payload.exe

First submission 2024-10-14 17:44:01

File details

File type: PE32+ executable (console) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 58.72 KB (60125 bytes)
Compile time: 2024-09-22 16:49:31
MD5: 8bbc71bfca95de5ebb9679e32b501d90
SHA1: 3400b76519faa211ac09e16a786801c8269fc9ec
SHA256: 2a4f52e877fbc6c6773407d46a5f820523a4254e88d1889bd52b628b5a8b2494
Import Hash : e163292b217fe935db063cc7d6af0f13
Sections 18 .text .data .rdata .pdata .xdata .bss .idata .CRT .tls .rsrc .reloc /4 /19 /31 /45 /57 /70 /81
Directories 4 import resource tls relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://130.61.181.50/ransomware/payload.exe 130.61.181.50 2024-10-14 17:44:01

PE Sections 5 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x1e78 8192 a8820ae0de79db1bedd13fd7b18d27a4e8afe87b 8a1c196aa0b8f99a710c83bb9aca6f4b
.data 0x3000 0xa0 512 6c779d640d911bf73ff902909aa740542255dcdb e54a1a01022216f7b65e86c5b4861af0
.rdata 0x4000 0x8b0 2560 2f0f15a9617aed7f9dd2e3f2a573915859479fbc 5164f134ab23b56d0ede8e03c6feb1c8
.pdata 0x5000 0x24c 1024 c0291ef62287912162ad70216f64b520b65714dd 92077c9757fbed6bde262e5f652ada12
.xdata 0x6000 0x258 1024 0f4e38bdead9c28ef9e4ef2011d18b30c3ef96d8 a2cddc883e52f6ea1fae77ce6f58de91
.bss 0x7000 0x160 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.idata 0x8000 0x52c 1536 f8c40767b06edd66855d95b09c6ab9e65fd978f0 3175aeac005fd743c5d9b85766d113db
.CRT 0x9000 0x60 512 4f99a3f6c47e277e7a4976c932b3c2e9c1d1cf45 0d931b027915ccb511976d9ccc491442
.tls 0xa000 0x10 512 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 bf619eac0cdf3f68d496ea9344137e8b
.rsrc 0xb000 0x4e8 1536 d8c6bb5e232b4098168c9378078aaf4e9d77ee3f 3b7f4d778dd55680650e27ddd712b430
.reloc 0xc000 0x7c 512 b05c65b299357cf50947009781a09db504e38c93 01fa6748b517377727e581d9d3c1106d
/4 0xd000 0x30 512 42cf2c4ef68974d5e56001ad39a0182cd28a1a00 fa280819a57143764265a93ed69187b5
/19 0xe000 0x2b22 11264 d9c9a25a26831f4c7bf4a6e073e04fc90860fd5d 9b3f7f8e94b8e30cf8293e936d655c7e
/31 0x11000 0x3d9 1024 c04fc2fe0cbb1f9b4a8f751c6e495c1278071a32 d91d35bd40a7713b48d4aa562d3b79fc
/45 0x12000 0x12e 512 fcec62be7ba0e15ea342073c288a7f9eae1e955f a4879ea3def7e741a4af79f9eec1c24b
/57 0x13000 0x40 512 8a9a55a12afe20df2ec53eadcd82581151739173 04d3c2ff9a153081c13e2b162cadf51f
/70 0x14000 0x53 512 e12b4b8d3387e4e1dfdf0d8335eae488028b34ab 4875ac2726608202d01e29ebaa7f958f
/81 0x15000 0x46f 1536 0784d5c95a0188c49b425b024750311d0178e5c0 54801bfc76d2c716514c622b83e71817

PE Resources 1

Name Language Sublanguage Offset Size Data
RT_MANIFEST LANG_NEUTRAL SUBLANG_NEUTRAL 0xb058 1167

Anti debug functions 1

GetLastError

Strings analysis - File found

Library
MSVCRT.dll
KERNEL32.dll

Import functions