hydra.exe?ex=670ef165&is=670d9fe5&hm=d1114b65b18c8fc6ac378cf57169ad9d4f23499ced8ea6fe3b1fe96461e38a98&

First submission 2024-10-15 20:12:05

File details

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	35109.67 KB (35952300 bytes)
Compile time:	2024-10-14 06:04:35
MD5:	d446fa000d260aa78513d383874d82e5
SHA1:	2f2597f40afe134590d31f636ee3ae79456a82d1
SHA256:	57c7ef2c9fc6fd093970b6babf124ee23fdb1c55f8570e05f1198d375548873c
Import Hash :	72c4e339b7af8ab1ed2eb3821c98713a
Sections 6	.text .rdata .data .pdata .rsrc .reloc
Directories 5	import resource debug relocation security

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	36/76 VT report date: 2024-10-15 06:07:07
Malware Type 2	trojan pua
Threat Type 2	tedy atraps

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXps://cdn.discordapp.com/attachments/1294032919903338546/1295518790607704084/hydra.exe?ex=670ef165&is=670d9fe5&hm=d1114b65b18c8fc6ac378cf57169ad9d4f23499ced8ea6fe3b1fe96461e38a98&	cdn.discordapp.com	2024-10-15 20:12:05

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x29f00	172032	2d9a342b9cea10af36a9defffc2a2fd763e338be	a6c3b829cc8eaabb1a474c227e90407f
.rdata	0x2b000	0x12a50	76800	f5cf7928de95d2e829da378fabb3badcb58372ed	7909eefe42da6df32b7f7db8a687089d
.data	0x3e000	0x53f8	3584	069fd3959f91e690643115a296bf21044144de01	dba0caeecab624a0ccc0d577241601d1
.pdata	0x44000	0x2250	9216	09c2a6d5404bc19e11f7eddad07a164b42b01ee6	181312260a85d10a1454ba38901c499b
.rsrc	0x47000	0x964	2560	1897c05a10283e57cbd9dfd2cb9883d1aa7afeda	1f12eddaf17305c99935ea7348774f65
.reloc	0x48000	0x764	2048	d73caf6099972c4407ac22954a7454e922084dc0	816c68eeb419ee2c08656c31c06a0fff

PE Resources 2

Name	Language	Sublanguage	Offset	Size	Data
RT_VERSION	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x470a0	948	PE Resource: RT_VERSION - Data 4VS_VERSION_INFO aJ aJ?DVarFileInfo$TranslationStringFileInfo000004b0LCompanyNameMicrosoft Corporation,FileDescription @FileVersion10.0.19041.3992BInternalNameScriptRunner.exe:LegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.JOriginalFilenameScriptRunner.exev+ProductNameMicrosoft (R) Windows (R) Operating SystemDProductVersion10.0.19041.3992: Assembly Version10.0.0.0
RT_MANIFEST	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x47454	1293	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language=""/> </dependentAssembly> </dependency> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_VERSION

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x470a0

948

RT_MANIFEST

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x47454

1293

Meta infos 10

LegalCopyright:	Copyright (c) Microsoft Corporation. All rights reserved.
Assembly Version:	10.0.0.0
InternalName:	ScriptRunner.exe
FileVersion:	10.0.19041.3992
CompanyName:	Microsoft Corporation
OriginalFilename:	ScriptRunner.exe
Translation:	0x0000 0x04b0
FileDescription:
ProductVersion:	10.0.19041.3992
ProductName:	Microsoft (R) Windows (R) Operating System

Packers detected 2

Microsoft Visual C++ 8.0 (DLL)
Microsoft Visual C++ 8.0

Anti debug functions 6

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 1

Virtual Box

File signature

MD5	SHA1	Block size	Virtual Address
9e0b10c1542a810070372769e476960d	2ed1a83397bdd4f8129a9d390250a7e64215a234	9712	35942588

