ST_External_Loader.exe?ex=670cf73e&is=670ba5be&hm=df6fdb38f0b871dad38a238a90c3a5082232e6b3dece3fde2cfe260f368e31c7&

First submission 2024-10-13 18:14:03

File details

File type:	PE32+ executable (console) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	19263.0 KB (19725312 bytes)
Compile time:	2024-09-13 13:34:38
MD5:	16b1fa75351705eac58419c279470984
SHA1:	a3bcb6a7207e10178bfc6fc6503c95f2f8a51e54
SHA256:	a449c399c359f29cf1f3a43dd45baea4bf47e82e9020ac3b39a3166f59845ca1
Import Hash :	f6c0f2a6b0efb27a2a63257f097acbee
Sections 9	.text .rdata .data .pdata .xorstr0 .xorstr1 .xorstr2 .reloc .rsrc
Directories 4	import resource tls relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	31/77 VT report date: 2024-09-23 20:00:26
Malware Type 1	trojan
Threat Type 1	vmprotect

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXps://cdn.discordapp.com/attachments/1292905697662468196/1294975312979034132/ST_External_Loader.exe?ex=670cf73e&is=670ba5be&hm=df6fdb38f0b871dad38a238a90c3a5082232e6b3dece3fde2cfe260f368e31c7&	cdn.discordapp.com	2024-10-13 18:14:03

PE Sections 7 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x2937cf	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.rdata	0x295000	0x72906	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.data	0x308000	0x133908	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.pdata	0x43c000	0x2838	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.xorstr0	0x43f000	0xa2e715	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.xorstr1	0xe6e000	0xe20	4096	f5b81a11894e8b9113f82f5b8f18ba13ea83ecaa	df36cf9c72ffa7f10ce797be63908d3a
.xorstr2	0xe6f000	0x12ca6a8	19703808	76bdeb1ff8197b01bc1170a6a48a306fe62c8a19	6a480d09c1e0531828c00960fdcbf29f
.reloc	0x213a000	0x11c	512	45ecb17f26366ecb5b3cd861c37613642c853420	2be816e6a2a26cd6440b8971526e272b
.rsrc	0x213b000	0x3dd0	15872	31ebd7995fa3c471a78054fe034701fc5b2778b8	c589d328536671a8bafbdce9a8429d87

PE Resources 3

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_TURKISH	SUBLANG_DEFAULT	0x213c670	9640	PE Resource: RT_ICON - Data (0` $$"277My\|\|\| }~\|{{{\| }}}}}}{ y zz}z z z {~ \| \| }}}$%2@J?Oex\| \| { { { z y y z \|{{ {z{{z{{z z z z z }\|\| \|z~ }\| } }} }}}"4Wm ki t ww { ~ w y x } y ~ { y y z zz z y y yz y y z {wy \|{ z z { { z {\| ":Ym t wvw w xzy u yu v xtxvuvvwz} xwuz \|w} {vw x uy { \|z x y \| z {#<[jqssyuvvru \| u suusu u u stux uttz uvxvtuutwxvz w w y yEjrrrpqqrry%t t sssz x wrswsrsurrrrqprssrsussuttuwM] lijjkoio kn\|v p rlmmnnq pkmlp mklmllms rnmnnnnqtuooqddebg f g i ad dehhjhhddh i h l g g dh ghgpl den h fgk j ggipzjhhcabbcdca`ag dfhggfdae gb`cgcefcdfgec`cdgkk cccgifiea`a_`aba```db`^[bd``abf l`bfde i^aa`_c jc g vebcaf _aa]Z^[[_ ]]\`_\ \ Y[ WX`\[^__b [\\^`]Z[[\adiY Zdca_[_ a XXUSRPRSSYU WVV ROTUSVUUSV`X RSTWXW\Z[\TKAO^ Y^b `VS^YXKJKQO JKQNJO KMPJLJJKLIO P PPMQWUTX TTQ bA>R0,E[TX ^ VSU VQIJJN LKKJMVS LR YJO P KLMNIIQ PQPPKQOU L_86JNO Q RPTPQ NGJKKLMMMI>8=ION @<FH9BLF:>9@>O=DOBTZ1-3 ha\ig<P TU \MLJKGFFGGGGH:mPKgcQ$? 8hD@\|meDX/,}[?:99o^ZM62eD@<vVRQ1.eJEqk9Lu\^z{w6M GSm(#VO JIDFC@A@?@7 N;=eTWkLR1smoK;>zuvH9=4EHIJO I DE==>??>??;~~}USRg__0=-.wtucb]VVmefrmlUGG9ABG EDG C@445688857topf\[mST4\|z }ig[YWUTT\|y,#"; <@<@B@>>-/23101153$&D75F+,t\\c^]tssf^_/ 5; 58:<;;,-.,.--1) nmml^`xwL>:uqm]TRXOO_UUSDD%5124688;+(%4- "~jfZCBE?<d\Z.e[X \|liaQPziius'"hZUj[YWDE$0,/2332= )($#%* ')%ukg%+() +53"$--'$"#,,++,//13%$#""!#!#J=;tgfWKH.6 //),((-A'%VID('TFC5(, / 0 .,J!?423 / '*+,-K$""! ! "!%! '&2&!! %" %*($(+,84 -,.- '(((3 _75!"!"## 'ZKIM?>)5-eUO`OJ,15##8&&E33?%"3!'I21(0 .,*)'((%'()0"bWTNFD\|yws mea""\|y% ,-,/ /++('+ ((+ +>:80!!}{-6(8\630+,('+ + ',)3))MGF6)+0/(5F /)&((#)- ' ( 3)efdqnldXV+()(((+ (N-Q1-0 #' @<:fdbppnpjiZYW{y@75- , (+ , '&F'#F&"&$ F=:853ca_TQPzusUURa_]~\|a_\nni%&&&3( %#$ "($"7/.RKI2) aZY~}{}{y}J97 ( D'!% ! RPN-(&JCB %!( $ )& 40-YTS )!sif:1/"pie<20! "& %="" ! =( %7%$ .# # ! + *
RT_GROUP_ICON	LANG_TURKISH	SUBLANG_DEFAULT	0x213ec18	48
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x213ec48	392	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='requireAdministrator' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_ICON

