DigitalSide Threat Intel

update.exe

First submission 2022-08-03 10:19:02

File details

File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
File type: 421.0 KB (431104 bytes)
Compile time: 2022-07-08 15:55:12
MD5: 459b0bdd45947e5861ce2d876c3c4033
SHA1: cce9113d8a8b515bfb7d83acf7b1996994144a33
SHA256: a2d546749333d57f7370f528e63ab3b688f72b2b33fb33bdbcab494efc766bd1
Import Hash : e90de0c769aaf7f6d42e62efc3778812
Sections 10 .text .data .rdata .pdata .xdata .bss .idata .CRT .tls .rsrc
Directories 3 import resource tls
Virus Total: 20/71 VT report date: 2022-08-03 07:27:04

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 2

URL Host (FQDN/IP) Date Added
hXXp://146.70.24.168/load/update.exe VirusTotal Report 146.70.24.168 VirusTotal Report 2022-08-03 10:19:02
hXXps://dexpsystem.com/load/update.exe VirusTotal Report dexpsystem.com VirusTotal Report 2022-08-03 10:45:08

PE Sections 3 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x1e88 8192 bd7de3dee69e8fabbd5b1cdcc262f3de414afede 115a08200e1cd9bf5b0768f852cd2a5b
.data 0x3000 0x64b50 412672 118b62fa7859c9be29a780e65ff3740b54e33cb8 6866c1b033fa149125150dd4cf437470
.rdata 0x68000 0x8f0 2560 47f84e0c1fa15b56bccbf93956efc3f40c658e29 9e9fe20422ec42867cab6badf851f1d6
.pdata 0x69000 0x288 1024 51c6222fb9c5650c45eda1dc6b37788e8cbce656 7e23b2498215ee4bdf8fc0ee29556da9
.xdata 0x6a000 0x210 1024 afe9655936cf39aa695bc72abd21266185a208ec 636985a75400aa413ab5c3db52d2e6f5
.bss 0x6b000 0x980 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.idata 0x6c000 0x824 2560 590d396a094f59dd8412f24cd6dd8a696fc717af 6d48c2726c850b075741aef1f17ff7a4
.CRT 0x6d000 0x68 512 fda47ae799db11c42cb182a970a1d8efa857497d bc664edb9eee3bd9eecad0e585781d7e
.tls 0x6e000 0x10 512 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 bf619eac0cdf3f68d496ea9344137e8b
.rsrc 0x6f000 0x3e8 1024 6c30e9d953a117ec0209fd959efd2efa40c2e900 f3b766383496941225450ffa32dce6c8

PE Resources 1

Name Language Sublanguage Offset Size Data
RT_VERSION LANG_ENGLISH SUBLANG_ENGLISH_US 0x6f058 908

Meta infos 9

FileDescription: Windows Explorer
LegalCopyright: \xa9 Microsoft Corporation. All rights reserved.
Translation: 0x0409 0x04f2
InternalName: explorer
ProductName: Microsoft\xae Windows\xae Operating System
CompanyName: Microsoft Corporation
FileVersion: 10.0.19041.1266 (WinBuild.160101.0800)
OriginalFilename: EXPLORER.EXE
ProductVersion: 10.0.19041.1266

Packers detected 1

Microsoft Visual C++ 8.0 (DLL)

Anti debug functions 3

GetLastError
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Library
MSVCRT.dll
KERNEL32.dll

Import functions

Function Address Souspicious Anti Debug
__C_specific_handler 0x46c2ec
__getmainargs 0x46c2f4
__initenv 0x46c2fc
__iob_func 0x46c304
__lconv_init 0x46c30c
__set_app_type 0x46c314
__setusermatherr 0x46c31c
_acmdln 0x46c324
_amsg_exit 0x46c32c
_cexit 0x46c334
_fmode 0x46c33c
_initterm 0x46c344
_onexit 0x46c34c
abort 0x46c354
calloc 0x46c35c
exit 0x46c364
fprintf 0x46c36c
free 0x46c374
fwrite 0x46c37c
malloc 0x46c384
memcpy 0x46c38c
signal 0x46c394
strlen 0x46c39c
strncmp 0x46c3a4
vfprintf 0x46c3ac
Function Address Souspicious Anti Debug
CreateThread 0x46c1fc
DeleteCriticalSection 0x46c204
EnterCriticalSection 0x46c20c
GetCurrentProcess 0x46c214
GetCurrentProcessId 0x46c21c
GetCurrentThreadId 0x46c224
GetLastError 0x46c22c
GetModuleHandleA 0x46c234
GetProcAddress 0x46c23c
GetStartupInfoA 0x46c244
GetSystemTimeAsFileTime 0x46c24c
GetTickCount 0x46c254
HeapAlloc 0x46c25c
HeapCreate 0x46c264
HeapReAlloc 0x46c26c
InitializeCriticalSection 0x46c274
LeaveCriticalSection 0x46c27c
QueryPerformanceCounter 0x46c284
RtlAddFunctionTable 0x46c28c
RtlCaptureContext 0x46c294
RtlLookupFunctionEntry 0x46c29c
RtlVirtualUnwind 0x46c2a4
SetUnhandledExceptionFilter 0x46c2ac
Sleep 0x46c2b4
TerminateProcess 0x46c2bc
TlsGetValue 0x46c2c4
UnhandledExceptionFilter 0x46c2cc
VirtualProtect 0x46c2d4
VirtualQuery 0x46c2dc