GiftCardPaypalKey.exe

First submission 2024-10-15 19:49:02

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 1703.5 KB (1744384 bytes)
Compile time: 2020-12-12 01:09:05
MD5: ccb3b74d378733c21fc584875b5a8b07
SHA1: 6779b4d3cfff750eeeeba77ec7abf4e206cc3931
SHA256: 0b1fadc136b71d5961664a2a1dc8e340c28324d3d8637667f1280bee4c3d12db
Import Hash: 2edb88f7689ca448e9a88dda8c785c3c
Sections: 7 (named sections: .rsrc, .data)
Directories: 3 (import, resource, debug)

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 53/77 VT report date: 2020-12-11 20:01:14
Malware Type (2): trojan, worm
Threat Type (3): msil, heye, r002c0wjb24

URLs, FQDN and IP indicators (1)

| URL | Host (FQDN/IP) | Date Added |
| --- | --- | --- |
| hXXp://furymetin2.3x.ro/GiftCardPaypalKey.exe | furymetin2.3x.ro | 2024-10-15 19:49:02 |

PE Sections (6 suspicious)

| Name | VAddress | VSize | Size | SHA1 | MD5 | Suspicious |
| --- | --- | --- | --- | --- | --- | --- |
| | 0x1000 | 0x1a000 | 57344 | 5b7fea6fecac8c1a80663e6c07170f82b9c8f7c8 | 7d0c482b31737e8bb97281e6b0452ffa | |
| | 0x1b000 | 0x7000 | 14848 | 25b5c6552c993d34dc96cd237734d6f27ed0f854 | 19fc88db3cc01dcb0836d8dddb06cb2e | |
| | 0x22000 | 0x4000 | 2048 | c3baf179086fe09ef182ae2111dffc237c95534f | f5f7bd7c26b45ba1f1a2ab0cce8d0e00 | |
| | 0x26000 | 0x66000 | 417792 | e3a1fdf3f7449417191d99c1edbdcf4ec86eb381 | a77d70086e722512dbd1ddac07e13b68 | |
| .rsrc | 0x8c000 | 0x4000 | 13312 | 918c9566043f5f805eb964834d86f99ca81cd860 | 6d43bc4601434fd0cba88e38faa0d160 | |
| | 0x90000 | 0x2a5000 | 170496 | 506d5fbe971ba2fb9271f8eae0eb1ab91000b2b7 | e76ce3431682f34c2c0205ada90c9ea6 | |
| .data | 0x335000 | 0x105000 | 1067520 | 2237f255322871d9de188e357182be71652b6206 | 219561a42605e5b5d48bb21703f5e925 | |

PE Resources (5)

| Name | Language | Sublanguage | Offset | Size | Data |
| --- | --- | --- | --- | --- | --- |
| RT_ICON | LANG_NEUTRAL | SUBLANG_NEUTRAL | 0x8e8f0 | 1128 | |
| RT_RCDATA | LANG_NEUTRAL | SUBLANG_NEUTRAL | 0x8b944 | 32 | |
| RT_GROUP_ICON | LANG_NEUTRAL | SUBLANG_NEUTRAL | 0x8ed58 | 104 | |
| RT_VERSION | LANG_NEUTRAL | SUBLANG_NEUTRAL | 0x8edc0 | 672 | |
| RT_MANIFEST | LANG_NEUTRAL | SUBLANG_NEUTRAL | 0x8f060 | 490 | |

Meta info (9)

LegalCopyright: Copyright © 2014
Assembly Version: 1.0.0.0
InternalName: Phulli.exe
FileVersion: 1.0.0.0
FileDescription: Phulli
OriginalFilename: Phulli.exe
Translation: 0x0000 0x04b0
ProductVersion: 1.0.0.0
ProductName: Phulli

Packers detected (4)

Borland Delphi 3.0 (???)
Borland Delphi 4.0
BobSoft Mini Delphi -> BoB / BobSoft
Enigma Protector 1.1X-1.3X -> Sukhov Vladimir & Serge N. Markin

Strings analysis - File found

FTP Config
  .Ftp
Library
  OLEAUT32.dll
  mscoree.dll
  USER32.dll
  ADVAPI32.dll
  GDI32.dll
  KERNEL32.dll
  VERSION.dll
  ole32.dll
  SHELL32.dll

Import functions