ledd.exe

First submission 2022-08-03 19:46:02

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
File type:	464.0 KB (475136 bytes)
Compile time:	2022-05-20 18:04:59
MD5:	381174065c50d595ce1655c6ff6da73c
SHA1:	95b87d2e1e144703b6b91909cf6eb74e0487b4e4
SHA256:	b835148de603d2b447a2dbe2212a2457e59146e7fc059e27f2a802c8fcb4f7a8
Import Hash :	a7296afab03588778ff3a4f804abab68
Sections 7	.text .rdata .data .tls .gfids .rsrc .reloc
Directories 5	import resource debug tls relocation
Virus Total:	52/71 VT report date: 2022-08-03 15:06:57

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXps://jg.studio/ledd.exe	jg.studio	2022-08-03 19:46:02

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x52ebd	339968	1d55ddc5f1f9583556e20c90875411370df93dc1	b995649520c85ae9a9af377cafacc12d
.rdata	0x54000	0x17086	94720	4ed820c836eee7791674d551a3766b53bd2fa1da	06804dd1755eec5f08876eca920460cb
.data	0x6c000	0x3fbc	3584	50a146c96317ac8ea2dbe3e9a5aed1110ad1d572	5efecb64d7e39f8a6babfd004f924b54
.tls	0x70000	0x9	512	aa0d33a0c854e073439067876e932688b65cb6a9	1f354d76203061bfdd5a53dae48d5435
.gfids	0x71000	0x230	1024	2558eec229bcb9979a3fb3808d931b3b0f01277b	2201d87bb0078cd63aec6df95ae82258
.rsrc	0x72000	0x4b88	19456	a93f9510c737ba09ea26b0e613fa81858116e8a3	841672ad5e7061918b3ae81bdeb668c5
.reloc	0x77000	0x3898	14848	80894f91c33c3538cd995da19003bafbadd46807	ba4fa7506c7ef42ea4732ffaa2916ca9

PE Resources 3

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_ITALIAN	SUBLANG_ITALIAN	0x74024	9640	PE Resource: RT_ICON - Data (0` %zzwwvvuuuurrrrpp}oo\|nnzmmxmmskkvqqs'%%f^^333RRRQQQQQQQQQQQQKMMqqJIIPPPQQQQQQQQQSSSCCCvvvttttttttttttrssrrdccttttttttttttwww"""\\\666lllCCCdddfffdddcccbbb^__jbbwwFGGKKKKKKJJJKKK???vvuyyxxwwxxlccyllrrSQQ{\|\|EFFuuu&&NQ\|}~ 02Cm$ Sb (?V+WTn%5Is' U!I2d3f _ EF< %7;<H25' #d!fL j%Y]^N`Q>]^ TSh ga [9 3bv"-K-,- in$!%x,U - p7)534 L;k!G\|1<j$YO2h"$<h:l!Fm!ep#e & '$ #$!'+/)(0, !#.0132,$-04544>v(Y&() Q/ Vk$7q'~)0u : A>1h".3-7w#5'/#@ 1u%\|)y-j$/Un% D{,k4- h{w'c1\|&\|+S \|,}+c{(3 _6Yv)c!99 )+F,&!!8U75 +!! " '2! ~\|}\|{zxwxvwvtss}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}COMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMOCss[gg[[[
RT_RCDATA	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x765cc	1403	PE Resource: RT_RCDATA - Data H?;c$fEI]_dF/:Gs }aY33-}dHV nxa0bJRAc}^3=?6m^ 7PY,z<+ o?kBexx= \|_3uGu>LcXi$\|Huo~x<INPelYq}: +or&OP.-EsSjXbt = eaVM5c?~xM^ 8nV(<~V?jfP.;Fw\{pACj7JVnK;6@IF>V{5b3[JEq{X=pc8GU\7(d#UuD\|=[Cf :)z4%_"im)^]yKhGb9"[U,o#?84RzhlFUWjpv2d 5^uam7u?c:bhMG0jfS&W+b@1N N\Q?=nZImJujG!R[79G5 nJ m>s7Cnp+ N>)($F$-%Zn[A`7 "}J\N`B>$ kn(M}/v\0jjLZLk }(s2o%tq6?zZ [WxP[_gRb6Qfktq_:A9Q\j3y<v"=fvn3:Pq<D%wGU~/sC?]:#xnNqL\lt%Sx7@4&h+ 7:E oscDB=4?MUV7m_:Qeh<B@zwJ@ Fc~^e4Bi,t)xRRgIsGh@x T_wzwJP [O#[7liEzUl[`^ 8H~cz#7oEm[.MI;> UyT#\|zl7km +IWh#b=P!Xk2FoJ\|'
RT_GROUP_ICON	LANG_ITALIAN	SUBLANG_ITALIAN	0x76b48	62

