fifthikmerozx.exe

First submission 2022-08-05 04:29:01

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
File type:	2303.5 KB (2358784 bytes)
Compile time:	2022-08-04 21:04:10
MD5:	5ae8471c10cdb2a59b950e66f8ca8a46
SHA1:	284f5b01a3d7f404dcd9b5346d1a67a9de0e9c6b
SHA256:	2a83a969be112352798176d1769378c9d3330799051df12114b1bb8d7ef0bfb5
Import Hash :	62392cae1e208c7171372b2393837769
Sections 7	.text .rdata .data .gfids .tls .rsrc .reloc
Directories 6	import export resource debug tls relocation
Virus Total:	11/71 VT report date: 2022-08-05 02:14:25

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://208.67.105.179/fifthikmerozx.exe	208.67.105.179	2022-08-05 04:29:01

PE Sections 2 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x8a8c	35840	26516d9b6d43d84cfdde26dba18f6de05dd9a9ac	dbb8499a5ca7f055cdcb7f3d22d91fb2
.rdata	0xa000	0x34e6	13824	7df695695a1a6173f8183b7c80d418ea3794e343	fdbe1d7ab79edc302ac899bd8c17ec81
.data	0xe000	0x20a018	2137088	efe554db3a9c0783ac9873de80c32676c6e0c48f	d9878e0ff1a1013753a2fa80f039965a
.gfids	0x219000	0x60	512	71cae4ccf01969e3a7250c18e47e53be0f89a031	f326c9a922e377422580511d0c4ce740
.tls	0x21a000	0x9	512	aa0d33a0c854e073439067876e932688b65cb6a9	1f354d76203061bfdd5a53dae48d5435
.rsrc	0x21b000	0x288d0	166400	25c148c87e93d36bf1ce9fabffb5ee4aeebf6e27	1cb7d39cde45bc712d6e992808b6a56a
.reloc	0x244000	0xd00	3584	7e0e32d97015e15186c64c88e9e3d5d50aa086f1	2a62808fa02c4ce1fb34a2c9d4222c8f

