GtpToolsDownLoadHandler.ashx?filename=GTP_6_BrowserPlugin_Setup.exe

First submission 2024-10-15 21:23:10

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	11918.33 KB (12204368 bytes)
Compile time:	2013-01-30 15:21:56
MD5:	f9e87cddd88808956105c810842b54e6
SHA1:	dded273a2fb3bc855aac1264fca4494e9b4c02cf
SHA256:	2726cb18d4fa06a0cbd68cd42ba60e3e888d5ebdc3eedbf3038a579738f04ad2
Import Hash :	48aa5c8931746a9655524f67b25a47ef
Sections 8	.text .itext .data .bss .idata .tls .rdata .rsrc
Directories 4	import resource tls security

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	2/77 VT report date: 2024-10-15 18:15:27

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://hnjgdl.geps.glodon.com:8888/Services/Identification/Server/GtpToolsDownLoadHandler.ashx?filename=GTP_6_BrowserPlugin_Setup.exe	hnjgdl.geps.glodon.com	2024-10-15 21:23:10

PE Sections 3 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0xf12c	61952	e446317d7cb464e9ab9c259129ffb390c0e85bbc	3a126e478661f20816f9d9285615f98e
.itext	0x11000	0xb44	3072	3ee09b4d597b2047cd658a1acfa454edb77e09c7	ba48b9b17b3dd8b92da3bd93f20ddb34
.data	0x12000	0xc88	3584	04e9419b80ec90dff0906e2b7ef0749593fd8648	d7fd5f4b562d7961758f3d6a8c834fd0
.bss	0x13000	0x56b4	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.idata	0x19000	0xdd0	3584	391bdc96affa3aca04b3ed0fdce8edbd5a888a76	93d91a2b90e60bd758fc0c4908856ae1
.tls	0x1a000	0x8	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.rdata	0x1b000	0x18	512	45d8f890e32cc1adf7ded113fd19004c8869f419	3dffc444ccc131c9dcee18db49ee6403
.rsrc	0x1c000	0xb000	45056	382e439b681e01d01d251df2ed51381930e335c4	0ec3b0cbd28d69aeb07bf0445301b1a3

PE Resources 6

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_DUTCH	SUBLANG_DUTCH	0x1cd94	2216	PE Resource: RT_ICON - Data ( @""")))UUUMMMBBB999\|PP3f333f3333f3ffffff3f3ff333f333333333f33333333f33f3ff3f3f3f3333f3333333f333333f3333f3ffffff3f33ff3f3f3f3fff3ffffffffff3fffffff3fffff3fff333f3f3ff3ff33f3ff3f3f333f3333f3ffffff3f3f3f3f333f3333f3ffffff3f3f3ffffffffff!___wwwCCCX1CCX10CX10C10C0CCCCXXCXXRssCXXRsxCXRRsCRsxCxCCzz1111MMM^zz1111MM^^zz1111M^^zz1111^^^zz111z^^^zz11zz^^^zz1zzz^^zzp ??`?`???
RT_STRING	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x1de14	660	PE Resource: RT_STRING - Data Out of memoryI/O error %dFile not foundToo many open filesFile access deniedRead beyond end of file Disk fullInvalid numeric inputDivision by zeroRange check errorInteger overflow Invalid floating point operationFloating point division by zeroFloating point overflowFloating point underflowInvalid pointer operation
RT_RCDATA	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x264f0	44
RT_GROUP_ICON	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x2651c	62
RT_VERSION	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x2655c	1268	PE Resource: RT_VERSION - Data 4VS_VERSION_INFO ?RStringFileInfo.000004b0r-CommentsThis installation was built with Inno Setup.=CompanyNameGlodon Software Inc. =FileDescriptionGTP 6 OmhVO Y]wQ JFileVersion6.2.09.19 eLegalCopyrightCopyright 2014 Glodon Software Inc. =ProductNameGTP 6 OmhVO Y]wQ 3ProductVersion6.2.08.15 DVarFileInfo$Translation
RT_MANIFEST	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x26a50	1444	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity name="JR.Inno.Setup" processorArchitecture="x86" version="1.0.0.0" type="win32"/> <description>Inno Setup</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware> </windowsSettings> </application> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> </application> </compatibility> </assembly>

Meta infos 8

LegalCopyright:	Copyright 2014 Glodon Software Inc.
FileVersion:	6.2.09.19
CompanyName:	Glodon Software Inc.
ProductVersion:	6.2.08.15
FileDescription:	GTP 6 \x6d4f\x89c8\x5668\x4fee\x590d\x5de5\x5177
Translation:	0x0000 0x04b0
Comments:	This installation was built with Inno Setup.
ProductName:	GTP 6 \x6d4f\x89c8\x5668\x4fee\x590d\x5de5\x5177

Packers detected 2

Borland Delphi 3.0 (???)
Borland Delphi 4.0

Anti debug functions 3

GetLastError
RaiseException
UnhandledExceptionFilter

File signature

MD5	SHA1	Block size	Virtual Address
9fea6ec26c9d7f27d2cc679022a167aa	6acea943ba139009912442e7e68907c47b5762e7	10328	12194040

