JaYSN.exe

First submission 2022-08-02 20:02:01

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
File type:	132.0 KB (135168 bytes)
Compile time:	2022-07-31 18:04:17
MD5:	a3c20b8c564076ca4e520a99c6cd1764
SHA1:	74700468ca8ef36b4111230b786bbab78c410468
SHA256:	d178525a986175d484866facf95baa1573a63a1060e5a06346ee4da4932df656
Import Hash :	4f7271df0bf201cf627af3103fba2c2e
Sections 3	.text .data .rsrc
Directories 2	import resource
Virus Total:	35/71 VT report date: 2022-08-01 12:41:10

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 2

URL	Host (FQDN/IP)	Date Added
hXXp://109.206.241.81/htdocs/JxRQX.exe	109.206.241.81	2022-08-02 20:02:01
hXXp://109.206.241.81/htdocs/JaYSN.exe	109.206.241.81	2022-08-02 20:38:07

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x1dff0	122880	c8fdfdeb1fb4d06e238ca325b7ddeb115268b3c2	131ccd8bec12b7c9a42ecbb1ae7ed9d2
.data	0x1f000	0xbd4	4096	1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d	620f0b67a91f7f74151bc5be745b7110
.rsrc	0x20000	0x9d0	4096	67accd71d6e95b5f1f50d131e3310823d607b6b0	c60e6e6d378907f86f9e06610873804b

PE Resources 3

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x20490	296
RT_GROUP_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x20460	48
RT_VERSION	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x20150	784	PE Resource: RT_VERSION - Data 4VS_VERSION_INFODVarFileInfo$Translation pStringFileInfoL040904B0,Commentsfirebases8CompanyNameabacterial8FileDescriptionindolsDLegalCopyrightindogaea 24222<LegalTrademarkspuffingly4ProductNamefireball4FileVersion4.01.00028ProductVersion4.01.00024InternalNameflatletsDOriginalFilenameflatlets.exe

Name

Language

Sublanguage

Offset

Size

Data

RT_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x20490

296

RT_GROUP_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x20460

RT_VERSION

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x20150

784

Meta infos 11

FileDescription:	indols
OriginalFilename:	flatlets.exe
LegalCopyright:	indogaea 24222
Translation:	0x0409 0x04b0
InternalName:	flatlets
Comments:	firebases
LegalTrademarks:	puffingly
FileVersion:	4.01.0002
ProductName:	fireball
ProductVersion:	4.01.0002
CompanyName:	abacterial

Packers detected 2

Microsoft Visual Basic v5.0
Microsoft Visual Basic v5.0 - v6.0

Strings analysis - File found

Compressed
\CryptoWallets.zip
\Files.zip
Autogen
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Library
KERNEL32.dll
MSVBVM60.DLL
WININET.dll
SHELL32.dll
VBA6.DLL

