antispy.exe

First submission 2024-10-17 17:06:02

File details

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	88.5 KB (90624 bytes)
Compile time:	2015-06-15 18:07:53
MD5:	463c0ff29190fa0b4b16dbd64ae5a82c
SHA1:	b92d6c4a078304b775f5e81851b5e632c5fb0248
SHA256:	763cf9acd8564b1520ee3365aecabe1a7a013e5bbcf4e9164333cc27e2dfaa8a
Import Hash :	e2795133a833f0c3eaa0391d9efd5c1e
Sections 6	.code .text .pdata .rdata .data .rsrc
Directories 2	import resource

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	43/73 VT report date: 2024-10-17 16:46:49

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://www.system-corporation.com/prg/1064/sys/antispy.exe	www.system-corporation.com	2024-10-17 17:06:02

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.code	0x1000	0x3274	13312	00763bbdf995046a68f3af09db69b59c9eda629b	d6a89afb689eb8a4273f30661414e3cd
.text	0x5000	0xa57e	42496	a87d32e45013b18381dd7c8b151aa03910e2557a	6ecd8735bad06efe10d2ccdd9e3fb8d9
.pdata	0x10000	0xa44	3072	5422b3f11eda395a9b2c65b53c58601156ac2632	13bce504fac2a88314adabd2aac2dfca
.rdata	0x11000	0x13cd	5120	ffc74862579ad1fb2a5c94348ad5025e531f5168	e6159147b37bc3e968587cd50c2eceb2
.data	0x13000	0x23c8	6656	b39aa48cf7e88b1c67154389080a3e2e197b56a8	ef133200616243da8a7e2a8fd945d17a
.rsrc	0x16000	0x4910	18944	35d2632ea9f8a31d2d0786921e60ea7039570fc7	29302ac45bcffc04443d707a09ff350a

PE Resources 2

Name	Language	Sublanguage	Offset	Size	Data
RT_RCDATA	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x1a6a0	6
RT_MANIFEST	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x1a6a8	615	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="amd64" name="CompanyName.ProductName.YourApp" type="win32" /> <description></description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="amd64" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_RCDATA

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x1a6a0

RT_MANIFEST

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x1a6a8

615

Packers detected 1

Microsoft Visual C++ 8.0 (DLL)

Anti debug functions 2

GetWindowThreadProcessId
TerminateProcess

Strings analysis - File found

Library
KERNEL32.dll
SHLWAPI.dll
WINMM.dll
ole32.dll
MSIMG32.dll
USER32.dll
SHELL32.dll
COMCTL32.dll
UxTheme.dll
GDI32.dll
MSVCRT.dll

Strings analysis - Possible IPs found 1

127.0.0.1

Import functions

WINMM.DLL 1 GDI32.DLL 16 KERNEL32.dll 48 msvcrt.dll 18 SHELL32.DLL 1 OLE32.DLL 3 SHLWAPI.DLL 4 USER32.DLL 60 COMCTL32.DLL 1

Function	Address	Souspicious	Anti Debug
timeBeginPeriod	0x140013bc4

Function	Address	Souspicious	Anti Debug
GetStockObject	0x140013de4
SelectObject	0x140013dec
SetTextColor	0x140013df4
SetBkColor	0x140013dfc
GetTextExtentPoint32A	0x140013e04
CreateSolidBrush	0x140013e0c
DeleteObject	0x140013e14
GetObjectA	0x140013e1c
CreateCompatibleDC	0x140013e24
GetDIBits	0x140013e2c
DeleteDC	0x140013e34
GetObjectType	0x140013e3c
CreateDIBSection	0x140013e44
BitBlt	0x140013e4c
CreateBitmap	0x140013e54
SetPixel	0x140013e5c

