20230120_1.bin

First submission 2024-10-17 17:52:05

File details

File type:	PE32+ executable (native) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	160.41 KB (164256 bytes)
Compile time:	2023-01-20 15:21:06
MD5:	2f3fd904ea51687468b39b707a1587a4
SHA1:	812c11f12e90fda91a15dd8db576dd7f1a0a947a
SHA256:	d7ac8ffc3d50c9be9dabacbef939d960a414e89ea2185860064c918b8762788c
Import Hash :	118a2343ba7a5763d9034e65dcc58b46
Sections 7	.text .rdata .data .pdata INIT .reloc
Directories 3	import relocation security

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URL	Host (FQDN/IP)	Date Added
hXXp://124.248.65.242:8899/sys/20230120_1.bin	124.248.65.242	2024-10-17 17:52:05

PE Sections 3 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x1c46	7680	85f97df56955cbc5168e3cbf70b625c835df6f4f	29c14e5a94f817e41a889a9d14bc67a6
.rdata	0x3000	0x63c	2048	f5669dd430e1861e0cc69cb871c4809eb96158e1	83ab56e7cd477e14ae1ea4e2df86ede3
.data	0x4000	0x1be30	114688	3a774e26d13861fb095e27d008659cc0e6f1945e	83b0cb3c380086bd5049046dfe036ab0
.pdata	0x20000	0x198	512	7055b154f6924777ac4f39c99fea67a33d05cc24	150aad2bbe68275ee35b3e24cdbdbb23
INIT	0x21000	0x432	1536	f996478714ae1dbdf99daf9998f786dfaa59d7ce	d7406036dd7ca4d76ef2bddc3ba589a3
	0x22000	0x3340	13312	7f69da48a5d625068951f0c06f5bef8010684726	128bfe3c607755eb6cf99ed4f1eb2cd1
.reloc	0x26000	0x14	512	c0484f20718fe1e57bcded0867bcb9a8dee3ca49	cfae0cacdcb3dbfdeeeb0ed3040da6c2

ZwQueryInformationFile

Virtual Box

MD5	SHA1	Block size	Virtual Address
d8ff06b8bb1c2eba0b61ac37c789160b	4016fb0a88661bce7ed00ac28deb38e3a0109ad0	22944	141312

http://subca.ocsp-certum.com01
http://ocsp.verisign.com0
https://www.verisign.com/rpa
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
https://www.verisign.com/rpa0
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
http://subca.ocsp-certum.com02
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0
http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
http://crl.verisign.com/pca3-g5.crl04
http://ccsca2021.ocsp-certum.com05
http://repository.certum.pl/ctnca2.cer09
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
http://ocsp.verisign.com0;
https://www.verisign.com/cps0
http://ocsp.digicert.com0C
http://ocsp.digicert.com0A
https://www.certum.pl/CPS0
http://repository.certum.pl/ccsca2021.cer0
http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
http://ocsp.digicert.com0X
http://repository.certum.pl/ctnca.cer09
http://crl.certum.pl/ctnca2.crl0l
http://logo.verisign.com/vslogo.gif04
http://www.certum.pl/CPS0
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
http://csc3-2010-aia.verisign.com/CSC3-2010.cer0
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
http://crl.certum.pl/ctnca.crl0k

cng.sys 6 ntoskrnl.exe 26

Function	Address	Souspicious	Anti Debug
BCryptSetProperty	0x140003000
BCryptCloseAlgorithmProvider	0x140003008
BCryptGenerateSymmetricKey	0x140003010
BCryptDecrypt	0x140003018
BCryptDestroyKey	0x140003020
BCryptOpenAlgorithmProvider	0x140003028

Function	Address	Souspicious	Anti Debug
RtlInitUnicodeString	0x140003038
KeWaitForSingleObject	0x140003040
ExAllocatePoolWithTag	0x140003048
ExFreePoolWithTag	0x140003050
MmGetSystemRoutineAddress	0x140003058
MmProtectMdlSystemAddress	0x140003060
MmMapLockedPagesSpecifyCache	0x140003068
MmAllocatePagesForMdlEx	0x140003070
PsCreateSystemThread	0x140003078
ObReferenceObjectByHandle	0x140003080
ObReferenceObjectByHandleWithTag	0x140003088
ObCloseHandle	0x140003090
ObfDereferenceObject	0x140003098
ZwCreateFile	0x1400030a0
ZwReadFile	0x1400030a8
ZwWriteFile	0x1400030b0
ZwClose	0x1400030b8
MmIsAddressValid	0x1400030c0
IoCreateFileEx	0x1400030c8
MmFlushImageSection	0x1400030d0
ZwDeleteFile	0x1400030d8
IoFileObjectType	0x1400030e0
RtlGetVersion	0x1400030e8
ZwQueryInformationFile	0x1400030f0
MmGetVirtualForPhysical	0x1400030f8
KeBugCheckEx	0x140003100