food.exe.exe

First submission 2024-10-11 11:07:02

File details

File type: PE32+ executable (GUI) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 244.86 KB (250739 bytes)
Compile time: 2024-10-10 01:24:06
MD5: b307c7d1a5e1ea86e41d84422494ac17
SHA1: 3714934e68f2f49243d221a2dc44617a56d60b15
SHA256: e08f51f4d3d338aaf2c55f635e6a4a83ea60172ff89cf7e35b8c4843be192690
Import Hash: 2d983c43231f2c37c4a2329a07cfc8ab
Sections: 19 (.text, .data, .rdata, .pdata, .xdata, .bss, .idata, .CRT, .tls, .reloc, /4, /19, /31, /45, /57, /70, /81, /97, /113)
Directories: 3 (import, tls, relocation)

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

VirusTotal: 37/77 (VT report date: 2024-10-11 06:38:41)
Malware type (1): trojan
Threat type (2): zusy, rozena

URLs, FQDN and IP indicators: 1

URL (defanged): hXXp://159.65.193.136/food.exe.exe
Host (FQDN/IP): 159.65.193.136
Date added: 2024-10-11 11:07:02

PE Sections: 3 suspicious. Section names of the form /N are not real names: N is a decimal offset into the COFF string table, used when a section name exceeds 8 bytes (GCC/MinGW-w64 stores DWARF .debug_* sections this way). .bss has a raw size of 0 because it holds uninitialised data that is only allocated at load time.

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x7398 29696 40277a963402728d55f2de63fd03de772292d863 26e7d3d525fef4c8ad106d79623ff24c
.data 0x9000 0xc0 512 c7a24b126b1f03c7c37775814991f238d446acba 1ac68fd4267d2efe8211ee38976f20a2
.rdata 0xa000 0xe40 4096 c163b88b66efe33619fa6bdf4352d39b8b71120b fc66bafa8525cc71e90624b2ea41853f
.pdata 0xb000 0x4e0 1536 f6b2d7d8ffdbeffed9e9cf57ea79f217a36b2581 eaef997d352cb58e421319003527cac7
.xdata 0xc000 0x4a4 1536 c4c0744d255b229462a3e5d5356a21c506b8a525 6b0ac8f76ed820ebc252e51a79fefe59
.bss 0xd000 0xb80 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.idata 0xe000 0x928 2560 873c824b28468cc202af138d315724952c457c0b d22a4cfcb7faf79dc096d175a5c72ae6
.CRT 0xf000 0x60 512 e4158b6032fb2e4b8a66d9b8a5dd34636fbdbb1f 1ed33903363528ea258d3f07d054959e
.tls 0x10000 0x10 512 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 bf619eac0cdf3f68d496ea9344137e8b
.reloc 0x11000 0x84 512 0b0886f2f59236c0db6148b29ca7981c505269cc dc135d82febe135771f7b5290d152b0e
/4 0x12000 0x620 2048 a1a1b1088a9f1fefeda7412188e2d204ffb5a9be 742c85f8faf5debcebeddecd372cc95c
/19 0x13000 0x1207c 74240 87d7770beb8366316b953a55329d3587f9ac771d b40d1dd928538127fba4236dde4e7427
/31 0x26000 0x321c 13312 6072853f54bc9eac62cf11e569188f8a29b413b7 335de062d2872a1053913069789fc304
/45 0x2a000 0x6d6d 28160 1fc1416c2b1d3d1c2201e41a880286bf0f390443 3d4731e3e5b2a592bd12db006f12966f
/57 0x31000 0x16c0 6144 a1ad1d0caa5a10a0add758d54b295f5c46221cf8 8c6eece4cc6ecda4a87f5c3bd4f1f410
/70 0x33000 0x39d 1024 c26aa7945adf8e1fa76dde140b4c3fe378bc26bc 7525f1145b47b06d73d7667bb1386b5f
/81 0x34000 0x15fa 5632 e7ba6b4adcbcc8a13c3af6455a13f8e78d539148 b15394a328eca738bc353b3ca53f2a1e
/97 0x36000 0x7825 31232 06db5028564f055d6fdbebb59af89653e00eeeb0 37196f7e1c47fcc81425766596611a26
/113 0x3e000 0x52b 1536 858cf2360e25446203da43914c8f4f7fedd08c41 c8f735d4379e14fc5ae61b34491dffc7
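The table above is what a PE section walk produces once the /N names are resolved. As an added example (not code from this report's tooling), the following standard-library-only Python parses IMAGE_SECTION_HEADER entries, resolves "/N" names through the COFF string table that follows the symbol table, and applies cheap structural flags of the kind a triage report derives (virtual size larger than raw size, writable+executable sections, string-table names). The PE image it parses is constructed inline and is not food.exe.exe; its two section headers merely reuse the .bss and /4 values listed above, and the resolved name ".debug_aranges" is an assumption for illustration.

```python
# Added example (not from the report or its tooling): parse a PE section table with
# only the standard library, resolve "/N" names via the COFF string table, and apply
# simple triage flags.  The binary below is CONSTRUCTED and is not food.exe.exe.
import struct

FILE_HEADER_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp,
                                     # PointerToSymbolTable, NumberOfSymbols,
                                     # SizeOfOptionalHeader, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)
SYMBOL_SIZE = 18                     # COFF symbol record; string table follows the symbols

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data: bytes):
    """Return one dict per section header, resolving /N names via the string table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (_machine, nsections, _ts, sym_ptr, nsyms,
     opt_size, _chars) = struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)
    # The COFF string table sits directly after the symbol table (if there is one).
    strtab = sym_ptr + nsyms * SYMBOL_SIZE if sym_ptr else None
    first = e_lfanew + 4 + struct.calcsize(FILE_HEADER_FMT) + opt_size
    sections = []
    for i in range(nsections):
        (raw_name, vsize, vaddr, raw_size, raw_ptr, _rel, _ln, _nrel, _nln,
         chars) = struct.unpack_from(SECTION_HEADER_FMT, data, first + i * 40)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        long_name = None
        if name.startswith("/") and strtab is not None:
            # "/N": N is a decimal byte offset into the string table.
            start = strtab + int(name[1:])
            long_name = data[start:data.index(b"\0", start)].decode("ascii", "replace")
        sections.append({
            "name": name, "long_name": long_name, "virtual_size": vsize,
            "virtual_address": vaddr, "raw_size": raw_size, "raw_ptr": raw_ptr,
            "characteristics": chars,
        })
    return sections


def triage_flags(section):
    """Cheap structural checks of the kind a triage report applies per section."""
    flags = []
    if section["long_name"] is not None:
        flags.append("string-table-name")   # typical of GCC/MinGW (DWARF .debug_* sections)
    if section["virtual_size"] > section["raw_size"]:
        flags.append("vsize>rawsize")       # uninitialised data, or room for unpacked code
    if (section["characteristics"] & IMAGE_SCN_MEM_EXECUTE
            and section["characteristics"] & IMAGE_SCN_MEM_WRITE):
        flags.append("rwx")                 # writable+executable: classic packer-stub smell
    return flags


def build_sample_pe() -> bytes:
    """Constructed minimal PE image: DOS stub, PE signature, file header (no optional
    header), two section headers and a COFF string table.  Not a runnable executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    nsections = 2
    strtab_off = 0x40 + 4 + struct.calcsize(FILE_HEADER_FMT) + nsections * 40
    # PointerToSymbolTable = strtab_off with NumberOfSymbols = 0, so the string
    # table starts exactly there.
    file_header = struct.pack(FILE_HEADER_FMT, 0x8664, nsections, 0, strtab_off, 0, 0, 0x0022)
    # .bss: VSize 0xb80, raw size 0, uninitialised data, read/write (values from the report)
    bss = struct.pack(SECTION_HEADER_FMT, b".bss", 0xB80, 0xD000, 0, 0, 0, 0, 0, 0, 0xC0000080)
    # "/4": name lives at string-table offset 4, just past the 4-byte size prefix
    dbg = struct.pack(SECTION_HEADER_FMT, b"/4", 0x620, 0x12000, 2048, 0, 0, 0, 0, 0, 0x42000040)
    names = b".debug_aranges\0"                                  # assumed long name
    string_table = struct.pack("<I", 4 + len(names)) + names
    return dos + b"PE\0\0" + file_header + bss + dbg + string_table


if __name__ == "__main__":
    for s in parse_sections(build_sample_pe()):
        shown = s["name"] if s["long_name"] is None else f'{s["name"]} ({s["long_name"]})'
        print(f'{shown:24} VA=0x{s["virtual_address"]:x} VSize=0x{s["virtual_size"]:x} '
              f'Raw={s["raw_size"]} flags={triage_flags(s)}')
```

Point `parse_sections` at the bytes of a real file to reproduce the Name/VAddress/VSize/Size columns above; the per-section SHA1/MD5 columns are simply digests of `data[raw_ptr:raw_ptr + raw_size]`, which is why .bss (raw size 0) shows the empty-input hashes.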

Packers detected: 1

Microsoft Visual C++ 8.0 (DLL). Note that this is a compiler/linker signature match rather than a packer, and it is a weak one: the section layout above (.CRT, .xdata, .pdata, .bss, .tls plus the /N string-table names) is characteristic of GCC/MinGW-w64 output, not MSVC, so the signature should not be relied on by itself.

Anti debug functions: 1

GetLastError. On its own this is a weak indicator: GetLastError is imported by nearly every Windows program, and the report lists no other anti-debug API (IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess) alongside it.

Strings analysis - Libraries found: 4

WS2_32.dll
USER32.dll
MSVCRT.dll
KERNEL32.dll
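The Import Hash in the file details is an "imphash": an MD5 over the ordered, normalised list of imported dll.function pairs, which lets samples built from the same source be clustered even when their file hashes differ. As an added example (not code from this report's tooling), the following Python reproduces the widely used pefile algorithm: module names are lowercased and stripped of .dll/.ocx/.sys, ordinal-only imports are resolved through a lookup table where one is known (a partial WS2_32 table is included) and otherwise written as "ordN", and the comma-joined string is hashed. The import list is constructed for illustration from the four modules listed above with hypothetical function names; the page does not reproduce the sample's import table, so the resulting digest will not equal the report's value.

```python
# Added example (not from the report's tooling): pefile-style import hash from a list
# of (dll, function_or_None, ordinal_or_None) entries.  The sample import list is
# CONSTRUCTED; only the module names come from the report.
import hashlib

# Partial ordinal table for WS2_32 (well-known exports). pefile resolves these so
# that ordinal-only imports hash the same as the equivalent name imports.
WS2_32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 16: "recv",
    19: "send", 23: "socket", 52: "gethostbyname", 115: "WSAStartup", 116: "WSACleanup",
}
ORDINAL_TABLES = {"ws2_32": WS2_32_ORDINALS}
STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalise_dll(dll: str) -> str:
    """Lowercase the module name and drop .dll/.ocx/.sys, as pefile does."""
    name = dll.lower()
    for ext in STRIPPED_EXTENSIONS:
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_input(imports) -> str:
    """Build the comma-joined 'dll.func' string that gets hashed.
    imports: iterable of (dll, func_name_or_None, ordinal_or_None) in table order."""
    parts = []
    for dll, func, ordinal in imports:
        lib = normalise_dll(dll)
        if func is None:
            # Ordinal-only import: resolve via the lookup table if known,
            # otherwise fall back to pefile's "ordN" placeholder.
            func = ORDINAL_TABLES.get(lib, {}).get(ordinal, f"ord{ordinal}")
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalised import string (the 'Import Hash' shown in reports)."""
    return hashlib.md5(imphash_input(imports).encode("ascii")).hexdigest()


# Constructed sample import table: module names from the report, function names
# hypothetical (the sample's real import list is not reproduced on this page).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "GetLastError", None),
    ("KERNEL32.dll", "CreateThread", None),
    ("WS2_32.dll", None, 115),      # WSAStartup imported by ordinal
    ("WS2_32.dll", None, 23),       # socket imported by ordinal
    ("WS2_32.dll", None, 999),      # unknown ordinal -> "ord999"
    ("USER32.dll", "MessageBoxA", None),
    ("MSVCRT.dll", "memset", None),
]

if __name__ == "__main__":
    print(imphash_input(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Because import order is part of the hashed string, two builds that import the same functions in a different order get different imphashes, while changes in name casing do not; that is why the value is useful for pivoting on VirusTotal but is not a substitute for the file hashes.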

Strings analysis - Possible IPs found: 1

10.0.2.10. This is an RFC 1918 private address; 10.0.2.0/24 is the default NAT network used by VirtualBox guests, so it is more likely a lab or test-build artifact than an Internet C2 address, and it should not be treated as a network IOC without corroboration (the Internet-routable host for this sample is 159.65.193.136 above).

Import functions