service.exe

First submission 2024-10-15 17:42:02

File details

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	1842.5 KB (1886720 bytes)
Compile time:	2024-10-10 00:20:33
MD5:	d44e2b02979b3331e0eb2fab9e96196e
SHA1:	f63dc99f5bd59d534157f6f15d686ee79a0c694a
SHA256:	22fb4c9c67ccdfcd03136a651aaa697c448d86f2a156bd4ef0113adfc2948635
Import Hash :	36c66603aaac9755a6698f59059e1970
Sections 7	.text .rdata .data .pdata _RDATA .rsrc .reloc
Directories 4	import resource debug relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://shopping-nice.com/files/service.exe	shopping-nice.com	2024-10-15 17:42:02

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0xa1825	662016	9d1ebb6e8a869b88780bb648e869b5f67339142d	4e98e409eae4eb0b54d99163282fab3c
.rdata	0xa3000	0x11cff6	1167360	ae14407abf54803426e8a953e3878ca623acc900	a029c466e04f9ae68ad1f8362855a5ed
.data	0x1c0000	0xa1b4	6144	e445da8542b8cfce6d0eb394682e1f45022e8ee2	472ea7294c9509f4f8538576d6673d43
.pdata	0x1cb000	0xa92c	43520	6f512a5944a5a9a031225b231221a03b6df5d084	b1bed0c82f2a51c7c30405310a4e4b6d
_RDATA	0x1d6000	0x15c	512	22c7b3ff0a1f1293670810984f4bd79c41973926	82ad43e5429dcdf611a1b357c48fae4a
.rsrc	0x1d7000	0x540	1536	66ccfd29cb904ffdcc7bb351e31b660827a7d6b7	9d17cdc6a38a2c1d4cf625c2dfb0114e
.reloc	0x1d8000	0x105c	4608	9b31714b13c15ae70cd10b578d7ca8d0709f8a22	aa30b0feb118266406b55a25b5bea69b

PE Resources 2

Name	Language	Sublanguage	Offset	Size	Data
RT_VERSION	LANG_RUSSIAN	SUBLANG_RUSSIAN	0x1d70a0	796	PE Resource: RT_VERSION - Data 4VS_VERSION_INFO33?zStringFileInfoV044e04b0ZCompanyNameElectronic Services Limited.FFileDescriptionVM NET Service6FileVersion51.3.29.14@InternalNamehwg_service.exed LegalCopyrightCopyright 2009-2023 HWG inc.HOriginalFilenamehwg_service.exe<ProductNameVM NET Client:ProductVersion51.3.29.14DVarFileInfo$TranslationN
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x1d73c0	381	PE Resource: RT_MANIFEST - Data <?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_VERSION

LANG_RUSSIAN

SUBLANG_RUSSIAN

0x1d70a0

796

RT_MANIFEST

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x1d73c0

381

Meta infos 9

LegalCopyright:	Copyright \xa9 2009-2023 HWG inc.
InternalName:	hwg_service.exe
FileVersion:	51.3.29.14
CompanyName:	Electronic Services Limited.
ProductVersion:	51.3.29.14
FileDescription:	VM NET Service
Translation:	0x044e 0x04b0
OriginalFilename:	hwg_service.exe
ProductName:	VM NET Client

Anti debug functions 7

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
OutputDebugStringW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti debug functions 2

