b1.exe

First submission 2022-08-02 07:13:31

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
File type:	504.68 KB (516792 bytes)
Compile time:	2021-09-25 23:56:47
MD5:	268e27279cffcb8765360a52bc44785f
SHA1:	17e0b8fe9acfd1776a1566ce5ed6f051f7e0f91f
SHA256:	e14a079d5b6a7ee69fad8577c089a2c1cad0d3c8152d5cadda836930bff2a40a
Import Hash :	61259b55b8912888e90f516ca08dc514
Sections 5	.text .rdata .data .ndata .rsrc
Directories 3	import resource security
Virus Total:	2/70 VT report date: 2022-08-02 05:00:00

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://files.ddrive.online/b1.exe	files.ddrive.online	2022-08-02 07:13:31

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x6676	26624	55517dc6ad93689679677d152abfdd1ce20f1135	6f5abe9eeda26ee84b3c1ed1a6c82001
.rdata	0x8000	0x139a	5120	dc4f14d019cad6646b38852dfb7370532acafebc	8c5edfd8ff9cc0135e197611be38ca18
.data	0xa000	0x20378	1536	f45486287d474fdcafc99c24e37c4eb61bf613b3	4b2421975c21b032f7ea000f5e7f9fbf
.ndata	0x2b000	0x36000	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.rsrc	0x61000	0x1cca8	118272	78879eab85371c8ba807c7f00437470146ae7d80	89bd623f521266a8685f878d86d65650

PE Resources 5

Name	Language	Sublanguage	Offset	Size	Data
RT_BITMAP	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x61358	872	PE Resource: RT_BITMAP - Data (`wwwwww}wwwwww}wwwwww}wwwwww}wwwwww}}}}}} } } }wwwwp}wwwwp} } } }}wwwwp}wwwp} } } w}wwwwp}xwwp} } } ww}}wwwwp}wp} } } ww}wwwwp}xwp} } } ww}}wwwwp}wp} } } w}wwwwp}wwxp} } } w}wwwwp}wwwp} } } }wwwwp}wwwxp} } } }wwwwp}wwwwp}}}}}}}}}}}
RT_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x7ced0	1128	PE Resource: RT_ICON - Data ( @zzzt,5{{{jjjzzz>```DDDFFFAAA555KKK?mmm333222...$$!!!fff?\YYY&&&!!!JJJ?qqq333///)))EZZZ?YYYWWWTTTQQQIII888&&&?fffaaa___\\\YYYUUURRRYY?rrriiiff5dddaaa^^^___FFFEkkkqqqnnnkkkiiiuuuCCChuuuxxxuuusssuuucccXvvv\|\|zzzWWWO}}}UUUQQQbbbMMM;;;N444<----
RT_DIALOG	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x7d8a8	96
RT_GROUP_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x7d908	90
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x7d968	830	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.08</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>

Anti debug functions 2

FindWindowExW
GetLastError

File signature

MD5	SHA1	Block size	Virtual Address
ff32db1e3efbf678632395e157de805f	80dfddacaa80aa705c5a0f0dd98914cbf28711ac	6896	509896

Strings analysis - File found

Library
%s%s.dll
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
ole32.dll
USER32.dll
GDI32.dll
KERNEL32.dll

Strings analysis - Possible URLs found 9

http://s.symcb.com/universal-root.crl0
https://d.symcb.com/cps0%
http://s.symcd.com06
http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
http://nsis.sf.net/NSIS_Error
https://d.symcb.com/rpa0@
http://ts-ocsp.ws.symantec.com0;
https://d.symcb.com/rpa0.
http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0

Import functions

KERNEL32.dll 65 SHELL32.dll 6 ADVAPI32.dll 13 USER32.dll 64 COMCTL32.dll 4 GDI32.dll 8 ole32.dll 5

