Nezur.exe

First submission: 2024-09-02 19:39:02    Last submission: 2024-09-02 19:40:02

File details

File type: PE32+ executable (console) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 2183.0 KB (2235392 bytes)
Compile time: 2024-02-26 01:38:43
MD5: d6f133dee71ed4c119a2d2aaf4cf3a69
SHA1: d31a9b77e1eb1308c6c686e7b1715999ad18019b
SHA256: 3c1ada57fbbe1a5fe4e56ab89545f9c38b888676ef303ffb2934d289937af83d
Import Hash : fcb66291bbc92600bc2c5e74df51cd00
Sections (6): .text, .rdata, .data, .pdata, .rsrc, .reloc
Directories (5): import, resource, debug, tls, relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 45/79 (VT report date: 2024-09-02 19:13:51)
Malware Type (2): trojan, pua
Threat Type (3): tedy, gamehack, filerepmalware

URLs, FQDN and IP indicators (1)

URL: hXXp://downloadsparrow.com/cl/Nezur.exe
Host (FQDN/IP): downloadsparrow.com
Date Added: 2024-09-02 19:39:02

PE Sections (0 suspicious)

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x17f2c3 1569792 84195d271684b0889e5f4c56ae219ed0b9566718 c55fe6591ee0601c761a1fb23f0a2aa0
.rdata 0x181000 0x92074 598528 dc4aa4b08a8f97ee56a078b1cbf2e3444b8464bb 8cde604d1a99109865a83a7b2622b661
.data 0x214000 0x6da0 7680 4f45e903207a2b80b17f1c2afdfb003d1788e785 d66c101a81a6ea57343f851d6b0d202a
.pdata 0x21b000 0x9e58 40960 7777ebb6f282cfcf2d1848867c1a914c7ddccac0 4b168a773c22f104ad1fe0854e203eb8
.rsrc 0x225000 0x3588 13824 5729ffcd2b69bf349f01ce2c1526b49ee9a1c5ef 4b7ca7c99d0700962c4278be02234d17
.reloc 0x229000 0xc50 3584 c5818ca8b6e784c9da8d9dbd844c5b957bb89551 e6d782474263987363b9232a30319c14

PE Resources (3)

Name Language Sublanguage Offset Size Data
RT_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0x227340 4264
RT_GROUP_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0x227328 20
RT_MANIFEST LANG_ENGLISH SUBLANG_ENGLISH_US 0x228400 392

Packers detected (1)

Microsoft Visual C++ 8.0 (DLL)

Anti debug functions (8)

FindWindowA
GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
Process32First
Process32Next
TerminateProcess
UnhandledExceptionFilter

Strings analysis - File found

Temporary
%s%s.tmp
Text
imgui_log.txt
Library
KERNEL32.dll
api-ms-win-crt-utility-l1-1-0.dll
ADVAPI32.dll
bcrypt.dll
secur32.dll
dwmapi.dll
api-ms-win-crt-filesystem-l1-1-0.dll
d3dcompiler_47.dll
WLDAP32.dll
SHELL32.dll
WS2_32.dll
ntdll.dll
api-ms-win-crt-string-l1-1-0.dll
normaliz.dll
xinput1_2.dll
d3d11.dll
api-ms-win-crt-time-l1-1-0.dll
VCRUNTIME140_1.dll
IMM32.dll
security.dll
dbghelp.dll
api-ms-win-crt-environment-l1-1-0.dll
Crypt32.dll
USER32.dll
xinput9_1_0.dll
xinput1_1.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-convert-l1-1-0.dll
msvcp140.dll
api-ms-win-crt-heap-l1-1-0.dll
xinput1_3.dll
api-ms-win-crt-stdio-l1-1-0.dll
IPHLPAPI.DLL
vcruntime140.dll
ixinput1_4.dll
hal.dll

Strings analysis - Possible IPs found (26)


Strings analysis - Possible URLs found (19)


Import functions