ywx.exe

First submission 2024-10-17 23:22:02

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	428.5 KB (438784 bytes)
Compile time:	2024-10-17 12:16:33
MD5:	4dba58c6e9f435c1cca607525760d0fd
SHA1:	ff8d2afd9d7f0a828592fee34ca55d1a3542f7ed
SHA256:	d2886d86ef67a3550a4aadcf623aa785fddcd3af754b3035229647f186005b1c
Import Hash :	d9a5f4c55bbbe3c1ce16a8560ae80827
Sections 5	.text .rdata .data .rsrc .reloc
Directories 5	import resource debug tls relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://176.111.174.140/ywx.exe	176.111.174.140	2024-10-17 23:22:02

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x4ef9a	323584	062e7870197d7f060977d97c9dd7e68e22c1ad16	a06fe7f6af4a53d551acbf91573dae92
.rdata	0x50000	0x1488c	84480	b7e7208745a777406b989a4af07aa594b4d1c03f	d8fbba7e0409f47e021bfc995a8d381f
.data	0x65000	0x6ddc	11264	827ef07468441620723f7089d5a6921647d3c11f	6639fca53606c7aabd108b05f99a0e1a
.rsrc	0x6c000	0x1e0	512	a78032bea3fcb50d7ddd44fe466614e9b8cd3b54	98e41e68d325b18ccaa97806e147c168
.reloc	0x6d000	0x45c4	17920	af0e03f992354bbf797a1f870fd2d50282ec21c2	07b59061159861f672f5a82793451ada

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x6c060	381	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_MANIFEST

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x6c060

381

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Anti debug functions 8

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
Process32FirstW
Process32NextW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

VMCheck.dll

Strings analysis - File found

Library
api-ms-win-core-synch-l1-2-0.dll
Bkernel32.dll
mscoree.dll
SHELL32.dll
WININET.dll
ntdll.dll
WS2_32.dll
ADVAPI32.dll
USER32.dll
gdiplus.dll
ole32.dll
GDI32.dll
KERNEL32.dll

Import functions

gdiplus.dll 7 WININET.dll 12 GDI32.dll 5 SHELL32.dll 3 KERNEL32.dll 139 ADVAPI32.dll 17 ole32.dll 3 WS2_32.dll 10 USER32.dll 3

Function	Address	Souspicious	Anti Debug
GdiplusStartup	0x450310
GdipSaveImageToFile	0x450314
GdipGetImageEncodersSize	0x450318
GdiplusShutdown	0x45031c
GdipGetImageEncoders	0x450320
GdipCreateBitmapFromHBITMAP	0x450324
GdipDisposeImage	0x450328

Function	Address	Souspicious	Anti Debug
HttpOpenRequestA	0x4502b0
InternetWriteFile	0x4502b4
InternetOpenUrlA	0x4502b8
InternetOpenW	0x4502bc
HttpEndRequestW	0x4502c0
HttpAddRequestHeadersA	0x4502c4
HttpSendRequestExA	0x4502c8
InternetOpenA	0x4502cc
InternetCloseHandle	0x4502d0
HttpSendRequestA	0x4502d4
InternetConnectA	0x4502d8
InternetReadFile	0x4502dc

Function	Address	Souspicious	Anti Debug
CreateCompatibleBitmap	0x450048
SelectObject	0x45004c
CreateCompatibleDC	0x450050
DeleteObject	0x450054
BitBlt	0x450058

Function	Address	Souspicious	Anti Debug
SHGetFolderPathA	0x450290
ShellExecuteA	0x450294
SHFileOperationA	0x450298

