DigitalSide Threat Intel

shell.exe

First submission 2022-08-03 10:23:02

File details

File type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
File type: 24.5 KB (25088 bytes)
Compile time: 2022-08-02 21:29:56
MD5: bb0edcf312622f518415b85deec29be4
SHA1: 72bce426b56988b225862cc6611abb53150bfbc6
SHA256: 3ae4fa96ff3527bf4ea380cbcab19b7e9b0d77c3596d08f74b18b7b843ead231
Import Hash : 45d51bb2a26e8506fa017fe49072c102
Sections 9 .text .data .rdata .pdata .xdata .bss .idata .CRT .tls
Directories 2 import tls
Virus Total: 23/71 VT report date: 2022-08-03 07:26:59

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 2

URL Host (FQDN/IP) Date Added
hXXp://146.70.24.168/load/shell.exe VirusTotal Report 146.70.24.168 VirusTotal Report 2022-08-03 10:23:02
hXXps://dexpsystem.com/load/shell.exe VirusTotal Report dexpsystem.com VirusTotal Report 2022-08-03 10:44:08

PE Sections 2 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x3358 13312 7ca96e9ea8c33bba048b9e5a5e6b8092497a0230 c19c43b0c17194eb20853cebbe4ae00d
.data 0x5000 0x8f0 2560 78200ea73401df100c0cceac30cb466f663449fb 0d78fb1cb5ed111fb4f1d31172220122
.rdata 0x6000 0xac0 3072 276c13be71d6f49c19d6521dfb5b147e2d4fb0bc 892657c4664ebc62883b51b68dea3e2a
.pdata 0x7000 0x354 1024 f7fad08965ec22c9c2669dba141167c8ec175926 f4237906f3aa5943d75b279487b63772
.xdata 0x8000 0x2e4 1024 04042cd3a7b62b5b514f480748758c9fb8f72088 c19289d966fa50664f8a75f5290790b7
.bss 0x9000 0x980 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.idata 0xa000 0x7d0 2048 276edf1e8c21e23e2ad949a9f747dfbd7e562b9a 87cff7a3bdfeb1c79ed2b0c573285e52
.CRT 0xb000 0x68 512 4556102cc0d661eee8459f1baf6b3fbbbe0565d7 f9a73e50eee67fba2392e0e8c992c120
.tls 0xc000 0x10 512 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 bf619eac0cdf3f68d496ea9344137e8b

Packers detected 1

Microsoft Visual C++ 8.0 (DLL)

Anti debug functions 3

GetLastError
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Library
KERNEL32.dll
MSVCRT.dll

Import functions

Function Address Souspicious Anti Debug
__C_specific_handler 0x40a2bc
__getmainargs 0x40a2c4
__initenv 0x40a2cc
__iob_func 0x40a2d4
__lconv_init 0x40a2dc
__set_app_type 0x40a2e4
__setusermatherr 0x40a2ec
_acmdln 0x40a2f4
_amsg_exit 0x40a2fc
_cexit 0x40a304
_fmode 0x40a30c
_initterm 0x40a314
_onexit 0x40a31c
abort 0x40a324
calloc 0x40a32c
exit 0x40a334
fprintf 0x40a33c
free 0x40a344
fwrite 0x40a34c
malloc 0x40a354
memcpy 0x40a35c
memset 0x40a364
signal 0x40a36c
strlen 0x40a374
strncmp 0x40a37c
strtoul 0x40a384
vfprintf 0x40a38c
Function Address Souspicious Anti Debug
DeleteCriticalSection 0x40a1ec
EnterCriticalSection 0x40a1f4
FreeConsole 0x40a1fc
GetCurrentProcess 0x40a204
GetCurrentProcessId 0x40a20c
GetCurrentThreadId 0x40a214
GetLastError 0x40a21c
GetStartupInfoA 0x40a224
GetSystemTimeAsFileTime 0x40a22c
GetTickCount 0x40a234
InitializeCriticalSection 0x40a23c
LeaveCriticalSection 0x40a244
QueryPerformanceCounter 0x40a24c
RtlAddFunctionTable 0x40a254
RtlCaptureContext 0x40a25c
RtlLookupFunctionEntry 0x40a264
RtlVirtualUnwind 0x40a26c
SetUnhandledExceptionFilter 0x40a274
Sleep 0x40a27c
TerminateProcess 0x40a284
TlsGetValue 0x40a28c
UnhandledExceptionFilter 0x40a294
VirtualAlloc 0x40a29c
VirtualProtect 0x40a2a4
VirtualQuery 0x40a2ac