OGYS_MACRO.exe?ex=670c2148&is=670acfc8&hm=a51a7fc2b2407aa19e6e89a41e317ba6c89544aa6228d1d5c61183ba40177f17&

First submission 2024-10-13 19:25:02

File details

File type:	PE32+ executable (console) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	23.0 KB (23552 bytes)
Compile time:	2024-04-21 16:52:17
MD5:	5656520dd201e786dbcbd4043409c921
SHA1:	c1ffb9889a94f6fb5d34386ebdd0e7dac3b2858c
SHA256:	fd8d9c433aad9059017c03b07f6d59458b1c9cb0829ee08dc65f816b15ddfdfc
Import Hash :	671a1463842121ba57af655bdf3da007
Sections 6	.text .rdata .data .pdata .rsrc .reloc
Directories 4	import resource debug relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	34/77 VT report date: 2024-10-12 20:57:58
Malware Type 1	trojan

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXps://cdn.discordapp.com/attachments/1294745020401717329/1294745575467515996/OGYS_MACRO.exe?ex=670c2148&is=670acfc8&hm=a51a7fc2b2407aa19e6e89a41e317ba6c89544aa6228d1d5c61183ba40177f17&	cdn.discordapp.com	2024-10-13 19:25:02

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x2783	10240	579a7460c7c0b22dd8e343bb81020aedb89f8328	aee0326a47efbae5b6a166ad9fded467
.rdata	0x4000	0x2512	9728	c2b943f68b494aec038355939ffabdac54e7017e	324fa72e122befaee26ee8668e0a7bf5
.data	0x7000	0x7a0	512	0155cca051e37ccb56e0d3f39793769c89b94a2e	a5251d34c90bd7c6631fde061fd04ce5
.pdata	0x8000	0x324	1024	cce9a11412ebbae6824459a20a8a101e4cf95ddf	e10ed82ae93ecf908c5154341ee7b855
.rsrc	0x9000	0x1e8	512	25359da070b6b64e5caddd1a09957a43a83b5c07	b62c408e2a33a54eed41bd643e2fddee
.reloc	0xa000	0x64	512	e2040f7a82d97c581253769f3735c4771b0d7a99	a42c7e1b05d224021d9f580ecd543fd9

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x9060	392	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='requireAdministrator' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_MANIFEST

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x9060

392

Packers detected 1

Microsoft Visual C++ 8.0 (DLL)

Anti debug functions 4

IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Library
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
msvcp140.dll
KERNEL32.dll
vcruntime140.dll
api-ms-win-crt-stdio-l1-1-0.dll
USER32.dll
VCRUNTIME140_1.dll
api-ms-win-crt-locale-l1-1-0.dll

Import functions

api-ms-win-crt-heap-l1-1-0.dll 4 VCRUNTIME140_1.dll 1 api-ms-win-crt-runtime-l1-1-0.dll 20 KERNEL32.dll 19 api-ms-win-crt-math-l1-1-0.dll 1 VCRUNTIME140.dll 10 api-ms-win-crt-stdio-l1-1-0.dll 2 api-ms-win-crt-locale-l1-1-0.dll 1 MSVCP140.dll 30 USER32.dll 2

Function	Address	Souspicious	Anti Debug
_callnewh	0x140004218
malloc	0x140004220
free	0x140004228
_set_new_mode	0x140004230

Function	Address	Souspicious	Anti Debug
__CxxFrameHandler4	0x140004208

Function	Address	Souspicious	Anti Debug
_crt_atexit	0x140004260
terminate	0x140004268
_register_onexit_function	0x140004270
_exit	0x140004278
_initialize_onexit_table	0x140004280
__p___argc	0x140004288
_initterm_e	0x140004290
_initterm	0x140004298
_get_initial_narrow_environment	0x1400042a0
_initialize_narrow_environment	0x1400042a8
_configure_narrow_argv	0x1400042b0
__p___argv	0x1400042b8
_set_app_type	0x1400042c0
_seh_filter_exe	0x1400042c8
_register_thread_local_exe_atexit_callback	0x1400042d0
_c_exit	0x1400042d8
_cexit	0x1400042e0
_invalid_parameter_noinfo_noreturn	0x1400042e8
system	0x1400042f0
exit	0x1400042f8

Function	Address	Souspicious	Anti Debug
SetConsoleTextAttribute	0x140004000
GetStdHandle	0x140004008
Sleep	0x140004010
FreeConsole	0x140004018
RtlLookupFunctionEntry	0x140004020
RtlVirtualUnwind	0x140004028
UnhandledExceptionFilter	0x140004030
SetUnhandledExceptionFilter	0x140004038
GetCurrentProcess	0x140004040
TerminateProcess	0x140004048
IsProcessorFeaturePresent	0x140004050
QueryPerformanceCounter	0x140004058
GetCurrentProcessId	0x140004060
GetCurrentThreadId	0x140004068
GetSystemTimeAsFileTime	0x140004070
InitializeSListHead	0x140004078
IsDebuggerPresent	0x140004080
GetModuleHandleW	0x140004088
RtlCaptureContext	0x140004090

Function	Address	Souspicious	Anti Debug
__setusermatherr	0x140004250

Function	Address	Souspicious	Anti Debug
__std_terminate	0x1400041b0
__std_exception_destroy	0x1400041b8
memcmp	0x1400041c0
__C_specific_handler	0x1400041c8
__current_exception_context	0x1400041d0
_CxxThrowException	0x1400041d8
__current_exception	0x1400041e0
__std_exception_copy	0x1400041e8
memset	0x1400041f0
memcpy	0x1400041f8

Function	Address	Souspicious	Anti Debug
_set_fmode	0x140004308
__p__commode	0x140004310

Function	Address	Souspicious	Anti Debug
_configthreadlocale	0x140004240

Function	Address	Souspicious	Anti Debug
_Thrd_sleep	0x1400040a0
_Query_perf_counter	0x1400040a8
_Xtime_get_ticks	0x1400040b0
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ	0x1400040b8
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z	0x1400040c0
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ	0x1400040c8
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z	0x1400040d0
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z	0x1400040d8
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z	0x1400040e0
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z	0x1400040e8
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ	0x1400040f0
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ	0x1400040f8
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ	0x140004100
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z	0x140004108
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z	0x140004110
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z	0x140004118
?id@?$ctype@D@std@@2V0locale@2@A	0x140004120
?good@ios_base@std@@QEBA_NXZ	0x140004128
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z	0x140004130
??Bid@locale@std@@QEAA_KXZ	0x140004138
?_Xlength_error@std@@YAXPEBD@Z	0x140004140
_Query_perf_frequency	0x140004148
??1_Lockit@std@@QEAA@XZ	0x140004150
??0_Lockit@std@@QEAA@H@Z	0x140004158
?uncaught_exceptions@std@@YAHXZ	0x140004160
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A	0x140004168
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ	0x140004170
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A	0x140004178
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z	0x140004180
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ	0x140004188

Function	Address	Souspicious	Anti Debug
SendInput	0x140004198
GetAsyncKeyState	0x1400041a0