reverse_ctl.exe

First submission 2024-10-17 20:37:06

File details

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	6986.67 KB (7154345 bytes)
Compile time:	2024-08-02 12:23:25
MD5:	51dadf28bb2dfca8bcfdd80a15cfdfe1
SHA1:	1ed622472c9323c0a5674ab66194bd45fe817def
SHA256:	c1b5b2692f77317e4a4ed00a960dabaac5c8316a02861844d2970a7f9dc3a915
Import Hash :	456e8615ad4320c9f54e50319a19df9c
Sections 6	.text .rdata .data .pdata .rsrc .reloc
Directories 4	import resource debug relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	8/77 VT report date: 2024-10-17 15:16:22

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://47.236.122.191/reverse_ctl.exe	47.236.122.191	2024-10-17 20:37:06

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x29210	168960	6766fdac7e7ff041a0543a344a339dc375a6e66e	aca64598002ecff9eefbc96554edf015
.rdata	0x2b000	0x12642	75776	9edcc89891aabe0689696bb46f213b2206ebd2ae	ac9d8aa3ef3043a788afea2b0073d2a7
.data	0x3e000	0x73d8	3584	3e4547154414efe7a9146e813cb6e4d201fee452	d0a288978c66419b180b35f625b6dce7
.pdata	0x46000	0x2208	9216	4f52f9908d0deae6d9454b2262789030c67d4e05	74cf3ea22e0a1756984435d6f80f7da5
.rsrc	0x49000	0xf41c	62976	1e8529b98ad0b12f7eb9a074ec22d6145b33efc5	67d67d1491ed1bb007b5d15c2f5a8a9c
.reloc	0x59000	0x768	2048	4fc3afbbb3d4417f1fadc5f4e09e1f961ca4b266	71de9271648326ec88350e903470cf3e

PE Resources 3

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x57a3c	1128	PE Resource: RT_ICON - Data ( X8 a@ZJ6fffXXXCCC///\|bA$ Se i'j{Zp;n9Z&?Zi'l-wZNNq;^ l-o3}NNNo8b&o3s8MNLl4ze+K{FvH}XfsNLKf-ae2o?pGJrvfUI["Hh5E5OULsd\|I/zJ5-D\]WUVf3X#N.HS]ZV~<f3a,h/HR]\U71w1g3/HR]\Z8?3s+k7/HTPQJDq&n:/G]Xqm T ,"@WQih~\'635e2 yM!#j<UndT-AAAAAAAAAAAAAAAA
RT_GROUP_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x57ea4	104
RT_MANIFEST	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x57f0c	1293	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language=""/> </dependentAssembly> </dependency> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x57a3c

1128

RT_GROUP_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x57ea4

104

RT_MANIFEST

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x57f0c

1293

Packers detected 2

Microsoft Visual C++ 8.0 (DLL)
Microsoft Visual C++ 8.0

Anti debug functions 6

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Executable
*X.sO
Compressed
base_library.zip
bbase_library.zip
Library
mscoree.dll
ADVAPI32.dll
bapi-ms-win-core-file-l1-1-0.dll
bapi-ms-win-crt-math-l1-1-0.dll
bapi-ms-win-core-file-l2-1-0.dll
bapi-ms-win-crt-runtime-l1-1-0.dll
bapi-ms-win-core-timezone-l1-1-0.dll
7python311.dll
bapi-ms-win-core-processenvironment-l1-1-0.dll
COMCTL32.dll
bapi-ms-win-core-processthreads-l1-1-0.dll
bapi-ms-win-core-file-l1-2-0.dll
bapi-ms-win-core-processthreads-l1-1-1.dll
bapi-ms-win-core-interlocked-l1-1-0.dll
blibcrypto-1_1.dll
bapi-ms-win-core-profile-l1-1-0.dll
bapi-ms-win-crt-utility-l1-1-0.dll
bapi-ms-win-core-memory-l1-1-0.dll
bapi-ms-win-core-namedpipe-l1-1-0.dll
ucrtbase.dll
bapi-ms-win-crt-convert-l1-1-0.dll
bucrtbase.dll
bapi-ms-win-crt-time-l1-1-0.dll
bapi-ms-win-core-debug-l1-1-0.dll
bapi-ms-win-core-datetime-l1-1-0.dll
Bapi-ms-win-core-synch-l1-2-0.dll
bapi-ms-win-core-rtlsupport-l1-1-0.dll
bVCRUNTIME140.dll
bapi-ms-win-core-synch-l1-1-0.dll
bapi-ms-win-crt-process-l1-1-0.dll
KERNEL32.dll
bapi-ms-win-core-handle-l1-1-0.dll
USER32.dll
bapi-ms-win-core-util-l1-1-0.dll
bapi-ms-win-core-console-l1-1-0.dll
bapi-ms-win-crt-string-l1-1-0.dll
bapi-ms-win-core-localization-l1-2-0.dll
bapi-ms-win-crt-conio-l1-1-0.dll
bpython311.dll
bapi-ms-win-crt-locale-l1-1-0.dll
bapi-ms-win-crt-heap-l1-1-0.dll
bapi-ms-win-core-heap-l1-1-0.dll
bapi-ms-win-core-libraryloader-l1-1-0.dll
bapi-ms-win-crt-environment-l1-1-0.dll
bapi-ms-win-core-sysinfo-l1-1-0.dll
bapi-ms-win-crt-filesystem-l1-1-0.dll
bapi-ms-win-core-string-l1-1-0.dll
bapi-ms-win-core-errorhandling-l1-1-0.dll
GDI32.dll
bapi-ms-win-crt-stdio-l1-1-0.dll

