Manalyze report for a29a697ebe6ed601a022de3537a8cac1

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2024-Apr-27 18:54:12
Detected languages	English - United States

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: example.com https://curl.se`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to SHA256` `Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: .KrmpBin` `Section .KrmpBin is both writable and executable.` `Unusual section name found: .KrmpSec` `Unusual section name found: .gehcont` `Unusual section name found: .voltbl` `Unusual section name found: .KrmpVmi` `Section .KrmpVmi is both writable and executable.`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA LoadLibraryExW LoadLibraryW` `Uses Microsoft's cryptographic API: CryptAcquireContextW CryptCreateHash CryptDestroyHash CryptDestroyKey CryptEncrypt CryptGetHashParam CryptHashData CryptImportKey CryptReleaseContext CryptDecodeObjectEx CryptQueryObject CryptStringToBinaryW` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` `Leverages the raw socket API to access the Internet: WSACleanup WSACloseEvent WSACreateEvent WSAEnumNetworkEvents WSAEventSelect WSAGetLastError WSAIoctl WSAResetEvent WSASetLastError WSAStartup WSAWaitForMultipleEvents __WSAFDIsSet accept bind closesocket connect freeaddrinfo getaddrinfo gethostname getpeername getsockname getsockopt htonl htons inet_ntop inet_pton ioctlsocket listen ntohs recv recvfrom select send sendto setsockopt socket` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Enumerates local disk drives: GetDriveTypeW` `Interacts with the certificate store: CertAddCertificateContextToStore CertOpenStore`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`a29a697ebe6ed601a022de3537a8cac1`
SHA1	`599580bc25a3443a5fc60592f18a321fefdf7346`
SHA256	`1bbe09c119295fda4d5ab2940f5fafe99b4a3528ee78d22050f128cd63ef5a4d`
SHA3	`3cf217ef6013f117ca8448f0182f88365a0bd73c0003e3f7cabdf4c1e2902366`
SSDeep	`49152:AosQHMmpQAaR824OnqDPqFmhlyjsrrJLp2lUEFP4+Po6kk:i4O2P5JLQlVt4ib`
Imports Hash	`10af48964ca0dc2b8bfb1d86a7e27863`

DOS Header

e_magic	`MZ`
e_cblp	`0x78`
e_cp	`0x1`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0`
e_ss	`0`
e_sp	`0`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x78`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`14`
TimeDateStamp	2024-Apr-27 18:54:12
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0xb8c00`
SizeOfInitializedData	`0x45200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000008B920 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x259000`
SizeOfHeaders	`0x400`
Checksum	`0x250395`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`e5b55c591b7d9de68e4f72334108cc8d`
SHA1	`8fd28d4c2eb222621c20b16c8d058f75208c8295`
SHA256	`0b8698a30497afe67f6fdb3d7a5634a9f999a94823c7fc6e784954e69d846e1f`
SHA3	`78099adbcbd68e9c651d8970c47001ffbca46ff979c59c92d7f6e66286aa0741`
VirtualSize	`0xb8ab6`
VirtualAddress	`0x1000`
SizeOfRawData	`0xb8c00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.52145`

.rdata

MD5	`1252b7223987692cade066286866c02a`
SHA1	`62035631a6f0f47ab6ed73ba13cd18da7e7992b4`
SHA256	`f3ff69ebe88967728f8054ccc219e94e4aa5d9662fd96f7df99c69f726c5508d`
SHA3	`6b2cc3bca0b7f9d37e9115677b1e7a51d4f581d18dd4bc4aa9224639598f432d`
VirtualSize	`0x37b6c`
VirtualAddress	`0xba000`
SizeOfRawData	`0x37c00`
PointerToRawData	`0xb9000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.83645`

.data

MD5	`0dbea5b0d0eb1a9a15777d5081cbc850`
SHA1	`e81992aa3b08f12668c0f75c6ee7abb874312497`
SHA256	`66aaa9a02bd84b97ef4282a6cec8cb87cc77197d13f0b612fc725b5588eec4b8`
SHA3	`297ada5b7a43f785303f81bcb6a2b9fa35640d797783ffc5665bfa6881e3d627`
VirtualSize	`0x3db0`
VirtualAddress	`0xf2000`
SizeOfRawData	`0x2000`
PointerToRawData	`0xf0c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.54096`

