num.exe

First submission: 2024-09-29 23:02:01
Last submission: 2024-10-16 16:24:02

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 307.0 KB (314368 bytes)
Compile time: 2024-09-29 20:19:54
MD5: 791fcee57312d4a20cc86ae1cea8dfc4
SHA1: 04a88c60ae1539a63411fe4765e9b931e8d2d992
SHA256: 27e4a3627d7df2b22189dd4bebc559ae1986d49a8f4e35980b428fadb66cf23d
Import Hash: 8e9e6de8c6aa184371108e1074479bb3
Sections: 4 (.text, .rdata, .data, .reloc)
Directories: 2 (import, relocation)

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 41/77
VT report date: 2024-09-29 22:05:00
Malware Type (1): trojan
Threat Type (3): tedy, stealc, stealerc

URLs, FQDN and IP indicators 1

| URL | Host (FQDN/IP) | Date Added |
|---|---|---|
| hXXp://185.215.113.16/test/num.exe | 185.215.113.16 | 2024-10-16 16:24:07 |

PE Sections 0 suspicious

| Name | VAddress | VSize | Size | SHA1 | MD5 | Suspicious |
|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x1cc8f | 118272 | c01328abd807f11db790ac069ac8f6a68d0085af | 66879e12cc36ce58a318f5ac2299b01a | |
| .rdata | 0x1e000 | 0xcf8c | 53248 | fce2615b0df785e169943ffd73972bb1bf48e65a | 5a4ad10aa14db5722597b4c96ac0ea1e | |
| .data | 0x2b000 | 0x2303a4 | 123904 | 7e654258ce7efec203501119cce3af9edd686ade | 47130f1bd451e62a6f3377958ec20b2f | |
| .reloc | 0x25c000 | 0x459e | 17920 | f8732edaa945e2546949e4b31d8b40d054a8dc6a | d8f492474b01bdac93fa77f23f413e35 | |

Packers detected 1

Borland Delphi 3.0 (???)

Anti debug functions 5

GetLastError
IsDebuggerPresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

VMCheck.dll

Strings analysis - File found

Compressed: -.zip
XML: \AppData\Roaming\FileZilla\recentservers.xml
Text: steam_tokens.txt
Library: WUSER32.DLL, mscoree.dll, dKERNEL32.dll, chrome.dll, KERNEL32.dll, ntdll.dll, WININET.dll, Crypt32.dll, MSVCRT.dll, USER32.dll, SHELL32.dll, SHLWAPI.dll, ADVAPI32.dll, VERSION.dll

Import functions