cryptedBB.exe

First submission 2023-09-13 15:12:02

File details

File type:	PE32 executable (console) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	461.0 KB (472064 bytes)
Compile time:	2023-09-13 11:58:50
MD5:	3dd01710d9d6f58e5588ad656f0441a1
SHA1:	6dfce0ad42f9d4049d3ee01d3f626428fdfab928
SHA256:	1c15a59b56b5298f4b02671994f7d19a28dca5e4dbe176204385ee95ddae174b
Import Hash :	29c8b785823d6c11cf3aae5ebbb5f0e6
Sections 6	.text .rdata .data .bsp .rsrc .reloc
Directories 6	import export resource debug tls relocation
Virus Total:	35/71 VT report date: 2023-09-13 12:56:24

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://77.91.68.78/lend/cryptedBB.exe	77.91.68.78	2023-09-13 15:12:02

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x2967c	169984	150fd79635f2fcb1aef2b658f730c036b3e795f1	9110c9ee2bbca100a2f7fdc3f3f38399
.rdata	0x2b000	0xefa4	61440	e3ad3518daa59803d414185cd028acfd30ec310c	947122df64e19e7640a474183aec84dd
.data	0x3a000	0x2b10	7168	fefb6b70c80057e7f8b64544dd1869073489b200	ed3356dfdf856ccbae026cf6e70449f8
.bsp	0x3d000	0x36490	222720	8c1bf1a323995d3e46dabecd9cb3dc303d0698d9	84f554e552f068d959435e1f02e87aac
.rsrc	0x74000	0x1e0	512	7d530214e42990380ee62dd8472b14986e869190	feaa43704ad9535a5a7d034df50280d5
.reloc	0x75000	0x22f0	9216	b57e57b00951340d352041d0cc869352c0912658	01495ca0fc6e847b45e9d282bfa20579

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x74060	381	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_MANIFEST

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x74060

381

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Anti debug functions 6

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Library
api-ms-win-core-synch-l1-2-0.dll
mscoree.dll
KERNEL32.dll
USER32.dll
ole32.dll

Import functions

ole32.dll 2 KERNEL32.dll 97 USER32.dll 3

Function	Address	Souspicious	Anti Debug
CoGetApartmentType	0x42b198
CoGetObjectContext	0x42b19c

Function	Address	Souspicious	Anti Debug
CreateFileW	0x42b000
HeapSize	0x42b004
ReadConsoleW	0x42b008
SetStdHandle	0x42b00c
GetProcessHeap	0x42b010
GetLastError	0x42b014
RaiseException	0x42b018
GetCurrentThreadId	0x42b01c
IsProcessorFeaturePresent	0x42b020
FreeLibraryWhenCallbackReturns	0x42b024
CreateThreadpoolWork	0x42b028
SubmitThreadpoolWork	0x42b02c
CloseThreadpoolWork	0x42b030
GetModuleHandleExW	0x42b034
MultiByteToWideChar	0x42b038
InitializeConditionVariable	0x42b03c
WakeConditionVariable	0x42b040
WakeAllConditionVariable	0x42b044
SleepConditionVariableSRW	0x42b048
InitOnceComplete	0x42b04c
InitOnceBeginInitialize	0x42b050
GetStringTypeW	0x42b054
InitializeSRWLock	0x42b058
ReleaseSRWLockExclusive	0x42b05c
AcquireSRWLockExclusive	0x42b060
TryAcquireSRWLockExclusive	0x42b064
WideCharToMultiByte	0x42b068
CloseHandle	0x42b06c
WaitForSingleObjectEx	0x42b070
GetExitCodeThread	0x42b074
QueryPerformanceCounter	0x42b078
EnterCriticalSection	0x42b07c
LeaveCriticalSection	0x42b080
InitializeCriticalSectionEx	0x42b084
DeleteCriticalSection	0x42b088
EncodePointer	0x42b08c
DecodePointer	0x42b090
LCMapStringEx	0x42b094
GetSystemTimeAsFileTime	0x42b098
GetModuleHandleW	0x42b09c
GetProcAddress	0x42b0a0
WriteConsoleW	0x42b0a4
GetCPInfo	0x42b0a8
InitializeCriticalSectionAndSpinCount	0x42b0ac
SetEvent	0x42b0b0
ResetEvent	0x42b0b4
CreateEventW	0x42b0b8
UnhandledExceptionFilter	0x42b0bc
SetUnhandledExceptionFilter	0x42b0c0
GetCurrentProcess	0x42b0c4
TerminateProcess	0x42b0c8
IsDebuggerPresent	0x42b0cc
GetStartupInfoW	0x42b0d0
GetCurrentProcessId	0x42b0d4
InitializeSListHead	0x42b0d8
SetEnvironmentVariableW	0x42b0dc
RtlUnwind	0x42b0e0
SetLastError	0x42b0e4
TlsAlloc	0x42b0e8
TlsGetValue	0x42b0ec
TlsSetValue	0x42b0f0
TlsFree	0x42b0f4
FreeLibrary	0x42b0f8
LoadLibraryExW	0x42b0fc
CreateThread	0x42b100
ExitThread	0x42b104
FreeLibraryAndExitThread	0x42b108
ExitProcess	0x42b10c
GetModuleFileNameW	0x42b110
GetStdHandle	0x42b114
WriteFile	0x42b118
GetCommandLineA	0x42b11c
GetCommandLineW	0x42b120
HeapAlloc	0x42b124
HeapFree	0x42b128
CompareStringW	0x42b12c
LCMapStringW	0x42b130
GetLocaleInfoW	0x42b134
IsValidLocale	0x42b138
GetUserDefaultLCID	0x42b13c
EnumSystemLocalesW	0x42b140
GetFileType	0x42b144
GetFileSizeEx	0x42b148
SetFilePointerEx	0x42b14c
FlushFileBuffers	0x42b150
GetConsoleOutputCP	0x42b154
GetConsoleMode	0x42b158
ReadFile	0x42b15c
HeapReAlloc	0x42b160
FindClose	0x42b164
FindFirstFileExW	0x42b168
FindNextFileW	0x42b16c
IsValidCodePage	0x42b170
GetACP	0x42b174
GetOEMCP	0x42b178
GetEnvironmentStringsW	0x42b17c
FreeEnvironmentStringsW	0x42b180

Function	Address	Souspicious	Anti Debug
GetForegroundWindow	0x42b188
CreatePopupMenu	0x42b18c
FlashWindowEx	0x42b190

PE Exports 1 suspicious

Function	Address
_jbxjgbguyw3@4	0x405420

Name	Latest seen	MD5
fotod445.exe	2023-09-12 20:11:03	4f125016bafd01db0f30a335c199497c
vur.exe	2023-09-12 21:51:02	73a427553c9c3d8b5f5377630c5d9c61
foto5445.exe	2023-09-13 10:55:03	3ee86d1734ad1891b99c7fdeb5382960