wget.exe

First submission 2024-10-14 23:40:03

File details

File type:	PE32+ executable (console) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	4812.61 KB (4928112 bytes)
Compile time:	1970-01-01 01:00:00
MD5:	695378debce1b312f353f84c11cb4629
SHA1:	d0c48530c7cf2141cf3aff229a337d69769efa7e
SHA256:	f595e2e53680ba2937ac48708bc24e6fb5ff6b6fb97d60eb5040bf073ad933bf
Import Hash :	552b863bc83609be81292a8eaceb466d
Sections 12	.text .data .rdata .pdata .xdata .bss .idata .CRT .tls .rsrc .reloc /4
Directories 5	import resource tls relocation security

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	0/76 VT report date: 2024-10-14 13:23:29

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://193.70.43.137/mvt/wget.exe	193.70.43.137	2024-10-14 23:40:03

PE Sections 3 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x3226d0	3287040	daf91fd9933f029be6120aa2475042b83e28bcb4	07ac3d2b3fa530b55469affba3dc4400
.data	0x324000	0xcd80	52736	815cf36d2cf7df02b43325ea3951ca8528971b60	9ffae80f1b211c0af502b184d1a8416b
.rdata	0x331000	0x137390	1274880	7b68aba720c1e655c552192c9e57d35755c749d7	db8e5a0dfa3d44c1b3014cf59019a14d
.pdata	0x469000	0x1effc	126976	739e89143165ba810605245949e1b2b4a667a2ae	a64d7b7f2c375cf01f993789d6201b66
.xdata	0x488000	0x1ad04	110080	03ac678eefe00f3ec74085bb677ef66fbb2b1370	938c4aa7bd03f0fff5d207b3a8e81381
.bss	0x4a3000	0x14620	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.idata	0x4b8000	0x3b48	15360	6d78077640a32f3e1b0bfb5198dda683ed75ea24	f96007ecf1a54a4c4ba45c18c9137eca
.CRT	0x4bc000	0x68	512	ff5215a75ffa503bf209baea26a913cfad98d792	bb168f7c483a7d2e679e216b162118e1
.tls	0x4bd000	0x10	512	5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5	bf619eac0cdf3f68d496ea9344137e8b
.rsrc	0x4be000	0x4e8	1536	0567ded701dc25bee91840affccf907896af7266	8b58e69a70f7082f3056d2a0b64145fe
.reloc	0x4bf000	0x769c	30720	13eda6ff1ffdc84d70a2ef0e00d057bde5040bd8	d335c11507d6eb0d434d41a16754abed
/4	0x4c7000	0x14	512	fa278fac617b1c5e27d946b39f208819d480c378	d05322128fee195e6f283dbe26cc3010

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_MANIFEST	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x4be058	1167	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!--The ID below indicates application support for Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!--The ID below indicates application support for Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!--The ID below indicates application support for Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!--The ID below indicates application support for Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!--The ID below indicates application support for Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_MANIFEST

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x4be058

1167

Packers detected 1

Microsoft Visual C++ 8.0 (DLL)

Anti debug functions 5

GetLastError
IsDebuggerPresent
OutputDebugStringA
RaiseException
TerminateProcess

Anti debug functions 1

Bochs & QEmu CPUID Trick

File signature

MD5	SHA1	Block size	Virtual Address
c44558cf5ef01a117734d975996995e9	50ed97e5f79be554a34d74abc751d816dbc829ee	9992	4918120

Strings analysis - File found

Log
metadata://gnu.org/software/wget/warc/wget.log
Temporary
%s.tmp
Data
../../list/public_suffix_list.dat
Text
metadata://gnu.org/software/wget/warc/MANIFEST.txt
metadata://gnu.org/software/wget/warc/wget_arguments.txt
/robots.txt
Library
IPHLPAPI.DLL
ADVAPI32.dll
MSVCRT.dll
2ADVAPI32.DLL
KERNEL32.dll
SHELL32.dll
USER32.dll
bcrypt.dll
WS2_32.dll
Crypt32.dll
rpcrt4.dll
mlang.dll
ole32.dll
%s.dll
ntdll.dll

