DigitalSide Threat Intel

bot64.bin

First submission 2024-10-18 07:23:02

File details

File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 284.5 KB (291328 bytes)
Compile time: 2024-10-14 17:25:10
MD5: 9ef53eea53bc23a3501d4bae7fa76905
SHA1: f2e79cedf527c57a8f3698c216e9e0786e530780
SHA256: 95deedb793e8716b92271896435fd94a7585f699e20a308bb8349671db54cfc2
Import Hash : 5ce0d5a96a49e5bc172e9fc651bd9cca
Sections 6 .text .rdata .data .pdata .rsrc .reloc
Directories 4 import export resource relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 52/77 VT report date: 2024-10-17 15:32:53
Malware Type 1 trojan
Threat Type 3 tinukebot meterpreter nekark

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://176.111.174.140/api/bot64.bin VirusTotal Report 176.111.174.140 VirusTotal Report 2024-10-18 07:23:02

PE Sections 0 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x30a0c 199680 4170968ea4cd50bfcab5c05886e6a69aea4ac37d ff766bdbaac990cb5221e69739195292
.rdata 0x32000 0xddf6 56832 f29e3051a7ca75a93fd83adad86b186c77e7c1b9 511f38a95fb0fedbba51f37012842db4
.data 0x40000 0xcc88 10240 3d23a80df0b4eb537f331b86dd42fe3392d8c827 2a30623590ad9dd19d356986c16f558d
.pdata 0x4d000 0x3234 13312 c422c6bff98410d456b4104c81ca99f432320635 0d9584f9964a079befa078ebbda744d5
.rsrc 0x51000 0x288 1024 19e141e48aa5f73ab78fc250ed36168e32e50816 b2c856b073218d5fc79a1dd7114d8a5c
.reloc 0x52000 0x223e 9216 a82d08b4eae270aa3b252ed4f41044386e8a2db9 16217b4d788bf3ab7ed8038d09c9362c

PE Resources 1

Name Language Sublanguage Offset Size Data
RT_MANIFEST LANG_ENGLISH SUBLANG_ENGLISH_US 0x51060 548

Anti debug functions 7

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
OutputDebugStringW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Binary
bot64.bin
Library
KERNEL32.dll
USER32.dll
mscoree.dll
ADVAPI32.dll
chrome.dll
WS2_32.dll
nss3.dll
ntdll.dll
MSVCRT.dll
child.dll
SHLWAPI.dll
PSAPI.DLL
GDI32.dll
KernelBase.dll
msedge.dll
secur32.dll
WININET.dll
opera_browser.dll
VERSION.dll
SHELL32.dll
Web Page
/GrXRYWt.php