Name

Language

Sublanguage

Offset

Size

Data

RT_ICON

LANG_ITALIAN

SUBLANG_ITALIAN

0x74024

9640

RT_RCDATA

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x765cc

1403

RT_GROUP_ICON

LANG_ITALIAN

SUBLANG_ITALIAN

0x76b48

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Anti debug functions 9

GetLastError
GetWindowThreadProcessId
IsDebuggerPresent
IsProcessorFeaturePresent
Process32FirstW
Process32NextW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Database
\key3.db
Text
\sysinfo.txt
license_code.txt
Library
mscoree.dll
KERNEL32.dll
SHLWAPI.dll
WINMM.dll
ntdll.dll
ADVAPI32.dll
USER32.dll
PSAPI.DLL
WININET.dll
SHELL32.dll
Powrprof.dll
gdiplus.dll
urlmon.dll
WS2_32.dll
GDI32.dll

Strings analysis - Possible URLs found 1

http://geoplugin.net/json.gp

Import functions

SHLWAPI.dll 3 urlmon.dll 2 KERNEL32.dll 155 gdiplus.dll 10 WS2_32.dll 17 WININET.dll 4 WINMM.dll 10 SHELL32.dll 4 USER32.dll 42 ADVAPI32.dll 33 GDI32.dll 9

Function	Address	Souspicious	Anti Debug
StrToIntA	0x454334
PathFileExistsW	0x454338
PathFileExistsA	0x45433c

Function	Address	Souspicious	Anti Debug
URLDownloadToFileW	0x4544a4
URLOpenBlockingStreamW	0x4544a8