Function	Address	Souspicious	Anti Debug
GetExitCodeProcess	0x408070
WaitForSingleObject	0x408074
GetModuleHandleA	0x408078
GetProcAddress	0x40807c
GetSystemDirectoryW	0x408080
lstrcatW	0x408084
Sleep	0x408088
lstrcpyA	0x40808c
WriteFile	0x408090
GetTempFileNameW	0x408094
lstrcmpiA	0x408098
RemoveDirectoryW	0x40809c
CreateProcessW	0x4080a0
CreateDirectoryW	0x4080a4
GetLastError	0x4080a8
CreateThread	0x4080ac
GlobalLock	0x4080b0
GlobalUnlock	0x4080b4
GetDiskFreeSpaceW	0x4080b8
WideCharToMultiByte	0x4080bc
lstrcpynW	0x4080c0
lstrlenW	0x4080c4
SetErrorMode	0x4080c8
GetVersionExW	0x4080cc
GetCommandLineW	0x4080d0
GetTempPathW	0x4080d4
GetWindowsDirectoryW	0x4080d8
SetEnvironmentVariableW	0x4080dc
CopyFileW	0x4080e0
ExitProcess	0x4080e4
GetCurrentProcess	0x4080e8
GetModuleFileNameW	0x4080ec
GetFileSize	0x4080f0
CreateFileW	0x4080f4
GetTickCount	0x4080f8
MulDiv	0x4080fc
SetFileAttributesW	0x408100
GetFileAttributesW	0x408104
SetCurrentDirectoryW	0x408108
MoveFileW	0x40810c
GetFullPathNameW	0x408110
GetShortPathNameW	0x408114
SearchPathW	0x408118
CompareFileTime	0x40811c
SetFileTime	0x408120
CloseHandle	0x408124
lstrcmpiW	0x408128
lstrcmpW	0x40812c
ExpandEnvironmentStringsW	0x408130
GlobalFree	0x408134
GlobalAlloc	0x408138
GetModuleHandleW	0x40813c
LoadLibraryExW	0x408140
MoveFileExW	0x408144
FreeLibrary	0x408148
WritePrivateProfileStringW	0x40814c
GetPrivateProfileStringW	0x408150
lstrlenA	0x408154
MultiByteToWideChar	0x408158
ReadFile	0x40815c
SetFilePointer	0x408160
FindClose	0x408164
FindNextFileW	0x408168
FindFirstFileW	0x40816c
DeleteFileW	0x408170

Function	Address	Souspicious	Anti Debug
SHGetSpecialFolderLocation	0x408178
SHFileOperationW	0x40817c
SHBrowseForFolderW	0x408180
SHGetPathFromIDListW	0x408184
ShellExecuteExW	0x408188
SHGetFileInfoW	0x40818c

Function	Address	Souspicious	Anti Debug
RegCreateKeyExW	0x408000
RegEnumKeyW	0x408004
RegQueryValueExW	0x408008
RegSetValueExW	0x40800c
RegCloseKey	0x408010
RegDeleteValueW	0x408014
RegDeleteKeyW	0x408018
AdjustTokenPrivileges	0x40801c
LookupPrivilegeValueW	0x408020
OpenProcessToken	0x408024
SetFileSecurityW	0x408028
RegOpenKeyExW	0x40802c
RegEnumValueW	0x408030

Function	Address	Souspicious	Anti Debug
GetClientRect	0x408194
EndPaint	0x408198
DrawTextW	0x40819c
IsWindowEnabled	0x4081a0
DispatchMessageW	0x4081a4
wsprintfA	0x4081a8
CharNextA	0x4081ac
CharPrevW	0x4081b0
MessageBoxIndirectW	0x4081b4
GetDlgItemTextW	0x4081b8
SetDlgItemTextW	0x4081bc
GetSystemMetrics	0x4081c0
FillRect	0x4081c4
AppendMenuW	0x4081c8
TrackPopupMenu	0x4081cc
OpenClipboard	0x4081d0
SetClipboardData	0x4081d4
CloseClipboard	0x4081d8
IsWindowVisible	0x4081dc
CallWindowProcW	0x4081e0
GetMessagePos	0x4081e4
CheckDlgButton	0x4081e8
LoadCursorW	0x4081ec
SetCursor	0x4081f0
GetSysColor	0x4081f4
SetWindowPos	0x4081f8
GetWindowLongW	0x4081fc
PeekMessageW	0x408200
SetClassLongW	0x408204
GetSystemMenu	0x408208
EnableMenuItem	0x40820c
GetWindowRect	0x408210
ScreenToClient	0x408214
EndDialog	0x408218
RegisterClassW	0x40821c
SystemParametersInfoW	0x408220
CreateWindowExW	0x408224
GetClassInfoW	0x408228
DialogBoxParamW	0x40822c
CharNextW	0x408230
ExitWindowsEx	0x408234
DestroyWindow	0x408238
CreateDialogParamW	0x40823c
SetTimer	0x408240
SetWindowTextW	0x408244
PostQuitMessage	0x408248
SetForegroundWindow	0x40824c
ShowWindow	0x408250
wsprintfW	0x408254
SendMessageTimeoutW	0x408258
FindWindowExW	0x40825c
IsWindow	0x408260
GetDlgItem	0x408264
SetWindowLongW	0x408268
LoadImageW	0x40826c
GetDC	0x408270
ReleaseDC	0x408274
EnableWindow	0x408278
InvalidateRect	0x40827c
SendMessageW	0x408280
DefWindowProcW	0x408284
BeginPaint	0x408288
EmptyClipboard	0x40828c
CreatePopupMenu	0x408290