.pdata

MD5	`daa635725b94a7fecda7075ce5fab0fa`
SHA1	`bed8efd26b3fac6c588306b407998ceca5415bb5`
SHA256	`d1044c8a45adfdcc9789f9feb085a1108a0ab3f4076def6c9f8e4cfc43f22984`
SHA3	`e06f7cc66d1a29b86a749b9e729fcba597e4931674c0b8a3c19b46a2ff25ac1d`
VirtualSize	`0x8958`
VirtualAddress	`0xf6000`
SizeOfRawData	`0x8a00`
PointerToRawData	`0xf2c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.97407`

.00cfg

MD5	`cd7284503d3837be7784cde78ce62711`
SHA1	`25060244783bf79f2c04472cce6acf2ad32a0222`
SHA256	`c9ddc0affd06318c44e1266749fb035f5e791d90ab192f67e34042310243c33e`
SHA3	`b39884ff4f968998211ba986cd6b492bd5ae88d4aa3ea2e1f25d8d6db85aed43`
VirtualSize	`0x28`
VirtualAddress	`0xff000`
SizeOfRawData	`0x200`
PointerToRawData	`0xfb600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`0.408342`

.KrmpBin

MD5	`2a25651339f8b0f70cc33b46eb6aa48f`
SHA1	`551a82e7643604b31c94abc2c4ea5fe6e4551709`
SHA256	`401572eb20d8465cbfa8794fb8facc473db6af46e8179730d34b6197f315de30`
SHA3	`46188afb6e9b55b46c13f4dbd54ed2432b45a23462851a4fc115f88c7f00e77c`
VirtualSize	`0x1000`
VirtualAddress	`0x100000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xfb800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`8`

.KrmpSec

MD5	`1dd794829161ca48172662fcedf3e5bc`
SHA1	`3596a02e97a5573346e859d254cf9bb12cb32b6c`
SHA256	`a42f1cbc5d23bfe6d0880b76b95a7497def1a131b6d7ec66b205e81282013778`
SHA3	`52ebb51ac968cf77508c672bdbb8eb34c6313611741de75b89d96ac742ce360d`
VirtualSize	`0xf295`
VirtualAddress	`0x101000`
SizeOfRawData	`0xf400`
PointerToRawData	`0xfc800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.03645`

.gehcont

MD5	`3e8ae706243683641132c6ee3c53f5ca`
SHA1	`366deda98c52470fab67e2ae082c94c7bcbbe0f8`
SHA256	`f11cb3bf17bf6092c2b4a8d6988eb9d6bc1585d07158c5fdf2ec864492f2b043`
SHA3	`f60b6575355df6029a8f6715d1c538fb566e542c59c4c255512e577158247db0`
VirtualSize	`0x5c`
VirtualAddress	`0x111000`
SizeOfRawData	`0x200`
PointerToRawData	`0x10bc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`0.615314`

.tls

MD5	`1f354d76203061bfdd5a53dae48d5435`
SHA1	`aa0d33a0c854e073439067876e932688b65cb6a9`
SHA256	`4c6474903705cb450bb6434c29e8854f17d8324efca1fdb9ee9008599060883a`
SHA3	`991fbbd46bbd69198269fe6c247d440e0f8a7d38259b7a1e04b74790301d1d2b`
VirtualSize	`0x9`
VirtualAddress	`0x112000`
SizeOfRawData	`0x200`
PointerToRawData	`0x10be00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.0203931`

.voltbl

MD5	`463546dff7fbc0101e226740392c7da5`
SHA1	`9d5ce2d1ff24be4ac7cc00eeaadcb1edb0c694a2`
SHA256	`ea69e04c1755ea64eabda4a94f93afa8c5b70fe373cc607779d1be55354c4378`
SHA3	`968c3a1dd3a1f4b5e0eaa03a6e760a0405eefd6a424f34ea7c6f88a71f12c1a2`
VirtualSize	`0x48`
VirtualAddress	`0x113000`
SizeOfRawData	`0x200`
PointerToRawData	`0x10c000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`(EMPTY)`
Entropy	`1.22008`