Function	Address	Souspicious	Anti Debug
GetLocaleInfoA	0x4540b0
CreateToolhelp32Snapshot	0x4540b4
OpenMutexA	0x4540b8
Process32NextW	0x4540bc
LoadLibraryA	0x4540c0
Process32FirstW	0x4540c4
GetProcAddress	0x4540c8
VirtualProtect	0x4540cc
SetLastError	0x4540d0
VirtualFree	0x4540d4
VirtualAlloc	0x4540d8
GetNativeSystemInfo	0x4540dc
HeapAlloc	0x4540e0
GetProcessHeap	0x4540e4
FreeLibrary	0x4540e8
IsBadReadPtr	0x4540ec
GetTempPathW	0x4540f0
OpenProcess	0x4540f4
lstrcatW	0x4540f8
GetCurrentProcessId	0x4540fc
GetTempFileNameW	0x454100
GetCurrentProcess	0x454104
GetSystemDirectoryA	0x454108
GlobalAlloc	0x45410c
GlobalLock	0x454110
GetTickCount	0x454114
GlobalUnlock	0x454118
WriteProcessMemory	0x45411c
ResumeThread	0x454120
GetThreadContext	0x454124
VirtualAllocEx	0x454128
ReadProcessMemory	0x45412c
CreateProcessW	0x454130
SetThreadContext	0x454134
LocalAlloc	0x454138
GlobalFree	0x45413c
MulDiv	0x454140
SizeofResource	0x454144
GetLongPathNameW	0x454148
SetFilePointer	0x45414c
FindResourceA	0x454150
LockResource	0x454154
LoadResource	0x454158
LocalFree	0x45415c
FormatMessageA	0x454160
GetModuleFileNameA	0x454164
lstrcpynA	0x454168
CreateMutexA	0x45416c
QueryPerformanceFrequency	0x454170
QueryPerformanceCounter	0x454174
EnterCriticalSection	0x454178
LeaveCriticalSection	0x45417c
InitializeCriticalSection	0x454180
DeleteCriticalSection	0x454184
HeapSize	0x454188
WriteConsoleW	0x45418c
SetStdHandle	0x454190
SetEnvironmentVariableW	0x454194
SetEnvironmentVariableA	0x454198
FreeEnvironmentStringsW	0x45419c
GetEnvironmentStringsW	0x4541a0
GetCommandLineW	0x4541a4
GetCommandLineA	0x4541a8
GetOEMCP	0x4541ac
IsValidCodePage	0x4541b0
FindFirstFileExA	0x4541b4
ReadConsoleW	0x4541b8
GetConsoleMode	0x4541bc
GetConsoleCP	0x4541c0
FlushFileBuffers	0x4541c4
GetFileType	0x4541c8
GetTimeZoneInformation	0x4541cc
EnumSystemLocalesW	0x4541d0
GetUserDefaultLCID	0x4541d4
IsValidLocale	0x4541d8
GetTimeFormatW	0x4541dc
GetDateFormatW	0x4541e0
HeapReAlloc	0x4541e4
GetACP	0x4541e8
GetStdHandle	0x4541ec
GetModuleHandleExW	0x4541f0
MoveFileExW	0x4541f4
RtlUnwind	0x4541f8
RaiseException	0x4541fc
LoadLibraryExW	0x454200
GetCPInfo	0x454204
GetStringTypeW	0x454208
GetLocaleInfoW	0x45420c
LCMapStringW	0x454210
CompareStringW	0x454214
TlsFree	0x454218
CopyFileW	0x45421c
DeleteFileA	0x454220
ExpandEnvironmentStringsA	0x454224
FindNextFileA	0x454228
FindFirstFileA	0x45422c
GetFileSize	0x454230
TerminateThread	0x454234
GetLastError	0x454238
GetModuleHandleA	0x45423c
SetFileAttributesW	0x454240
CreateDirectoryW	0x454244
RemoveDirectoryW	0x454248
MoveFileW	0x45424c
SetFilePointerEx	0x454250
GetLogicalDriveStringsA	0x454254
DeleteFileW	0x454258
GetFileAttributesW	0x45425c
FindClose	0x454260
lstrlenA	0x454264
GetDriveTypeA	0x454268
FindNextFileW	0x45426c
GetFileSizeEx	0x454270
FindFirstFileW	0x454274
ExitProcess	0x454278
CreateProcessA	0x45427c
PeekNamedPipe	0x454280
CreatePipe	0x454284
TerminateProcess	0x454288
ReadFile	0x45428c
HeapFree	0x454290
HeapCreate	0x454294
CreateEventA	0x454298
GetLocalTime	0x45429c
CreateThread	0x4542a0
SetEvent	0x4542a4
CreateEventW	0x4542a8
WaitForSingleObject	0x4542ac
Sleep	0x4542b0
GetModuleFileNameW	0x4542b4
CloseHandle	0x4542b8
ExitThread	0x4542bc
CreateFileW	0x4542c0
WriteFile	0x4542c4
AllocConsole	0x4542c8
TlsSetValue	0x4542cc
TlsGetValue	0x4542d0
TlsAlloc	0x4542d4
InitializeCriticalSectionAndSpinCount	0x4542d8
MultiByteToWideChar	0x4542dc
DecodePointer	0x4542e0
EncodePointer	0x4542e4
WideCharToMultiByte	0x4542e8
InitializeSListHead	0x4542ec
GetSystemTimeAsFileTime	0x4542f0
GetCurrentThreadId	0x4542f4
IsProcessorFeaturePresent	0x4542f8
GetStartupInfoW	0x4542fc
SetUnhandledExceptionFilter	0x454300
UnhandledExceptionFilter	0x454304
IsDebuggerPresent	0x454308
GetModuleHandleW	0x45430c
WaitForSingleObjectEx	0x454310
ResetEvent	0x454314
SetEndOfFile	0x454318

Function	Address	Souspicious	Anti Debug
GdiplusStartup	0x454478
GdipGetImageEncoders	0x45447c
GdipCloneImage	0x454480
GdipAlloc	0x454484
GdipDisposeImage	0x454488
GdipFree	0x45448c
GdipGetImageEncodersSize	0x454490
GdipSaveImageToStream	0x454494
GdipSaveImageToFile	0x454498
GdipLoadImageFromStream	0x45449c

Function	Address	Souspicious	Anti Debug
recv	0x454430
connect	0x454434
socket	0x454438
send	0x45443c
WSAStartup	0x454440
closesocket	0x454444
inet_ntoa	0x454448
htons	0x45444c
htonl	0x454450
gethostbyname	0x454454
WSASetLastError	0x454458
inet_addr	0x45445c
gethostbyaddr	0x454460
getservbyport	0x454464
ntohs	0x454468
getservbyname	0x45446c
WSAGetLastError	0x454470

Function	Address	Souspicious	Anti Debug
InternetOpenUrlW	0x4543f0
InternetCloseHandle	0x4543f4
InternetReadFile	0x4543f8
InternetOpenW	0x4543fc

