66df4cfda9a79_software.exe

First submission 2024-09-28 02:07:05

File details

File type: PE32+ executable (GUI) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 18417.5 KB (18859520 bytes)
Compile time: 1970-01-01 01:00:00
MD5: 2e4c46fcdaaaa624bd6f37075077b972
SHA1: f01defbf5deff0b4feccc768d41d75cb3a4a2feb
SHA256: d1dd535854368f8445b62566c7e3c8c9299df68c5e5d7813d71f90d1a6cec5ee
Import Hash : 07361a3a7f515bf56ca93120b2aca73b
Sections (15): .text, .rdata, .data, .pdata, .xdata, /4, /19, /32, /46, /65, /78, /90, .idata, .reloc, .symtab
Directories (2): import, relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 40/77 (VT report date: 2024-09-17 05:51:06)
Malware Type (3): trojan, pua, banker
Threat Type (3): express, gost, qypkr

URLs, FQDN and IP indicators (1)

URL Host (FQDN/IP) Date Added
hXXp://147.45.44.104/prog/66df4cfda9a79_software.exe 147.45.44.104 2024-09-28 02:07:05

PE Sections (6 suspicious)

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x624480 6440448 5f889ba7030907542d83eae48d88fd4820b85243 8f5933d3c8eca1d4f6fa5d0af8fa6df2
.rdata 0x626000 0x5c7788 6060032 a5fc35110e6b4f82a6f67d07b2767685468966ed 288077a05ff8777e8cf6271930754397
.data 0xbee000 0x125b10 503808 af5c262aa53760e2c167ece3d42d0e45d97d3c4f a64277f19c0044e492ba0620fa38e563
.pdata 0xd14000 0x227b8 141312 bc60129df1abf1c25647fd026eb9971e4873b4fd 9bbd4c68c28c12d900d6b568b2655c67
.xdata 0xd37000 0xc0 512 a58e8851d94320179dbf946a940dad595255fabc 1e0fd4d1a22f2b6f405e95c965d139df
/4 0xd38000 0x129 512 65d9dc4d3d6c051bd184fe655ee41925f867957c 17f62672c8506464ae13eccc2eb6cb94
/19 0xd39000 0xeb008 963072 1b4dc6de52ba5bb5f016e8434e211ec0558791b2 79f63354823bfe2d479f5f18eb40f8b6
/32 0xe25000 0x35869 219648 a3456c9c6e17faf045d1eebdeefc85174211585e 4ef8c84c7ff0a22e8490cac5b6dad03c
/46 0xe5b000 0x2a 512 5c31bb8cb4724831186f4adf11b6a46cba1b7936 56d08c10aa9e5c0c3680f67f8992b3d4
/65 0xe5c000 0x1a8a93 1739776 ef2e456622fc1e31fbebf858ebca566ea7161987 8d0c35b18aaa3844d5f0d627830f7043
/78 0x1005000 0x1372df 1274880 46e160f2122e3af84eb8f83ed3ee8085a0b59702 77b5f5cd06a7b4be4dce6c2a96e43647
/90 0x113d000 0x552a7 349184 86eb30704169741b08ebb5745b114f1e0ba63afc 3044c6906cd3880eddfdb99820b7861d
.idata 0x1193000 0x590 1536 1483fd9cd93268e963dea3e2989c393c31ba8273 5148c0b29526ab5f590073fc437fdd88
.reloc 0x1194000 0x1c150 115200 5cb089061b1b2835a2b85c3efbbe2b2377aecd37 ea76633517d82f5a9bf6815442c5bad0
.symtab 0x11b1000 0xffbf1 1047552 84c102fab51cb765508ec1fbb57633d6f853ce3a 7d9e6941220441a08f58d3befbb13b6f

Anti debug functions (2)

Virtual Box
Bochs & QEmu CPUID Trick

Strings analysis - File found

Executable
unicode.So
Log
github.com/quic-go/quic-go/internal/wire.(*ExtendedHeader).Log
github.com/go-log/log.Log
math.Log
github.com/go-log/log.(*noOpLogger).Log
github.com/ginuerzh/gost.(*LogLogger).Log
Package
L.apk
Text
*dns.TXT
Library
WS2_32.dll
WINMM.dll
ntdll.dll
bcryptprimitives.dll
Powrprof.dll
*syscall.DLL
*windows.DLL
type:.eq.syscall.DLL
type:.eq.golang.org/x/sys/windows.DLL
KERNEL32.dll

Strings analysis - Possible IPs found (15)


Strings analysis - Possible URLs found (5)

http:///update/record
https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
http://secretstimeoutnodelayssh_keybacklogderivedInitialEd25519MD2-RSAMD5-RSAserial:number
https://L9
https://github.com/quic-go/quic-go/wiki/LoggingDisabling

Import functions

Name Latest seen MD5
ngrok.exe 2024-07-04 18:42:05 56d222d5febef9fb176df8c79d28c8ae
ngrok.exe 2024-07-04 18:44:09 fe94c576b99dcc99b1c82fce00af97ab
bandwidth_monitor.exe 2024-09-27 16:35:02 19fce7cfdad7e67cd8b36d39bf80f648