sig.exe

First submission 2024-02-08 18:02:02

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 4648.23 KB (4759792 bytes)
Compile time: 2023-10-04 17:30:00
MD5: b15566a766c1a7ea3f013fd98bb86216
SHA1: 28409207c0b59d98390e0d8226183fe76fb0d9ca
SHA256: 9423522a796f3190f1e434382e3760294527dae11844bd9aece3ee70899a74c6
Import Hash : 2372a510663575e218ece860e8ec85bb
Sections 5 .text .rdata .data .didat .rsrc
Directories 7 import export resource debug tls relocation security

File features detected

Is DLL: no. The file type is PE32 executable, not a DLL, although it carries an export table (see PE Exports below).
Packers: 2 signatures matched; both are compiler identifications rather than packers (see Packers detected below).
Anti Debug: 10 imported functions matched (see Anti debug functions below).
Anti VM: 1 check matched (the Bochs & QEmu CPUID Trick entry below).
Signed: yes. The directory list above includes a security directory and the File signature block below describes it.
XOR: not detailed anywhere else on the page.

URLs, FQDN and IP indicators 1

URL: hXXp://89.208.107.151/sig.exe
Host (FQDN/IP): 89.208.107.151
Date added: 2024-02-08 18:02:02

PE Sections 1 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x2f8000 3112960 0b46e73bd1511d96308288877d099ab99d1f6092 da12ba74f632dce60e4ec1871b9d3b36
.rdata 0x2f9000 0xb9000 754688 e7df4a78abd05c25e9464443c127e0efebbb661a 95f7c1da46169318fa10025ec00ed083
.data 0x3b2000 0xc000 19456 8fe5b097bbe79ec44d1951b6ed1a93041f717e24 dbefc43de450b9336008cb153dca6db3
.didat 0x3be000 0x1000 1536 7cdd79328d1f279ec9aef6e098a56aeed8e20512 760a49b2fddd17f507a9b7809defbbd0
.rsrc 0x3bf000 0xd2250 861184 c3c05445719991fc6eb3caaa41d44e8bdef7c3e9 953821e0bc84aa0a0d1a67c2256230bc

PE Resources 8

Name Language Sublanguage Offset Size Data
REGISTRY LANG_NEUTRAL SUBLANG_SYS_DEFAULT 0x3bfe8c 195
RT_ICON LANG_NEUTRAL SUBLANG_SYS_DEFAULT 0x3d8400 744
RT_MENU LANG_SPANISH SUBLANG_SPANISH_MODERN 0x3d8a78 90
RT_DIALOG LANG_SPANISH SUBLANG_SPANISH_MODERN 0x3db6b8 698
RT_STRING LANG_SPANISH SUBLANG_SPANISH_MODERN 0x3e86d4 782
RT_GROUP_ICON LANG_NEUTRAL SUBLANG_SYS_DEFAULT 0x3e8a5c 20
RT_ANIICON LANG_NEUTRAL SUBLANG_NEUTRAL 0x42b734 415286
RT_MANIFEST LANG_NEUTRAL SUBLANG_SYS_DEFAULT 0x490d6c 1251

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Both hits are compiler/linker signatures for the Microsoft Visual C++ toolchain, not packers. Nothing on this page indicates the file is packed: the section set (.text .rdata .data .didat .rsrc) is the standard MSVC layout and the raw and virtual sizes of each section line up.

Anti debug functions 10

These are imported functions that match the tool's anti-debug list, not confirmed evasion behaviour. GetLastError, IsProcessorFeaturePresent, RaiseException, TerminateProcess, UnhandledExceptionFilter and IsDebuggerPresent are pulled in by the MSVC C runtime's startup and error-handling code and appear in practically every MSVC-built binary. The matches worth a cross-reference check are OutputDebugStringA/W and Process32FirstW/Process32NextW (process enumeration, used by installers that look for a running copy of their product as much as by malware that looks for analysis tools), and whether IsDebuggerPresent is called from application code rather than only from the runtime.

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
OutputDebugStringA
OutputDebugStringW
Process32FirstW
Process32NextW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti VM functions 1

Bochs & QEmu CPUID Trick

This entry belongs to the anti-VM signature set, not the anti-debug one: it matches the CPUID-based check that tells Bochs and QEMU apart from real hardware. Like the import matches above it is a pattern hit; CPUID is also used for ordinary feature detection, so confirm at the matched location that the result actually gates execution.

File signature

MD5 SHA1 Block size Virtual Address
e16eb991bd9fcc3dd0ce4a21bee037bf 89ae3dcdfe32b40a84e21aa0d020f1f2a360a435 8944 4750848

This row describes the WIN_CERTIFICATE block that the PE security directory points at, i.e. the Authenticode signature. The MD5 and SHA1 are hashes of that 8944-byte block, not of the signer's certificate and not of the file. For the security directory the "Virtual Address" field is a raw file offset, and 4750848 + 8944 = 4759792 is exactly the file size, so the signature is the last 8944 bytes of the file, as is normal for signed binaries. Hashing the block says nothing about whether the signature verifies or who signed; for that run Get-AuthenticodeSignature .\sig.exe on Windows or osslsigncode verify -in sig.exe elsewhere, which also reports the signer and the countersignature timestamp. The GoDaddy, USERTrust and Sectigo URLs listed under Possible URLs below are the AIA, CRL, OCSP and CPS pointers of a DER-encoded certificate chain, which is what this block contains.
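How the File signature row maps onto the PE layout, shown with an added Python example that is not code from the report or from the sample's vendor: it locates the security directory, parses the WIN_CERTIFICATE header, checks that the block ends at end of file, and hashes the block the way the report does. Because the real sig.exe is not reproduced here, build_sample_pe constructs a minimal PE32 with a placeholder certificate blob; that builder, its offsets and the placeholder DER bytes are assumptions made for this example, while the constants and header offsets come from the PE/COFF specification.

```python
import hashlib
import struct

# Constants from the PE/COFF specification.
SECURITY_DIR_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(pe: bytes):
    """Return (file_offset, size) of the attribute certificate table, or None.

    Unlike every other data directory, the security entry's VirtualAddress is a
    raw file offset: the signature block is never mapped into memory.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # past "PE\0\0" and the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                            # PE32: directories start at +96
        dirs = opt + 96
    elif magic == 0x20B:                          # PE32+: directories start at +112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]   # NumberOfRvaAndSizes
    if n_dirs <= SECURITY_DIR_INDEX:
        return None
    offset, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR_INDEX)
    return (offset, size) if offset and size else None


def signature_block(pe: bytes):
    """Parse the WIN_CERTIFICATE header and hash the block as the report's row does."""
    found = security_directory(pe)
    if found is None:
        return None
    offset, size = found
    if size < 8 or offset + size > len(pe):
        raise ValueError("security directory does not fit in the file")
    block = pe[offset:offset + size]
    length, revision, cert_type = struct.unpack_from("<IHH", block, 0)
    return {
        "offset": offset,
        "size": size,
        "dwLength": length,
        "revision_ok": revision == WIN_CERT_REVISION_2_0,
        "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "ends_at_eof": offset + size == len(pe),
        "md5": hashlib.md5(block).hexdigest(),
        "sha1": hashlib.sha1(block).hexdigest(),
    }


def covers_file_tail(offset: int, size: int, file_size: int) -> bool:
    """The report's arithmetic: 4750848 + 8944 == 4759792, the block is the file's tail."""
    return offset + size == file_size


def build_sample_pe(cert: bytes) -> bytes:
    """Constructed minimal PE32 (no sections) whose only data directory is the
    security table. Sample input for this example, not the layout of sig.exe."""
    header_len = 64 + 4 + 20 + 224                # DOS header, "PE\0\0", COFF, PE32 optional header
    padded = (8 + len(cert) + 7) & ~7             # WIN_CERTIFICATE entries are 8-byte aligned
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 64)             # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)       # i386, no sections
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # magic .. NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * SECURITY_DIR_INDEX, header_len, padded)
    win_cert = struct.pack("<IHH", padded, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + win_cert + cert + b"\0" * (padded - 8 - len(cert))


if __name__ == "__main__":
    sample = build_sample_pe(b"\x30\x03\x02\x01\x01")   # placeholder DER, not a real PKCS#7 SignedData
    print(signature_block(sample))
    print(covers_file_tail(4750848, 8944, 4759792))      # True: the report's numbers add up
```

Run it on a real file with signature_block(open(path, "rb").read()); on sig.exe the md5 and sha1 it returns should match the row above, and an ends_at_eof of False would mean something follows the signature block, which is unusual and worth a look.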

Strings analysis - File found

Executable
www.google.so
Log
NFCTInstall.log
Temporary
%s\%s.tmp
Data
appsig.dat
Text
.out.txt
C:\FctFIPS\katfail.txt
CryptdLog.txt
CryptdMsg.txt
Library
\system32\Netapi32.dll
wintrust.dll
KERNEL32.dll
FCPreScan\libav.dll
%s\uiresources.dll
NETAPI32.dll
NRICHED32.DLL
FCPreScan\mdare.dll
Crypt32.dll
ntdll.dll
dbghelp.dll
ADVAPI32.dll
\libav.dll
PSAPI.DLL
MSVCRT.dll
diskcopy.dll
api-ms-win-core-synch-l1-2-0.dll
mscoree.dll
mdare.dll
%s\libav.dll
%SystemRoot%\system32\kernel32.dll
%s\utilsdll.dll
FortiCredentialProvider2.dll
%s\fasle.dll
WTSAPI32.dll
%s\fcresc.dll
okernel32.dll
fltLib.dll
rpcrt4.dll
libcrypto-3-x64.dll
SHELL32.dll
USER32.dll
ncrypt.dll
VERSION.dll
atlthunk.dll
COMCTL32.dll
IPHLPAPI.DLL
?COMDLG32.dll
SHLWAPI.dll
WS2_32.dll
USERENV.dll
OLEAUT32.dll
ole32.dll
msi.dll
%s.dll
Installer
FortiClient.msi

Notes on this list: www.google.so is a hostname (Google's .so, Somalia, domain), filed under Executable only because of its .so suffix. The leading "?" on ?COMDLG32.dll is an adjacent non-text byte swept up by the string extractor, the same effect that leaves a trailing "0" on the URLs below. The FCPreScan\, FctFIPS\ (katfail.txt, consistent with FIPS known-answer self-test logging), FortiCredentialProvider2.dll, NFCTInstall.log and FortiClient.msi names consistently point at FortiClient installer components, which matches the FCP_/FR_ export names further down; whether this sample is an unmodified vendor build is exactly what the signature check under File signature settles.

Strings analysis - Possible IPs found 26

None of these is a network indicator. They are dotted-decimal fragments of ASN.1 object identifiers caught by a regular expression that accepts any four dot-separated numbers: 1.3.6.1 is the internet arc, 1.3.14.3 the OIW arc that SHA-1 (1.3.14.3.2.26) lives under, 1.3.101.110 to 1.3.101.113 are X25519, X448, Ed25519 and Ed448, 1.3.36.3 is the TeleTrusT algorithm arc (RIPEMD-160 is 1.3.36.3.2.1), 1.3.111.2 starts the IEEE P1619 XTS-AES identifier, 4.1.188.7 sits inside the IDEA identifier 1.3.6.1.4.1.188.7.1.1.2, 101.3.4.1 and 101.3.4.2 are the tails of the NIST AES and SHA-2 arcs under 2.16.840.1.101.3.4, and 1.9.16.3 is the tail of the S/MIME algorithm arc 1.2.840.113549.1.9.16.3. No object identifier begins with 3, so the 3.1.9.x entries can only be interior fragments of longer identifiers. OpenSSL 3 embeds dotted OIDs of this kind in its algorithm-name tables, which fits the libcrypto-3-x64.dll reference and the 3 MB .text section. The only real address on this page is the download host 89.208.107.151, and it is not in the file's strings.

1.3.111.2
4.1.188.7
1.3.101.111
1.3.101.110
1.3.101.113
1.3.101.112
1.3.36.3
1.3.6.1
2.5.8.3
3.1.9.9
3.1.9.4
3.1.9.3
3.1.9.1
3.1.9.29
3.1.9.49
3.1.9.21
3.1.9.43
3.1.9.23
3.1.9.44
1.3.14.3
3.1.9.24
3.1.9.41
101.3.4.1
101.3.4.2
61.1.1.1
1.9.16.3
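To see why a dotted-quad regex reports OID fragments as addresses, and how to keep them out, here is an added Python example that is not the report's own code: it classifies each naive match as an interior OID fragment, an ambiguous quad (first component 0, 1 or 2, the three roots of the OID tree) or a real-looking IPv4 literal. The sample strings are constructed: the four name:OID strings mimic the form OpenSSL 3 uses for algorithm names, http://%s is taken from the list above, and 203.0.113.7 is a documentation-range address inserted to stand in for a genuine hard-coded endpoint.

```python
import re

# The kind of pattern behind "Possible IPs found": any four dot-separated
# 1-3 digit groups, anywhere in a string, with no boundary checks at all.
NAIVE_IPV4 = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

# Constructed sample strings, not the file's actual string dump. The first four
# mimic the name:OID form OpenSSL 3 uses for algorithm names; the last is a
# documentation-range address standing in for a real hard-coded endpoint.
SAMPLE_STRINGS = [
    "ED25519:1.3.101.112",
    "SHA2-256:SHA-256:SHA256:2.16.840.1.101.3.4.2.1",
    "AES-256-XTS:1.3.111.2.1619.0.1.2",
    "SHA1:SHA-1:SSL3-SHA1:1.3.14.3.2.26",
    "http://%s",
    "203.0.113.7:8443",
]


def classify_match(text: str, start: int, end: int) -> str:
    """Decide what one naive dotted-quad match at text[start:end] really is."""
    before = text[start - 1] if start > 0 else ""
    after = text[end] if end < len(text) else ""
    # A digit or dot on either side means the quad is a slice of a longer
    # dotted run, e.g. 101.3.4.2 inside 2.16.840.1.101.3.4.2.1.
    if before.isdigit() or before == "." or after.isdigit() or after == ".":
        return "oid_fragment"
    octets = [int(o) for o in text[start:end].split(".")]
    if any(o > 255 for o in octets):
        return "not_ipv4"
    # Complete four-arc OIDs such as 1.3.101.112 (Ed25519) are valid quads too.
    # The OID tree has only three roots, 0, 1 and 2, so a quad starting with
    # one of them needs the surrounding string (or a human) to decide.
    if octets[0] in (0, 1, 2):
        return "ambiguous"
    return "ipv4"


def classify_dotted_quads(strings):
    """Map every naive match found in the strings to a verdict."""
    verdicts = {}
    for text in strings:
        for m in NAIVE_IPV4.finditer(text):
            verdicts[m.group(0)] = classify_match(text, m.start(), m.end())
    return verdicts


def real_addresses(strings):
    """Only the quads that survive both checks, sorted for stable output."""
    return sorted(q for q, v in classify_dotted_quads(strings).items() if v == "ipv4")


if __name__ == "__main__":
    for quad, verdict in classify_dotted_quads(SAMPLE_STRINGS).items():
        print(f"{quad:16} {verdict}")
    print("addresses worth checking:", real_addresses(SAMPLE_STRINGS))   # ['203.0.113.7']
```

The ambiguous bucket is deliberate: 1.x.x.x and 2.x.x.x are routable, so a quad there cannot be dismissed by its shape alone, but in a binary that also contains OpenSSL algorithm names it is almost always an OID. Version strings such as 10.2.0.43 still pass as ipv4 and need the same context check.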

Strings analysis - Possible URLs found 19

Seventeen of the nineteen are certificate pointers (GoDaddy G2 AIA, CRL, OCSP and CPS; USERTrust and Sectigo CRL, OCSP and CPS for a timestamping chain), not runtime destinations. They sit in DER-encoded certificates, which is why most of them end in residue such as "0", "0F", "0%" or "0#": the extractor kept reading past the URL into the next DER element, whose first byte is 0x30, the SEQUENCE tag (ASCII "0"), followed by a length byte. Strip from the trailing "0" to recover the URL, or better, parse the certificate. The remaining two are http://%s, a format string whose host is assembled at runtime and is not present as a literal, and https://clients2.google.com/service/update2/crx, the Chrome extension update endpoint.

http://certificates.godaddy.com/repository/gdig2.crt0
http://ocsp.godaddy.com/02
http://ocsp.godaddy.com/05
http://crl.godaddy.com/gdroot-g2.crl0F
http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%
http://certs.godaddy.com/repository/1301
http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v
http://crl.godaddy.com/gdig2s5-6.crl0
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
http://ocsp.godaddy.com/0@
http://%s
http://certificates.godaddy.com/repository/0
http://ocsp.usertrust.com0
https://clients2.google.com/service/update2/crx
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
http://ocsp.sectigo.com0
https://certs.godaddy.com/repository/0
https://sectigo.com/CPS0D
http://crl.godaddy.com/gdroot.crl0F
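The trailing residue and the right way to recover the URLs, as an added Python example rather than anything from the report: it builds a constructed DER fragment shaped like a CRL distribution point (a [6] uniformResourceIdentifier GeneralName) followed by a certificate-policy CPS qualifier (an IA5String), runs a strings-style scan over it to reproduce the "0#" residue, then walks the DER properly so that each URI comes out clean. The two URLs are taken from the list above; the DER layout around them is a simplified stand-in for a real certificate, and der(), ascii_strings() and the tag handling are this example's own.

```python
import re

SEQUENCE = 0x30
OCTET_STRING = 0x04
IA5STRING = 0x16          # CPS pointer in a certificate-policy qualifier
GENERAL_NAME_URI = 0x86   # [6] IMPLICIT IA5String: uniformResourceIdentifier in GeneralName
ID_QT_CPS = bytes.fromhex("2b06010505070201")   # OID 1.3.6.1.5.5.7.2.1


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content


# Constructed stand-in for two certificate fields: a CRL distribution point URI
# and a CPS qualifier. The URLs come from the report; the wrapping is simplified
# relative to a real X.509 extension.
SAMPLE_DER = der(SEQUENCE,
                 der(SEQUENCE, der(GENERAL_NAME_URI, b"http://crl.godaddy.com/gdroot-g2.crl"))
                 + der(SEQUENCE, der(0x06, ID_QT_CPS) + der(IA5STRING, b"https://sectigo.com/CPS")))


def ascii_strings(blob: bytes, min_len: int = 4):
    """Runs of printable ASCII, the way strings(1) and this report see a file."""
    out, run = [], bytearray()
    for b in blob + b"\0":               # the sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


URL_RE = re.compile(r"https?://\S+")


def naive_urls(strings):
    """URL regex over extracted strings: keeps whatever printable bytes follow the URL."""
    return [m.group(0) for s in strings for m in URL_RE.finditer(s)]


def _read_tlv(buf: bytes, i: int, hi: int):
    """Return (tag, content_start, content_end) for the element at buf[i], bounded by hi."""
    if i + 2 > hi:
        raise ValueError("truncated element")
    tag, length = buf[i], buf[i + 1]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags are outside this example")
    j = i + 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or j + n > hi:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[j:j + n], "big")
        j += n
    if j + length > hi:
        raise ValueError("element runs past its container")
    return tag, j, j + length


def der_uris(buf: bytes, lo: int = 0, hi=None):
    """Walk DER and collect every URI-bearing primitive, descending into
    constructed elements and into OCTET STRINGs that themselves hold DER."""
    hi = len(buf) if hi is None else hi
    uris, i = [], lo
    while i < hi:
        tag, cs, ce = _read_tlv(buf, i, hi)
        if tag & 0x20:                   # constructed: SEQUENCE, SET, [n] EXPLICIT
            uris.extend(der_uris(buf, cs, ce))
        elif tag == OCTET_STRING:        # X.509 extension values nest DER here
            try:
                uris.extend(der_uris(buf, cs, ce))
            except ValueError:
                pass                     # opaque octets, not nested DER
        elif tag in (GENERAL_NAME_URI, IA5STRING):
            try:
                uris.append(buf[cs:ce].decode("ascii"))
            except UnicodeDecodeError:
                pass
        i = ce
    return uris


if __name__ == "__main__":
    print(naive_urls(ascii_strings(SAMPLE_DER)))   # ['http://crl.godaddy.com/gdroot-g2.crl0#', 'https://sectigo.com/CPS']
    print(der_uris(SAMPLE_DER))                    # ['http://crl.godaddy.com/gdroot-g2.crl', 'https://sectigo.com/CPS']
```

The "0#" on the first naive result is the next element's SEQUENCE tag 0x30 and its length 0x23, exactly the mechanism behind "crl0F" and "crt0%" above; the same scan also emits "0M0&" from the outer headers, which is the kind of junk a minimum length of 4 lets through. On a real signed PE, feed the DER of the WIN_CERTIFICATE block (or each certificate pulled out of it) to der_uris.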

Import functions

PE Exports 54 suspicious

The "suspicious" flag is the tool's reaction to an .exe carrying an export table at all, which is unusual but not malicious in itself. The exported names form two coherent families: FCP_* (package and object header creation and verification, parameter handling, send and receive of requests and responses) and FR_* (connect, read, write, close), plus BeginHttpRequest/BeginHttpResponse, i.e. a packaging and transport layer exported from the executable. The FCP prefix matches the Fortinet naming seen in the strings (FCPreScan, FortiClient.msi, FortiCredentialProvider2.dll). If this is an unmodified vendor build, the SHA256 above should match a hash published by the vendor and the Authenticode signature should verify to the vendor's certificate; a mismatch on either, for a file served from a bare IP address, is the point to start investigating.

Function Address
BeginHttpRequest 0x4e28f0
BeginHttpResponse 0x4e2980
FCP_add_param 0x4dfa30
FCP_append_objdata_ff 0x4dfa80
FCP_break_obj_header 0x4dfdd0
FCP_breakup_data_item 0x4dfed0
FCP_calculate_obj_head_chksum 0x4e1d70
FCP_chk_partial_obj_files 0x4dff50
FCP_cleanup 0x4e01e0
FCP_clear_object_storage 0x4e01f0
FCP_clear_package 0x4e0270
FCP_clear_params 0x4e02e0
FCP_clear_request 0x4e0320
FCP_clear_response 0x4e0380
FCP_combine_params 0x4e03f0
FCP_create_package_hdr 0x4e1da0
FCP_del_param 0x4e0540
FCP_delete_file 0x4e0580
FCP_get_file_size 0x4e05b0
FCP_get_obj_resume_info 0x4e0600
FCP_get_object_desc 0x4e07b0
FCP_get_param 0x4e07f0
FCP_init_object_storage 0x4e0830
FCP_init_package 0x4e0860
FCP_init_params 0x4e08a0
FCP_init_request 0x4e08d0
FCP_init_request_for_sending 0x4e0900
FCP_init_response 0x4e0990
FCP_init_response_for_sending 0x4e09b0
FCP_initialize 0x4e0a40
FCP_load_object 0x4e0a50
FCP_load_package 0x4e0b40
FCP_pack_obj 0x4e1e70
FCP_parse_params 0x4e1120
FCP_recv_request 0x4e1240
FCP_recv_response 0x4e13e0
FCP_send_n_recv 0x4e1580
FCP_send_object 0x4e15c0
FCP_send_request 0x4e16f0
FCP_send_response 0x4e1720
FCP_set_param 0x4e1750
FCP_unpack_obj 0x4e20a0
FCP_unpack_obj_ff 0x4e2320
FCP_unpack_obj_fnfn 0x4e25b0
FCP_verify_object_hdr 0x4e2660
FCP_verify_package_hdr 0x4e26a0
FR_cleanup 0x4e2a60
FR_close 0x4e2a70
FR_connect 0x4e2a90
FR_connected 0x4e2aa0
FR_get_local_addr 0x4e2ac0
FR_initialize 0x4e2b10
FR_read 0x4e2b70
FR_write 0x4e2b90