Mirdll2.rar

First submission 2024-10-15 19:36:04

File details

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 628.0 KB (643072 bytes)
Compile time: 2024-01-22 02:49:43
MD5: e4143f505907a6d865085a2a4784041c
SHA1: 0c15733cd68594109cb3eddde8ca9b943a33022f
SHA256: afd5d8edce971a6c13b6d112c0b0e519cb33d8f69e6c2afd9c0449efae930931
Import Hash : dfd4650d0daa53c84ab675810da696fb
Sections 6 .text .data .t345340 .tls .t345341 .rsrc
Directories 4 import export resource tls

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 47/76 VT report date: 2024-05-14 04:40:44
Malware Type 2 trojan pua
Threat Type 3 fragtor malgent vmprotect

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://dow.andylab.cn/Mirdll2.rar dow.andylab.cn 2024-10-15 19:36:04

PE Sections 4 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x44e60 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.data 0x46000 0x4e94 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.t345340 0x4b000 0x80a70 0 da39a3ee5e6b4b0d3255bfef95601890afd80709 d41d8cd98f00b204e9800998ecf8427e
.tls 0xcc000 0x18 4096 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d 620f0b67a91f7f74151bc5be745b7110
.t345341 0xcd000 0x993e8 630784 1ff82102d6feaa6c1131ff3af98a89ce8236bc61 5118dfcd55f69855b2144b5fdc0b6027
.rsrc 0x167000 0x65c 4096 53d3e30c56235e016e40eb72a34c97392c2e33f7 ba3fa5cabcb66bd82b3881c00effbb9b

PE Resources 3

Name Language Sublanguage Offset Size Data
RT_ICON LANG_NEUTRAL SUBLANG_NEUTRAL 0x1670e8 872
RT_GROUP_ICON LANG_NEUTRAL SUBLANG_NEUTRAL 0x167450 20
RT_VERSION LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0x167464 504

Meta infos 6

InternalName: Mirdll2
ProductVersion: 2024.01.0022
Translation: 0x0804 0x04b0
ProductName: wind内核
OriginalFilename: Mirdll2.exe
FileVersion: 2024.01.0022

Strings analysis - File found

Executable
1}.so
Library
)KERNEL32.dll
USER32.dll
|USER32.dll
MSVBVM60.DLL

Import functions