Function	Address	Souspicious	Anti Debug
None	0x408038
ImageList_Create	0x40803c
ImageList_Destroy	0x408040
ImageList_AddMasked	0x408044

Function	Address	Souspicious	Anti Debug
SetBkMode	0x40804c
SetBkColor	0x408050
GetDeviceCaps	0x408054
CreateFontIndirectW	0x408058
CreateBrushIndirect	0x40805c
DeleteObject	0x408060
SetTextColor	0x408064
SelectObject	0x408068

Function	Address	Souspicious	Anti Debug
OleInitialize	0x408298
OleUninitialize	0x40829c
CoCreateInstance	0x4082a0
IIDFromString	0x4082a4
CoTaskMemFree	0x4082a8

Name	Latest seen	MD5
vbc.exe	2022-03-22 21:32:04	a7ff9d6ac75f5a8e46de69043e142416
Equivoluminal6.exe	2022-03-27 19:39:02	37ad1e65666e75dbe7235a60e5e2a09a
vbc.exe	2022-04-05 20:36:02	21d9fd5a0644c27d57f9b39cec04d780
Reported.exe	2022-04-22 18:23:02	dd7dc45de8376c2698113dbd4be04871
bena.exe	2022-04-25 17:17:02	03a7feb739f98820f92e25fe8d8d55a9
vgp.exe	2022-04-26 18:33:02	5bc069f8644f6e6ad5a1df00def3ae51
mic.exe	2022-04-26 19:24:02	4a039ccf1c333214953856f96659e016
d1.exe	2022-05-05 08:10:02	2d7346894efa8803eaa27ef2f2f723b9
d2.exe	2022-05-05 08:11:01	eabd968d3bd07d857e816b7e8c4fb006
EF.exe	2022-05-05 08:17:01	e6858850ced6520506513ea119640e65
m3.exe	2022-05-05 08:20:01	8f18bb71f42a1eb3fdb1de3ee5f6d06b
vbc.exe	2022-05-10 13:02:02	643eead21d07a4bb7c11bb4c7459f898
vbc.exe	2022-05-10 13:03:03	54b3f1c51ae8550134a0d40970b455a9
o1.exe	2022-05-10 13:48:02	8413d6561a7cea036bcb55ce3739c927
vbc.exe	2022-05-10 14:04:02	33096629a4f1afa66342a3eb9ba3a09e
vbc.exe	2022-05-10 14:09:03	cd3ce7188d4c93259f0524b8087a207d
vbc.exe	2022-05-10 17:34:02	8727321276f756618f961727765b792c
vbc.exe	2022-05-10 17:35:02	9eb9e0b2d312768914016744d9361751
duk.exe	2022-05-10 17:40:03	1fb45ed5a8de2d0818db9cc1051ccaad
vbc.exe	2022-05-10 17:42:03	f35d4b7708578a4ad7f16a1c51d41eda
vbc.exe	2022-05-10 19:58:03	c33d399c78bbc6d5f34b50759ce3deda
vbc.exe	2022-05-10 19:59:02	e854767c8344eb7087eb6fb00e078efc
vbc.exe	2022-05-10 20:28:03	8b9e4e9b0b4d1548e9ea574d984991d4
kotr.exe	2022-05-11 17:04:08	a0f036baaf9746f735f4b256c985515c
nedx.exe	2022-05-12 08:42:02	98a602591bf121ef9282ce623291a941
Scan_load.exe	2022-05-12 09:44:02	b116243ed4215cbcb325a827d11cdc68
vbc.exe	2022-05-12 09:45:02	63024416555335f0668d2450f16fed17
vbc.exe	2022-05-12 09:46:04	b78bacf2638d6457c841f5de45d34f24
vbc.exe	2022-05-12 09:49:02	3f4a3a3a87472b777905e5908b6762a6
vbc.exe	2022-05-12 09:50:02	706a52c35a1c1186de5b098fd6cafd8f
SCAN9.exe	2022-05-12 09:53:02	a1e007787cbe3d27a07fbeb2cb0956ad
scrss.exe	2022-05-12 09:55:03	6cc7f4dc6d60f6b01b7164532f4d4fe6
