S0FTWARE.exe?ex=670cf846&is=670ba6c6&hm=ef0accaede7e828a27212ae4a123c9fb037408be859efe1d4c509beb514da77b&

First submission 2024-10-13 17:40:02

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 9346.5 KB (9570816 bytes)
Compile time: 1970-01-01 01:00:00
MD5: de40920ceb6061d4a5b62fd03a9438c5
SHA1: eb3d3f46aad57e868b9d4b2c07d24410bfd2ca85
SHA256: 959e47ec654acce16b8df4466da97f8479d65b9a69a2c3603c3cb6856ceaecc0
Import Hash : 4f2f006e2ecf7172ad368f8289dc96c1
Sections 7 .text .rdata .data .idata .reloc .symtab .rsrc
Directories 3 import resource relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 42/77 VT report date: 2024-10-13 17:03:27
Malware Type (2): trojan, dropper
Threat Type (3): dtftn, msil, vidar

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXps://cdn.discordapp.com/attachments/1268641353307521130/1294976423769018428/S0FTWARE.exe?ex=670cf846&is=670ba6c6&hm=ef0accaede7e828a27212ae4a123c9fb037408be859efe1d4c509beb514da77b& cdn.discordapp.com 2024-10-13 17:40:02

PE Sections 1 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x305f59 3170304 9b6dbefbbceaf144d9718343469ada24f6da3b0f 574bf4d19e1ffddf2383b2fbcad2618d
.rdata 0x307000 0x5b49e8 5982720 b3391d82fc29fbece12c38aba9ce863f6ad60c3e b2a89a573f6d1778f5f8b8e8943c2d00
.data 0x8bc000 0x68648 240640 d23557ca5fc77f4246956775e2aced8fbe1c76b4 15450240646b32c5c7872f6106e3efa2
.idata 0x925000 0x45e 1536 d43729749d74b95207890706f89998247db50967 52d83605414a0f24fbda57874f293638
.reloc 0x926000 0x2992a 170496 adddb0c7e6393c9f508add103cd0097735db7a3b d8a2e51e79e47b9e876284292d3a58f5
.symtab 0x950000 0x4 512 943ae54f4818e52409fbbaf60ffd71318d966b0d 07b5472d347d42780469fb2654b7fc54
.rsrc 0x951000 0xd89 3584 484b4e87c02e97ff62398d01c083a3f10024a693 6f1ed2c4b7cfc5a2aad5e32487ffee2f

PE Resources 2

Name Language Sublanguage Offset Size Data
RT_VERSION LANG_ENGLISH SUBLANG_ENGLISH_US 0x9510a0 1412
RT_MANIFEST LANG_ENGLISH SUBLANG_ENGLISH_US 0x951624 1893

Meta infos 9

LegalCopyright: (c) 2009-2024
OriginalFileName:
FileVersion: 7.5.2
CompanyName: NAPS2 Software
ProductVersion: 7.5.2
FileDescription: NAPS2 installer
Translation: 0x0000 0x04b0
Comments: This installation was built with Inno Setup.
ProductName: NAPS2

Strings analysis - File found

Log
github.com/saferwall/pe/log.(*Filter).Log
github.com/saferwall/pe/log.(*stdLogger).Log
math.Log
Library
WINMM.dll
KERNEL32.dll
ntdll.dll
bcryptprimitives.dll
WS2_32.dll
Powrprof.dll
*syscall.DLL
*windows.DLL
type:.eq.syscall.DLL
type:.eq.golang.org/x/sys/windows.DLL

Strings analysis - Possible IPs found 7


Strings analysis - Possible URLs found 2

http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://chunked19531259765625invaliduintptrSwapperChanDir

Import functions
