MalScore: 100/100
MalFamily: Bulz

install_1.2_dev.exe

Flags checked: Is DLL, Packer, Anti Debug, Anti VM, Signed, XOR
File details
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File size: 1785.00 KB (1827840 bytes)
Compile time: 2021-05-26 09:08:41
MD5: c9f5bba0fdc355682aa17a017718f1b5
SHA1: 606b8d7c9845bdf510657fa56dbd6be7c5d12acc
SHA256: 1a3c664c1f7f98ff34924f72b679cbfa458c1f34020ccd12528da02223a3a8c3
Import hash: 60803a14598fadbdc8d0baa7d6b2a388
Sections (11): .text, .itext, .data, .bss, .idata, .didata, .edata, .tls, .rdata, .reloc, .rsrc
Directories (5): import, export, resource, tls, relocation
First submission: 2022-03-01 09:00:09
Last submission: 2022-03-01 09:00:09
Filename detected: - install_1.2_dev.exe (1)
URL file hosting: hXXp://download.xp666.com/xzqswf/app/install_1.2_dev.exe
Antivirus Report: No report available
PE Sections (2 flagged as suspicious by the scanner)
Name VAddress VSize Size MD5 SHA1
.text 0x1000 0x185bcc 1596416 69c1bec04769157cf9aaa6dc2c19ca83 fcaf85e62cf51afbc9aafb3d39ac113734d6adee
.itext 0x187000 0x1874 6656 3aea57bc10398e10d829d61b33b4d731 5d602c70d0ebf18ede28c9b8be38484025fa5c5e
.data 0x189000 0x7300 29696 55db884508d806636c3130deaf5d5362 6606664ddabdfee950b661bda833ab942d9342b2
.bss 0x191000 0x56f4 0 d41d8cd98f00b204e9800998ecf8427e da39a3ee5e6b4b0d3255bfef95601890afd80709
.idata 0x197000 0x154c 5632 b99e6ba1c4efdf6c50d3ea38872feb81 cc98423f9a0b0d777fad84a20075fa89ed770daf
.didata 0x199000 0x1d0 512 bb624fa62a3724b3b90d8942bc8a7c50 882aae898f4199e051dbd9cfb77a5cffbd7ed37a
.edata 0x19a000 0x5b 512 d2988754e7514779f29a1f1af175e4a4 c7bacca2f98394b83579e5c0c27c32010d9c90ac
.tls 0x19b000 0x18 0 d41d8cd98f00b204e9800998ecf8427e da39a3ee5e6b4b0d3255bfef95601890afd80709
.rdata 0x19c000 0x5d 512 500237a3b5b434e6fb2cd921d0b213c1 fde1434d0101d25172f07b472b4df48f0592e475
.reloc 0x19d000 0x23d60 146944 4086c8ea683ce6d367577898f59f3f6c 796e7fc2daa0abe0f60098dd10e1f6785c5ca818
.rsrc 0x1c1000 0x9c00 39936 eab196a88e3190dc777ef829036c7e91 298c887f3681c04260bf2de76304ecc1cbd32438
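The two sections whose hashes are d41d8cd98f00b204e9800998ecf8427e / da39a3ee5e6b4b0d3255bfef95601890afd80709 (.bss and .tls) have a raw size of 0: those are the MD5 and SHA1 of empty input, so the "hash" carries no information and the section is materialised by the loader. The script below is an added example, not tooling from the report's sandbox; it sanity-checks the section table transcribed above (layout continuity, alignment, zero-raw-data sections and the empty-input hash they must carry) assuming the standard 0x1000 section alignment and 0x200 file alignment.

```python
import hashlib

# Section table transcribed from the report (name, VAddress, VSize, raw Size, MD5).
# Constructed input for the example: no PE file is parsed here.
SECTIONS = [
    (".text",   0x1000,   0x185bcc, 1596416, "69c1bec04769157cf9aaa6dc2c19ca83"),
    (".itext",  0x187000, 0x1874,   6656,    "3aea57bc10398e10d829d61b33b4d731"),
    (".data",   0x189000, 0x7300,   29696,   "55db884508d806636c3130deaf5d5362"),
    (".bss",    0x191000, 0x56f4,   0,       "d41d8cd98f00b204e9800998ecf8427e"),
    (".idata",  0x197000, 0x154c,   5632,    "b99e6ba1c4efdf6c50d3ea38872feb81"),
    (".didata", 0x199000, 0x1d0,    512,     "bb624fa62a3724b3b90d8942bc8a7c50"),
    (".edata",  0x19a000, 0x5b,     512,     "d2988754e7514779f29a1f1af175e4a4"),
    (".tls",    0x19b000, 0x18,     0,       "d41d8cd98f00b204e9800998ecf8427e"),
    (".rdata",  0x19c000, 0x5d,     512,     "500237a3b5b434e6fb2cd921d0b213c1"),
    (".reloc",  0x19d000, 0x23d60,  146944,  "4086c8ea683ce6d367577898f59f3f6c"),
    (".rsrc",   0x1c1000, 0x9c00,   39936,   "eab196a88e3190dc777ef829036c7e91"),
]

SECTION_ALIGNMENT = 0x1000   # assumption: standard PE SectionAlignment
FILE_ALIGNMENT = 0x200       # assumption: standard PE FileAlignment
EMPTY_MD5 = hashlib.md5(b"").hexdigest()   # hash a zero-length section must show


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def section_findings(sections):
    """Return {section_name: [finding, ...]} for layout and hash anomalies."""
    findings = {}
    expected_next = None
    for name, vaddr, vsize, rawsize, md5 in sections:
        notes = []
        if rawsize == 0 and vsize > 0:
            notes.append("no raw data: filled at load time (uninitialised/TLS), "
                         "hash is of empty input")
            if md5 != EMPTY_MD5:
                notes.append("hash of a zero-length section differs from MD5('')")
        if rawsize % FILE_ALIGNMENT:
            notes.append("raw size not a multiple of FileAlignment")
        if vaddr % SECTION_ALIGNMENT:
            notes.append("virtual address not section-aligned")
        if expected_next is not None and vaddr != expected_next:
            notes.append("gap or overlap before this section")
        if rawsize and vsize > align_up(rawsize, FILE_ALIGNMENT) * 2:
            notes.append("virtual size far exceeds raw size (room for unpacked code)")
        expected_next = vaddr + align_up(vsize, SECTION_ALIGNMENT)
        if notes:
            findings[name] = notes
    return findings


def image_end(sections):
    """RVA just past the last section, i.e. the expected SizeOfImage."""
    _, vaddr, vsize, _, _ = sections[-1]
    return vaddr + align_up(vsize, SECTION_ALIGNMENT)


if __name__ == "__main__":
    for name, notes in section_findings(SECTIONS).items():
        print(name, "->", "; ".join(notes))
    print("image ends at", hex(image_end(SECTIONS)))
```

On this table only .bss and .tls are reported, and the sections tile the image without gaps, which is what a normal Delphi build looks like; a gap, an unaligned address or a virtual size several times the raw size would be the signal worth following up.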
  • API Alert
  • Anti Debug
  • PE Exports: install_1.2_dev.exe
    • 0x45a388 TMethodImplementationIntercept (the RTTI hook that Delphi XE and later runtimes routinely export from executables; a compiler artifact, not an attacker-defined export)
Meta Info
No Meta found in this file
XOR
No XOR information found in this file.
Signature
This file isn't digitally signed
Packer(s)
Borland Delphi 3.0 (???)
Borland Delphi 4.0
Borland Delphi v3.0
Borland Delphi v6.0 - v7.0
BobSoft Mini Delphi -> BoB / BobSoft
These matches are compiler signatures rather than packers, and they contradict each other; the 2021 compile time, the TMethodImplementationIntercept export and the Embarcadero\Locales registry lookups recorded below point to a far newer Delphi than any of the matched signatures.
Files found
File type: Library
secur32.dll
ssleay32.dll
KERNEL32.dll
security.dll
mswsock.dll
libeay32.dll
IPHLPAPI.DLL
normaliz.dll
Fwpuclnt.dll
IdnDL.dll
wship6.dll
libssl32.dll
OLEAUT32.dll
WS2_32.DLL
urlmon.dll
WININET.dll
USER32.dll
MSVCRT.dll
Netapi32.dll
ADVAPI32.dll
WSOCK32.dll
SHELL32.dll
File type: Web Page
http://t.duote.com/duote/index.php
IP Found (dotted-quad strings from static extraction, not observed connections; 0.0.0.1, 255.255.255.255 and 127.0.0.1 are reserved or loopback values, and 2.6.3.1 is more likely a version string)
0.0.0.1
255.255.255.255
127.0.0.1
2.6.3.1
URL(s)
http://www.indyproject.org/
http://t.duote.com/duote/index.php
http://download.xp666.com/xzqswf/cof/inst_cfg
http://api.xp666.com/get_server_limit.php?type=oper
Behavior analysis details
Machine: Seven01b_64 (label Seven01b_64), manager VirtualBox; started 2022-03-01 08:34:17, ended 2022-03-01 08:37:22, duration 185 s

7 Behaviors detected by system signatures


8 Summary items with data

Files

C:\Users\Seven01\AppData\Local\Temp\install_1.2_dev.it-IT
C:\Users\Seven01\AppData\Local\Temp\install_1.2_dev.it
C:\Users\Seven01\AppData\Local\Temp\install_1.2_dev.ITA
C:\Users\Seven01\AppData\Local\Temp\install_1.2_dev.IT
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\Seven01\AppData\Local\Temp\libeay32.dll
C:\Windows\System32\libeay32.dll
C:\Windows\system\libeay32.dll
C:\Windows\libeay32.dll
C:\ProgramData\Oracle\Java\javapath\libeay32.dll
C:\Windows\System32\wbem\libeay32.dll
C:\Windows\System32\WindowsPowerShell\v1.0\libeay32.dll
C:\unrar\libeay32.dll
C:\Python27\libeay32.dll
C:\Windows\System32\tzres.dll
C:\Windows\System32\it-IT\tzres.dll.mui
C:\Users\Seven01\AppData\Local\Temp\_deleteme.bat
C:\Users\Seven01\AppData\Local\Temp
C:\Users
C:\Users\Seven01
C:\Users\Seven01\AppData
C:\Users\Seven01\AppData\Local
C:\
C:\Users\Seven01\AppData\Local\Temp\install_1.2_dev.exe
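The nine libeay32.dll entries above are not nine files: they are one failed library load walking the default DLL search order (application directory, System32, System, Windows, then each PATH entry). A DLL that is looked up in that many places and never found is a classic sideloading opportunity if any probed directory is writable. The script below is an added example, not part of the sandbox's tooling; it groups the file-access paths transcribed from the report by DLL name and lists which probed directories fall outside the Windows tree, assuming %SystemRoot% is C:\Windows and treating only that tree as non-writable by a standard user.

```python
import ntpath

# Paths transcribed from the "Files" list in the report above (subset).
OBSERVED_PATHS = [
    r"C:\Users\Seven01\AppData\Local\Temp\install_1.2_dev.it-IT",
    r"C:\Windows\Globalization\Sorting\sortdefault.nls",
    r"C:\Users\Seven01\AppData\Local\Temp\libeay32.dll",
    r"C:\Windows\System32\libeay32.dll",
    r"C:\Windows\system\libeay32.dll",
    r"C:\Windows\libeay32.dll",
    r"C:\ProgramData\Oracle\Java\javapath\libeay32.dll",
    r"C:\Windows\System32\wbem\libeay32.dll",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\libeay32.dll",
    r"C:\unrar\libeay32.dll",
    r"C:\Python27\libeay32.dll",
    r"C:\Windows\System32\tzres.dll",
    r"C:\Users\Seven01\AppData\Local\Temp\_deleteme.bat",
]

APP_DIR = r"C:\Users\Seven01\AppData\Local\Temp"   # directory the sample ran from
SYSTEM_ROOT = r"C:\Windows"                       # assumption: default %SystemRoot%
# Assumption: only the Windows tree is treated as non-writable by a standard user;
# every other probed directory is reported as a potential planting location.
PROTECTED_PREFIXES = (SYSTEM_ROOT.lower(),)


def dll_probes(paths, min_dirs=3):
    """Group DLL paths by file name (case-insensitive) and keep the names that were
    looked up in at least min_dirs directories, preserving lookup order."""
    by_name = {}
    for p in paths:
        directory, name = ntpath.split(p)
        if name.lower().endswith(".dll"):
            by_name.setdefault(name.lower(), []).append(directory)
    return {n: d for n, d in by_name.items() if len(d) >= min_dirs}


def follows_search_order(dirs, app_dir=APP_DIR, system_root=SYSTEM_ROOT):
    """True if the first four lookups match the default (SafeDllSearchMode) order:
    application directory, System32, System, Windows; PATH entries come after."""
    expected = [app_dir, ntpath.join(system_root, "System32"),
                ntpath.join(system_root, "system"), system_root]
    return [d.lower() for d in dirs[:4]] == [e.lower() for e in expected]


def sideload_candidates(paths, protected=PROTECTED_PREFIXES):
    """For every DLL walked across the search path, list the probed directories
    outside the protected prefixes: a writable one lets an attacker plant the DLL."""
    result = {}
    for name, dirs in dll_probes(paths).items():
        result[name] = [d for d in dirs if not d.lower().startswith(protected)]
    return result


if __name__ == "__main__":
    for name, dirs in dll_probes(OBSERVED_PATHS).items():
        print(name, "probed in", len(dirs), "dirs; default order:",
              follows_search_order(dirs))
    print(sideload_candidates(OBSERVED_PATHS))
```

Here the loader never found libeay32.dll (the OpenSSL 1.0.x library Indy loads on demand), so the TLS-capable code path was simply unavailable in the sandbox; on a host where Temp, C:\unrar or C:\Python27 contains an attacker-supplied libeay32.dll the sample would load it with its own privileges.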

Read Files

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\tzres.dll
C:\Windows\System32\it-IT\tzres.dll.mui
C:\Users\Seven01\AppData\Local\Temp\_deleteme.bat

Write Files

C:\Users\Seven01\AppData\Local\Temp\_deleteme.bat

Delete Files

C:\Users\Seven01\AppData\Local\Temp\install_1.2_dev.exe
C:\Users\Seven01\AppData\Local\Temp\_deleteme.bat

Keys

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_CURRENT_USER\Software\Embarcadero\Locales
HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales
HKEY_CURRENT_USER\Software\CodeGear\Locales
HKEY_LOCAL_MACHINE\Software\CodeGear\Locales
HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option

Read Keys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun

Write Keys

Nothing to display

Delete Keys

Nothing to display

Mutexes

Resolved APIs

kernel32.dll.GetThreadPreferredUILanguages
kernel32.dll.SetThreadPreferredUILanguages
kernel32.dll.GetThreadUILanguage
kernel32.dll.GetNativeSystemInfo
kernel32.dll.GetDiskFreeSpaceExW
kernel32.dll.GetLogicalProcessorInformation
oleaut32.dll.VariantChangeTypeEx
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarAdd
oleaut32.dll.VarSub
oleaut32.dll.VarMul
oleaut32.dll.VarDiv
oleaut32.dll.VarIdiv
oleaut32.dll.VarMod
oleaut32.dll.VarAnd
oleaut32.dll.VarOr
oleaut32.dll.VarXor
oleaut32.dll.VarCmp
oleaut32.dll.VarI4FromStr
oleaut32.dll.VarR4FromStr
oleaut32.dll.VarR8FromStr
oleaut32.dll.VarDateFromStr
oleaut32.dll.VarCyFromStr
oleaut32.dll.VarBoolFromStr
oleaut32.dll.VarBstrFromCy
oleaut32.dll.VarBstrFromDate
oleaut32.dll.VarBstrFromBool
kernel32.dll.InitializeConditionVariable
kernel32.dll.WakeConditionVariable
kernel32.dll.WakeAllConditionVariable
kernel32.dll.SleepConditionVariableCS
kernel32.dll.GetFileSizeEx
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
security.dll.InitSecurityInterfaceW
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Heap32ListFirst
kernel32.dll.Heap32ListNext
kernel32.dll.Heap32First
kernel32.dll.Heap32Next
kernel32.dll.Toolhelp32ReadProcessMemory
kernel32.dll.Process32First
kernel32.dll.Process32Next
kernel32.dll.Process32FirstW
kernel32.dll.Process32NextW
kernel32.dll.Thread32First
kernel32.dll.Thread32Next
kernel32.dll.Module32First
kernel32.dll.Module32Next
kernel32.dll.Module32FirstW
kernel32.dll.Module32NextW
ws2_32.dll.WSAStartup
ws2_32.dll.GetAddrInfoW
ws2_32.dll.GetNameInfoW
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.InetPtonW
ws2_32.dll.InetNtopW
ws2_32.dll.GetAddrInfoExW
ws2_32.dll.SetAddrInfoExW
ws2_32.dll.FreeAddrInfoExW
fwpuclnt.dll.WSASetSocketPeerTargetName
fwpuclnt.dll.WSADeleteSocketPeerTargetName
fwpuclnt.dll.WSAImpersonateSocketPeer
fwpuclnt.dll.WSAQuerySocketSecurity
fwpuclnt.dll.WSARevertImpersonation
idndl.dll.DownlevelGetLocaleScripts
idndl.dll.DownlevelGetStringScripts
idndl.dll.DownlevelVerifyScripts
normaliz.dll.IdnToUnicode
normaliz.dll.IdnToNameprepUnicode
normaliz.dll.IdnToAscii
normaliz.dll.IsNormalizedString
normaliz.dll.NormalizeString
ws2_32.dll.socket
ws2_32.dll.getsockopt
ws2_32.dll.setsockopt
ws2_32.dll.htons
ws2_32.dll.bind
ws2_32.dll.getsockname
ws2_32.dll.ntohs
ws2_32.dll.connect
ws2_32.dll.getpeername
ws2_32.dll.send
ws2_32.dll.select
ws2_32.dll.recv
ws2_32.dll.shutdown
ws2_32.dll.closesocket
ws2_32.dll.WSACleanup
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel

Execute Commands

C:\Users\Seven01\AppData\Local\Temp\_deleteme.bat
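Taken together, the Write Files, Execute Commands and Delete Files entries describe a self-delete routine: the sample writes _deleteme.bat next to itself, runs it, and the script removes install_1.2_dev.exe and then itself (the Command Processor registry reads above are consistent with cmd.exe starting). The detector below is an added example, not part of the report, run over a constructed event stream that mirrors those three lists; the process ids and the cmd.exe child are invented for the example.

```python
from collections import namedtuple

Event = namedtuple("Event", "pid image op target")

SAMPLE = r"C:\Users\Seven01\AppData\Local\Temp\install_1.2_dev.exe"
SCRIPT = r"C:\Users\Seven01\AppData\Local\Temp\_deleteme.bat"
CMD = r"C:\Windows\System32\cmd.exe"   # assumption: the script is run by cmd.exe

# Constructed event stream mirroring the Write/Execute/Delete lists of the report.
EVENTS = [
    Event(1000, SAMPLE, "file_write", SCRIPT),
    Event(1000, SAMPLE, "process_create", SCRIPT),
    Event(1001, CMD, "file_read", SCRIPT),
    Event(1001, CMD, "file_delete", SAMPLE),
    Event(1001, CMD, "file_delete", SCRIPT),
]

SCRIPT_EXT = (".bat", ".cmd")


def detect_self_delete(events):
    """Flag a process that writes a batch script, launches it, and then has its own
    executable deleted. Requires the write -> launch -> delete order; whether the
    script also removed itself is recorded. Returns one dict per matching writer."""
    written = {}      # script path (lowercased) -> writing Event
    launched = set()  # scripts that were subsequently executed
    deleted = set()   # every deleted path (lowercased)
    hits = {}
    for ev in events:
        target = ev.target.lower()
        if ev.op == "file_write" and target.endswith(SCRIPT_EXT):
            written[target] = ev
        elif ev.op == "process_create":
            for script in written:
                if script in target:          # command line names the script
                    launched.add(script)
        elif ev.op == "file_delete":
            deleted.add(target)
            for script in launched:
                writer = written[script]
                if target == writer.image.lower():
                    hits[script] = {"writer_pid": writer.pid,
                                    "script": writer.target,
                                    "deleted_image": ev.target}
    for script, hit in hits.items():
        hit["script_deleted"] = script in deleted
    return list(hits.values())


if __name__ == "__main__":
    for hit in detect_self_delete(EVENTS):
        print(hit)
```

The order requirement matters: an installer legitimately deleting a temporary script it wrote is common, but a process whose own image disappears after a script it wrote is launched is the pattern worth alerting on.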

Started Services

Nothing to display

Created Services

Nothing to display

1 HTTP Request(s) detected

http://download.xp666.com/xzqswf/cof/inst_cfg
  • Hostname: download.xp666.com
  • IP Address: 0.0.0.0 (no resolved address was recorded; the name most likely did not resolve in the sandbox or was sinkholed)
  • Port: 80
  • Count: 1
  • The User-Agent "Mozilla/3.0 (compatible; Indy Library)" is the default of the Indy HTTP client for Delphi, matching the www.indyproject.org string found statically; the same /xzqswf/ path prefix hosted the sample itself

GET /xzqswf/cof/inst_cfg HTTP/1.1
Host: download.xp666.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
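A request like this one stands out on the wire because a non-browser process announces itself with a library default User-Agent and asks for no compression. The script below is an added example, not part of the report, that parses raw HTTP request heads, derives the URL indicator and flags library-default User-Agents; the request from the report is transcribed verbatim and the second, browser-style request is made up as a control. The marker list is illustrative, not exhaustive.

```python
# Constructed request log: the request captured above, plus a made-up browser
# request as a negative control.
RAW_REQUESTS = [
    "GET /xzqswf/cof/inst_cfg HTTP/1.1\r\n"
    "Host: download.xp666.com\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Encoding: identity\r\n"
    "User-Agent: Mozilla/3.0 (compatible; Indy Library)\r\n\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/97.0\r\n"
    "Accept-Encoding: gzip, deflate\r\n\r\n",
]

# Substrings that identify default User-Agents of HTTP client libraries
# (assumption: a short illustrative list).
LIBRARY_UA_MARKERS = {
    "Indy Library": "Delphi Indy (TIdHTTP) default",
    "python-requests/": "Python requests default",
    "curl/": "curl default",
}


def parse_request(raw):
    """Split a raw HTTP/1.x request head into method, path, version and headers
    (header names lowercased); the body, if any, is ignored."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def classify(raw):
    """Build an indicator record for one request and name the client library if
    the User-Agent is a known library default."""
    req = parse_request(raw)
    hdr = req["headers"]
    ua = hdr.get("user-agent", "")
    library = next((label for marker, label in LIBRARY_UA_MARKERS.items()
                    if marker in ua), None)
    return {
        "url": "http://" + hdr.get("host", "") + req["path"],
        "user_agent": ua,
        "library": library,
        "no_compression": hdr.get("accept-encoding", "").strip() == "identity",
    }


def suspect_requests(raws):
    """Requests whose User-Agent is a library default, in log order."""
    return [rec for rec in map(classify, raws) if rec["library"] is not None]


if __name__ == "__main__":
    for rec in suspect_requests(RAW_REQUESTS):
        print(rec)
```

The URL it yields, http://download.xp666.com/xzqswf/cof/inst_cfg, is the configuration fetch seen in the static URL list, so host, path and User-Agent together make a tighter network indicator than the hostname alone.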

#infosec #automation

TheSystem Itself @ 2022-03-01 09:00:11

Detected family: #Bulz

TheSystem Itself @ 2022-03-01 09:09:02