Itkool-Setup.exe

First submission 2024-02-04 15:21:05

File details

File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Mime type: application/x-dosexec
File size: 6757.5 KB (6919680 bytes)
Compile time: 1970-01-01 01:00:00 (TimeDateStamp is 0, i.e. the Unix epoch rendered in a UTC+1 zone; the Go linker writes a zeroed stamp, so this field carries no build-date information)
MD5: c47e12a1fec39e4f1a120a13e5c35c30
SHA1: 75ee1d1b1fedd4bf5b53a7d3c3758c56185b8a26
SHA256: 7b3606e2809dab9d70adcb1cfb485c9ed71c395a39da4ade0050cb4b32a0debc
Import Hash : 5929190c8765f5bc37b052ab5c6c53e7
Sections 12 .text .data .rdata .pdata .xdata .bss .edata .idata .CRT .tls .rsrc .reloc
Directories 5 import export resource tls relocation
Virus Total:

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL | Host (FQDN/IP) | Date Added
hXXp://193.233.132.167/lend/Itkool-Setup.exe | 193.233.132.167 | 2024-02-04 15:21:05

PE Sections 3 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x2a2190 2761216 39a66bece0ec4506e87aa3eb7cb9a00bccda4041 1a55d8a525787cab17ac7e218cfb265d
.data 0x2a4000 0x3db70 252928 d7bfbc809b03eac6b8a7e302de1fbb59f48311d0 c8eb7603867f02232761fa3a7ff63a5f
.rdata 0x2e2000 0x366f90 3567616 de8e8ca6763120317e0bebdfdac7d93e309435ac 4e92ca524f6985ed296e9eabc04571a3
.pdata 0x649000 0x14e8c 86016 10f40eedc155bae04ffa58708ba66a18457185f4 48e3c980e675985770b1992a084eb019
.xdata 0x65e000 0xc44 3584 ef5088813b70a30a2eb4cf979e1cd86bda5e1b80 db65ad795bd5c3429b0cf04833571506
.bss 0x65f000 0x61920 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.edata 0x6c1000 0x4e 512 96035083817e12ee827c93b23d0da74f5d838e8b 7779e8bdb5ea3c11503b6224e209e521
.idata 0x6c2000 0x13d0 5120 a1c3aaebafbc0ee3b04f6b16dd69d620e2771a2e 7b48bec1da62f0a02df816945f5a9d22
.CRT 0x6c4000 0x70 512 506d9944708d5f5384c1a082831f3ec67b27f705 a9c5c7170364bc632dd6114aac904e7e
.tls 0x6c5000 0x10 512 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 bf619eac0cdf3f68d496ea9344137e8b
.rsrc 0x6c6000 0x2b446 177664 32acc53c1dc33a879cfc2772945d637e0730a431 d73c0847f312965407da2dd4fc75d4e8
.reloc 0x6f2000 0xf4d4 62976 5fe67db07d5f57e71a7b7c10fd5bfcb0417707b7 ca76901802e5b017c322172dea5d6c4e
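The per-section figures above are read straight from the IMAGE_SECTION_HEADER table, and the .bss row is a useful sanity check: its raw size is 0, so the SHA1 and MD5 shown are the hashes of the empty string. The script below is an added example, not part of this report or of any tool behind it: a pure-Python PE32+ section walker that reproduces those per-section values and applies the checks a triager otherwise makes by eye (no raw data, virtual size far above raw size, writable-and-executable, high entropy). It runs against a constructed minimal PE image built inside the script, not the Itkool sample; the flag thresholds (8x size ratio, entropy above 7.2) are the author's assumptions, not values taken from the report.

```python
"""Added example: minimal PE32+ section-table walker (not the report's own code)."""
import hashlib
import math
import struct

FILE_HEADER_FMT = "<HHIIIHH"      # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes
PE32PLUS_MAGIC = 0x20B
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_WRITE = 0x80000000
FILE_ALIGN = 0x200


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_pe() -> bytes:
    """Constructed test image (not a real binary): a PE32+ with a small code
    section, an uninitialised .bss with raw size 0, and a .data section whose
    VirtualSize dwarfs its raw size and whose bytes are uniformly distributed."""
    e_lfanew = 0x40
    opt_size = 240                      # PE32+ optional header size
    nsections = 3
    headers_end = e_lfanew + 4 + 20 + opt_size + nsections * 40
    first_raw = (headers_end + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN

    text = (b"\x48\x31\xc0\xc3" * 64).ljust(FILE_ALIGN, b"\0")   # xor rax,rax; ret
    data = bytes(range(256)) * 2                                  # every byte value twice
    # name, vaddr, vsize, rawsize, rawptr, characteristics, content
    sections = [
        (b".text", 0x1000, 0x100, FILE_ALIGN, first_raw, 0x60000020, text),
        (b".bss", 0x2000, 0x61920, 0, 0, 0xC0000080, b""),
        (b".data", 0x3000, 0x20000, FILE_ALIGN, first_raw + FILE_ALIGN, 0xC0000040, data),
    ]
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    file_header = struct.pack(FILE_HEADER_FMT, 0x8664, nsections, 0, 0, 0, opt_size, 0x0022)
    opt_header = struct.pack("<H", PE32PLUS_MAGIC).ljust(opt_size, b"\0")
    table = b"".join(
        struct.pack(SECTION_FMT, name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, rawsize, rawptr, chars, _ in sections
    )
    image = bytearray((dos + b"PE\0\0" + file_header + opt_header + table).ljust(first_raw, b"\0"))
    for _, _, _, rawsize, _, _, content in sections:   # raw pointers are contiguous
        if rawsize:
            image += content.ljust(rawsize, b"\0")
    return bytes(image)


def parse_sections(image: bytes) -> list:
    """Walk the section table and return per-section hashes plus triage flags."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    fh_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, image, fh_off)
    opt_off = fh_off + 20
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic != PE32PLUS_MAGIC:
        raise ValueError(f"expected PE32+ (0x20B), got {magic:#x}")
    out = []
    for i in range(nsections):
        off = opt_off + opt_size + i * 40
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, image, off)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        flags = []
        if rawsize == 0 and vsize:
            flags.append("no raw data (uninitialised; hashes are of the empty string)")
        elif vsize > 8 * rawsize:                       # assumed threshold
            flags.append("virtual size far exceeds raw size (room for unpacked code/data)")
        if chars & SCN_MEM_EXECUTE and chars & SCN_MEM_WRITE:
            flags.append("writable and executable")
        ent = entropy(raw)
        if ent > 7.2:                                   # assumed threshold
            flags.append(f"high entropy {ent:.2f} (compressed or encrypted content)")
        out.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "sha1": hashlib.sha1(raw).hexdigest(),
            "md5": hashlib.md5(raw).hexdigest(),
            "entropy": round(ent, 2),
            "flags": flags,
        })
    return out


if __name__ == "__main__":
    for s in parse_sections(build_sample_pe()):
        print(f"{s['name']:<8} {s['vaddr']:#010x} {s['vsize']:#010x} {s['rawsize']:>6} "
              f"{s['sha1']} {s['entropy']:.2f} {'; '.join(s['flags'])}")
```

parse_sections() takes any PE32+ file's bytes, so the same walker can be pointed at a real sample with open(path, "rb").read(); on the constructed image the .bss row comes back with the same empty-string SHA1 (da39a3ee...) and MD5 (d41d8cd9...) that the report shows for the real .bss.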

PE Resources 6

Name Language Sublanguage Offset Size Data
RT_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0x6e79c4 1128
RT_STRING LANG_NEUTRAL SUBLANG_NEUTRAL 0x6e8604 660
RT_RCDATA LANG_NEUTRAL SUBLANG_NEUTRAL 0x6f0ce0 44
RT_GROUP_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0x6f0d0c 90
RT_VERSION LANG_ENGLISH SUBLANG_ENGLISH_US 0x6f0d68 1268
RT_MANIFEST LANG_NEUTRAL SUBLANG_NEUTRAL 0x6f125c 490

Meta infos 8

LegalCopyright: Copyright(c) 2004-2023 Itkool. ALL RIGHTS RESERVED.
FileVersion: 2.2.0
CompanyName: Itkool
ProductVersion: 2.2.0
FileDescription: Itkool Video Downloader Setup
Translation: 0x0000 0x04b0
Comments: This installation was built with Inno Setup.
ProductName: Itkool Video Downloader

Packers detected 1

Microsoft Visual C++ 8.0 (DLL)

Note: this is a compiler-signature match, not evidence of a packer. The strings below (github.com/saferwall/pe/log, *syscall.DLL, golang.org/x/sys/windows.DLL) and the single export _cgo_dummy_export identify the file as a Go binary built with cgo, which also accounts for the zeroed compile time; the MSVCRT.dll import comes from the cgo-linked C runtime.

Anti debug functions 4

GetLastError
IsDebuggerPresent
OutputDebugStringA
RaiseException

Note: these are ordinary imports rather than dedicated anti-analysis code. GetLastError, RaiseException and OutputDebugStringA are used by any C runtime; IsDebuggerPresent is the only direct debugger check among them, and on its own it is a weak signal.

Anti VM functions 1

Virtual Box

Strings analysis - File found

Log
github.com/saferwall/pe/log.(*Filter).Log
math.Log
github.com/saferwall/pe/log.(*stdLogger).Log
Library
WS2_32.dll
WINMM.dll
KERNEL32.dll
ntdll.dll
bcryptprimitives.dll
Powrprof.dll
*syscall.DLL
MSVCRT.dll
*windows.DLL
type:.eq.syscall.DLL
type:.eq.golang.org/x/sys/windows.DLL

Strings analysis - Possible IPs found 12

1.2.2.1
1.1.2.1
5.4.112.5
1.1.3.1
5.4.32.5
1.2.1.1
4.52.5.4
1.1.1.1
2.5.4.62
72.5.4.82
127.0.0.1
12.5.4.102

Note: most of these are regex hits on dotted-decimal text, not network addresses. Short runs such as 1.2.2.1 and 2.5.4.62 are most likely fragments of ASN.1 object identifiers (2.5.4 is the X.500 attribute-type arc used in certificate subject names), which is what a Go binary with TLS support carries in its string table. 1.1.1.1 and 127.0.0.1 are real addresses but library defaults, not indicators; none of them appears in the URL/IP indicator table above.

Strings analysis - Possible URLs found 4

https://developers.whatismybrowser.com/useragents/explore/%s/%s/%dtls:
https://raw.githubusercontent.com/EDDYCJY/fake-useragent/v0.2.0/static/too
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtdtls:
http://chunkedCreatedIM

Note: the trailing "tls:" fragments and the "chunkedCreatedIM" pseudo-URL are adjacent string constants run together, because Go stores its string data contiguously without terminators. The genuine URLs are library constants, not contacted endpoints: the first two belong to the EDDYCJY/fake-useragent package (User-Agent randomisation for HTTP client code), and the IBM DTD is an entry in the HTML5 quirks-mode doctype list embedded in Go's golang.org/x/net/html parser. The only infrastructure indicator on this page remains the download host 193.233.132.167.

Import functions

PE Exports 1 suspicious

Function Address
_cgo_dummy_export 0x1406bfb50

Note: _cgo_dummy_export is the placeholder export that the Go toolchain emits in cgo-enabled Windows builds. It is a toolchain artefact rather than a capability, and it is the reason a GUI executable carries an export directory at all.

Name | Latest seen | MD5
BEST-13-12-2023v1.exe | 2023-12-13 18:13:04 | 4bc1bd277770c8da36c5d31968a0e977
test2.exe | 2024-01-08 06:23:02 | 037949445f001bdf36221ac7706d6c08
322321.exe | 2024-01-22 14:51:02 | b1087aa5a1a538d7ee3bd9c3b774bb38
TrueCrypt_JfDCWj.exe | 2024-01-10 05:52:02 | 8f655252551741b4cf59d00b32b43839
Setup.exe | 2024-01-10 06:32:02 | 76d605139bbe5e8f135c8b5949758145
125.exe | 2024-01-11 03:26:03 | 6e6daa196cfdcfd8f2481d230b0e8abe
photo.jpg | 2024-01-11 04:52:02 | 360bab4dd905795e1f6d8e6dff02444b
image2.jpg | 2024-01-14 12:13:03 | 33d080070ac3e6eb0957d2bd5a96725f
logo4.jpg | 2024-01-16 22:11:02 | 5a56ed15402941ec11c3fd3b278d23bd
cryppp.exe | 2024-01-17 20:52:02 | a95b7d1ef3c4f8932fa97c287dd54c70
Machinegggg.exe | 2024-01-28 05:03:02 | 8b8c6376bb40d5bd505d1ae0deee9d2c
TrueCrypt_NKwtUN.exe | 2024-01-24 16:43:05 | 39f80737377063d3707ee4cca86f1178
TrueCrypt_NyNIUi.exe | 2024-01-25 14:05:03 | 103b8f2dfacb5d9fac830f710c031f22
o3.exe | 2024-01-30 12:22:05 | a0ad541b6b14f43ba14405684a97f3a8
o3tech.exe | 2024-02-02 01:29:03 | ce588fbb745992adf637104433d1143c
d.exe | 2024-02-03 06:01:04 | 1d5694669b0c9b54fff8ae7e8cbef468
TrueCrypt_RRzIAf.exe | 2024-02-09 16:24:02 | 9f6c76c41673975e5a7ca8cfa4adc060