Open InterOhm opened 5 months ago
Make sure to look at both relations and behaviour https://www.virustotal.com/gui/file/3c67b3fc77d4807aa3af755118f748aef373f878e602e1e49884ce96db128c77/behavior https://www.virustotal.com/gui/file/5db24f34d010fd728dbe788e96bd3aa11cd512a85a28642604945dd1b30d8e57/behavior
specific files from fxpgunz folder 0asc.scd https://www.virustotal.com/gui/file/7dcf268fb73001c6d5a618702120329b4004ddea4ccbec9f6abcdedd10faf389/relations D3DX9D.dll https://www.virustotal.com/gui/file/0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f/detection
couple gunz.exe from fxp https://www.virustotal.com/gui/file/2a3b955a2ba3c4329a26b56d29d6ae7baa9053f2d184155632bcff9109b32e26/detection https://www.virustotal.com/gui/file/d39828a33a07af259921811a52513f0f5824ccb3aa56151ff6bab3b51847a45f?nocache=1 https://www.virustotal.com/gui/file/d39828a33a07af259921811a52513f0f5824ccb3aa56151ff6bab3b51847a45f/relations https://www.virustotal.com/gui/file/d9071790a18cd1c7db2a14824115efca7bb2b806dd799a378b34fdaef71bb0a9/behavior
sharp/ohad tested several exe b4 using them on fxp domain , often he bundled those inside a zip. https://www.virustotal.com/gui/file/250bba2b5f30bcc38cce29d985f80fc1f48a98ce33d38287466481866e264ab1?nocache=1
in depth data https://cryptpad.fr/code/#/2/code/view/M23D6IXLH4aCR8XWOAxCQ6YbzsmxZCZ4jQrBYQ+yuFo/
What?
It's a dump. Of course it's not original fxp.
PE files are completely different when mapped and unmapped.
Unmapped = on disk, not executable. Mapped = in memory, executable.
Very different things.
C:\Users\Ohad\Downloads\Servers\Gunz\Super Repack\Extracted\Client Files\Gunz.pdb is not present which mean it was recompiled. + The google update thingy that load was not there "Gunz2.exe.Dump-Copy.bin.exe" trying to access non-existent file "C:\GUNZ2.EXE.DUMP-COPY.BIN.EXE.LOCAL" "Gunz2.exe.Dump-Copy.bin.exe" trying to access non-existent file "C:\WINSPOOL.DRV" Filename Gunz_1.77'xe.00_008a9e00.exe PE32 executable (GUI) Intel 80386, for MS Windows
7d05bbb19754e1cfed29d3320322b7a083866531594b54c00f47c378bfbffec7Copy SHA256 to clipboard MD5 a47c96b8b6fcbdfb01fb3d0c464327dbCopy MD5 to clipboard SHA1 a72d892605ff715fe763dc89d57f9ca09de06f52Copy SHA1 to clipboard
Compiler/Packer VC8 -> Microsoft Corporation PDB Timestamp 08/18/2023 23:01:46 (UTC) PDB Pathway C:\Users\Ohad\Downloads\Servers\Gunz\Super Repack\Extracted\Client Files\Gunz.pdb PDB GUID 7DF34DBC8B4B46CE91324556B474192A
I did upload various exe on hybrid analysis and virus total, you can easily find them hybrid-analysis com/sample/729a08c5fb401931220bb6715aae8510f4ac452a1f8683215791ccde5ad5fae5 is one of them hybrid-analysis com/sample/7d05bbb19754e1cfed29d3320322b7a083866531594b54c00f47c378bfbffec7/6677b9beebfe447a250008ff
virustotal com/graph/g185df21b48294d5286703098243e956599100d2fc4294f83a55fb11633a30e01 cryptpad fr/code/#/2/code/view/M23D6IXLH4aCR8XWOAxCQ6YbzsmxZCZ4jQrBYQ+yuFo/
add the dot and the http to those url