taskhostsw.exe

First submission 2024-10-17 01:25:02

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Mime type:	application/x-dosexec
File size:	643.02 KB (658448 bytes)
Compile time:	2024-03-30 17:55:21
MD5:	5f0d270fd5e773cd03b98c72112e5426
SHA1:	62fdb5555dd2df30884918dfb02314f3ee59572e
SHA256:	6f7297c7c71d0153376186340f768677b6a91d39e0c3834d9bdb506c9b954aae
Import Hash :	671f2a1f8aee14d336bab98fea93d734
Sections 5	.text .rdata .data .ndata .rsrc
Directories 3	import resource security

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	12/77 VT report date: 2024-10-16 17:14:46

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://192.3.101.145/240/taskhostsw.exe	192.3.101.145	2024-10-17 01:25:02

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x660c	26624	1745768b9da2f6050229e67ef05016dc68ba6d93	3b90adcd2f1248db844446cb2ef15486
.rdata	0x8000	0x1340	5120	13f6167860cfbcc7990a21a83a3bde4373dfefcc	b3bd9ad1bd1020c5cf4d51a4d7b61e07
.data	0xa000	0x25138	1536	72c5291f3d3d9e7bd2d564664152279a2370fd74	c4e774255fea540ed5efa114edfa6420
.ndata	0x30000	0xf000	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.rsrc	0x3f000	0x65b0	26112	96afe6b710cb7c9857a877e99e6587b58e2e8612	fcc4cfc3e98fe6ef679138c9e3f42e29

PE Resources 5

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x3f208	23440
RT_DIALOG	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x45080	96
RT_GROUP_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x450e0	20
RT_VERSION	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x450f8	376
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x45270	830	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.10</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>

Meta infos 4

Translation:	0x0409 0x04b0
ProductName:	Aetna Inc.
ProductVersion:	3.3.0.0
FileVersion:	3.3.0.0

Anti debug functions 2

FindWindowExA
GetLastError

File signature

MD5	SHA1	Block size	Virtual Address
713951a8196f64f80583d16092cb4446	d6131b8c707906e483e0f628456dc0418269b99b	2328	656120

Strings analysis - File found

Temporary
~nsu%X.tmp
Library
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
%s%s.dll
ole32.dll
GDI32.dll
USER32.dll
KERNEL32.dll

Strings analysis - Possible URLs found 1

http://nsis.sf.net/NSIS_Error

Import functions

GDI32.dll 8 SHELL32.dll 5 KERNEL32.dll 62 ADVAPI32.dll 12 ole32.dll 5 USER32.dll 62 COMCTL32.dll 4

Function	Address	Souspicious	Anti Debug
GetDeviceCaps	0x408048
SetBkColor	0x40804c
SelectObject	0x408050
DeleteObject	0x408054
CreateBrushIndirect	0x408058
CreateFontIndirectA	0x40805c
SetBkMode	0x408060
SetTextColor	0x408064

Function	Address	Souspicious	Anti Debug
SHGetPathFromIDListA	0x408168
SHBrowseForFolderA	0x40816c
SHGetFileInfoA	0x408170
SHFileOperationA	0x408174
ShellExecuteExA	0x408178

Function	Address	Souspicious	Anti Debug
CreateFileA	0x40806c
GetTempFileNameA	0x408070
ReadFile	0x408074
RemoveDirectoryA	0x408078
CreateProcessA	0x40807c
CreateDirectoryA	0x408080
GetLastError	0x408084
CreateThread	0x408088
GlobalLock	0x40808c
GlobalUnlock	0x408090
GetDiskFreeSpaceA	0x408094
lstrcpynA	0x408098
SetErrorMode	0x40809c
GetVersionExA	0x4080a0
lstrlenA	0x4080a4
GetCommandLineA	0x4080a8
GetTempPathA	0x4080ac
GetWindowsDirectoryA	0x4080b0
WriteFile	0x4080b4
ExitProcess	0x4080b8
CopyFileA	0x4080bc
GetCurrentProcess	0x4080c0
GetModuleFileNameA	0x4080c4
GetFileSize	0x4080c8
GetTickCount	0x4080cc
Sleep	0x4080d0
SetFileAttributesA	0x4080d4
GetFileAttributesA	0x4080d8
SetCurrentDirectoryA	0x4080dc
MoveFileA	0x4080e0
GetFullPathNameA	0x4080e4
GetShortPathNameA	0x4080e8
SearchPathA	0x4080ec
CompareFileTime	0x4080f0
SetFileTime	0x4080f4
CloseHandle	0x4080f8
lstrcmpiA	0x4080fc
lstrcmpA	0x408100
ExpandEnvironmentStringsA	0x408104
GlobalFree	0x408108
GlobalAlloc	0x40810c
GetModuleHandleA	0x408110
LoadLibraryExA	0x408114
FreeLibrary	0x408118
MultiByteToWideChar	0x40811c
WritePrivateProfileStringA	0x408120
GetPrivateProfileStringA	0x408124
SetFilePointer	0x408128
FindClose	0x40812c
FindNextFileA	0x408130
FindFirstFileA	0x408134
DeleteFileA	0x408138
MulDiv	0x40813c
lstrcpyA	0x408140
MoveFileExA	0x408144
lstrcatA	0x408148
WideCharToMultiByte	0x40814c
GetSystemDirectoryA	0x408150
GetProcAddress	0x408154
GetExitCodeProcess	0x408158
WaitForSingleObject	0x40815c
SetEnvironmentVariableA	0x408160