PE Resources 6

Name	Language	Sublanguage	Offset	Size	Data
TYPELIB	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x21b2e0	3560	PE Resource: TYPELIB - Data MSFT A d,\XT04 ( T@$%"d` 4"d@8<%"4"@ %"0 4"0 @d(xH`0(:Oyzew\|Qw<cw\|Qw<dw\|Qw<LdGcd50FF-jKL KZHdL(UB3qqPDX3N!,+7U9__@UMB h5L:,Zd,x-stdole2.tlbWWWDPxdl8\!kCIRCCOLLATTRIBLibWWW 8 CMyCircleWWWd 8bIMyCircleWWWdXCenterWpXCenterdETYCenterW0pYCenterdVRadiusWW:)pRadiusWdaLabelWWW NpbstrLabelWW8CMyCircleCollectionCreatorWW,8SIMyCircleCollectionCreatorWW, =GetCirclesWWenWWW;retvalWW8CMyCircleCollectionW8">IMyCircleCollectionW0vCountWWWzItemIndexWWWxA_NewEnumIMyCircle InterfaceWWW$IMyCircleCollectionCreator InterfaceWW Returns a collection of Circles.WWIMyCircleCollection InterfaceW&Returns number of items in collection.2Given an index, returns an item in the collection.)returns an enumerator for the collection.W@@@@ @ >Created by MIDL version 7.00.0555 at Thu Aug 04 12:04:09 2022 bWW+WW0DHL $LDd $ D!$$LD $(D!$,LD $0D!$4LD $8D!PPxx$Hl88\ D@\l D,LDl 8 \Dl ,$LD l `,d
RT_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x241e90	5338	PE Resource: RT_ICON - Data PNG IHDR\rfgAMA[^\&xIDATxMkWO4L,{6#qY8L1X kzl V8Yd`!NfX9-Ku9}I.gs}]KvAI&[uK_)#X?:&/n]ZLhbn.u<OG0~0~ @!Gz;E00/ FwA>.0~<V3RLy#q(gsHz_GC<:rivP(ML"0<~:mvVs Usc9\g ?Gpl~rU:&9s`S?GQ}8)2<i_9'(3~TStGMyAac{)Ec??0MY`?\|>B-w= 7=!w>09\|]xo%r.sm#,!!w>b\|Ysg_<qL`yo&];xsp`fwq>D N'!nv\3>jlxk~`6l7]?`906;3_(&@y/`}1$'a7gWiFmkQGypGdWBz@Z.Sa[(0?#fgsOs\|k[.g);\.>X<%=Z e,^5:D>s{g^S,z}sb/?!\|r"^E=K%\A<HD+"`Xf!BDK1^,HD(!R$E$HF,XD("bF~1HN,hD(OR,pD(^dGB2I!@UD`H0@gF(YE1A-?:D`H)IDFAF@ t?9q>0'M!S8!Sy/+D$OP_s_=7X }@2 eI.n?"0:9N V8K1"0}00ksSpz{/}J,,D_oV7FI/DOv=Rd[pfZsK\{>&V!i1>KvmbY/lZy{}0w^"P} (DVK0`"FG!qJaD(D 7 9\/H0@os0 ,.P-h&X/"`X S(AKb+~cX0Q`i@o0 ,uQt`A!F1R,0D(C 76 YP%jR@oL0 ,eT# @2@jo,0 ,X!)@o0 ,F \| %]Z~7VB %D W9%["TTD4@xsKdJonS S@-A`EmLlfLd[2-{:le5Rao_eegWV\k\dB7)7uZ-MN2Nd4ZNtfvIz_~\|C?Wulu,88^vNGv?.F\|6-e\3{KCY~)MwbqK'];vG]1piU?,?^imCnXL[(>09TH`G_K]![GbL 5my?M0,u\|c2`Y$q\<\SenZSm6_qH1KhzWjqFomhcSzMNarSp/.oo&`wP6n<mmH\|j,V~1wU{>?gz) (lY%6m\|Cbbnd)=0/T$[FD@?%NFN3CkXlSY`t?otr`=^otnmr)>&m!0Lb}}X_Gg\RkkS}6osvMr#G4Qi!?Mk}X_Ny=j)>-mwew_.YF+DRgmvS(\|k19V#d%=W}R56nJ@xke647E\c/N+@ d@wI C d@wI C d@wI C d@wI C d@wI C @ @ @ @&IH~m ?!?!?!?!?!?!?!?!?!?!?!SO@9%t]Yr6YLtdrOw.9DF<%o#j\xyvKNmU-ZK RG-Ip 0%?5j% 9\|WsKpU(lQ@a}tmH{!_k!U}X_~QTXLgY})<`\|[[na"\|nVb\NP;i:,C\[KeO5^_m`z;YimqX+zyS1w?-W@1% 9G; JRm6u?<L 9AKy;bOM>UsV NL;\|F%iw}]b]gs!6E=gwt2\Tv6m7?^\|oB6m)=g/.&GzFxUW_PZ,,Wj]oen t,% t,% t,% t,%#^`..P+N:W)Z 'RDg!HYG,>N U@jJtEuw#RaD!HIG7F @Bt:D}bC1YF(14N V@:@"2:HLb I,Eb# Ji@":\0#EqDSBX (@M2'0 W{;ic=^\|#f#%m4M&`EddE5wg-u\|G@O P?Szl"P/\^D>@},E@=z80?CzpL y;%>%}lF Tp= mk!kf`V@5@5^"P>I@yV"P.Y@9N "0=itF"09yd>l"0>x6l"0:h."p8a&"p0A\|J"+K"2@BP@DcOH]<& k$ vBM E@F&J 5@=@J"lI@"$< }2D<8EH\|~~Wz5l.+j-sp kj$Z5]@"]&o\|[h=5>@\|Bd>Q\|a,AKz_Gn=z@J)E8./HCN5q?d"A_g77E#=`$VV!?U3?=?f 93ox]A~R`7Y)gYrK* DB~M'LgDII7x]T^882/G#;w)!F)H eid@in4Bhps[s&4(5w@ym3$`M{L'Lt784#z?QrE :rM2eB6D@sUL}B\|JL,CuF~DTlof?WEm?G:rnp7o<g!g+[U $Usu$^[;E.>* 7Dynv.z&po9{r1\|t= ^!`Nq?Q{>3r&IENDB`
RT_STRING	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x24336c	104
RT_GROUP_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x2433d4	90
RT_VERSION	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x243430	800	PE Resource: RT_VERSION - Data 4VS_VERSION_INFO?~StringFileInfoZ040904b0LCompanyNameMicrosoft CorporationHFileDescriptionCircColl Module6FileVersion1, 0, 0, 12 InternalNameCIRCCOLL/LegalCopyright Microsoft Corporation. All rights reserved.B OriginalFilenameCIRCCOLL.DLL@ProductNameCircColl Module:ProductVersion1, 0, 0, 1DVarFileInfo$Translation
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x243750	381	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>

