HideProcess.rar

First submission 2024-10-14 23:39:03

File details

File type:	PE32+ executable (console) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	563.5 KB (577024 bytes)
Compile time:	2024-10-05 13:43:25
MD5:	41e61cb95f84406c83a0512557800a11
SHA1:	e20e0bb7e073204bc0db0f5ec6dfe9e07468943e
SHA256:	3b77275d167df06f11fc1faef1faf6b76dd4bb3cf161caec0c8fa520cbaf6bed
Import Hash :	daadb1d4525610d94c4189217e22d1f1
Sections 11	.textbss .text .rdata .data .pdata .idata .msvcjmc .tls .00cfg .rsrc .reloc
Directories 5	import resource debug tls relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	16/76 VT report date: 2024-10-09 10:49:20
Malware Type 1	trojan

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://45.141.26.180/HideProcess.rar	45.141.26.180	2024-10-14 23:39:03

PE Sections 5 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.textbss	0x1000	0x2fc97	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.text	0x31000	0x69083	430592	555c8e1164cccce974673638e3bcb750e86defbb	97c4291bbe2e92bab5055e79f65bf69c
.rdata	0x9b000	0x18cd9	101888	0da8ff1514960c1ebf024edb3e0b8d36b1b749b1	8222afcae4bda79dcb042a403eae82a1
.data	0xb4000	0xda0	1536	7bd95586b2c49e5f744aebc4b9ba4c56229ef753	1b2f7ddd49e67ee73dd37ac447a07d4a
.pdata	0xb5000	0x648c	26112	e411297f77a8e399757d9944e0b280586ac22121	10578cec2589e4ce70a1118b1c0726c7
.idata	0xbc000	0x212d	8704	66c49d46cb5a4a2ee91cc871498334d78f6b2d20	fee526402305cc28dac4feb0241a3fba
.msvcjmc	0xbf000	0x25a	1024	b567439cb63cbeca257d7bddb0dbbfcb81a713b7	eba413e4c0e8762f942936ba82b28021
.tls	0xc0000	0x309	1024	04a0b9fde89c71864acaf5e74689fe4c269bd7a8	c573bd7cea296a9c5d230ca6b5aee1a6
.00cfg	0xc1000	0x175	512	1301f3415541a48b1488dae10844f2f4b57c7445	92a905403092809229d47c705890e067
.rsrc	0xc2000	0x446	1536	499fa38c64bddd4c7679d8d6588f66b30e933a78	1987a105d20fc03ff78e4bb46690896c
.reloc	0xc3000	0xb09	3072	d901d8fbc510813b52f5a07bab920cbb2b3303ce	a7cbbea7c8b30dc4fcc8309986104753

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0xc2170	392	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='requireAdministrator' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_MANIFEST

LANG_ENGLISH

SUBLANG_ENGLISH_US

0xc2170

392

Packers detected 1

Microsoft Visual C++ 8.0

Anti debug functions 9

GetLastError
GetWindowThreadProcessId
IsDebuggerPresent
IsProcessorFeaturePresent
Process32First
Process32Next
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

Bochs & QEmu CPUID Trick

Strings analysis - File found

Text
C:\Windows\debug\path.txt
Library
api-ms-win-core-registry-l1-1-0.dll
ADVAPI32.dll
bin\amd64\MSPDB140.DLL
VCRUNTIME140D.dll
urlmon.dll
ntdll.dll
ole32.dll
USER32.dll
SHELL32.dll
MSVCP140D.dll
KERNEL32.dll
ucrtbased.dll
VCRUNTIME140_1D.dll

Strings analysis - Possible URLs found 2

http://phat-atc.site/ProcessHider.rar
http://phat-atc.site/phAtAntiCheat/1111.rar

Import functions

ucrtbased.dll 45 MSVCP140D.dll 4 urlmon.dll 1 ADVAPI32.dll 16 KERNEL32.dll 58 VCRUNTIME140_1D.dll 1 SHELL32.dll 1 ole32.dll 3 VCRUNTIME140D.dll 15 USER32.dll 6

Function	Address	Souspicious	Anti Debug
_seh_filter_exe	0x1400bc690
_set_app_type	0x1400bc698
__setusermatherr	0x1400bc6a0
_get_initial_narrow_environment	0x1400bc6a8
_initterm	0x1400bc6b0
_initterm_e	0x1400bc6b8
exit	0x1400bc6c0
_exit	0x1400bc6c8
_set_fmode	0x1400bc6d0
__p___argc	0x1400bc6d8
__p___argv	0x1400bc6e0
_c_exit	0x1400bc6e8
_register_thread_local_exe_atexit_callback	0x1400bc6f0
_configthreadlocale	0x1400bc6f8
_set_new_mode	0x1400bc700
__p__commode	0x1400bc708
_free_dbg	0x1400bc710
terminate	0x1400bc718
_CrtDbgReportW	0x1400bc720
strcat_s	0x1400bc728
_wmakepath_s	0x1400bc730
_wsplitpath_s	0x1400bc738
wcscpy_s	0x1400bc740
_cexit	0x1400bc748
_initialize_narrow_environment	0x1400bc750
_configure_narrow_argv	0x1400bc758
_seh_filter_dll	0x1400bc760
_callnewh	0x1400bc768
__stdio_common_vsprintf_s	0x1400bc770
remove	0x1400bc778
fopen	0x1400bc780
fclose	0x1400bc788
_CrtDbgReport	0x1400bc790
malloc	0x1400bc798
free	0x1400bc7a0
strncmp	0x1400bc7a8
strlen	0x1400bc7b0
tolower	0x1400bc7b8
_invalid_parameter	0x1400bc7c0
_crt_at_quick_exit	0x1400bc7c8
_crt_atexit	0x1400bc7d0
_execute_onexit_table	0x1400bc7d8
_register_onexit_function	0x1400bc7e0
strcpy_s	0x1400bc7e8
_initialize_onexit_table	0x1400bc7f0