LANG_TURKISH

SUBLANG_DEFAULT

0x213c670

9640

RT_GROUP_ICON

LANG_TURKISH

SUBLANG_DEFAULT

0x213ec18

RT_MANIFEST

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x213ec48

392

Anti debug functions 1

Virtual Box

Strings analysis - File found

Library
VCRUNTIME140_1.dll
api-ms-win-crt-runtime-l1-1-0.dll
vcruntime140.dll
api-ms-win-crt-utility-l1-1-0.dll
msvcp140.dll
SHELL32.dll
dwmapi.dll
KERNEL32.dll
api-ms-win-crt-filesystem-l1-1-0.dll
d3d9.dll
IMM32.dll
#^api-ms-win-crt-string-l1-1-0.dll
USER32.dll
api-ms-win-crt-convert-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
sapi-ms-win-crt-stdio-l1-1-0.dll
Papi-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll

Import functions

api-ms-win-crt-filesystem-l1-1-0.dll 1 api-ms-win-crt-runtime-l1-1-0.dll 1 api-ms-win-crt-locale-l1-1-0.dll 1 MSVCP140.dll 1 api-ms-win-crt-convert-l1-1-0.dll 1 api-ms-win-crt-string-l1-1-0.dll 1 VCRUNTIME140_1.dll 1 dwmapi.dll 1 KERNEL32.dll 8 api-ms-win-crt-math-l1-1-0.dll 1 api-ms-win-crt-utility-l1-1-0.dll 1 VCRUNTIME140.dll 1 SHELL32.dll 1 api-ms-win-crt-stdio-l1-1-0.dll 1 d3d9.dll 1 api-ms-win-crt-heap-l1-1-0.dll 1 USER32.dll 1 IMM32.dll 1

Function	Address	Souspicious	Anti Debug
_lock_file	0x140e6e0f0

Function	Address	Souspicious	Anti Debug
_initterm	0x140e6e0e0

Function	Address	Souspicious	Anti Debug
_configthreadlocale	0x140e6e110

Function	Address	Souspicious	Anti Debug
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ	0x140e6e040

Function	Address	Souspicious	Anti Debug
atof	0x140e6e0d0

Function	Address	Souspicious	Anti Debug
isprint	0x140e6e0a0

Function	Address	Souspicious	Anti Debug
__CxxFrameHandler4	0x140e6e070

Function	Address	Souspicious	Anti Debug
DwmExtendFrameIntoClientArea	0x140e6e050

Function	Address	Souspicious	Anti Debug
GlobalUnlock	0x140e6e000
GetSystemTimeAsFileTime	0x140e6e120
HeapAlloc	0x140e6e130
HeapFree	0x140e6e138
ExitProcess	0x140e6e140
LoadLibraryA	0x140e6e148
GetModuleHandleA	0x140e6e150
GetProcAddress	0x140e6e158

Function	Address	Souspicious	Anti Debug
floorf	0x140e6e100

Function	Address	Souspicious	Anti Debug
qsort	0x140e6e0b0

Function	Address	Souspicious	Anti Debug
__C_specific_handler	0x140e6e080

Function	Address	Souspicious	Anti Debug
ShellExecuteW	0x140e6e020

Function	Address	Souspicious	Anti Debug
__acrt_iob_func	0x140e6e090

Function	Address	Souspicious	Anti Debug
Direct3DCreate9Ex	0x140e6e060

Function	Address	Souspicious	Anti Debug
_callnewh	0x140e6e0c0

Function	Address	Souspicious	Anti Debug
CloseClipboard	0x140e6e010

Function	Address	Souspicious	Anti Debug
ImmReleaseContext	0x140e6e030