index.php

First submission 2023-09-15 14:34:02

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	272.5 KB (279040 bytes)
Compile time:	2022-03-24 08:19:59
MD5:	cb77680df3b88a997837d29478d8a9fa
SHA1:	698ea26835510137871b261181e00ca26f1a96a7
SHA256:	8bbbf51d4c5404915d1b306121e0226d1f23e88acf635c8cb4f4461dbe142838
Import Hash :	ed59ec9c2e7c8ef8d97dbc8b84b56759
Sections 3	.text .data .rsrc
Directories 2	import resource
Virus Total:	27/63 VT report date: 2023-09-15 12:30:22

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXps://api-alajman.com/tmp/index.php	api-alajman.com	2023-09-15 14:34:02

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x1eec2	126976	fedfc0fd4b9b1c9a9438a4ab455dbad0ca8369bb	e5368489aadfe860b57f11566c76982b
.data	0x20000	0x2e28ac	90624	fcb01ea260d09c4662e3c7ea5c9fdcfb9190a221	6fd5f8a2cc06caba389775f8554495cb
.rsrc	0x303000	0xeb28	60416	7e2f10dbf69d0528f57f1947d6cb3bf9b3593bbd	000e1459594d742b04502f9d2d9a412f

PE Resources 6

Name	Language	Sublanguage	Offset	Size	Data
RT_CURSOR	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x3106f0	2216	PE Resource: RT_CURSOR - Data ( @888AAAJJJMMMTTTppp/-P?pQcv1Qq,/KPhp1Qq/!P7pLcy1Qq/Pp",6@J[1qQq/Pp =1[Qyq/"P0p=LYgx1Qq&/@PZpt1Qq/&PAp[t1Qq/P"p0>M[iy1Qq/Pp >1\Qzq/Pp!+6@IZ1pQq/ P6pLbx1Qq,/KPip1Qq/-P?pRcv1Qq/Pp!&,>X1qQq ?
RT_ICON	LANG_SINDHI	SUBLANG_SYS_DEFAULT	0x30ef18	1128
RT_STRING	LANG_SINDHI	SUBLANG_SYS_DEFAULT	0x311660	1224	PE Resource: RT_STRING - Data 4Beketowinefope feme mugaxozad govuve rubeyanopinuvuxGLuhomijiruwaki jenine jidiratako xaba retacototevoh wuro haworaz telavu&Gina dok yunitabapopox yiliverefubizek"Pehuxe diwiyoyizis lepamaxurulunix\Rinisipade varivabusoxa xud peranatasanux kaxiramavuk tata vulom picenanafow tib selulazefinJud vadajuruboneAGov nexemewetupu xaxoxej peru xupitosetejirup nojifuguyimuj pajahXasutete?Yerehezuse fecuwegijusih sejab ruvu mizovapomod xow xofofefudodMWuheluj tijusobocin xuhoni xak banovara wezayatafiyaw webivevamazowu jewaduxePNohitolegar cuzixu suyot xokuyaser hukafifig tipapuxofumoga rivabibixosuzi rihem
RT_GROUP_CURSOR	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x3106c0	48
RT_GROUP_ICON	LANG_SINDHI	SUBLANG_SYS_DEFAULT	0x308b60	90
RT_VERSION	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x310fb0	640	PE Resource: RT_VERSION - Data 4VS_VERSION_INFOD<?StringFileInfo029385B3: CompanyNamePhunderstuck< FileDescriptionsAnybodies: FileVersions49.51.44.114: InternalNameCascader.exeNLegalCopyrightsChallangers bottle,ProductNameBonni8 ProductVersion57.5.64.0DVarFileInfo$TranslationN

Meta infos 8

InternalName:	Cascader.exe
FileVersions:	49.51.44.114
LegalCopyrights:	Challangers bottle
CompanyName:	Phunderstuck
ProductVersion:	57.5.64.0
FileDescriptions:	Anybodies
Translation:	0x124e 0x03fe
ProductName:	Bonni

Packers detected 2

Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

Anti debug functions 6

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Library
WUSER32.DLL
KERNEL32.dll
mscoree.dll
ADVAPI32.dll
SHELL32.dll
USER32.dll
WINHTTP.dll
ole32.dll
GDI32.dll

Strings analysis - Possible IPs found 1

49.51.44.114

Import functions

GDI32.dll 3 SHELL32.dll 1 KERNEL32.dll 122 ADVAPI32.dll 1 ole32.dll 1 USER32.dll 2 WINHTTP.dll 1

Function	Address	Souspicious	Anti Debug
SelectPalette	0x401008
GetTextFaceW	0x40100c
GetCharWidthW	0x401010