Function	Address	Souspicious	Anti Debug
??1_Lockit@std@@QEAA@XZ	0x1400bc370
?_Xlength_error@std@@YAXPEBD@Z	0x1400bc378
?_Xout_of_range@std@@YAXPEBD@Z	0x1400bc380
??0_Lockit@std@@QEAA@H@Z	0x1400bc388

Function	Address	Souspicious	Anti Debug
URLDownloadToFileA	0x1400bc898

Function	Address	Souspicious	Anti Debug
SetKernelObjectSecurity	0x1400bc000
BuildExplicitAccessWithNameA	0x1400bc008
SetSecurityInfo	0x1400bc010
SetEntriesInAclA	0x1400bc018
ConvertStringSecurityDescriptorToSecurityDescriptorA	0x1400bc020
RegSetValueExA	0x1400bc028
RegOpenKeyExA	0x1400bc030
RegDeleteValueA	0x1400bc038
RegCreateKeyExA	0x1400bc040
RegCloseKey	0x1400bc048
LookupPrivilegeValueA	0x1400bc050
SetFileSecurityA	0x1400bc058
InitializeSecurityDescriptor	0x1400bc060
InitializeAcl	0x1400bc068
AdjustTokenPrivileges	0x1400bc070
OpenProcessToken	0x1400bc078

Function	Address	Souspicious	Anti Debug
OpenProcess	0x1400bc0f0
VirtualAllocEx	0x1400bc0f8
WriteProcessMemory	0x1400bc100
MapViewOfFile	0x1400bc108
VirtualFreeEx	0x1400bc110
GetModuleFileNameA	0x1400bc118
GetModuleHandleA	0x1400bc120
GetProcAddress	0x1400bc128
LoadLibraryA	0x1400bc130
LocalFree	0x1400bc138
lstrcmpA	0x1400bc140
CreateFileMappingA	0x1400bc148
GetLogicalDriveStringsA	0x1400bc150
QueryDosDeviceA	0x1400bc158
MultiByteToWideChar	0x1400bc160
CreateRemoteThread	0x1400bc168
SetConsoleTitleA	0x1400bc170
CreateToolhelp32Snapshot	0x1400bc178
Process32First	0x1400bc180
Process32Next	0x1400bc188
K32EnumProcesses	0x1400bc190
K32GetModuleFileNameExA	0x1400bc198
K32GetProcessImageFileNameA	0x1400bc1a0
UnhandledExceptionFilter	0x1400bc1a8
SetUnhandledExceptionFilter	0x1400bc1b0
IsProcessorFeaturePresent	0x1400bc1b8
ReleaseSRWLockExclusive	0x1400bc1c0
AcquireSRWLockExclusive	0x1400bc1c8
WakeAllConditionVariable	0x1400bc1d0
SleepConditionVariableSRW	0x1400bc1d8
GetCurrentThreadId	0x1400bc1e0
CreateThread	0x1400bc1e8
TerminateProcess	0x1400bc1f0
ExitProcess	0x1400bc1f8
GetCurrentProcessId	0x1400bc200
FreeLibrary	0x1400bc208
GetCurrentProcess	0x1400bc210
Sleep	0x1400bc218
WaitForSingleObject	0x1400bc220
GetLastError	0x1400bc228
CloseHandle	0x1400bc230
SetFileAttributesA	0x1400bc238
RtlVirtualUnwind	0x1400bc240
RtlLookupFunctionEntry	0x1400bc248
HeapFree	0x1400bc250
GetProcessHeap	0x1400bc258
VirtualQuery	0x1400bc260
FreeConsole	0x1400bc268
IsDebuggerPresent	0x1400bc270
GetStartupInfoW	0x1400bc278
GetModuleHandleW	0x1400bc280
RaiseException	0x1400bc288
WideCharToMultiByte	0x1400bc290
HeapAlloc	0x1400bc298
InitializeSListHead	0x1400bc2a0
QueryPerformanceCounter	0x1400bc2a8
GetSystemTimeAsFileTime	0x1400bc2b0
RtlCaptureContext	0x1400bc2b8

Function	Address	Souspicious	Anti Debug
__CxxFrameHandler4	0x1400bc5c0

Function	Address	Souspicious	Anti Debug
SHGetFolderPathA	0x1400bc3e8

Function	Address	Souspicious	Anti Debug
CoInitialize	0x1400bc620
CoCreateInstance	0x1400bc628
CoUninitialize	0x1400bc630

Function	Address	Souspicious	Anti Debug
memcmp	0x1400bc4d8
memchr	0x1400bc4e0
__current_exception_context	0x1400bc4e8
__std_exception_copy	0x1400bc4f0
__C_specific_handler	0x1400bc4f8
__vcrt_LoadLibraryExW	0x1400bc500
__vcrt_GetModuleHandleW	0x1400bc508
__vcrt_GetModuleFileNameW	0x1400bc510
__std_type_info_destroy_list	0x1400bc518
_CxxThrowException	0x1400bc520
__C_specific_handler_noexcept	0x1400bc528
memmove	0x1400bc530
__std_exception_destroy	0x1400bc538
__current_exception	0x1400bc540
memcpy	0x1400bc548

Function	Address	Souspicious	Anti Debug
GetWindowTextA	0x1400bc448
GetClassNameA	0x1400bc450
GetWindowThreadProcessId	0x1400bc458
SetWinEventHook	0x1400bc460
GetWindowInfo	0x1400bc468
EnumWindows	0x1400bc470