6709826e9ef52_win.exe

First submission 2024-10-12 08:05:04

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 24864.0 KB (25460736 bytes)
Compile time: 1970-01-01 01:00:00 (the Unix epoch rendered in a UTC+1 zone: the PE TimeDateStamp is zero and carries no build-time information)
MD5: 6ca0245ee4d4dfc56b17364523dbba06
SHA1: 677172c1cb3d298042bb93dd790a835a0f1fb5cb
SHA256: c468de45d541e28e188e69d9ea27c1658b27fd2c39585da0e20db03aff816114
Import Hash: 1aae8bf580c846f39c71c05898e57e88
Sections (7): .text, .rdata, .data, .idata, .reloc, .symtab, .rsrc
Directories (3): import, resource, relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 18/77 (VT report date: 2024-10-12 00:02:07)
Malware Type (2): trojan, dropper
Threat Type (2): phonzy, wingo

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://sftp.wddidgo.site/player/6709826e9ef52_win.exe sftp.wddidgo.site 2024-10-12 08:05:04

PE Sections 1 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0xc118c8 12655104 b6537d17bfcecc0abdeb75728af759d2efee693c b3f0ea8d7b87162dc77958cc7fe2a6eb
.rdata 0xc13000 0xaf2acc 11480064 f158b5f0abf593be4947619eaa82e84b53091302 ce7fa0128a68e36f4d58ee6b44cf945a
.data 0x1706000 0xb9f78 555008 7583747e83c9c01a00304737867b4ae2f2b5f532 be9c73f43be1f25f7faaee05720a386e
.idata 0x17c0000 0x44c 1536 e421ab8a09eb34a0719d8f9f734c476f731105c2 e7d191e6fc6011e4d4020cfd097e3eca
.reloc 0x17c1000 0xabeb8 704512 1ec1a860a2c72ed48bbf2a6055482196a5edd387 52d3b118613d517dc0148195a083b921
.symtab 0x186d000 0x4 512 943ae54f4818e52409fbbaf60ffd71318d966b0d 07b5472d347d42780469fb2654b7fc54
.rsrc 0x186e000 0xf4f7 62976 1637eca41a41e58fb411b08cfe48495bd4e58540 5cd5b0d17ecac2f709d1f748d06cd3a7
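The compile time, the "Is DLL" feature line and the section table above all come from the COFF and section headers, and they are worth reading directly rather than trusting the summary labels: the 1970 timestamp is a zero TimeDateStamp shown in a UTC+1 zone, the DLL question is one bit in the Characteristics field (and the file type line says executable), and a section named .symtab is something Go's linker writes, consistent with the Go package paths in the strings below. The parser that follows is an added example written for this page; it is not the analysis tool's code and not the sample's bytes. Because the sample is not available here, it runs on a constructed header-only PE whose section names, sizes and addresses are copied from the table above; every other byte value in the fixture is an assumption, and the name set in GO_LINKER_SECTIONS is a heuristic of mine.

```python
"""Read the PE fields behind the report's 'Compile time', 'Is DLL' and section
table straight from the headers. Added example for this page; not the report
tool's code and not the sample's bytes."""
import struct
import time

IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
COFF_FMT = "<HHIIIHH"            # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes
GO_LINKER_SECTIONS = {".symtab"}  # heuristic: Go's PE linker emits this, MSVC does not


def parse_pe_headers(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsections, timestamp, _symptr, _nsyms, opt_size, characteristics = \
        struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0] if opt_size >= 2 else None
    # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+.
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0] if opt_size >= 70 else None
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, *_rest = struct.unpack_from(
            SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
    return {"machine": machine, "timestamp": timestamp, "magic": magic, "subsystem": subsystem,
            "is_dll": bool(characteristics & IMAGE_FILE_DLL), "sections": sections}


def triage(hdr: dict) -> dict:
    """The header facts the report's summary lines should be checked against."""
    return {
        # 0 means the linker stamped no build time; a UTC+1 viewer shows it as 1970-01-01 01:00:00.
        "zero_timestamp": hdr["timestamp"] == 0,
        "compile_time_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(hdr["timestamp"])),
        "go_linker_sections": sorted(s["name"] for s in hdr["sections"] if s["name"] in GO_LINKER_SECTIONS),
        "is_dll": hdr["is_dll"],  # authoritative answer to the 'Is DLL' feature line
        "gui_subsystem": hdr["subsystem"] == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "section_count": len(hdr["sections"]),
    }


def build_fixture() -> bytes:
    """Constructed header-only PE (assumed bytes) whose section table mirrors the report."""
    sections = [(".text", 0xC118C8, 0x1000, 12655104), (".rdata", 0xAF2ACC, 0xC13000, 11480064),
                (".data", 0xB9F78, 0x1706000, 555008), (".idata", 0x44C, 0x17C0000, 1536),
                (".reloc", 0xABEB8, 0x17C1000, 704512), (".symtab", 0x4, 0x186D000, 512),
                (".rsrc", 0xF4F7, 0x186E000, 62976)]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew: PE signature right after the DOS header
    opt = bytearray(224)                          # full PE32 optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_GUI)
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, len(opt),
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)  # I386, TimeDateStamp 0
    raw_ptr = len(dos) + 24 + len(opt) + 40 * len(sections)
    table = b""
    for name, vsize, vaddr, rawsize in sections:
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), vsize, vaddr, rawsize,
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += rawsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    for key, value in triage(parse_pe_headers(build_fixture())).items():
        print(f"{key:20} {value}")
```

To run it against a real file, replace build_fixture() with open(path, "rb").read(); the parser only touches the headers, so the 24 MB of section data is never interpreted.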

PE Resources 4

Name Language Sublanguage Offset Size Data
RT_ICON LANG_NEUTRAL SUBLANG_NEUTRAL 0x187c790 1128
RT_GROUP_ICON LANG_NEUTRAL SUBLANG_NEUTRAL 0x187cbf8 188
RT_VERSION LANG_ENGLISH SUBLANG_ENGLISH_US 0x187ccb4 892
RT_MANIFEST LANG_ENGLISH SUBLANG_ENGLISH_US 0x187d030 1223

Meta infos 9

LegalCopyright: © Zoom Video Communications, Inc. All rights reserved.
InternalName: Zoom Meetings Installer
FileVersion: 6.2.0
CompanyName: Zoom Video Communications, Inc.
ProductVersion: 6.2.0
FileDescription: Zoom Meetings Installer
Translation: 0x0409 0x04e4
OriginalFilename: Zoom Meetings Installer
ProductName: Zoom Meetings Installer

Anti debug functions 1

Bochs & QEmu CPUID Trick
Caveat: the Go runtime executes CPUID at startup for CPU feature detection (the amxtile/amxint8/amxbf16/osxsave names fused into one of the "URL" strings below are entries of that feature table), so a CPUID-based heuristic fires on practically every Go build; on its own this hit is not evidence of VM detection.

Strings analysis - File found

Log
go.uber.org/zap.(*SugaredLogger).log
github.com/saferwall/pe/log.(*Filter).Log
github.com/opentracing/opentracing-go.noopSpan.Log
github.com/saferwall/pe/log.(*stdLogger).Log
github.com/saferwall/pe/log.(*Helper).Log
github.com/ipfs/go-log/tracer.(*spanImpl).Log
google.golang.org/grpc/internal/binarylog.(*TruncatingMethodLogger).Log
github.com/sirupsen/logrus.(*Entry).Log
github.com/sirupsen/logrus.(*Logger).Log
go.uber.org/zap.(*Logger).Log
math.Log
google.golang.org/grpc/internal/syscall.log
github.com/opentracing/opentracing-go.(*noopSpan).Log
github.com/saferwall/pe/log.(*logger).Log
Library
WINMM.dll
bcryptprimitives.dll
Powrprof.dll
ntdll.dll
KERNEL32.dll
*syscall.DLL
*windows.DLL
type:.eq.syscall.DLL
type:.eq.golang.org/x/sys/windows.DLL

Strings analysis - Possible IPs found 14 (mostly false positives: apart from 127.0.0.1, which is loopback, these dotted numbers read as fragments clipped from longer sequences such as textual ASN.1 OIDs, e.g. the 2.5.4.x X.520 attribute arcs, rather than network indicators)

1.2.2.1
1.1.2.1
2.5.4.102
5.2.2.1
1.1.3.1
5.4.112.5
5.4.32.5
1.2.1.1
4.52.5.4
5.2.1.1
1.1.1.1
2.5.4.62
72.5.4.82
127.0.0.1

Strings analysis - Possible URLs found 10 (library string-table fragments from the Go build: protobuf, zitadel and RFC references, plus Go's "http://nil"; none is a contact point. The only network indicator on this page is the download URL listed above)

http://nil
https://tools.ietf.org/html/rfc3066J
https://api.zitadel.ch/assets/v1/avatar-32432jkh4kj32
https://github.com/zitadel/zitadel/blob/new-eventstore/cmd/zitadel/startup.yaml.
https://tools.ietf.org/html/rfc3966)J
file://amxtileamxint8amxbf16osxsaveeae_prkno
https://protobuf.dev/reference/go/faq#namespace-conflictunexpected
https://Trailer:http/1.148828125infinitystrconv.parsing
https://github.com/golang/protobuf/issues/1609):
https://tools.ietf.org/html/rfc2822#section-3.4.1)J
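The two string lists above show the usual noise of a regex pass over a Go binary: dotted numbers cut out of longer ASN.1 OID text become "IPs", and http:// fragments from library messages become "URLs". The script below is an added example, not code from the report's tooling or the sample, showing how to re-extract both with boundary and sanity checks. It runs on a constructed byte blob (assumed content, marked in the code) that reproduces the kinds of fragments listed above, including the one real indicator on this page, the download URL host; the OID_ARCS prefix list is a heuristic of mine, not something the report states.

```python
"""Re-extract dotted-quad and URL candidates from a string blob with boundary and
sanity checks, so ASN.1 OID fragments and library URL fragments do not land in
the indicator list. Added example for this page; not the report tool's code."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample blob (assumed content, not bytes from the sample): an X.509
# extKeyUsage OID, an X.520 attribute OID, Go's "http://nil", a public resolver,
# a Go strconv/HTTP fragment, a loopback listener and the page's download URL.
SAMPLE_BLOB = (
    b"\x00extKeyUsage 1.3.6.1.5.5.7.3.1\x00"
    b"2.5.4.3\x00"
    b"http://nil\x00"
    b"resolver 1.1.1.1\x00"
    b"https://Trailer:http/1.148828125infinity\x00"
    b"http://127.0.0.1:8080/healthz\x00"
    b"hXXp://sftp.wddidgo.site/player/6709826e9ef52_win.exe\x00"
)

OCTET = rb"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
# Naive pattern: four dotted 1-3 digit groups, no range check, no boundaries.
NAIVE_IPV4 = re.compile(rb"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
# Strict pattern: valid octets that are not part of a longer dotted/digit run.
STRICT_IPV4 = re.compile(rb"(?<![\d.])" + OCTET + rb"(?:\." + OCTET + rb"){3}(?![\d.])")
# Heuristic (assumption): textual OID arcs whose first four components look like a quad.
OID_ARCS = ("2.5.4.", "2.5.29.", "1.2.840.", "1.3.6.1.", "2.16.840.", "0.9.2342.")
URL_RE = re.compile(rb"(?:hXXps?|https?)://[^\s\x00\"'<>]+")
HOST_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def naive_ipv4_strings(blob: bytes) -> list:
    """What a boundary-less regex reports; compare with the report's 14 'IPs'."""
    return [m.decode() for m in NAIVE_IPV4.findall(blob)]


def classify_ipv4(blob: bytes) -> dict:
    """Boundary-checked quads mapped to a triage verdict."""
    verdicts = {}
    for m in STRICT_IPV4.findall(blob):
        s = m.decode()
        if s.startswith(OID_ARCS):
            verdicts[s] = "oid-like"  # syntactically a valid quad, but a known OID arc
        else:
            ip = ipaddress.ip_address(s)
            verdicts[s] = "loopback" if ip.is_loopback else "global" if ip.is_global else "non-global"
    return verdicts


def url_hosts(blob: bytes) -> dict:
    """Keep http(s) URLs whose host is an IP literal or a plausible DNS name."""
    verdicts = {}
    for raw in URL_RE.findall(blob):
        url = re.sub(r"^hXXp", "http", raw.decode("ascii", "replace"))  # refang
        parts = urlsplit(url)
        try:
            parts.port  # raises ValueError for non-numeric ports such as "Trailer:http"
        except ValueError:
            verdicts[url] = "junk-port"
            continue
        host = parts.hostname or ""
        try:
            ipaddress.ip_address(host)
            verdicts[url] = "ip-host"
            continue
        except ValueError:
            pass
        labels = host.split(".")
        if len(labels) >= 2 and labels[-1].isalpha() and all(HOST_LABEL.match(l) for l in labels):
            verdicts[url] = "dns-host"
        else:
            verdicts[url] = "junk-host"
    return verdicts


if __name__ == "__main__":
    print("naive :", naive_ipv4_strings(SAMPLE_BLOB))
    print("strict:", classify_ipv4(SAMPLE_BLOB))
    for url, verdict in url_hosts(SAMPLE_BLOB).items():
        print(f"{verdict:10} {url}")
```

The naive pass returns five "addresses" from the blob, two of them cut out of the extKeyUsage OID; the strict pass keeps three and labels 2.5.4.3 as OID-like, leaving only the loopback listener and the resolver as addresses worth a second look. For the URL list the host check drops "nil" and the Trailer:http fragment and keeps the sftp.wddidgo.site download URL, which is the indicator already recorded in the indicators table.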

Import functions (the table actually lists other sample files by name, last-seen date and MD5, not imported API names)

Name Latest seen MD5
66cdff2bded74_Update.exe 2024-10-08 00:41:19 9157a0df4966b25e45271e8010de96f7
66d1b7f7f3765_Front.exe 2024-10-07 23:43:05 ef210f3d8e05ecafd8d41a98b5806218
Amadeus.exe 2024-09-27 16:54:02 36a627b26fae167e6009b4950ff15805
CheckTool.exe 2024-09-23 17:11:06 b8a15f36239ac6a968a373bf93d06ce6
66eaf17e9bd9e_Softwarepaxck.exe 2024-10-07 21:02:03 e4795aedf3d67af6b0cc029d010f7183
66ccd10a6862b_stream.exe 2024-10-04 22:09:03 07b67369bfb20733f18242f320b5ac20
QueryAC.exe 2024-10-05 21:36:06 0c2122e76676082991f3cf30aabbff34
66eb0d09c9f08_Gads.exe 2024-10-07 21:14:04 5fb5e099087ca0db68f8d58ae7555949