DigitalSide Threat Intel

iWGTR.exe

First submission 2022-07-11 10:29:02

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
File type: 440.0 KB (450560 bytes)
Compile time: 2022-07-10 23:34:43
MD5: 441e8511c4bd646d55c6001a99057c8d
SHA1: 25d14c05535d580bf13a2dcc48bf63eda296ea14
SHA256: 658142bdeec19fb3ff0556a38a592458b7f005f69d11a39c34d67fd9efe6222c
Import Hash : df8fbcbe90e1e305a660f0ac2aa4fae4
Sections 3 .text .data .rsrc
Directories 2 import resource
Virus Total: 54/71 VT report date: 2022-08-02 18:54:57

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 9

URL Host (FQDN/IP) Date Added
hXXp://srv43923540.ultasrv.com/oFNTE.exe VirusTotal Report srv43923540.ultasrv.com VirusTotal Report 2022-07-11 10:29:02
hXXp://srv43923540.ultasrv.com/EmMGF.exe VirusTotal Report srv43923540.ultasrv.com VirusTotal Report 2022-07-12 09:22:06
hXXp://102.37.220.234/htdocs/yHYWC.exe VirusTotal Report 102.37.220.234 VirusTotal Report 2022-07-21 13:34:08
hXXp://102.37.220.234/htdocs/BgNDT.exe VirusTotal Report 102.37.220.234 VirusTotal Report 2022-07-22 13:21:08
hXXp://102.37.220.234/htdocs/mZWED.exe VirusTotal Report 102.37.220.234 VirusTotal Report 2022-07-26 18:31:10
hXXp://102.37.220.234/htdocs/oKSCQ.exe VirusTotal Report 102.37.220.234 VirusTotal Report 2022-07-26 21:42:07
hXXp://109.206.241.81/htdocs/zWQXY.exe VirusTotal Report 109.206.241.81 VirusTotal Report 2022-08-02 19:49:09
hXXp://109.206.241.81/htdocs/gWRDK.exe VirusTotal Report 109.206.241.81 VirusTotal Report 2022-08-02 20:10:09
hXXp://109.206.241.81/htdocs/iWGTR.exe VirusTotal Report 109.206.241.81 VirusTotal Report 2022-08-02 21:01:07

PE Sections 1 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x6a29c 438272 6cf72132cbbcfd3522428339bc9fa779140aa2e6 1c65f5af24b32d8c80e2922313afb580
.data 0x6c000 0xbd8 4096 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x6d000 0xa0c 4096 e2e260a6832718af0b8ab390e5a45b056a55a146 2df7dffa0e17a0b5313897211532dcc4

PE Resources 3

Name Language Sublanguage Offset Size Data
RT_ICON LANG_NEUTRAL SUBLANG_NEUTRAL 0x6d4cc 296
RT_GROUP_ICON LANG_NEUTRAL SUBLANG_NEUTRAL 0x6d49c 48
RT_VERSION LANG_ENGLISH SUBLANG_ENGLISH_US 0x6d150 844

Meta infos 11

FileDescription: bolbanac
OriginalFilename: DL_NATIVE_BOTNET00933.exe
LegalCopyright: fishers 2684
Translation: 0x0409 0x04b0
InternalName: DL_NATIVE_BOTNET00933
Comments: flybelt
LegalTrademarks: cuspated
FileVersion: 4.06.0005
ProductName: cusparia
ProductVersion: 4.06.0005
CompanyName: fireblende grasper

Packers detected 2

Microsoft Visual Basic v5.0
Microsoft Visual Basic v5.0 - v6.0

Strings analysis - File found

Autogen
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Library
SHELL32.dll
MSVBVM60.DLL
KERNEL32.dll
VBA6.DLL

