VuABIWibuasdawdhuo_1.exe?ex=670e657e&is=670d13fe&hm=a86b15137dc92a14377324dd8e1458b9c278bc9e200c874be0e592b18df05cbc&

First submission 2024-10-14 16:49:03

File details

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	5829.02 KB (5968912 bytes)
Compile time:	2024-06-26 17:34:47
MD5:	42e6b54b1dc59aeb584b6edfca7654d8
SHA1:	4979cad39dd26d2d21e9e70ffd657efcf557ca09
SHA256:	02bbbb627d4be78cd7c0961aa3051362fcc3c55eb7e30ec25cb4095615d18304
Import Hash :	b41b00fa2f22a1de8d5edd73faeeb113
Sections 12	.idata .tls .rsrc .themida .boot .reloc
Directories 4	import resource tls relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	43/79 VT report date: 2024-10-11 18:37:07
Malware Type 1	trojan
Threat Type 1	themida

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXps://cdn.discordapp.com/attachments/1292106251345596556/1295368572939272213/VuABIWibuasdawdhuo_1.exe?ex=670e657e&is=670d13fe&hm=a86b15137dc92a14377324dd8e1458b9c278bc9e200c874be0e592b18df05cbc&	cdn.discordapp.com	2024-10-14 16:49:03

PE Sections 9 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
	0x1000	0x12064c	564224	e1dfd408d3ca7913c5588de9a44a8aaeaddcf4dc	ac081e57b2342dafe532b206ff07d4c7
	0x122000	0x42db8	138240	368b1a96cab366e4d49312634a8f1e3028d0d42c	8047bc2b16bc53739c9a565405199ea7
	0x165000	0x117f8	27648	7f1495a0a5e8f885eb7bb77370a597562b5bf51b	e2631d556b1fcabe10320d84bc214d41
	0x177000	0xa860	25088	6ac69c120ef8c427837406a81408aa84c27fd501	68f47ea7f558acf4afa400f7ddde936c
	0x182000	0x2458	3584	a6b7c601c2baf2ac6979c1d8d8bacb8fa0b2753c	e1a79e544e9147bf411acec3d14ecbee
	0x185000	0x920	1536	7e673093cf8bac8f53a96d7f7e9590ea4bfa983a	f4d0f05d7fd9e104629b4dc21520db8f
.idata	0x186000	0x1000	2560	957b05cfea241391815b045210f20e8095fd9c67	1635176bfdc07bf3613a1938de496b0c
.tls	0x187000	0x1000	512	4844379e9e7d06d9dc2bb67d2f164a0cb91af249	523d1a7fe6c8bac9fe0a2c0c1d9086c7
.rsrc	0x188000	0x1400	5120	69112e6178eebb3765dfbb12b77ac12d3fd156da	4631193c6190a8e5e3dff891d69254bb
.themida	0x18a000	0x76c000	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.boot	0x8f6000	0x4f5400	5198848	24d44e34b3e8b0f8923f36cdfdd2fb02236f7501	18b3ee36373d37d6790ce73f5747bfe1
.reloc	0xdec000	0x1000	16	408c443e3e80572cfc2862aa1290a8f03fd06d07	41528054d9fae58b46a462cd05e03629