Meta infos 9

FileDescription:	CircColl Module
LegalCopyright:	\xa9 Microsoft Corporation. All rights reserved.
Translation:	0x0409 0x04b0
InternalName:	CIRCCOLL
ProductName:	CircColl Module
CompanyName:	Microsoft Corporation
FileVersion:	1, 0, 0, 1
OriginalFilename:	CIRCCOLL.DLL
ProductVersion:	1, 0, 0, 1

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Anti debug functions 7

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
OutputDebugStringW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Library
KERNEL32.dll
CIRCCOLL.DLL
sOLEAUT32.DLL
api-ms-win-crt-math-l1-1-0.dll
ADVAPI32.dll
api-ms-win-crt-string-l1-1-0.dll
SHELL32.dll
fadvapi32.dll
vcruntime140.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
ole32.dll
USER32.dll
OLEAUT32.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-multibyte-l1-1-0.dll

Import functions

api-ms-win-crt-heap-l1-1-0.dll 6 KERNEL32.dll 53 api-ms-win-crt-runtime-l1-1-0.dll 20 SHELL32.dll 1 VCRUNTIME140.dll 10 api-ms-win-crt-locale-l1-1-0.dll 1 api-ms-win-crt-multibyte-l1-1-0.dll 1 OLEAUT32.dll 16 api-ms-win-crt-math-l1-1-0.dll 1 api-ms-win-crt-stdio-l1-1-0.dll 6 ADVAPI32.dll 7 USER32.dll 4 api-ms-win-crt-string-l1-1-0.dll 5 ole32.dll 4

Function	Address	Souspicious	Anti Debug
_set_new_mode	0x40a184
calloc	0x40a188
free	0x40a18c
malloc	0x40a190
_callnewh	0x40a194
_recalloc	0x40a198

Function	Address	Souspicious	Anti Debug
HeapAlloc	0x40a020
HeapReAlloc	0x40a024
HeapFree	0x40a028
HeapSize	0x40a02c
GetProcessHeap	0x40a030
RaiseException	0x40a034
GetLastError	0x40a038
EnterCriticalSection	0x40a03c
LeaveCriticalSection	0x40a040
InitializeCriticalSectionAndSpinCount	0x40a044
DeleteCriticalSection	0x40a048
Sleep	0x40a04c
GetModuleFileNameA	0x40a050
GetModuleHandleA	0x40a054
GetModuleHandleW	0x40a058
MultiByteToWideChar	0x40a05c
WideCharToMultiByte	0x40a060
HeapDestroy	0x40a064
SetThreadLocale	0x40a068
GetConsoleWindow	0x40a06c
LockResource	0x40a070
LoadResource	0x40a074
SizeofResource	0x40a078
lstrcmpiA	0x40a07c
FindResourceW	0x40a080
FindResourceExW	0x40a084
IsDBCSLeadByte	0x40a088
GetSystemTimeAsFileTime	0x40a08c
GetCurrentThreadId	0x40a090
GetCurrentProcessId	0x40a094
QueryPerformanceCounter	0x40a098
GetStartupInfoW	0x40a09c
IsProcessorFeaturePresent	0x40a0a0
TerminateProcess	0x40a0a4
VirtualProtect	0x40a0a8
VirtualAlloc	0x40a0ac
GetProcAddress	0x40a0b0
InterlockedDecrement	0x40a0b4
InterlockedIncrement	0x40a0b8
DecodePointer	0x40a0bc
GetThreadLocale	0x40a0c0
EncodePointer	0x40a0c4
GetCurrentProcess	0x40a0c8
SetUnhandledExceptionFilter	0x40a0cc
UnhandledExceptionFilter	0x40a0d0
CreateEventW	0x40a0d4
WaitForSingleObjectEx	0x40a0d8
ResetEvent	0x40a0dc
SetEvent	0x40a0e0
CloseHandle	0x40a0e4
OutputDebugStringW	0x40a0e8
IsDebuggerPresent	0x40a0ec
InitializeSListHead	0x40a0f0