Function	Address	Souspicious	Anti Debug
GetModuleHandleA	0x140013a0c
HeapCreate	0x140013a14
GetCommandLineA	0x140013a1c
RemoveDirectoryA	0x140013a24
GetTempFileNameA	0x140013a2c
GetShortPathNameA	0x140013a34
HeapDestroy	0x140013a3c
ExitProcess	0x140013a44
GetExitCodeProcess	0x140013a4c
FindResourceA	0x140013a54
LoadResource	0x140013a5c
SizeofResource	0x140013a64
HeapAlloc	0x140013a6c
HeapFree	0x140013a74
Sleep	0x140013a7c
LoadLibraryA	0x140013a84
GetProcAddress	0x140013a8c
FreeLibrary	0x140013a94
GetCurrentThreadId	0x140013a9c
GetCurrentProcessId	0x140013aa4
CloseHandle	0x140013aac
InitializeCriticalSection	0x140013ab4
GetModuleFileNameA	0x140013abc
GetEnvironmentVariableA	0x140013ac4
SetEnvironmentVariableA	0x140013acc
GetCurrentProcess	0x140013ad4
TerminateProcess	0x140013adc
RtlLookupFunctionEntry	0x140013ae4
RtlVirtualUnwind	0x140013aec
RemoveVectoredExceptionHandler	0x140013af4
AddVectoredExceptionHandler	0x140013afc
EnterCriticalSection	0x140013b04
LeaveCriticalSection	0x140013b0c
GetVersionExA	0x140013b14
HeapReAlloc	0x140013b1c
SetLastError	0x140013b24
TlsAlloc	0x140013b2c
GetCurrentDirectoryA	0x140013b34
SetCurrentDirectoryA	0x140013b3c
GetTempPathA	0x140013b44
SetFileAttributesA	0x140013b4c
DeleteFileA	0x140013b54
CreateDirectoryA	0x140013b5c
WriteFile	0x140013b64
CreateFileA	0x140013b6c
SetFilePointer	0x140013b74
ReadFile	0x140013b7c
DeleteCriticalSection	0x140013b84

Function	Address	Souspicious	Anti Debug
memset	0x140013974
memcpy	0x14001397c
strncmp	0x140013984
memmove	0x14001398c
strncpy	0x140013994
_strnicmp	0x14001399c
strlen	0x1400139a4
strcmp	0x1400139ac
sprintf	0x1400139b4
fabs	0x1400139bc
ceil	0x1400139c4
malloc	0x1400139cc
floor	0x1400139d4
free	0x1400139dc
fclose	0x1400139e4
_stricmp	0x1400139ec
tolower	0x1400139f4
strcpy	0x1400139fc

Function	Address	Souspicious	Anti Debug
ShellExecuteExA	0x140013bb4

Function	Address	Souspicious	Anti Debug
CoInitialize	0x140013b94
CoTaskMemFree	0x140013b9c
RevokeDragDrop	0x140013ba4

Function	Address	Souspicious	Anti Debug
PathRemoveArgsA	0x140013bd4
PathGetArgsA	0x140013bdc
PathAddBackslashA	0x140013be4
PathQuoteSpacesA	0x140013bec

Function	Address	Souspicious	Anti Debug
MessageBoxA	0x140013bfc
SendMessageA	0x140013c04
PostMessageA	0x140013c0c
GetWindowThreadProcessId	0x140013c14
IsWindowVisible	0x140013c1c
GetWindowLongPtrA	0x140013c24
GetForegroundWindow	0x140013c2c
IsWindowEnabled	0x140013c34
EnableWindow	0x140013c3c
EnumWindows	0x140013c44
SetWindowPos	0x140013c4c
DestroyWindow	0x140013c54
GetDC	0x140013c5c
GetWindowTextLengthA	0x140013c64
GetWindowTextA	0x140013c6c
SetRect	0x140013c74
DrawTextA	0x140013c7c
GetWindowLongA	0x140013c84
GetSystemMetrics	0x140013c8c
ReleaseDC	0x140013c94
GetSysColor	0x140013c9c
GetSysColorBrush	0x140013ca4
CreateWindowExA	0x140013cac
CallWindowProcA	0x140013cb4
SetWindowLongPtrA	0x140013cbc
SetFocus	0x140013cc4
RedrawWindow	0x140013ccc
RemovePropA	0x140013cd4
DefWindowProcA	0x140013cdc
SetPropA	0x140013ce4
GetPropA	0x140013cec
GetParent	0x140013cf4
GetWindow	0x140013cfc
SetActiveWindow	0x140013d04
UnregisterClassA	0x140013d0c
DestroyAcceleratorTable	0x140013d14
LoadIconA	0x140013d1c
LoadCursorA	0x140013d24
RegisterClassA	0x140013d2c
AdjustWindowRectEx	0x140013d34
ShowWindow	0x140013d3c
CreateAcceleratorTableA	0x140013d44
PeekMessageA	0x140013d4c
MsgWaitForMultipleObjects	0x140013d54
GetMessageA	0x140013d5c
GetActiveWindow	0x140013d64
TranslateAcceleratorA	0x140013d6c
TranslateMessage	0x140013d74
DispatchMessageA	0x140013d7c
EnumChildWindows	0x140013d84
GetClientRect	0x140013d8c
FillRect	0x140013d94
GetFocus	0x140013d9c
DefFrameProcA	0x140013da4
GetWindowRect	0x140013dac
IsChild	0x140013db4
GetClassNameA	0x140013dbc
GetKeyState	0x140013dc4
DestroyIcon	0x140013dcc
RegisterWindowMessageA	0x140013dd4

Function	Address	Souspicious	Anti Debug
InitCommonControlsEx	0x140013e6c