66df4cfda9a79_software.exe
First submission 2024-09-28 02:07:05
File details
Field | Value |
---|---|
File type | PE32+ executable (GUI) x86-64, for MS Windows |
Mime type | application/x-dosexec |
File size | 18417.5 KB (18859520 bytes) |
Compile time | 1970-01-01 01:00:00 |
MD5 | 2e4c46fcdaaaa624bd6f37075077b972 |
SHA1 | f01defbf5deff0b4feccc768d41d75cb3a4a2feb |
SHA256 | d1dd535854368f8445b62566c7e3c8c9299df68c5e5d7813d71f90d1a6cec5ee |
Import Hash | 07361a3a7f515bf56ca93120b2aca73b |
Sections (15) | .text .rdata .data .pdata .xdata /4 /19 /32 /46 /65 /78 /90 .idata .reloc .symtab |
Directories (2) | import relocation |
File features detected
Is DLL
Packers
Anti Debug
Signed
XOR
OSINT Enrichments
Field | Value |
---|---|
Virus Total | 40/77 (VT report date: 2024-09-17 05:51:06) |
Malware Type (3) | trojan pua banker |
Threat Type (3) | express gost qypkr |
URLs, FQDN and IP indicators 1
PE Sections 6 suspicious
Name | VAddress | VSize | Size | SHA1 | MD5 | Suspicious |
---|---|---|---|---|---|---|
.text | 0x1000 | 0x624480 | 6440448 | 5f889ba7030907542d83eae48d88fd4820b85243 | 8f5933d3c8eca1d4f6fa5d0af8fa6df2 | |
.rdata | 0x626000 | 0x5c7788 | 6060032 | a5fc35110e6b4f82a6f67d07b2767685468966ed | 288077a05ff8777e8cf6271930754397 | |
.data | 0xbee000 | 0x125b10 | 503808 | af5c262aa53760e2c167ece3d42d0e45d97d3c4f | a64277f19c0044e492ba0620fa38e563 | |
.pdata | 0xd14000 | 0x227b8 | 141312 | bc60129df1abf1c25647fd026eb9971e4873b4fd | 9bbd4c68c28c12d900d6b568b2655c67 | |
.xdata | 0xd37000 | 0xc0 | 512 | a58e8851d94320179dbf946a940dad595255fabc | 1e0fd4d1a22f2b6f405e95c965d139df | |
/4 | 0xd38000 | 0x129 | 512 | 65d9dc4d3d6c051bd184fe655ee41925f867957c | 17f62672c8506464ae13eccc2eb6cb94 | |
/19 | 0xd39000 | 0xeb008 | 963072 | 1b4dc6de52ba5bb5f016e8434e211ec0558791b2 | 79f63354823bfe2d479f5f18eb40f8b6 | |
/32 | 0xe25000 | 0x35869 | 219648 | a3456c9c6e17faf045d1eebdeefc85174211585e | 4ef8c84c7ff0a22e8490cac5b6dad03c | |
/46 | 0xe5b000 | 0x2a | 512 | 5c31bb8cb4724831186f4adf11b6a46cba1b7936 | 56d08c10aa9e5c0c3680f67f8992b3d4 | |
/65 | 0xe5c000 | 0x1a8a93 | 1739776 | ef2e456622fc1e31fbebf858ebca566ea7161987 | 8d0c35b18aaa3844d5f0d627830f7043 | |
/78 | 0x1005000 | 0x1372df | 1274880 | 46e160f2122e3af84eb8f83ed3ee8085a0b59702 | 77b5f5cd06a7b4be4dce6c2a96e43647 | |
/90 | 0x113d000 | 0x552a7 | 349184 | 86eb30704169741b08ebb5745b114f1e0ba63afc | 3044c6906cd3880eddfdb99820b7861d | |
.idata | 0x1193000 | 0x590 | 1536 | 1483fd9cd93268e963dea3e2989c393c31ba8273 | 5148c0b29526ab5f590073fc437fdd88 | |
.reloc | 0x1194000 | 0x1c150 | 115200 | 5cb089061b1b2835a2b85c3efbbe2b2377aecd37 | ea76633517d82f5a9bf6815442c5bad0 | |
.symtab | 0x11b1000 | 0xffbf1 | 1047552 | 84c102fab51cb765508ec1fbb57633d6f853ce3a | 7d9e6941220441a08f58d3befbb13b6f | |
Anti debug functions 2
Virtual Box
Bochs & QEmu CPUID Trick
Strings analysis - File found
Category | Matched string |
---|---|
Executable | unicode.So |
Log | github.com/quic-go/quic-go/internal/wire.(*ExtendedHeader).Log |
Log | github.com/go-log/log.Log |
Log | math.Log |
Log | github.com/go-log/log.(*noOpLogger).Log |
Log | github.com/ginuerzh/gost.(*LogLogger).Log |
Package | L.apk |
Text | *dns.TXT |
Library | WS2_32.dll |
Library | WINMM.dll |
Library | ntdll.dll |
Library | bcryptprimitives.dll |
Library | Powrprof.dll |
Library | *syscall.DLL |
Library | *windows.DLL |
Library | type:.eq.syscall.DLL |
Library | type:.eq.golang.org/x/sys/windows.DLL |
Library | KERNEL32.dll |
Strings analysis - Possible IPs found 15
Strings analysis - Possible URLs found 5
http:///update/record |
https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes |
http://secretstimeoutnodelayssh_keybacklogderivedInitialEd25519MD2-RSAMD5-RSAserial:number |
https://L9 |
https://github.com/quic-go/quic-go/wiki/LoggingDisabling |
Import functions
Name | Latest seen | MD5 |
---|---|---|
ngrok.exe | 2024-07-04 18:42:05 | 56d222d5febef9fb176df8c79d28c8ae |
ngrok.exe | 2024-07-04 18:44:09 | fe94c576b99dcc99b1c82fce00af97ab |
bandwidth_monitor.exe | 2024-09-27 16:35:02 | 19fce7cfdad7e67cd8b36d39bf80f648 |