Strings analysis - File found

Executable
VV<8.So
Backup
h.oLd
Compressed
base_library.zip
bbase_library.zip
XML
N.xML
Database
LA.db
Text
bsetuptools\_vendor\jaraco.context-5.3.0.dist-info\top_level.txt
bsetuptools\_vendor\zipp-3.19.2.dist-info\top_level.txt
bsetuptools\_vendor\jaraco.text-3.12.1.dist-info\top_level.txt
bsetuptools\_vendor\wheel-0.43.0.dist-info\entry_points.txt
bsetuptools\_vendor\typeguard-4.3.0.dist-info\entry_points.txt
bsetuptools\_vendor\jaraco.functools-4.0.1.dist-info\top_level.txt
bsetuptools\_vendor\autocommand-2.2.2.dist-info\top_level.txt
bsetuptools\_vendor\inflect-7.3.1.dist-info\top_level.txt
bsetuptools\_vendor\importlib_resources-6.4.0.dist-info\top_level.txt
bpycountry-24.6.1.dist-info\LICENSE.txt
bsetuptools\_vendor\jaraco\text\Lorem ipsum.txt
bpycountry\COPYRIGHT.txt
bsetuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt
bsetuptools\_vendor\importlib_metadata-8.0.0.dist-info\top_level.txt
btypeguard-4.3.0.dist-info\entry_points.txt
bsetuptools\_vendor\jaraco.collections-5.1.0.dist-info\top_level.txt
bsetuptools\_vendor\backports.tarfile-1.2.0.dist-info\top_level.txt
bsetuptools\_vendor\typeguard-4.3.0.dist-info\top_level.txt
btypeguard-4.3.0.dist-info\top_level.txt
bwheel-0.43.0.dist-info\entry_points.txt
bwheel-0.43.0.dist-info\LICENSE.txt
Library
mscoree.dll
vcruntime140.dll
bsqlite3.dll
bpywin32_system32\pywintypes312.dll
blibcrypto-3.dll
bVCRUNTIME140_1.dll
bVCRUNTIME140.dll
blibffi-8.dll
ADVAPI32.dll
8python312.dll
bpython3.dll
blibssl-3.dll
bnumpy.libs\msvcp140-23ebcc0b37c8e3d074511f362feac48b.dll
bpython312.dll
GDI32.dll
COMCTL32.dll
KERNEL32.dll
ucrtbase.dll
bnumpy.libs\libscipy_openblas64_-c16e4918366c6bc1f1cd71e28ca36fc0.dll
USER32.dll

Strings analysis - Possible URLs found 9

http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl%200a
http://www.microsoft.com/pkiops/Docs/Repository.htm0
http://www.microsoft.com/windows0
http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0
http://schemas.microsoft.com/SMI/2016/WindowsSettings
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0l
http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt0

Import functions

ADVAPI32.dll 4 KERNEL32.dll 107 GDI32.dll 3 USER32.dll 28 COMCTL32.dll 1

Function	Address	Souspicious	Anti Debug
OpenProcessToken	0x14002b000
GetTokenInformation	0x14002b008
ConvertStringSecurityDescriptorToSecurityDescriptorW	0x14002b010
ConvertSidToStringSidW	0x14002b018