Strings analysis - Possible IPs found 1

176.111.174.140

Strings analysis - Possible URLs found 1

http://schemas.microsoft.com/SMI/2005/WindowsSettings

Import functions

Function Address Souspicious Anti Debug
RegOpenKeyExA 0x180032000
RegQueryValueExA 0x180032008
RegCloseKey 0x180032010
Function Address Souspicious Anti Debug
CreateFileW 0x180032020
FlushFileBuffers 0x180032028
WriteConsoleW 0x180032030
SetStdHandle 0x180032038
ReadConsoleW 0x180032040
SetFilePointerEx 0x180032048
GetConsoleMode 0x180032050
GetConsoleCP 0x180032058
GetProcAddress 0x180032060
LoadLibraryA 0x180032068
GetSystemInfo 0x180032070
VirtualAlloc 0x180032078
VirtualFree 0x180032080
VirtualQuery 0x180032088
CloseHandle 0x180032090
HeapCreate 0x180032098
HeapAlloc 0x1800320a0
HeapReAlloc 0x1800320a8
HeapFree 0x1800320b0
Sleep 0x1800320b8
GetCurrentProcess 0x1800320c0
GetCurrentProcessId 0x1800320c8
GetCurrentThreadId 0x1800320d0
OpenThread 0x1800320d8
SuspendThread 0x1800320e0
ResumeThread 0x1800320e8
GetThreadContext 0x1800320f0
SetThreadContext 0x1800320f8
FlushInstructionCache 0x180032100
VirtualProtect 0x180032108
GetModuleHandleW 0x180032110
CreateToolhelp32Snapshot 0x180032118
Thread32First 0x180032120
Thread32Next 0x180032128
EnterCriticalSection 0x180032130
LeaveCriticalSection 0x180032138
lstrlenA 0x180032140
CreateFileA 0x180032148
WriteFile 0x180032150
GetModuleHandleA 0x180032158
Module32First 0x180032160
Module32Next 0x180032168
GlobalAlloc 0x180032170
GlobalLock 0x180032178
GlobalUnlock 0x180032180
GetFileSize 0x180032188
ReadFile 0x180032190
lstrcatA 0x180032198
CreateThread 0x1800321a0
InitializeCriticalSectionEx 0x1800321a8
DeleteCriticalSection 0x1800321b0
EncodePointer 0x1800321b8
DecodePointer 0x1800321c0
WideCharToMultiByte 0x1800321c8
GetLocaleInfoEx 0x1800321d0
MultiByteToWideChar 0x1800321d8
GetStringTypeW 0x1800321e0
RtlPcToFileHeader 0x1800321e8
RaiseException 0x1800321f0
RtlLookupFunctionEntry 0x1800321f8
RtlUnwindEx 0x180032200
GetLastError 0x180032208
GetCommandLineA 0x180032210
InitializeCriticalSectionAndSpinCount 0x180032218
GetCPInfo 0x180032220
IsProcessorFeaturePresent 0x180032228
GetStdHandle 0x180032230
GetModuleFileNameW 0x180032238
ExitProcess 0x180032240
GetModuleHandleExW 0x180032248
HeapSize 0x180032250
SetLastError 0x180032258
IsValidCodePage 0x180032260
GetACP 0x180032268
GetOEMCP 0x180032270
GetProcessHeap 0x180032278
IsDebuggerPresent 0x180032280
GetFileType 0x180032288
InitOnceExecuteOnce 0x180032290
GetStartupInfoW 0x180032298
GetModuleFileNameA 0x1800322a0
QueryPerformanceCounter 0x1800322a8
GetSystemTimeAsFileTime 0x1800322b0
GetTickCount64 0x1800322b8
GetEnvironmentStringsW 0x1800322c0
FreeEnvironmentStringsW 0x1800322c8
RtlCaptureContext 0x1800322d0
RtlVirtualUnwind 0x1800322d8
UnhandledExceptionFilter 0x1800322e0
SetUnhandledExceptionFilter 0x1800322e8
FlsAlloc 0x1800322f0
FlsGetValue 0x1800322f8
FlsSetValue 0x180032300
FlsFree 0x180032308
TerminateProcess 0x180032310
CompareStringEx 0x180032318
GetUserDefaultLocaleName 0x180032320
LCMapStringEx 0x180032328
IsValidLocaleName 0x180032330
EnumSystemLocalesEx 0x180032338
OutputDebugStringW 0x180032340
LoadLibraryExW 0x180032348
LoadLibraryW 0x180032350
Function Address Souspicious Anti Debug
freeaddrinfo 0x180032360
getaddrinfo 0x180032368
WSACleanup 0x180032370
WSAStartup 0x180032378
socket 0x180032380
shutdown 0x180032388
send 0x180032390
connect 0x180032398
closesocket 0x1800323a0

PE Exports 1 suspicious

Function Address
?ReflectiveLoader@@YA_KXZ 0x18001aed0

Related files by ImpHash 1 5ce0d5a96a49e5bc172e9fc651bd9cca

Name Latest seen MD5
update.pack 2024-10-15 05:21:02 9ae6451ef8b57a66983dc0496050f7c4