npc.exe

First submission 2024-10-16 20:12:00

File details

File type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Mime type: application/x-dosexec
File size: 12003.5 KB (12291584 bytes)
Compile time: 1970-01-01 01:00:00 (PE TimeDateStamp is 0, rendered in UTC+1; the Go linker leaves this field zero, so it carries no information about when the file was built)
MD5: ae8acf66bfe3a44148964048b826d005
SHA1: cea49e9b9b67f3a13ad0be1c2655293ea3c18181
SHA256: 5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856
Import Hash : f42ff1ef15a23ca4dd23d78dc0962f09
Sections (6): .text .rdata .data .idata .reloc .symtab
Directories (2): import, relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

VirusTotal: 55/79 detections (VT report date: 2024-09-25 11:08:49)
Malware type (3): hacktool, trojan, pua
Threat type (3): npctool, crack, redcap

URLs, FQDN and IP indicators (1)

URL: hXXp://39.105.31.193:1389/npc.exe
Host (FQDN/IP): 39.105.31.193
Date added: 2024-10-16 20:12:00

PE sections (6; the scanner flags 1 as suspicious)

Name     VAddress   VSize      Size      SHA1                                      MD5                               Suspicious
.text    0x1000     0x5eeeb4   6221824   c1ebe0d81c18a20bc82f3371f0edaed9c65aa443  e2000b91291ecc9dbfdc3d02e90ead60
.rdata   0x5f0000   0x514ea2   5328896   b85e20bb12a13ed3e8119b92639088cb8354ef15  d27396dd3bee52d1213a1d6d5bd318ee
.data    0xb05000   0xb6c88    493568    91786e580cf080392b6f606f61f70af4399dbe49  bbcfcc6ed18c4cfeb7da4782f8bde380
.idata   0xbbc000   0x4dc      1536      8f953273e4d696df19de9b829911859759dc05b9  d908a1a46112b618941512b0e094700d
.reloc   0xbbd000   0x3b62c    243712    afab20a8387036e2720e238f7d930beb5d32549e  71d610bcd750383c0e5f1d046dd0a33a
.symtab  0xbf9000   0x4        512       943ae54f4818e52409fbbaf60ffd71318d966b0d  07b5472d347d42780469fb2654b7fc54
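To check whether a locally obtained copy is the file described above, and to settle the "Is DLL" feature flag (which contradicts the console-executable file type in the file details) from the COFF characteristics bit, here is a self-contained header parser. It is an added example, not output of the analysis tool. The hashes in REPORT are copied from this report; build_sample_pe() constructs a tiny synthetic PE32+ so the script runs offline; and the Go-linker indicators it prints (a zero TimeDateStamp and the 4-byte .symtab section, which MSVC never emits) are this example's own heuristics.

```python
"""Verify a local PE against the section hashes in the report (added example)."""
import hashlib
import struct
import sys

# Copied from the report above.
REPORT = {
    "sha256": "5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856",
    "section_sha1": {
        ".text": "c1ebe0d81c18a20bc82f3371f0edaed9c65aa443",
        ".rdata": "b85e20bb12a13ed3e8119b92639088cb8354ef15",
        ".data": "91786e580cf080392b6f606f61f70af4399dbe49",
        ".idata": "8f953273e4d696df19de9b829911859759dc05b9",
        ".reloc": "afab20a8387036e2720e238f7d930beb5d32549e",
        ".symtab": "943ae54f4818e52409fbbaf60ffd71318d966b0d",
    },
}
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit


def digest(algo, data):
    return hashlib.new(algo, data).hexdigest()


def parse_pe(data):
    """Minimal PE parser: COFF header fields plus per-section raw-data hashes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    sections = []
    for i in range(nsec):
        off = coff + 20 + opt_size + 40 * i          # section table follows the optional header
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "size": rawsize,
            "sha1": digest("sha1", raw), "md5": digest("md5", raw),
        })
    return {"machine": machine, "timestamp": timestamp, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "sections": sections, "sha256": digest("sha256", data)}


def go_indicators(info):
    """Header traits typical of Go-linker output (this example's heuristics, not proof)."""
    hits = []
    if info["timestamp"] == 0:
        hits.append("TimeDateStamp is 0 (the Go linker does not stamp a build time)")
    if any(s["name"] == ".symtab" for s in info["sections"]):
        hits.append(".symtab section present (emitted by the Go linker, never by MSVC)")
    return hits


def compare_to_report(info, report=REPORT):
    """List (field, expected, actual) mismatches; an empty list means the file matches."""
    out = []
    if info["sha256"] != report["sha256"]:
        out.append(("sha256", report["sha256"], info["sha256"]))
    have = {s["name"]: s["sha1"] for s in info["sections"]}
    for name, sha1 in report["section_sha1"].items():
        if have.get(name) != sha1:
            out.append((name + " sha1", sha1, have.get(name)))
    return out


def build_sample_pe():
    """Constructed two-section PE32+ (not npc.exe) with Go-style headers, for offline runs."""
    text_raw = b"\x48\x31\xc0\xc3".ljust(0x200, b"\0")   # xor rax,rax ; ret
    symtab_raw = b"\0\0\0\0".ljust(0x200, b"\0")          # 4-byte .symtab, 512 raw, like the report
    e_lfanew, opt_size = 0x40, 0xF0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x0022)  # x64, 2 sections, ts=0, EXE
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")                  # PE32+ magic only

    def sec(name, vaddr, raw, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, 4, vaddr, len(raw), rawptr, 0, 0, 0, 0, chars)

    headers = (dos + b"PE\0\0" + coff + opt
               + sec(b".text", 0x1000, text_raw, 0x200, 0x60000020)
               + sec(b".symtab", 0x2000, symtab_raw, 0x400, 0x42000040))
    return headers.ljust(0x200, b"\0") + text_raw + symtab_raw


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(blob)
    print("machine=%#x dll=%s timestamp=%d" % (info["machine"], info["is_dll"], info["timestamp"]))
    for s in info["sections"]:
        print("%-8s %#-9x %#-9x %8d %s" % (s["name"], s["vaddr"], s["vsize"], s["size"], s["sha1"]))
    print("go indicators:", go_indicators(info))
    print("mismatches vs report:", compare_to_report(info) or "none")
```

Run it with the path to your copy; with no argument it parses the constructed sample, which is expected to mismatch the report on every hash. A matching file prints "mismatches vs report: none" and an is_dll value you can trust over the feature-flag list.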

Anti-debug functions (1)

Bochs & QEMU CPUID trick. Caveat: this signature keys on use of the CPUID instruction, and the Go runtime executes CPUID at startup to probe CPU features, so it fires on practically every Go amd64 binary and is not by itself evidence of deliberate anti-VM or anti-debug logic.

Strings analysis - File names found (grouped by extension)

Note: several hits are not files. math.Log, *session.Log and *eventlog.Log are Go function and type symbols (math.Log is the standard-library function), the beego entry is a Go method name, and the short DLL entries (_32.dll, rof.dll, L32.DLL, i32.dll) are tails of longer names clipped by the extractor; KERNEL32.dll is the only complete library name in the list.

Log:
  *session.Log
  *eventlog.Log
  math.Log
XML:
  github.com/astaxie/beego/context.(*BeegoOutput).XML
Library:
  _32.dll
  rof.dll
  KERNEL32.dll
  *syscall.DLL
  *windows.DLL
  L32.DLL
  i32.dll
  type..eq.syscall.DLL
  type..eq.golang.org/x/sys/windows.DLL

Strings analysis - Possible IPs found (30)

Note: most entries are dotted-decimal fragments of version strings and ASN.1 object identifiers (1.3.6.1 is the iso.org.dod.internet arc), not addresses, and 0.26.01.12 is not a valid IPv4 literal. Only 127.0.0.1, 1.1.1.1 (Cloudflare public DNS) and 114.114.114.114 (114DNS public resolver) are plausible network literals.

1.2.7.1
1.1.2.1
1.4.6.1
1.1.3.1
1.3.6.1
5.4.62.5
1.4.7.1
1.4.1.1
127.0.0.1
1.2.2.1
4.72.5.4
1.2.3.1
1.4.11.1
1.4.14.2
1.2.5.1
114.114.114.114
1.4.10.1
5.4.112.5
1.2.1.1
1.4.13.1
1.4.3.1
1.4.12.1
1.1.1.1
1.2.9.1
32.5.4.52
1.4.9.1
1.4.14.1
1.4.8.1
0.26.01.12
1.4.4.1
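The same triage done mechanically, so the rule can be reused on the next report: strict IPv4 syntax (no leading zeros, octets 0-255), then loopback/non-routable classification, then a filter for OID arcs and version-like digit runs. This is an added example, not part of the analysis tool; CANDIDATES is copied from the list above, while the OID arc list, the resolver labels and the "fragment" heuristic (every octet below 16) are this example's own assumptions.

```python
"""Classify dotted-quad strings pulled from a binary (added example)."""
from ipaddress import IPv4Address

# The 30 candidates from the report above, used here as constructed input.
CANDIDATES = [
    "1.2.7.1", "1.1.2.1", "1.4.6.1", "1.1.3.1", "1.3.6.1", "5.4.62.5", "1.4.7.1", "1.4.1.1",
    "127.0.0.1", "1.2.2.1", "4.72.5.4", "1.2.3.1", "1.4.11.1", "1.4.14.2", "1.2.5.1",
    "114.114.114.114", "1.4.10.1", "5.4.112.5", "1.2.1.1", "1.4.13.1", "1.4.3.1", "1.4.12.1",
    "1.1.1.1", "1.2.9.1", "32.5.4.52", "1.4.9.1", "1.4.14.1", "1.4.8.1", "0.26.01.12", "1.4.4.1",
]

# Well-known public resolvers (labels are this example's own).
KNOWN = {
    "1.1.1.1": "Cloudflare public DNS",
    "114.114.114.114": "114DNS public resolver",
}

# Leading arcs of ASN.1 object identifiers that a dotted-quad regex also matches (assumed list).
OID_ARCS = ("1.3.6.1", "1.2.840", "2.5.4", "2.5.29", "2.16.840")


def strict_ipv4(s):
    """Return an IPv4Address for a strict dotted quad, else None.

    Leading zeros are rejected (octal ambiguity across parsers), as are octets > 255."""
    parts = s.split(".")
    if len(parts) != 4:
        return None
    for p in parts:
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 255:
            return None
    return IPv4Address(s)


def classify(s):
    """Return (category, note) for one candidate string."""
    ip = strict_ipv4(s)
    if ip is None:
        return ("invalid", "not a strict IPv4 literal")
    if s in KNOWN:
        return ("known", KNOWN[s])
    if ip.is_loopback:
        return ("loopback", "127.0.0.0/8")
    if ip.is_private or ip.is_link_local or ip.is_multicast or ip.is_reserved:
        return ("non-routable", "private, link-local, multicast or reserved range")
    if s.startswith(OID_ARCS) or max(int(p) for p in s.split(".")) < 16:
        return ("fragment", "OID arc or version-like digit run, not an address")
    return ("unverified", "syntactically valid; confirm from the surrounding bytes")


def triage(candidates):
    """Group candidates by category, preserving report order within each group."""
    groups = {}
    for s in candidates:
        cat, _ = classify(s)
        groups.setdefault(cat, []).append(s)
    return groups


if __name__ == "__main__":
    for cat, items in triage(CANDIDATES).items():
        print("%-12s %s" % (cat, ", ".join(items)))
```

Anything left in "unverified" (here 5.4.62.5, 4.72.5.4, 32.5.4.52 and 5.4.112.5) is where manual work goes: look at the bytes around the match before treating it as an indicator.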

Strings analysis - Possible URLs found (11)

Note: Go stores string literals back to back without terminators, so the extractor runs each URL into the literal that follows it (".../download/%s/%s" + "insufficient", ".../directory" + "internal", and so on); read only the prefix up to the first non-URL word. The recognisable endpoints are the W3C XML namespace, the beego documentation links, https://ehang.io/nps/releases/download/%s/%s and https://api.github.com/repos/ehang-io/nps/releases/latest (release download and update check of the open-source NPS tunnelling tool, whose client binary is named npc, matching the file name and the npctool label above), http://myexternalip.com/raw (public-IP lookup) and the Let's Encrypt ACME v2 directory. The "identityif-matchif-range..." and "hybull;hyphen;..." hits are keyword and HTML-entity tables that happen to follow a scheme prefix and contain no URL.

http://www.w3.org/XML/1998/namespaceinternal
http://beego.me/docs/advantage/monitor.md
https://identityif-matchif-rangeimageUrlinfinityintprod;invalid
http://beego.me/docs/module/toolbox.md
http://hybull;hyphen;iacute;igrave;iiiint;iinfin;incare;includeinodot;installintcal;integerinvalidiquest;isinsv;itilde;jsercy;kappav;kcedil;key
https://ehang.io/nps/releases/download/%s/%sinsufficient
http://myexternalip.com/rawicmp
http://%shttp2:
https://api.github.com/repos/ehang-io/nps/releases/latestparser.ParseFile:
https://acme-v02.api.letsencrypt.org/directoryinternal
https://%si/o

Import functions