Strings analysis - Possible URLs found 1

http://schemas.microsoft.com/SMI/2016/WindowsSettings

Import functions

ADVAPI32.dll 4 KERNEL32.dll 106 GDI32.dll 3 USER32.dll 19 COMCTL32.dll 1

Function	Address	Souspicious	Anti Debug
OpenProcessToken	0x14002b000
GetTokenInformation	0x14002b008
ConvertStringSecurityDescriptorToSecurityDescriptorW	0x14002b010
ConvertSidToStringSidW	0x14002b018

Function	Address	Souspicious	Anti Debug
GetACP	0x14002b058
IsValidCodePage	0x14002b060
GetStringTypeW	0x14002b068
GetFileAttributesExW	0x14002b070
SetEnvironmentVariableW	0x14002b078
FlushFileBuffers	0x14002b080
GetCurrentDirectoryW	0x14002b088
GetOEMCP	0x14002b090
GetCPInfo	0x14002b098
GetModuleHandleW	0x14002b0a0
MulDiv	0x14002b0a8
GetLastError	0x14002b0b0
FormatMessageW	0x14002b0b8
GetModuleFileNameW	0x14002b0c0
SetDllDirectoryW	0x14002b0c8
CreateSymbolicLinkW	0x14002b0d0
GetProcAddress	0x14002b0d8
CreateDirectoryW	0x14002b0e0
GetCommandLineW	0x14002b0e8
GetEnvironmentVariableW	0x14002b0f0
ExpandEnvironmentStringsW	0x14002b0f8
GetEnvironmentStringsW	0x14002b100
FindClose	0x14002b108
FindFirstFileW	0x14002b110
FindNextFileW	0x14002b118
GetDriveTypeW	0x14002b120
RemoveDirectoryW	0x14002b128
GetTempPathW	0x14002b130
CloseHandle	0x14002b138
WaitForSingleObject	0x14002b140
Sleep	0x14002b148
GetCurrentProcess	0x14002b150
GetExitCodeProcess	0x14002b158
CreateProcessW	0x14002b160
GetStartupInfoW	0x14002b168
FreeLibrary	0x14002b170
LoadLibraryExW	0x14002b178
LocalFree	0x14002b180
SetConsoleCtrlHandler	0x14002b188
K32EnumProcessModules	0x14002b190
K32GetModuleFileNameExW	0x14002b198
CreateFileW	0x14002b1a0
FindFirstFileExW	0x14002b1a8
GetFinalPathNameByHandleW	0x14002b1b0
MultiByteToWideChar	0x14002b1b8
WideCharToMultiByte	0x14002b1c0
FreeEnvironmentStringsW	0x14002b1c8
GetProcessHeap	0x14002b1d0
GetTimeZoneInformation	0x14002b1d8
HeapSize	0x14002b1e0
HeapReAlloc	0x14002b1e8
WriteConsoleW	0x14002b1f0
SetEndOfFile	0x14002b1f8
DeleteFileW	0x14002b200
IsProcessorFeaturePresent	0x14002b208
RtlCaptureContext	0x14002b210
RtlLookupFunctionEntry	0x14002b218
RtlVirtualUnwind	0x14002b220
UnhandledExceptionFilter	0x14002b228
SetUnhandledExceptionFilter	0x14002b230
TerminateProcess	0x14002b238
QueryPerformanceCounter	0x14002b240
GetCurrentProcessId	0x14002b248
GetCurrentThreadId	0x14002b250
GetSystemTimeAsFileTime	0x14002b258
InitializeSListHead	0x14002b260
IsDebuggerPresent	0x14002b268
RtlUnwindEx	0x14002b270
SetLastError	0x14002b278
EnterCriticalSection	0x14002b280
LeaveCriticalSection	0x14002b288
DeleteCriticalSection	0x14002b290
InitializeCriticalSectionAndSpinCount	0x14002b298
TlsAlloc	0x14002b2a0
TlsGetValue	0x14002b2a8
TlsSetValue	0x14002b2b0
TlsFree	0x14002b2b8
EncodePointer	0x14002b2c0
RaiseException	0x14002b2c8
RtlPcToFileHeader	0x14002b2d0
GetCommandLineA	0x14002b2d8
GetFileInformationByHandle	0x14002b2e0
GetFileType	0x14002b2e8
PeekNamedPipe	0x14002b2f0
SystemTimeToTzSpecificLocalTime	0x14002b2f8
FileTimeToSystemTime	0x14002b300
ReadFile	0x14002b308
GetFullPathNameW	0x14002b310
SetStdHandle	0x14002b318
GetStdHandle	0x14002b320
WriteFile	0x14002b328
ExitProcess	0x14002b330
GetModuleHandleExW	0x14002b338
HeapFree	0x14002b340
GetConsoleMode	0x14002b348
ReadConsoleW	0x14002b350
SetFilePointerEx	0x14002b358
GetConsoleOutputCP	0x14002b360
GetFileSizeEx	0x14002b368
HeapAlloc	0x14002b370
FlsAlloc	0x14002b378
FlsGetValue	0x14002b380
FlsSetValue	0x14002b388
FlsFree	0x14002b390
CompareStringW	0x14002b398
LCMapStringW	0x14002b3a0