Function	Address	Souspicious	Anti Debug
DragFinish	0x401204

Function	Address	Souspicious	Anti Debug
GetNumaProcessorNode	0x401018
MoveFileExA	0x40101c
BuildCommDCBAndTimeoutsA	0x401020
SystemTimeToTzSpecificLocalTime	0x401024
InterlockedDecrement	0x401028
SetDefaultCommConfigW	0x40102c
GetEnvironmentStringsW	0x401030
AddConsoleAliasW	0x401034
GetModuleHandleW	0x401038
GenerateConsoleCtrlEvent	0x40103c
GetNumberFormatA	0x401040
SetFileTime	0x401044
GetConsoleAliasExesW	0x401048
EnumTimeFormatsA	0x40104c
GetCommandLineA	0x401050
GetDriveTypeA	0x401054
GetEnvironmentStrings	0x401058
GetPrivateProfileIntA	0x40105c
LoadLibraryW	0x401060
TerminateThread	0x401064
FatalAppExitW	0x401068
CopyFileW	0x40106c
SetVolumeMountPointA	0x401070
SetConsoleCP	0x401074
SetConsoleCursorPosition	0x401078
GetVolumePathNameA	0x40107c
GetStartupInfoW	0x401080
CreateMailslotW	0x401084
CreateJobObjectA	0x401088
InterlockedExchange	0x40108c
SetThreadLocale	0x401090
OpenMutexW	0x401094
GetConsoleAliasesLengthW	0x401098
GetLastError	0x40109c
GetCurrentDirectoryW	0x4010a0
SetLastError	0x4010a4
BackupRead	0x4010a8
EnumSystemCodePagesW	0x4010ac
LoadLibraryA	0x4010b0
GetProcessId	0x4010b4
InterlockedExchangeAdd	0x4010b8
LocalAlloc	0x4010bc
GetFileType	0x4010c0
RemoveDirectoryW	0x4010c4
GetProfileStringA	0x4010c8
FindNextChangeNotification	0x4010cc
FindAtomA	0x4010d0
GlobalWire	0x4010d4
EnumDateFormatsA	0x4010d8
GetModuleHandleA	0x4010dc
SetLocaleInfoW	0x4010e0
FreeEnvironmentStringsW	0x4010e4
FindNextFileW	0x4010e8
VirtualProtect	0x4010ec
PeekConsoleInputA	0x4010f0
GetShortPathNameW	0x4010f4
OpenSemaphoreW	0x4010f8
FindAtomW	0x4010fc
GetWindowsDirectoryW	0x401100
FindFirstVolumeW	0x401104
DeleteFileW	0x401108
CreateFileW	0x40110c
EnumCalendarInfoA	0x401110
FindFirstFileW	0x401114
GetCommandLineW	0x401118
EnumResourceNamesW	0x40111c
GetComputerNameA	0x401120
GetHandleInformation	0x401124
ReadFile	0x401128
GetStringTypeW	0x40112c
LCMapStringW	0x401130
WriteConsoleW	0x401134
HeapAlloc	0x401138
GetProcAddress	0x40113c
ExitProcess	0x401140
DecodePointer	0x401144
DeleteFileA	0x401148
EncodePointer	0x40114c
HeapReAlloc	0x401150
HeapSetInformation	0x401154
RaiseException	0x401158
UnhandledExceptionFilter	0x40115c
SetUnhandledExceptionFilter	0x401160
IsDebuggerPresent	0x401164
TerminateProcess	0x401168
GetCurrentProcess	0x40116c
HeapFree	0x401170
IsProcessorFeaturePresent	0x401174
WriteFile	0x401178
GetStdHandle	0x40117c
GetModuleFileNameW	0x401180
HeapCreate	0x401184
EnterCriticalSection	0x401188
LeaveCriticalSection	0x40118c
SetFilePointer	0x401190
SetHandleCount	0x401194
InitializeCriticalSectionAndSpinCount	0x401198
DeleteCriticalSection	0x40119c
TlsAlloc	0x4011a0
TlsGetValue	0x4011a4
TlsSetValue	0x4011a8
TlsFree	0x4011ac
InterlockedIncrement	0x4011b0
GetCurrentThreadId	0x4011b4
Sleep	0x4011b8
HeapSize	0x4011bc
QueryPerformanceCounter	0x4011c0
GetTickCount	0x4011c4
GetCurrentProcessId	0x4011c8
GetSystemTimeAsFileTime	0x4011cc
WideCharToMultiByte	0x4011d0
GetConsoleCP	0x4011d4
GetConsoleMode	0x4011d8
GetCPInfo	0x4011dc
GetACP	0x4011e0
GetOEMCP	0x4011e4
IsValidCodePage	0x4011e8
SetStdHandle	0x4011ec
FlushFileBuffers	0x4011f0
RtlUnwind	0x4011f4
MultiByteToWideChar	0x4011f8
CloseHandle	0x4011fc

Function	Address	Souspicious	Anti Debug
LookupAccountSidW	0x401000

Function	Address	Souspicious	Anti Debug
CoGetInstanceFromFile	0x401220

Function	Address	Souspicious	Anti Debug
GetListBoxInfo	0x40120c
CharUpperW	0x401210

Function	Address	Souspicious	Anti Debug
WinHttpSetOption	0x401218

Name	Latest seen	MD5
index.php	2023-09-15 14:11:02	9dfb568692c3817a381c171965d30e1c

index.php

File details

File features detected

URLs, FQDN and IP indicators 1

PE Sections 1 suspicious

PE Resources 6

Meta infos 8

Packers detected 2

Anti debug functions 6

Strings analysis - File found

Strings analysis - Possible IPs found 1

Import functions

Related files by ImpHash 1 ed59ec9c2e7c8ef8d97dbc8b84b56759