66d5edf357fbf_BitcoinCore.exe

First submission 2024-09-03 18:13:04

File details

File type: PE32+ executable (GUI) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 13681.5 KB (14009856 bytes)
Compile time: 2024-09-02 17:27:16
MD5: 26dc83cd26d56041c731e497b96a8a73
SHA1: 5338d1bc7da69233af80ca7ef13fa1dacfc0748c
SHA256: b8927abe41a230bb684bcd01fa78d688ccf6c0df1c2177a46510b76df9f6ea6a
Import Hash : 7b4ee4fbf146cc8e12b3508ce0a506fa
Sections 11 .text .data .bss .idata .didata .edata .tls .rdata .reloc .pdata .rsrc
Directories 5 import export resource tls relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

VirusTotal: 12/79 (VT report date: 2024-09-03 17:36:32)
Malware Type 1: trojan
Threat Type 2: filerepmalware, sleepobf

URLs, FQDN and IP indicators 1

URL:            hXXp://147.45.44.104/yuop/66d5edf357fbf_BitcoinCore.exe
Host (FQDN/IP): 147.45.44.104
Date Added:     2024-09-03 18:13:04

PE Sections 3 suspicious

Name     VAddress   VSize      Size      SHA1                                      MD5                               Suspicious
.text    0x1000     0x8c0e80   9179136   9d803fe46d972aa5a1c7889f4ff38402add006bc  247c398e0b735526ee759df3463d71cd
.data    0x8c2000   0xbc068    770560    b566004b2770d0f5c9cd770d339f59a1a2d3cd16  6e195073213d6267150a089c735d3f2a
.bss     0x97f000   0x1f25c    0         da39a3ee5e6b4b0d3255bfef95601890afd80709  d41d8cd98f00b204e9800998ecf8427e
.idata   0x99f000   0x50c8     20992     0f0b3b69428fbb25a57d33482bdfb020fd9590c3  9ade7bb775e1a3e4a7f4456d4a692680
.didata  0x9a5000   0x914c     37376     49be1f1e93ae26c8a3c2e817aafdc536d1910b8a  ef598eec5be4dcb9eb6bf645673e5dbe
.edata   0x9af000   0xa0       512       7f88c3a710134aefe5844065c7a304d732b66ad3  80f01ac0cc50876df562e44f11824ecd
.tls     0x9b0000   0x370      0         da39a3ee5e6b4b0d3255bfef95601890afd80709  d41d8cd98f00b204e9800998ecf8427e
.rdata   0x9b1000   0x6d       512       2bea7635136f19974688ba0a0603c8a0e47227ff  0ed31f376accdf24b8bcb9484d4548cf
.reloc   0x9b2000   0x7abec    502784    90e41023b3495240c747ba01608a659d813b198f  6b4f29c9363f2b265c6aa617d37db81f
.pdata   0xa2d000   0x71850    465408    652114c10bbef4bcfd7f6e0f665d5069890055f3  57c89100c5bd279dee09986f3f7007e1
.rsrc    0xa9f000   0x2e4200   3031552   105669acbc6616a7ccff96d093bcea5e9184ad9e  35ead7210865796665726ca5728608b7

PE Resources 7

Name             Language       Sublanguage            Offset     Size     Data
RT_CURSOR        LANG_ENGLISH   SUBLANG_ENGLISH_US     0xaa070c   308
RT_ICON          LANG_CATALAN   SUBLANG_ARABIC_LIBYA   0xaa0840   67624
RT_STRING        LANG_NEUTRAL   SUBLANG_NEUTRAL        0xabe91c   796
RT_RCDATA        LANG_ENGLISH   SUBLANG_ENGLISH_US     0xd2d4d8   350221
RT_GROUP_CURSOR  LANG_ENGLISH   SUBLANG_ENGLISH_US     0xd82d60   20
RT_GROUP_ICON    LANG_CATALAN   SUBLANG_ARABIC_LIBYA   0xd82d74   20
RT_VERSION       LANG_NEUTRAL   SUBLANG_NEUTRAL        0xd82d88   740

Meta infos 9

LegalCopyright: Copyright (C) 2005-2014. All rights reserved.
InternalName: 1StepDVDCopy.exe
FileVersion: 4.5.4.1
CompanyName:
ProductVersion: 4.5.4.1
FileDescription: 1StepDVDCopy.exe
Translation: 0x0000 0x04b0
OriginalFilename: 1StepDVDCopy.exe
ProductName:

Anti debug functions 8

FindWindowExW
FindWindowW
GetLastError
GetWindowThreadProcessId
IsDebuggerPresent
OutputDebugStringW
RaiseException
UnhandledExceptionFilter

Anti debug functions 1

VMCheck.dll

Strings analysis - File found

Database
Data.DB
Library
d2d1.dll
USER32.dll
KERNEL32.dll
UxTheme.dll
d3d10_1.dll
COMCTL32.dll
DWrite.dll
ole32.dll
IMM32.dll
d3d11.dll
OLEAUT32.dll
d3d10.dll
WINMM.dll
WTSAPI32.dll
WindowsCodecs.dll
MSVCRT.dll
COMDLG32.dll
MSIMG32.dll
dwmapi.dll
ADVAPI32.dll
GDI32.dll
gdiplus.dll
VERSION.dll
d3d9.dll
SHELL32.dll

Strings analysis - Possible IPs found 2

4.5.4.1
3.0.0.16

Strings analysis - Possible URLs found 3

http://support.microsoft.com/kb/239114
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23734
http://www.microsoft.com/download/en/details.aspx?id=13255zJRO.JetEngine

Import functions

PE Exports 3 suspicious

Function                        Address
TMethodImplementationIntercept  0x4a3e00
__dbk_fcall_wrapper             0x417dd0
dbkFCallWrapperAddr             0xd83f58