nb.exe

First submission 2024-10-12 00:22:03

File details

File type: PE32 executable (console) Intel 80386, for MS Windows
Mime type: application/x-dosexec
File size: 36.0 KB (36864 bytes)
Compile time: 2008-04-09 01:27:27
MD5: f01a9a2d1e31332ed36c1a4d2839f412
SHA1: 90da10004c8f6fafdaa2cf18922670a745564f45
SHA256: c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e
Import Hash: 2fa43c5392ec7923ababced078c2f98d
Sections: 3 (.text, .rdata, .data)
Directories: 1 (import)

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

Virus Total: 41/76
VT report date: 2024-10-11 22:23:58
Malware Type: 3 (hacktool, trojan, pua)
Threat Type: 3 (nbtscan, nettool, filereppup)

URLs, FQDN and IP indicators 1

URL Host (FQDN/IP) Date Added
hXXp://34.142.201.103:8443/nb.exe 34.142.201.103 2024-10-12 00:22:03

PE Sections 1 suspicious

Name VAddress VSize Size SHA1 MD5 Suspicious
.text 0x1000 0x4400 20480 33c77681566ec827b08dbc182e9e273bfc205c5e b99af79097690cf2611475ea85b9fa60
.rdata 0x6000 0x17ba 8192 5b778e16f2c75d504d8e1e769ed3a2d820993803 d970a1b87a05ec4449e60546b6f31a63
.data 0x8000 0x4c0 4096 08690af4cc4c4ade7664074ae6e515961bda65d0 4c5c817648df69cccf2e3f2d1375363c

Packers detected 3

Microsoft Visual C++ v6.0
Microsoft Visual C++ 5.0
Microsoft Visual C++

Anti debug functions 1

GetLastError

Strings analysis - File found

Library
MSVCRT.dll
KERNEL32.dll
WSOCK32.dll

Strings analysis - Possible IPs found 1

192.168.12.64

Strings analysis - Possible URLs found 1

http://www.unixwiz.net/tools/

Import functions