RjXoD.exe

First submission 2022-08-02 21:02:01

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
File type:	273.5 KB (280064 bytes)
Compile time:	2022-03-01 12:50:40
MD5:	8f98297f190db64c6c1bb9b85b78eca5
SHA1:	1bef5e61a3c11a8651870f3ad386f0a09f94de52
SHA256:	3adeefdaffda88ac8183d5c4164c9ad10b63c039c72fac187a596f4fcf906c00
Import Hash :	e03c5ea8e25367650e1f4380ec0a6eaf
Sections 5	.text .rdata .data .rsrc .reloc
Directories 4	import resource debug relocation
Virus Total:	50/70 VT report date: 2022-08-02 18:35:46

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 3

URL	Host (FQDN/IP)	Date Added
hXXp://109.206.241.81/htdocs/HkAmK.exe	109.206.241.81	2022-08-02 21:02:01
hXXp://109.206.241.81/htdocs/mTGTn.exe	109.206.241.81	2022-08-02 21:29:06
hXXp://109.206.241.81/htdocs/RjXoD.exe	109.206.241.81	2022-08-02 21:30:06

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x34016	213504	8b11a6a75c0c4afe17527437d4e61daf1550e22a	7a9ddb67ce72e7dd208024ba88169987
.rdata	0x36000	0xc21a	50176	5373541278a7844171c7571155eaa60f5a50d01c	4c609e35f19a5036177e73609e0d0d2c
.data	0x43000	0x83d4	5120	3c8e3c7c0ace2ae991996cc536a89bad149de62e	1c9d521216dda7a411c965e7a6c88f9e
.rsrc	0x4c000	0x1e0	512	ef576397c23665da98fde8f33b2c3dab7de7f27d	62c766a35b447894162bbd059d638ccf
.reloc	0x4d000	0x242c	9728	720ba7ac174ae9d214d23395ebdb9195fcbb6b35	b0d1e45242ac1ae5a2dbb390beb9337a

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x4c060	381	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_MANIFEST

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x4c060

381

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Anti debug functions 9

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
OutputDebugStringW
Process32First
Process32Next
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Library
mscoree.dll
SHLWAPI.dll
SHELL32.dll
Crypt32.dll
KERNEL32.dll
WINHTTP.dll
WS2_32.dll
ADVAPI32.dll
USER32.dll
IPHLPAPI.DLL
PSAPI.DLL
%s\Sqlite3\sqlite3.dll
NETAPI32.dll
ole32.dll
GDI32.dll

Strings analysis - Possible IPs found 1

1.1.1.1

Strings analysis - Possible URLs found 1

http://%s%%s%.2d-%.2d-%.4d

Import functions

SHLWAPI.dll 1 WS2_32.dll 18 CRYPT32.dll 1 KERNEL32.dll 118 SHELL32.dll 3 ADVAPI32.dll 16 USER32.dll 30 NETAPI32.dll 2 GDI32.dll 8 ole32.dll 2

Function	Address	Souspicious	Anti Debug
StrToIntA	0x436268

Function	Address	Souspicious	Anti Debug
WSAGetLastError	0x4362ec
WSAStartup	0x4362f0
gethostbyname	0x4362f4
socket	0x4362f8
shutdown	0x4362fc
setsockopt	0x436300
send	0x436304
select	0x436308
recv	0x43630c
htons	0x436310
ioctlsocket	0x436314
connect	0x436318
closesocket	0x43631c
__WSAFDIsSet	0x436320
ntohs	0x436324
inet_ntoa	0x436328
WSACleanup	0x43632c
WSAIoctl	0x436330

