sos.txt

First submission 2024-10-14 17:21:01

File details

File type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Mime type: application/x-dosexec
File size: 1968.0 KB (2015232 bytes)
Compile time: 1970-01-01 01:00:00
MD5: 81b497297ddf74bdba44a1b95f092279
SHA1: d480615225d836d08beffb2091182642fda3f2f5
SHA256: b1ead52870bd3f557716840b7e786af809db6dbf2c6637bb09c7795056a70960
Import Hash : 9cbefe68f395e67356e2a5d8d1b285c0
Sections 6 .text .rdata .data .idata .reloc .symtab
Directories 2 import relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 16/76 VT report date: 2024-09-24 20:41:57
Malware Type 1 trojan
Threat Type 2 reverseshell wingo

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://154.216.20.170/sos.txt 154.216.20.170 2024-10-14 17:21:01

PE Sections 1 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0xe380f 932352 14cbf553e8e7117ac76aa0ff81fe559913abc0a1 469fe6ae90291b778883cb8b2fd2352d
.rdata 0xe5000 0xe8cd8 953856 58bc9bc8647277ce6321e461a2bcb7904bc12522 2fb335c2e8b8969b70100fc784e16176
.data 0x1ce000 0x74708 107520 07d715738272b7fb5ecd80eb0b91785a32089278 9776e1fb7ee5eac5a8271e484ff67016
.idata 0x243000 0x47c 1536 241490381a0e82a83bd70f20111b5c10d9e06898 fb6a0a65f86b268711721648b3d14096
.reloc 0x244000 0x440a 17920 0ce5394355a8a324eb22033c7de6cebc3924a5d8 5ff0727b755e6bd7dbd1689b8f74ccac
.symtab 0x249000 0x4 512 943ae54f4818e52409fbbaf60ffd71318d966b0d 07b5472d347d42780469fb2654b7fc54

Anti debug functions 1

VMCheck.dll

Strings analysis - File found

Library
_32.dll
L32.DLL
i32.dll
type..eq.syscall.DLL
KERNEL32.dll
rof.dll
*syscall.DLL

Strings analysis - Possible IPs found 1

127.0.0.1

Import functions

Name Latest seen MD5