45.exe

First submission 2023-01-22 12:04:10

File details

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
File type:	2605.21 KB (2667736 bytes)
Compile time:	1970-01-01 01:00:00
MD5:	d4c1aa3204a0a20362be094af647d35c
SHA1:	f4078cff90e96e64477c3a5ecf9f7b4c5f41a888
SHA256:	6b17273197480205ca53e9cca4298dc16346b65ac29d5ca883690ab1ff1b4183
Import Hash :	0e504ec9659601103bf3eb149ebb6cf2
Sections 9	.text .data .rdata .bss .idata .CRT .tls .rsrc .reloc
Directories 5	security relocation tls resource import
Virus Total:	43/71 VT report date: 2023-01-21 04:23:17

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://h166794.srv12.test-hf.su/45.exe	h166794.srv12.test-hf.su	2023-01-22 12:04:15

PE Sections 2 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x25ec5c	2485760	be2d7d9c23ddff6fb8a4918ab289043f13cb4ab4	73f77c10c2e58959da9469f394cd97a0
.data	0x260000	0x37ec	14336	02999fec701c4f1461a2cd5e268c0f980607a9a7	66e7cc7b5dc0fa720d0bdf92dacada5d
.rdata	0x264000	0x19e08	106496	b10d79c03cfc413b7b6c360d2623ea546d3e20f8	ba491f8cf2ec31ce754202224049343a
.bss	0x27e000	0x10f8	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.idata	0x280000	0x18b4	6656	2972e85388e359caa6e4d715b84fb0292548030d	22f74d4197220333b08456ba6906f02b
.CRT	0x282000	0x38	512	ae6dbf182ea9532a7110880bf0771bbb8eda646b	d5a29bc7eada47b988385b6374808243
.tls	0x283000	0x8	512	5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5	bf619eac0cdf3f68d496ea9344137e8b
.rsrc	0x284000	0x4e8	1536	b671fbe837607621efe976c0818374dd789108c7	9c48bce3c3c0341f0d3de6f2df96dca0
.reloc	0x285000	0xaef4	45056	0df22b68ceb3112cf006745e1e3c7c1db1a82071	03d3821b468c7b567549b4c3e8964c5d

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_MANIFEST	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x284058	1167	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!--The ID below indicates application support for Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!--The ID below indicates application support for Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!--The ID below indicates application support for Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!--The ID below indicates application support for Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!--The ID below indicates application support for Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_MANIFEST

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x284058

1167

Anti debug functions 5

GetLastError
IsDebuggerPresent
OutputDebugStringA
OutputDebugStringW
RaiseException

Anti debug functions 1

VMCheck.dll

File signature

MD5	SHA1	Block size	Virtual Address
a50335659ae3bf9a172aecabc0a64f0a	4b216584e61478b592335da3e381cbd30d81dc7d	5848	2661888

Strings analysis - File found

Library
bcrypt.dll
Crypt32.dll
KERNEL32.dll
WINHTTP.dll
MSVCRT.dll
ADVAPI32.dll

Strings analysis - Possible URLs found 9

https://gcc.gnu.org/bugs/):
http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%
http://ocsp.usertrust.com0
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v
https://studio.youtube.com
https://sectigo.com/CPS0
http://ocsp.sectigo.com0

Import functions

msvcrt.dll 94 KERNEL32.dll 112 bcrypt.dll 4 CRYPT32.dll 1 WINHTTP.dll 11

Function	Address	Souspicious	Anti Debug
__getmainargs	0x6805e4
__initenv	0x6805e8
__lconv_init	0x6805ec
__mb_cur_max	0x6805f0
__p__acmdln	0x6805f4
__p__commode	0x6805f8
__p__fmode	0x6805fc
__set_app_type	0x680600
__setusermatherr	0x680604
_amsg_exit	0x680608
_assert	0x68060c
_beginthreadex	0x680610
_cexit	0x680614
_close	0x680618
_endthreadex	0x68061c
_errno	0x680620
_fdopen	0x680624
_filelengthi64	0x680628
_fileno	0x68062c
_fileno	0x680630
_fstat64	0x680634
_initterm	0x680638
_iob	0x68063c
_lseeki64	0x680640
_mbsicmp	0x680644
_onexit	0x680648
_read	0x68064c
_memccpy	0x680650
_setjmp3	0x680654
_strdup	0x680658
_strnicmp	0x68065c
_ultoa	0x680660
_wfopen	0x680664
_wgetenv_s	0x680668
_write	0x68066c
abort	0x680670
atoi	0x680674
calloc	0x680678
exit	0x68067c
fclose	0x680680
fflush	0x680684
fgetpos	0x680688
fopen	0x68068c
fprintf	0x680690
fputc	0x680694
fputs	0x680698
fputwc	0x68069c
fread	0x6806a0
free	0x6806a4
fsetpos	0x6806a8
fwrite	0x6806ac
fwprintf	0x6806b0
getc	0x6806b4
getwc	0x6806b8
isalnum	0x6806bc
isspace	0x6806c0
iswctype	0x6806c4
localtime	0x6806c8
localeconv	0x6806cc
longjmp	0x6806d0
malloc	0x6806d4
memchr	0x6806d8
memcmp	0x6806dc
memcpy	0x6806e0
memmove	0x6806e4
memset	0x6806e8
printf	0x6806ec
putc	0x6806f0
putwc	0x6806f4
realloc	0x6806f8
setlocale	0x6806fc
setvbuf	0x680700
signal	0x680704
strchr	0x680708
strcmp	0x68070c
strcoll	0x680710
strcspn	0x680714
strerror	0x680718
strftime	0x68071c
strlen	0x680720
strncmp	0x680724
strrchr	0x680728
strxfrm	0x68072c
system	0x680730
towlower	0x680734
towupper	0x680738
ungetc	0x68073c
ungetwc	0x680740
vfprintf	0x680744
wcscoll	0x680748
wcsftime	0x68074c
wcslen	0x680750
wcstombs	0x680754
wcsxfrm	0x680758

