update.exe

First submission: 2024-07-07 11:30:03    Last submission: 2024-07-09 07:06:03

File details

File type: PE32+ executable (GUI) x86-64, for MS Windows
Mime type: application/x-dosexec
File size: 826.0 KB (845824 bytes)
Compile time: 2024-07-06 21:13:57
MD5: f8ae25eb2bef827759f8cd837ad85bda
SHA1: 5cd4441eb81e030bffd682c5bdbe14142b7b575f
SHA256: 11cd1472cd1cc75245a148d4e9560bf7f7917443b36dec3f92ed79b8e743b399
Import Hash : 9a5829c39073c30fe14404256cbdd15c
Sections 5: .text, .rdata, .data, .pdata, .reloc
Directories 2: import, relocation

File features detected

Is DLL
Packers
Anti Debug
Anti VM
Signed
XOR

OSINT Enrichments

VirusTotal: 39/78 (VT report date: 2024-07-07 11:07:34)
Malware Type 2: trojan, banker
Threat Type 3: razy, clipbanker, abza

URLs, FQDN and IP indicators 1

URL                              Host (FQDN/IP)   Date Added
hXXps://igenius.org/update.exe   igenius.org      2024-07-09 07:06:05

PE Sections 0 suspicious

Name    VAddress  VSize    Size    SHA1                                      MD5                               Suspicious
.text   0x1000    0x8008c  524800  f7abfeaf30e1a17b6cf14ed9b8fbb365c8c1cc0c  6aacaea9a04d17b261a621d4d01b92bd  No
.rdata  0x82000   0x390fe  233984  3cfd9c1550414c5b288bd0813b22f2ea678dc78e  0d80bd3e9f67e0eef17997699f3897e7  No
.data   0xbc000   0xa188   23040   8c9815c7609d38217752c62cb89496943d46b26a  d41c25f275b2b9204bea0b9fae06bf3b  No
.pdata  0xc7000   0x6654   26624   d50b6ecc5d9f0c8e202384eb30b4573af5810abd  5b853d245ee7fd225b280d53f9889005  No
.reloc  0xce000   0x8ce6   36352   9dc85192decb808131b4c5fe6ac40ab30b196019  b08dba424d3590f80f6d42d84f7295a3  No

Packers detected 1

Microsoft Visual C++ 8.0 (DLL)

Anti debug functions 9

GetLastError
IsDebuggerPresent
IsProcessorFeaturePresent
OutputDebugStringW
Process32FirstW
Process32NextW
RaiseException
TerminateProcess
UnhandledExceptionFilter

Anti VM techniques 2

VMCheck.dll
Bochs & QEmu CPUID Trick

Strings analysis - File found

Binary:
  $Recycle.Bin
Log:
  _logins.log
  _CC.log
  _Autofill.log
  _History.log
  _cookies.log
Compressed:
  fuck.zip
Database:
  key4.db
Text:
  tasklist /v > Open_windows.txt
  for /d %i in (C:\Users\*) do if not "%i"=="C:\Users\Public" tree /F /A "%i" >> DirectoriesAndFiles.txt
  ipconfig /all > Network.txt
  systeminfo > Info.txt
  driverquery > Drivers.txt
  tasklist > Running_processes.txt
  wmic product get name,version > Installed_apps.txt
  Network.txt
  Installed_apps.txt
  RDP.txt
  Runing_process.txt
  Open_Window.txt
  System_info.txt
  Drivers.txt
Library:
  ntdll.dll
  mscoree.dll
  USER32.dll
  http://45.140.146.248/App.dll
  KERNEL32.dll
  ADVAPI32.dll
  SHLWAPI.dll
  SHELL32.dll
  gdiplus.dll
  WININET.dll
  Crypt32.dll
  MSVCRT.dll
  urlmon.dll
  GDI32.dll
  bcrypt.dll
Web Page:
  st/api.php

Strings analysis - Possible IPs found 1

45.140.146.248

Strings analysis - Possible URLs found 2

http://45.140.146.248/App.dll
http://www.winimage.com/zLibDll

Import functions