installer.exe

First submission 2024-10-14 21:12:01

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Mime type:	application/x-dosexec
File size:	523.05 KB (535601 bytes)
Compile time:	2009-12-05 23:50:46
MD5:	a332dda934130d9581fea55fd737a474
SHA1:	998d0cc8d66d54c1c849f36f273d22b97d205c89
SHA256:	235c7943c7cd48eb749b69bdb488a580e13b42ef5123be170acb7a1c471accdb
Import Hash :	099c0646ea7282d232219f8807883be0
Sections 5	.text .rdata .data .ndata .rsrc
Directories 2	import resource

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	61/77 VT report date: 2024-10-14 21:01:09
Malware Type 3	trojan adware virus
Threat Type 3	searchprotect visicom badur

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://download.yourfileinfo.com/installer.exe	download.yourfileinfo.com	2024-10-14 21:12:02

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x5a5a	23552	dd2a446014a37556f39173b802c63a4e46e09366	0bc2ffd32265a08d72b795b18265828d
.rdata	0x7000	0x1190	4608	6035d27db526131eb0f29aee60cfcdbb5072ed7d	f179218a059068529bdb4637ef5fa28e
.data	0x9000	0x1af98	1024	1f65340672c91ffd0f2583ff104beaece43c7855	975304d6dd6c4a4f076b15511e2bbbc0
.ndata	0x24000	0x8000	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.rsrc	0x2c000	0x9e8	2560	8cac944d46b43f84ee57f87e82cac672b52601a9	74b0d2c51e0b3b992e001832690034b7

PE Resources 4

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x2c190	744
RT_DIALOG	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x2c698	96
RT_GROUP_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x2c6f8	20
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x2c710	727	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

Packers detected 1

Nullsoft PiMP Stub -> SFX

Anti debug functions 2

FindWindowExA
GetLastError

Strings analysis - File found

Temporary
~nsu.tmp
Library
ADVAPI32.dll
VERSION.dll
SHELL32.dll
COMCTL32.dll
USER32.dll
GDI32.dll
ole32.dll
KERNEL32.dll

Strings analysis - Possible URLs found 1

http://nsis.sf.net/NSIS_Error

Import functions

VERSION.dll 3 GDI32.dll 8 ADVAPI32.dll 9 KERNEL32.dll 59 SHELL32.dll 6 ole32.dll 4 USER32.dll 62 COMCTL32.dll 4

Function	Address	Souspicious	Anti Debug
GetFileVersionInfoSizeA	0x407268
GetFileVersionInfoA	0x40726c
VerQueryValueA	0x407270

Function	Address	Souspicious	Anti Debug
SetBkColor	0x40703c
GetDeviceCaps	0x407040
DeleteObject	0x407044
CreateBrushIndirect	0x407048
CreateFontIndirectA	0x40704c
SetBkMode	0x407050
SetTextColor	0x407054
SelectObject	0x407058

Function	Address	Souspicious	Anti Debug
RegQueryValueExA	0x407000
RegSetValueExA	0x407004
RegEnumKeyA	0x407008
RegEnumValueA	0x40700c
RegOpenKeyExA	0x407010
RegDeleteKeyA	0x407014
RegDeleteValueA	0x407018
RegCloseKey	0x40701c
RegCreateKeyExA	0x407020

Function	Address	Souspicious	Anti Debug
CompareFileTime	0x407060
SearchPathA	0x407064
GetShortPathNameA	0x407068
GetFullPathNameA	0x40706c
MoveFileA	0x407070
SetCurrentDirectoryA	0x407074
GetFileAttributesA	0x407078
GetLastError	0x40707c
CreateDirectoryA	0x407080
SetFileAttributesA	0x407084
Sleep	0x407088
GetTickCount	0x40708c
CreateFileA	0x407090
GetFileSize	0x407094
GetModuleFileNameA	0x407098
GetCurrentProcess	0x40709c
CopyFileA	0x4070a0
ExitProcess	0x4070a4
SetFileTime	0x4070a8
GetTempPathA	0x4070ac
GetCommandLineA	0x4070b0
SetErrorMode	0x4070b4
LoadLibraryA	0x4070b8
lstrcpynA	0x4070bc
GetDiskFreeSpaceA	0x4070c0
GlobalUnlock	0x4070c4
GlobalLock	0x4070c8
CreateThread	0x4070cc
CreateProcessA	0x4070d0
RemoveDirectoryA	0x4070d4
GetTempFileNameA	0x4070d8
lstrlenA	0x4070dc
lstrcatA	0x4070e0
GetSystemDirectoryA	0x4070e4
GetVersion	0x4070e8
CloseHandle	0x4070ec
lstrcmpiA	0x4070f0
lstrcmpA	0x4070f4
ExpandEnvironmentStringsA	0x4070f8
GlobalFree	0x4070fc
GlobalAlloc	0x407100
WaitForSingleObject	0x407104
GetExitCodeProcess	0x407108
GetModuleHandleA	0x40710c
LoadLibraryExA	0x407110
GetProcAddress	0x407114
FreeLibrary	0x407118
MultiByteToWideChar	0x40711c
WritePrivateProfileStringA	0x407120
GetPrivateProfileStringA	0x407124
WriteFile	0x407128
ReadFile	0x40712c
MulDiv	0x407130
SetFilePointer	0x407134
FindClose	0x407138
FindNextFileA	0x40713c
FindFirstFileA	0x407140
DeleteFileA	0x407144
GetWindowsDirectoryA	0x407148