PE Resources 3

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x1880c8	4264	PE Resource: RT_ICON - Data ( @ +."@K!H I I I I I I H I H G J I I I I I I I I I H L"H I I I I I I I I I H -N#H I I I I I I I I I J BGGI!J!I I I I H I M!2 ($ )+ 7tR\:M 'FGI I I I K G# % " "! ,& -.1% $@>`OqTiIS /I J!J I: ))&+((' # 3+! 302+ + .- 8RHoVN'EF E $ 2+)1.-,& " ! 74 $;.) ! 4 7 50XNcBI?K,AV2@U17G04D4,61,3 231,()&D.9'B$#FA'3 9 9724?saBg6Il;Ko<Mr=Ns<Ns<Hi8/;3 56 3 64 --'X). <.=-SM(7= <7AOBPq>Ij9Kl;Jl;Jl;Jl;Jl;Ln=Nu<?Z64::6.-)# 8<-// 5!C :(?A;_n_jVFh8Km<Ik:Hi9Fg8Ff8Ee7Cc6Hd;Pq=Fd78> 7 22.!:# 9) $'-0-(9 -SaRqGi9Ik;Ee7Dd6Ce6Ff8Gg9Hh:Eh7RfBNf?Mt<!.!((<94]/(O-"I$B"H#H'!C% 5@OC\|iYFh7Km<Ik:Km<Km;Km;Kn<Km<Ln<Ik:Jk:Jj;Dd4#&2=9442$9aD3qB2nB3nB1nB0k&G&+6A]6XyGyfUFh7Km<Ik:Jl:Mm<Jj:Hh9Hj:Fg7Lp?Io=Df7Gj8C\:6%Y9(^7'\6&\4$Z0#S6([?-h"=-!KB0i=,c2Ed6Fh5XxHzjYFh7Ko?OoALk=Gh7Jk;Ij:Ed6Ii;?N&TX6]tJ:W0Ef425=3Y2$W1#W2#WNO!QIL%S R7ACJm7@`3jZ\|o^Kj:>@OF&{t\Fh6Mn=Ce6UmCcVE+`Ge:Bc3?S:0U2$W0!U1"VXWX!ZTQ J<S;Fh5Ih;rzuetwVL=2iDg6Lm<Jk:Ll<enV4'b`I5J/Hi8Fe8/%N/V1"S1 QHILLGD>Ea;Ba2oct]xepfxSfaR#XV?Kg=Il9Ll;Ll;Km;Ad1AW2Ed7$#?[233F,R/O0P .0 2. 2<9?\2dUn]>[Y0}Ef87S(>U.Bf6Fh8Hh9Jk:Jk:Kl;B_4-A$,A .0.$H(E."J-N-M,M ( ( # #-^}Kzl"$f@G2i~UUrG+',,=#?Y1Hh9Jk:Jk:Fe7/B$:S.:<,H.P+L,K+I+J 033 15A.$Mwn/,GO:`>R[:cUCc2/C%<U0Kk;Lm;Ik:Km;Km;Mp=PuB@T)G2 0 <'HF(D'C'C9 5C)W$O B!B!@? E1kGJ<HY2Jo=RxBOq=Jl:Ko=Jn=Hh9Gb5=U,18L7 fD5%C%>$=$<#<42 ;@B=; 3 . &3&V@ \>G1@BC\1Ef8Hg8D]0:@4751@2 V9[@7(!6$<#:"9!8!7+ , / . / 1312- 4) B4 `Cd?`@L=>6A0E1M6_?mHR= 3(345432&$""%%$(( .2 -$</H7 P;Z=eB`B[@X>Z? F4 7+#&2/0/... !#&'(& %2' ?3G7B39-://%! .+-+ + '$ ! & + )' '&%$ #$ ") +, )(%%&%$ " ! ! " ! ! " " " # " ! """"#" ((())(%$#!!##!"!
RT_GROUP_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x189180	20
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x1891a4	392	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='requireAdministrator' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_ICON

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x1880c8

4264

RT_GROUP_ICON

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x189180

RT_MANIFEST

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x1891a4

392

Strings analysis - File found

Library
ADVAPI32.dll
api-ms-win-crt-multibyte-l1-1-0.dll
SHELL32.dll
dwmapi.dll
VCRUNTIME140_1.dll
USER32.dll
api-ms-win-crt-convert-l1-1-0.dll
d3d11.dll
api-ms-win-crt-filesystem-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-utility-l1-1-0.dll
vcruntime140.dll
ntdll.dll
api-ms-win-crt-locale-l1-1-0.dll
bcrypt.dll
SHLWAPI.dll
WS2_32.dll
api-ms-win-crt-string-l1-1-0.dll
GDI32.dll
api-ms-win-crt-time-l1-1-0.dll
USERENV.dll
api-ms-win-crt-heap-l1-1-0.dll
KERNEL32.dll
api-ms-win-crt-stdio-l1-1-0.dll
IMM32.dll
D3DCompiler_43.dll
ole32.dll
Crypt32.dll
api-ms-win-crt-runtime-l1-1-0.dll
msvcp140.dll
gdiplus.dll

