f16d2680b6
32.exe.txt	2024-09-28 03:09:02	33c05328038a99ed239df21e508182e6
shell.exe	2024-09-28 23:50:02	04e600266eb46ccb8e3712a48deac3a9
6.exe	2024-10-09 23:41:02	5a68e9c6b62d77db7874b7c027bdba7f
fixing.exe	2024-10-13 22:39:02	4acf8829e5241b6f1307521ee9e0e370