Strings analysis - File found

Executable
wnQ.so
Autocad
MwS.DwG
Library
KERNEL32.dll
SHELL32.dll
COMCTL32.dll
OLEAUT32.dll
USER32.dll
ADVAPI32.dll

Strings analysis - Possible IPs found 2

6.2.08.15
6.2.09.19

Strings analysis - Possible URLs found 16

http://ocsp.digicert.com0\
http://ocsp.digicert.com0C
http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
http://ocsp.digicert.com0A
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
http://www.digicert.com/CPS0
http://ocsp.digicert.com0X

Import functions

advapi32.dll 9 kernel32.dll 90 oleaut32.dll 3 user32.dll 17 comctl32.dll 1

Function	Address	Souspicious	Anti Debug
RegQueryValueExW	0x41930c
RegOpenKeyExW	0x419310
RegCloseKey	0x419314
RegQueryValueExW	0x4194d8
RegOpenKeyExW	0x4194dc
RegCloseKey	0x4194e0
OpenProcessToken	0x4194e4
LookupPrivilegeValueW	0x4194e8
AdjustTokenPrivileges	0x419500

Function	Address	Souspicious	Anti Debug
GetACP	0x419330
Sleep	0x419334
VirtualFree	0x419338
VirtualAlloc	0x41933c
GetSystemInfo	0x419340
GetTickCount	0x419344
QueryPerformanceCounter	0x419348
GetVersion	0x41934c
GetCurrentThreadId	0x419350
VirtualQuery	0x419354
WideCharToMultiByte	0x419358
MultiByteToWideChar	0x41935c
lstrlenW	0x419360
lstrcpynW	0x419364
LoadLibraryExW	0x419368
GetThreadLocale	0x41936c
GetStartupInfoA	0x419370
GetProcAddress	0x419374
GetModuleHandleW	0x419378
GetModuleFileNameW	0x41937c
GetLocaleInfoW	0x419380
GetCommandLineW	0x419384
FreeLibrary	0x419388
FindFirstFileW	0x41938c
FindClose	0x419390
ExitProcess	0x419394
WriteFile	0x419398
UnhandledExceptionFilter	0x41939c
RtlUnwind	0x4193a0
RaiseException	0x4193a4
GetStdHandle	0x4193a8
CloseHandle	0x4193ac
TlsSetValue	0x4193b4
TlsGetValue	0x4193b8
LocalAlloc	0x4193bc
GetModuleHandleW	0x4193c0
WriteFile	0x419400
WideCharToMultiByte	0x419404
WaitForSingleObject	0x419408
VirtualQuery	0x41940c
VirtualProtect	0x419410
VirtualFree	0x419414
VirtualAlloc	0x419418
SizeofResource	0x41941c
SignalObjectAndWait	0x419420
SetLastError	0x419424
SetFilePointer	0x419428
SetEvent	0x41942c
SetErrorMode	0x419430
SetEndOfFile	0x419434
ResetEvent	0x419438
RemoveDirectoryW	0x41943c
ReadFile	0x419440
MultiByteToWideChar	0x419444
LockResource	0x419448
LoadResource	0x41944c
LoadLibraryW	0x419450
GetWindowsDirectoryW	0x419454
GetVersionExW	0x419458
GetUserDefaultLangID	0x41945c
GetThreadLocale	0x419460
GetSystemInfo	0x419464
GetStdHandle	0x419468
GetProcAddress	0x41946c
GetModuleHandleW	0x419470
GetModuleFileNameW	0x419474
GetLocaleInfoW	0x419478
GetLastError	0x41947c
GetFullPathNameW	0x419480
GetFileSize	0x419484
GetFileAttributesW	0x419488
GetExitCodeProcess	0x41948c
GetEnvironmentVariableW	0x419490
GetDiskFreeSpaceW	0x419494
GetCurrentProcess	0x419498
GetCommandLineW	0x41949c
GetCPInfo	0x4194a0
InterlockedExchange	0x4194a4
InterlockedCompareExchange	0x4194a8
FreeLibrary	0x4194ac
FormatMessageW	0x4194b0
FindResourceW	0x4194b4
EnumCalendarInfoW	0x4194b8
DeleteFileW	0x4194bc
CreateProcessW	0x4194c0
CreateFileW	0x4194c4
CreateEventW	0x4194c8
CreateDirectoryW	0x4194cc
CloseHandle	0x4194d0
Sleep	0x4194f8

Function	Address	Souspicious	Anti Debug
SysFreeString	0x4192fc
SysReAllocStringLen	0x419300
SysAllocStringLen	0x419304

Function	Address	Souspicious	Anti Debug
GetKeyboardType	0x41931c
LoadStringW	0x419320
MessageBoxA	0x419324
CharNextW	0x419328
CreateWindowExW	0x4193c8
TranslateMessage	0x4193cc
SetWindowLongW	0x4193d0
PeekMessageW	0x4193d4
MsgWaitForMultipleObjects	0x4193d8
MessageBoxW	0x4193dc
LoadStringW	0x4193e0
GetSystemMetrics	0x4193e4
ExitWindowsEx	0x4193e8
DispatchMessageW	0x4193ec
DestroyWindow	0x4193f0
CharUpperBuffW	0x4193f4
CallWindowProcW	0x4193f8

Function	Address	Souspicious	Anti Debug
InitCommonControls	0x4194f0