Function	Address	Souspicious	Anti Debug
_cexit	0x40a1b8
_initialize_narrow_environment	0x40a1bc
_seh_filter_exe	0x40a1c0
_set_app_type	0x40a1c4
_configure_narrow_argv	0x40a1c8
_initterm	0x40a1cc
_initterm_e	0x40a1d0
exit	0x40a1d4
_crt_atexit	0x40a1d8
_resetstkoflw	0x40a1dc
_c_exit	0x40a1e0
_register_thread_local_exe_atexit_callback	0x40a1e4
_initialize_onexit_table	0x40a1e8
_invalid_parameter_noinfo	0x40a1ec
_controlfp_s	0x40a1f0
terminate	0x40a1f4
_errno	0x40a1f8
_exit	0x40a1fc
_register_onexit_function	0x40a200
_get_narrow_winmain_command_line	0x40a204

Function	Address	Souspicious	Anti Debug
SHGetFileInfoA	0x40a13c

Function	Address	Souspicious	Anti Debug
memcpy	0x40a158
__std_exception_destroy	0x40a15c
__std_exception_copy	0x40a160
_except_handler4_common	0x40a164
__vcrt_InitializeCriticalSectionEx	0x40a168
__CxxFrameHandler3	0x40a16c
memset	0x40a170
_CxxThrowException	0x40a174
__std_terminate	0x40a178
_purecall	0x40a17c

Function	Address	Souspicious	Anti Debug
_configthreadlocale	0x40a1a0

Function	Address	Souspicious	Anti Debug
_mbsnbcpy_s	0x40a1b0

Function	Address	Souspicious	Anti Debug
RegisterTypeLib	0x40a0f8
UnRegisterTypeLib	0x40a0fc
SysAllocStringLen	0x40a100
SysStringByteLen	0x40a104
SysAllocStringByteLen	0x40a108
VariantInit	0x40a10c
VariantClear	0x40a110
VariantCopy	0x40a114
VariantChangeType	0x40a118
VarUI4FromStr	0x40a11c
LoadRegTypeLib	0x40a120
GetErrorInfo	0x40a124
SysFreeString	0x40a128
SysAllocString	0x40a12c
SysStringLen	0x40a130
LoadTypeLib	0x40a134

Function	Address	Souspicious	Anti Debug
__setusermatherr	0x40a1a8

Function	Address	Souspicious	Anti Debug
__stdio_common_vsprintf_s	0x40a20c
__p__commode	0x40a210
_set_fmode	0x40a214
__acrt_iob_func	0x40a218
__stdio_common_vfprintf	0x40a21c
__stdio_common_vfscanf	0x40a220

Function	Address	Souspicious	Anti Debug
RegEnumKeyExA	0x40a000
RegCreateKeyExA	0x40a004
RegQueryInfoKeyA	0x40a008
RegOpenKeyExA	0x40a00c
RegDeleteKeyA	0x40a010
RegCloseKey	0x40a014
RegSetValueExA	0x40a018

Function	Address	Souspicious	Anti Debug
MessageBoxA	0x40a144
CharNextW	0x40a148
CharNextA	0x40a14c
ShowWindow	0x40a150

Function	Address	Souspicious	Anti Debug
strcpy_s	0x40a228
wmemcpy_s	0x40a22c
wcsncpy_s	0x40a230
strcat_s	0x40a234
_wcsicmp	0x40a238

Function	Address	Souspicious	Anti Debug
StringFromCLSID	0x40a240
StringFromGUID2	0x40a244
CoCreateInstance	0x40a248
CoTaskMemFree	0x40a24c

PE Exports 4 suspicious

Function	Address
DllCanUnloadNow	0x402a00
DllGetClassObject	0x402a20
DllRegisterServer	0x402a40
DllUnregisterServer	0x402a90