mvp.dll

First submission 2024-10-15 18:16:10

File details

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	14229.5 KB (14571008 bytes)
Compile time:	2024-10-04 07:25:37
MD5:	f8e88dafb064ebf5fcb3803f15f5dddb
SHA1:	dd871b70df52b266d1697ceef2dd96b8335f1758
SHA256:	afac5142f89cd756fdc4decd24d1ba465bcb7d05000813b2ebce43ce29cb9175
Import Hash :	e6d55d8079f22bfdd242f3195a3f07e3
Sections 9	.text .rdata .data .pdata .61; .XmY .lIw .rsrc .reloc
Directories 4	import resource tls relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	23/77 VT report date: 2024-10-12 16:54:19
Malware Type 1	trojan
Threat Type 1	vmprotect

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://110.42.46.186:9900/mvp.dll	110.42.46.186	2024-10-15 18:16:10

PE Sections 6 suspicious

Name	VAddress	VSize	Size	SHA1	MD5	Suspicious
.text	0x1000	0x4240f	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.rdata	0x44000	0x160ee	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.data	0x5b000	0x4130	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.pdata	0x60000	0x29d0	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.61;	0x63000	0x85d767	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.XmY	0x8c1000	0x138	512	31040d589a809e645299626f7fe33c209581de45	7b09b0f422167fc7d85e69a1e4c23c7e
.lIw	0x8c2000	0xde4adc	14568448	6d8f717a6dcd38ec6ca75a1eccf46a9938ae777a	cb315e8428cdb34922494861ef2c4a72
.rsrc	0x16a7000	0xe9	512	3af5722c0e5ca84ad3c55dd244ba4f1f96f91a16	eb00c68e1ac2d6098380b2ae3c3e3838
.reloc	0x16a8000	0x104	512	ab883559c6d2261983b3d60359e7ce88f2d75209	0c200f1737e6e95998e2d27350898906

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x16a7058	145

Strings analysis - File found

Library
VCRUNTIME140_1.dll
api-ms-win-crt-string-l1-1-0.dll
Lapi-ms-win-crt-environment-l1-1-0.dll
ADVAPI32.dll
api-ms-win-crt-stdio-l1-1-0.dll
USER32.dll
api-ms-win-crt-convert-l1-1-0.dll
KERNEL32.dll
api-ms-win-crt-math-l1-1-0.dll
vcruntime140.dll
api-ms-win-crt-runtime-l1-1-0.dll
WS2_32.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-filesystem-l1-1-0.dll
msvcp140.dll
api-ms-win-crt-locale-l1-1-0.dll

Import functions

api-ms-win-crt-environment-l1-1-0.dll 1 api-ms-win-crt-filesystem-l1-1-0.dll 1 api-ms-win-crt-locale-l1-1-0.dll 1 MSVCP140.dll 1 api-ms-win-crt-convert-l1-1-0.dll 1 api-ms-win-crt-string-l1-1-0.dll 1 VCRUNTIME140_1.dll 1 api-ms-win-crt-runtime-l1-1-0.dll 1 KERNEL32.dll 1 api-ms-win-crt-math-l1-1-0.dll 1 VCRUNTIME140.dll 1 ADVAPI32.dll 1 api-ms-win-crt-stdio-l1-1-0.dll 1 WS2_32.dll 1 api-ms-win-crt-heap-l1-1-0.dll 1 USER32.dll 1

Function	Address	Souspicious	Anti Debug
getenv	0x1808c10e0

Function	Address	Souspicious	Anti Debug
_unlock_file	0x1808c10c0

Function	Address	Souspicious	Anti Debug
localeconv	0x1808c10d0

Function	Address	Souspicious	Anti Debug
?id@?$collate@D@std@@2V0locale@2@A	0x1808c1030

Function	Address	Souspicious	Anti Debug
strtoul	0x1808c10b0

Function	Address	Souspicious	Anti Debug
tolower	0x1808c10f0

Function	Address	Souspicious	Anti Debug
__CxxFrameHandler4	0x1808c1050

Function	Address	Souspicious	Anti Debug
_register_onexit_function	0x1808c1070

Function	Address	Souspicious	Anti Debug
Module32First	0x1808c1000

Function	Address	Souspicious	Anti Debug
_dclass	0x1808c10a0

Function	Address	Souspicious	Anti Debug
memchr	0x1808c1060

Function	Address	Souspicious	Anti Debug
CryptGenRandom	0x1808c1020

Function	Address	Souspicious	Anti Debug
_open_osfhandle	0x1808c1080

Function	Address	Souspicious	Anti Debug
closesocket	0x1808c1040

Function	Address	Souspicious	Anti Debug
free	0x1808c1090

Function	Address	Souspicious	Anti Debug
MessageBoxA	0x1808c1010