TWO.file

First submission 2024-02-04 17:37:02

File details

File type: PE32 executable (console) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 1183.38 KB (1211781 bytes)
Compile time: 2017-04-03 00:14:17
MD5: 6942fdfdc1268cc9ba8ee3c02e9cc410
SHA1: 6630a275bf6279dc31ade342e9e4f79111a67489
SHA256: a10c0dcb551a87840d77902130f5e1991c2fbacce949a7ec376c7302c42cf09b
Import Hash : a602c5f081ba454f5c1df2cfd85b0b3a
Sections 5 .text .rdata .data .rsrc .reloc
Directories 5 import resource debug relocation security
Virus Total:

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://91.92.255.211/files/TWO.file 91.92.255.211 2024-02-04 17:37:02

PE Sections 0 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x23f31 147456 2d2ce1243623eb0ec35d093312bfdafbaec23709 8b38e5cf7484755c4bd7b6e1a27dd497
.rdata 0x25000 0x94ca 38400 7504b9e3a19f72152a4f29a30c9686dbe1677aa6 174ecb2e399cd1299a6915fe91292b66
.data 0x2f000 0x5cf4 4096 75209b18fee0750951e7a69f2fa4d1335ac8560c 9694db7d273005cb3d60d8f42d870521
.rsrc 0x35000 0x5219 21504 f9418bbc9a9e5ebe45ec80fa83b2f51c6dba9845 8fdd7c0db714c9aba9a5cffd922fc173
.reloc 0x3b000 0x2208 9216 993201a13060a38a74848c81002dd55d8014d65e 27cf1c4224c42f28163c2e01e05a6ad5

PE Resources 5

Name Language Sublanguage Offset Size Data
RT_ICON LANG_NEUTRAL SUBLANG_NEUTRAL 0x37008 4392
RT_STRING LANG_SPANISH SUBLANG_NEUTRAL 0x39ab8 192
RT_GROUP_ICON LANG_NEUTRAL SUBLANG_NEUTRAL 0x39b78 34
RT_VERSION LANG_NEUTRAL SUBLANG_NEUTRAL 0x39b9c 884
RT_MANIFEST LANG_NEUTRAL SUBLANG_NEUTRAL 0x39f10 777

Meta infos 9

LegalCopyright: Copyright © VideoCraft Studios Inc. 2016
InternalName: PixelFlow
FileVersion: 5.56.5.643470
CompanyName: PixelFlow
ProductVersion: 5.56.5.643470
FileDescription: Smooth and intuitive video editing and production
Translation: 0x0000 0x04b0
Comments: Smooth and intuitive video editing and production
ProductName: PixelFlow

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Anti debug functions 6

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

Bochs & QEmu CPUID Trick

File signature

MD5 SHA1 Block size Virtual Address
fdee96b9e430cbb3a11b08ded00cfdfe ee3997cd4de85b7bb0696ce06d78a645d72a9443 10408 1201373

Strings analysis - File found

Library
mscoree.dll
KERNEL32.dll
epokliu.dll
OLEAUT32.dll
SHELL32.dll
COMCTL32.dll
ole32.dll
USER32.dll
GDI32.dll

Strings analysis - Possible URLs found 17


Import functions

Name Latest seen MD5
variousstored.exe 2024-01-18 06:52:02 def8000d24255c6308da5c9be0906455