20230120_4.bin

First submission 2024-10-17 17:54:07

File details

File type: PE32+ executable (native) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 142.2 KB (145616 bytes)
Compile time: 2023-01-20 15:21:06
MD5: b887f1eaec80d94a7b4a89f8521f857f
SHA1: 99011548fc96494ce40412f86b81f91f93247a44
SHA256: 8eaad1d6149c312afcf5aba09cc36d0e21bd05ccb79581ca505d64ece3a77e77
Import Hash : 118a2343ba7a5763d9034e65dcc58b46
Sections 7 .text .rdata .data .pdata INIT .reloc
Directories 3 import relocation security

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://124.248.65.242:8899/sys/20230120_4.bin 124.248.65.242 2024-10-17 17:54:07

PE Sections 3 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x1c46 7680 85f97df56955cbc5168e3cbf70b625c835df6f4f 29c14e5a94f817e41a889a9d14bc67a6
.rdata 0x3000 0x63c 2048 f5669dd430e1861e0cc69cb871c4809eb96158e1 83ab56e7cd477e14ae1ea4e2df86ede3
.data 0x4000 0x1be30 114688 3a774e26d13861fb095e27d008659cc0e6f1945e 83b0cb3c380086bd5049046dfe036ab0
.pdata 0x20000 0x198 512 7055b154f6924777ac4f39c99fea67a33d05cc24 150aad2bbe68275ee35b3e24cdbdbb23
INIT 0x21000 0x432 1536 f996478714ae1dbdf99daf9998f786dfaa59d7ce d7406036dd7ca4d76ef2bddc3ba589a3
0x22000 0x3340 13312 7f69da48a5d625068951f0c06f5bef8010684726 128bfe3c607755eb6cf99ed4f1eb2cd1
.reloc 0x26000 0x14 512 c0484f20718fe1e57bcded0867bcb9a8dee3ca49 cfae0cacdcb3dbfdeeeb0ed3040da6c2

Anti debug functions 1

ZwQueryInformationFile

Anti VM functions 1

Virtual Box

File signature

MD5 SHA1 Block size Virtual Address
8dc653572b19e4ee5951e0736e9c4af0 81d9d00150b956c32d09ae827c803a8d1ce3d036 4304 141312

Strings analysis - File found

Binary
\SystemRoot\System32\GSDrv.bin
Library
\SystemRoot\System32\ntdll.dll

Strings analysis - Possible URLs found 4

http://crl.thawte.com/ThawtePCA.crl0
http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
http://ocsp.thawte.com0
http://cs-g2-crl.thawte.com/ThawteCSG2.crl0

Import functions

Name Latest seen MD5
20230120_1.bin 2024-10-17 17:52:05 2f3fd904ea51687468b39b707a1587a4
20230120_2.bin 2024-10-17 17:53:05 df090fc9db83229c47d072fca9b3da6b
20230120_3.bin 2024-10-17 17:55:04 919caff04831cd3ccd0e2053769cfd9d