Function	Address	Souspicious	Anti Debug
SelectObject	0x14002b038
DeleteObject	0x14002b040
CreateFontIndirectW	0x14002b048

Function	Address	Souspicious	Anti Debug
CreateWindowExW	0x14002b3b0
PostMessageW	0x14002b3b8
GetMessageW	0x14002b3c0
MessageBoxW	0x14002b3c8
MessageBoxA	0x14002b3d0
SystemParametersInfoW	0x14002b3d8
DestroyIcon	0x14002b3e0
SetWindowLongPtrW	0x14002b3e8
GetWindowLongPtrW	0x14002b3f0
GetClientRect	0x14002b3f8
InvalidateRect	0x14002b400
ReleaseDC	0x14002b408
GetDC	0x14002b410
DrawTextW	0x14002b418
GetDialogBaseUnits	0x14002b420
EndDialog	0x14002b428
DialogBoxIndirectParamW	0x14002b430
MoveWindow	0x14002b438
SendMessageW	0x14002b440

Function	Address	Souspicious	Anti Debug
None	0x14002b028

Name	Latest seen	MD5
rt.exe	2024-07-20 23:13:09	16c657e788d1b5f6ba16f1880ae3ffa2
OneDrive.exe	2024-07-24 11:27:03	f468ae483026819d6977e2a5e34ea52a
2020.exe	2024-08-28 04:41:03	95606667ac40795394f910864b1f8cc4
Proxy.exe	2024-07-26 08:04:05	979c9b19507478fe8f08d537ec70538b
chrome.exe	2024-08-26 00:31:09	780eb7021e18368fd30e77f156dbaeb1
nikzbi.exe	2024-08-27 09:01:02	f2b9c2a610af9cfb62abcdd5b850b320
xx.exe	2024-09-22 18:25:03	cdb08964f95490ea413b0202f9d4576f
wsd.exe	2024-09-23 20:32:02	f1a4608262276d12a77a5db012189fa6

reverse_ctl.exe

File details

File features detected

OSINT Enrichments

URLs, FQDN and IP indicators 1

PE Sections 1 suspicious

PE Resources 3

Packers detected 2

Anti debug functions 6

Strings analysis - File found

Strings analysis - Possible URLs found 1

Import functions

Related files by ImpHash 8 456e8615ad4320c9f54e50319a19df9c