Virtual Box
Bochs & QEmu CPUID Trick

Strings analysis - File found

Library
mscoree.dll
KERNEL32.dll
WS2_32.dll
USER32.dll
gdiplus.dll
GDI32.dll

Strings analysis - Possible IPs found 1

51.3.29.14

Import functions

KERNEL32.dll 95 gdiplus.dll 8 WS2_32.dll 8 GDI32.dll 1 USER32.dll 1

Function	Address	Souspicious	Anti Debug
LoadLibraryA	0x1400a3010
GetProcAddress	0x1400a3018
FreeLibrary	0x1400a3020
GetLastError	0x1400a3028
WideCharToMultiByte	0x1400a3030
CreateFileW	0x1400a3038
SetStdHandle	0x1400a3040
MultiByteToWideChar	0x1400a3048
GetModuleHandleA	0x1400a3050
FreeEnvironmentStringsW	0x1400a3058
GetEnvironmentStringsW	0x1400a3060
GetCommandLineW	0x1400a3068
GetCommandLineA	0x1400a3070
GetOEMCP	0x1400a3078
GetACP	0x1400a3080
IsValidCodePage	0x1400a3088
FindNextFileW	0x1400a3090
FindFirstFileExW	0x1400a3098
FindClose	0x1400a30a0
ReadConsoleW	0x1400a30a8
ReadFile	0x1400a30b0
GetConsoleMode	0x1400a30b8
GetConsoleOutputCP	0x1400a30c0
FlushFileBuffers	0x1400a30c8
SetFilePointerEx	0x1400a30d0
GetFileSizeEx	0x1400a30d8
ReleaseSRWLockExclusive	0x1400a30e0
AcquireSRWLockExclusive	0x1400a30e8
TryAcquireSRWLockExclusive	0x1400a30f0
GetCurrentThreadId	0x1400a30f8
CloseHandle	0x1400a3100
GetStringTypeW	0x1400a3108
EnterCriticalSection	0x1400a3110
LeaveCriticalSection	0x1400a3118
InitializeCriticalSectionEx	0x1400a3120
DeleteCriticalSection	0x1400a3128
EncodePointer	0x1400a3130
DecodePointer	0x1400a3138
QueryPerformanceCounter	0x1400a3140
LCMapStringEx	0x1400a3148
FlsAlloc	0x1400a3150
FlsGetValue	0x1400a3158
FlsSetValue	0x1400a3160
FlsFree	0x1400a3168
GetSystemTimeAsFileTime	0x1400a3170
GetModuleHandleW	0x1400a3178
GetCPInfo	0x1400a3180
RtlCaptureContext	0x1400a3188
RtlLookupFunctionEntry	0x1400a3190
RtlVirtualUnwind	0x1400a3198
UnhandledExceptionFilter	0x1400a31a0
SetUnhandledExceptionFilter	0x1400a31a8
GetCurrentProcess	0x1400a31b0
TerminateProcess	0x1400a31b8
IsProcessorFeaturePresent	0x1400a31c0
IsDebuggerPresent	0x1400a31c8
GetStartupInfoW	0x1400a31d0
GetCurrentProcessId	0x1400a31d8
InitializeSListHead	0x1400a31e0
RtlUnwindEx	0x1400a31e8
RtlPcToFileHeader	0x1400a31f0
RaiseException	0x1400a31f8
SetLastError	0x1400a3200
InitializeCriticalSectionAndSpinCount	0x1400a3208
TlsAlloc	0x1400a3210
TlsGetValue	0x1400a3218
TlsSetValue	0x1400a3220
TlsFree	0x1400a3228
LoadLibraryExW	0x1400a3230
GetModuleFileNameW	0x1400a3238
GetModuleHandleExW	0x1400a3240
ExitProcess	0x1400a3248
CreateThread	0x1400a3250
ExitThread	0x1400a3258
FreeLibraryAndExitThread	0x1400a3260
HeapAlloc	0x1400a3268
HeapSize	0x1400a3270
HeapValidate	0x1400a3278
GetSystemInfo	0x1400a3280
GetStdHandle	0x1400a3288
WriteFile	0x1400a3290
GetFileType	0x1400a3298
OutputDebugStringW	0x1400a32a0
WriteConsoleW	0x1400a32a8
LCMapStringW	0x1400a32b0
GetLocaleInfoW	0x1400a32b8
IsValidLocale	0x1400a32c0
GetUserDefaultLCID	0x1400a32c8
EnumSystemLocalesW	0x1400a32d0
DeleteFileW	0x1400a32d8
HeapFree	0x1400a32e0
HeapReAlloc	0x1400a32e8
HeapQueryInformation	0x1400a32f0
GetProcessHeap	0x1400a32f8
RtlUnwind	0x1400a3300

Function	Address	Souspicious	Anti Debug
GdipAlloc	0x1400a3368
GdipCreateBitmapFromHBITMAP	0x1400a3370
GdipDisposeImage	0x1400a3378
GdipFree	0x1400a3380
GdipSaveImageToFile	0x1400a3388
GdipCloneImage	0x1400a3390
GdiplusStartup	0x1400a3398
GdiplusShutdown	0x1400a33a0

Function	Address	Souspicious	Anti Debug
send	0x1400a3320
socket	0x1400a3328
inet_addr	0x1400a3330
recv	0x1400a3338
htons	0x1400a3340
WSAStartup	0x1400a3348
closesocket	0x1400a3350
connect	0x1400a3358

Function	Address	Souspicious	Anti Debug
GetDIBits	0x1400a3000

Function	Address	Souspicious	Anti Debug
GetDC	0x1400a3310