54f0fa329a53.exe

First submission 2024-10-15 12:57:02

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	947.0 KB (969728 bytes)
Compile time:	2024-10-13 11:32:24
MD5:	7de1a4a7d819cc98fccdea05f9326c1a
SHA1:	be8cbf5903dd27666d08c66114b084e5245d88b8
SHA256:	c0cdd15f9913c6e88d7e124cbcba7ea981f12a856f473d0e96a94d8835d9ecf3
Import Hash :	285f07c66f98861b92460fa57c11d967
Sections 5	.text .rdata .data .rsrc .reloc
Directories 4	import resource debug relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	56/77 VT report date: 2024-10-15 12:08:29
Malware Type 1	trojan
Threat Type 3	stealc zusy stealerc

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://assets.gziraq.com/css/54f0fa329a53.exe	assets.gziraq.com	2024-10-15 12:57:02

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x87979	555520	543cee87f247810b85d43ad31ad82e9802f74735	80831045492aac3d7214964be10dc8b7
.rdata	0x89000	0x10dbc	69120	34060afa6b491b6b3daf9491a1ebf1f5080aed0a	82c202f63385834858b719ce48a86fba
.data	0x9a000	0x5041c	323072	6b1cf26c5700315256c868c5f316787b50bb312b	e208993c960204a277ddbd287f66454f
.rsrc	0xeb000	0x595	1536	3e1f867bc43560491850b9abfdddde8c73f47780	aafc017bf609fd7dc53f76eaf55ee3ee
.reloc	0xec000	0x4a6c	19456	a77f95e96b873d581ad20e0b563b43bb98f2f026	009df06dda17fef3270fc1c1ff15d647

PE Resources 2

Name	Language	Sublanguage	Offset	Size	Data
RT_VERSION	LANG_ENGLISH	SUBLANG_ENGLISH_US	0xeb0a0	888	PE Resource: RT_VERSION - Data t4VS_VERSION_INFO 4aJ 4aJ?StringFileInfo040904B0LCompanyNameMicrosoft CorporationDFileDescriptionPrint Utilityn'FileVersion10.0.19041.3636 (WinBuild.160101.0800),InternalNamePrint.LegalCopyright Microsoft Corporation. All rights reserved.< OriginalFilenamePrint.Exej%ProductNameMicrosoft Windows Operating SystemDProductVersion10.0.19041.3636DVarFileInfo$Translation
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0xeb418	381	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_VERSION

LANG_ENGLISH

SUBLANG_ENGLISH_US

0xeb0a0

888

RT_MANIFEST

LANG_ENGLISH

SUBLANG_ENGLISH_US

0xeb418

381

Meta infos 9

LegalCopyright:	\xa9 Microsoft Corporation. All rights reserved.
InternalName:	Print
FileVersion:	10.0.19041.3636 (WinBuild.160101.0800)
CompanyName:	Microsoft Corporation
ProductVersion:	10.0.19041.3636
FileDescription:	Print Utility
Translation:	0x0409 0x04b0
OriginalFilename:	Print.Exe
ProductName:	Microsoft\xae Windows\xae Operating System

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Anti debug functions 7

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
OutputDebugStringW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Library
Hmscoree.dll
KERNEL32.dll

Import functions

KERNEL32.dll 89

Function	Address	Souspicious	Anti Debug
WaitForSingleObject	0x489000
CloseHandle	0x489004
CreateThread	0x489008
MultiByteToWideChar	0x48900c
FormatMessageA	0x489010
GetStringTypeW	0x489014
WideCharToMultiByte	0x489018
EnterCriticalSection	0x48901c
LeaveCriticalSection	0x489020
InitializeCriticalSectionEx	0x489024
DeleteCriticalSection	0x489028
EncodePointer	0x48902c
DecodePointer	0x489030
LocalFree	0x489034
GetLocaleInfoEx	0x489038
LCMapStringEx	0x48903c
CompareStringEx	0x489040
GetCPInfo	0x489044
IsProcessorFeaturePresent	0x489048
UnhandledExceptionFilter	0x48904c
SetUnhandledExceptionFilter	0x489050
GetCurrentProcess	0x489054
TerminateProcess	0x489058
QueryPerformanceCounter	0x48905c
GetCurrentProcessId	0x489060
GetCurrentThreadId	0x489064
GetSystemTimeAsFileTime	0x489068
InitializeSListHead	0x48906c
IsDebuggerPresent	0x489070
GetStartupInfoW	0x489074
GetModuleHandleW	0x489078
CreateFileW	0x48907c
RaiseException	0x489080
RtlUnwind	0x489084
InterlockedPushEntrySList	0x489088
InterlockedFlushSList	0x48908c
GetLastError	0x489090
SetLastError	0x489094
InitializeCriticalSectionAndSpinCount	0x489098
TlsAlloc	0x48909c
TlsGetValue	0x4890a0
TlsSetValue	0x4890a4
TlsFree	0x4890a8
FreeLibrary	0x4890ac
GetProcAddress	0x4890b0
LoadLibraryExW	0x4890b4
GetStdHandle	0x4890b8
WriteFile	0x4890bc
GetModuleFileNameW	0x4890c0
ExitProcess	0x4890c4
GetModuleHandleExW	0x4890c8
HeapAlloc	0x4890cc
HeapFree	0x4890d0
GetDateFormatW	0x4890d4
GetTimeFormatW	0x4890d8
CompareStringW	0x4890dc
LCMapStringW	0x4890e0
GetLocaleInfoW	0x4890e4
IsValidLocale	0x4890e8
GetUserDefaultLCID	0x4890ec
EnumSystemLocalesW	0x4890f0
GetFileType	0x4890f4
GetCurrentThread	0x4890f8
FlushFileBuffers	0x4890fc
GetConsoleOutputCP	0x489100
GetConsoleMode	0x489104
ReadFile	0x489108
GetFileSizeEx	0x48910c
SetFilePointerEx	0x489110
ReadConsoleW	0x489114
SetConsoleCtrlHandler	0x489118
HeapReAlloc	0x48911c
GetTimeZoneInformation	0x489120
OutputDebugStringW	0x489124
FindClose	0x489128
FindFirstFileExW	0x48912c
FindNextFileW	0x489130
IsValidCodePage	0x489134
GetACP	0x489138
GetOEMCP	0x48913c
GetCommandLineA	0x489140
GetCommandLineW	0x489144
GetEnvironmentStringsW	0x489148
FreeEnvironmentStringsW	0x48914c
SetEnvironmentVariableW	0x489150
SetStdHandle	0x489154
GetProcessHeap	0x489158
HeapSize	0x48915c
WriteConsoleW	0x489160

Name	Latest seen	MD5
7f3c2473d1e6.exe	2024-10-13 06:20:02	21b00885507b17bb51792cbac9cd7d01
670a8ccf0c6f9_LofiseNose.exe	2024-10-13 07:06:02	400af20bb680795b1a047b588d8f1b26