MeMpEng.exe

First submission 2024-08-30 10:21:03

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Mime type: application/x-dosexec
File size: 667.12 KB (683128 bytes)
Compile time: 2016-12-11 22:51:02
MD5: 6370785ab7838f283caeb2abf4a67d99
SHA1: 462f26fca7db24c67a71b99dc21aca90fde8bd6d
SHA256: d9b50e6caaea2686b421cc5380b6bb3c67515f222f377d2b093352abdfdba47a
Import hash (imphash): 4ea4df5d94204fc550be1874e1b77ea7
Sections (5): .text, .rdata, .data, .ndata, .rsrc
Data directories (3): import, resource, security

File features detected

Is DLL (inconsistent with the file type above, a PE32 GUI executable packaged as an NSIS installer; treat this flag as a scanner false positive unless the PE characteristics field confirms it)
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

VirusTotal: 38/78 detections (report date 2024-08-30 10:04:23)
Malware type (1): trojan
Threat tags (3): nsis, guloader, makoob

URLs, FQDN and IP indicators 1

URL (defanged) | Host (FQDN/IP) | Date added
hXXp://107.172.31.21/510/MeMpEng.exe | 107.172.31.21 | 2024-08-30 10:21:03

PE Sections (2 flagged suspicious; the per-row Suspicious values were not preserved in this listing)

Name | VAddress | VSize | Raw size | SHA1 | MD5
.text | 0x1000 | 0x655f | 26112 | 3584bd2a4345481da04f7901f06a053b00eb8d40 | a3c5dfe5dc0df29304c4d0e7774629da
.rdata | 0x8000 | 0x14b0 | 5632 | 95faddf166d781f400841de92ce382303c08f33c | 4bf0a5dece47a0bc27bdc628f545fdb8
.data | 0xa000 | 0x2b018 | 1536 | d3f421a33a724b533b81f8c000d77ea227258cd9 | 711ec617d4a15851196324b3f27f5ef6
.ndata | 0x36000 | 0x52000 | 0 | da39a3ee5e6b4b0d3255bfef95601890afd80709 | d41d8cd98f00b204e9800998ecf8427e
.rsrc | 0x88000 | 0xbd38 | 48640 | bb81d54116e21cc44df282c06e1e60c4518b750c | e8908cf4b9baa30fc1156d00d10f9641

Note: .ndata is the NSIS stub's uninitialized data section. A raw size of 0 is normal for it, and its SHA1/MD5 are simply the hashes of empty input (da39a3ee... and d41d8cd9...), so a "zero raw size" or "empty section" heuristic fires on every NSIS installer, not only on this one. The large gap between .data's virtual size (0x2b018) and its raw size (1536) is likewise uninitialized data rather than packed code. The five sections together account for 81920 bytes of the 683128-byte file; the rest is the NSIS archive appended after the sections plus the trailing signature block.

PE Resources 5

Name | Language | Sublanguage | Offset | Size
RT_ICON | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0x88238 | 45341
RT_DIALOG | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0x93778 | 96
RT_GROUP_ICON | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0x937d8 | 20
RT_VERSION | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0x937f0 | 696
RT_MANIFEST | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0x93aa8 | 656

Version info (6 fields)

LegalCopyright: brugerordbogens kasusendelse gourami
InternalName: eksposeets overklipning.exe
OriginalFilename: eksposeets overklipning.exe
CompanyName: tetrasporic coregent
Translation: 0x0409 0x04e4 (language en-US, code page 1252)
Comments: bramfriest balfaldaraet hypercatharsis

The version strings are kept verbatim as indicators; they are not meaningful phrases. Note that InternalName and OriginalFilename (eksposeets overklipning.exe) do not match the name the sample was submitted under (MeMpEng.exe).

Anti-debug functions (2, heuristic)

FindWindowExW
GetLastError

Caveat: both imports are part of the generic NSIS stub and are used for ordinary window and error handling. GetLastError in particular is imported by almost every Windows binary and is not evidence of anti-debugging on its own; the "Anti Debug" feature flag above rests on these two names and should not be weighted heavily.

File signature (security directory)

MD5 | SHA1 | Block size | File offset
85cac82138e1d9a1f2d104ddf2662478 | 89c13e6b1e5d0fa0854b61f6f2db7d9c58c2f006 | 4824 | 678304

The column labelled "Virtual Address" in the raw tool output is really a file offset: the security data directory entry is the one PE directory whose address is a raw file offset rather than an RVA. Consistency check: 678304 + 4824 = 683128, exactly the file size, so the signature block is the last thing in the file and nothing has been appended after it. The MD5/SHA1 here are hashes of the signature block itself; whether the certificate chain validates, and for which subject, is not recorded on this page.
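The section-table and signature-block checks described above, carried out in code. This is an added example, not output of the tool that produced this report: the section rows, file size and security-directory values are copied from this page as constructed input, and the section alignment of 0x1000 is an assumption (the usual value for 32-bit PE files) that a real parser would read from the optional header.

```python
"""Sanity checks over a PE section table and security directory as listed
in a triage report (added example; input values copied from the report)."""
import hashlib

# Constructed input: the rows of the report's PE Sections table as
# (name, virtual address, virtual size, raw size, sha1, md5).
SECTIONS = [
    (".text",  0x1000,  0x655f,  26112,
     "3584bd2a4345481da04f7901f06a053b00eb8d40", "a3c5dfe5dc0df29304c4d0e7774629da"),
    (".rdata", 0x8000,  0x14b0,   5632,
     "95faddf166d781f400841de92ce382303c08f33c", "4bf0a5dece47a0bc27bdc628f545fdb8"),
    (".data",  0xa000,  0x2b018,  1536,
     "d3f421a33a724b533b81f8c000d77ea227258cd9", "711ec617d4a15851196324b3f27f5ef6"),
    (".ndata", 0x36000, 0x52000,     0,
     "da39a3ee5e6b4b0d3255bfef95601890afd80709", "d41d8cd98f00b204e9800998ecf8427e"),
    (".rsrc",  0x88000, 0xbd38,  48640,
     "bb81d54116e21cc44df282c06e1e60c4518b750c", "e8908cf4b9baa30fc1156d00d10f9641"),
]
FILE_SIZE = 683128              # "File size" from the report
SECURITY_DIR = (678304, 4824)   # (file offset, size) from "File signature"
SECTION_ALIGNMENT = 0x1000      # assumption: not stated on the page


def align_up(value, alignment):
    """Round value up to the next multiple of alignment."""
    return (value + alignment - 1) // alignment * alignment


def check_layout(sections, file_size, security_dir, alignment=SECTION_ALIGNMENT):
    """Return a dict of findings about the section table and signature block.

    contiguous        - each section starts where the previous one ends
                        (after rounding its virtual size up to alignment)
    zero_raw          - sections with no bytes on disk (.ndata for NSIS)
    empty_hash_ok     - zero-raw sections really carry empty-input hashes
    mostly_virtual    - sections whose VSize exceeds 4x the raw size
    section_bytes     - total raw bytes covered by the section table
    signature_at_eof  - security directory ends exactly at end of file
    non_section_bytes - bytes that are neither section data nor signature
                        (PE headers plus the appended NSIS archive)
    """
    empty_sha1 = hashlib.sha1(b"").hexdigest()
    empty_md5 = hashlib.md5(b"").hexdigest()
    result = {
        "contiguous": True,
        "zero_raw": [],
        "empty_hash_ok": True,
        "mostly_virtual": [],
        "section_bytes": 0,
    }
    expected_next = None
    for name, vaddr, vsize, raw, sha1, md5 in sections:
        if expected_next is not None and vaddr != expected_next:
            result["contiguous"] = False
        expected_next = vaddr + align_up(vsize, alignment)
        result["section_bytes"] += raw
        if raw == 0:
            result["zero_raw"].append(name)
            if (sha1, md5) != (empty_sha1, empty_md5):
                # A zero-length section with a non-empty hash means the
                # report's hashes were not computed over the raw bytes.
                result["empty_hash_ok"] = False
        elif vsize > 4 * raw:
            result["mostly_virtual"].append(name)

    sec_off, sec_size = security_dir
    result["signature_at_eof"] = (sec_off + sec_size == file_size)
    result["non_section_bytes"] = file_size - result["section_bytes"] - sec_size
    return result


if __name__ == "__main__":
    for key, value in check_layout(SECTIONS, FILE_SIZE, SECURITY_DIR).items():
        print(f"{key:18} {value}")
```

On this sample the checks show a contiguous, ordinary NSIS section layout, .ndata as the only zero-raw section with matching empty-input hashes, .data as the only section that is mostly uninitialized, and the signature block ending precisely at end of file. The same function applied to a report whose signature offset plus size falls short of the file size would flag trailing data appended after the Authenticode block, which is a common way to tamper with a signed installer without breaking its signature check on the original bytes.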

Strings analysis: library names found

%s%s.dll (a format string, not a fixed library name; the loader fills in the path and name at run time)
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
ole32.dll
KERNEL32.dll
USER32.dll
GDI32.dll

Strings analysis: possible URLs found (1)

http://nsis.sf.net/NSIS_Error (the standard error-dialog URL embedded in every NSIS installer stub; not an indicator of compromise)

Related files

This table lists sample file names with last-seen dates and MD5s, not imported API functions; the imported libraries are listed under the strings analysis above. The original heading "Import functions" was a mislabel in the tool output.

Name | Latest seen | MD5
scrss.exe | 2022-09-07 01:20:04 | cc47e259131a9f9956511092be4c1d19
mickeizx.exe | 2022-10-21 04:12:02 | 9bc9a8feedb237e1324101d40d435c82
OneDrive.exe | 2022-11-04 13:22:07 | 9ee74f4eac47c1a3a63303086e07a24f
VBC.exe | 2022-11-29 08:53:02 | 7081c4822cf1c7572dd82822b8f27c49