167.exe

First submission 2023-09-16 11:34:02

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	268.5 KB (274944 bytes)
Compile time:	2023-01-18 19:20:24
MD5:	29df412b9bddce9b6080d7fe66610868
SHA1:	500fc57fe1af43a9a13878ff08a2ce6a2969dfbc
SHA256:	a5e7f0781b82d2f124bd113e2be8df4e6bdf61b1b25b31ad813b41336a174844
Import Hash :	be971270bdc2a8fd4ff1ab41bb993dd1
Sections 3	.text .data .rsrc
Directories 2	import resource
Virus Total:	33/71 VT report date: 2023-09-15 21:48:39

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://h170703.srv22.test-hf.su/167.exe	h170703.srv22.test-hf.su	2023-09-16 11:34:02

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x1ecb8	126464	701789b37d4ce4305ddb28e6276f79664456b825	2564ea597fcd5a22208bf2adf53149dd
.data	0x20000	0x2e2dcc	92160	948e9a89fd5c3204296f866f886b853b37eb40ed	00bf0273259e796adfcd49552fc9c504
.rsrc	0x303000	0xd770	55296	e5b412dc21d57c11cd7aa082152bd308e3ca26e5	4e81654c14be88fea5a8ca8bc88aa9b1

PE Resources 6

Name	Language	Sublanguage	Offset	Size	Data
RT_CURSOR	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x30f338	2216	PE Resource: RT_CURSOR - Data ( @888AAAJJJMMMTTTppp/-P?pQcv1Qq,/KPhp1Qq/!P7pLcy1Qq/Pp",6@J[1qQq/Pp =1[Qyq/"P0p=LYgx1Qq&/@PZpt1Qq/&PAp[t1Qq/P"p0>M[iy1Qq/Pp >1\Qzq/Pp!+6@IZ1pQq/ P6pLbx1Qq,/KPip1Qq/-P?pRcv1Qq/Pp!&,>X1qQq ?
RT_ICON	LANG_SINDHI	SUBLANG_SYS_DEFAULT	0x30ee58	1128
RT_STRING	LANG_SINDHI	SUBLANG_SYS_DEFAULT	0x3102b0	1216	PE Resource: RT_STRING - Data 2Beketowifope feme mugaxozad govuve rubeyanopinuvuxGLuhomijiruwaki jenine jidiratako xaba retacototevoh wuro haworaz telavu&Gina dok yunitabapopox yiliverefubizek"Pehuxe diwiyoyizis lepamaxurulunixZRinisipade varivabusoxa xud peranatanux kaxiramavuk tata vulom picenanafow tib selulazefinJud vadajuruboneAGov nexemewetupu xaxoxej peru xupitosetejirup nojifuguyimuj pajahXasutete?Yerehezuse fecuwegijusih sejab ruvu mizovapomod xow xofofefudodMWuheluj tijusobocin xuhoni xak banovara wezayatafiyaw webivevamazowu jewaduxePNohitolegar cuzixu suyot xokuyaser hukafifig tipapuxofumoga rivabibixosuzi rihem
RT_GROUP_CURSOR	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x30fbe0	20
RT_GROUP_ICON	LANG_SINDHI	SUBLANG_SYS_DEFAULT	0x308aa0	90
RT_VERSION	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x30fbf8	644	PE Resource: RT_VERSION - Data 4VS_VERSION_INFOD<?StringFileInfo029385B3: CompanyNamePhunderstuck< FileDescriptionsAnybodies: FileVersions49.51.44.114: InternalNameCascader.exeNLegalCopyrightsChallangers bottle,ProductNameBonni<ProductVersion17.25.64.30DVarFileInfo$TranslationN

Meta infos 8

InternalName:	Cascader.exe
FileVersions:	49.51.44.114
LegalCopyrights:	Challangers bottle
CompanyName:	Phunderstuck
ProductVersion:	17.25.64.30
FileDescriptions:	Anybodies
Translation:	0x124e 0x03fe
ProductName:	Bonni

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Anti debug functions 6

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Library
WUSER32.DLL
KERNEL32.dll
mscoree.dll
ADVAPI32.dll
SHELL32.dll
WINHTTP.dll
USER32.dll
ole32.dll
GDI32.dll

Strings analysis - Possible IPs found 2

49.51.44.114
17.25.64.30

Import functions

GDI32.dll 3 SHELL32.dll 1 KERNEL32.dll 124 ADVAPI32.dll 1 ole32.dll 1 USER32.dll 2 WINHTTP.dll 1

Function	Address	Souspicious	Anti Debug
GetCharWidthW	0x401008
GetTextFaceW	0x40100c
SelectPalette	0x401010