Strings analysis - Possible IPs found 1

127.0.0.1

Strings analysis - Possible URLs found 29

ftp://%s
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
https://sectigo.com/CPS0D
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
http://www.metalinker.org/
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
https://gnu.org/licenses/
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
ftp://%s%s:%d
http://
http://crl.comodoca.com/AAACertificateServices.crl04
http://www.gnu.org/licenses/gpl.html
http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%
http://www.w3.org/XML/1998/namespace
http://ocsp.comodoca.com0
https://sectigo.com/CPS0
ftps://
file://
http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v
http://www.w3.org/2000/xmlns/
http://ocsp.usertrust.com0
ftp://
http://%s
http://ocsp.sectigo.com0
http://netpreserve.org/warc/1.0/revisit/identical-payload-digest
https://gnu.org/licenses/gpl.html
https://savannah.gnu.org/bugs/?func=additem&group=wget.
http://bibnum.bnf.fr/WARC/WARC_ISO_28500_version1_latestdraft.pdf
https://

Import functions

bcrypt.dll 1 IPHLPAPI.DLL 3 CRYPT32.dll 7 SHELL32.dll 1 KERNEL32.dll 151 msvcrt.dll 180 ADVAPI32.dll 22 ole32.dll 3 WS2_32.dll 40 USER32.dll 8

Function	Address	Souspicious	Anti Debug
BCryptGenRandom	0x1404b8ee4

Function	Address	Souspicious	Anti Debug
FreeMibTable	0x1404b8f34
GetUnicastIpAddressTable	0x1404b8f3c
if_indextoname	0x1404b8f44

Function	Address	Souspicious	Anti Debug
CertCloseStore	0x1404b8ef4
CertDuplicateCertificateContext	0x1404b8efc
CertEnumCertificatesInStore	0x1404b8f04
CertFindCertificateInStore	0x1404b8f0c
CertFreeCertificateContext	0x1404b8f14
CertGetCertificateContextProperty	0x1404b8f1c
CertOpenStore	0x1404b8f24

