persistance.exe

First submission 2024-10-14 17:45:02

File details

File type:	PE32+ executable (console) x86-64, for MS Windows
Mime type:	application/x-dosexec
File size:	2648.63 KB (2712196 bytes)
Compile time:	2024-09-22 20:30:14
MD5:	fb79af307b85682b1133f775dafcab83
SHA1:	de2c8852c3b37bf589af631872df810fbad3a554
SHA256:	fa04b82bc420f171b60b70316bba828de05782a3fd946cce7169b3a431af909a
Import Hash :	90e515923c3b276848e352c938e51804
Sections 19	.text .data .rdata .pdata .xdata .bss .idata .CRT .tls .rsrc .reloc /4 /19 /31 /45 /57 /70 /81 /97
Directories 4	import resource tls relocation

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	31/77 VT report date: 2024-10-14 17:19:14
Malware Type 1	trojan
Threat Type 3	tasker dhhxc nekark

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://130.61.181.50/ransomware/persistance.exe	130.61.181.50	2024-10-14 17:45:03

PE Sections 3 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0xba598	763392	3704a594c22b34a61623266265574a7579852808	c9f5044633b66585430d8691ca736e35
.data	0xbc000	0x2f40	12288	f82bbbc0b4740558d0a9999a9933238f1a6542b8	b350a38892ea6e36ea9594427fe94dff
.rdata	0xbf000	0x10e00	69120	772cbab2d0a0e76fcdc100f8c0630fbda631eb30	5555e8cb6bd3196204ccbb9ffe1310ec
.pdata	0xd0000	0xbf94	49152	3d233efc537a2d9a3c31f4fdaadd7b11701c402f	9a2bac6b913e9790413ec6046d74b15b
.xdata	0xdc000	0x10b24	68608	0a63d29949e757c5f5322e080a582ffe6382b046	61548f69667fbc93cde0491428fc628e
.bss	0xed000	0xd30	0	da39a3ee5e6b4b0d3255bfef95601890afd80709	d41d8cd98f00b204e9800998ecf8427e
.idata	0xee000	0x150c	5632	3b529b35c8e751b6218dffaa55b2ee0b38d14f5c	fb30be41f4755ad25e1f8fc22b0708ed
.CRT	0xf0000	0x68	512	7f3f48870c6a1805c8e77fc9535a9abbd0a198e2	0148a710148f0fd988027ade1751507b
.tls	0xf1000	0x10	512	5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5	bf619eac0cdf3f68d496ea9344137e8b
.rsrc	0xf2000	0x4e8	1536	4fa0a867f6888732eea3783848ad269812818cba	fa71eec3251932053b41fd475f7874bf
.reloc	0xf3000	0x1644	6144	76b893533525c87af87ce5ecebc7ed0d0b4f996c	30287ab0a15e1e7afd55c7099f6d1aa6
/4	0xf5000	0x5d0	1536	6f0dc4066e9dfd6ea415e17797f27fc1cbe2e55d	dcb315c074480093d5b7b76cd2143543
/19	0xf6000	0x11f28	73728	cedd66a511f9dbc20aa93a722295dcd17df9bddc	e85e187657ba9efc971fccac6db3a540
/31	0x108000	0xd5d	3584	bc50f77e931c067d3bffd301158045304d1d9c7b	f843920baedf44d228ce8bac7bb350b2
/45	0x109000	0x154e	5632	670541d3933aca22a881c64b1d3a416a317d94df	9bdb2bdeed0b7fdc5e5a53683d3ad171
/57	0x10b000	0x1810	6656	ccb6bab0ee74eccc874c51fee5db6fcfb1a1c303	9fc2416f4909843b6f110f6c44dba974
/70	0x10d000	0x531	1536	aaa7b7d637435ff646ae3679c7a4c77800a07e4e	f2194843463a2edafc799d2d77c1b5dd
/81	0x10e000	0x690	2048	c9c424ef6e4d672ab010baddfdaf17e9efca1cae	a4ff79c14767d2668c94e4b6a9f6c9c0
/97	0x10f000	0x3d0	1024	5df2560eff394b8d7ee9e03aebf9a1bd2bdf8775	636eaf15e5eb9902ae3e5bfc1ea0ae7a

PE Resources 1

Name	Language	Sublanguage	Offset	Size	Data
RT_MANIFEST	LANG_NEUTRAL	SUBLANG_NEUTRAL	0xf2058	1167	PE Resource: RT_MANIFEST - Data <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker"/> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!--The ID below indicates application support for Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!--The ID below indicates application support for Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!--The ID below indicates application support for Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!--The ID below indicates application support for Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!--The ID below indicates application support for Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> </assembly>