Function	Address	Souspicious	Anti Debug
GetACP	0x14002b058
IsValidCodePage	0x14002b060
GetStringTypeW	0x14002b068
GetFileAttributesExW	0x14002b070
SetEnvironmentVariableW	0x14002b078
FlushFileBuffers	0x14002b080
GetCurrentDirectoryW	0x14002b088
LCMapStringW	0x14002b090
CompareStringW	0x14002b098
FlsFree	0x14002b0a0
GetOEMCP	0x14002b0a8
GetCPInfo	0x14002b0b0
GetModuleHandleW	0x14002b0b8
MulDiv	0x14002b0c0
FormatMessageW	0x14002b0c8
GetLastError	0x14002b0d0
GetModuleFileNameW	0x14002b0d8
LoadLibraryExW	0x14002b0e0
SetDllDirectoryW	0x14002b0e8
CreateSymbolicLinkW	0x14002b0f0
GetProcAddress	0x14002b0f8
GetEnvironmentStringsW	0x14002b100
GetCommandLineW	0x14002b108
GetEnvironmentVariableW	0x14002b110
ExpandEnvironmentStringsW	0x14002b118
DeleteFileW	0x14002b120
FindClose	0x14002b128
FindFirstFileW	0x14002b130
FindNextFileW	0x14002b138
GetDriveTypeW	0x14002b140
RemoveDirectoryW	0x14002b148
GetTempPathW	0x14002b150
CloseHandle	0x14002b158
QueryPerformanceCounter	0x14002b160
QueryPerformanceFrequency	0x14002b168
WaitForSingleObject	0x14002b170
Sleep	0x14002b178
GetCurrentProcess	0x14002b180
TerminateProcess	0x14002b188
GetExitCodeProcess	0x14002b190
CreateProcessW	0x14002b198
GetStartupInfoW	0x14002b1a0
FreeLibrary	0x14002b1a8
LocalFree	0x14002b1b0
SetConsoleCtrlHandler	0x14002b1b8
K32EnumProcessModules	0x14002b1c0
K32GetModuleFileNameExW	0x14002b1c8
CreateFileW	0x14002b1d0
FindFirstFileExW	0x14002b1d8
GetFinalPathNameByHandleW	0x14002b1e0
MultiByteToWideChar	0x14002b1e8
WideCharToMultiByte	0x14002b1f0
FlsSetValue	0x14002b1f8
FreeEnvironmentStringsW	0x14002b200
GetProcessHeap	0x14002b208
GetTimeZoneInformation	0x14002b210
HeapSize	0x14002b218
HeapReAlloc	0x14002b220
WriteConsoleW	0x14002b228
SetEndOfFile	0x14002b230
CreateDirectoryW	0x14002b238
RtlCaptureContext	0x14002b240
RtlLookupFunctionEntry	0x14002b248
RtlVirtualUnwind	0x14002b250
UnhandledExceptionFilter	0x14002b258
SetUnhandledExceptionFilter	0x14002b260
IsProcessorFeaturePresent	0x14002b268
GetCurrentProcessId	0x14002b270
GetCurrentThreadId	0x14002b278
GetSystemTimeAsFileTime	0x14002b280
InitializeSListHead	0x14002b288
IsDebuggerPresent	0x14002b290
RtlUnwindEx	0x14002b298
SetLastError	0x14002b2a0
EnterCriticalSection	0x14002b2a8
LeaveCriticalSection	0x14002b2b0
DeleteCriticalSection	0x14002b2b8
InitializeCriticalSectionAndSpinCount	0x14002b2c0
TlsAlloc	0x14002b2c8
TlsGetValue	0x14002b2d0
TlsSetValue	0x14002b2d8
TlsFree	0x14002b2e0
EncodePointer	0x14002b2e8
RaiseException	0x14002b2f0
RtlPcToFileHeader	0x14002b2f8
GetCommandLineA	0x14002b300
GetFileInformationByHandle	0x14002b308
GetFileType	0x14002b310
PeekNamedPipe	0x14002b318
SystemTimeToTzSpecificLocalTime	0x14002b320
FileTimeToSystemTime	0x14002b328
ReadFile	0x14002b330
GetFullPathNameW	0x14002b338
SetStdHandle	0x14002b340
GetStdHandle	0x14002b348
WriteFile	0x14002b350
ExitProcess	0x14002b358
GetModuleHandleExW	0x14002b360
HeapFree	0x14002b368
GetConsoleMode	0x14002b370
ReadConsoleW	0x14002b378
SetFilePointerEx	0x14002b380
GetConsoleOutputCP	0x14002b388
GetFileSizeEx	0x14002b390
HeapAlloc	0x14002b398
FlsAlloc	0x14002b3a0
FlsGetValue	0x14002b3a8

