DigitalSide Threat Intel

o1.exe

First submission 2022-05-10 13:48:02

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
File type: 375.73 KB (384752 bytes)
Compile time: 2021-09-25 23:56:47
MD5: 8413d6561a7cea036bcb55ce3739c927
SHA1: 08202c401822dee611a59ec94d0951f5810909cc
SHA256: 45657b8e77b893c62e2ea98135ff4e0479e6588337758d88c266d141897dc767
Import Hash : 61259b55b8912888e90f516ca08dc514
Sections 5 .text .rdata .data .ndata .rsrc
Directories 3 import resource security
Virus Total: 3/68 VT report date: 2022-05-10 11:35:18

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXps://cdn.discordapp.com/attachments/973328545218695221/973331573493608468/o1.exe VirusTotal Report cdn.discordapp.com VirusTotal Report 2022-05-10 13:48:02

PE Sections 1 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x6676 26624 55517dc6ad93689679677d152abfdd1ce20f1135 6f5abe9eeda26ee84b3c1ed1a6c82001
.rdata 0x8000 0x139a 5120 dc4f14d019cad6646b38852dfb7370532acafebc 8c5edfd8ff9cc0135e197611be38ca18
.data 0xa000 0x20378 1536 f45486287d474fdcafc99c24e37c4eb61bf613b3 4b2421975c21b032f7ea000f5e7f9fbf
.ndata 0x2b000 0x27000 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x52000 0x28408 165376 61c6b9f2a3f7f8fb98af2fc4ba3f8f4de576a866 b0247578abeb936dd4ca3cf39f9b5d79

PE Resources 5

Name Language Sublanguage Offset Size Data
RT_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0x79680 1128
RT_DIALOG LANG_ENGLISH SUBLANG_ENGLISH_US 0x79d08 96
RT_GROUP_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0x79d68 118
RT_VERSION LANG_ENGLISH SUBLANG_ENGLISH_US 0x79de0 740
RT_MANIFEST LANG_ENGLISH SUBLANG_ENGLISH_US 0x7a0c8 830

Meta infos 8

Translation: 0x0409 0x04b0
LegalCopyright: Triad Hospitals Inc
FileDescription: Rohm & Haas Co.
Comments: Tecumseh Products Company
LegalTrademarks: R.J. Reynolds Tobacco Company
FileVersion: 22.18.23
ProductName: Bell Microproducts Inc.
CompanyName: Lawson Software

Anti debug functions 2

FindWindowExW
GetLastError

File signature

MD5 SHA1 Block size Virtual Address
fddae6e3dba50938d0410249c0516acc ab76de18bd4ec43ce487f659d1ee756b4d116e35 6688 378064

Strings analysis - File found

Library
%s%s.dll
ADVAPI32.dll
SHELL32.dll
USER32.dll
COMCTL32.dll
ole32.dll
GDI32.dll
KERNEL32.dll

Strings analysis - Possible URLs found 8

http://ocsp.sectigo.com0
http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%
http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
http://nsis.sf.net/NSIS_Error
http://ocsp.usertrust.com0
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
https://sectigo.com/CPS0D

