script.exe

First submission 2024-09-01 15:21:04

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Mime type: application/x-dosexec
File size: 1657.18 KB (1696950 bytes)
Compile time: 2024-03-30 17:55:19
MD5: dc37d19933e5689c25bc6cce8c15d58c
SHA1: 5465ed40e9ce77663bcb5213cf7deb6bded25804
SHA256: fabfaa8fe68a80b286ea7291977e73a830320db89c9acdbfc3373884246f6373
Import Hash : 9dda1a1d1f8a1d13ae0297b47046b26e
Sections (5): .text, .rdata, .data, .ndata, .rsrc
Directories (2): import, resource

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

VirusTotal: 47/78 (VT report date: 2024-08-27 03:48:29)
Malware Type (3): trojan, hacktool, pua
Threat Type (3): meshagent, casdet, nsis

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXps://crossback.cl/online/script.exe crossback.cl 2024-09-01 15:21:04

PE Sections 1 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x66d7 26624 1c105a39879381cee3c1dae45653a966b9d61268 4e97e586f167bf2d2eddcdba22e25c0e
.rdata 0x8000 0x1358 5120 8677bad7d268e6798da158299b8cde5996219d6a bd82d08a08da8783923a22b467699302
.data 0xa000 0x1fb78 1536 64636f7804874ab0231d3bca77ed62cd293c8879 e411b225ac3cd03a5dad8143ae82958d
.ndata 0x2a000 0x1c000 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x46000 0x5810 23040 43c857e76d0935aefa7d2fb3a23d801d2c03cce7 18cdb6cc5cc272f41fe946ef6f377bc0

PE Resources 4

Name Language Sublanguage Offset Size Data
RT_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0x4ae60 296
RT_DIALOG LANG_ENGLISH SUBLANG_ENGLISH_US 0x4b288 238
RT_GROUP_ICON LANG_ENGLISH SUBLANG_ENGLISH_US 0x4b378 104
RT_MANIFEST LANG_ENGLISH SUBLANG_ENGLISH_US 0x4b3e0 1070

Anti debug functions 2

FindWindowExW
GetLastError

Strings analysis - File found

Temporary
~nsu%X.tmp
Library
%s%s.dll
ADVAPI32.dll
SHELL32.dll
USER32.dll
KERNEL32.dll
COMCTL32.dll
ole32.dll
GDI32.dll

Strings analysis - Possible URLs found 1

http://nsis.sf.net/NSIS_Error

Import functions

Name Latest seen MD5
vpn-1002.exe 2024-06-24 17:07:01 ccb630a81a660920182d1c74b8db7519
Setup.exe 2024-05-27 22:01:09 ae47c12b9320e702a9ce243193494554
loader-1002.exe 2024-06-05 20:44:02 0fec29af2349912ecd5b9a35e682bcec
djpdpoolinstaller.exe 2024-08-26 15:22:31 1ed40858faf2366621a60205eb0bbfed