vbc.exe	2022-05-12 09:58:03	b09f17c52adfbbf6c3e91e84a404b112
sepat.exe	2022-05-12 10:00:04	bd445ce54588f3ea14c6ef52fe6470e7
vbc.exe	2022-05-12 11:21:02	bce919cf4fa0ea578e827b11c9966dad
vbc.exe	2022-05-12 11:23:02	0af7fbb3b5a2a7059555859c4c1db8f9
vbc.exe	2022-05-12 11:25:02	c85a753c46e005748eb59d6d062d596c
vbc.exe	2022-05-12 11:26:02	2c24fa42140a8a16f3777173a2d3f0ab
vbc.exe	2022-05-12 11:27:02	5aced01eb87f9b45da181121f2c5f510
vbc.exe	2022-05-12 12:29:04	d9a63266613ba6cc68ac317ef99f5fdd
vbc.exe	2022-05-12 20:30:02	e647eb555d9cabaf7997da05d2195ad0
vbc.exe	2022-05-12 20:50:02	0eb62853b63f5276c9eb21fff540c8be
vbc.exe	2022-05-12 21:08:02	5d27e82459861cbe558cbe64f1a94b70
vbc.exe	2022-05-12 21:25:03	7d230009eab36798f73226c3adc7ac8e
vbc.exe	2022-05-12 21:26:03	98f9e6fdd56e13f7cedb352712cdcccb
vbc.exe	2022-05-12 21:28:02	4b29dbf34a5049758ec7e986a6a85c7f
vbc.exe	2022-05-12 22:26:03	9c62175af4cb7d4581c22df0555e0c0a
copy_load.exe	2022-05-13 17:15:02	b5691d968eccd79d3b535e2686cb1a03
vbc.exe	2022-05-13 17:25:02	f850bf6bfd9be6aa4d73b6a026986c29
vbc.exe	2022-05-13 17:26:02	21f7996aa488b062d4c0725eb6f23b2c
vbc.exe	2022-05-13 17:28:02	69250f55fbfe48822c838b4eeaf33a0a
BUSY.exe	2022-05-13 17:29:03	029bbe98a216416eb698ca543a5c0830
vbc.exe	2022-05-13 17:30:03	e437b563de87f3d825a87269e16fdd50
vbc.exe	2022-05-13 18:53:04	5af1c7dd89a535dee51c3e28b4a74f8d
vbc.exe	2022-05-14 15:38:02	de76ef6a11a63efc00b0303888bc0b7f
vbc.exe	2022-05-16 00:01:02	3fe3699a62de454defd75c884f72dfee
vbc.exe	2022-05-16 07:43:02	e95ec4d6653fd04defa43e0503d4314a
vbc.exe	2022-05-16 11:33:02	4f2b5d6712ca51ba7619581acc9e6c06
Swift0022.exe	2022-05-16 15:09:02	6b652bdcd4da5e522480b3175938b26c
vbc.exe	2022-05-16 15:10:02	62a3e5d4ed5c3edf4f5b2aa432511a84
vbc.exe	2022-05-16 15:24:01	b6a0b45c78db4ee37368efd93ecfffac
vbc.exe	2022-05-16 15:26:02	2d4739ab2d34eec849d903e05e8e0eb4
vbc.exe	2022-05-17 08:31:02	8118e5d37ebfabb1c197b307bb5d6e43
vbc.exe	2022-05-17 10:38:02	38e8bb23fbdf63faa5c2c8729ac52f9e
jnstp.exe	2022-05-17 11:44:05	f32d1f6e94da654932e73e42f0f4773a
vbc.exe	2022-05-17 11:46:02	4e1ea6968374c2122d2fe747e4bfbb79
vbc.exe	2022-05-17 11:49:02	401d189e5da7d6d6d490a4ed29a5538a
maxva.exe	2022-05-17 11:56:07	1f1cd20b6c5e777bc87e3e7b1722563c
Swift%20Payment%20Copy%200522.exe	2022-05-17 12:59:02	86bbe0769ec9dfc1477801e40aa65d85
vbc.exe	2022-05-17 17:58:02	e78afca36c1a8c02b8adca514a527e05
vbc.exe	2022-05-18 05:31:02	8933cba2367b3dff27fb3f09822cba40
PO4550358074.exe	2022-05-18 16:38:02	ed9c16720462e8381b5048cd57be1532