Import functions

gdiplus.dll 1 MSVCP140.dll 1 api-ms-win-crt-convert-l1-1-0.dll 1 kernel32.dll 1 dwmapi.dll 1 ntdll.dll 1 api-ms-win-crt-locale-l1-1-0.dll 1 api-ms-win-crt-filesystem-l1-1-0.dll 1 bcrypt.dll 1 api-ms-win-crt-math-l1-1-0.dll 1 api-ms-win-crt-multibyte-l1-1-0.dll 1 api-ms-win-crt-utility-l1-1-0.dll 1 VCRUNTIME140.dll 1 ole32.dll 1 SHLWAPI.dll 1 USER32.dll 1 IMM32.dll 1 D3DCOMPILER_43.dll 1 api-ms-win-crt-string-l1-1-0.dll 1 VCRUNTIME140_1.dll 1 api-ms-win-crt-runtime-l1-1-0.dll 1 d3d11.dll 1 CRYPT32.dll 1 SHELL32.dll 1 api-ms-win-crt-stdio-l1-1-0.dll 1 USERENV.dll 1 api-ms-win-crt-time-l1-1-0.dll 1 api-ms-win-crt-heap-l1-1-0.dll 1 GDI32.dll 1 ADVAPI32.dll 1 WS2_32.dll 1

Function	Address	Souspicious	Anti Debug
GdipCreateBitmapFromHBITMAP	0x1401867b8

Function	Address	Souspicious	Anti Debug
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ	0x140186788

Function	Address	Souspicious	Anti Debug
atoll	0x140186878

Function	Address	Souspicious	Anti Debug
GetModuleHandleA	0x140186728

Function	Address	Souspicious	Anti Debug
DwmExtendFrameIntoClientArea	0x1401868c8

Function	Address	Souspicious	Anti Debug
RtlCaptureContext	0x1401867a8

Function	Address	Souspicious	Anti Debug
_configthreadlocale	0x140186898

Function	Address	Souspicious	Anti Debug
_unlink	0x140186828

Function	Address	Souspicious	Anti Debug
BCryptGenRandom	0x1401868e8

Function	Address	Souspicious	Anti Debug
_dsign	0x140186848

Function	Address	Souspicious	Anti Debug
_mbsicmp	0x1401868a8

Function	Address	Souspicious	Anti Debug
qsort	0x140186858

Function	Address	Souspicious	Anti Debug
_CxxThrowException	0x1401867e8

Function	Address	Souspicious	Anti Debug
CoCreateInstance	0x140186778

Function	Address	Souspicious	Anti Debug
None	0x140186798

Function	Address	Souspicious	Anti Debug
SetWindowTextW	0x140186738

Function	Address	Souspicious	Anti Debug
ImmReleaseContext	0x1401868b8

Function	Address	Souspicious	Anti Debug
D3DCompile	0x1401868d8

Function	Address	Souspicious	Anti Debug
_strdup	0x140186838

Function	Address	Souspicious	Anti Debug
__CxxFrameHandler4	0x1401867f8

Function	Address	Souspicious	Anti Debug
_register_onexit_function	0x140186808

Function	Address	Souspicious	Anti Debug
D3D11CreateDeviceAndSwapChain	0x1401867c8

Function	Address	Souspicious	Anti Debug
CertEnumCertificatesInStore	0x140186908

Function	Address	Souspicious	Anti Debug
ShellExecuteA	0x140186768

Function	Address	Souspicious	Anti Debug
_set_fmode	0x140186818

Function	Address	Souspicious	Anti Debug
UnloadUserProfile	0x1401867d8

Function	Address	Souspicious	Anti Debug
_mktime64	0x140186888

Function	Address	Souspicious	Anti Debug
_recalloc	0x140186868

Function	Address	Souspicious	Anti Debug
SelectObject	0x140186748

Function	Address	Souspicious	Anti Debug
CryptReleaseContext	0x140186758

Function	Address	Souspicious	Anti Debug
setsockopt	0x1401868f8