Function	Address	Souspicious	Anti Debug
GetFileAttributesA	0x450060
Process32NextW	0x450064
CreateFileA	0x450068
Process32FirstW	0x45006c
CloseHandle	0x450070
GetSystemInfo	0x450074
CreateThread	0x450078
GetLocalTime	0x45007c
GetThreadContext	0x450080
GetProcAddress	0x450084
GetLastError	0x450088
RemoveDirectoryA	0x45008c
ReadProcessMemory	0x450090
CreateProcessA	0x450094
CreateDirectoryA	0x450098
SetThreadContext	0x45009c
SetEndOfFile	0x4500a0
HeapSize	0x4500a4
GetProcessHeap	0x4500a8
SetEnvironmentVariableW	0x4500ac
Wow64RevertWow64FsRedirection	0x4500b0
GetTempPathA	0x4500b4
Sleep	0x4500b8
CreateToolhelp32Snapshot	0x4500bc
OpenProcess	0x4500c0
SetCurrentDirectoryA	0x4500c4
GetModuleHandleA	0x4500c8
ResumeThread	0x4500cc
GetComputerNameExW	0x4500d0
GetVersionExW	0x4500d4
WaitForSingleObject	0x4500d8
CreateMutexA	0x4500dc
FindClose	0x4500e0
PeekNamedPipe	0x4500e4
CreatePipe	0x4500e8
FindNextFileA	0x4500ec
VirtualAlloc	0x4500f0
Wow64DisableWow64FsRedirection	0x4500f4
WriteFile	0x4500f8
VirtualFree	0x4500fc
FindFirstFileA	0x450100
SetHandleInformation	0x450104
WriteProcessMemory	0x450108
GetModuleFileNameA	0x45010c
VirtualAllocEx	0x450110
ReadFile	0x450114
FreeEnvironmentStringsW	0x450118
GetEnvironmentStringsW	0x45011c
GetOEMCP	0x450120
GetACP	0x450124
IsValidCodePage	0x450128
FindNextFileW	0x45012c
FindFirstFileExW	0x450130
GetTimeZoneInformation	0x450134
HeapReAlloc	0x450138
ReadConsoleW	0x45013c
SetStdHandle	0x450140
GetFullPathNameW	0x450144
GetCurrentDirectoryW	0x450148
DeleteFileW	0x45014c
EnumSystemLocalesW	0x450150
GetUserDefaultLCID	0x450154
IsValidLocale	0x450158
GetLocaleInfoW	0x45015c
LCMapStringW	0x450160
CompareStringW	0x450164
HeapAlloc	0x450168
HeapFree	0x45016c
GetConsoleMode	0x450170
GetConsoleOutputCP	0x450174
FlushFileBuffers	0x450178
SetFilePointerEx	0x45017c
GetFileSizeEx	0x450180
GetCommandLineW	0x450184
GetCommandLineA	0x450188
GetStdHandle	0x45018c
GetModuleFileNameW	0x450190
FileTimeToSystemTime	0x450194
SystemTimeToTzSpecificLocalTime	0x450198
GetFileType	0x45019c
GetFileInformationByHandle	0x4501a0
GetDriveTypeW	0x4501a4
CreateFileW	0x4501a8
RaiseException	0x4501ac
GetCurrentThreadId	0x4501b0
IsProcessorFeaturePresent	0x4501b4
FreeLibraryWhenCallbackReturns	0x4501b8
CreateThreadpoolWork	0x4501bc
SubmitThreadpoolWork	0x4501c0
CloseThreadpoolWork	0x4501c4
GetModuleHandleExW	0x4501c8
InitializeConditionVariable	0x4501cc
WakeConditionVariable	0x4501d0
WakeAllConditionVariable	0x4501d4
SleepConditionVariableCS	0x4501d8
SleepConditionVariableSRW	0x4501dc
InitOnceComplete	0x4501e0
InitOnceBeginInitialize	0x4501e4
InitializeSRWLock	0x4501e8
ReleaseSRWLockExclusive	0x4501ec
AcquireSRWLockExclusive	0x4501f0
EnterCriticalSection	0x4501f4
LeaveCriticalSection	0x4501f8
InitializeCriticalSectionEx	0x4501fc
TryEnterCriticalSection	0x450200
DeleteCriticalSection	0x450204
WaitForSingleObjectEx	0x450208
QueryPerformanceCounter	0x45020c
GetSystemTimeAsFileTime	0x450210
GetModuleHandleW	0x450214
EncodePointer	0x450218
DecodePointer	0x45021c
MultiByteToWideChar	0x450220
WideCharToMultiByte	0x450224
LCMapStringEx	0x450228
GetStringTypeW	0x45022c
GetCPInfo	0x450230
InitializeCriticalSectionAndSpinCount	0x450234
SetEvent	0x450238
ResetEvent	0x45023c
CreateEventW	0x450240
UnhandledExceptionFilter	0x450244
SetUnhandledExceptionFilter	0x450248
GetCurrentProcess	0x45024c
TerminateProcess	0x450250
IsDebuggerPresent	0x450254
GetStartupInfoW	0x450258
GetCurrentProcessId	0x45025c
InitializeSListHead	0x450260
RtlUnwind	0x450264
SetLastError	0x450268
TlsAlloc	0x45026c
TlsGetValue	0x450270
TlsSetValue	0x450274
TlsFree	0x450278
FreeLibrary	0x45027c
LoadLibraryExW	0x450280
ExitProcess	0x450284
WriteConsoleW	0x450288

Function	Address	Souspicious	Anti Debug
RevertToSelf	0x450000
RegCloseKey	0x450004
RegQueryInfoKeyW	0x450008
RegGetValueA	0x45000c
RegQueryValueExA	0x450010
GetSidSubAuthorityCount	0x450014
GetSidSubAuthority	0x450018
GetUserNameA	0x45001c
CreateProcessWithTokenW	0x450020
LookupAccountNameA	0x450024
ImpersonateLoggedOnUser	0x450028
RegSetValueExA	0x45002c
OpenProcessToken	0x450030
RegOpenKeyExA	0x450034
RegEnumValueA	0x450038
DuplicateTokenEx	0x45003c
GetSidIdentifierAuthority	0x450040

Function	Address	Souspicious	Anti Debug
CoUninitialize	0x450330
CoCreateInstance	0x450334
CoInitialize	0x450338

Function	Address	Souspicious	Anti Debug
closesocket	0x4502e4
inet_pton	0x4502e8
getaddrinfo	0x4502ec
WSAStartup	0x4502f0
send	0x4502f4
socket	0x4502f8
connect	0x4502fc
recv	0x450300
htons	0x450304
freeaddrinfo	0x450308

Function	Address	Souspicious	Anti Debug
GetSystemMetrics	0x4502a0
ReleaseDC	0x4502a4
GetDC	0x4502a8