Function	Address	Souspicious	Anti Debug
SHGetSpecialFolderPathW	0x1404b99dc

Function	Address	Souspicious	Anti Debug
AddVectoredExceptionHandler	0x1404b8f54
CloseHandle	0x1404b8f5c
ConvertFiberToThread	0x1404b8f64
ConvertThreadToFiber	0x1404b8f6c
CreateDirectoryA	0x1404b8f74
CreateDirectoryW	0x1404b8f7c
CreateEventA	0x1404b8f84
CreateFiber	0x1404b8f8c
CreateFileA	0x1404b8f94
CreateFileMappingA	0x1404b8f9c
CreateFileW	0x1404b8fa4
CreateHardLinkA	0x1404b8fac
CreatePipe	0x1404b8fb4
CreateProcessA	0x1404b8fbc
CreateProcessW	0x1404b8fc4
CreateSemaphoreA	0x1404b8fcc
CreateThread	0x1404b8fd4
DeleteCriticalSection	0x1404b8fdc
DeleteFiber	0x1404b8fe4
DeleteFileA	0x1404b8fec
DeleteFileW	0x1404b8ff4
DuplicateHandle	0x1404b8ffc
EnterCriticalSection	0x1404b9004
ExpandEnvironmentStringsA	0x1404b900c
FileTimeToSystemTime	0x1404b9014
FindClose	0x1404b901c
FindFirstFileA	0x1404b9024
FindFirstFileW	0x1404b902c
FindFirstVolumeW	0x1404b9034
FindNextFileW	0x1404b903c
FindNextVolumeW	0x1404b9044
FindVolumeClose	0x1404b904c
FormatMessageA	0x1404b9054
FormatMessageW	0x1404b905c
FreeLibrary	0x1404b9064
GetACP	0x1404b906c
GetCPInfo	0x1404b9074
GetCommandLineA	0x1404b907c
GetConsoleMode	0x1404b9084
GetConsoleOutputCP	0x1404b908c
GetConsoleScreenBufferInfo	0x1404b9094
GetConsoleWindow	0x1404b909c
GetCurrentDirectoryW	0x1404b90a4
GetCurrentProcess	0x1404b90ac
GetCurrentProcessId	0x1404b90b4
GetCurrentThread	0x1404b90bc
GetCurrentThreadId	0x1404b90c4
GetDiskFreeSpaceExW	0x1404b90cc
GetEnvironmentVariableA	0x1404b90d4
GetEnvironmentVariableW	0x1404b90dc
GetExitCodeProcess	0x1404b90e4
GetFileAttributesA	0x1404b90ec
GetFileInformationByHandle	0x1404b90f4
GetFileSize	0x1404b90fc
GetFileSizeEx	0x1404b9104
GetFileType	0x1404b910c
GetHandleInformation	0x1404b9114
GetLastError	0x1404b911c
GetModuleFileNameA	0x1404b9124
GetModuleFileNameW	0x1404b912c
GetModuleHandleA	0x1404b9134
GetModuleHandleExW	0x1404b913c
GetModuleHandleW	0x1404b9144
GetNamedPipeInfo	0x1404b914c
GetNumberOfConsoleInputEvents	0x1404b9154
GetPriorityClass	0x1404b915c
GetProcAddress	0x1404b9164
GetProcessAffinityMask	0x1404b916c
GetProcessTimes	0x1404b9174
GetStartupInfoA	0x1404b917c
GetStdHandle	0x1404b9184
GetSystemTime	0x1404b918c
GetSystemTimeAdjustment	0x1404b9194
GetSystemTimeAsFileTime	0x1404b919c
GetTempPathA	0x1404b91a4
GetThreadContext	0x1404b91ac
GetThreadLocale	0x1404b91b4
GetThreadPriority	0x1404b91bc
GetThreadTimes	0x1404b91c4
GetTickCount	0x1404b91cc
GetTickCount64	0x1404b91d4
GetVersion	0x1404b91dc
GetVersionExA	0x1404b91e4
GetVolumeInformationW	0x1404b91ec
GetWindowsDirectoryA	0x1404b91f4
InitializeCriticalSection	0x1404b91fc
InitializeCriticalSectionAndSpinCount	0x1404b9204
IsDBCSLeadByteEx	0x1404b920c
IsDebuggerPresent	0x1404b9214
IsValidCodePage	0x1404b921c
LeaveCriticalSection	0x1404b9224
LoadLibraryA	0x1404b922c
LoadLibraryW	0x1404b9234
LocalAlloc	0x1404b923c
LocalFree	0x1404b9244
LockFileEx	0x1404b924c
MapViewOfFile	0x1404b9254
MoveFileExA	0x1404b925c
MultiByteToWideChar	0x1404b9264
OpenFileMappingA	0x1404b926c
OpenProcess	0x1404b9274
OutputDebugStringA	0x1404b927c
PeekConsoleInputA	0x1404b9284
PeekNamedPipe	0x1404b928c
QueryPerformanceCounter	0x1404b9294
QueryPerformanceFrequency	0x1404b929c
RaiseException	0x1404b92a4
ReadConsoleA	0x1404b92ac
ReadConsoleW	0x1404b92b4
ReadFile	0x1404b92bc
ReleaseSemaphore	0x1404b92c4
RemoveVectoredExceptionHandler	0x1404b92cc
ResetEvent	0x1404b92d4
ResumeThread	0x1404b92dc
RtlVirtualUnwind	0x1404b92e4
SetConsoleCtrlHandler	0x1404b92ec
SetConsoleMode	0x1404b92f4
SetConsoleTitleA	0x1404b92fc
SetCurrentDirectoryW	0x1404b9304
SetEndOfFile	0x1404b930c
SetEnvironmentVariableA	0x1404b9314
SetEvent	0x1404b931c
SetFilePointer	0x1404b9324
SetFilePointerEx	0x1404b932c
SetFileTime	0x1404b9334
SetLastError	0x1404b933c
SetProcessAffinityMask	0x1404b9344
SetSystemTime	0x1404b934c
SetThreadContext	0x1404b9354
SetThreadPriority	0x1404b935c
SetUnhandledExceptionFilter	0x1404b9364
Sleep	0x1404b936c
SleepEx	0x1404b9374
SuspendThread	0x1404b937c
SwitchToFiber	0x1404b9384
SystemTimeToFileTime	0x1404b938c
TerminateProcess	0x1404b9394
TerminateThread	0x1404b939c
TlsAlloc	0x1404b93a4
TlsFree	0x1404b93ac
TlsGetValue	0x1404b93b4
TlsSetValue	0x1404b93bc
TryEnterCriticalSection	0x1404b93c4
UnlockFile	0x1404b93cc
UnmapViewOfFile	0x1404b93d4
VirtualProtect	0x1404b93dc
VirtualQuery	0x1404b93e4
WaitForMultipleObjects	0x1404b93ec
WaitForSingleObject	0x1404b93f4
WideCharToMultiByte	0x1404b93fc
WriteFile	0x1404b9404