Function	Address	Souspicious	Anti Debug
RegEnumValueA	0x408000
RegEnumKeyA	0x408004
RegQueryValueExA	0x408008
RegSetValueExA	0x40800c
RegCloseKey	0x408010
RegDeleteValueA	0x408014
RegDeleteKeyA	0x408018
AdjustTokenPrivileges	0x40801c
LookupPrivilegeValueA	0x408020
OpenProcessToken	0x408024
RegOpenKeyExA	0x408028
RegCreateKeyExA	0x40802c

Function	Address	Souspicious	Anti Debug
OleUninitialize	0x40827c
OleInitialize	0x408280
IIDFromString	0x408284
CoCreateInstance	0x408288
CoTaskMemFree	0x40828c

Function	Address	Souspicious	Anti Debug
SetDlgItemTextA	0x408180
GetSystemMetrics	0x408184
CreatePopupMenu	0x408188
AppendMenuA	0x40818c
OpenClipboard	0x408190
EmptyClipboard	0x408194
SetClipboardData	0x408198
CloseClipboard	0x40819c
IsWindowVisible	0x4081a0
CallWindowProcA	0x4081a4
GetMessagePos	0x4081a8
CheckDlgButton	0x4081ac
LoadCursorA	0x4081b0
SetCursor	0x4081b4
GetSysColor	0x4081b8
SetWindowPos	0x4081bc
GetWindowLongA	0x4081c0
IsWindowEnabled	0x4081c4
SetClassLongA	0x4081c8
GetSystemMenu	0x4081cc
EnableMenuItem	0x4081d0
GetWindowRect	0x4081d4
ScreenToClient	0x4081d8
EndDialog	0x4081dc
RegisterClassA	0x4081e0
SystemParametersInfoA	0x4081e4
CreateWindowExA	0x4081e8
GetDlgItemTextA	0x4081ec
DialogBoxParamA	0x4081f0
CharNextA	0x4081f4
ExitWindowsEx	0x4081f8
DestroyWindow	0x4081fc
CreateDialogParamA	0x408200
SetTimer	0x408204
SetWindowTextA	0x408208
PostQuitMessage	0x40820c
SetForegroundWindow	0x408210
ShowWindow	0x408214
wsprintfA	0x408218
SendMessageTimeoutA	0x40821c
FindWindowExA	0x408220
IsWindow	0x408224
GetDlgItem	0x408228
SetWindowLongA	0x40822c
LoadImageA	0x408230
GetDC	0x408234
ReleaseDC	0x408238
EnableWindow	0x40823c
InvalidateRect	0x408240
SendMessageA	0x408244
DefWindowProcA	0x408248
BeginPaint	0x40824c
GetClientRect	0x408250
FillRect	0x408254
DrawTextA	0x408258
EndPaint	0x40825c
MessageBoxIndirectA	0x408260
CharPrevA	0x408264
PeekMessageA	0x408268
GetClassInfoA	0x40826c
DispatchMessageA	0x408270
TrackPopupMenu	0x408274

Function	Address	Souspicious	Anti Debug
ImageList_Destroy	0x408034
None	0x408038
ImageList_AddMasked	0x40803c
ImageList_Create	0x408040

Name	Latest seen	MD5
winiti.exe	2024-07-19 16:48:03	6298475c0e4860db7568c5b231e3cca9
66f4186b24569_sfx_123_500.exe	2024-09-25 16:33:02	9aca15a320ce8fe7eabb268f7116cbcc

taskhostsw.exe

File details

File features detected

OSINT Enrichments

URLs, FQDN and IP indicators 1

PE Sections 1 suspicious

PE Resources 5

Meta infos 4

Anti debug functions 2

File signature

Strings analysis - File found

Strings analysis - Possible URLs found 1

Import functions

Related files by ImpHash 2 671f2a1f8aee14d336bab98fea93d734