fifthikmerozx.exe

First submission 2022-08-05 04:29:01

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
File size: 2303.5 KB (2358784 bytes)
Compile time: 2022-08-04 21:04:10
MD5: 5ae8471c10cdb2a59b950e66f8ca8a46
SHA1: 284f5b01a3d7f404dcd9b5346d1a67a9de0e9c6b
SHA256: 2a83a969be112352798176d1769378c9d3330799051df12114b1bb8d7ef0bfb5
Import Hash : 62392cae1e208c7171372b2393837769
Sections 7 .text .rdata .data .gfids .tls .rsrc .reloc
Directories 6 import export resource debug tls relocation
VirusTotal: 11/71, report date 2022-08-05 02:14:25

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://208.67.105.179/fifthikmerozx.exe 208.67.105.179 2022-08-05 04:29:01

PE Sections 2 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x8a8c 35840 26516d9b6d43d84cfdde26dba18f6de05dd9a9ac dbb8499a5ca7f055cdcb7f3d22d91fb2
.rdata 0xa000 0x34e6 13824 7df695695a1a6173f8183b7c80d418ea3794e343 fdbe1d7ab79edc302ac899bd8c17ec81
.data 0xe000 0x20a018 2137088 efe554db3a9c0783ac9873de80c32676c6e0c48f d9878e0ff1a1013753a2fa80f039965a
.gfids 0x219000 0x60 512 71cae4ccf01969e3a7250c18e47e53be0f89a031 f326c9a922e377422580511d0c4ce740
.tls 0x21a000 0x9 512 aa0d33a0c854e073439067876e932688b65cb6a9 1f354d76203061bfdd5a53dae48d5435
.rsrc 0x21b000 0x288d0 166400 25c148c87e93d36bf1ce9fabffb5ee4aeebf6e27 1cb7d39cde45bc712d6e992808b6a56a
.reloc 0x244000 0xd00 3584 7e0e32d97015e15186c64c88e9e3d5d50aa086f1 2a62808fa02c4ce1fb34a2c9d4222c8f

PE Resources 6

Name Language Sublanguage Offset Size Data
TYPELIB LANG_ENGLISH SUBLANG_ENGLISH_US 0x21b2e0 3560
RT_ICON LANG_NEUTRAL SUBLANG_NEUTRAL 0x241e90 5338
RT_STRING LANG_ENGLISH SUBLANG_ENGLISH_US 0x24336c 104
RT_GROUP_ICON LANG_NEUTRAL SUBLANG_NEUTRAL 0x2433d4 90
RT_VERSION LANG_ENGLISH SUBLANG_ENGLISH_US 0x243430 800
RT_MANIFEST LANG_ENGLISH SUBLANG_ENGLISH_US 0x243750 381

Meta infos 9

FileDescription: CircColl Module
LegalCopyright: © Microsoft Corporation. All rights reserved.
Translation: 0x0409 0x04b0
InternalName: CIRCCOLL
ProductName: CircColl Module
CompanyName: Microsoft Corporation
FileVersion: 1, 0, 0, 1
OriginalFilename: CIRCCOLL.DLL
ProductVersion: 1, 0, 0, 1

Packers detected 2 (PEiD-style signatures; both match compiler/linker stubs rather than a packer, and the vcruntime140/api-ms-win-crt imports listed below point to a Visual Studio 2015 or later build, so the VC8 match is loose)

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Anti debug functions 7 (import names commonly associated with debugger checks; most of them, IsDebuggerPresent included, are also imported by the standard MSVC CRT startup and fail-fast code, so treat this list as a name match and confirm a deliberate check by locating call sites outside the CRT stubs)

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
OutputDebugStringW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Library (raw string matches; sOLEAUT32.DLL and fadvapi32.dll carry a stray leading byte from string carving and are OLEAUT32.DLL and advapi32.dll)
KERNEL32.dll
CIRCCOLL.DLL
sOLEAUT32.DLL
api-ms-win-crt-math-l1-1-0.dll
ADVAPI32.dll
api-ms-win-crt-string-l1-1-0.dll
SHELL32.dll
fadvapi32.dll
vcruntime140.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
ole32.dll
USER32.dll
OLEAUT32.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-multibyte-l1-1-0.dll

Import functions

PE Exports 4 suspicious

Function Address
DllCanUnloadNow 0x402a00
DllGetClassObject 0x402a20
DllRegisterServer 0x402a40
DllUnregisterServer 0x402a90

These four exports are the entry points of a COM in-process server, which matches OriginalFilename CIRCCOLL.DLL above, so the .exe name is cosmetic: the interesting code runs when the file is loaded and registered (regsvr32 calls DllRegisterServer), not only through its EXE entry point. The file type line above does not say (DLL), so check the IMAGE_FILE_DLL bit in the file header before deciding how to run it in a sandbox.