Setup2.exe

First submission 2024-09-02 04:35:02

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 6495.34 KB (6651227 bytes)
Compile time: 2024-08-16 16:43:57
MD5: 37263ede84012177cab167dc23457074
SHA1: 5905e3b2db8ff152a7f43f339c053e1d43b44dfc
SHA256: 9afd9e70b6f166cfc6de30e206dff5963073a6faeff5bcc93ee131df79894fc2
Import Hash: 92a00f4d0a4448266e9c638fdb1341b9
Sections 18 .text .data .rdata /4 .bss .edata .idata .CRT .tls .reloc /14 /29 /41 /55 /67 /80 /91 /102
Directories 4 import export tls relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 53/79 VT report date: 2024-08-26 09:36:57
Malware Type 1 trojan
Threat Type 3 cryptbot stealer cryptnot

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXps://www.financesunion.com/inc/Setup2.exe www.financesunion.com 2024-09-02 04:35:02

PE Sections 3 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x47da24 4709376 1ca9d52ce1a8eb456ff4085b3da6f2ef3f95cb02 46f0747e5398871426bb7b18008cac90
.data 0x47f000 0x1988 6656 9b4b3f742c659157257f1dbdfd586435f5b51ba0 88750a2553822943af47dce6f7e6678a
.rdata 0x481000 0x9858 39424 1426f8d86303ee917d12654ab8cf11fc6c8bf00a d91b0819aecfd62617b80a163864c649
/4 0x48b000 0x3a89c 240128 dcafffdfac79e310c300ee7da14fc798155dd375 60605cc7e9299d6194231fce078de3b2
.bss 0x4c6000 0x66e1b4 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.edata 0xb35000 0x42 512 b2deb4cacfc1cd3e627efcb2163e53be9cc528f4 2bc92a4aaa9233fcf652e9c1284b341a
.idata 0xb36000 0x9e4 2560 654d4f5bf4b87060b12cc2f67b1ea5597eb477d5 b1228e1778cee4a27a9695b10b9a20a3
.CRT 0xb37000 0x34 512 a58d8ce3769756dea67f6f84aec3ba938c6103a7 732f396854e5023ba4e2913660c241cd
.tls 0xb38000 0x8 512 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 bf619eac0cdf3f68d496ea9344137e8b
.reloc 0xb39000 0xe253c 927232 079ddf49428a535f8546ed8cc67dda7c47c47b0e 044015bc9b143b81499d125973bdeeea
/14 0xc1c000 0x690 2048 50d3857e0b5bcd4200030177ffe4231a197f5f29 94ca038fad4664166af1196f0a717029
/29 0xc1d000 0x1a7c4 108544 50826c3ea5d56b312586935e21981cb61d836bb8 56ba4804c4d83a56337ff28318d29d21
/41 0xc38000 0x4c58 19968 fb6ead9a0e642a028053a8961438bfa38bf25b29 c272f07e704eb90e2b6c4c9bad844e11
/55 0xc3d000 0xe342 58368 16543d4b2ae4aba5aa329892c3e2a316683d1a94 d39686b489a93cc4870fb4b0f4cf3c09
/67 0xc4c000 0x1d54 7680 894587ed6d3d8572dc6af48c7c44cb5591ea6fa5 88ca0279c1622da4e6e9d7fbccb1d09b
/80 0xc4e000 0x961 2560 5f2f92f9b72b2e930692b83babedcc49bf76f473 9109961d3d1231997c8aa80b9ef91e44
/91 0xc4f000 0x18b05 101376 4e16e7e77ef3736928886a32c2a4472f5fa9f104 61331789fad328be2cd11ec960abac21
/102 0xc68000 0x11c0 4608 00bbc1be3808524e04d2188a8e429639cf719222 acb9037b7b793eae32ab82637f1d257e

Anti debug functions 1

GetLastError

Anti VM functions 1

VMCheck.dll

Strings analysis - File found

Data
wallet.dat
Database
key4.db
key3.db
Library
MSVCRT.dll
emsvcrt.dll
SHELL32.dll
KERNEL32.dll
libgcc_s_dw2-1.dll
gdhiseUGdkaaPtjfUmTn.dll

Strings analysis - Possible URLs found 1

https://update-ledger.net/update

Import functions

PE Exports 1 suspicious

Function Address
Main 0x53814a

Name Latest seen MD5
1111.exe 2024-08-25 13:19:03 d2f4d9f256c7535760e18337e4076d9c
Set-up.exe 2024-08-25 18:47:06 ee1442544088c8a6ac94e0a849cbcce2
channel.exe 2024-08-25 20:41:08 51dd8d9912686daa950d583dad0aa631
S%D0%B5tu%D1%80111.exe 2024-08-26 13:24:05 9436c63eb99d4933ec7ffd0661639cbe
Channel1.exe 2024-08-27 11:03:04 703bea610f53655fa0014b93f0fa4b7e
clcs.exe 2024-08-27 11:24:04 5f5eb3caf593e33ff2fd4b82db11084a
joffer2.exe 2024-08-31 16:14:04 243fc7bd91c9718a35f0d32303055695