Strings analysis - Possible URLs found 1

https://api.telegram.org/bot

Import functions

MSVBVM60.DLL 130

Function	Address	Souspicious	Anti Debug
_CIcos	0x401000
_adj_fptan	0x401004
__vbaVarMove	0x401008
__vbaVarVargNofree	0x40100c
__vbaFreeVar	0x401010
__vbaAryMove	0x401014
__vbaLenBstr	0x401018
__vbaStrVarMove	0x40101c
__vbaEnd	0x401020
__vbaFreeVarList	0x401024
_adj_fdiv_m64	0x401028
__vbaFreeObjList	0x40102c
None	0x401030
_adj_fprem1	0x401034
__vbaStrCat	0x401038
__vbaRecDestruct	0x40103c
__vbaSetSystemError	0x401040
__vbaLenBstrB	0x401044
__vbaHresultCheckObj	0x401048
_adj_fdiv_m32	0x40104c
None	0x401050
None	0x401054
__vbaAryDestruct	0x401058
None	0x40105c
__vbaExitProc	0x401060
__vbaForEachCollObj	0x401064
None	0x401068
__vbaOnError	0x40106c
__vbaObjSet	0x401070
_adj_fdiv_m16i	0x401074
__vbaObjSetAddref	0x401078
_adj_fdivr_m16i	0x40107c
_CIsin	0x401080
__vbaErase	0x401084
None	0x401088
None	0x40108c
None	0x401090
None	0x401094
__vbaNextEachCollObj	0x401098
__vbaVarZero	0x40109c
__vbaChkstk	0x4010a0
__vbaFileClose	0x4010a4
EVENT_SINK_AddRef	0x4010a8
__vbaGenerateBoundsError	0x4010ac
__vbaStrCmp	0x4010b0
None	0x4010b4
__vbaAryConstruct2	0x4010b8
__vbaI2I4	0x4010bc
__vbaObjVar	0x4010c0
DllFunctionCall	0x4010c4
__vbaFpUI1	0x4010c8
__vbaLbound	0x4010cc
__vbaRedimPreserve	0x4010d0
_adj_fpatan	0x4010d4
__vbaRedim	0x4010d8
EVENT_SINK_Release	0x4010dc
__vbaNew	0x4010e0
__vbaUI1I2	0x4010e4
_CIsqrt	0x4010e8
EVENT_SINK_QueryInterface	0x4010ec
__vbaStr2Vec	0x4010f0
__vbaUI1I4	0x4010f4
__vbaStrUI1	0x4010f8
__vbaExceptHandler	0x4010fc
__vbaPrintFile	0x401100
__vbaStrToUnicode	0x401104
None	0x401108
None	0x40110c
_adj_fprem	0x401110
_adj_fdivr_m64	0x401114
None	0x401118
None	0x40111c
None	0x401120
__vbaFPException	0x401124
None	0x401128
None	0x40112c
__vbaStrVarVal	0x401130
__vbaUbound	0x401134
__vbaGetOwner3	0x401138
__vbaVarCat	0x40113c
None	0x401140
None	0x401144
None	0x401148
_CIlog	0x40114c
__vbaErrorOverflow	0x401150
__vbaFileOpen	0x401154
__vbaVarLateMemCallLdRf	0x401158
__vbaNew2	0x40115c
__vbaInStr	0x401160
None	0x401164
None	0x401168
__vbaVar2Vec	0x40116c
_adj_fdiv_m32i	0x401170
_adj_fdivr_m32i	0x401174
None	0x401178
__vbaStrCopy	0x40117c
__vbaFreeStrList	0x401180
__vbaDerefAry1	0x401184
_adj_fdivr_m32	0x401188
__vbaPowerR8	0x40118c
_adj_fdiv_r	0x401190
None	0x401194
None	0x401198
None	0x40119c
__vbaAryLock	0x4011a0
__vbaVarAdd	0x4011a4
__vbaLateMemCall	0x4011a8
__vbaStrToAnsi	0x4011ac
__vbaVarDup	0x4011b0
__vbaVarCopy	0x4011b4
None	0x4011b8
__vbaFpI4	0x4011bc
__vbaVarLateMemCallLd	0x4011c0
__vbaLateMemCallLd	0x4011c4
_CIatan	0x4011c8
None	0x4011cc
__vbaAryCopy	0x4011d0
__vbaStrMove	0x4011d4
__vbaCastObj	0x4011d8
__vbaR8IntI4	0x4011dc
__vbaStrVarCopy	0x4011e0
_allmul	0x4011e4
_CItan	0x4011e8
__vbaAryUnlock	0x4011ec
_CIexp	0x4011f0
None	0x4011f4
__vbaI4ErrVar	0x4011f8
__vbaFreeObj	0x4011fc
__vbaFreeStr	0x401200
None	0x401204

Name	Latest seen	MD5
xPBAQ.exe	2022-07-06 18:26:01	c7468437984c0dbc9da355e31bc153e7
jHRLw.exe	2022-07-26 20:58:02	bee47439c4960e2728594ece9ad95ba7
NqHNP.exe	2022-07-27 23:06:02	d7b1362070332023e5163fc54bc9decc
LqAST.exe	2022-07-28 14:26:02	a64c16946bf03bfa2c52aba4dd0b55cc
RdSwQ.exe	2022-08-02 20:30:02	6862264bbd7688ac4bd96f16786cd153
GsLQA.exe	2022-08-02 20:53:02	97ea1fd26da454e1502d7f4de38a21af