Import functions

Function Address Souspicious Anti Debug
GetExitCodeProcess 0x408070
WaitForSingleObject 0x408074
GetModuleHandleA 0x408078
GetProcAddress 0x40807c
GetSystemDirectoryW 0x408080
lstrcatW 0x408084
Sleep 0x408088
lstrcpyA 0x40808c
WriteFile 0x408090
GetTempFileNameW 0x408094
lstrcmpiA 0x408098
RemoveDirectoryW 0x40809c
CreateProcessW 0x4080a0
CreateDirectoryW 0x4080a4
GetLastError 0x4080a8
CreateThread 0x4080ac
GlobalLock 0x4080b0
GlobalUnlock 0x4080b4
GetDiskFreeSpaceW 0x4080b8
WideCharToMultiByte 0x4080bc
lstrcpynW 0x4080c0
lstrlenW 0x4080c4
SetErrorMode 0x4080c8
GetVersionExW 0x4080cc
GetCommandLineW 0x4080d0
GetTempPathW 0x4080d4
GetWindowsDirectoryW 0x4080d8
SetEnvironmentVariableW 0x4080dc
CopyFileW 0x4080e0
ExitProcess 0x4080e4
GetCurrentProcess 0x4080e8
GetModuleFileNameW 0x4080ec
GetFileSize 0x4080f0
CreateFileW 0x4080f4
GetTickCount 0x4080f8
MulDiv 0x4080fc
SetFileAttributesW 0x408100
GetFileAttributesW 0x408104
SetCurrentDirectoryW 0x408108
MoveFileW 0x40810c
GetFullPathNameW 0x408110
GetShortPathNameW 0x408114
SearchPathW 0x408118
CompareFileTime 0x40811c
SetFileTime 0x408120
CloseHandle 0x408124
lstrcmpiW 0x408128
lstrcmpW 0x40812c
ExpandEnvironmentStringsW 0x408130
GlobalFree 0x408134
GlobalAlloc 0x408138
GetModuleHandleW 0x40813c
LoadLibraryExW 0x408140
MoveFileExW 0x408144
FreeLibrary 0x408148
WritePrivateProfileStringW 0x40814c
GetPrivateProfileStringW 0x408150
lstrlenA 0x408154
MultiByteToWideChar 0x408158
ReadFile 0x40815c
SetFilePointer 0x408160
FindClose 0x408164
FindNextFileW 0x408168
FindFirstFileW 0x40816c
DeleteFileW 0x408170
Function Address Souspicious Anti Debug
SHGetSpecialFolderLocation 0x408178
SHFileOperationW 0x40817c
SHBrowseForFolderW 0x408180
SHGetPathFromIDListW 0x408184
ShellExecuteExW 0x408188
SHGetFileInfoW 0x40818c
Function Address Souspicious Anti Debug
RegCreateKeyExW 0x408000
RegEnumKeyW 0x408004
RegQueryValueExW 0x408008
RegSetValueExW 0x40800c
RegCloseKey 0x408010
RegDeleteValueW 0x408014
RegDeleteKeyW 0x408018
AdjustTokenPrivileges 0x40801c
LookupPrivilegeValueW 0x408020
OpenProcessToken 0x408024
SetFileSecurityW 0x408028
RegOpenKeyExW 0x40802c
RegEnumValueW 0x408030
Function Address Souspicious Anti Debug
GetClientRect 0x408194
EndPaint 0x408198
DrawTextW 0x40819c
IsWindowEnabled 0x4081a0
DispatchMessageW 0x4081a4
wsprintfA 0x4081a8
CharNextA 0x4081ac
CharPrevW 0x4081b0
MessageBoxIndirectW 0x4081b4
GetDlgItemTextW 0x4081b8
SetDlgItemTextW 0x4081bc
GetSystemMetrics 0x4081c0
FillRect 0x4081c4
AppendMenuW 0x4081c8
TrackPopupMenu 0x4081cc
OpenClipboard 0x4081d0
SetClipboardData 0x4081d4
CloseClipboard 0x4081d8
IsWindowVisible 0x4081dc
CallWindowProcW 0x4081e0
GetMessagePos 0x4081e4
CheckDlgButton 0x4081e8
LoadCursorW 0x4081ec
SetCursor 0x4081f0
GetSysColor 0x4081f4
SetWindowPos 0x4081f8
GetWindowLongW 0x4081fc
PeekMessageW 0x408200
SetClassLongW 0x408204
GetSystemMenu 0x408208
EnableMenuItem 0x40820c
GetWindowRect 0x408210
ScreenToClient 0x408214
EndDialog 0x408218
RegisterClassW 0x40821c
SystemParametersInfoW 0x408220
CreateWindowExW 0x408224
GetClassInfoW 0x408228
DialogBoxParamW 0x40822c
CharNextW 0x408230
ExitWindowsEx 0x408234
DestroyWindow 0x408238
CreateDialogParamW 0x40823c
SetTimer 0x408240
SetWindowTextW 0x408244
PostQuitMessage 0x408248
SetForegroundWindow 0x40824c
ShowWindow 0x408250
wsprintfW 0x408254
SendMessageTimeoutW 0x408258
FindWindowExW 0x40825c
IsWindow 0x408260
GetDlgItem 0x408264
SetWindowLongW 0x408268
LoadImageW 0x40826c
GetDC 0x408270
ReleaseDC 0x408274
EnableWindow 0x408278
InvalidateRect 0x40827c
SendMessageW 0x408280
DefWindowProcW 0x408284
BeginPaint 0x408288
EmptyClipboard 0x40828c
CreatePopupMenu 0x408290
Function Address Souspicious Anti Debug
None 0x408038
ImageList_Create 0x40803c
ImageList_Destroy 0x408040
ImageList_AddMasked 0x408044
Function Address Souspicious Anti Debug
SetBkMode 0x40804c
SetBkColor 0x408050
GetDeviceCaps 0x408054
CreateFontIndirectW 0x408058
CreateBrushIndirect 0x40805c
DeleteObject 0x408060
SetTextColor 0x408064
SelectObject 0x408068
Function Address Souspicious Anti Debug
OleInitialize 0x408298
OleUninitialize 0x40829c
CoCreateInstance 0x4082a0
IIDFromString 0x4082a4
CoTaskMemFree 0x4082a8