Function	Address	Souspicious	Anti Debug
CryptUnprotectData	0x436044

Function	Address	Souspicious	Anti Debug
Process32First	0x436070
Process32Next	0x436074
InitializeCriticalSection	0x436078
EnterCriticalSection	0x43607c
LeaveCriticalSection	0x436080
ExitProcess	0x436084
GetDiskFreeSpaceExA	0x436088
GetDriveTypeA	0x43608c
GetVolumeInformationA	0x436090
SetErrorMode	0x436094
GetLogicalDriveStringsA	0x436098
GetCommandLineA	0x43609c
CreateDirectoryW	0x4360a0
DeleteFileW	0x4360a4
FindClose	0x4360a8
FindFirstFileA	0x4360ac
FindFirstFileW	0x4360b0
FindNextFileA	0x4360b4
FindNextFileW	0x4360b8
GetFileAttributesW	0x4360bc
GetFileAttributesExW	0x4360c0
SetFileAttributesW	0x4360c4
CreateProcessA	0x4360c8
GetModuleFileNameW	0x4360cc
MoveFileW	0x4360d0
FileTimeToSystemTime	0x4360d4
MultiByteToWideChar	0x4360d8
WideCharToMultiByte	0x4360dc
Sleep	0x4360e0
GetSystemTime	0x4360e4
GetLocalTime	0x4360e8
FreeLibrary	0x4360ec
GetProcAddress	0x4360f0
LoadLibraryA	0x4360f4
GetCommandLineW	0x4360f8
GetLastError	0x4360fc
ReleaseMutex	0x436100
CreateMutexA	0x436104
GetModuleFileNameA	0x436108
LocalFree	0x43610c
CreateFileW	0x436110
SetFilePointer	0x436114
WriteFile	0x436118
GetFullPathNameW	0x43611c
CreateToolhelp32Snapshot	0x436120
TerminateProcess	0x436124
OpenProcess	0x436128
GetCurrentThreadId	0x43612c
GetTickCount	0x436130
ReadFile	0x436134
CreatePipe	0x436138
PeekNamedPipe	0x43613c
GetStartupInfoA	0x436140
GetSystemInfo	0x436144
GetVersionExA	0x436148
GetComputerNameW	0x43614c
ResumeThread	0x436150
GetFileSizeEx	0x436154
GetConsoleMode	0x436158
GetConsoleOutputCP	0x43615c
LCMapStringW	0x436160
CompareStringW	0x436164
HeapFree	0x436168
HeapAlloc	0x43616c
WriteConsoleW	0x436170
GetStdHandle	0x436174
SystemTimeToTzSpecificLocalTime	0x436178
GetFileType	0x43617c
GetFileInformationByHandle	0x436180
GetDriveTypeW	0x436184
GetModuleHandleExW	0x436188
FreeLibraryAndExitThread	0x43618c
ExitThread	0x436190
CreateThread	0x436194
RaiseException	0x436198
DecodePointer	0x43619c
LoadLibraryExW	0x4361a0
TlsFree	0x4361a4
TlsSetValue	0x4361a8
CloseHandle	0x4361ac
SetFilePointerEx	0x4361b0
ReadConsoleW	0x4361b4
FlushFileBuffers	0x4361b8
HeapReAlloc	0x4361bc
SetStdHandle	0x4361c0
GetCurrentProcessId	0x4361c4
GetTimeZoneInformation	0x4361c8
OutputDebugStringW	0x4361cc
FindFirstFileExW	0x4361d0
IsValidCodePage	0x4361d4
GetACP	0x4361d8
GetOEMCP	0x4361dc
GetCPInfo	0x4361e0
GetEnvironmentStringsW	0x4361e4
FreeEnvironmentStringsW	0x4361e8
SetEnvironmentVariableW	0x4361ec
GetStringTypeW	0x4361f0
GetProcessHeap	0x4361f4
SetEndOfFile	0x4361f8
HeapSize	0x4361fc
GetCurrentDirectoryW	0x436200
GetProcessTimes	0x436204
TlsGetValue	0x436208
TlsAlloc	0x43620c
InitializeCriticalSectionAndSpinCount	0x436210
DeleteCriticalSection	0x436214
SetLastError	0x436218
RtlUnwind	0x43621c
UnhandledExceptionFilter	0x436220
SetUnhandledExceptionFilter	0x436224
GetCurrentProcess	0x436228
IsProcessorFeaturePresent	0x43622c
QueryPerformanceCounter	0x436230
GetSystemTimeAsFileTime	0x436234
InitializeSListHead	0x436238
IsDebuggerPresent	0x43623c
GetStartupInfoW	0x436240
GetModuleHandleW	0x436244

Function	Address	Souspicious	Anti Debug
SHFileOperationW	0x436258
ShellExecuteW	0x43625c
CommandLineToArgvW	0x436260

Function	Address	Souspicious	Anti Debug
CryptHashData	0x436000
GetUserNameW	0x436004
RegSetValueExA	0x436008
RegEnumValueA	0x43600c
RegDeleteValueA	0x436010
RegDeleteKeyA	0x436014
RegCreateKeyExA	0x436018
CryptDestroyHash	0x43601c
RegCloseKey	0x436020
CryptCreateHash	0x436024
CryptGetHashParam	0x436028
CryptReleaseContext	0x43602c
CryptAcquireContextA	0x436030
RegQueryValueExA	0x436034
RegOpenKeyExA	0x436038
RegEnumKeyExA	0x43603c

Function	Address	Souspicious	Anti Debug
IsWindowVisible	0x436270
SendMessageW	0x436274
SendMessageA	0x436278
GetSystemMetrics	0x43627c
GetLastInputInfo	0x436280
GetDesktopWindow	0x436284
SetCursorPos	0x436288
ReleaseDC	0x43628c
GetDC	0x436290
SetWindowTextW	0x436294
EnumWindows	0x436298
RegisterRawInputDevices	0x43629c
GetRawInputData	0x4362a0
GetWindowTextW	0x4362a4
GetForegroundWindow	0x4362a8
MapVirtualKeyW	0x4362ac
ToUnicode	0x4362b0
GetKeyNameTextW	0x4362b4
GetKeyboardState	0x4362b8
GetKeyState	0x4362bc
CreateWindowExW	0x4362c0
ShowWindow	0x4362c4
PostQuitMessage	0x4362c8
DefWindowProcW	0x4362cc
DispatchMessageA	0x4362d0
TranslateMessage	0x4362d4
GetMessageW	0x4362d8
keybd_event	0x4362dc
mouse_event	0x4362e0
RegisterClassExW	0x4362e4

Function	Address	Souspicious	Anti Debug
NetWkstaGetInfo	0x43624c
NetApiBufferFree	0x436250

Function	Address	Souspicious	Anti Debug
SelectObject	0x43604c
GetDIBits	0x436050
GetDeviceCaps	0x436054
DeleteObject	0x436058
DeleteDC	0x43605c
CreateCompatibleDC	0x436060
CreateCompatibleBitmap	0x436064
BitBlt	0x436068

Function	Address	Souspicious	Anti Debug
CoInitialize	0x436338
CoCreateInstance	0x43633c

Name	Latest seen	MD5
rZDBX.exe	2022-08-02 21:24:01	b701f11ecf355febaa54d234d9b33529