Function	Address	Souspicious	Anti Debug
AddAtomA	0x680420
AddVectoredExceptionHandler	0x680424
AreFileApisANSI	0x680428
CloseHandle	0x68042c
CreateEventA	0x680430
CreateFileA	0x680434
CreateFileMappingA	0x680438
CreateFileMappingW	0x68043c
CreateFileW	0x680440
CreateMutexA	0x680444
CreateMutexW	0x680448
CreateProcessA	0x68044c
CreateSemaphoreA	0x680450
DeleteAtom	0x680454
DeleteCriticalSection	0x680458
DeleteFileA	0x68045c
DeleteFileW	0x680460
DuplicateHandle	0x680464
EnterCriticalSection	0x680468
FindAtomA	0x68046c
FlushFileBuffers	0x680470
FlushViewOfFile	0x680474
FormatMessageA	0x680478
FormatMessageW	0x68047c
FreeLibrary	0x680480
GetAtomNameA	0x680484
GetCurrentProcess	0x680488
GetCurrentProcessId	0x68048c
GetCurrentThread	0x680490
GetCurrentThreadId	0x680494
GetDiskFreeSpaceA	0x680498
GetDiskFreeSpaceW	0x68049c
GetFileAttributesA	0x6804a0
GetFileAttributesExW	0x6804a4
GetFileAttributesW	0x6804a8
GetFileSize	0x6804ac
GetFullPathNameA	0x6804b0
GetFullPathNameW	0x6804b4
GetHandleInformation	0x6804b8
GetLastError	0x6804bc
GetModuleHandleW	0x6804c0
GetProcAddress	0x6804c4
GetProcessAffinityMask	0x6804c8
GetProcessHeap	0x6804cc
GetStartupInfoA	0x6804d0
GetSystemInfo	0x6804d4
GetSystemTime	0x6804d8
GetSystemTimeAsFileTime	0x6804dc
GetTempPathA	0x6804e0
GetTempPathW	0x6804e4
GetThreadContext	0x6804e8
GetThreadPriority	0x6804ec
GetTickCount	0x6804f0
GetVersionExA	0x6804f4
GetVersionExW	0x6804f8
HeapAlloc	0x6804fc
HeapCompact	0x680500
HeapCreate	0x680504
HeapDestroy	0x680508
HeapFree	0x68050c
HeapReAlloc	0x680510
HeapSize	0x680514
HeapValidate	0x680518
InitializeCriticalSection	0x68051c
IsDBCSLeadByteEx	0x680520
IsDebuggerPresent	0x680524
LeaveCriticalSection	0x680528
LoadLibraryA	0x68052c
LoadLibraryW	0x680530
LocalFree	0x680534
LockFile	0x680538
LockFileEx	0x68053c
MapViewOfFile	0x680540
MultiByteToWideChar	0x680544
OpenProcess	0x680548
OutputDebugStringA	0x68054c
OutputDebugStringW	0x680550
QueryPerformanceCounter	0x680554
QueryPerformanceFrequency	0x680558
RaiseException	0x68055c
ReadFile	0x680560
ReleaseMutex	0x680564
ReleaseSemaphore	0x680568
RemoveVectoredExceptionHandler	0x68056c
ResetEvent	0x680570
ResumeThread	0x680574
SetEndOfFile	0x680578
SetEvent	0x68057c
SetFilePointer	0x680580
SetLastError	0x680584
SetProcessAffinityMask	0x680588
SetThreadContext	0x68058c
SetThreadPriority	0x680590
SetUnhandledExceptionFilter	0x680594
Sleep	0x680598
SuspendThread	0x68059c
SystemTimeToFileTime	0x6805a0
TlsAlloc	0x6805a4
TlsGetValue	0x6805a8
TlsSetValue	0x6805ac
TryEnterCriticalSection	0x6805b0
UnlockFile	0x6805b4
UnlockFileEx	0x6805b8
UnmapViewOfFile	0x6805bc
VirtualProtect	0x6805c0
VirtualQuery	0x6805c4
WaitForMultipleObjects	0x6805c8
WaitForSingleObject	0x6805cc
WaitForSingleObjectEx	0x6805d0
WideCharToMultiByte	0x6805d4
WriteFile	0x6805d8
lstrcatW	0x6805dc

Function	Address	Souspicious	Anti Debug
BCryptDecrypt	0x680404
BCryptGenerateSymmetricKey	0x680408
BCryptOpenAlgorithmProvider	0x68040c
BCryptSetProperty	0x680410

Function	Address	Souspicious	Anti Debug
CryptUnprotectData	0x680418

Function	Address	Souspicious	Anti Debug
WinHttpAddRequestHeaders	0x680760
WinHttpCloseHandle	0x680764
WinHttpConnect	0x680768
WinHttpOpen	0x68076c
WinHttpOpenRequest	0x680770
WinHttpQueryDataAvailable	0x680774
WinHttpQueryHeaders	0x680778
WinHttpReadData	0x68077c
WinHttpReceiveResponse	0x680780
WinHttpSendRequest	0x680784
WinHttpSetOption	0x680788

Name	Latest seen	MD5
777.exe	2023-01-22 08:48:09	590fc96081d6f6f939b5959880610d00
47.exe	2023-01-22 20:50:11	d253e2c40881972952a5acd8a42de333