neofetch.exe

First submission 2024-10-14 17:46:03

File details

File type:	PE32+ executable (console) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	2646.1 KB (2709608 bytes)
Compile time:	2024-09-22 20:48:05
MD5:	d6b10fe0f03dc8bdf3cd5ec9e4e3d305
SHA1:	744f9e241070e7ab43f6cb834420d2ba763a405a
SHA256:	d0786c4c6c967ba28706f92402a6151fc509b010e1d2a18f19118548bbe40393
Import Hash :	52dee48e9c20d673929d8b1b29a57a87
Sections 19	.text .data .rdata .pdata .xdata .bss .idata .CRT .tls .rsrc .reloc /4 /19 /31 /45 /57 /70 /81 /97
Directories 4	import resource tls relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	51/77 VT report date: 2024-10-14 17:18:57
Malware Type 3	trojan downloader dropper
Threat Type 3	nekark xycxfp znxkz

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://130.61.181.50/ransomware/neofetch.exe	130.61.181.50	2024-10-14 17:46:03

PE Sections 3 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0xbb8b8	768512	26421f654ef65f36573c6d816f7547dfdbc6f47b	826e9c889d49b538d084a406a9f0298e
.data	0xbd000	0x2f40	12288	241daad8c296cdf275e12802af7b33ad187c7340	04dfdc5bf29abe685a786f6251249903
.rdata	0xc0000	0x10ea0	69632	28230f203e5836a5799aabdcbb3f797ef5aca3b3	90c0d6444be82ab4d614654671bc0995
.pdata	0xd1000	0xbf40	49152	8a49c51305fa3b0c1e05c8902882983f2cc57946	2f7b6070c92df0be8d6990d0d76234a2
.xdata	0xdd000	0x10cec	69120	d28269301cf2177ec4c2b13df7cc5df5ac7b703a	03aa60eee77135cc64a643d1382e207d
.bss	0xee000	0xd10	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.idata	0xef000	0x146c	5632	f06dccd409e92b6af6d3d9229211ae80aee82197	aacba69961f2fd3a31e1f813b23de13c
.CRT	0xf1000	0x68	512	951ad4deaa79ba911f52eda8c5f3d9f942633444	914377f4789c146c5c73ed48c7df0eec
.tls	0xf2000	0x10	512	5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5	bf619eac0cdf3f68d496ea9344137e8b
.rsrc	0xf3000	0x4e8	1536	de462dc7fcd276d2c14c7cb6abe93313e2522b68	1028f2a1bf91d049b71dd4b4b7d8ad7d
.reloc	0xf4000	0x1648	6144	a0d400cceb10ed163304fa92941ae06f4b0041c2	0d6a21af08a80adbcd6660e809f24b6a
/4	0xf6000	0x610	2048	4d43928a8a04d41cbdbcbe62639aaf69db6c37af	ccdb2020a8c444ddc1e3131cda3e09ad
/19	0xf7000	0x10904	68096	61918f97b52ff48e5a231a07624d6ce3e49a0112	1256ac538511796d4b59aed9ff989406
/31	0x108000	0xc32	3584	58334a794da58792e0253accf9b6b9e0f3913e27	58501516bbd4e4d0ca022d663b69bbf0
/45	0x109000	0x1c03	7680	ccde1981e642e49b7a76e7be11e91701c8ac684f	7f4019ad8350d8ddb882cd208fa65690
/57	0x10b000	0x19c8	6656	3f130631e7924154dfaec7e0015456af4e43f70a	9c2b69d90e0a7bea91953b238bbc120f
/70	0x10d000	0x4ab	1536	37df039666f048f28d38dae0f90cf3303090417b	219ae2cf9805256acd91cf77ad4b72cd
/81	0x10e000	0x63d	2048	8346243e83dae499f43cbdf6114839909eeeb8f1	41b0c301da188b0744221cca42faa6fe
/97	0x10f000	0x402	1536	066e94d60ad13b34c771f3803fabd251126b2acd	eab3a73416f75a197fe4d0fcf5f065ca

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_MANIFEST	LANG_NEUTRAL	SUBLANG_NEUTRAL	0xf3058	1167	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!--The ID below indicates application support for Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!--The ID below indicates application support for Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!--The ID below indicates application support for Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!--The ID below indicates application support for Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!--The ID below indicates application support for Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_MANIFEST

LANG_NEUTRAL

SUBLANG_NEUTRAL

0xf3058

1167

Anti debug functions 4

GetLastError
IsDebuggerPresent
OutputDebugStringA
RaiseException

Strings analysis - File found

Library
ADVAPI32.dll
MSVCRT.dll
KERNEL32.dll
USER32.dll

Strings analysis - Possible IPs found 1

130.61.181.50

Strings analysis - Possible URLs found 1

https://H

Import functions

ADVAPI32.dll 2 KERNEL32.dll 59 msvcrt.dll 80 USER32.dll 2

Function	Address	Souspicious	Anti Debug
GetTokenInformation	0x1400ef500
OpenProcessToken	0x1400ef508

