MeteorClient.exe?ex=670c18ce&is=670ac74e&hm=159167a5eea16dabf060334833693634e8467b7998a27ab3c01edbb72e6da9d4&

First submission 2024-10-13 20:40:02

File details

File type:	PE32+ executable (console) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	7094.29 KB (7264549 bytes)
Compile time:	2024-10-12 20:38:41
MD5:	d64bbed8177a1ed6a060108fe9eb70db
SHA1:	566eb6965ce40b7ae35ded7bb4318181ac761a80
SHA256:	0684a8c6ebb2b0f669ed39ea789118e3ebcf0ec5bdc4fe34e91c73784764e0a2
Import Hash :	023abd09c65289e3a2df4aa2b19cccec
Sections 7	.text .rdata .data .pdata _RDATA .rsrc .reloc
Directories 4	import resource debug relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	5/77 VT report date: 2024-10-13 19:21:22

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXps://cdn.discordapp.com/attachments/952258819671588864/1294736473169592421/MeteorClient.exe?ex=670c18ce&is=670ac74e&hm=159167a5eea16dabf060334833693634e8467b7998a27ab3c01edbb72e6da9d4&	cdn.discordapp.com	2024-10-13 20:40:02

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x2b150	176640	5030762a2c7b9e8244cb98e3a841dad9af12bddb	1ffe948fda8287176b84b7a3b237172e
.rdata	0x2d000	0x12c26	77312	caa52a98dd8acdd5526515e7585278379526bfa2	c0baf03f8bc4ba3199d31a09668597dd
.data	0x40000	0x33b8	3584	5aa4b317e22e3d51d25a43c83314955564eb4a3e	0714d4ddb9a1211592095e1351376cf2
.pdata	0x44000	0x2364	9216	ef8176853647112b5daddfe42ae3c299647ef41a	83c41aa29e95d587861d91bdbdbcb3d6
_RDATA	0x47000	0x1f4	512	4440dcc4642667be6a67c5c84f8b4680eacfb597	7c7efebb897cc4ea38b70ce8f0efef3f
.rsrc	0x48000	0xef8c	61440	14785e0e1a23bdcc620ec3118e5703c4870318fd	3579cae944fcd6d7d429e7acd4be96ae
.reloc	0x57000	0x75c	2048	6e5b545c20fad2811376b7e15a105eb231094d98	6492d58c46d0b94c9dcff3d29f4e25f2

PE Resources 3

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x565ac	1128	PE Resource: RT_ICON - Data ( X8 a@ZJ6fffXXXCCC///\|bA$ Se i'j{Zp;n9Z&?Zi'l-wZNNq;^ l-o3}NNNo8b&o3s8MNLl4ze+f2o:vH}XfsNLKf-ae2i8d'42\|)%:+L8!^F)pT1a9o@}FI["Hh5E5OULvlllm8\|I/zJ5-D\]W2pppYYYq7f3X#N.HS]Z9999u4f3a,h/HR]\U71)))w1g3/HR]\Z8?1 s+k7/HTPQJ;\u1" q&n:/G]X' D/m T ,"@WQ)W;h~\'635e2 X+#;<+U!n gAT-AAAAAAAAAAAAAAAA
RT_GROUP_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x56a14	104
RT_MANIFEST	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x56a7c	1293	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language=""/> </dependentAssembly> </dependency> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x565ac

1128

RT_GROUP_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x56a14

104

RT_MANIFEST

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x56a7c

1293

Packers detected 2

Microsoft Visual C++ 8.0 (DLL)
Microsoft Visual C++ 8.0

Anti debug functions 7

GetLastError
GetWindowThreadProcessId
IsDebuggerPresent
IsProcessorFeaturePresent
RaiseException
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Compressed
base_library.zip
bbase_library.zip
Library
mscoree.dll
ADVAPI32.dll
KERNEL32.dll
8python312.dll
ucrtbase.dll
bVCRUNTIME140.dll
bpython312.dll
USER32.dll
blibcrypto-3.dll

Strings analysis - Possible IPs found 1

7.4.6.5

Strings analysis - Possible URLs found 1

http://schemas.microsoft.com/SMI/2016/WindowsSettings

Import functions

ADVAPI32.dll 4 KERNEL32.dll 103 USER32.dll 2

Function	Address	Souspicious	Anti Debug
ConvertSidToStringSidW	0x14002d000
GetTokenInformation	0x14002d008
OpenProcessToken	0x14002d010
ConvertStringSecurityDescriptorToSecurityDescriptorW	0x14002d018

