QQ.exe

First submission 2024-07-09 00:29:23

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 2004.0 KB (2052096 bytes)
Compile time: 2024-07-05 11:30:40
MD5: 89512b367f79e86bf2aaa9e855018793
SHA1: 5032c6280c12e3664d6e99db077b9d6d5e220b77
SHA256: b7c7ddc71405ecb5058fcd27cb0d453273272dff184ea143da43070768714d58
Import Hash : 1daa05aae881e27fc33c151dd2924a32
Sections 4 .text .rdata .data .rsrc
Directories 2 import resource

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 58/78 VT report date: 2024-07-08 21:33:21
Malware Type 2 trojan pua
Threat Type 3 babar rootkit flystudio

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://129.204.230.225/QQ.exe 129.204.230.225 2024-07-09 00:29:23

PE Sections 0 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x1747ea 1527808 6e529dd5b13a38802980029ff461277586808721 68c232d613a0da8cb09e55d2093315ac
.rdata 0x176000 0x5889c 364544 09c98506b7ed6f2cc139f0d55ce5576db859ddbc cd0999389de2f16fd491db161e4b7afb
.data 0x1cf000 0x6404a 114688 22f24d60502332ff12674890611d40f8b4203dab d839326410a02cdfed04788e02cae14e
.rsrc 0x234000 0x924c 40960 737753fe672882c50fa0a098ccb3499bd7e583d5 2b5a8e4338f57a9ee4ad1060b796f63f

PE Resources 11

Name Language Sublanguage Offset Size Data
TEXTINCLUDE LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0x234c18 337
RT_CURSOR LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0x235108 180
RT_BITMAP LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0x23697c 324
RT_ICON LANG_NEUTRAL SUBLANG_NEUTRAL 0x236ed0 16936
RT_MENU LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0x23b104 644
RT_DIALOG LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0x23c34c 396
RT_STRING LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0x23cd94 36
RT_GROUP_CURSOR LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0x23cde0 34
RT_GROUP_ICON LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0x23ce2c 20
RT_VERSION LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0x23ce40 572
RT_MANIFEST LANG_NEUTRAL SUBLANG_NEUTRAL 0x23d07c 461

Meta infos 7

LegalCopyright: 作者版权所有 请尊重并使用正版 (Copyright held by the author; please respect it and use the genuine version)
ProductVersion: 1.0.0.0
FileDescription: 易语言程序 (EasyLanguage program)
Translation: 0x0804 0x04b0
ProductName: QQ
Comments: 本程序使用易语言编写(http://www.eyuyan.com) (This program was written in EasyLanguage)
FileVersion: 1.0.0.0

Packers detected 3

Microsoft Visual C++ v6.0
Microsoft Visual C++ 5.0
Microsoft Visual C++

Anti debug functions 9

FindWindowA
FindWindowExA
GetLastError
GetWindowThreadProcessId
Process32First
Process32Next
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

VMCheck.dll

Strings analysis - File found

Library
SHLWAPI.dll
OLEAUT32.dll
ADVAPI32.dll
VERSION.dll
WININET.dll
GDI32.dll
MPR.dll
USER32.dll
WS2_32.dll
ntdll.dll
COMCTL32.dll
MSVCRT.dll
SYMSRV.DLL
ole32.dll
SHELL32.dll
KERNEL32.dll
mhmain.dll
WINMM.dll
IPHLPAPI.DLL
COMDLG32.dll
hal.dll

Strings analysis - Possible IPs found 2

192.168.0.129
129.204.230.225

Strings analysis - Possible URLs found 26

http://crls.pki.jemmylovejenny.tk/SHA1TimeStampingServicesCA.crl0
http://ocsp.verisign.com0
https://www.verisign.com/rpa
https://www.verisign.com/rpa0
http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
http://ocsp.pki.jemmylovejenny.tk/SHA1TimeStampingServicesCA0O
http://cacerts.pki.jemmylovejenny.tk/SHA1TimeStampingServicesCA.crt0
http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
https://d.symcb.com/cps0%
http://129.204.230.225//QQ.exe
http://
http://crls.pki.jemmylovejenny.tk/EVRootCA.crl0
http://crl.verisign.com/pca3-g5.crl04
http://ocsp.pki.jemmylovejenny.tk/EVRootCA0=
https://d.symcb.com/rpa0
https://www.verisign.com/cps0
https://pki.jemmylovejenny.tk/rpa0
http://sf.symcd.com0&
http://sf.symcb.com/sf.crl0f
http://cacerts.pki.jemmylovejenny.tk/EVRootCA.crt0?
http://sf.symcb.com/sf.crt0
https://pki.jemmylovejenny.tk/cps0/
http://ocsp.verisign.com0;
http://www.eyuyan.com)
http://logo.verisign.com/vslogo.gif04
http://csc3-2010-aia.verisign.com/CSC3-2010.cer0

Import functions