Function	Address	Souspicious	Anti Debug
__C_specific_handler	0x1404b9414
___lc_codepage_func	0x1404b941c
___mb_cur_max_func	0x1404b9424
__argv	0x1404b942c
__getmainargs	0x1404b9434
__initenv	0x1404b943c
__iob_func	0x1404b9444
__set_app_type	0x1404b944c
__setusermatherr	0x1404b9454
_access	0x1404b945c
_access	0x1404b9464
_acmdln	0x1404b946c
_amsg_exit	0x1404b9474
_assert	0x1404b947c
_beginthreadex	0x1404b9484
_cexit	0x1404b948c
_chdir	0x1404b9494
_chmod	0x1404b949c
_close	0x1404b94a4
_close	0x1404b94ac
_commode	0x1404b94b4
_dup	0x1404b94bc
_dup	0x1404b94c4
_dup2	0x1404b94cc
_endthreadex	0x1404b94d4
_environ	0x1404b94dc
_errno	0x1404b94e4
_exit	0x1404b94ec
_fdopen	0x1404b94f4
_filelengthi64	0x1404b94fc
_fileno	0x1404b9504
_findclose	0x1404b950c
_fileno	0x1404b9514
_findfirst64	0x1404b951c
_findnext64	0x1404b9524
_fmode	0x1404b952c
_fstat64	0x1404b9534
_fullpath	0x1404b953c
_get_osfhandle	0x1404b9544
_getch	0x1404b954c
_getcwd	0x1404b9554
_getmaxstdio	0x1404b955c
_getmbcp	0x1404b9564
_getpid	0x1404b956c
_getpid	0x1404b9574
_gmtime64	0x1404b957c
_initterm	0x1404b9584
_isatty	0x1404b958c
_isatty	0x1404b9594
_isctype	0x1404b959c
_localtime64	0x1404b95a4
_lock	0x1404b95ac
_lseek	0x1404b95b4
_lseeki64	0x1404b95bc
_mkdir	0x1404b95c4
_mkgmtime64	0x1404b95cc
_onexit	0x1404b95d4
_open	0x1404b95dc
_open	0x1404b95e4
_open_osfhandle	0x1404b95ec
_pipe	0x1404b95f4
_putenv	0x1404b95fc
_putenv	0x1404b9604
_read	0x1404b960c
_read	0x1404b9614
_rmdir	0x1404b961c
_setjmp	0x1404b9624
_setmaxstdio	0x1404b962c
_setmode	0x1404b9634
_setmode	0x1404b963c
_stat64	0x1404b9644
_stricmp	0x1404b964c
_stricmp	0x1404b9654
_strdup	0x1404b965c
_strdup	0x1404b9664
_strnicmp	0x1404b966c
_strnicmp	0x1404b9674
_sys_errlist	0x1404b967c
_sys_nerr	0x1404b9684
_telli64	0x1404b968c
_time64	0x1404b9694
_ultoa	0x1404b969c
_unlink	0x1404b96a4
_unlock	0x1404b96ac
_vsnprintf	0x1404b96b4
_vsnwprintf	0x1404b96bc
_waccess	0x1404b96c4
_wfopen	0x1404b96cc
_wopen	0x1404b96d4
_write	0x1404b96dc
abort	0x1404b96e4
atoi	0x1404b96ec
bsearch	0x1404b96f4
calloc	0x1404b96fc
clearerr	0x1404b9704
clock	0x1404b970c
exit	0x1404b9714
fclose	0x1404b971c
feof	0x1404b9724
ferror	0x1404b972c
fflush	0x1404b9734
fgetc	0x1404b973c
fgetpos	0x1404b9744
fgets	0x1404b974c
fopen	0x1404b9754
fprintf	0x1404b975c
fputc	0x1404b9764
fputs	0x1404b976c
fread	0x1404b9774
free	0x1404b977c
fseek	0x1404b9784
fsetpos	0x1404b978c
ftell	0x1404b9794
fwrite	0x1404b979c
getc	0x1404b97a4
getenv	0x1404b97ac
isalnum	0x1404b97b4
isalpha	0x1404b97bc
iscntrl	0x1404b97c4
isgraph	0x1404b97cc
islower	0x1404b97d4
isprint	0x1404b97dc
ispunct	0x1404b97e4
isspace	0x1404b97ec
isupper	0x1404b97f4
iswctype	0x1404b97fc
isxdigit	0x1404b9804
_write	0x1404b980c
localeconv	0x1404b9814
longjmp	0x1404b981c
malloc	0x1404b9824
memchr	0x1404b982c
memcmp	0x1404b9834
memcpy	0x1404b983c
memmove	0x1404b9844
memset	0x1404b984c
perror	0x1404b9854
printf	0x1404b985c
puts	0x1404b9864
qsort	0x1404b986c
raise	0x1404b9874
realloc	0x1404b987c
rand	0x1404b9884
rewind	0x1404b988c
setbuf	0x1404b9894
setlocale	0x1404b989c
setvbuf	0x1404b98a4
signal	0x1404b98ac
srand	0x1404b98b4
strcat	0x1404b98bc
strchr	0x1404b98c4
strcmp	0x1404b98cc
strcpy	0x1404b98d4
strcspn	0x1404b98dc
strerror	0x1404b98e4
strftime	0x1404b98ec
strlen	0x1404b98f4
strncat	0x1404b98fc
strncmp	0x1404b9904
strncpy	0x1404b990c
strpbrk	0x1404b9914
strrchr	0x1404b991c
strspn	0x1404b9924
strstr	0x1404b992c
strtok	0x1404b9934
strtol	0x1404b993c
strtoul	0x1404b9944
tmpfile	0x1404b994c
tolower	0x1404b9954
toupper	0x1404b995c
towlower	0x1404b9964
towupper	0x1404b996c
ungetc	0x1404b9974
vfprintf	0x1404b997c
wcscat	0x1404b9984
wcscmp	0x1404b998c
wcscpy	0x1404b9994
wcslen	0x1404b999c
wcsstr	0x1404b99a4
wcstombs	0x1404b99ac