Strings analysis - Possible URLs found 1

https://api.telegram.org/bot

Import functions

Function Address Souspicious Anti Debug
_CIcos 0x401000
_adj_fptan 0x401004
__vbaVarMove 0x401008
__vbaVarVargNofree 0x40100c
__vbaFreeVar 0x401010
__vbaAryMove 0x401014
__vbaStrVarMove 0x401018
__vbaLenBstr 0x40101c
__vbaEnd 0x401020
__vbaFreeVarList 0x401024
_adj_fdiv_m64 0x401028
__vbaFreeObjList 0x40102c
None 0x401030
_adj_fprem1 0x401034
__vbaRecAnsiToUni 0x401038
__vbaStrCat 0x40103c
None 0x401040
__vbaRecDestruct 0x401044
__vbaSetSystemError 0x401048
__vbaLenBstrB 0x40104c
__vbaHresultCheckObj 0x401050
_adj_fdiv_m32 0x401054
None 0x401058
None 0x40105c
__vbaAryDestruct 0x401060
None 0x401064
__vbaExitProc 0x401068
__vbaForEachCollObj 0x40106c
None 0x401070
__vbaOnError 0x401074
__vbaObjSet 0x401078
_adj_fdiv_m16i 0x40107c
__vbaObjSetAddref 0x401080
_adj_fdivr_m16i 0x401084
_CIsin 0x401088
None 0x40108c
None 0x401090
None 0x401094
None 0x401098
__vbaNextEachCollObj 0x40109c
__vbaVarZero 0x4010a0
__vbaChkstk 0x4010a4
__vbaFileClose 0x4010a8
EVENT_SINK_AddRef 0x4010ac
__vbaGenerateBoundsError 0x4010b0
__vbaStrCmp 0x4010b4
None 0x4010b8
__vbaAryConstruct2 0x4010bc
__vbaVarTstEq 0x4010c0
__vbaI2I4 0x4010c4
__vbaObjVar 0x4010c8
DllFunctionCall 0x4010cc
__vbaVarLateMemSt 0x4010d0
__vbaFpUI1 0x4010d4
__vbaLbound 0x4010d8
__vbaRedimPreserve 0x4010dc
_adj_fpatan 0x4010e0
__vbaRedim 0x4010e4
__vbaRecUniToAnsi 0x4010e8
EVENT_SINK_Release 0x4010ec
__vbaNew 0x4010f0
__vbaUI1I2 0x4010f4
_CIsqrt 0x4010f8
EVENT_SINK_QueryInterface 0x4010fc
__vbaStr2Vec 0x401100
__vbaUI1I4 0x401104
__vbaExceptHandler 0x401108
__vbaPrintFile 0x40110c
__vbaStrToUnicode 0x401110
None 0x401114
None 0x401118
_adj_fprem 0x40111c
_adj_fdivr_m64 0x401120
None 0x401124
None 0x401128
None 0x40112c
__vbaFPException 0x401130
None 0x401134
None 0x401138
__vbaStrVarVal 0x40113c
__vbaUbound 0x401140
__vbaGetOwner3 0x401144
__vbaVarCat 0x401148
None 0x40114c
None 0x401150
None 0x401154
_CIlog 0x401158
__vbaErrorOverflow 0x40115c
__vbaFileOpen 0x401160
__vbaVarLateMemCallLdRf 0x401164
__vbaNew2 0x401168
__vbaInStr 0x40116c
None 0x401170
None 0x401174
__vbaVar2Vec 0x401178
_adj_fdiv_m32i 0x40117c
_adj_fdivr_m32i 0x401180
None 0x401184
__vbaStrCopy 0x401188
__vbaFreeStrList 0x40118c
__vbaDerefAry1 0x401190
_adj_fdivr_m32 0x401194
__vbaPowerR8 0x401198
_adj_fdiv_r 0x40119c
None 0x4011a0
None 0x4011a4
None 0x4011a8
__vbaVarSetVar 0x4011ac
__vbaAryLock 0x4011b0
__vbaLateMemCall 0x4011b4
__vbaVarAdd 0x4011b8
__vbaStrToAnsi 0x4011bc
__vbaVarDup 0x4011c0
__vbaVarCopy 0x4011c4
None 0x4011c8
__vbaFpI4 0x4011cc
__vbaVarLateMemCallLd 0x4011d0
__vbaRecDestructAnsi 0x4011d4
__vbaLateMemCallLd 0x4011d8
_CIatan 0x4011dc
None 0x4011e0
__vbaStrMove 0x4011e4
__vbaCastObj 0x4011e8
__vbaR8IntI4 0x4011ec
__vbaStrVarCopy 0x4011f0
_allmul 0x4011f4
_CItan 0x4011f8
None 0x4011fc
__vbaAryUnlock 0x401200
_CIexp 0x401204
None 0x401208
__vbaI4ErrVar 0x40120c
__vbaFreeObj 0x401210
__vbaFreeStr 0x401214
None 0x401218

Related files by ImpHash 2 df8fbcbe90e1e305a660f0ac2aa4fae4

Name Latest seen MD5
dZDPM.exe 2022-07-26 18:33:02 cbe965aab3f57da4ceda5886e90db6b4
wWLNq.exe 2022-07-26 20:48:03 50de304cffc8136ad4710f12411bb8b9