po%20kipo000903%20%20(%20kind122822%20).exe	2022-05-18 19:13:02	22bde89a8afcad7436370bcbc8a6b1ea
dj.exe	2022-05-18 19:47:03	dd6738b8bd7f1450c7c21f6bd71b6fa2
koboko.exe	2022-05-19 09:02:05	57e6d8c2eb8585c0250814c8a8be2b9b
vbc.exe	2022-05-19 16:31:02	851bfdd07219ce507c79fa16dc106490
vbc.exe	2022-05-19 16:37:01	c3d24ca1d36fa354df3de6ca57a979d4
domla.exe	2022-05-19 17:26:06	aee375e4146251b66ba38231c842eb87
vbc.exe	2022-05-19 18:16:02	d85f82b6c267725dbef70ba110f5b972
vbc.exe	2022-05-19 18:19:02	4e59abfcc6537ad26941fa659093991f
vbc.exe	2022-05-19 18:29:02	0c5c5af36d67e89a321bff54e6f6e431
vbc.exe	2022-05-19 21:00:03	0d5c12ef90391b5bfc0dedeca59476b6
vbc.exe	2022-05-19 21:22:03	e2af2968f48cda473f9d64b989c4e2da
vbc.exe	2022-05-20 01:47:02	aa6422a82c0bf522ed68ecbedf0755c4
vbc.exe	2022-05-20 03:56:01	7b7351bdf7eec81ce0dcb0c1cdd097b8
vbc.exe	2022-05-20 03:58:02	fefc83495ed902d83c464f33c73be672
vbc.exe	2022-05-20 03:59:01	3369ce745b233c6036e13b9b9cea8478
vbc.exe	2022-05-20 20:58:03	8133ee977a0f5e8649fdf16976ff84fc
o1.exe	2022-05-21 01:11:02	00a05a9a172996c6178c6800c9971b09
abl.exe	2022-05-24 22:26:02	f46edbe315ff60d02ce7c243edda1072
droidttrre.exe	2022-05-25 22:48:02	2a384e15f8133c8b9ecefa4da1d96cee
Lifeleaf2.exe	2022-05-26 04:41:02	09d431a8321ec75d7ff057787c319897
Quo1.exe	2022-05-31 16:33:02	cb9459350c5e818cb575633db0a416b8
Qu2.exe	2022-05-31 16:35:02	607f782a718c2472fdcba8740677d2a1
vbc.exe	2022-06-07 19:05:03	72e4ed6e48b1e928279015c70d7f3aa6
vbc.exe	2022-06-10 05:04:03	7e9add08e21c0191128a77f1115eb03f
vbc.exe	2022-06-14 10:26:02	38a9d938eee5ea7e6533c84ddd8d0aa2
vbc.exe	2022-06-14 12:02:03	b68226a19cd3638b4c4e91cbae5352f3
Kyssene3.exe	2022-06-21 12:28:07	c37e6f5da00efca227af3989fbc79748
vbc.exe	2022-06-22 23:51:02	c348de43b0f16779c94ed0d15185e675
zolotink.exe	2022-07-01 12:05:02	6afcd8e27e808d0453012d342d666c92
ussfe3.exe	2022-07-01 12:07:02	c129048556088244b16d23deb7720e4b
vbc.exe	2022-07-04 20:52:03	0e7a3eeac6f7b7e5d2ebe6b603c8374d
mee.exe	2022-07-04 20:53:03	2ccb4fdc466c751e7f2114ae1bc2e413
vbc.exe	2022-07-05 17:51:02	7a6a3cba11533760965c27a15a921668
a1.exe	2022-08-02 07:16:38	aa849555aeb4215ef866b999ec67824c
abc.exe	2022-08-04 23:29:05	13d3828002bbe548ed0b85321e15c72c
se.exe	2022-08-05 01:40:02	977f07ae0d305258efd0012996fc3b24

b1.exe

File details

File features detected

URLs, FQDN and IP indicators 1

PE Sections 1 suspicious

PE Resources 5

Anti debug functions 2

File signature

Strings analysis - File found

Strings analysis - Possible URLs found 9

Import functions

Related files by ImpHash 108 61259b55b8912888e90f516ca08dc514