Function	Address	Souspicious	Anti Debug
DragFinish	0x40120c

Function	Address	Souspicious	Anti Debug
GetNumaProcessorNode	0x401018
MoveFileExA	0x40101c
BuildCommDCBAndTimeoutsA	0x401020
SystemTimeToTzSpecificLocalTime	0x401024
InterlockedDecrement	0x401028
SetDefaultCommConfigW	0x40102c
GetEnvironmentStringsW	0x401030
SetConsoleScreenBufferSize	0x401034
AddConsoleAliasW	0x401038
SetVolumeMountPointW	0x40103c
BackupSeek	0x401040
GetModuleHandleW	0x401044
GenerateConsoleCtrlEvent	0x401048
GetNumberFormatA	0x40104c
SetFileTime	0x401050
GetConsoleAliasExesW	0x401054
EnumTimeFormatsA	0x401058
GetCommandLineA	0x40105c
GetDriveTypeA	0x401060
GetEnvironmentStrings	0x401064
GetPrivateProfileIntA	0x401068
LoadLibraryW	0x40106c
TerminateThread	0x401070
FatalAppExitW	0x401074
CopyFileW	0x401078
SetConsoleCP	0x40107c
GetVolumePathNameA	0x401080
GetStartupInfoW	0x401084
CreateMailslotW	0x401088
CreateJobObjectA	0x40108c
InterlockedExchange	0x401090
SetThreadLocale	0x401094
OpenMutexW	0x401098
GetConsoleAliasesLengthW	0x40109c
GetLastError	0x4010a0
GetCurrentDirectoryW	0x4010a4
SetLastError	0x4010a8
PeekConsoleInputW	0x4010ac
EnumSystemCodePagesW	0x4010b0
LoadLibraryA	0x4010b4
GetProcessId	0x4010b8
InterlockedExchangeAdd	0x4010bc
LocalAlloc	0x4010c0
GetFileType	0x4010c4
RemoveDirectoryW	0x4010c8
GetProfileStringA	0x4010cc
FindNextChangeNotification	0x4010d0
FindAtomA	0x4010d4
GlobalWire	0x4010d8
EnumDateFormatsA	0x4010dc
GetModuleHandleA	0x4010e0
SetLocaleInfoW	0x4010e4
FreeEnvironmentStringsW	0x4010e8
FindNextFileW	0x4010ec
VirtualProtect	0x4010f0
GetCurrentDirectoryA	0x4010f4
EnumDateFormatsW	0x4010f8
GetShortPathNameW	0x4010fc
OpenSemaphoreW	0x401100
FindAtomW	0x401104
GetWindowsDirectoryW	0x401108
FindFirstVolumeW	0x40110c
DeleteFileW	0x401110
CreateFileW	0x401114
EnumCalendarInfoA	0x401118
GetCommandLineW	0x40111c
FindFirstFileW	0x401120
EnumResourceNamesW	0x401124
GetComputerNameA	0x401128
GetHandleInformation	0x40112c
ReadFile	0x401130
FlushFileBuffers	0x401134
GetStringTypeW	0x401138
LCMapStringW	0x40113c
HeapFree	0x401140
HeapAlloc	0x401144
GetProcAddress	0x401148
ExitProcess	0x40114c
DecodePointer	0x401150
DeleteFileA	0x401154
EncodePointer	0x401158
HeapReAlloc	0x40115c
HeapSetInformation	0x401160
RaiseException	0x401164
UnhandledExceptionFilter	0x401168
SetUnhandledExceptionFilter	0x40116c
IsDebuggerPresent	0x401170
TerminateProcess	0x401174
GetCurrentProcess	0x401178
IsProcessorFeaturePresent	0x40117c
HeapCreate	0x401180
WriteFile	0x401184
GetStdHandle	0x401188
GetModuleFileNameW	0x40118c
EnterCriticalSection	0x401190
LeaveCriticalSection	0x401194
InitializeCriticalSectionAndSpinCount	0x401198
DeleteCriticalSection	0x40119c
TlsAlloc	0x4011a0
TlsGetValue	0x4011a4
TlsSetValue	0x4011a8
TlsFree	0x4011ac
InterlockedIncrement	0x4011b0
GetCurrentThreadId	0x4011b4
Sleep	0x4011b8
HeapSize	0x4011bc
SetHandleCount	0x4011c0
QueryPerformanceCounter	0x4011c4
GetTickCount	0x4011c8
GetCurrentProcessId	0x4011cc
GetSystemTimeAsFileTime	0x4011d0
SetFilePointer	0x4011d4
WideCharToMultiByte	0x4011d8
GetConsoleCP	0x4011dc
GetConsoleMode	0x4011e0
GetCPInfo	0x4011e4
GetACP	0x4011e8
GetOEMCP	0x4011ec
IsValidCodePage	0x4011f0
RtlUnwind	0x4011f4
MultiByteToWideChar	0x4011f8
SetStdHandle	0x4011fc
WriteConsoleW	0x401200
CloseHandle	0x401204

Function	Address	Souspicious	Anti Debug
LookupAccountSidW	0x401000

Function	Address	Souspicious	Anti Debug
CoGetInstanceFromFile	0x401228

Function	Address	Souspicious	Anti Debug
GetListBoxInfo	0x401214
CharUpperW	0x401218

Function	Address	Souspicious	Anti Debug
WinHttpWriteData	0x401220