eternal_free.exe?ex=670d7840&is=670c26c0&hm=46379dcd197132e258e80d6ff342fa07a1f5f903798b998245e5b1aa33817828&

First submission 2024-10-14 16:47:03

File details

File type:	PE32+ executable (console) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	5712.0 KB (5849088 bytes)
Compile time:	2022-07-16 18:58:28
MD5:	4aa39760450001bab52ea021a8026252
SHA1:	c4a850eaae8550681d3146b3eae62804f076b0e7
SHA256:	66f0cae57153f67d7f2530271e4933be1df09f599633b3d1717863fcf2ce3420
Import Hash :	2b81322e2c04225db1a4f1d145db31b6
Sections 7	.text .rdata .data .pdata .vroom0 .vroom1 .rsrc
Directories 4	import export resource tls

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	52/78 VT report date: 2024-10-14 01:25:43
Malware Type 2	trojan pua
Threat Type 3	vmprotect tnega r002c0dc424

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXps://cdn.discordapp.com/attachments/1294751376831942677/1294751446176239657/eternal_free.exe?ex=670d7840&is=670c26c0&hm=46379dcd197132e258e80d6ff342fa07a1f5f903798b998245e5b1aa33817828&	cdn.discordapp.com	2024-10-14 16:47:03

PE Sections 6 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0xf03eb	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.rdata	0xf2000	0x63dfa	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.data	0x156000	0x61ff0	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.pdata	0x1b8000	0xbaa8	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.vroom0	0x1c4000	0x325f55	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.vroom1	0x4ea000	0x593834	5847552	7162f1f2491a1ff2b5d53c095ee68219eae812e8	62e0e67cef5ba66456b647828617ddcc
.rsrc	0xa7e000	0x1d5	512	8552314d7a988dc2551ee718587daaf1bf2fd902	51119ddeca791a755dcb9ab0de069bcb

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0xa7e058	381	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_MANIFEST

LANG_ENGLISH

SUBLANG_ENGLISH_US

0xa7e058

381

Strings analysis - File found

Library
VCRUNTIME140_1.dll
USER32.dll
api-ms-win-crt-convert-l1-1-0.dll
KERNEL32.dll
vcruntime140.dll
api-ms-win-crt-filesystem-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-utility-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-time-l1-1-0.dll
ADVAPI32.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
d3d9.dll
WTSAPI32.dll
IMM32.dll
api-ms-win-crt-runtime-l1-1-0.dll
msvcp140.dll

Import functions

api-ms-win-crt-filesystem-l1-1-0.dll 1 api-ms-win-crt-time-l1-1-0.dll 1 api-ms-win-crt-locale-l1-1-0.dll 1 MSVCP140.dll 1 api-ms-win-crt-convert-l1-1-0.dll 1 api-ms-win-crt-string-l1-1-0.dll 1 VCRUNTIME140_1.dll 1 api-ms-win-crt-runtime-l1-1-0.dll 1 KERNEL32.dll 14 api-ms-win-crt-math-l1-1-0.dll 1 api-ms-win-crt-utility-l1-1-0.dll 1 VCRUNTIME140.dll 1 ADVAPI32.dll 1 api-ms-win-crt-stdio-l1-1-0.dll 1 WTSAPI32.dll 1 d3d9.dll 1 api-ms-win-crt-heap-l1-1-0.dll 1 USER32.dll 4 IMM32.dll 1

Function	Address	Souspicious	Anti Debug
_lock_file	0x140609110

Function	Address	Souspicious	Anti Debug
_localtime64_s	0x140609100

Function	Address	Souspicious	Anti Debug
___lc_codepage_func	0x1406090b0

Function	Address	Souspicious	Anti Debug
_Cnd_signal	0x140609040

Function	Address	Souspicious	Anti Debug
strtol	0x1406090f0

Function	Address	Souspicious	Anti Debug
strncmp	0x1406090d0

Function	Address	Souspicious	Anti Debug
__CxxFrameHandler4	0x140609060

Function	Address	Souspicious	Anti Debug
_beginthreadex	0x140609090

Function	Address	Souspicious	Anti Debug
LoadLibraryA	0x140609010
GetSystemTimeAsFileTime	0x140609130
LocalAlloc	0x140609150
LocalFree	0x140609158
GetModuleFileNameW	0x140609160
GetProcessAffinityMask	0x140609168
SetProcessAffinityMask	0x140609170
SetThreadAffinityMask	0x140609178
Sleep	0x140609180
ExitProcess	0x140609188
FreeLibrary	0x140609190
LoadLibraryA	0x140609198
GetModuleHandleA	0x1406091a0
GetProcAddress	0x1406091a8

Function	Address	Souspicious	Anti Debug
_dclass	0x1406090a0

Function	Address	Souspicious	Anti Debug
qsort	0x1406090e0

Function	Address	Souspicious	Anti Debug
_CxxThrowException	0x140609070

Function	Address	Souspicious	Anti Debug
InitializeSecurityDescriptor	0x140609030

Function	Address	Souspicious	Anti Debug
ftell	0x1406090c0

Function	Address	Souspicious	Anti Debug
WTSSendMessageW	0x140609120

Function	Address	Souspicious	Anti Debug
Direct3DCreate9	0x140609000

Function	Address	Souspicious	Anti Debug
_set_new_mode	0x140609080

Function	Address	Souspicious	Anti Debug
SetCursor	0x140609020
GetUserObjectInformationW	0x140609140
GetProcessWindowStation	0x1406091b8
GetUserObjectInformationW	0x1406091c0

Function	Address	Souspicious	Anti Debug
ImmReleaseContext	0x140609050