View.exe
First submission 2024-10-15 18:14:07
File details
| File type: | PE32 executable (GUI) Intel 80386, for MS Windows |
| Mime type: | application/x-dosexec |
| File size: | 10777.0 KB (11035648 bytes) |
| Compile time: | 1992-06-20 00:22:17 |
| MD5: | b9ceb90dccdeddec2945fae9e1f5c80b |
| SHA1: | 72bb453a90443659262bab8fa4836b19a6df0acc |
| SHA256: | 3aafc326ba586288ba44bbd7b115ebf461f27c15a283f181136faae33b103e5c |
| Import Hash : | 8121da246ea94cbab5bbea46d181bdcb |
| Sections 8 | CODE���� DATA���� BSS����� .idata�� .tls���� .rdata�� .reloc�� .rsrc��� |
| Directories 4 | import resource tls relocation |
File features detected
Signed
XOR
OSINT Enrichments
| Virus Total: | 57/77 VT report date: 2024-09-16 11:10:42 |
| Malware Type 3 | trojan hacktool miner |
| Threat Type 3 | cmdwow keylogger password |
URLs, FQDN and IP indicators 1
| URL | Host (FQDN/IP) | Date Added |
|---|---|---|
hXXp://xemhang.vn/Website1/Duc/View.exe  |
xemhang.vn |
2024-10-15 18:14:08 |
PE Sections 3 suspicious
| Name | VAddress | VSize | Size | SHA1 | MD5 | Suspicious |
|---|---|---|---|---|---|---|
| CODE���� | 0x1000 | 0x13044 | 78336 | 2c8fdfff65d49bc53e64e77b999b57f8d3518445 | f244922fda075765e8f17189a4294935 | |
| DATA���� | 0x15000 | 0x60c | 2048 | 247f14b55ec86b994210f597fc04e9c4f64abed9 | d769b11b951aa1676a9b56ed8657f9e0 | |
| BSS����� | 0x16000 | 0xca5 | 0 | da39a3ee5e6b4b0d3255bfef95601890afd80709 | d41d8cd98f00b204e9800998ecf8427e | |
| .idata�� | 0x17000 | 0xa50 | 3072 | 125dc2b774d2b294864ef19ef7d1b2f8f47ce6cb | f12761531f848d781df349820c2c9510 | |
| .tls���� | 0x18000 | 0xc | 0 | da39a3ee5e6b4b0d3255bfef95601890afd80709 | d41d8cd98f00b204e9800998ecf8427e | |
| .rdata�� | 0x19000 | 0x18 | 512 | a5de091903509711e4ce5f48b75b03f86d77c3c1 | 84ec229773168945be103e78a704bd09 | |
| .reloc�� | 0x1a000 | 0x18b8 | 6656 | 5e986f05512a5552f39a7552bf1851946bfda5f5 | 4bd4a9c9fd181c01c407ce5b4b897f2d | |
| .rsrc��� | 0x1c000 | 0xa6fc68 | 10944000 | 54f73e59f014d40129123f7fd0ba001bfbf3584d | 62ecebff42d011d78c06bc1ee7a65585 |
PE Resources 4
| Name | Language | Sublanguage | Offset | Size | Data |
|---|---|---|---|---|---|
| RT_ICON | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0x1ca88 | 2216 | |
| RT_STRING | LANG_NEUTRAL | SUBLANG_NEUTRAL | 0x1e244 | 672 | |
| RT_RCDATA | LANG_NEUTRAL | SUBLANG_NEUTRAL | 0xa8bba0 | 162 | |
| RT_GROUP_ICON | LANG_ENGLISH | SUBLANG_ENGLISH_US | 0xa8bc44 | 34 |
Anti debug functions 3
| GetLastError |
| RaiseException |
| UnhandledExceptionFilter |
Anti debug functions 2
| VMCheck.dll |
| Bochs & QEmu CPUID Trick |
Strings analysis - File found
| Binary |
| guid.bin |
| \guid.bin |
| \USOShared\settings.bin |
| \USOShared\guid.bin |
| Can't rename guid_temp.bin back into guid.bin |
| can't rename guid.bin into guid_temp.bin |
| XML |
| topology.xml |
| Text |
| eid.txt |