Function	Address	Souspicious	Anti Debug
CreateFileW	0x14002d028
GetFinalPathNameByHandleW	0x14002d030
CloseHandle	0x14002d038
GetModuleFileNameW	0x14002d040
CreateSymbolicLinkW	0x14002d048
GetProcAddress	0x14002d050
GetCommandLineW	0x14002d058
GetEnvironmentVariableW	0x14002d060
SetEnvironmentVariableW	0x14002d068
ExpandEnvironmentStringsW	0x14002d070
CreateDirectoryW	0x14002d078
GetTempPathW	0x14002d080
WaitForSingleObject	0x14002d088
Sleep	0x14002d090
SetDllDirectoryW	0x14002d098
CreateProcessW	0x14002d0a0
GetStartupInfoW	0x14002d0a8
FreeLibrary	0x14002d0b0
LoadLibraryExW	0x14002d0b8
SetConsoleCtrlHandler	0x14002d0c0
FindClose	0x14002d0c8
FindFirstFileExW	0x14002d0d0
GetCurrentProcess	0x14002d0d8
GetCurrentProcessId	0x14002d0e0
LocalFree	0x14002d0e8
FormatMessageW	0x14002d0f0
MultiByteToWideChar	0x14002d0f8
WideCharToMultiByte	0x14002d100
GetConsoleWindow	0x14002d108
HeapSize	0x14002d110
GetLastError	0x14002d118
WriteConsoleW	0x14002d120
SetEndOfFile	0x14002d128
GetExitCodeProcess	0x14002d130
TlsGetValue	0x14002d138
RtlCaptureContext	0x14002d140
RtlLookupFunctionEntry	0x14002d148
RtlVirtualUnwind	0x14002d150
UnhandledExceptionFilter	0x14002d158
SetUnhandledExceptionFilter	0x14002d160
TerminateProcess	0x14002d168
IsProcessorFeaturePresent	0x14002d170
QueryPerformanceCounter	0x14002d178
GetCurrentThreadId	0x14002d180
GetSystemTimeAsFileTime	0x14002d188
InitializeSListHead	0x14002d190
IsDebuggerPresent	0x14002d198
GetModuleHandleW	0x14002d1a0
RtlUnwindEx	0x14002d1a8
SetLastError	0x14002d1b0
EnterCriticalSection	0x14002d1b8
LeaveCriticalSection	0x14002d1c0
DeleteCriticalSection	0x14002d1c8
InitializeCriticalSectionAndSpinCount	0x14002d1d0
TlsAlloc	0x14002d1d8
TlsSetValue	0x14002d1e0
TlsFree	0x14002d1e8
EncodePointer	0x14002d1f0
RaiseException	0x14002d1f8
RtlPcToFileHeader	0x14002d200
GetCommandLineA	0x14002d208
GetDriveTypeW	0x14002d210
GetFileInformationByHandle	0x14002d218
GetFileType	0x14002d220
PeekNamedPipe	0x14002d228
SystemTimeToTzSpecificLocalTime	0x14002d230
FileTimeToSystemTime	0x14002d238
GetFullPathNameW	0x14002d240
RemoveDirectoryW	0x14002d248
FindNextFileW	0x14002d250
SetStdHandle	0x14002d258
DeleteFileW	0x14002d260
ReadFile	0x14002d268
GetStdHandle	0x14002d270
WriteFile	0x14002d278
ExitProcess	0x14002d280
GetModuleHandleExW	0x14002d288
HeapFree	0x14002d290
GetConsoleMode	0x14002d298
ReadConsoleW	0x14002d2a0
SetFilePointerEx	0x14002d2a8
GetConsoleOutputCP	0x14002d2b0
GetFileSizeEx	0x14002d2b8
HeapAlloc	0x14002d2c0
FlsAlloc	0x14002d2c8
FlsGetValue	0x14002d2d0
FlsSetValue	0x14002d2d8
FlsFree	0x14002d2e0
CompareStringW	0x14002d2e8
LCMapStringW	0x14002d2f0
GetCurrentDirectoryW	0x14002d2f8
FlushFileBuffers	0x14002d300
HeapReAlloc	0x14002d308
GetFileAttributesExW	0x14002d310
GetStringTypeW	0x14002d318
IsValidCodePage	0x14002d320
GetACP	0x14002d328
GetOEMCP	0x14002d330
GetCPInfo	0x14002d338
GetEnvironmentStringsW	0x14002d340
FreeEnvironmentStringsW	0x14002d348
GetProcessHeap	0x14002d350
GetTimeZoneInformation	0x14002d358

Function	Address	Souspicious	Anti Debug
GetWindowThreadProcessId	0x14002d368
ShowWindow	0x14002d370