exp.exe

First submission 2024-09-05 07:02:05

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 36960.06 KB (37847105 bytes)
Compile time: 2022-03-03 14:15:57
MD5: 26202a742fdb99ec69ee50ce7df978e2
SHA1: d8e2ed3e76597b254ffc15d4098219cc619b6fca
SHA256: 1c3149bb08e538c8439b5943b067306bfb69636e973bcfd6ee334c374d26317c
Import Hash : 12e12319f1029ec4f8fcbed7e82df162
Sections 6 .text .rdata .data .didat .rsrc .reloc
Directories 5 import export resource debug relocation
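The Import Hash line above is the MD5 of a canonical string built from the import table, which is why it is used later in this report to find other files with the same import set. The following added example (not part of this report or its tooling) implements the rule pefile's get_imphash() uses: module name lower-cased with a .dll/.ocx/.sys suffix removed, "module.function" per import in import-table order, comma-joined, MD5'd. Ordinals are rendered as ordN; the ordinal-to-name lookup pefile applies for a few well-known DLLs such as ws2_32 is omitted here, and the import list at the bottom is constructed from a subset of the functions named in this report rather than read from the sample.

```python
import hashlib

# Import-hash rule as implemented by pefile.get_imphash(): module name
# lower-cased with a .dll/.ocx/.sys suffix removed, "module.function" per
# import in import-table order, joined with commas, MD5 of that string.
STRIPPED_SUFFIXES = ("dll", "ocx", "sys")


def normalize_module(name: str) -> str:
    """KERNEL32.dll -> kernel32, WINNSI.DLL -> winnsi, unknown suffixes kept."""
    lower = name.lower()
    stem, _, suffix = lower.rpartition(".")
    return stem if suffix in STRIPPED_SUFFIXES and stem else lower


def canonical_import_string(imports) -> str:
    """imports: iterable of (module, symbol) in import-table order; symbol is a
    function name or an int ordinal. Ordinals become ordN (assumption: no
    per-DLL ordinal-to-name table, unlike pefile for ws2_32/oleaut32)."""
    parts = []
    for module, symbol in imports:
        func = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
        parts.append(f"{normalize_module(module)}.{func}")
    return ",".join(parts)


def imphash(imports) -> str:
    """32-hex-digit import hash; order-sensitive, case-insensitive."""
    return hashlib.md5(canonical_import_string(imports).encode()).hexdigest()


# Constructed import table: a subset of the functions this report lists plus
# one ordinal-only import. It is NOT the sample's actual import table.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "IsDebuggerPresent"),
    ("KERNEL32.dll", "GetLastError"),
    ("KERNEL32.dll", "TerminateProcess"),
    ("USER32.dll", "MessageBoxW"),
    ("SHELL32.dll", 680),
]

if __name__ == "__main__":
    print(canonical_import_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Because only the ordered list of (module, function) pairs goes into the hash, two binaries collide whenever the same linker, runtime and import set produced them; reordering the table changes the hash, renaming or recompiling the rest of the code does not.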

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

Caveats on these flags, from the data in this report: "Is DLL" contradicts the file type line (PE32 executable (GUI)) and the .exe name, and an export directory alone does not make a DLL. The directory list contains no security (certificate) directory, so "Signed" is not backed by an Authenticode table inside this file. "Packers" and "Anti Debug" rest only on the compiler signature and CRT imports shown under Packers detected and Anti debug functions, and no indicator on this page supports "Anti VM".

OSINT Enrichments

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://45.137.64.40/hash/exp.exe 45.137.64.40 2024-09-05 07:02:05

PE Sections 0 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x31bdc 203776 619c1d2d3a247d5ea0748c89b0b9d66a30b6417c 2831bb8b11e3209658a53131886cdf98
.rdata 0x33000 0xaec0 45056 6ecf068cbcb8b25488348341dfe9cd146d7efff1 042f11346230ca5aa360727d9908e809
.data 0x3e000 0x24720 4096 f645e3c9267ab7df17b1b1f7196a59a1fa9b097a 9670b581969e508258d8bc903025de5e
.didat 0x63000 0x190 512 08a8f0e687db994f8484fd20dc56094f4c219de5 c83554035c63bb446c6208d0c8fa0256
.rsrc 0x64000 0xe050 57856 db2f7e5783b540baf0c190c82a380cf54d400f09 eaf06e8c806c8384f018fb45f560f16e
.reloc 0x73000 0x233c 9216 f1f4ef62479ee5ed243652eb278d24f467b2beee 40b5e17755fd6fdd34de06e5cdb7f711
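The section table above is what "0 suspicious" was judged on: per-section virtual and raw sizes, hashes, and flags. The following added example (not this report's tooling) parses the section table of a PE image with the standard library only, recomputes the SHA1/MD5 columns, and applies the usual triage checks: a section that is both writable and executable, an executable section whose virtual size far exceeds its raw size (typical of code that is unpacked at runtime), raw data that runs past the end of the file, and high entropy. The input is a constructed minimal PE (valid header layout, SizeOfOptionalHeader = 0, nothing loadable) whose second section is deliberately marked W+X so that the check fires; it is not derived from the sample.

```python
import hashlib
import math
import struct

# IMAGE_SECTION_HEADER, 40 bytes: Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def hexdigests(data: bytes):
    """(md5, sha1) of a byte string, the two hash columns the report prints."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table.
    Returns one dict per section with recomputed hashes and triage flags."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size              # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = \
            SECTION_HEADER.unpack_from(pe, table + i * SECTION_HEADER.size)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        md5, sha1 = hexdigests(raw)
        flags = []
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            flags.append("writable+executable")
        if chars & IMAGE_SCN_MEM_EXECUTE and raw_size and vsize > 4 * raw_size:
            flags.append("executable but mostly unbacked on disk")
        if len(raw) < raw_size:
            flags.append("raw data runs past end of file")
        if shannon_entropy(raw) > 7.2:
            flags.append("high entropy")
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
            "raw_ptr": raw_ptr, "characteristics": chars,
            "md5": md5, "sha1": sha1, "flags": flags,
        })
    return sections


def format_report(sections) -> str:
    """Same column layout as the PE Sections table in the report."""
    rows = ["Name VAddress VSize Size SHA1 MD5 Suspicious"]
    for s in sections:
        rows.append(f"{s['name']} {s['vaddr']:#x} {s['vsize']:#x} {s['raw_size']} "
                    f"{s['sha1']} {s['md5']} {', '.join(s['flags']) or 'no'}")
    return "\n".join(rows)


# Constructed minimal PE (assumption: not the sample): two sections, the second
# marked writable+executable so the check has something to flag.
TEXT_BYTES = bytes(range(16))
DATA_BYTES = b"\x90" * 16


def build_sample_pe() -> bytes:
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, no optional header
    text_off = e_lfanew + 4 + 20 + 2 * SECTION_HEADER.size
    data_off = text_off + len(TEXT_BYTES)
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    hdr_text = SECTION_HEADER.pack(b".text", len(TEXT_BYTES), 0x1000, len(TEXT_BYTES), text_off, 0, 0, 0, 0, rx)
    hdr_data = SECTION_HEADER.pack(b".data", len(DATA_BYTES), 0x2000, len(DATA_BYTES), data_off, 0, 0, 0, 0, rx | IMAGE_SCN_MEM_WRITE)
    return dos + b"PE\0\0" + coff + hdr_text + hdr_data + TEXT_BYTES + DATA_BYTES


if __name__ == "__main__":
    print(format_report(parse_sections(build_sample_pe())))
```

Run against the real file with parse_sections(open("exp.exe", "rb").read()) to check the hashes in the table above; a .data section whose VSize exceeds its raw size, as here, is normal (uninitialised data) and is deliberately not flagged unless the section is also executable.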

PE Resources 6

Name Language Sublanguage Offset Size Data
PNG LANG_RUSSIAN SUBLANG_NEUTRAL 0x6518c 5545
RT_ICON LANG_RUSSIAN SUBLANG_NEUTRAL 0x6bea8 15729
RT_DIALOG LANG_RUSSIAN SUBLANG_NEUTRAL 0x70568 586
RT_STRING LANG_RUSSIAN SUBLANG_NEUTRAL 0x717ac 230
RT_GROUP_ICON LANG_RUSSIAN SUBLANG_NEUTRAL 0x71894 104
RT_MANIFEST LANG_RUSSIAN SUBLANG_NEUTRAL 0x718fc 1875

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Both matches are PEiD-style compiler signatures for the Visual C++ 8 (2005) linker, not packers; no packer or protector signature was matched, which agrees with the standard section layout and the 0 suspicious sections above.

Anti debug functions 6

All six of the imports below are pulled in by the startup and error-handling code of every Visual C++ build (the security-cookie and unhandled-exception handlers and the CPU-feature checks), so their presence in the import table does not by itself show deliberate anti-debugging; a call to IsDebuggerPresent from the program's own code would have to be confirmed in a disassembler.

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

The nselib/data/... paths are Nmap NSE library data files, ~nsu.tmp and the http://nsis.sf.net/NSIS_Error URL listed further below are Nullsoft (NSIS) installer strings, and winrarsfxmappingfile.tmp is a WinRAR self-extractor string. A 37 MB binary carrying all three is consistent with an installer or SFX wrapper around a larger package, so the dropped contents, not only this container, need to be examined.

Temporary
%s.%d.tmp
winrarsfxmappingfile.tmp
~nsu.tmp
Database
nselib/data/mgroupnames.db
scripts/script.db
Text
"nselib/data/enterprise_numbers.txt
v1.txt
nselib/data/rtsp-urls.txt
nselib/data/http-folders.txt
nselib/data/tftplist.txt
!nselib/data/jdwp-class/README.txt
Library
Crypt32.dll
peerdist.dll
msasn1.dll
profapi.dll
RpcRtRemote.dll
sfc_os.dll
XmlLite.dll
USERENV.dll
ntmarta.dll
rasadhlp.dll
mscoree.dll
mlang.dll
cryptsp.dll
linkinfo.dll
UxTheme.dll
imageres.dll
shdocvw.dll
cscapi.dll
usp10.dll
wkscli.dll
devrtl.dll
secur32.dll
wintrust.dll
atl.dll
WINNSI.DLL
rsaenh.dll
riched20.dll
comres.dll
cryptui.dll
ntshrui.dll
slc.dll
oleaccrc.dll
PSAPI.DLL
propsys.dll
NETAPI32.dll
aclui.dll
dhcpcsvc6.dll
cryptbase.dll
ws2help.dll
SHELL32.dll
samlib.dll
KERNEL32.dll
VERSION.dll
dwmapi.dll
cabinet.dll
MPR.dll
WS2_32.dll
WindowsCodecs.dll
dnsapi.dll
SSPICLI.DLL
samcli.dll
apphelp.dll
dfscli.dll
dsrole.dll
ieframe.dll
lpk.dll
netutils.dll
clbcatq.dll
dhcpcsvc.dll
IPHLPAPI.DLL
srvcli.dll
DXGIDebug.dll
browcli.dll
SETUPAPI.dll
gdiplus.dll
COMDLG32.dll
ADVAPI32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
SHLWAPI.dll
USER32.dll

Strings analysis - Possible IPs found 1

2.0.1.5 (dotted-quad match only; this has the shape of a version string and no host indicator in this report corresponds to it)

Strings analysis - Possible URLs found 3

http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://forum.oszone.net/thread-145766.html)
http://nsis.sf.net/NSIS_Error

Files with the same import hash 28

The import hash depends only on the ordered list of imported DLLs and functions, so every binary built with the same linker, runtime and import set collides; with a generic VC8 import table, the matches below (several of them named like installers and SFX archives) are weak evidence of shared authorship on their own.

Name Latest seen MD5
data64_6.exe 2022-09-27 07:17:02 ce4d1f93bec113f67c6dad4decaf91ef
NEWSXE.exe 2022-09-30 13:03:04 7241c4a2af9e08ca229912f6c95c72fe
rain2.exe 2022-10-04 13:30:03 bcaa63ad616001ffee657820abeca703
djlexa.exe 2022-10-06 04:20:07 760971f4f588d25fcb74938cc7b778d9
Request%20for%20Quotation.pdf.exe 2022-10-21 09:33:03 85e85028b0d5399456477b6ad7678d34
Video%20Sample.mp4.exe 2022-10-21 10:32:04 8b87d2daee425e6dea0290289fe1314b
data64_5.exe 2022-10-23 20:19:04 0b78f1fbaa652cc5887c785615238eb1
Setup.exe 2022-11-11 10:29:10 7333eda68c433a1ad5502c4712f350aa
2423.sfx.exe 2022-11-15 08:19:08 a8b5a827e530c0eccd598e882c45ee16
Installerx64.exe 2022-11-20 17:13:02 592bef1e0325ada505ec4875d5727bc1
socks5-clean.exe 2022-11-30 07:54:02 ad0cfa2c62b36b79affcd0c3133d3ac2
linda5.exe 2022-12-17 18:02:02 6631b01813159c78c44c377cf8326a39
Desktopl.exe 2023-01-27 06:05:02 a53466fc1c01a7fa4ac637e46c8ca0cd
cdfdghgf.exe 2023-02-02 15:44:02 90eb893c66efe4e796330b770c4d8d93
psftp.exe 2023-02-03 14:02:04 006dce47dafae390008388b5f15c8df2
93.exe 2023-03-18 07:52:03 ef96161362524c8c286e952471f9fa1a
98.exe 2023-03-24 08:01:04 719082dcc3c017e5b675c8b9ec74b6a1
crypt.exe 2023-03-27 10:59:02 9ca296392ffda3a2168b2c8e38423f88
main.exe 2023-04-03 14:54:30 07c9d25aeb2b712910258043749c7023
setup.exe 2023-04-21 17:53:03 9f390e9ca00464a6f7e1ce321baceb22
Halkbank.exe 2023-05-04 06:16:02 43da6da02ab057b4b4b100c727b3fc69
STnew.exe 2023-05-14 00:14:01 b5b1d0c96ca3f5d17eac8afabafc8eff
wdagad.exe 2023-05-23 04:13:01 79931719ae9c21e1d8c5f1a419e85f71
updater.exe 2023-05-27 00:32:02 da9c79f7e1fb381ce030fbfc31d3af6a
7e8e3c8b54a3dd86e1b6afb3300169b0f41449d860921fef25d1038c26215f3f6f88efa1616203fc5b51 2023-06-04 15:41:03 c4b9d83a65b7a0b05d7d24d4abcb29ae
mig_rdp.exe 2024-07-04 07:29:05 a2059ca7715450dc171f7608325744da
dccrypt.exe 2024-08-25 13:02:02 55398a65a9d1abb512e943a0d8901cb0
LAST.exe 2024-08-27 11:57:02 0e920b7f4b09bf94d31434676eeb0225