AutoHotkey_1.1.37.02_setup.exe?ex=670cc2fb&is=670b717b&hm=570207948fb679469b7570acf604fb6812252590f27dc144fa3a5b51f3576a28&

First submission 2024-10-13 17:32:02

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	3345.81 KB (3426108 bytes)
Compile time:	2010-11-18 19:41:55
MD5:	c2e8062052bb2b25d4951b78ba9a5e73
SHA1:	947dbf6343d632fc622cc2920d0ad303c32fcc80
SHA256:	49a48e879f7480238d2fe17520ac19afe83685aac0b886719f9e1eac818b75cc
Import Hash :	fa4d5c869351014d1ce952f2833a7558
Sections 4	.text .rdata .data .rsrc
Directories 2	import resource

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

Virus Total:	8/77 VT report date: 2024-10-13 17:23:09
Malware Type 1	trojan

URL	Host (FQDN/IP)	Date Added
hXXps://cdn.discordapp.com/attachments/1282753366694301779/1294738007190147205/AutoHotkey_1.1.37.02_setup.exe?ex=670cc2fb&is=670b717b&hm=570207948fb679469b7570acf604fb6812252590f27dc144fa3a5b51f3576a28&	cdn.discordapp.com	2024-10-13 17:32:02

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x55cc	22016	cbf104c9872e7b62311c1545be7d60854312aa9c	c64c87c9aa464d2e806c4d837bed1860
.rdata	0x7000	0x548	1536	bf8fd133e895cf82d2f85f25b1134aa4fe42f76e	456426414cb0467d180e86ee3e691e20
.data	0x8000	0x220c	512	a5c55515bc7ac18193d84fbbec58d10bd95223cc	19e034c032410ac04ee293cd340e2b1d
.rsrc	0xb000	0x58df	23040	fd47bea696a1be5231e1dcf614fa1285f5a11782	c998d5f6013397bd6b94ab70290a4ec9

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0xff48	1128
RT_GROUP_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x10418	34
RT_VERSION	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x1043c	460
RT_MANIFEST	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x10608	727	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false" /></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" /><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" /><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" /><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" /></application></compatibility></assembly>

GetLastError

Bochs & QEmu CPUID Trick

SHELL32.dll 1 KERNEL32.dll 24 MSVCRT.dll 24 USER32.dll 1

Function	Address	Souspicious	Anti Debug
ShellExecuteExW	0x4070c8

Function	Address	Souspicious	Anti Debug
GetStartupInfoA	0x407000
GetModuleHandleA	0x407004
SetFilePointer	0x407008
WriteFile	0x40700c
ReadFile	0x407010
CreateFileW	0x407014
DeleteFileW	0x407018
FindNextFileW	0x40701c
RemoveDirectoryW	0x407020
FindFirstFileW	0x407024
FindClose	0x407028
GetModuleFileNameW	0x40702c
GetCommandLineW	0x407030
GetTempPathW	0x407034
GetCurrentThreadId	0x407038
GetTickCount	0x40703c
GetCurrentProcessId	0x407040
CreateDirectoryW	0x407044
GetLastError	0x407048
SetFileTime	0x40704c
SetFileAttributesW	0x407050
CreateProcessW	0x407054
CloseHandle	0x407058
WaitForSingleObject	0x40705c

Function	Address	Souspicious	Anti Debug
_controlfp	0x407064
_except_handler3	0x407068
__set_app_type	0x40706c
__p__fmode	0x407070
__p__commode	0x407074
_adjust_fdiv	0x407078
__setusermatherr	0x40707c
_initterm	0x407080
__getmainargs	0x407084
_acmdln	0x407088
exit	0x40708c
_XcptFilter	0x407090
_exit	0x407094
memcpy	0x407098
free	0x40709c
malloc	0x4070a0
wcscmp	0x4070a4
memcmp	0x4070a8
memmove	0x4070ac
strlen	0x4070b0
wcslen	0x4070b4
wcscpy	0x4070b8
wcscat	0x4070bc
memset	0x4070c0

Function	Address	Souspicious	Anti Debug
MessageBoxA	0x4070d0