Function	Address	Souspicious	Anti Debug
waveInStop	0x454404
waveInClose	0x454408
waveInPrepareHeader	0x45440c
mciSendStringA	0x454410
waveInUnprepareHeader	0x454414
waveInOpen	0x454418
waveInStart	0x45441c
mciSendStringW	0x454420
waveInAddBuffer	0x454424
PlaySoundW	0x454428

Function	Address	Souspicious	Anti Debug
ShellExecuteExA	0x454320
Shell_NotifyIconA	0x454324
ExtractIconA	0x454328
ShellExecuteW	0x45432c

Function	Address	Souspicious	Anti Debug
GetKeyboardLayoutNameA	0x454344
GetKeyState	0x454348
GetWindowTextLengthW	0x45434c
GetWindowThreadProcessId	0x454350
SetForegroundWindow	0x454354
SetClipboardData	0x454358
EnumWindows	0x45435c
ExitWindowsEx	0x454360
TranslateMessage	0x454364
DispatchMessageA	0x454368
GetMessageA	0x45436c
GetWindowTextW	0x454370
wsprintfW	0x454374
GetClipboardData	0x454378
UnhookWindowsHookEx	0x45437c
GetForegroundWindow	0x454380
ToUnicodeEx	0x454384
GetKeyboardLayout	0x454388
SetWindowsHookExA	0x45438c
CloseClipboard	0x454390
OpenClipboard	0x454394
GetKeyboardState	0x454398
CallNextHookEx	0x45439c
GetIconInfo	0x4543a0
SystemParametersInfoW	0x4543a4
GetCursorPos	0x4543a8
RegisterClassExA	0x4543ac
AppendMenuA	0x4543b0
CreateWindowExA	0x4543b4
GetSystemMetrics	0x4543b8
DefWindowProcA	0x4543bc
TrackPopupMenu	0x4543c0
CreatePopupMenu	0x4543c4
DrawIcon	0x4543c8
mouse_event	0x4543cc
SendInput	0x4543d0
CloseWindow	0x4543d4
IsWindowVisible	0x4543d8
EmptyClipboard	0x4543dc
ShowWindow	0x4543e0
SetWindowTextW	0x4543e4
MessageBoxW	0x4543e8

Function	Address	Souspicious	Anti Debug
RegDeleteKeyA	0x454000
CryptAcquireContextA	0x454004
CryptGenRandom	0x454008
CryptReleaseContext	0x45400c
GetUserNameW	0x454010
RegEnumKeyExA	0x454014
QueryServiceStatus	0x454018
CloseServiceHandle	0x45401c
OpenSCManagerW	0x454020
OpenSCManagerA	0x454024
ControlService	0x454028
StartServiceW	0x45402c
QueryServiceConfigW	0x454030
ChangeServiceConfigW	0x454034
OpenServiceW	0x454038
EnumServicesStatusW	0x45403c
AdjustTokenPrivileges	0x454040
LookupPrivilegeValueA	0x454044
OpenProcessToken	0x454048
RegCreateKeyA	0x45404c
RegCloseKey	0x454050
RegQueryInfoKeyW	0x454054
RegQueryValueExA	0x454058
RegCreateKeyExW	0x45405c
RegEnumKeyExW	0x454060
RegSetValueExW	0x454064
RegSetValueExA	0x454068
RegOpenKeyExA	0x45406c
RegOpenKeyExW	0x454070
RegCreateKeyW	0x454074
RegDeleteValueW	0x454078
RegEnumValueW	0x45407c
RegQueryValueExW	0x454080

Function	Address	Souspicious	Anti Debug
SelectObject	0x454088
CreateCompatibleDC	0x45408c
StretchBlt	0x454090
GetDIBits	0x454094
DeleteDC	0x454098
DeleteObject	0x45409c
CreateDCA	0x4540a0
GetObjectA	0x4540a4
CreateCompatibleBitmap	0x4540a8

Name	Latest seen	MD5
vbc.exe	2022-06-09 12:08:02	76b266d47a00e0c91bfed96dc0d881ec
55555.exe	2022-06-18 08:45:03	edb7d4821efa469977296d4a1e443f9f
HpQzZ.exe	2022-06-24 22:08:03	1babe254a9d587f2449d2e0d564a757c
708.exe	2022-06-30 18:24:02	544952a372b29a3c32b18a2cf4579011
rFMBo.exe	2022-07-06 18:28:02	ae2ede7c8ca2b10dfe8f6285b349d2e3
vast.exe	2022-08-03 15:12:02	e896c66e66443d92a15a3866f29f99d0