Related files by ImpHash 61 61259b55b8912888e90f516ca08dc514

Name Latest seen MD5
vbc.exe 2022-03-22 21:32:04 a7ff9d6ac75f5a8e46de69043e142416
Equivoluminal6.exe 2022-03-27 19:39:02 37ad1e65666e75dbe7235a60e5e2a09a
vbc.exe 2022-04-05 20:36:02 21d9fd5a0644c27d57f9b39cec04d780
Reported.exe 2022-04-22 18:23:02 dd7dc45de8376c2698113dbd4be04871
bena.exe 2022-04-25 17:17:02 03a7feb739f98820f92e25fe8d8d55a9
vgp.exe 2022-04-26 18:33:02 5bc069f8644f6e6ad5a1df00def3ae51
mic.exe 2022-04-26 19:24:02 4a039ccf1c333214953856f96659e016
d1.exe 2022-05-05 08:10:02 2d7346894efa8803eaa27ef2f2f723b9
d2.exe 2022-05-05 08:11:01 eabd968d3bd07d857e816b7e8c4fb006
EF.exe 2022-05-05 08:17:01 e6858850ced6520506513ea119640e65
m3.exe 2022-05-05 08:20:01 8f18bb71f42a1eb3fdb1de3ee5f6d06b
vbc.exe 2022-05-10 13:02:02 643eead21d07a4bb7c11bb4c7459f898
vbc.exe 2022-05-10 13:03:03 54b3f1c51ae8550134a0d40970b455a9
vbc.exe 2022-05-10 14:04:02 33096629a4f1afa66342a3eb9ba3a09e
vbc.exe 2022-05-10 14:09:03 cd3ce7188d4c93259f0524b8087a207d
vbc.exe 2022-05-10 17:34:02 8727321276f756618f961727765b792c
vbc.exe 2022-05-10 17:35:02 9eb9e0b2d312768914016744d9361751
duk.exe 2022-05-10 17:40:03 1fb45ed5a8de2d0818db9cc1051ccaad
vbc.exe 2022-05-10 17:42:03 f35d4b7708578a4ad7f16a1c51d41eda
vbc.exe 2022-05-10 19:58:03 c33d399c78bbc6d5f34b50759ce3deda
vbc.exe 2022-05-10 19:59:02 e854767c8344eb7087eb6fb00e078efc
vbc.exe 2022-05-10 20:28:03 8b9e4e9b0b4d1548e9ea574d984991d4
kotr.exe 2022-05-11 17:04:08 a0f036baaf9746f735f4b256c985515c
nedx.exe 2022-05-12 08:42:02 98a602591bf121ef9282ce623291a941
Scan_load.exe 2022-05-12 09:44:02 b116243ed4215cbcb325a827d11cdc68
vbc.exe 2022-05-12 09:45:02 63024416555335f0668d2450f16fed17
vbc.exe 2022-05-12 09:46:04 b78bacf2638d6457c841f5de45d34f24
vbc.exe 2022-05-12 09:49:02 3f4a3a3a87472b777905e5908b6762a6
vbc.exe 2022-05-12 09:50:02 706a52c35a1c1186de5b098fd6cafd8f
SCAN9.exe 2022-05-12 09:53:02 a1e007787cbe3d27a07fbeb2cb0956ad
