Wuff_Wuffer.exe?ex=670debbd&is=670c9a3d&hm=6f7f5f6673363b2bca01b322f41d161a019ec017f5debcd1a3f45b2ff7bd0be9&

First submission 2024-10-14 16:54:02

File details

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	16006.0 KB (16390144 bytes)
Compile time:	2024-09-03 04:05:30
MD5:	614edbe5e53c67f6b09edaa1ad35a169
SHA1:	5871a459ecbecf2bb6ee230351ded50f716571d5
SHA256:	f888b7ae01e536121eb963e88e59c9da704d647e782c8ba4445c34ad85fd81ec
Import Hash :	64ff6875483a2174cb92f524c73f2ce4
Sections 9	.text .rdata .data .pdata .lYf .L,! .%Q} .reloc .rsrc
Directories 4	import resource tls relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	45/77 VT report date: 2024-10-14 15:23:52
Malware Type 1	trojan
Threat Type 1	vmprotect

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXps://cdn.discordapp.com/attachments/1282372912279715891/1282373073219358800/Wuff_Wuffer.exe?ex=670debbd&is=670c9a3d&hm=6f7f5f6673363b2bca01b322f41d161a019ec017f5debcd1a3f45b2ff7bd0be9&	cdn.discordapp.com	2024-10-14 16:54:02

PE Sections 7 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0xbcedc	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.rdata	0xbe000	0x3fb94	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.data	0xfe000	0x1470f0	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.pdata	0x246000	0x74a0	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.lYf	0x24e000	0x8d62a0	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.L,!	0xb25000	0x13a0	5120	93e8a9825b61b83e2f63e350ef267209945448c5	bcb30fd05a4e124bcac01cf50cfb1770
.%Q}	0xb27000	0xf9fa74	16382976	d3767993cb252181c4f976c9d1af74ca2a3fd196	01669294ee83cfea455986af45742211
.reloc	0x1ac7000	0x128	512	3d455f3935bcaea10ef83bc59cdd5dd9f520c552	d51bba22618a3cf49ca00ed9ae9d8527
.rsrc	0x1ac8000	0x1d5	512	ee4e74ed73b788ea1e3b703ec27d71340eef04c1	153ea4c802dcf01fae65262b58f09754

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x1ac8058	381	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_MANIFEST

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x1ac8058

381

Strings analysis - File found

Library
ADVAPI32.dll
SHELL32.dll
VCRUNTIME140_1.dll
api-ms-win-crt-utility-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
KERNEL32.dll
d3d11.dll
api-ms-win-crt-filesystem-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
dwmapi.dll
WS2_32.dll
IMM32.dll
api-ms-win-crt-stdio-l1-1-0.dll
ole32.dll
soK[ntdll.dll
USER32.dll
api-ms-win-crt-convert-l1-1-0.dll
vcruntime140.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
D3DCompiler_43.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-time-l1-1-0.dll
normaliz.dll
WLDAP32.dll
Crypt32.dll
msvcp140.dll
\|Xd3dx11_43.dll

Import functions

MSVCP140.dll 1 CRYPT32.dll 1 KERNEL32.dll 8 dwmapi.dll 1 ntdll.dll 1 api-ms-win-crt-locale-l1-1-0.dll 1 api-ms-win-crt-filesystem-l1-1-0.dll 1 api-ms-win-crt-math-l1-1-0.dll 1 api-ms-win-crt-utility-l1-1-0.dll 1 VCRUNTIME140.dll 1 ole32.dll 1 USER32.dll 1 IMM32.dll 1 D3DCOMPILER_43.dll 1 api-ms-win-crt-string-l1-1-0.dll 1 VCRUNTIME140_1.dll 1 api-ms-win-crt-runtime-l1-1-0.dll 1 d3d11.dll 1 api-ms-win-crt-convert-l1-1-0.dll 1 SHELL32.dll 1 api-ms-win-crt-stdio-l1-1-0.dll 1 api-ms-win-crt-time-l1-1-0.dll 1 WLDAP32.dll 1 api-ms-win-crt-heap-l1-1-0.dll 1 d3dx11_43.dll 1 ADVAPI32.dll 1 WS2_32.dll 1 Normaliz.dll 1

Function	Address	Souspicious	Anti Debug
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ	0x140b25070

Function	Address	Souspicious	Anti Debug
CertCreateCertificateChainEngine	0x140b250e0

Function	Address	Souspicious	Anti Debug
LoadLibraryW	0x140b25020
GetSystemTimeAsFileTime	0x140b251c0
HeapAlloc	0x140b251d0
HeapFree	0x140b251d8
ExitProcess	0x140b251e0
LoadLibraryA	0x140b251e8
GetModuleHandleA	0x140b251f0
GetProcAddress	0x140b251f8

Function	Address	Souspicious	Anti Debug
DwmExtendFrameIntoClientArea	0x140b25090

Function	Address	Souspicious	Anti Debug
RtlCaptureContext	0x140b250a0

Function	Address	Souspicious	Anti Debug
localeconv	0x140b251a0

Function	Address	Souspicious	Anti Debug
_fstat64	0x140b25180

Function	Address	Souspicious	Anti Debug
cosf	0x140b251b0

Function	Address	Souspicious	Anti Debug
rand	0x140b25130

Function	Address	Souspicious	Anti Debug
__current_exception_context	0x140b25110

Function	Address	Souspicious	Anti Debug
StringFromGUID2	0x140b25060

Function	Address	Souspicious	Anti Debug
IsWindowUnicode	0x140b25030

Function	Address	Souspicious	Anti Debug
ImmReleaseContext	0x140b25080

Function	Address	Souspicious	Anti Debug
D3DCompile	0x140b25010

Function	Address	Souspicious	Anti Debug
_stricmp	0x140b25140

Function	Address	Souspicious	Anti Debug
__CxxFrameHandler4	0x140b25100

Function	Address	Souspicious	Anti Debug
_configure_narrow_argv	0x140b25160

Function	Address	Souspicious	Anti Debug
D3D11CreateDeviceAndSwapChain	0x140b25000

Function	Address	Souspicious	Anti Debug
strtod	0x140b25170

Function	Address	Souspicious	Anti Debug
ShellExecuteW	0x140b25050

Function	Address	Souspicious	Anti Debug
_open	0x140b25120

Function	Address	Souspicious	Anti Debug
wcsftime	0x140b25190

Function	Address	Souspicious	Anti Debug
None	0x140b250d0

Function	Address	Souspicious	Anti Debug
_callnewh	0x140b25150

Function	Address	Souspicious	Anti Debug
D3DX11CreateShaderResourceViewFromMemory	0x140b250b0

Function	Address	Souspicious	Anti Debug
CryptEncrypt	0x140b25040

Function	Address	Souspicious	Anti Debug
gethostname	0x140b250f0

Function	Address	Souspicious	Anti Debug
IdnToAscii	0x140b250c0