Function	Address	Souspicious	Anti Debug
CryptAcquireContextA	0x1404b8e2c
CryptAcquireContextW	0x1404b8e34
CryptCreateHash	0x1404b8e3c
CryptDecrypt	0x1404b8e44
CryptDestroyHash	0x1404b8e4c
CryptDestroyKey	0x1404b8e54
CryptEnumProvidersW	0x1404b8e5c
CryptExportKey	0x1404b8e64
CryptGenRandom	0x1404b8e6c
CryptGetProvParam	0x1404b8e74
CryptGetUserKey	0x1404b8e7c
CryptReleaseContext	0x1404b8e84
CryptSetHashParam	0x1404b8e8c
CryptSignHashW	0x1404b8e94
DeregisterEventSource	0x1404b8e9c
GetUserNameW	0x1404b8ea4
RegCloseKey	0x1404b8eac
RegEnumKeyExA	0x1404b8eb4
RegOpenKeyExA	0x1404b8ebc
RegQueryValueExA	0x1404b8ec4
RegisterEventSourceW	0x1404b8ecc
ReportEventW	0x1404b8ed4

Function	Address	Souspicious	Anti Debug
CoCreateInstance	0x1404b99bc
CoInitializeEx	0x1404b99c4
CoUninitialize	0x1404b99cc

Function	Address	Souspicious	Anti Debug
WSAAddressToStringA	0x1404b9a34
WSACleanup	0x1404b9a3c
WSAEnumNetworkEvents	0x1404b9a44
WSAEventSelect	0x1404b9a4c
WSAGetLastError	0x1404b9a54
WSASetLastError	0x1404b9a5c
WSASocketW	0x1404b9a64
WSAStartup	0x1404b9a6c
WSAStringToAddressW	0x1404b9a74
__WSAFDIsSet	0x1404b9a7c
accept	0x1404b9a84
bind	0x1404b9a8c
closesocket	0x1404b9a94
connect	0x1404b9a9c
freeaddrinfo	0x1404b9aa4
getaddrinfo	0x1404b9aac
gethostbyname	0x1404b9ab4
gethostname	0x1404b9abc
getnameinfo	0x1404b9ac4
getpeername	0x1404b9acc
getservbyname	0x1404b9ad4
getservbyport	0x1404b9adc
getsockname	0x1404b9ae4
getsockopt	0x1404b9aec
htonl	0x1404b9af4
htons	0x1404b9afc
inet_addr	0x1404b9b04
inet_pton	0x1404b9b0c
ioctlsocket	0x1404b9b14
listen	0x1404b9b1c
ntohl	0x1404b9b24
ntohs	0x1404b9b2c
recv	0x1404b9b34
recvfrom	0x1404b9b3c
select	0x1404b9b44
send	0x1404b9b4c
sendto	0x1404b9b54
setsockopt	0x1404b9b5c
shutdown	0x1404b9b64
socket	0x1404b9b6c

Function	Address	Souspicious	Anti Debug
DispatchMessageA	0x1404b99ec
GetProcessWindowStation	0x1404b99f4
GetUserObjectInformationW	0x1404b99fc
MessageBoxA	0x1404b9a04
MessageBoxW	0x1404b9a0c
MsgWaitForMultipleObjects	0x1404b9a14
PeekMessageA	0x1404b9a1c
TranslateMessage	0x1404b9a24