oconsole.exe

First submission 2024-10-16 08:19:03

File details

File type:	PE32+ executable (console) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	20543.66 KB (21036712 bytes)
Compile time:	2024-10-13 16:10:46
MD5:	a6ff47344d0188ec4c26dc435698a477
SHA1:	a53fa13d323b5973409dacd6b2e69e10bd506345
SHA256:	39e20fa47644c31275280e79c46e8a4d53b796dde456aac92fd8399c984b0358
Import Hash :	a06f302f71edd380da3d5bf4a6d94ebd
Sections 6	.text .rdata .data .pdata .rsrc .reloc
Directories 4	import resource debug relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	27/77 VT report date: 2024-10-16 07:49:33
Malware Type 1	trojan
Threat Type 2	clyp disco

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://172.104.202.223/oconsole.exe	172.104.202.223	2024-10-16 08:19:03

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x2b110	176640	ea200f32c9b32ca6d80cc06d709db3e6a5557f73	55ff5ed922edfe0b0c10734c674f4ee4
.rdata	0x2d000	0x12842	76288	296d799e4cfbc2390c21fb88463aeaea864d3133	218d7d3a658eaea257d8afb85a8d7db4
.data	0x40000	0x5408	3584	249cf6b3c95e5782a7f27c661b5f018c45d7745c	aff56347f897785154c53727472c548d
.pdata	0x46000	0x22f8	9216	b5fd13ef0a20267ee6c023bcfed00a928a687dfd	57f77a295f3be6e2a8e90035dde19ce2
.rsrc	0x49000	0xef8c	61440	a2f889fc23a4bb2ff4d728fc6dcfff45237dca94	5d72e0338b034862f777c781ab7d2219
.reloc	0x58000	0x768	2048	e599e91a866af587afec0cc6408b4eaba8188703	42d6242177dbae8e11ed5d64b87d0d48

PE Resources 3

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x575ac	1128	PE Resource: RT_ICON - Data ( X8 a@ZJ6fffXXXCCC///\|bA$ Se i'j{Zp;n9Z&?Zi'l-wZNNq;^ l-o3}NNNo8b&o3s8MNLl4ze+f2o:vH}XfsNLKf-ae2i8d'42\|)%:+L8!^F)pT1a9o@}FI["Hh5E5OULvlllm8\|I/zJ5-D\]W2pppYYYq7f3X#N.HS]Z9999u4f3a,h/HR]\U71)))w1g3/HR]\Z8?1 s+k7/HTPQJ;\u1" q&n:/G]X' D/m T ,"@WQ)W;h~\'635e2 X+#;<+U!n gAT-AAAAAAAAAAAAAAAA
RT_GROUP_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x57a14	104
RT_MANIFEST	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x57a7c	1293	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language=""/> </dependentAssembly> </dependency> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x575ac

1128

RT_GROUP_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x57a14

104

RT_MANIFEST

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x57a7c

1293

Packers detected 2

Microsoft Visual C++ 8.0 (DLL)
Microsoft Visual C++ 8.0

Anti debug functions 7

GetLastError
GetWindowThreadProcessId
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Backup
h.oLd
Compressed
bbase_library.zip
base_library.zip
Database
p4.i.Db
&A.Db
Text
bsetuptools-65.5.0.dist-info\entry_points.txt
bsetuptools-65.5.0.dist-info\top_level.txt
Library
mscoree.dll
vcruntime140.dll
7python311.dll
bsqlite3.dll
bpython3.dll
blibssl-1_1.dll
blibffi-8.dll
bpywin32_system32\pywintypes311.dll
ADVAPI32.dll
KERNEL32.dll
bPythonwin\mfc140u.dll
ucrtbase.dll
bVCRUNTIME140_1.dll
bVCRUNTIME140.dll
USER32.dll
bpywin32_system32\pythoncom311.dll
bpython311.dll
blibcrypto-1_1.dll

Strings analysis - Possible URLs found 1

http://schemas.microsoft.com/SMI/2016/WindowsSettings

Import functions

ADVAPI32.dll 4 KERNEL32.dll 107 USER32.dll 14

Function	Address	Souspicious	Anti Debug
ConvertSidToStringSidW	0x14002d000
GetTokenInformation	0x14002d008
OpenProcessToken	0x14002d010
ConvertStringSecurityDescriptorToSecurityDescriptorW	0x14002d018

