potkmdaw.exe

First submission 2024-07-08 16:10:03 Last submission 2024-07-12 12:39:02

File details

File type: PE32+ executable (GUI) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 963.31 KB (986428 bytes)
Compile time: 2024-05-12 12:17:07
MD5: cefc3739d099bae51eb2a9d3887ac12c
SHA1: fba9f10f553d73382f73247c5c136e8338f1ebe5
SHA256: 17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7
Import Hash : b1c5b1beabd90d9fdabd1df0779ea832
Sections 8 .text .rdata .data .pdata .didat _RDATA .rsrc .reloc
Directories 6 import export resource debug tls relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 45/78 VT report date: 2024-07-08 12:25:32
Malware Type 2 trojan spyware
Threat Type 3 lazy recordbreaker raccoonsteal

URLs, FQDN and IP indicators 3

URL Host (FQDN/IP) Date Added
hXXp://77.91.77.80/lend/potkmdaw.exe 77.91.77.80 2024-07-12 12:39:03
hXXp://77.91.77.82/lend/potkmdaw.exe 77.91.77.82 2024-07-12 12:38:04
hXXp://77.91.77.81/lend/potkmdaw.exe 77.91.77.81 2024-07-08 16:10:03

PE Sections 0 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x4676e 288768 278d421b8fcce5071cdb55190b5a29b42bdf8201 f06bb06e02377ae8b223122e53be35c2
.rdata 0x48000 0x128c4 76288 3114d29305d4b88fffea6ad50b3704072be27858 2de06d4a6920a6911e64ff20000ea72f
.data 0x5b000 0xe75c 6656 a1ae38ef93496365ab03cd8e1b3098ca6ac430e0 0dbdb901a7d477980097e42e511a94fb
.pdata 0x6a000 0x306c 12800 e0cde833721b87c288e4dbf07c14d46d8670d708 b0ce0f057741ad2a4ef4717079fa34e9
.didat 0x6e000 0x360 1024 190f8d2fea268d844623189351a02d25e6bedfff 1fcc7b1d7a02443319f8fcc2be4ca936
_RDATA 0x6f000 0x15c 512 8d13993151b09d8343303215408e337388130e61 3f331ec50f09ba861beaf955b33712d5
.rsrc 0x70000 0xff7c 65536 5f2ce9aee06fb8dbc4a8eb14d730c52b98bd3602 7cc0e4178407044344713ed68f887c23
.reloc 0x80000 0x970 2560 b8c49df878d332ebd45f8be315a23f5d1c7402bf 77a9ddfc47a5650d6eebbcc823e39532

PE Resources 6

Name Language Sublanguage Offset Size Data
PNG LANG_RUSSIAN SUBLANG_NEUTRAL 0x711ec 5545
RT_ICON LANG_NEUTRAL SUBLANG_DEFAULT 0x7d394 1128
RT_DIALOG LANG_RUSSIAN SUBLANG_NEUTRAL 0x7e148 586
RT_STRING LANG_RUSSIAN SUBLANG_NEUTRAL 0x7f548 616
RT_GROUP_ICON LANG_NEUTRAL SUBLANG_DEFAULT 0x7f7b0 118
RT_MANIFEST LANG_RUSSIAN SUBLANG_NEUTRAL 0x7f828 1875

Packers detected 1

Microsoft Visual C++ 8.0 (DLL)

Anti debug functions 6

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Temporary
winrarsfxmappingfile.tmp
Library
Crypt32.dll
peerdist.dll
msasn1.dll
profapi.dll
api-ms-win-core-synch-l1-2-0.dll
RpcRtRemote.dll
sfc_os.dll
XmlLite.dll
USERENV.dll
ntmarta.dll
rasadhlp.dll
mscoree.dll
mlang.dll
cryptsp.dll
linkinfo.dll
UxTheme.dll
imageres.dll
VERSION.dll
cscapi.dll
usp10.dll
wkscli.dll
devrtl.dll
secur32.dll
wintrust.dll
atl.dll
WINNSI.DLL
rsaenh.dll
riched20.dll
cryptui.dll
ntshrui.dll
slc.dll
oleaccrc.dll
PSAPI.DLL
propsys.dll
KERNEL32.dll
NETAPI32.dll
aclui.dll
dhcpcsvc6.dll
cryptbase.dll
ws2help.dll
SHELL32.dll
samlib.dll
shdocvw.dll
dwmapi.dll
cabinet.dll
MPR.dll
WS2_32.dll
WindowsCodecs.dll
dnsapi.dll
SSPICLI.DLL
samcli.dll
apphelp.dll
dfscli.dll
dsrole.dll
ieframe.dll
lpk.dll
comres.dll
netutils.dll
clbcatq.dll
dhcpcsvc.dll
IPHLPAPI.DLL
srvcli.dll
DXGIDebug.dll
browcli.dll
SETUPAPI.dll
Fole32.dll
ADVAPI32.dll
GDI32.dll
COMDLG32.dll
OLEAUT32.dll
USER32.dll
SHLWAPI.dll
COMCTL32.dll
gdiplus.dll

Strings analysis - Possible URLs found 1

http://schemas.microsoft.com/SMI/2005/WindowsSettings

Import functions

Name Latest seen MD5
a.exe 2024-05-26 01:26:02 5c95d5493dda877b228a6485a6d40d9c
csrss.exe 2024-05-30 10:24:06 1eaae465bda927c1893a5744301cde9b
lrthijawd.exe 2024-06-14 16:06:02 1b1ecd323162c054864b63ada693cd71
kfiwarhg.exe 2024-06-14 16:30:14 7d44a8a6757c2b7287c4a7b761f4e326
4x.exe 2024-06-07 14:16:02 c8432b773d48e5e0a9f2d1ecb7c557f8
motruhjgmawes.exe 2024-06-14 16:49:08 57a6a83482ce2897e8cdec17accbd662