| CMDOW /RUN /HID notepad /P readme.txt |
| Can't create/open file id.txt |
| Library |
| sas.dll |
| KERNEL32.dll |
| dwmapi.dll |
| Qapi-ms-win-core-synch-l1-2-0.dll |
| ntdll.dll |
| api-ms-win-core-synch-l1-2-0.dll |
| mscoree.dll |
| combase.dll |
| ADVAPI32.dll |
| Swmsgapi.dll |
| urlmon.dll |
| SHELL32.dll |
| bcrypt.dll |
| Powrprof.dll |
| USER32.dll |
| MSIMG32.dll |
| WININET.dll |
| OLEAUT32.dll |
| IPHLPAPI.DLL |
| atiadlxx.dll |
| opencl.dll |
| MSVCRT.dll |
| COMCTL32.dll |
| WINMM.dll |
| WS2_32.dll |
| SHLWAPI.dll |
| xmrig-cuda.dll |
| libgcj-13.dll |
| WINHTTP.dll |
| %PROGRAMFILES%\NVIDIA Corporation\NVSMI\nvml.dll |
| USERENV.dll |
| gdiplus.dll |
| COMDLG32.dll |
| nvml.dll |
| WTSAPI32.dll |
| ole32.dll |
| Crypt32.dll |
| %s.dll |
| PSAPI.DLL |
| GDI32.dll |
| MPR.dll |
| hal.dll |
| Web Page |
| /aa-debug-log.php |
| /sims/sims_new.php |
Strings analysis - Possible IPs found 28
| 1.3.111.2 |
| 1.3.101.111 |
| 1.3.101.110 |
| 1.3.101.113 |
| 1.3.101.112 |
| 1.9.2.25 |
| 127.0.0.1 |
| 1.3.36.3 |
| 1.2.0.5 |
| 1.3.6.1 |
| 101.3.4.1 |
| 3.1.9.9 |
| 3.1.9.4 |
| 3.1.9.3 |
| 3.1.9.1 |
| 3.1.9.29 |
| 3.1.9.49 |
| 3.1.9.21 |
| 1.3.14.3 |
| 3.1.9.23 |
| 3.1.9.44 |
| 3.1.9.43 |
| 3.1.9.24 |
| 3.1.9.41 |
| 8.8.8.8 |
| 101.3.4.2 |
| 61.1.1.1 |
| 1.9.16.3 |
Strings analysis - Possible URLs found 34
| http://crl.globalsign.com/root-r6.crl0G |
| https://ulm.aeroadmin.com/build_number |
| https://www.globalsign.com/repository/0 |
| http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0 |
| https://ulm.microsoft.com/ |
| http://ocsp2.globalsign.com/rootr606 |
| http://crl.globalsign.net/root.crl0 |
| http://schemas.microsoft.com/SMI/2005/WindowsSettings |
| http://ocsp.globalsign.com/ca/gstsacasha384g40C |
| http://nssm.cc/ |
| http://crl.globalsign.com/ca/gstsacasha384g4.crl0 |
| https://xmrig.com/docs/algorithms |
| http://www.aeroadmin.com/ |
| http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0 |
| http:// |
| http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0? |
| http://secure.globalsign.com/cacert/codesigningrootr45.crt0A |
| https://xmrig.com/benchmark/%s |
| http://crl.globalsign.net/RootSignPartners.crl0 |
| http://www.commandline.co.uk. |
| https://xmrig.com/wizard |
| http://ocsp.globalsign.com/codesigningrootr450F |
| http://crl.globalsign.com/root-r3.crl0G |
| http://crl.globalsign.net/ObjectSign.crl0 |
| http://crl.globalsign.net/primobject.crl0 |
| https://www.aeroadmin.com/ |
| http://ocsp.globalsign.com/gsgccr45evcodesignca20200U |
| http://secure.globalsign.com/cacert/gstsacasha384g4.crt0 |
| http://crl.globalsign.com/codesigningrootr45.crl0U |
| https://www.aeroadmin.com/ref/screen-recorder-installation |
| http://900100.net |
| http://ocsp.globalsign.com/rootr30; |
| http://secure.globalsign.com/cacert/root-r3.crt06 |
| https:// |