| File Path | Type and Hashes |
|---|---|
|
C:\Users\user\AppData\Local\Temp\IXP001.TMP\z7869856.exe |
Type : PE32 executable (GUI) Intel 80386, for MS Windows MD5 : e2e1fa6fb24d597c4baba91aaeed2053 SHA-1 : e53d60465e459a7a643d01d6fd13a6b09cf4c4e4 SHA-256 : e6e7ad43a309c948700ed0dd81c8177572cabb0d39b62c61383ac1ce270525ae SHA-512 : dc80d75d92ac7a4706dbd27ff02023ff9d85d737681cbf67f37ce4a69d904f33ddc5008bedd659783ebdd08f246c27d154e4a3ed1723b311b5e8d229b1c9ba95 Size : 232.448 Kilobytes. |
|
C:\Users\user\AppData\Local\Temp\IXP002.TMP\p2889321.exe |
Type : PE32 executable (console) Intel 80386, for MS Windows MD5 : 211a06e9ae68ced1234252a48696431b SHA-1 : 69950e2ee2fafd177d1a295836713bfd8d18df9c SHA-256 : 0bdca9c84103454e329cfde4e69dc41a0ec0196c078c8fc195b0fa739d2f905d SHA-512 : b1643ba376075619335b4bdf0d7610aece13b7c9db60eecb508465f97ef3e6a9d5297f9ac8529886efa052cdd8814ac7d4eeab44812f797a1b2dc5fa967ee7eb Size : 180.544 Kilobytes. |
|
C:\Users\user\AppData\Local\Temp\IXP001.TMP\s6358817.exe |
Type : PE32 executable (console) Intel 80386, for MS Windows MD5 : 0ff113c12c86ad2f2110879308c95299 SHA-1 : 19ec931c74772cf3dfe1bb35e82be3c3b096cfd7 SHA-256 : 6dc9965a8b6eee21a4ef6c86c2df2973c170818da401a7ef13f72e3c0e989cf2 SHA-512 : da894d0a7270b55d370b5615ae9db164a3d1a026ae80f9cc22ac74aa10c9a37b7f89b1fd97d1a1e002143d045fa79c614b3e261451d089eeaa13345d35cc9627 Size : 397.824 Kilobytes. |
|
C:\Users\user\AppData\Local\Temp\IXP002.TMP\r4984541.exe |
Type : PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows MD5 : 7e93bacbbc33e6652e147e7fe07572a0 SHA-1 : 421a7167da01c8da4dc4d5234ca3dd84e319e762 SHA-256 : 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 SHA-512 : 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 Size : 11.264 Kilobytes. |
| Match Rules |
|---|
| File Name: | bdbdc0e68f0175414075ae9841781c51ce3784d7 |
| File Type: | PE32 executable (console) Intel 80386, for MS Windows |
| SHA1: | bdbdc0e68f0175414075ae9841781c51ce3784d7 |
| MD5: | a494133a749128886cf99016e767f5dc |
| First Seen Date: | 2023-06-27 15:20:35.051858 ( ) |
| Number of Clients Seen: | 6 |
| Last Analysis Date: | 2023-06-27 16:57:11.732198 ( ) |
| Human Expert Analysis Date: | 2023-06-28 08:12:19.396679 ( ) |
| Human Expert Analysis Result: | Malware |
| Property | Value |
|---|---|
| magic literal enum | 1 |
| file type enum | 6 |
| debug artifacts | [] |
| number of sections | 6 |
| trid | [[67.4, u'Win32 Executable MS Visual C++ (generic)'], [14.2, u'Win32 Dynamic Link Library (generic)'], [9.7, u'Win32 Executable (generic)'], [4.3, u'Generic Win/DOS Executable'], [4.3, u'DOS Executable Generic']] |
| compilation time stamp | 0x64939328 [Thu Jun 22 00:17:44 2023 UTC] |
| LegalCopyright | \xa9 Macquarie Group Limited All rights reserved. |
| InternalName | eDqzdMMvBPnL |
| FileVersion | 754 |
| CompanyName | Macquarie Group Limited |
| LegalTrademarks | \xa9 Macquarie Group Limited Trademarks |
| Comments | This is a legitimate application. |
| ProductName | OVcuX7qJaY |
| ProductVersion | 754 |
| FileDescription | Macquarie Group Limited Product |
| OriginalFilename | EvQFMQh1.exe |
| Translation | 0x0407 0x04b0 |
| entry point | 0x40b1ff (.text) |
| machine type | Intel 386 or later - 32Bit |
| file size | 896512 |
| ssdeep | 12288:scztKepjWeeIOw6IDWJSn/hTUZvLglRPgc70qvSyfrZiaMr4bLHYN9YbUJOqqKbS:dkNeemn/MDgSxqvSyfonsb0NmrQb8j |
| sha256 | 427875607eaf3406b8a2212e6a4671bf6ded47f771f2bd39228014d05954214f |