Function	Address	Souspicious	Anti Debug
SelectObject	0x14002b038
DeleteObject	0x14002b040
CreateFontIndirectW	0x14002b048

Function	Address	Souspicious	Anti Debug
CreateWindowExW	0x14002b3b8
ShutdownBlockReasonCreate	0x14002b3c0
MsgWaitForMultipleObjects	0x14002b3c8
ShowWindow	0x14002b3d0
DestroyWindow	0x14002b3d8
RegisterClassW	0x14002b3e0
DefWindowProcW	0x14002b3e8
PeekMessageW	0x14002b3f0
DispatchMessageW	0x14002b3f8
TranslateMessage	0x14002b400
PostMessageW	0x14002b408
GetMessageW	0x14002b410
MessageBoxW	0x14002b418
MessageBoxA	0x14002b420
SystemParametersInfoW	0x14002b428
DestroyIcon	0x14002b430
SetWindowLongPtrW	0x14002b438
GetWindowLongPtrW	0x14002b440
GetClientRect	0x14002b448
InvalidateRect	0x14002b450
ReleaseDC	0x14002b458
GetDC	0x14002b460
DrawTextW	0x14002b468
GetDialogBaseUnits	0x14002b470
EndDialog	0x14002b478
DialogBoxIndirectParamW	0x14002b480
MoveWindow	0x14002b488
SendMessageW	0x14002b490

Function	Address	Souspicious	Anti Debug
None	0x14002b028

Name	Latest seen	MD5
discordnitrogen.exe	2024-08-26 11:31:14	2db515aa4c8ba2b4e6878e7e0b550c8f
tac.exe	2024-09-23 16:57:06	8a35be4e0576e642603dc78f07f32a93
Software.exe	2024-09-24 15:24:04	66c1d33fa2373f9f734336b87f123e31
st3amBYluxy.exe?ex=670cd923&is=670b87a3&hm=9d7dba21c2a8ad22d47f3edba77c4617ddfb3d025ff473df74bdf2b60f0c68d1&	2024-10-13 17:33:03	23f733d217275847ffb11bf97827dae8
freenitro.exe?ex=670c1355&is=670ac1d5&hm=fe431b2f20f8cc958563e6e904e1c828290ba1470a54a6f82725608fa4784485&	2024-10-13 19:34:02	8c9efd9a2d9d55aad11203cc4e3c816d
nitrobuyer.exe?ex=670c445a&is=670af2da&hm=1f281fd80c98af4f9fd87d76a7cd35a3e597b77693d1a804430d0000615d585a&	2024-10-13 19:38:03	32554d2f5dcd9927b21b43dda85359c2
mullakka.exe?ex=670c4027&is=670aeea7&hm=c37458cb8f8dc2985499fcc5dd86600a1dda5f7a724709109a97ae24970f4d65&	2024-10-13 20:17:02	136c7ac634c84ad86c1c7340c9262116
FreakyBrowse.exe?ex=670c18f3&is=670ac773&hm=3a26c3c7751649dfe642708c7308021483cb3a3e840a9d7ffd5fdf0ed02746be&	2024-10-13 20:39:02	a2728dfccca75072dd2f6c6a02617ee6
distribution.exe	2024-10-14 12:45:31	2cf67f645897af37ea483ed1aa3b2790
Wahiy_swapper.exe?ex=670e299f&is=670cd81f&hm=d668cc4432184523e29c1a622634c90477a431b1b18691a624773cd7989420a9&	2024-10-14 16:52:04	8e77547b14323977331594025634d90a
worker.exe	2024-10-14 23:10:06	5f08961671234960517cefb9df7a8c41
Rv2_Nuker.exe?ex=670f7931&is=670e27b1&hm=22265025fa8bb5baf986ff9795b8348e2c4fa24d4f6cced287e52fcfb45bf1e7&	2024-10-15 20:10:02	b459e3a71f72a9ac8a725144d56d1168
Exela.exe	2024-10-15 21:10:21	83154f0731104f82b198eb13465dfa57