putty.exe

First submission 2024-10-15 18:13:02

File details

File type:       PE32 executable (GUI) Intel 80386, for MS Windows
MIME type:       application/x-dosexec
File size:       1664.78 KB (1704736 bytes)
Compile time:    1992-06-20 00:22:17 (this is the fixed TimeDateStamp 0x2A425E19 that Borland/Delphi linkers write into every binary, 1992-06-19 22:22:17 UTC shown here in local time; it is not a real build date)
MD5:             b15ed5517d17dc03b4391f34c81f9697
SHA1:            cdf3c4713c01362b5cfaf9084fa4b1fcdacc2fbf
SHA256:          9f96931855f7a2b61a6ba1f0bb14bd3c088c0c2d3a51da28b517569b5c305a57
Import hash:     9f4693fc0c511135129493f2161d1e86
Sections (8):    CODE DATA BSS .idata .tls .rdata .reloc .rsrc
Directories (4): import resource tls relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

Note: read these flags against the header data above. The file type is PE32 executable (GUI), not a DLL, and the four data directories listed (import, resource, tls, relocation) include no security directory, so the outer file carries no Authenticode signature of its own; the Sectigo certificate URLs in the strings section come from the signed PuTTY binary carried after the infector body, not from a signature on this file. The Packers entry reflects a Delphi compiler signature (see Packers detected below), not a runtime packer.

OSINT Enrichments

VirusTotal:       69/77 (VT report date: 2024-10-14 22:09:05)
Malware type (2): virus, trojan
Threat type (3):  neshta, hllp, apanas

URLs, FQDN and IP indicators 1

URL                              Host (FQDN/IP)   Date added
hXXp://194.87.31.235/putty.exe   194.87.31.235    2024-10-15 18:13:02

PE Sections (8; 3 flagged suspicious by the analyzer, but the per-row Suspicious column is empty in this copy)

Name     VAddress  VSize   RawSize  SHA1                                      MD5
CODE     0x1000    0x722c  29696    d8e5632fdd666820b7dabaa20495c25a6389f778  ca3464d4f08c9010e7ffa2fe3e890344
DATA     0x9000    0x218   1024     a47fe8a4fd97fa97a36e545b5f135e580fb0f57a  7ffc3168a7f3103634abdf3a768ed128
BSS      0xa000    0xa899  0        da39a3ee5e6b4b0d3255bfef95601890afd80709  d41d8cd98f00b204e9800998ecf8427e
.idata   0x15000   0x864   2560     3f7c121baf4a9bd57538b97806920cc8a1d1ba24  6e7a45521bfca94f1e506361f70e7261
.tls     0x16000   0x8     0        da39a3ee5e6b4b0d3255bfef95601890afd80709  d41d8cd98f00b204e9800998ecf8427e
.rdata   0x17000   0x18    512      5fc2d532c93cc509a9e75941fc9cfed27be87979  7e6c0f4f4435abc870eb550d5072bad6
.reloc   0x18000   0x5cc   1536     fd6e0154406bd02a1b8596ca6fe904c176f2372b  16968c66d220638496d6b095f21de777
.rsrc    0x19000   0x1400  5120     c5d4fb3d0fd3906788c314d1d109020cc846298f  65a386253bbe5d53953879683c9f25df

Notes: BSS and .tls have a raw size of 0, so their SHA1 (da39a3ee...) and MD5 (d41d8cd9...) are the hashes of empty input and identify nothing. The raw sizes of the eight sections sum to 40448 bytes, so the mapped image ends at roughly 41 KB, yet the file is 1704736 bytes: about 1.66 MB sits past the last section as an overlay. That layout fits the Neshta detection (a Delphi-written prepending file infector whose own body comes first and the original host program after it) and explains why the strings below contain PuTTY's own library table and certificate URLs.
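The overlay check described above, as an added example that is not part of this report or of any analyzer's code: a stdlib-only Python parser of the PE section table that computes where the mapped image ends, how much data is appended past it, and whether the appended data begins with another MZ/PE header. The constructed sample reuses the section names, virtual addresses and raw sizes from the table above; its PointerToRawData values (0x200 file alignment with 0x400 of headers), its TimeDateStamp, and the stand-in host PE placed in the overlay are assumptions, since the report lists none of them.

```python
"""Measure the overlay of a PE file from its section table (added example)."""
import struct

# Borland/Delphi linkers stamp every binary with this constant
# (1992-06-19 22:22:17 UTC); it is not a real build time.
DELPHI_TIMESTAMP = 0x2A425E19
BORLAND_SECTIONS = ("CODE", "DATA", "BSS")


def parse_pe(data):
    """Return (TimeDateStamp, [(name, vaddr, vsize, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _sym, _nsym, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    sections = []
    for i in range(nsections):
        off = coff + 20 + opt_size + 40 * i          # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, vsize, raw_ptr, raw_size))
    return timestamp, sections


def find_embedded_pe(data, start):
    """Offset of the first MZ header at or after `start` whose e_lfanew points
    at a PE signature, or -1 if there is none."""
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if 0x40 <= lfanew < 0x1000 and data[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def triage(data):
    """Compare the section table with the real file size and describe the overlay."""
    timestamp, sections = parse_pe(data)
    names = {s[0] for s in sections}
    end = max((ptr + size for _n, _va, _vs, ptr, size in sections if size), default=0)
    overlay_size = len(data) - end
    return {
        "sections": [s[0] for s in sections],
        "borland_layout": all(n in names for n in BORLAND_SECTIONS),
        "delphi_timestamp": timestamp == DELPHI_TIMESTAMP,
        "image_size": end,
        "overlay_offset": end,
        "overlay_size": overlay_size,
        "overlay_fraction": round(overlay_size / len(data), 3) if data else 0.0,
        "embedded_pe_at": find_embedded_pe(data, end) if overlay_size else -1,
    }


def build_pe(sections, overlay=b"", timestamp=0, header_size=0x400):
    """Construct a minimal PE32 with the given section table (zero-filled raw
    data) plus an optional overlay. Used only to fabricate test input here."""
    img = bytearray(header_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, len(sections), timestamp, 0, 0, 224, 0x0102)
    struct.pack_into("<H", img, 0x58, 0x10B)                      # PE32 optional-header magic
    off = 0x58 + 224
    for name, vaddr, vsize, raw_ptr, raw_size in sections:
        img[off:off + 8] = name.encode("ascii").ljust(8, b"\0")
        struct.pack_into("<IIII", img, off + 8, vsize, vaddr, raw_size, raw_ptr)
        struct.pack_into("<I", img, off + 36, 0x60000020)         # CODE | EXECUTE | READ
        off += 40
    end = max((p + s for _n, _va, _vs, p, s in sections if s), default=header_size)
    img.extend(b"\0" * (end - len(img)))
    return bytes(img) + overlay


# Constructed sample mirroring the report's section table; raw offsets are assumed.
INFECTOR_SECTIONS = [
    ("CODE",   0x01000, 0x722C, 0x0400, 29696),
    ("DATA",   0x09000, 0x0218, 0x7800, 1024),
    ("BSS",    0x0A000, 0xA899, 0x0000, 0),
    (".idata", 0x15000, 0x0864, 0x7C00, 2560),
    (".tls",   0x16000, 0x0008, 0x0000, 0),
    (".rdata", 0x17000, 0x0018, 0x8600, 512),
    (".reloc", 0x18000, 0x05CC, 0x8800, 1536),
    (".rsrc",  0x19000, 0x1400, 0x8E00, 5120),
]
REPORTED_FILE_SIZE = 1704736
HOST = build_pe([(".text", 0x1000, 0x100, 0x400, 0x200)])        # stand-in for the original program
IMAGE = build_pe(INFECTOR_SECTIONS, timestamp=DELPHI_TIMESTAMP)   # the ~41 KB loader alone
SAMPLE = IMAGE + HOST + b"\0" * (REPORTED_FILE_SIZE - len(IMAGE) - len(HOST))

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:18} {value}")
```

On a real sample replace SAMPLE with the file's bytes; an overlay that holds most of the file and starts with a valid MZ/PE header is the signal that the original program can be carved from that offset.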

PE Resources 3

Name           Language       Sublanguage        Offset   Size
RT_ICON        LANG_RUSSIAN   SUBLANG_RUSSIAN    0x19150  4264
RT_RCDATA      LANG_NEUTRAL   SUBLANG_NEUTRAL    0x1a208  172
RT_GROUP_ICON  LANG_RUSSIAN   SUBLANG_RUSSIAN    0x1a2b4  20

Packers detected 2

Borland Delphi 3.0 (???)
Borland Delphi 4.0

Note: both entries are compiler/linker signatures, not runtime packers. They are corroborated by the Borland section names (CODE, DATA, BSS) and by the fixed Delphi TimeDateStamp in the file details.

Anti debug functions 3

GetLastError
RaiseException
UnhandledExceptionFilter

Note: these three kernel32 imports are part of every Delphi runtime's exception handling and of most Windows programs; on their own they are not evidence of anti-debugging.

Strings analysis - File found

Log:
  putty.log

Object:
  hhctrl.ocx

Library:
  mscoree.dll
  Shcore.dll
  SSPICLI.DLL
  secur32.dll
  Crypt32.dll
  ADVAPI32.dll
  Using SSPI from SECUR32.DLL
  *.dll
  USER32.dll
  SHELL32.dll
  dwmapi.dll
  i64.dll
  IMM32.dll
  COMCTL32.dll
  COMDLG32.dll
  ole32.dll
  KERNEL32.dll
  spoolss.dll
  GDI32.dll
  WSOCK32.dll
  OLEAUT32.dll
  Microsoft SSPI SECUR32.DLL
  MIT Kerberos GSSAPI64.DLL
  Using GSSAPI from GSSAPI64.DLL
  WINMM.dll
  wship6.dll
  WS2_32.dll

Note: these are PuTTY's own strings, including the "Using SSPI from SECUR32.DLL" and "Using GSSAPI from GSSAPI64.DLL" descriptions PuTTY prints for its GSSAPI providers, consistent with a legitimate PuTTY binary being carried in the overlay. They say nothing about what the ~41 KB Delphi loader itself imports, which is confined to its own 0x864-byte .idata section.

Strings analysis - Possible URLs found 19 (17 distinct once the DER length bytes that trail each raw string, such as "0#", "0y", "0v", "0t", "04", "06" and "0%", are stripped)

Certificate chain (AIA, CRL and OCSP pointers of an Authenticode signature):
  http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl
  http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c
  http://ocsp.sectigo.com
  https://sectigo.com/CPS
  http://crl.comodoca.com/AAACertificateServices.crl
  http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
  http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl
  http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
  http://crt.sectigo.com/SectigoRSATimeStampingCA.crt
  http://ocsp.comodoca.com
  http://crl.comodo.net/AAACertificateServices.crl
  http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt
  http://ocsp.usertrust.com
  http://crl.sectigo.com/SectigoRSATimeStampingCA.crl

Project URL (PuTTY version information):
  https://www.chiark.greenend.org.uk/~sgtatham/putty/

Application manifest namespaces:
  http://schemas.microsoft.com/SMI/2016/WindowsSettings
  http://schemas.microsoft.com/SMI/2005/WindowsSettings

Note: the outer file has no security directory, so this certificate chain belongs to the signed PuTTY binary carried in the overlay; it does not vouch for the file as a whole, and none of these URLs are command-and-control indicators.

Import functions

Note: despite the heading, the rows below list other submitted files (file name, date last seen, MD5), not API imports of this sample.

Name             Latest seen          MD5
world.exe        2022-10-12 19:32:02  4c596d32f75e3a84e48c36e8fc8025fd
1.bat            2022-11-18 07:20:08  49140280d15498a146873199b563852f
kapo.exe         2022-11-18 07:21:09  6ed53a0273682d74b8ebdd50fa1b2a19
java_update.exe  2024-07-02 08:06:02  bc4206081a6f4206dc5b63948b05ef4b
F.exe            2024-07-02 08:08:04  e501c275814bfcb58fe845c38227d5c5
Build.exe        2024-07-02 08:09:03  2f6f4f9674c6721b5ea8319ed90a8f20
x.exe            2024-07-02 08:10:02  d27e7c560c09eb318c80cab58baea1b2