| exifinfo | [{u'EXE:FileSubtype': 0, u'File:FilePermissions': u'rw-r--r--', u'SourceFile': u'/nfs/fvs/valkyrie_shared/core/valkyrie_files/b/d/b/d/bdbdc0e68f0175414075ae9841781c51ce3784d7', u'EXE:OriginalFileName': u'EvQFMQh1.exe', u'EXE:ProductName': u'OVcuX7qJaY', u'EXE:InternalName': u'eDqzdMMvBPnL', u'File:MIMEType': u'application/octet-stream', u'File:FileAccessDate': u'2023:06:27 15:20:16+00:00', u'EXE:InitializedDataSize': 740864, u'File:FileModifyDate': u'2023:06:22 06:42:56+00:00', u'EXE:FileVersionNumber': u'754.0.0.0', u'EXE:FileVersion': 754, u'File:FileSize': u'876 kB', u'EXE:CharacterSet': u'Windows, Latin1', u'EXE:MachineType': u'Intel 386 or later, and compatibles', u'EXE:FileOS': u'Win32', u'EXE:LegalTrademarks': u'\xa9 Macquarie Group Limited Trademarks', u'EXE:ProductVersion': 754, u'EXE:ObjectFileType': u'Executable application', u'File:FileType': u'Win32 EXE', u'EXE:CompanyName': u'Macquarie Group Limited', u'File:FileName': u'bdbdc0e68f0175414075ae9841781c51ce3784d7', u'EXE:ImageVersion': 0.0, u'File:FileTypeExtension': u'exe', u'EXE:OSVersion': 6.0, u'EXE:PEType': u'PE32', u'EXE:TimeStamp': u'2023:06:22 00:17:44+00:00', u'EXE:FileFlagsMask': u'0x0000', u'EXE:LegalCopyright': u'\xa9 Macquarie Group Limited All rights reserved.', u'EXE:LinkerVersion': 14.36, u'EXE:FileFlags': u'(none)', u'EXE:Subsystem': u'Windows command line', u'File:Directory': u'/nfs/fvs/valkyrie_shared/core/valkyrie_files/b/d/b/d', u'EXE:FileDescription': u'Macquarie Group Limited Product', u'EXE:EntryPoint': u'0xb1ff', u'EXE:SubsystemVersion': 6.0, u'EXE:CodeSize': 158208, u'EXE:Comments': u'This is a legitimate application.', u'File:FileInodeChangeDate': u'2023:06:22 06:42:57+00:00', u'EXE:UninitializedDataSize': 0, u'EXE:LanguageCode': u'English (U.S.)', u'ExifTool:ExifToolVersion': 10.1, u'EXE:ProductVersionNumber': u'754.0.0.0'}] |
| mime type | application/x-dosexec |
| imphash | 5546d5d08c85c9bfc72c6e57a660ba00 |
| File Path on Client | Seen Count |
|---|---|
| bdbdc0e68f0175414075ae9841781c51ce3784d7 | 1 |
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5 |
|---|---|---|---|---|---|
| .bqwazg | 0x1000 | 0x1f77 | 0x2000 | 6.76477683259 | 67bfd78e0a83f4d0928fa878c4ee4439 |
| .text | 0x3000 | 0x249b5 | 0x24a00 | 6.59492365864 | ebbd22b2556e80b89071865b2b9c3dd8 |
| .rdata | 0x28000 | 0xd818 | 0xda00 | 5.51858453698 | b4d48dda5891246fa03c9b08e01e688b |
| .data | 0x36000 | 0x1d50 | 0x1000 | 3.08126538072 | b1153975ff168f41b4ca583f93fd23af |
| .bqazz | 0x38000 | 0xa4ed0 | 0xa5000 | 7.88130267087 | 7b5314ba8f04e6230940c720c79051c2 |
| .rsrc | 0xdd000 | 0x458 | 0x600 | 2.57638045513 | c897a9f150f2e42da68002e7e5f4e13d |
-
KERNEL32.dll
- WaitForSingleObject
- Sleep
- GetCurrentProcess
- CreateThread
- GetVersion
- VirtualAlloc
- VirtualProtect
- GetModuleHandleA
- GetProcAddress
- LoadLibraryA
- lstrlenW
- FreeConsole
- CreateFileW
- WideCharToMultiByte
- EnterCriticalSection
- LeaveCriticalSection
- InitializeCriticalSectionEx
- DeleteCriticalSection
- EncodePointer
- DecodePointer
- MultiByteToWideChar
- LCMapStringEx
- GetStringTypeW
- GetCPInfo
- IsProcessorFeaturePresent
- QueryPerformanceCounter
- GetCurrentProcessId
- GetCurrentThreadId
- GetSystemTimeAsFileTime
- InitializeSListHead
- IsDebuggerPresent
- UnhandledExceptionFilter
- SetUnhandledExceptionFilter
- GetStartupInfoW
- GetModuleHandleW
- TerminateProcess
- RaiseException
- RtlUnwind
- GetLastError
- SetLastError
- InitializeCriticalSectionAndSpinCount
- TlsAlloc
- TlsGetValue
- TlsSetValue
- TlsFree
- FreeLibrary
- LoadLibraryExW
- GetStdHandle
- WriteFile
- GetModuleFileNameW
- ExitProcess
- GetModuleHandleExW
- GetCommandLineA
- GetCommandLineW
- HeapAlloc
- HeapFree
- GetFileType
- CompareStringW
- LCMapStringW
- GetLocaleInfoW
- IsValidLocale
- GetUserDefaultLCID
- EnumSystemLocalesW
- CloseHandle
- FlushFileBuffers
- GetConsoleOutputCP
- GetConsoleMode
- ReadFile
- GetFileSizeEx
- SetFilePointerEx
- ReadConsoleW
- HeapReAlloc
- FindClose
- FindFirstFileExW
- FindNextFileW
- IsValidCodePage
- GetACP
- GetOEMCP
- GetEnvironmentStringsW
- FreeEnvironmentStringsW
- SetEnvironmentVariableW
- SetStdHandle
- GetProcessHeap
- HeapSize
- WriteConsoleW
{u'lang': u'LANG_ENGLISH', u'name': u'RT_VERSION', u'offset': 905312, u'sha256': u'f5f59d3e9739f7623285f14305091fea2a8c3c68195487853d7eeeb805bcc8d6', u'type': u'data', u'size': 1012}