scrss.exe 2022-05-12 09:55:03 6cc7f4dc6d60f6b01b7164532f4d4fe6
vbc.exe 2022-05-12 09:58:03 b09f17c52adfbbf6c3e91e84a404b112
sepat.exe 2022-05-12 10:00:04 bd445ce54588f3ea14c6ef52fe6470e7
vbc.exe 2022-05-12 11:21:02 bce919cf4fa0ea578e827b11c9966dad
vbc.exe 2022-05-12 11:23:02 0af7fbb3b5a2a7059555859c4c1db8f9
vbc.exe 2022-05-12 11:25:02 c85a753c46e005748eb59d6d062d596c
vbc.exe 2022-05-12 11:26:02 2c24fa42140a8a16f3777173a2d3f0ab
vbc.exe 2022-05-12 11:27:02 5aced01eb87f9b45da181121f2c5f510
vbc.exe 2022-05-12 12:29:04 d9a63266613ba6cc68ac317ef99f5fdd
vbc.exe 2022-05-12 20:30:02 e647eb555d9cabaf7997da05d2195ad0
vbc.exe 2022-05-12 20:50:02 0eb62853b63f5276c9eb21fff540c8be
vbc.exe 2022-05-12 21:08:02 5d27e82459861cbe558cbe64f1a94b70
vbc.exe 2022-05-12 21:25:03 7d230009eab36798f73226c3adc7ac8e
vbc.exe 2022-05-12 21:26:03 98f9e6fdd56e13f7cedb352712cdcccb
vbc.exe 2022-05-12 21:28:02 4b29dbf34a5049758ec7e986a6a85c7f
vbc.exe 2022-05-12 22:26:03 9c62175af4cb7d4581c22df0555e0c0a
copy_load.exe 2022-05-13 17:15:02 b5691d968eccd79d3b535e2686cb1a03
vbc.exe 2022-05-13 17:25:02 f850bf6bfd9be6aa4d73b6a026986c29
vbc.exe 2022-05-13 17:26:02 21f7996aa488b062d4c0725eb6f23b2c
vbc.exe 2022-05-13 17:28:02 69250f55fbfe48822c838b4eeaf33a0a
BUSY.exe 2022-05-13 17:29:03 029bbe98a216416eb698ca543a5c0830
vbc.exe 2022-05-13 17:30:03 e437b563de87f3d825a87269e16fdd50
vbc.exe 2022-05-13 18:53:04 5af1c7dd89a535dee51c3e28b4a74f8d
vbc.exe 2022-05-14 15:38:02 de76ef6a11a63efc00b0303888bc0b7f
vbc.exe 2022-05-16 00:01:02 3fe3699a62de454defd75c884f72dfee
vbc.exe 2022-05-16 07:43:02 e95ec4d6653fd04defa43e0503d4314a
vbc.exe 2022-05-16 11:33:02 4f2b5d6712ca51ba7619581acc9e6c06
Swift0022.exe 2022-05-16 15:09:02 6b652bdcd4da5e522480b3175938b26c
vbc.exe 2022-05-16 15:10:02 62a3e5d4ed5c3edf4f5b2aa432511a84
vbc.exe 2022-05-16 15:24:01 b6a0b45c78db4ee37368efd93ecfffac
vbc.exe 2022-05-16 15:26:02 2d4739ab2d34eec849d903e05e8e0eb4