Function	Address	Souspicious	Anti Debug
GetTimeZoneInformation	0x14002d028
GetProcessHeap	0x14002d030
FreeEnvironmentStringsW	0x14002d038
GetEnvironmentStringsW	0x14002d040
GetCPInfo	0x14002d048
GetOEMCP	0x14002d050
GetACP	0x14002d058
IsValidCodePage	0x14002d060
GetStringTypeW	0x14002d068
FormatMessageW	0x14002d070
GetLastError	0x14002d078
GetModuleFileNameW	0x14002d080
LoadLibraryExW	0x14002d088
SetDllDirectoryW	0x14002d090
CreateSymbolicLinkW	0x14002d098
GetProcAddress	0x14002d0a0
CreateDirectoryW	0x14002d0a8
GetCommandLineW	0x14002d0b0
GetEnvironmentVariableW	0x14002d0b8
ExpandEnvironmentStringsW	0x14002d0c0
DeleteFileW	0x14002d0c8
FindClose	0x14002d0d0
FindFirstFileW	0x14002d0d8
FindNextFileW	0x14002d0e0
HeapSize	0x14002d0e8
RemoveDirectoryW	0x14002d0f0
GetTempPathW	0x14002d0f8
CloseHandle	0x14002d100
QueryPerformanceCounter	0x14002d108
QueryPerformanceFrequency	0x14002d110
WaitForSingleObject	0x14002d118
Sleep	0x14002d120
GetCurrentProcess	0x14002d128
GetCurrentProcessId	0x14002d130
TerminateProcess	0x14002d138
GetExitCodeProcess	0x14002d140
CreateProcessW	0x14002d148
GetStartupInfoW	0x14002d150
FreeLibrary	0x14002d158
LocalFree	0x14002d160
SetConsoleCtrlHandler	0x14002d168
GetConsoleWindow	0x14002d170
K32EnumProcessModules	0x14002d178
K32GetModuleFileNameExW	0x14002d180
CreateFileW	0x14002d188
FindFirstFileExW	0x14002d190
GetFinalPathNameByHandleW	0x14002d198
MultiByteToWideChar	0x14002d1a0
WideCharToMultiByte	0x14002d1a8
GetFileAttributesExW	0x14002d1b0
HeapReAlloc	0x14002d1b8
WriteConsoleW	0x14002d1c0
SetEndOfFile	0x14002d1c8
GetDriveTypeW	0x14002d1d0
IsDebuggerPresent	0x14002d1d8
RtlCaptureContext	0x14002d1e0
RtlLookupFunctionEntry	0x14002d1e8
RtlVirtualUnwind	0x14002d1f0
UnhandledExceptionFilter	0x14002d1f8
SetUnhandledExceptionFilter	0x14002d200
IsProcessorFeaturePresent	0x14002d208
GetCurrentThreadId	0x14002d210
GetSystemTimeAsFileTime	0x14002d218
InitializeSListHead	0x14002d220
GetModuleHandleW	0x14002d228
RtlUnwindEx	0x14002d230
SetLastError	0x14002d238
EnterCriticalSection	0x14002d240
LeaveCriticalSection	0x14002d248
DeleteCriticalSection	0x14002d250
InitializeCriticalSectionAndSpinCount	0x14002d258
TlsAlloc	0x14002d260
TlsGetValue	0x14002d268
TlsSetValue	0x14002d270
TlsFree	0x14002d278
EncodePointer	0x14002d280
RaiseException	0x14002d288
RtlPcToFileHeader	0x14002d290
GetFileInformationByHandle	0x14002d298
GetFileType	0x14002d2a0
PeekNamedPipe	0x14002d2a8
SystemTimeToTzSpecificLocalTime	0x14002d2b0
FileTimeToSystemTime	0x14002d2b8
ReadFile	0x14002d2c0
GetFullPathNameW	0x14002d2c8
SetStdHandle	0x14002d2d0
GetStdHandle	0x14002d2d8
WriteFile	0x14002d2e0
ExitProcess	0x14002d2e8
GetModuleHandleExW	0x14002d2f0
GetCommandLineA	0x14002d2f8
HeapFree	0x14002d300
GetConsoleMode	0x14002d308
ReadConsoleW	0x14002d310
SetFilePointerEx	0x14002d318
GetConsoleOutputCP	0x14002d320
GetFileSizeEx	0x14002d328
HeapAlloc	0x14002d330
FlsAlloc	0x14002d338
FlsGetValue	0x14002d340
FlsSetValue	0x14002d348
FlsFree	0x14002d350
CompareStringW	0x14002d358
LCMapStringW	0x14002d360
GetCurrentDirectoryW	0x14002d368
FlushFileBuffers	0x14002d370
SetEnvironmentVariableW	0x14002d378

Function	Address	Souspicious	Anti Debug
TranslateMessage	0x14002d388
ShutdownBlockReasonCreate	0x14002d390
GetWindowThreadProcessId	0x14002d398
SetWindowLongPtrW	0x14002d3a0
GetWindowLongPtrW	0x14002d3a8
MsgWaitForMultipleObjects	0x14002d3b0
ShowWindow	0x14002d3b8
DestroyWindow	0x14002d3c0
CreateWindowExW	0x14002d3c8
RegisterClassW	0x14002d3d0
DefWindowProcW	0x14002d3d8
PeekMessageW	0x14002d3e0
DispatchMessageW	0x14002d3e8
GetMessageW	0x14002d3f0

Name	Latest seen	MD5
FreeMenuF7.exe?ex=670c6a4f&is=670b18cf&hm=708940c07a26aaf3672b4ecc443356a73d7db9284ddace557e866ab656ed23b4&	2024-10-13 17:37:02	1069ade6b99d29bfe4d0526e23ed714d
RezWareUpdater.exe?ex=670cae4b&is=670b5ccb&hm=6b7767e2959bba7239b160100573375d95ac04f204f064ca6d9161caf5dd4d0e&	2024-10-13 18:25:03	caf83d29d4db7764696f1c225317fe16

oconsole.exe

File details

File features detected

OSINT Enrichments

URLs, FQDN and IP indicators 1

PE Sections 1 suspicious

PE Resources 3

Packers detected 2

Anti debug functions 7

Strings analysis - File found

Strings analysis - Possible URLs found 1

Import functions

Related files by ImpHash 2 a06f302f71edd380da3d5bf4a6d94ebd