Authenticator222.exe

First submission 2024-08-28 09:41:05 Last submission 2024-09-01 23:56:03

File details

File type: PE32+ executable (GUI) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 21893.5 KB (22418944 bytes)
Compile time: 2024-07-28 11:22:58
MD5: 7682909e9bda1e07a178ee76c114e42c
SHA1: 026d1a42f40b04f0e9b0e1c14631dd226aa57371
SHA256: c9c2671d59e747d93585102e1af0215aaa8e9680c5616f17599380e5209a0d0d
Import Hash: 5a6977da69b938abc407aaddd312239b
Sections 11 .text .data .bss .idata .didata .edata .tls .rdata .reloc .pdata .rsrc
Directories 5 import export resource tls relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 22/79 VT report date: 2024-08-11 17:44:16
Malware Type 1 trojan
Threat Type 1 pzcmj

URLs, FQDN and IP indicators 2

URL Host (FQDN/IP) Date Added
hXXps://www.detailed-finance.top/inc/Authenticator222.exe www.detailed-finance.top 2024-09-01 23:56:06
hXXps://www.financemaster.shop/inc/Authenticator222.exe www.financemaster.shop 2024-09-01 22:33:06

PE Sections 2 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0xcac9d0 13289984 0f01fe7bf96a75c729950f697bd792e4aac85344 25f819ab7c69bd42f490243405702862
.data 0xcae000 0x115080 1135104 0e10732c7d82283114ba406c565146b8d553e934 d934ce88b753eb49ee033e6e63212336
.bss 0xdc4000 0x20724 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.idata 0xde5000 0x55ee 22016 16806f1b79c23c4c6ae91203a702fd2fecd4f64a 06a1def7d9556cd5d8d9d391937fe089
.didata 0xdeb000 0x9228 37888 83fa0023284d0acd8b92b6a804cf3bbde9090818 99eb4b0d3e5e679d12b8214036167f22
.edata 0xdf5000 0x9a 512 bc213eee08a3675b56917bfcd0734dc4bf672e25 6ddab53115ecb35f3613ea9f7c6c6ac9
.tls 0xdf6000 0x1f8 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xdf7000 0x6d 512 7891dc1452466b70484c29faa6f00030d20094da 0a5a16e9da92df4e41d2865d0309698c
.reloc 0xdf8000 0xaf604 718848 f6ad016a6c080b52f231b9987dd46da880afade9 0fc04536ebce29868b867b2196595c3c
.pdata 0xea8000 0xa96bc 694272 c002b529079051e9b8b12dda8fc84dcd26ed0736 ae51a11644ca45134856fb017b38e90d
.rsrc 0xf52000 0x637800 6518784 e0e0c3fde4824305757356faaaa24087b9fd7539 8dac0fec890708030ba5f4f98cf676dc

PE Resources 6

Name Language Sublanguage Offset Size Data
RT_CURSOR LANG_ENGLISH SUBLANG_ENGLISH_US 0xf557b4 308
RT_ICON LANG_BULGARIAN SUBLANG_DEFAULT 0xf558e8 37107
RT_STRING LANG_NEUTRAL SUBLANG_NEUTRAL 0xf70ca0 844
RT_RCDATA LANG_ENGLISH SUBLANG_ENGLISH_US 0x1533ebc 350221
RT_GROUP_CURSOR LANG_ENGLISH SUBLANG_ENGLISH_US 0x1589744 20
RT_GROUP_ICON LANG_BULGARIAN SUBLANG_DEFAULT 0x1589758 20

Anti debug functions 8

FindWindowExW
FindWindowW
GetLastError
GetWindowThreadProcessId
IsDebuggerPresent
OutputDebugStringW
RaiseException
UnhandledExceptionFilter

Anti VM functions 1

VMCheck.dll

Strings analysis - File found

Database
Data.DB
Query DB
Dbx.SQL
Library
USER32.dll
KERNEL32.dll
UxTheme.dll
MSWSOCK.DLL
IPHLPAPI.DLL
ntdll.dll
WS2_32.dll
d3d10_1.dll
d3d10.dll
wship6.dll
normaliz.dll
Fwpuclnt.dll
PSAPI.DLL
IdnDL.dll
d2d1.dll
COMCTL32.dll
DWrite.dll
ole32.dll
IMM32.dll
d3d11.dll
OLEAUT32.dll
WTSAPI32.dll
MSVCRT.dll
rpcrt4.dll
COMDLG32.dll
MSIMG32.dll
dwmapi.dll
ADVAPI32.dll
GDI32.dll
WindowsCodecs.dll
VERSION.dll
d3d9.dll
WINMM.dll
gdiplus.dll
SHELL32.dll

Strings analysis - Possible IPs found 4

3.0.0.16
0.0.0.1
255.255.255.255
127.0.0.1

Strings analysis - Possible URLs found 6

http://www.mozilla.org/editor/midasdemo/securityprefs.html
http://digitalbush.com/projects/masked-input-plugin/#license)
http://go.microsoft.com/fwlink/?LinkID=
http://
https://
http://go.microsoft.com/fwlink/?linkid=94243.

Import functions

PE Exports 3 suspicious

Function Address
TMethodImplementationIntercept 0x4a9be0
__dbk_fcall_wrapper 0x419660
dbkFCallWrapperAddr 0x11c8f58