Team.exe

First submission: 2024-08-27 12:01:03 | Last submission: 2024-09-02 00:29:03

File details

File type: PE32+ executable (GUI) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 14711.0 KB (15064064 bytes)
Compile time: 2024-08-03 20:14:03
MD5: 2f208b17f8bda673f6b4f0dacf43d1bf
SHA1: 5131b890e8f91770039a889e72464b5ce411c412
SHA256: 1fc3e92f7f30f4f68861d3ceb8284853ae30c11cbd0ed3e46ea9eb698b3ec348
Import Hash : c346eaddb975f381aa1bae852c6a8010
Sections 11 .text .data .bss .idata .didata .edata .tls .rdata .reloc .pdata .rsrc
Directories 5 import export resource tls relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 57/79 VT report date: 2024-08-19 04:08:29
Malware Type 1 trojan
Threat Type 3 sleepobf tedy privateloader

URLs, FQDN and IP indicators 2

URL | Host (FQDN/IP) | Date Added
hXXps://financemen.net/inc/Team.exe | financemen.net | 2024-09-02 00:29:05
hXXps://specialcoupons.top/inc/Team.exe | specialcoupons.top | 2024-09-01 22:12:05

PE Sections 3 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x9ac910 10144256 2fbc34625a37126b331fb8b22488d4b82a7ac0bb 8a12cec75fa1b7f6ab032c3e493d1f0a
.data 0x9ae000 0xd2400 861184 c4f2ff3f5c77d1b5866f271b19aaf7023d8936e9 70ed1f8f3c87e24e69b4d4ebec9e4398
.bss 0xa81000 0x1f25c 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.idata 0xaa1000 0x5218 21504 de6fb7db9cca48e59c504fc2d7dcecc11224df37 5985df0a5deb48b68547a75c2e640373
.didata 0xaa7000 0x914c 37376 094b1cf4b9df15e30c4a4b5243495af48c8978f4 55b869781b877ba3330f2bb7a526c96e
.edata 0xab1000 0x9d 512 22a11d49d448e76d8cfc9fff68424da21868f33b 6ca90f14a252f412224132f03ba6b1e7
.tls 0xab2000 0x370 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xab3000 0x6d 512 357f037b28d370c177fdd3d634cc028cfb407d5f 1c329feaa686b2968bdf6490e85c9c08
.reloc 0xab4000 0x857a4 546816 002e21f4341e065d7b5c54af83454fe5ecb8119f da187b9748370297723c12d51c93a24b
.pdata 0xb3a000 0x80214 525312 c635297e166c1a79cc46ed55c2c2fb590ef49d9d cfd7216651ecdfb829ae803f99fd9521
.rsrc 0xbbb000 0x2ca400 2925568 43300288417b449d77504852991fb20fba67e061 b2ac0d75453b8148ad11568fa2523c77

PE Resources 7

Name Language Sublanguage Offset Size Data
RT_CURSOR LANG_ENGLISH SUBLANG_ENGLISH_US 0xbbc6e4 308
RT_ICON LANG_BULGARIAN SUBLANG_DEFAULT 0xbbc818 67624
RT_STRING LANG_NEUTRAL SUBLANG_NEUTRAL 0xbdb698 796
RT_RCDATA LANG_ENGLISH SUBLANG_ENGLISH_US 0xe2f894 350221
RT_GROUP_CURSOR LANG_ENGLISH SUBLANG_ENGLISH_US 0xe8511c 20
RT_GROUP_ICON LANG_BULGARIAN SUBLANG_DEFAULT 0xe85130 20
RT_VERSION LANG_ENGLISH SUBLANG_ENGLISH_US 0xe85144 616

Meta info 7

InternalName: 3nity cd dvd burner
FileVersion: 3.4.0.28
CompanyName: 3nity softwares
ProductVersion: 3.4.0.28
FileDescription: 3nity cd dvd burner
Translation: 0x0409 0x04e4
ProductName: 3nity cd dvd burner

Anti debug functions 8

FindWindowExW
FindWindowW
GetLastError
GetWindowThreadProcessId
IsDebuggerPresent
OutputDebugStringW
RaiseException
UnhandledExceptionFilter

Anti VM functions 1

VMCheck.dll

Strings analysis - File found

Database
Data.DB
Library
d2d1.dll
USER32.dll
KERNEL32.dll
UxTheme.dll
d3d10_1.dll
COMCTL32.dll
DWrite.dll
ole32.dll
IMM32.dll
d3d11.dll
OLEAUT32.dll
d3d10.dll
WINMM.dll
WTSAPI32.dll
MSVCRT.dll
COMDLG32.dll
MSIMG32.dll
dwmapi.dll
ADVAPI32.dll
GDI32.dll
gdiplus.dll
WindowsCodecs.dll
VERSION.dll
d3d9.dll
SHELL32.dll

Strings analysis - Possible IPs found 2

3.4.0.28
3.0.0.16

Strings analysis - Possible URLs found 3

http://support.microsoft.com/kb/239114
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23734
http://www.microsoft.com/download/en/details.aspx?id=13255zJRO.JetEngine

Import functions

PE Exports 3 suspicious

Function Address
TMethodImplementationIntercept 0x4a7420
__dbk_fcall_wrapper 0x4180f0
dbkFCallWrapperAddr 0xe85f58