7e207560.exe

First submission 2024-02-10 05:22:03

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 798.12 KB (817272 bytes)
Compile time: 2020-09-15 18:09:42
MD5: 90aadf2247149996ae443e2c82af3730
SHA1: 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256: ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
Import Hash : 3e985254f2e34ad96da799a2a5d33efe
Sections 4 .text .rdata .data .rsrc
Directories 3 import resource security
Virus Total:

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXps://secret-s1.ru/files/7e207560.exe VirusTotal Report secret-s1.ru VirusTotal Report 2024-02-10 05:22:03

PE Sections 0 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x8dbba 581632 8b8c57811f823784195ede1cf2bb86df0e6cab2c e9fdccbf9b6e9c08d2d25203218da990
.rdata 0x8f000 0x1a5a6 110592 49aef74be74bb96ad1bc51640e399712e06b70e3 9e1fe715f2c3b902583721ecc37f38a2
.data 0xaa000 0x1ebb8 94208 4d0d637a3e92cb4889e9461286182531a99db60c f656b81b1a65cc5cd37a0a06e6db25eb
.rsrc 0xc9000 0x4490 20480 2dd0e844b23a6549dbaff63e51a7e741aeb07e4d 75b2d6b81820dddb6dd4a0c0a5ef06df

PE Resources 5

Name Language Sublanguage Offset Size Data
BINARY LANG_NEUTRAL SUBLANG_NEUTRAL 0xcd1a0 1
RT_ICON LANG_NEUTRAL SUBLANG_NEUTRAL 0xcc0c8 4264
RT_GROUP_ICON LANG_NEUTRAL SUBLANG_NEUTRAL 0xcd170 48
RT_VERSION LANG_ENGLISH SUBLANG_ENGLISH_US 0xcd1a8 744
RT_MANIFEST LANG_NEUTRAL SUBLANG_NEUTRAL 0xc91f0 1474

Meta infos 13

LegalCopyright:
InternalName: Ammyy Admin
FileVersion: 3.10
FileDescription: Ammyy Admin
SpecialBuild:
CompanyName: Ammyy LLC
LegalTrademarks:
Comments:
ProductName: Ammyy Admin
ProductVersion: 3.10
PrivateBuild:
Translation: 0x0409 0x04b0
OriginalFilename:

Packers detected 3

Microsoft Visual C++ v6.0
Microsoft Visual C++ 5.0
Microsoft Visual C++

Anti debug functions 7

FindWindowA
FindWindowW
GetLastError
GetWindowThreadProcessId
Process32First
Process32Next
TerminateProcess

Anti debug functions 1

VMCheck.dll

File signature

MD5 SHA1 Block size Virtual Address
f5f002561056067837b38eba4715b84f 2748edaafba3e68532aaf142111452c0a8fe4439 6264 811008

Strings analysis - File found

Binary
Ammyy_Contact_Book.bin
*.bin
contacts3.bin
_tmp\AMMYY_Admin.bin
settings3.bin
settings.bin
contacts.bin
sessions.bin
Log
eAMMYY_service.log
access.log
ammyy.log
ammyy_id.log
Temporary
%sAmmyy_%X.tmp
_%.4hu-%.2hu%.2hu-%.2hu%.2hu%.2hu-%.3hu.tmp
Object
hhctrl.ocx
Data
%u-%u-%u-%u.dat
Library
W\winsta.dll
Shcore.dll
ewmsgapi.dll
ADVAPI32.dll
SHLWAPI.dll
dwmapi.dll
WININET.dll
WTSAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll
COMCTL32.dll
secur32.dll
USER32.dll
USERENV.dll
SETUPAPI.dll
GDI32.dll
KERNEL32.dll
DSOUND.dll
COMDLG32.dll
IPHLPAPI.DLL

Strings analysis - Possible IPs found 2

1.0.0.1
127.0.0.1

Strings analysis - Possible URLs found 18

http://www.ammyy.com/?lang=
http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
http://ts-ocsp.ws.symantec.com07
http://ocsp.sectigo.com0
http://crl.thawte.com/ThawteTimestampingCA.crl0
http://ocsp.usertrust.com0
http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%
http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
https://sectigo.com/CPS0C
http://ocsp.thawte.com0
http://www.ammyy.com/
https://
http://www.ammyy.com
http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://rl.ammyy.com
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<

Import functions