_RDATA

MD5	`4a41c484a4a97262361b120225fec0fb`
SHA1	`1e541a329b0242b59f43f62f383401366adf26f6`
SHA256	`2cded2059149c5a5d596cf217505f4b58e0de73f316767f1f05d64e6ddbd1939`
SHA3	`ce697e7ce2c0da7e1b4fb2010da9bb9fcdea372c8c6396d5e2c9082ddfd6ff54`
VirtualSize	`0xf4`
VirtualAddress	`0x114000`
SizeOfRawData	`0x200`
PointerToRawData	`0x10c200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.45336`

.rsrc

MD5	`6e48f9cd9c1c04ffabaa127dc1ee0243`
SHA1	`63459a8f683448aad1a756e12063f9bd9ded96ad`
SHA256	`6111594f502fa1aa9c050df7e70d5dc1ee1d7553507862af831f1314b1eae0a0`
SHA3	`0eab3157537a65886e472cc8854257322397b909d003988a568e63b803a70653`
VirtualSize	`0x1a8`
VirtualAddress	`0x115000`
SizeOfRawData	`0x200`
PointerToRawData	`0x10c400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.17819`

.reloc

MD5	`2e2d5801fa3a177a421cbc589722395f`
SHA1	`7d469f925f17f6b2b74b2eff230e84153f8ac6ab`
SHA256	`0172d8f49d7232826e6bb07b5878f379340734f6f06cb47c248cb8d5970621f9`
SHA3	`c9c0e9e3a14fecb068eea1459727b8abed64c1bdecd9427e5419b6dda5e67114`
VirtualSize	`0x1150`
VirtualAddress	`0x116000`
SizeOfRawData	`0x1200`
PointerToRawData	`0x10c600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.39688`

.KrmpVmi

MD5	`fe7596330ce7b8417561c482f14c4feb`
SHA1	`0421329c6fe399fc7759f39f41b349c2bf78ae80`
SHA256	`6afda0f87c4763e6a679650e9f0fdce396b7e2b6ee90e4d4465adc62acef6939`
SHA3	`c230e15cbdda0898f3ec8ce44ba5f2c35f70e44567bcc9dfa6ade63024b231ac`
VirtualSize	`0x140600`
VirtualAddress	`0x118000`
SizeOfRawData	`0x14050b`
PointerToRawData	`0x10d800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`6.78511`