Function	Address	Souspicious	Anti Debug
SHGetPathFromIDListA	0x407150
SHBrowseForFolderA	0x407154
SHGetFileInfoA	0x407158
ShellExecuteA	0x40715c
SHFileOperationA	0x407160
SHGetSpecialFolderLocation	0x407164

Function	Address	Souspicious	Anti Debug
CoTaskMemFree	0x407278
OleInitialize	0x40727c
OleUninitialize	0x407280
CoCreateInstance	0x407284

Function	Address	Souspicious	Anti Debug
EndDialog	0x40716c
ScreenToClient	0x407170
GetWindowRect	0x407174
EnableMenuItem	0x407178
GetSystemMenu	0x40717c
SetClassLongA	0x407180
IsWindowEnabled	0x407184
SetWindowPos	0x407188
GetSysColor	0x40718c
GetWindowLongA	0x407190
SetCursor	0x407194
LoadCursorA	0x407198
CheckDlgButton	0x40719c
GetMessagePos	0x4071a0
LoadBitmapA	0x4071a4
CallWindowProcA	0x4071a8
IsWindowVisible	0x4071ac
CloseClipboard	0x4071b0
SetClipboardData	0x4071b4
EmptyClipboard	0x4071b8
RegisterClassA	0x4071bc
TrackPopupMenu	0x4071c0
AppendMenuA	0x4071c4
CreatePopupMenu	0x4071c8
GetSystemMetrics	0x4071cc
SetDlgItemTextA	0x4071d0
GetDlgItemTextA	0x4071d4
MessageBoxIndirectA	0x4071d8
CharPrevA	0x4071dc
DispatchMessageA	0x4071e0
PeekMessageA	0x4071e4
DestroyWindow	0x4071e8
CreateDialogParamA	0x4071ec
SetTimer	0x4071f0
SetWindowTextA	0x4071f4
PostQuitMessage	0x4071f8
SetForegroundWindow	0x4071fc
wsprintfA	0x407200
SendMessageTimeoutA	0x407204
FindWindowExA	0x407208
SystemParametersInfoA	0x40720c
CreateWindowExA	0x407210
GetClassInfoA	0x407214
DialogBoxParamA	0x407218
CharNextA	0x40721c
OpenClipboard	0x407220
ExitWindowsEx	0x407224
IsWindow	0x407228
GetDlgItem	0x40722c
SetWindowLongA	0x407230
LoadImageA	0x407234
GetDC	0x407238
EnableWindow	0x40723c
InvalidateRect	0x407240
SendMessageA	0x407244
DefWindowProcA	0x407248
BeginPaint	0x40724c
GetClientRect	0x407250
FillRect	0x407254
DrawTextA	0x407258
EndPaint	0x40725c
ShowWindow	0x407260

Function	Address	Souspicious	Anti Debug
ImageList_AddMasked	0x407028
ImageList_Destroy	0x40702c
None	0x407030
ImageList_Create	0x407034

Name	Latest seen	MD5
9377chiyue_Y_mgaz.exe	2022-11-22 08:16:06	e258e77914272054d942bc9cb27ca477

installer.exe

File details

File features detected

OSINT Enrichments

URLs, FQDN and IP indicators 1

PE Sections 1 suspicious

PE Resources 4

Packers detected 1

Anti debug functions 2

Strings analysis - File found

Strings analysis - Possible URLs found 1

Import functions

Related files by ImpHash 1 099c0646ea7282d232219f8807883be0