Function	Address	Souspicious	Anti Debug
AddVectoredExceptionHandler	0x1400ef518
CloseHandle	0x1400ef520
CreateEventA	0x1400ef528
CreateSemaphoreA	0x1400ef530
DeleteCriticalSection	0x1400ef538
DuplicateHandle	0x1400ef540
EnterCriticalSection	0x1400ef548
FormatMessageA	0x1400ef550
GetComputerNameA	0x1400ef558
GetCurrentProcess	0x1400ef560
GetCurrentProcessId	0x1400ef568
GetCurrentThread	0x1400ef570
GetCurrentThreadId	0x1400ef578
GetHandleInformation	0x1400ef580
GetLastError	0x1400ef588
GetModuleHandleW	0x1400ef590
GetProcAddress	0x1400ef598
GetProcessAffinityMask	0x1400ef5a0
GetSystemTimeAsFileTime	0x1400ef5a8
GetThreadContext	0x1400ef5b0
GetThreadPriority	0x1400ef5b8
GetTickCount64	0x1400ef5c0
GlobalMemoryStatusEx	0x1400ef5c8
InitializeCriticalSection	0x1400ef5d0
IsDBCSLeadByteEx	0x1400ef5d8
IsDebuggerPresent	0x1400ef5e0
LeaveCriticalSection	0x1400ef5e8
LoadLibraryW	0x1400ef5f0
LocalFree	0x1400ef5f8
MultiByteToWideChar	0x1400ef600
OpenProcess	0x1400ef608
OutputDebugStringA	0x1400ef610
RaiseException	0x1400ef618
ReleaseSemaphore	0x1400ef620
RemoveVectoredExceptionHandler	0x1400ef628
ResetEvent	0x1400ef630
ResumeThread	0x1400ef638
RtlCaptureContext	0x1400ef640
RtlLookupFunctionEntry	0x1400ef648
RtlUnwindEx	0x1400ef650
RtlVirtualUnwind	0x1400ef658
SetEvent	0x1400ef660
SetLastError	0x1400ef668
SetProcessAffinityMask	0x1400ef670
SetThreadContext	0x1400ef678
SetThreadPriority	0x1400ef680
SetUnhandledExceptionFilter	0x1400ef688
Sleep	0x1400ef690
SuspendThread	0x1400ef698
TlsAlloc	0x1400ef6a0
TlsGetValue	0x1400ef6a8
TlsSetValue	0x1400ef6b0
TryEnterCriticalSection	0x1400ef6b8
VirtualProtect	0x1400ef6c0
VirtualQuery	0x1400ef6c8
WaitForMultipleObjects	0x1400ef6d0
WaitForSingleObject	0x1400ef6d8
WideCharToMultiByte	0x1400ef6e0
__C_specific_handler	0x1400ef6e8

Function	Address	Souspicious	Anti Debug
___lc_codepage_func	0x1400ef6f8
___mb_cur_max_func	0x1400ef700
__getmainargs	0x1400ef708
__initenv	0x1400ef710
__iob_func	0x1400ef718
__set_app_type	0x1400ef720
__setusermatherr	0x1400ef728
_amsg_exit	0x1400ef730
_beginthreadex	0x1400ef738
_cexit	0x1400ef740
_commode	0x1400ef748
_errno	0x1400ef750
_endthreadex	0x1400ef758
_filelengthi64	0x1400ef760
_fileno	0x1400ef768
_fmode	0x1400ef770
_fstat64	0x1400ef778
_initterm	0x1400ef780
_lseeki64	0x1400ef788
fread	0x1400ef790
free	0x1400ef798
fsetpos	0x1400ef7a0
memchr	0x1400ef7a8
memcmp	0x1400ef7b0
memcpy	0x1400ef7b8
memmove	0x1400ef7c0
memset	0x1400ef7c8
printf	0x1400ef7d0
_onexit	0x1400ef7d8
_ultoa	0x1400ef7e0
_setjmp	0x1400ef7e8
_wfopen	0x1400ef7f0
abort	0x1400ef7f8
calloc	0x1400ef800
exit	0x1400ef808
fclose	0x1400ef810
fflush	0x1400ef818
fgetpos	0x1400ef820
fopen	0x1400ef828
fprintf	0x1400ef830
fputc	0x1400ef838
fputs	0x1400ef840
fwrite	0x1400ef848
getc	0x1400ef850
getenv	0x1400ef858
getwc	0x1400ef860
iswctype	0x1400ef868
localeconv	0x1400ef870
longjmp	0x1400ef878
malloc	0x1400ef880
putc	0x1400ef888
putwc	0x1400ef890
realloc	0x1400ef898
setlocale	0x1400ef8a0
setvbuf	0x1400ef8a8
signal	0x1400ef8b0
strchr	0x1400ef8b8
strcmp	0x1400ef8c0
strcoll	0x1400ef8c8
strerror	0x1400ef8d0
strftime	0x1400ef8d8
strlen	0x1400ef8e0
strncmp	0x1400ef8e8
strtoul	0x1400ef8f0
strxfrm	0x1400ef8f8
system	0x1400ef900
towlower	0x1400ef908
towupper	0x1400ef910
ungetc	0x1400ef918
ungetwc	0x1400ef920
vfprintf	0x1400ef928
wcscoll	0x1400ef930
wcsftime	0x1400ef938
wcslen	0x1400ef940
wcsxfrm	0x1400ef948
_write	0x1400ef950
_strdup	0x1400ef958
_read	0x1400ef960
_fileno	0x1400ef968
_fdopen	0x1400ef970

Function	Address	Souspicious	Anti Debug
GetDesktopWindow	0x1400ef980
GetWindowRect	0x1400ef988