Imports

KERNEL32.dll	`AcquireSRWLockExclusive` `CloseHandle` `CompareStringEx` `CompareStringW` `CreateEventW` `CreateFileW` `CreateThread` `DecodePointer` `DeleteCriticalSection` `DeleteFileW` `EncodePointer` `EnterCriticalSection` `EnumSystemLocalesW` `ExitProcess` `ExitThread` `FileTimeToSystemTime` `FindClose` `FindFirstFileExW` `FindNextFileW` `FlushFileBuffers` `FormatMessageW` `FreeEnvironmentStringsW` `FreeLibrary` `FreeLibraryAndExitThread` `GetACP` `GetCPInfo` `GetCommandLineA` `GetCommandLineW` `GetConsoleMode` `GetConsoleOutputCP` `GetCurrentDirectoryW` `GetCurrentProcess` `GetCurrentProcessId` `GetCurrentThreadId` `GetDateFormatW` `GetDriveTypeW` `GetEnvironmentStringsW` `GetEnvironmentVariableA` `GetExitCodeThread` `GetFileAttributesExW` `GetFileInformationByHandle` `GetFileSizeEx` `GetFileType` `GetFullPathNameW` `GetLastError` `GetLocaleInfoW` `GetModuleFileNameW` `GetModuleHandleA` `GetModuleHandleExW` `GetModuleHandleW` `GetOEMCP` `GetProcAddress` `GetProcessHeap` `GetStartupInfoW` `GetStdHandle` `GetStringTypeW` `GetSystemDirectoryW` `GetSystemTimeAsFileTime` `GetTickCount` `GetTimeFormatW` `GetTimeZoneInformation` `GetUserDefaultLCID` `HeapAlloc` `HeapFree` `HeapReAlloc` `HeapSize` `InitializeCriticalSectionAndSpinCount` `InitializeCriticalSectionEx` `InitializeSListHead` `IsDebuggerPresent` `IsProcessorFeaturePresent` `IsValidCodePage` `IsValidLocale` `LCMapStringEx` `LCMapStringW` `LeaveCriticalSection` `LoadLibraryA` `LoadLibraryExW` `LoadLibraryW` `MoveFileExW` `MultiByteToWideChar` `PeekNamedPipe` `QueryPerformanceCounter` `QueryPerformanceFrequency` `RaiseException` `ReadConsoleW` `ReadFile` `ReleaseSRWLockExclusive` `ResetEvent` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlPcToFileHeader` `RtlUnwind` `RtlUnwindEx` `RtlVirtualUnwind` `SetEndOfFile` `SetEnvironmentVariableW` `SetEvent` `SetFilePointerEx` `SetLastError` `SetStdHandle` `SetUnhandledExceptionFilter` `Sleep` `SleepEx` `SystemTimeToTzSpecificLocalTime` `TerminateProcess` `TlsAlloc` `TlsFree` `TlsGetValue` `TlsSetValue` `UnhandledExceptionFilter` `VerSetConditionMask` `VerifyVersionInfoW` `VirtualAlloc` `VirtualProtect` `WaitForMultipleObjects` `WaitForSingleObjectEx` `WideCharToMultiByte` `WriteConsoleW` `WriteFile`
ADVAPI32.dll	`AdjustTokenPrivileges` `CryptAcquireContextW` `CryptCreateHash` `CryptDestroyHash` `CryptDestroyKey` `CryptEncrypt` `CryptGetHashParam` `CryptHashData` `CryptImportKey` `CryptReleaseContext` `LookupPrivilegeValueW` `OpenProcessToken`
WS2_32.dll	`WSACleanup` `WSACloseEvent` `WSACreateEvent` `WSAEnumNetworkEvents` `WSAEventSelect` `WSAGetLastError` `WSAIoctl` `WSAResetEvent` `WSASetLastError` `WSAStartup` `WSAWaitForMultipleEvents` `__WSAFDIsSet` `accept` `bind` `closesocket` `connect` `freeaddrinfo` `getaddrinfo` `gethostname` `getpeername` `getsockname` `getsockopt` `htonl` `htons` `inet_ntop` `inet_pton` `ioctlsocket` `listen` `ntohs` `recv` `recvfrom` `select` `send` `sendto` `setsockopt` `socket`
CRYPT32.dll	`CertAddCertificateContextToStore` `CertCloseStore` `CertCreateCertificateChainEngine` `CertEnumCertificatesInStore` `CertFindCertificateInStore` `CertFindExtension` `CertFreeCertificateChain` `CertFreeCertificateChainEngine` `CertFreeCertificateContext` `CertGetCertificateChain` `CertGetNameStringW` `CertOpenStore` `CryptDecodeObjectEx` `CryptQueryObject` `CryptStringToBinaryW` `PFXImportCertStore`
Normaliz.dll	`IdnToAscii`
bcrypt.dll	`BCryptGenRandom`

Delayed Imports

1

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x143`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.71208`
MD5	`9ce8c70178061cc4cf4a6bb1e291df93`
SHA1	`dc9804dd3aa348fb0c05f53c53c698518af514a0`
SHA256	`6f88bc7cb02ccb2dbc26b5f4ce53e355b331e31bb920b2ba8cbbcd1b5d4cd5a0`
SHA3	`9492809889cb617928395fd8b46fc6dd11eeb9b1101175bd478b7c4ca5bc10e1`

Version Info

TLS Callbacks

StartAddressOfRawData	`0x140112000`
EndAddressOfRawData	`0x140112008`
AddressOfIndex	`0x1400f4238`
AddressOfCallbacks	`0x1400dfd28`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_4BYTES`
Callbacks	`(EMPTY)`

Load Configuration

Size	`0x138`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1400f2e28`

RICH Header

a29a697ebe6ed601a022de3537a8cac1

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.00cfg

.KrmpBin

.KrmpSec

.gehcont

.tls

.voltbl

_RDATA

.rsrc

.reloc

.KrmpVmi

Imports

Delayed Imports

1

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors