DEF.exe
First submission 2024-10-16 17:25:02
File details
| File type: | PE32 executable (GUI) Intel 80386, for MS Windows |
| Mime type: | application/x-dosexec |
| File size: | 482.5 KB (494080 bytes) |
| Compile time: | 2024-09-23 16:50:49 |
| MD5: | 6520492a4e7f9bc4dfb068de1c7b6450 |
| SHA1: | b5c2086a01528386482826ad243c2711e04200fb |
| SHA256: | 94465e214c05a6b477f6310957448e7d891ce37c960e36d246294eb6843081aa |
| Import Hash : | 1389569a3a39186f3eb453b501cfe688 |
| Sections 7 | .text��� .rdata�� .data��� .tls���� .gfids�� .rsrc��� .reloc�� |
| Directories 5 | import resource debug tls relocation |
File features detected
Anti VM
Signed
XOR
OSINT Enrichments
| Virus Total: | 63/77 VT report date: 2024-10-08 23:59:19 |
| Malware Type 1 | trojan |
| Threat Type 3 | remcos rescoms ratx |
URLs, FQDN and IP indicators 1
| URL | Host (FQDN/IP) | Date Added |
|---|---|---|
hXXp://185.215.113.117/inc/DEF.exe  |
185.215.113.117 |
2024-10-16 17:25:02 |
PE Sections 1 suspicious
| Name | VAddress | VSize | Size | SHA1 | MD5 | Suspicious |
|---|---|---|---|---|---|---|
| .text��� | 0x1000 | 0x571f5 | 356864 | b8109be2a3d377e1519682fb56271ce83e353672 | e504ab64b98631753dc227346d757c52 | |
| .rdata�� | 0x59000 | 0x179dc | 96768 | 18f811680a68eae34758f1c4f367034caa88b015 | 03563836e8ba6bd75dd82177f19b0089 | |
| .data��� | 0x71000 | 0x5d44 | 3584 | 103570606dd02891c9e9eefe13a78f9f278ed62a | 0eaccffe1cb836994ce5d3ccfb22d4f9 | |
| .tls���� | 0x77000 | 0x9 | 512 | aa0d33a0c854e073439067876e932688b65cb6a9 | 1f354d76203061bfdd5a53dae48d5435 | |
| .gfids�� | 0x78000 | 0x230 | 1024 | 952fddad66c89d579a212f0085fe4f3cab981241 | 9ca325bce9f8c0342c0381814603584a | |
| .rsrc��� | 0x79000 | 0x48d0 | 18944 | d743d413861a0ca5e24d0616fbe1258782b5c936 | d45628eabe99b7463c56c59b37318cd8 | |
| .reloc�� | 0x7e000 | 0x3bc8 | 15360 | 88230e6c07e690d9099ab957525711c4869053ed | 047d13d1dd0f82094cdf10f08253441e |
PE Resources 3
| Name | Language | Sublanguage | Offset | Size | Data |
|---|---|---|---|---|---|
| RT_ICON | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0x7b024 | 9640 | |
| RT_RCDATA | LANG_NEUTRAL | SUBLANG_NEUTRAL | 0x7d5cc | 706 | |
| RT_GROUP_ICON | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0x7d890 | 62 |
Packers detected 2
| Microsoft Visual C++ 8 |
| VC8 -> Microsoft Corporation |
Anti debug functions 9
| GetLastError |
| GetWindowThreadProcessId |
| IsDebuggerPresent |
| IsProcessorFeaturePresent |
| Process32FirstW |
| Process32NextW |
| RaiseException |
| TerminateProcess |
| UnhandledExceptionFilter |
Strings analysis - File found
| Database |
| \key3.db |
| Text |
| \sysinfo.txt |
| license_code.txt |
| Library |
| mscoree.dll |
| ntdll.dll |
| KERNEL32.dll |
| SHLWAPI.dll |
| WINMM.dll |
| WS2_32.dll |
| ADVAPI32.dll |
| USER32.dll |
| WININET.dll |
| Powrprof.dll |
| gdiplus.dll |
| SHELL32.dll |
| urlmon.dll |
| ole32.dll |
| GDI32.dll |
Strings analysis - Possible URLs found 1
| http://geoplugin.net/json.gp |
Import functions
| Name | Latest seen | MD5 |
|---|---|---|
| jhg.exe | 2024-08-30 13:58:02 | b21e324a39b4279504b10fee217239d3 |
| Subsys32.exe | 2024-09-25 16:11:02 | 4c128449b1492fc2ff49c431044d4b10 |
| file.exe | 2024-10-16 17:26:02 | 13095aaded59fb08db07ecf6bc2387ef |