Name

Language

Sublanguage

Offset

Size

Data

RT_MANIFEST

LANG_NEUTRAL

SUBLANG_NEUTRAL

0xf2058

1167

Anti debug functions 4

GetLastError
IsDebuggerPresent
OutputDebugStringA
RaiseException

Strings analysis - File found

Library
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
KERNEL32.dll

Strings analysis - Possible IPs found 1

130.61.181.50

Strings analysis - Possible URLs found 1

https://H

Import functions

SHELL32.dll 1 KERNEL32.dll 65 msvcrt.dll 83

Function	Address	Souspicious	Anti Debug
ShellExecuteA	0x1400ee9c0

Function	Address	Souspicious	Anti Debug
AddVectoredExceptionHandler	0x1400ee510
CloseHandle	0x1400ee518
CreateEventA	0x1400ee520
CreateSemaphoreA	0x1400ee528
DeleteCriticalSection	0x1400ee530
DuplicateHandle	0x1400ee538
EnterCriticalSection	0x1400ee540
FileTimeToSystemTime	0x1400ee548
FormatMessageA	0x1400ee550
GetCurrentProcess	0x1400ee558
GetCurrentProcessId	0x1400ee560
GetCurrentThread	0x1400ee568
GetCurrentThreadId	0x1400ee570
GetHandleInformation	0x1400ee578
GetLastError	0x1400ee580
GetModuleHandleA	0x1400ee588
GetModuleHandleW	0x1400ee590
GetProcAddress	0x1400ee598
GetProcessAffinityMask	0x1400ee5a0
GetProcessTimes	0x1400ee5a8
GetSystemTimeAdjustment	0x1400ee5b0
GetSystemTimeAsFileTime	0x1400ee5b8
GetThreadContext	0x1400ee5c0
GetThreadPriority	0x1400ee5c8
GetThreadTimes	0x1400ee5d0
GetTickCount64	0x1400ee5d8
InitializeCriticalSection	0x1400ee5e0
IsDBCSLeadByteEx	0x1400ee5e8
IsDebuggerPresent	0x1400ee5f0
LeaveCriticalSection	0x1400ee5f8
LoadLibraryW	0x1400ee600
LocalFree	0x1400ee608
MultiByteToWideChar	0x1400ee610
OpenProcess	0x1400ee618
OutputDebugStringA	0x1400ee620
QueryPerformanceCounter	0x1400ee628
QueryPerformanceFrequency	0x1400ee630
RaiseException	0x1400ee638
ReleaseSemaphore	0x1400ee640
RemoveVectoredExceptionHandler	0x1400ee648
ResetEvent	0x1400ee650
ResumeThread	0x1400ee658
RtlCaptureContext	0x1400ee660
RtlLookupFunctionEntry	0x1400ee668
RtlUnwindEx	0x1400ee670
RtlVirtualUnwind	0x1400ee678
SetEvent	0x1400ee680
SetLastError	0x1400ee688
SetProcessAffinityMask	0x1400ee690
SetSystemTime	0x1400ee698
SetThreadContext	0x1400ee6a0
SetThreadPriority	0x1400ee6a8
SetUnhandledExceptionFilter	0x1400ee6b0
Sleep	0x1400ee6b8
SuspendThread	0x1400ee6c0
TlsAlloc	0x1400ee6c8
TlsGetValue	0x1400ee6d0
TlsSetValue	0x1400ee6d8
TryEnterCriticalSection	0x1400ee6e0
VirtualProtect	0x1400ee6e8
VirtualQuery	0x1400ee6f0
WaitForMultipleObjects	0x1400ee6f8
WaitForSingleObject	0x1400ee700
WideCharToMultiByte	0x1400ee708
__C_specific_handler	0x1400ee710

Function	Address	Souspicious	Anti Debug
___lc_codepage_func	0x1400ee720
___mb_cur_max_func	0x1400ee728
__getmainargs	0x1400ee730
__initenv	0x1400ee738
__iob_func	0x1400ee740
__set_app_type	0x1400ee748
__setusermatherr	0x1400ee750
_amsg_exit	0x1400ee758
_beginthreadex	0x1400ee760
_cexit	0x1400ee768
_commode	0x1400ee770
_errno	0x1400ee778
_endthreadex	0x1400ee780
_filelengthi64	0x1400ee788
_fileno	0x1400ee790
_fmode	0x1400ee798
_fstat64	0x1400ee7a0
_initterm	0x1400ee7a8
_lseeki64	0x1400ee7b0
fread	0x1400ee7b8
free	0x1400ee7c0
fsetpos	0x1400ee7c8
memchr	0x1400ee7d0
memcmp	0x1400ee7d8
memcpy	0x1400ee7e0
memmove	0x1400ee7e8
memset	0x1400ee7f0
printf	0x1400ee7f8
srand	0x1400ee800
_onexit	0x1400ee808
_time64	0x1400ee810
_ultoa	0x1400ee818
_setjmp	0x1400ee820
_wfopen	0x1400ee828
abort	0x1400ee830
calloc	0x1400ee838
exit	0x1400ee840
fclose	0x1400ee848
fflush	0x1400ee850
fgetpos	0x1400ee858
fopen	0x1400ee860
fprintf	0x1400ee868
fputc	0x1400ee870
fputs	0x1400ee878
fwrite	0x1400ee880
getc	0x1400ee888
getenv	0x1400ee890
getwc	0x1400ee898
iswctype	0x1400ee8a0
localeconv	0x1400ee8a8
longjmp	0x1400ee8b0
malloc	0x1400ee8b8
putc	0x1400ee8c0
putwc	0x1400ee8c8
rand	0x1400ee8d0
realloc	0x1400ee8d8
setlocale	0x1400ee8e0
setvbuf	0x1400ee8e8
signal	0x1400ee8f0
strchr	0x1400ee8f8
strcmp	0x1400ee900
strcoll	0x1400ee908
strerror	0x1400ee910
strftime	0x1400ee918
strlen	0x1400ee920
strncmp	0x1400ee928
strtoul	0x1400ee930
strxfrm	0x1400ee938
system	0x1400ee940
towlower	0x1400ee948
towupper	0x1400ee950
ungetc	0x1400ee958
ungetwc	0x1400ee960
vfprintf	0x1400ee968
wcscoll	0x1400ee970
wcsftime	0x1400ee978
wcslen	0x1400ee980
wcsxfrm	0x1400ee988
_write	0x1400ee990
_strdup	0x1400ee998
_read	0x1400ee9a0
_fileno	0x1400ee9a8
_fdopen	0x1400ee9b0